EML File Forensics and How It Facilitates Investigations?

James Ryder | Modified: August 17th, 2018 | Email Forensics

Digital Forensics plays the key role in making investigations streamlined. Computer forensics is a part of digital forensics and penetrates through the data digitally. From the word digital, it is clear that aim of computer forensics is to examine the data by recovering, analyzing, etc. Forensics helps in finding out evidence for a case in legally admissible and authentic manner. Forensics plays a very important role. It helps to find the data, which is enclosed, encrypted, or damaged, etc. During EML file forensics, the following segment elaborates on how the nature of EML files is facilitative in the process of email investigation.

Analyse EML File

EML file stands for E-Mail and is a text based storage file for e-mail messages. Owing to its flexible structure, the file is compatible with a number of desktop mail clients such as Microsoft Outlook, Thunderbird, Apple Mail, etc. It contains plain ASCII text in its shorter header, main message body, etc. The header part contains the sender, receiver, subject, etc., and body contains the message. EML files are exported mainly for the purpose of archiving.

EML File Forensics

What does an E-mail Header Holds?

An e-mail contains three parts; envelope, header and the body. The envelope is hidden and the body is visible to the user. In case of header, user gets only the outside view like; to, from, subject, etc., the detailed view is buried within. Further expanding the header lets the user come across much information.

Generally, one should be aware of header portion since it can help us find whether one mail is authenticated or not.

Example of a header;

Analyse EML File

What Role Does the Email Header Play in EML File Forensics?

There are number of reasons due to which an email header is important from investigative point of view. The header portion includes detailed information about the sender, the servers involved in its exchange, path of the mail, message ID, etc. For a forensic agency, email header information is the most vital part of a message to verify whether the mail is authenticated or not, can help to trace the path of mail, etc.

Let us discuss some of the important portions of the header.

  • Message ID:

It is a unique ID formulated when the mail is sent.

  • Received-SPF:

A Policy Framework indicates which mail server has the right to send the mail.

  • Received:

It is an important part that helps to analyse EML file. It shows the list of servers through which the mail has travelled to reach receiver.

  • Top ‘received’ shows the IP address of receiver mail
  • Middle ‘received’ shows the IP address of server through which the mail is passed.
  • Bottom ‘received’ shows the IP address of the sender’s mail server
  • There are other information such as; MIME version, X-mailer, from, to, subject, etc.

Observation: EML files can be opened in a notepad since it contains messages in simple text format however, for a detailed EML file forensics, the user have to rely on third party- software that not only are able to read EML files collectively in multiple numbers but, are also programmed to show all fields of the message header in a proper classification making the investigation well conducted. There are even free software available to view EML files like; EML Viewer. EML files are supported by most the desktop mail client as mentioned above. Since it supports much mail client it makes easier for the forensic department to work with.