Cyber forensics is slowly and steadily becoming an important part of law enforcement, since it helps uncover the details of information exchanged through digital media.
With more and more people connected to the digital world, the amount of information created is humongous, and it gives law enforcement officers the clues and leads they need to nab the culprits.
An expert in cyber forensics uses a range of tools to find information across many devices, which helps solve crimes faster. Additionally, this information is now accepted as evidence in courts of law, so it becomes vital in any legal case.
In both criminal and civil cases, it is common for lawyers to demand to see this evidence, so the necessary documentation and tools used to uncover it may also have to be produced.
All these processes place great emphasis on cyber forensics tools, of which email tracking is one of the most prominent and widely used. Before going into how emails are tracked by forensics experts, let's briefly look at how emails work.
How Emails Work
There are two parts to an email system: a server that stores the emails, and a network-enabled client such as Outlook or Eudora that talks to the server to display them. Most email setups use two servers, one for outgoing mail and one for incoming mail.
Some of the protocols email applications use to connect to a server and retrieve incoming mail are Post Office Protocol (POP), Internet Mail Access Protocol (IMAP) and Microsoft's Mail API (MAPI). If the email is web-based, HTTP is used instead.
To send outgoing email, applications use the Simple Mail Transfer Protocol (SMTP). These protocols record important details such as the IP address of the system that sent the email, and all this information is encoded in the message headers.
Tracking Emails
When you track emails as part of an investigation, the first place to look is the header. Doing so requires an understanding of SMTP, which makes it easier for the expert to interpret what the headers contain.
One of the first pieces of information that can be gleaned from it is the IP address, and based on this it is possible to trace the email to the computer that sent it. IP addresses are hard to spoof, which is why this is an easy way to identify a criminal.
Besides the IP address, the header also contains other useful information such as the name of the computer, the date and time the message was sent, the sender's and receiver's email addresses, the software that sent the email, its priority, the MIME version and the encoding format used for the message.
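As an added example (not code from the original article), the following Python script uses the standard library's email module to pull the fields listed above out of a message and to rebuild the delivery chain from its Received: lines. The sample message is constructed; every hostname, address and IP in it is a placeholder taken from the documentation ranges. Each mail server prepends its own Received: line, so the last one in the header block is the earliest hop. Only the lines added by servers the investigator trusts are reliable; anything below them could have been written by the sending software, which is why the script also flags hops whose "by" server does not reappear as the "from" server of the following hop.

```python
"""Parse the headers of a raw RFC 5322 message and reconstruct the delivery
path from its Received: lines (constructed sample data, not a real message)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message. Hosts, addresses and IPs are placeholders drawn
# from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id 4Kq1z2;
\tMon, 02 Jan 2023 10:05:44 +0000
Received: from relay.example.com (relay.example.com [203.0.113.9])
\tby mx2.example.net with ESMTPS; Mon, 02 Jan 2023 10:05:40 +0000
Received: from WORKSTATION-7 (unknown [192.0.2.55])
\tby relay.example.com with ESMTPA; Mon, 02 Jan 2023 10:05:31 +0000
From: Alice <alice@example.com>
To: Bob <bob@example.org>
Subject: Quarterly report
Date: Mon, 02 Jan 2023 10:05:30 +0000
Message-ID: <20230102100530.1234@WORKSTATION-7>
X-Mailer: ExampleMailer 1.0
X-Priority: 1 (Highest)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Body omitted.
"""

# Common Received: shape: "from <helo> (<rdns> [<ip>]) by <server> ...; <date>"
_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value: str) -> dict:
    """Split one Received: header into its fields; unparseable parts become None."""
    flat = " ".join(value.split())          # unfold continuation lines
    m = _RECEIVED_RE.search(flat)
    _head, _sep, tail = flat.rpartition(";")  # the timestamp follows the last ';'
    try:
        ts = parsedate_to_datetime(tail.strip()) if _sep else None
    except (TypeError, ValueError):
        ts = None
    return {
        "helo": m.group("helo") if m else None,
        "rdns": (m.group("rdns") or None) if m else None,
        "ip": m.group("ip") if m else None,
        "by": m.group("by").rstrip(";,") if m else None,
        "timestamp": ts,
        "raw": flat,
    }


def delivery_path(msg: Message) -> list:
    """Servers prepend Received: lines, so the last one is the earliest hop.
    Return the hops in chronological order (origin first)."""
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def chain_breaks(hops: list) -> list:
    """Each hop's 'by' server should be the 'from' server of the next hop.
    A mismatch suggests a forged or stripped line; return (index, by, next_from)."""
    breaks = []
    for i in range(len(hops) - 1):
        by = (hops[i]["by"] or "").lower()
        nxt = hops[i + 1]
        names = {(nxt["helo"] or "").lower(), (nxt["rdns"] or "").lower()}
        if by and by not in names:
            breaks.append((i, hops[i]["by"], nxt["helo"]))
    return breaks


def summarize(raw: str) -> dict:
    """Collect the header fields an investigator looks at first."""
    msg = message_from_string(raw)
    hops = delivery_path(msg)
    times = [h["timestamp"] for h in hops if h["timestamp"]]
    return {
        "sender": parseaddr(msg.get("From", ""))[1],
        "recipient": parseaddr(msg.get("To", ""))[1],
        "date": parsedate_to_datetime(msg["Date"]).isoformat() if msg["Date"] else None,
        "message_id": msg.get("Message-ID"),
        "mailer": msg.get("X-Mailer"),
        "priority": msg.get("X-Priority"),
        "mime_version": msg.get("MIME-Version"),
        "encoding": msg.get("Content-Transfer-Encoding"),
        "origin_host": hops[0]["helo"] if hops else None,
        "origin_ip": hops[0]["ip"] if hops else None,
        "hop_count": len(hops),
        "transit_seconds": (max(times) - min(times)).total_seconds() if times else None,
        "chain_breaks": chain_breaks(hops),
        "hops": hops,
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE).items():
        if key != "hops":
            print(f"{key:16} {val}")
    for hop in summarize(SAMPLE)["hops"]:
        print(f"  {hop['ip']:15} {hop['helo']} -> {hop['by']} at {hop['timestamp']}")
```

The regular expression covers the most common Received: layout; real servers vary the format, so a hop that fails to parse is reported with None fields rather than dropped, and the analyst can read its raw value. The timestamps come from each server's own clock, so the transit time is only as good as those clocks.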
With this information, forensics experts can learn a great deal about the sender and his or her location. Using it as a starting point, they can continue their investigation and collect the evidence needed to convict a criminal.