Investigative Responses (e-mail Tracing)

Yona F. Maro

Nov 2, 2006
E-MAIL is the most common security vulnerability. It is a virtual door that leads directly into the network and indirectly onto every desktop. Hackers can use it to sneak in, and staff can use it to sneak secrets out. It can also serve as a portal for data destruction. It is important to know how to handle e-mail incursions.
E-MAIL TRACING is probably the most common duty of cybercrime investigators, and an audit or paper trail of e-mail traffic is the most common type of evidence used in court. In a typical scenario, suspects come to the attention of authorities for reasons other than their e-mail traffic, but then their traffic becomes closely monitored. For example, administrators might have reasons to order security checks on employees who appear disgruntled or have access to sensitive information. Their e-mail logs and network usage may show things like innocent family photos being sent to a Hotmail account, but with no traffic back from that Hotmail account. These innocent photos could be a case of corporate espionage through the use of steganography -- a process in which the ones and zeros of a digital text or image are buried inside the pixels of an ordinary-looking photograph. Discovering whether that employee possessed a copy of a steganography program would become the basis of an interrogation session.
Forensic tracing of e-mail is similar to traditional gumshoe detective work. Checking involves looking at each point through which an e-mail passed, with the detective working step-by-step back to the originating computer, and, eventually, the perpetrator. The process requires knowing how e-mail works.
All e-mail contains HEADERS, and most tracing of external e-mail begins by looking at this message-header information. A message header is text at the top of an e-mail that travels through the Internet. It contains the source of an e-mail in the "From" line, while in the "Received" lines, the header lists every point the e-mail passed through on its journey, along with the date and time. The message header provides an audit trail of every machine an e-mail has passed through.
Some places the e-mail has traveled will be unfamiliar machine names outside the company network. In these cases, sleuthing tools such as Whois or BetterWhois may be needed to do further tracking. These services search databases of registrars that record online users and their Internet Protocol (IP) addresses (numerical identifiers for computers on a network, the virtual equivalent of a street address). For example, running a Whois search on a domain name such as will identify the name and address of the domain name's holder, administrative and technical points of contact, and the domain name servers responsible for the domain. In other cases, a more sophisticated (but still free) online tracing tool such as Webtracer may be needed.
If the address is not faked, it becomes a matter of determining who used the machine at the time the suspect message was sent. For example, if a school or library computer was used to send a bomb threat through a commercial e-mail account, it becomes a matter of checking log-on times in the school or library's sign-on logs.
More sophisticated suspects will fake their e-mails, however. Some of them will use e-mail programs that strip the message header from the message before delivering it to the recipient or bury the message header within the e-mail program. In other cases, the "From" line in a message header is faked. Other offenders will have stolen someone else's e-mail account or set one up temporarily using bogus address information when they registered.
There are several ways of FAKING E-MAIL. These include Spoofing, Remailing, Relaying, Spamming, Stealing, and Bogus accounts.
• SPOOFING is when an e-mail is made to appear to come from someone (or someplace) other than the real sender (or location). The e-mailer uses a software tool that is readily available off the Internet to cut out his IP address and replace it with someone else's address. What many Spoofers don't know, however, is that the first machine to receive the "spoofed" message records the real IP address of the machine sending the message even though the faked ID is in the header.
• REMAILING is when an attempt is made to throw tracing or tracking off the trail by sending the e-mail to a computer that strips the sender's IP address and remails it with the remailing computer's IP address. The only way to find out who sent the mail is to look at any logs maintained by these remailer or anonymizer companies. Their stated policies, however, include the proviso that they don't keep logs. About the only thing an investigator can do is closely analyze the message for embedded information that might give clues to the user or system that sent the message.
• RELAYING is when someone hides the origin of an e-mail message by having someone else's mail server send the message. A properly configured mail server will only process mail from within its own system and won't relay mail from IP addresses originating outside its network. But if the mail server is not configured properly, it becomes vulnerable to a wide variety of remote access programs.
• SPAMMING occurs when an e-mail message is sent to a large number of recipients, usually routed through an unsuspecting company's mail server. The e-mailer uses it as a relay point, and the owner of the server may never be aware that the e-mailer has been there. The e-mailer then disappears before anyone gets suspicious. This is not only a theft of services, but potentially a denial of service as well, if the volume of e-mail sent through the server causes it to crash.
• STEALING can be broadly defined as unauthorized use of someone else's password and e-mail account. Some common ways in which stealing occurs are shoulder-surfing (watching over someone's shoulder as they enter a password and ID), or "sniffing" a network (watching all the network traffic and intercepting user IDs and passwords).
• BOGUS freemail accounts are quite common, and in fact are often recommended by anti-spam advocates. Anybody can give a false identity and address when opening up a Hotmail account, for example. It is difficult to catch someone who has done this because the e-mail company never knows who opened the false account, and like disposable cell phones, these accounts are quickly used and discarded. Pornographers often use this trick.
Forensic E-Mail Tracing relies on computer logs. A computer log is a record of each e-mail message that passes through a computer in a network. For evidence purposes, an investigator needs to prove that a certain e-mail originating address traveled through a machine by verifying the message ID on a log of e-mail transactions together with the date and time the address was recorded. Sometimes, this is not easily done. Legal limits and jurisdictional issues create tough challenges.
Many Internet service providers (ISPs) do not log e-mail. Smaller ISPs don't turn on their logging functions either because they have inadequately trained staff or because they don't want the responsibility of turning over information. Some only keep partial data, such as log-ins or FTP (file transfer protocol) transfers. ISPs vary in their willingness to assist with a private investigation. Some readily produce computer logs to help, while others refuse to give up logs without a court order or subpoena. They are legitimately concerned about finding themselves in court for violating the privacy rights of users. If an official, public law enforcement officer contacts the ISP and informs them that a certain user is being investigated, the ISP is obligated by law to preserve any information they would have normally logged or collected, giving investigators the time to seek the legal authority to seize the relevant information. ISPs are not required to escalate their monitoring activities, however. If they were not keeping a log to begin with, they are under no obligation to start doing so. Foreign jurisdictions are notoriously uncooperative, even when the investigation has the backing of the Government.
Once the physical presence of the perpetrator's PC has been located, it is confiscated, of course, and the forensic analyst makes exact copies (called image copies) of the computer's hard drives. Any analysis on a piece of media should always be conducted from an image copy to avoid tainting the original evidence. The forensic analyst looks for file fragments or portions of any e-mails that contain specific references to the offending message. For example, if the user was using the public e-mail service Hotmail, investigators will check the image copy of the browser's Internet cache showing where the user has been online. It will contain copies of any e-mails created, sent, or received via Hotmail. Even if the user has emptied the cache, there are ways to undelete and recover this information.
There are worrisome trends that suggest e-mail tracing will become more difficult in the future. For example, some new products coming on the market strip e-mail headers, encrypt the message, and then destroy it after a period of time. There are also fairly thorough "window washer" delete utilities. Smart programmers are always looking for ways to get around the audit trail, and investigators always seem to be playing catch-up when tracing e-mail. Nevertheless, e-mail tracing will likely remain an essential part of computer forensics.
From A@b.c.d Sat Nov 11 13:16 EST 1995
Received: from ( []) by (8.6.11/8.6.9) with ESMTP id NAA04656 for <>; Sat, 11 Nov 1995 13:16:03 -0500
Received: from ( []) by (8.6.12/8.6.9) with SMTP id KAA27279 for; Sat, 11 Nov 1995 10:27:52 -0800
Received: from ( []) by (8.6.11/8.6.9) with ESMTP id OAA18017 for <>; Tue, 24 Oct 1995 14:09:46 -0400
Received: from ( []) by (8.6.12/8.6.9) with SMTP id LAA02685 for <>; Tue, 24 Oct 1995 11:21:12 -0700
The faked parts are the "from" sections. It looks like the message originated from when in reality it came from. Reading the headers from the bottom to the top traces the sites the message has passed through, and the dates and times tell you something is wrong. An nslookup on the IP addresses would verify is, but the IP doesn't jibe with the name of the IP address of the e-mail faker (A@b.c.d). is; is; and is
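The bottom-to-top walk described above, as an added example that is not part of the original article: it parses the Received lines, orders the hops in transit order, and flags a hop whose claimed name does not match what its IP resolves to, or whose timestamp runs backwards or jumps implausibly. The headers, host names and addresses are constructed placeholders, and the reverse-DNS table stands in for the nslookup step so the example runs offline.

```python
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the page's example: every host name and
# address below is an invented placeholder, not a real machine.
SAMPLE_HEADERS = """\
From A@b.c.d Sat Nov 11 13:16 EST 1995
Received: from mail.example-b.test (mail.example-b.test [192.0.2.20]) by mx.example-a.test (8.6.11/8.6.9) with ESMTP id NAA04656 for <user@example-a.test>; Sat, 11 Nov 1995 13:16:03 -0500
Received: from relay.example-c.test (relay.example-c.test [198.51.100.7]) by mail.example-b.test (8.6.12/8.6.9) with SMTP id KAA27279 for user@example-a.test; Sat, 11 Nov 1995 10:10:52 -0800
Received: from claimed.example-d.test (unknown [203.0.113.9]) by relay.example-c.test (8.6.11/8.6.9) with ESMTP id OAA18017 for <user@example-a.test>; Tue, 24 Oct 1995 14:09:46 -0400
"""

REVERSE_DNS = {  # constructed stand-in for the nslookup step, so this runs offline
    "192.0.2.20": "mail.example-b.test",
    "198.51.100.7": "relay.example-c.test",
    "203.0.113.9": "dialup-9.example-x.test",  # not the name the sender claimed
}

# "Received: from <claimed name> (<recorded name> [<recorded IP>]) by <server> ...; <date>"
RECEIVED_RE = re.compile(
    r"^Received: from (?P<claimed>\S+) \(\S+ \[(?P<ip>[\d.]+)\]\) "
    r"by (?P<by>\S+) .*?; (?P<date>.+)$")

def parse_hops(raw_headers):
    """Return the Received hops in transit order, i.e. bottom header first."""
    hops = []
    for line in raw_headers.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            hops.append({"claimed": m["claimed"], "ip": m["ip"], "by": m["by"],
                         "time": parsedate_to_datetime(m["date"])})
    return hops[::-1]

def find_anomalies(hops, rdns, max_gap=timedelta(hours=24)):
    """Flag a claimed name that disagrees with its IP's reverse lookup, and a
    timestamp that runs backwards or jumps more than max_gap between hops."""
    findings = []
    for i, hop in enumerate(hops):
        actual = rdns.get(hop["ip"], "unknown")
        if actual != hop["claimed"]:
            findings.append(f"hop {i}: claims {hop['claimed']} but {hop['ip']} is {actual}")
        if i > 0:
            delta = hop["time"] - hops[i - 1]["time"]
            if delta < timedelta(0) or delta > max_gap:
                findings.append(f"hop {i}: {delta} after previous hop, recorded by {hop['by']}")
    return findings
```

On the constructed sample, the bottom hop is flagged for a name that its IP does not resolve to, and the next hop is flagged for the eighteen-day jump in timestamps.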
The problem of SPAM (junk email) defies easy solution. On the server end, an administrator can try keyword filters or IP database block lists. The keyword approach will simply have to be creative enough to keep up with all the creative ways a spammer can spell "VI@Gra", for example. Attempting to "blacklist" or block spam by specific IP addresses may not work as well as blocking a whole IP address block. Any spammer can spoof a "sent from" address, but they can't hide the part of the IP address that indicates the block of addresses their relay is using. The drawback of this is that "innocent" relay points and mail servers are punished even though they don't know they're being used to send spam. Alternatively, a server administrator can try white lists, which only allow email from known and trusted senders, but this is a drastic solution that defeats the purpose of email in the first place. Congress has been trying for years to crack down on spam, but the problem is a technological one, and will probably not go away no matter how much legislation is passed. Ultimately, until changes are made in email and related protocols (IMAP, POP3, SMTP, and HTTP), there will probably always be spam. In the meantime, techniques like greylisting hold some promise in cutting down on about 90% or more of spam.
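The greylisting mentioned above, as an added example rather than anything from the original article: each new (client IP, sender, recipient) triplet is deferred with a temporary 4xx failure and accepted only when the sending server retries after a short delay, which legitimate mail servers do and most bulk mailers do not. The thresholds, addresses and traffic below are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy thresholds are constructed for this example; deployments tune them.
MIN_DELAY = timedelta(minutes=5)    # a retry sooner than this is still deferred
RETRY_WINDOW = timedelta(hours=4)   # a retry later than this starts over
ALLOW_FOR = timedelta(days=30)      # how long a proven triplet stays accepted

@dataclass
class Greylister:
    """Defer the first attempt for each (client IP, sender, recipient) triplet
    with a 4xx response; a real MTA queues and retries, most spam tools do not."""
    pending: dict = field(default_factory=dict)   # triplet -> time first seen
    allowed: dict = field(default_factory=dict)   # triplet -> accepted until

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply the server should give for this attempt."""
        key = (client_ip, sender.lower(), recipient.lower())
        until = self.allowed.get(key)
        if until is not None and now < until:
            return "250 OK"
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > RETRY_WINDOW:
            self.pending[key] = now          # first sight (or stale): defer
            return "450 4.7.1 Greylisted, try again later"
        if now - first_seen < MIN_DELAY:
            return "450 4.7.1 Greylisted, try again later"
        del self.pending[key]                # patient retry: let it through
        self.allowed[key] = now + ALLOW_FOR
        return "250 OK"

def simulate():
    """Constructed traffic: a legitimate MTA that retries after 1 and 7 minutes,
    then sends again a day later, and a bulk mailer that tries exactly once."""
    g = Greylister()
    t0 = datetime(2006, 11, 2, 9, 0, tzinfo=timezone.utc)
    legit = ("198.51.100.7", "alice@example.test", "bob@example.test")
    bulk = ("203.0.113.9", "offers@example.test", "bob@example.test")
    replies = [
        g.check(*legit, t0),
        g.check(*legit, t0 + timedelta(minutes=1)),
        g.check(*legit, t0 + timedelta(minutes=7)),
        g.check(*legit, t0 + timedelta(days=1)),
        g.check(*bulk, t0),
    ]
    return replies, len(g.pending)
```

The legitimate sender is deferred twice and then accepted, while the one-shot bulk mailer never gets past the deferral and simply remains in the pending table.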
Last updated: 06/11/05