Evidence Hunters: Navigating Email Forensics

When carrying out analyses, whether in the forensic, intelligence, financial or other fields, the search for the truth stands out. The truth as an objective and using reason as a means, just as Descartes described in his day in the Discourse on Methodto direct reason well and search for the truth in the sciences. As analysts we aim to find out what happened and respond to the client's concerns, without leaving aside the fact that, sometimes, the truth is the most complex thing to witness.

Forensic analysis of emails arises almost entirely after an event or incident that requires investigation. These analyzes are sometimes comprised of two parts, the technological part (the sending and receiving process) and the information part (contained in the email and/or attached to it).

The main considerations for carrying out the technological analysis of fraudulent emails, although they will not always have a place in all analyses, but which must be considered initially, are:

• Uniquely identify the mail services involved at both origin and destination. The email technology of both parties must be identified, it could be cloud emails (SaaS) or on-premise email servers.

• Guarantee that the emails have not been manipulated, obtaining the email samples to be analyzed with an administrative account directly from the server, not from the email clients of the affected users.

• Analyze the technical headers in the emails received to identify the origin servers of the shipment.

• Analyze email security elements such as:

• SPF alignment: The SPF alignment can be considered unchanged when the domain of “MAIL-FROM” or “Return-Path” and “From” are the same. The difference between these could suggest that the email is fake.

• SPF Authentication: If the SPF authentication is “false,” it means that the sender's IP address is not authorized to send email on behalf of a sender. That is, you are not authorized to send emails on behalf of the legitimate domain.

• DKIM lineup: To confirm DKIM alignment in an email, the “DKIM-Signature” field must include the domain signature of the “From” header in its “tag; d=domain.com”.

• DKIM authentication: If the DKIM Signature field is not verified, you can assume that the email has been modified or altered.

As for the part of the analysis on the information in the email, it is necessary to objectively pay attention to what is written in it, as well as what is included in the attached files, if any. In this part, several premises must be taken into account:

• Writing, literary style and spelling: the distinction between real or legal messages from those generated by an attacker using Artificial Intelligence is becoming increasingly complex.

• Signature format: visual analysis of the signature in search of possible forgeries or, in any case, if there is the possibility of it being a copy of an authentic signature, identifying spaces under the signature that should not exist .

• Relevant data: establish what information in the email is in the public or private domain. Possible spheres of knowledge of said information.

• Mention people: assess whether they are real or fictitious people; in the case of attackers, the former is more likely, but it is important not to rule them out before the analysis.

• Leaked or exposed emails: identify if the account receiving the email is present in data leaks or can be found in open sources. In the case of password leaks, consider the possibility of account compromise.

• Modus operandi: establish a hypothesis with the most objective and accurate foundations available that indicates how the attack could have been carried out.

• Objective: Analyzing the attacker's possible objective, as well as the benefit they would obtain, can be helpful in complex cases.

• Attached files: extraction of metadata from the files and analysis of both these and the information of the document itself (signature, bank account number, etc.).

As a key aspect in the forensic analysis, it is worth highlighting the extraction of the element and the chain of custody of it as an element. Although it is important in the forensic field, it takes on special relevance in the case of mail, since an analysis must be carried out at all the points where they have passed.

In forensic analysis, therefore, it is always advisable to turn to the best experts, those who carry out a good identification of the evidence and are able to relate the proven facts without falling into assumptions or false beliefs. In addition, as long as the report is going to be presented in court, proper custody of the devices and/or files is carried out, also counting on the experts who prepared the report for their correct defense in court.

Sergio Gutierrez, Technical Lead at Zerolynx and Noelia B. Cyber ​​Intelligence Analyst at Zerolynx.