Cyber forensics
• Cyber forensics, also known as computer forensics or digital forensics, is the process of collecting and analyzing digital evidence. It is used to investigate cyberattacks and other illegal activities.
• Email forensics involves investigating emails to gather evidence for legal or investigative purposes. It focuses on analyzing email content, headers, attachments, and metadata to establish facts or track the origin of emails. Anti-forensics, on the other hand, refers to techniques used to evade or hinder forensic investigation efforts.
• The two parts of an email are the header and the body. The body contains the message itself, while the header contains metadata such as the message's origin, delivery date, and destination address. Analyzing email headers is one of the most common tasks in computer forensics, and it is especially useful when the legitimacy of an email's sender is in question.
• Objectives
• To determine whether or not the email is genuine.
• To investigate incidents of cybercrime that involve the use of email.
• Email Header Analysis
• Analysis of the email header is the first step in email forensics, since the header carries a wealth of information about the email. The examination covers both the text body and the email header, which holds the details specific to that email. Email header analysis helps detect most email-related crimes, such as spear phishing, spamming, and email spoofing. By looking at the headers, one can tell whether an email comes from a faked or a legitimate address.
• Full Explanation of Email Analysis
• Delivered-To: This header field contains the email address of the intended recipient.
• Received: This field records information about the previous SMTP server the message passed through. Each Received field reveals the following details:
• Server's IP address
• SMTP ID assigned by that server
• Date and time at which the email was received by the SMTP server.
• X-Received: Some email parameters are not defined in the Internet Official Protocol Standards and are called non-standard headers. These are generated by mail transfer agents, such as Google's SMTP servers, which use the X-Received field to share non-standard information. This field should not be overlooked while examining email headers, because it contains the following information:
• IP address of the message-receiving servers
• SMTP ID of the server
• Date and time at which the email was received.
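The Received and X-Received fields above are prepended by each mail server, so the top-most one is the last hop and the bottom-most is the first server that accepted the message. The following added example, which is not part of the original slides, walks that chain and extracts the three details the slides name for each hop (server IP, SMTP ID, date and time); it also checks that the timestamps run in order, since an out-of-order chain is worth a second look. The message and all hosts and addresses in it are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

# Constructed sample: three hops, oldest hop at the bottom, the way MTAs prepend Received headers.
SAMPLE_RAW = """Delivered-To: victim@example.net
Received: from mx.example.net (mx.example.net [192.0.2.10])
        by inbox.example.net with SMTP id abc123;
        Mon, 01 Jan 2024 10:03:00 +0000
X-Received: by 2002:a05:6000:1::1 with SMTP id x9; Mon, 01 Jan 2024 10:02:59 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
        by mx.example.net with ESMTP id def456;
        Mon, 01 Jan 2024 10:02:00 +0000
Received: from [203.0.113.5] (unknown [203.0.113.5])
        by relay.example.org with ESMTPA id ghi789;
        Mon, 01 Jan 2024 10:01:00 +0000
From: Alice <alice@example.com>
To: victim@example.net
Subject: test

body
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_received(value):
    """Pull the forensically useful fields out of one Received/X-Received value."""
    text = re.sub(r"\s+", " ", value).strip()  # collapse header folding
    hop = {"from": None, "ip": None, "by": None, "id": None, "date": None}
    m = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", text)
    if m:
        hop["from"] = m.group(1)
        # The connecting client's address usually sits in the parenthesised part.
        ips = IPV4.findall(m.group(2) or "") or IPV4.findall(m.group(1))
        hop["ip"] = ips[0] if ips else None
    m = re.search(r"\bby\s+(\S+)", text)
    if m:
        hop["by"] = m.group(1)
    m = re.search(r"\bid\s+([^\s;]+)", text)
    if m:
        hop["id"] = m.group(1)
    if ";" in text:  # the timestamp follows the last semicolon
        try:
            hop["date"] = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return hop


def trace_hops(raw_message):
    """Return the Received chain in chronological order (first hop first)."""
    msg = message_from_string(raw_message, policy=policy.default)
    received = [str(v) for v in msg.get_all("Received", [])]
    return [parse_received(v) for v in reversed(received)]


def x_received(raw_message):
    """Parse the non-standard X-Received fields with the same extractor."""
    msg = message_from_string(raw_message, policy=policy.default)
    return [parse_received(str(v)) for v in msg.get_all("X-Received", [])]


def timeline_consistent(hops):
    """True when every hop's timestamp is no earlier than the previous hop's."""
    dates = [h["date"] for h in hops if h["date"] is not None]
    return all(a <= b for a, b in zip(dates, dates[1:]))


if __name__ == "__main__":
    for n, hop in enumerate(trace_hops(SAMPLE_RAW), 1):
        print(f"hop {n}: from={hop['from']} ip={hop['ip']} by={hop['by']} id={hop['id']} at {hop['date']}")
    print("timeline consistent:", timeline_consistent(trace_hops(SAMPLE_RAW)))
```

The first element of the returned list is the hop a forensic examiner cares most about: it names the host and IP address that first handed the message to a mail server, which is what the later spoofing example on these slides compares against the From: address.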
• ARC-Seal: This header contains a signature that covers the ARC-Message-Signature and the information from the ARC-Authentication-Results header.
• ARC-Message-Signature: This is a DKIM-like signature that takes a snapshot of the message header information, including To, From, Subject, and the body.
• Received-SPF: The Sender Policy Framework (SPF) is an email security framework that verifies the sender. Only once the sender's identity has been verified does the system forward the message. The following result codes are used:
• Pass: Email source is valid
• Soft fail: Fake source possible
• Neutral: Source validity difficult to ascertain
• None: SPF record not found
• Unknown: SPF check can't be performed
• Error: An error occurred during the SPF check
• ARC-Authentication-Results: This header contains email authentication results such as SPF, DKIM, and DMARC.
• DKIM, or DomainKeys Identified Mail, lets an organization (or a handler of the message) take responsibility for a message that is in transit. DKIM attaches a new domain-name identifier to a message and uses cryptographic techniques to validate authorization for its presence. DKIM allows the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain. The DKIM-Signature header carries the following tags:
• v: version.
• a: cryptographic algorithm used to produce the signature.
• c: canonicalization algorithms applied to the header and body before signing.
• s: selector record name used with the domain.
• h: signed header fields that are fed to the signing algorithm to create the hash in the b= tag.
• bh: hash of the message body.
• b: signature over the headers listed in the h= tag. It is also called the DKIM signature.
• d: domain used with the selector record.
• So, we can say it is a valid email, as DKIM, SPF, and DMARC all pass, which means the email source is legitimate.
• From the ARC-Authentication-Results, spf = softfail means a fake source is possible. The value dmarc = fail suggests that the source is not legitimate.
• Return-Path: <[email protected]>
This field contains the email address to which the message is returned if it fails to reach the intended recipient. This can easily happen if the sender has used a wrong email address for the recipient.
• As we can see in From: Softwarica college <[email protected]>, the email claims to have originated from Softwarica College. However, the Received header shows that the email actually originated from emkei.cz, a publicly available fake-email service, so the claimed sender and the true origin do not match.
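The verdict reached above rests on three checks: reading the SPF/DKIM/DMARC results out of the Authentication-Results headers, reading the tags of any DKIM-Signature, and comparing the From: domain with the host in the originating Received header. The following added example, which is not part of the original slides, performs those checks on two constructed messages: one modelled on the spoofing case (From: claims a college domain, the first hop is an unrelated mailer, spf=softfail and dmarc=fail) and one cleanly signed message. All hosts, addresses, selectors and the placeholder hash values are made up.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the spoofing case: the From: domain and the
# originating host disagree, and the authentication results are not clean.
SPOOFED_RAW = """Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.20])
        by inbox.example.net with ESMTP id r1; Mon, 01 Jan 2024 12:00:05 +0000
ARC-Authentication-Results: i=1; mx.example.net;
       spf=softfail (sender IP is 203.0.113.77) smtp.mailfrom=college.example;
       dkim=none;
       dmarc=fail action=none header.from=college.example
Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=college.example; dmarc=fail header.from=college.example
Received: from fakemailer.example.org (fakemailer.example.org [203.0.113.77])
        by mail-relay.example.net with ESMTP id r0; Mon, 01 Jan 2024 12:00:00 +0000
From: Registrar Office <admin@college.example>
Return-Path: <bounce@fakemailer.example.org>
To: student@example.net
Subject: Urgent: fee update

Please see attached.
"""

# Constructed sample of a legitimately signed message (hash/signature values are placeholders).
SIGNED_RAW = """DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;
        h=from:to:subject:date; bh=base64bodyhashPLACEHOLDER=; b=base64signaturePLACEHOLDER=
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Received: from mail.example.com (mail.example.com [198.51.100.9])
        by mx.example.net with ESMTPS id s0; Mon, 01 Jan 2024 12:00:00 +0000
From: Alice <alice@example.com>
To: bob@example.net
Subject: hello

hi
"""


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (v, a, c, d, s, h, bh, b)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)          # b= and bh= values may contain '='
            tags[k.strip()] = re.sub(r"\s+", "", v)  # folding whitespace is not significant
    return tags


def parse_auth_results(value):
    """Map method -> result (e.g. {'spf': 'softfail'}) from an Authentication-Results style header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc|arc)=(\w+)", value, re.IGNORECASE)}


def assess(raw_message):
    """Run the header checks and return the findings that point to spoofing."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

    # The bottom-most Received header is the first hop: the true origin of the message.
    received = [re.sub(r"\s+", " ", str(v)) for v in msg.get_all("Received", [])]
    m = re.search(r"\bfrom\s+(\S+)", received[-1]) if received else None
    origin_host = m.group(1).lower() if m else None

    auth = {}
    for name in ("ARC-Authentication-Results", "Authentication-Results"):
        for v in msg.get_all(name, []):
            auth.update(parse_auth_results(str(v)))

    dkim = parse_dkim_tags(str(msg["DKIM-Signature"])) if msg["DKIM-Signature"] else {}

    findings = []
    if auth.get("spf") in ("softfail", "fail"):
        findings.append(f"spf={auth['spf']}: fake source possible")
    if auth.get("dmarc") == "fail":
        findings.append("dmarc=fail: From domain did not authorize this message")
    if origin_host and from_domain and not (
            origin_host == from_domain or origin_host.endswith("." + from_domain)):
        findings.append(f"origin host {origin_host} does not belong to From domain {from_domain}")
    if dkim and dkim.get("d", "").lower() != from_domain:
        findings.append(f"DKIM d={dkim.get('d')} is not aligned with From domain {from_domain}")

    return {"from_domain": from_domain, "origin_host": origin_host, "auth": auth,
            "dkim": dkim, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("signed", SIGNED_RAW)):
        result = assess(raw)
        print(label, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

Note that this reads the results a receiving server already recorded; it does not itself verify the DKIM signature or query SPF records, and in a real case the Authentication-Results header should only be trusted when it was added by your own receiving server, since an attacker can insert one of their own.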
CONCLUSION
• To summarize, email headers include information such as the sender's IP address, internet service provider, email client, and even location, as well as information about the origin of an email and the route it traveled before arriving at its destination. This information can be used to determine the validity of a suspicious email or to block the sender from sending more. The headers may also be used to identify header spoofing, which is a strong sign that the email was sent with malicious intent.