Internet Forensic Analysis – Web, Email and Messaging Forensics to Analyze Network

Mariah | May 4th, 2020 | Forensics

An email has become the most widely used communication medium on the internet for communication. As a result, we have come up with this blog, which focuses on the email, webmail architecture from the perspective of forensics. Also, we will discuss the need for email investigation and several techniques to analyze emails using the best ever internet forensic analysis tool.
As there are several difficulties which the investigating officers may have to face while analyzing the header and link analysis of emails. Our main focus is on the internet and email forensics and to resolve the problems related to these circumstances using by MailXaminer for email investigation.

What is Internet Forensics?

In today’s world, communication is often carried out by emails in various domains such as businesses, schools, colleges, etc. At the same time, email security is also very important as criminals are always in a way to find some loopholes to get access to that sensitive information.

In internet forensics, investigators go through investigation wherein emails are considered as concrete evidence. As a result, internet forensic analysis is very important as it helps to collect evidence within the emails. Before proceeding further, let us shed light on the types of email clients, which are as follows:

1) Web-based email clients
2) Desktop-based email clients

Web-based Email Clients: Web-based email clients provide the feature to save all the data to its web server or cloud. Some web-based email clients are Yahoo mail, Hotmail, Gmail, etc. The main advantage of using web-based email clients is that it can be easily accessed from anywhere. A user just needs an Internet connection to get access through web-based email clients. However, the disadvantage of using a web-based email client is that the location of the stored data is not known to the user.

Desktop-based Email Clients: In the desktop-based email clients, all the user data is stored in the system. Thus, there is no need to worry about data security. Some of the desktop-based email clients are Outlook, Mozilla Thunderbird, Mailbird, etc. In various cybercrime activities using desktop-based clients, the attacker deletes their emails and it becomes tough for investigating officers to collect evidence.

How Does Email Work?

Let us understand the working procedure of emails about the internet and email forensics with an example-

When someone sends an email, the email sent by the sender goes to an outgoing mail server via SMTP (Simple Mail Transfer Protocol). The SMTP server verifies the user’s address and checks where to deliver the mail. Initially, SMTP fails to recognize the domain; therefore SMTP calls a DNS (Domain Name Server). The DNS server is a list of contacts sort of address book for the Internet. It translates domain address in the form of IP address and checks whether this domain has any mail exchange server or not. Now, after getting whole information by the SMTP server, the message is sent to the recipient domain’s mail exchange server. This server is called MTA (Mail Transfer Agent). Then, MTA decides where exactly to deliver the mail and figure out how the email is to be delivered. Then, the recipient fetches the email in internet forensic analysis by using any email client that works via POP or IMAP.

Email Protocols: POP vs. IMAP

Besides other email protocols, here we will focus on POP and IMAP email clients.
So, let’s take a look!

POP (Post Office Protocol): While using a POP server, the user doesn’t need to stay connected to the internet always. It is a standard mail protocol used to receive an email to a local email client. POP allows users to download emails on the system and read even in an offline mode. The major disadvantage of the POP server is that even if emails are downloaded to the user’s system, it will be removed from the email server.

IMAP (Internet Message Access Protocol): In this email protocol, as emails are stored on the remote server, users can easily access emails from multiple locations. Moreover, only an internet connection is required to access emails from any location. In the IMAP server, the emails are automatically backed up if the server is configured properly.

Internet Forensic Analysis and Email Investigation Techniques

In an email internet forensics investigation, investigators examine both the header and the body of an email. In digital forensic investigation technique, investigators follows some basic parameters in finding evidence. These parameters are:

  • Sender’s email address
  • Email initiation protocol (HTTP, SMTP)
  • Email message ID
  • Sender’s IP address

Moreover, some other steps that control email investigation include:

The storage format of email: There are different email storage formats such as Maildir, MBOX, PST, OST, etc. In order to analyze different file formats using Notepad Editor, the investigation officers may have to undergo quite a tough time. This is because, in Notepad editor, it allows opening only a single file format at a time. As a result, when files with multiple file-formats are opened in multiple tabs, it might lead to complexity in analyzing each file simultaneously.

Availability of backup of email: The backup copy of every email is required for forensic investigation. This includes seizing the attacker’s computer. In webmail, the backup emails are always stored at the server-side.

The protocol used to transport email: The protocol used in the transportation of emails is also a part of an internet and email forensics investigation. Email is composed and transmitted on an SMTP or HTTP server depending on the email server applications.

These steps are very important during the email investigation and can be done by only technical users. The disadvantage of this method is that it is a time-consuming task and very tough to do. Therefore, using a forensic tool is a wise option instead of doing it manually.

There are several internet forensic analysis tools, but it is recommended to avail the best in class software like MailXaminer. This software is famous for its great features and its speed. It can process large files in a few seconds thereby saving a lot of time. Also, it supports multiple email storage formats such as Maildir, MBOX, EML, MSG, OLM, OST, PST, etc.

Besides this, the software is induced with numerous advanced features such as Link analysis, Header analysis, Timeline analysis, etc. which makes the internet forensics investigation very easy.


In digital forensics analysis, finding evidence is a very complicated task as it is a quite time-consuming process. In this blog, we have focused on what is internet forensics and some techniques of internet and email forensic investigation. Additionally, using an email forensic analysis tool is a better choice for email investigation instead of implementing it manually. Therefore, we have exemplified about a proficient Email Forensic Tool MailXaminer to ease-up the internet forensic analysis process.