
Practical-1 Email Investigation and IP Tracing: History

This document provides an overview of email investigation and analysis. It begins with definitions of email and a brief history of its development. Key points include:
• Email allows electronic messages to be sent over communication networks and the internet. The first example was in 1965 and it grew with the development of ARPANET and internet service providers.
• Email investigation is important for cases involving phishing, spoofing, and computer hacking. Analyzing email headers provides information on the message route and sender.
• The main steps of email investigation are copying the message, inspecting and analyzing headers, and examining additional files. Email headers contain details like sender/recipient, date, and path taken between servers.

Uploaded by

dashrath singh

NAME - RAJPUROHIT BHAVANI SINGH
Enrollment No. 191127107086
Batch – B1

Practical-1
Email Investigation and IP Tracing

Introduction
What is Email?
Short for electronic mail, email (or e-mail) is defined as the transmission of messages over
communications networks. Typically, the messages are notes entered from the keyboard or
electronic files stored on disk. Most mainframes, minicomputers, and computer networks have an
email system. It is a method of exchanging messages ("mail") between people using electronic
devices. Emails are widely used to send and receive messages over the internet.

History:
The first example of email can be found on computers at MIT in a program called “MAILBOX”, all the
way back in 1965. Email had very limited use in 1960 and was only used to transfer messages within a
single host, but in 1971 ARPANET (Advanced Research Projects Agency Network) successfully
transferred email between different hosts, using the “@” (at sign) to define the server. Indicating a destination
for a message became as simple as addressing it: “username@name of computer”, which is
essentially how email has been addressed ever since.

By the 1980’s, the infancy of the internet, Internet Service Providers (ISPs) had begun connecting
people across the world, and email “hosting” sites began to pop up.

By 1993 the word “electronic mail” had been replaced by “email” in the public lexicon and internet
use had become more widespread.

As the market potential of the internet became widely apparent, Email spam began to multiply
exponentially, creating the need for email sorting software.

Example address: username@gmail.com
• The initial part (username) is called the username.
• The end part (gmail.com) is called the destination server.


Need of Email analysis:
In cases of phishing and spoofing mail, and hacking of computers, we need to do email analysis.

• Phishing and spoofing mail: Email phishing is the act of impersonating a business or other entity for
the purpose of tricking the recipient of the email into giving up sensitive personal information. Data
gleaned from phishing is often used to commit identity theft or to gain access to online accounts.

Spoofing is similar to email phishing in that it uses deception to trick users into providing sensitive
information. Email spoofing involves the use of a header that appears to have originated from
someone (or somewhere) other than the true source.

• Type of computer abuse (hacking)

• To solve cases like extortion, narcotics trafficking, stalking, sexual harassment, fraud, child
abductions and child pornography, cyber terrorism, etc.

Understanding email servers and their protocols:

Difference between web mail and web client:

Web mail:
• It is software that runs on a server (computer) which is used to constantly communicate over the internet.
• With webmail, all of our email is backed up on the server, meaning we will still have access in the event our computer breaks down.
• Example: Gmail using Google Chrome or Mozilla Firefox.

Web client:
• It is a software application or program used to view and manage your email.
• With an email client, our email is downloaded onto our computer, allowing us to back up our emails onto our hard drive or cloud storage, if there is one present (e.g. Dropbox).
• Example: Thunderbird or Microsoft Outlook.

Pic: web mail. Pic: web client.


Process of sending Email:
For sending and receiving mail, the sender and receiver may use either web mail through a browser (which connects
directly with the server) or any email client.

Sender
  ↓ (Simple Mail Transfer Protocol, SMTP)
Sender’s mail server
  ↓ Internet (SMTP)
Receiver’s mail server
  ↓ (Internet Message Access Protocol, IMAP)
Receiver

Email server:
• A mail server (or email server) is a computer system that sends and receives email.

• A mail server can receive e-mails from client computers and deliver them to other mail
servers. A mail server can also deliver e-mails to client computers. A client computer is
normally the computer where we read our e-mails, for example our computer at home or in
our office.
• The two mail servers which are used for outgoing emails are called MTAs, mail transfer
agents. The other two mail servers, used for incoming mail with the POP3/IMAP protocols, are called
MDAs, mail delivery agents.

Email protocols:
1. SMTP (Simple Mail Transfer Protocol)

2. POP (Post Office Protocol)

3. IMAP (Internet Message Access Protocol)


1. SMTP (Simple Mail Transfer Protocol)

• When we press the "Send" button in our e-mail program (e-mail client), the program will connect to
a server on the network / Internet that is called an SMTP server.

• It is a protocol that is used when e-mails are delivered from clients to servers and from servers to
other servers.

2. POP (Post Office Protocol)

• When we download e-mails to our e-mail program, the program will connect to a server on the net
that is known as a POP server.

• A POP server uses a protocol named POP3 for its communication. That is the reason why it is called
a POP server.

3. IMAP (Internet Message Access Protocol)

• IMAP is a further development of the POP protocol and is used to read e-mail from mail servers.

• IMAP is not used as much as POP, but many modern mail servers have support for IMAP.

Investigation of email:
• After a crime involving E-Mail has been committed, first and foremost the victim’s computer should
be accessed to recover the evidence.

• Using the victim’s E-Mail client, any potential evidence should be searched for and copied.

• It might be necessary to log on to the E-Mail service and access any protected or encrypted files or
folders. The contents of the mail must be copied, including its header.

• The header contains unique identifying numbers, such as the IP address of the server that sent the
message.

Email header:
Every Internet e-mail message is made up of two parts: the header and the message body.
Every email we send or receive on the Internet contains an Internet header. A full
and valid e-mail header provides a detailed log of the network path taken by the message between
the mail sender and the mail receiver(s) (email servers).
An email client program will usually hide the full header or display only some lines, such as From, To, Date,
and Subject; see below for more information on pulling headers for your email client.

Here is a breakdown of the most commonly used and viewed headers, and their values:

• From: sender's name and email address (IP address here also, but hidden)
• To: recipient's name and email address
• Date: sent date/time of the email
• Subject: whatever text the sender entered in the Subject heading before sending
To see a header file of an email-
Step-1

Step-2

Importance of email header:


Besides the most common identifications (From, To, Date, Subject), email headers also provide
information on the route an email takes as it is transferred from one computer to another. As
mentioned earlier, mail transfer agents (MTAs) facilitate email transfers. When an email is sent from
one computer to another it travels through an MTA. Each time an email is sent or forwarded by the
MTA, it is stamped with a date, time and recipient. This is why some emails, if they have had several
destinations, may have several Received headers: there have been multiple recipients since the
origination of the email. It is much like the way the post office routes a letter:
every time the letter passes through a post office on its route, or if it is forwarded on, it receives a
stamp. In this case the stamp is an email header.

Steps required for email investigation:

1. Copying of the E-Mail Message

2. Inspecting E-Mail Headers

3. Scrutinizing E-Mail Headers

4. Examining Additional E-Mail Files

1. Copying of the E-Mail Message

• Before starting an E-Mail investigation, it is essential to copy and print the E-Mail involved in
the crime or policy violation.

• With many E-Mail programs, E-Mail can be copied by dragging it to a storage medium, such as a
folder or drive, or by saving it in a different location.

• For E-Mail programs that are run from the command line, however, after opening the message, it can
be copied by using the copy option, which is usually located at the bottom of the screen.

• After a copy of the E-Mail is made, it is imperative to work on the copy only, and not on the original version, in
order to avoid altering the original evidence by mistake.

2. Inspecting E-Mail Headers

• After a message has been copied and printed, the E-Mail program is used to find the E-Mail
header that created it.

• This section includes instructions for viewing E-Mail headers in a variety of E-Mail programs,
including Windows GUI clients, a UNIX command-line E-Mail program, and some common Web-based
E-Mail providers.

• After the E-Mail headers are opened, they are copied and pasted into a text document so that
they can be read with a text editor, such as Windows.

3. Scrutinizing E-Mail Headers

• The next step is scrutinizing the saved E-Mail header to gather information about the E-Mail and
to track the suspect to the E-Mail’s originating location.

• The crucial piece of information to look for is the originating E-Mail’s domain address or an IP
address. Other supporting information consists of the date and time the message was sent,
filenames of any attachments, and the unique message number, if it is supplied.

4. Examining Additional E-Mail Files

• E-Mail programs save messages on the client computer or leave them on the server. How E-Mails
are stored depends upon the settings on the client and server.

• On the client computer, all the E-Mails are saved in a separate folder for recordkeeping
purposes. For example, in Outlook, messages can be saved as sent, draft, deleted, and received
E-Mails in a .pst file, or can be saved as offline files in an .ost file.

• With these client files (.pst and .ost), users can access and read their E-Mail offline, when their
computers aren’t connected to the central E-Mail server.

• Most E-Mail programs also include an
electronic address book, also known as Contacts, and many offer calendars, task lists, and memos.

Email tracing and tracking:

Email tracking:
Email tracking is a method for monitoring the delivery of email messages to the intended recipient.

Examples of email tracking websites:

• https://getnotify.com/

• http://didtheyreadit.com/index.php/membersend

• http://www.readnotify.com

Email tracing:
Email tracing is a method for finding out the origin of the sender using the header of the mail.

Types of Methods-

1. Manual Tracing:

Step 1 - Copy email header

Step 2 - Paste header to Notepad

Step 3 - Extract all information

2. Automatic Tracing:

Step 1 - Copy email header

Step 2 - Paste header to a particular software or website

• https://iplogger.org/

• https://whatismyipaddress.com/trace-email
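
The "extract all information" step of manual tracing, and the header scrutiny described in step 3 of the investigation, can be scripted. The following is an added example, not part of the original practical: the sample message, its domains and its IP addresses are constructed, and the function names are hypothetical.

```python
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Constructed sample message (documentation-range IPs, example domains).
SAMPLE = (
    "Received: from relay.sender.example (relay.sender.example [198.51.100.7])\n"
    "\tby mx.recipient.example with ESMTP id B2;\n"
    "\tMon, 04 Mar 2024 10:15:05 +0000\n"
    "Received: from [192.168.1.44] (unknown [192.0.2.99])\n"
    "\tby relay.sender.example with ESMTPSA id C3;\n"
    "\tMon, 04 Mar 2024 10:15:01 +0000\n"
    "From: Accounts <accounts@sender.example>\n"
    "Message-ID: <constructed-001@sender.example>\n"
    "Subject: Invoice\n\nBody text.\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def trace_hops(raw):
    """Return the message and its Received hops, ordered origin first."""
    msg = email.message_from_string(raw)
    hops = []
    # Every MTA prepends its own Received line, so the oldest one is last.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())         # undo header folding
        info, _, stamp = flat.rpartition(";")  # timestamp follows the last ';'
        by = BY_RE.search(info)
        hops.append({"by": by.group(1) if by else None,
                     "ips": IP_RE.findall(info),
                     "time": parsedate_to_datetime(stamp.strip())})
    return msg, hops

def origin_ip(hops):
    """First non-internal address recorded by the earliest hop, if any."""
    for ip in (hops[0]["ips"] if hops else []):
        if not any(ipaddress.ip_address(ip) in net for net in INTERNAL):
            return ip
    return None

def clock_order_ok(hops):
    """Timestamps should not go backwards along the route."""
    times = [h["time"] for h in hops]
    return times == sorted(times)
```

Only the Received lines added by servers the investigator trusts are reliable; the earlier ones are supplied by upstream systems and may be forged, so an out-of-order timestamp or an internal-only address in the first hop is a reason to check the server logs.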
