Email forensics is the process of collecting, analysing, and preserving email data. This data serves as digital evidence in cyber investigations or legal proceedings. Whether you are investigating a phishing attack, business email compromise, or insider threat, knowing how to begin email forensics gives you a systematic method to extract reliable, court-admissible evidence from email systems.
What Is Email Forensics?
Email forensics involves the scientific examination of email messages, including their headers, metadata, attachments, and routing information. The goal is to determine origin, authenticity, and content integrity. It is used in cases such as CEO fraud and cyber extortion.
Email evidence is admissible in Indian courts under Section 65B of the Indian Evidence Act, provided it is collected and preserved correctly. Improper handling, such as opening the original email without creating a forensic copy, can render the evidence inadmissible. Learn more about email as evidence in Indian courts.
How to Begin Email Forensics: Step-by-Step
Step 1: Define the Scope and Objective
Before touching any evidence, clarify the purpose of the investigation. Are you trying to identify the sender of a threatening email, prove that someone received a specific message on a particular date, or trace the path of a phishing email through corporate infrastructure? The answers define what data you need to collect and how deeply you need to analyse it.
Step 2: Preserve and Secure the Evidence
This is the most critical step, because it determines whether your evidence will be admissible in court. Never work directly on the original email. Create a forensic image or write-protected copy of the email data source, whether that is an Outlook .pst/.ost file, an Apple Mail .mbox archive, a Gmail Takeout export, or raw message files on a mail server. Calculate and record the hash value (SHA-256 or MD5) of the original files before and after copying to prove they have not been altered. This chain-of-custody documentation is essential for court admissibility. For more on hash values, see the guide on the importance of hash values in computer forensics.
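Added example, not from the original article: a small standard-library Python routine that carries out the preservation step on a file-based source such as a .pst export. It hashes the original, copies it, write-protects and re-hashes the copy, refuses to continue if the hashes differ, and appends a chain-of-custody record. The file name, examiner ID and sample content are constructed placeholders.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Hash in chunks so multi-gigabyte .pst/.ost exports need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve(source, evidence_dir, examiner):
    """Hash the original, copy it, write-protect and re-hash the copy, log the record."""
    source, evidence_dir = Path(source), Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    before = sha256_of(source)
    copy = evidence_dir / source.name
    shutil.copy2(source, copy)  # copy2 also carries over the original timestamps
    os.chmod(copy, 0o444)       # all analysis happens on this read-only working copy
    after = sha256_of(copy)
    if after != before:
        raise RuntimeError(f"copy of {source.name} failed hash verification")
    record = {
        "item": source.name,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "sha256_original": before,
        "sha256_copy": after,
        "verified": True,
    }
    with open(evidence_dir / "chain_of_custody.jsonl", "a") as log:
        log.write(json.dumps(record) + "\n")  # one append-only line per item
    return record


def demo():
    """Run preserve() on a constructed stand-in file (not a real PST) in a temp dir."""
    work = Path(tempfile.mkdtemp())
    sample = work / "mailbox.pst"  # constructed placeholder name
    sample.write_bytes(b"constructed sample content\n" * 64)
    return preserve(sample, work / "evidence", "examiner-01")  # assumed examiner id
```

The same `sha256_of` value should be recomputed and compared whenever the working copy changes hands, so every custody transfer is backed by a matching hash.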
Step 3: Analyse Email Headers
Email headers contain a wealth of investigative data that normal email clients hide from view. A full header includes: the originating IP address, the mail servers the message traversed (the Received fields), timestamps at each hop, the Message-ID, SPF/DKIM/DMARC authentication results, and the email client or software used to compose the message.
To view full headers in Gmail, open the email → click the three-dot menu → “Show original”. In Outlook, open the message → File → Properties → Internet headers. Tools like MXToolbox Email Header Analyser or the free header analyser at mail-header.com can parse headers visually and identify anomalies like spoofed sender addresses or headers that contradict each other.
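As an added example (not code from the original article), the following standard-library Python script automates the header checks described above: it walks the Received chain oldest-hop-first, extracts the SPF/DKIM/DMARC verdicts from Authentication-Results, and flags headers that contradict the claimed sender. The message is a constructed sample; its hostnames and IP addresses are documentation placeholders.

```python
import re
from email import message_from_bytes, policy
from email.utils import parsedate_to_datetime
# Constructed sample, not a real capture: From claims example.com, but the first hop is an unrelated relay and spf/dmarc failed.
RAW_MESSAGE = b"""\
Received: from mx2.example.net (mx2.example.net [203.0.113.10])
\tby inbox.example.net with ESMTPS; Mon, 03 Mar 2025 10:02:11 +0000
Received: from relay.attacker-example.org (unknown [198.51.100.7])
\tby mx2.example.net with ESMTP; Mon, 03 Mar 2025 10:02:09 +0000
Authentication-Results: mx2.example.net; spf=fail smtp.mailfrom=example.com;
\tdkim=none; dmarc=fail header.from=example.com
Message-ID: <a1b2c3@relay.attacker-example.org>
From: "CEO" <ceo@example.com>

Please process the attached invoice today.
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw):
    """Hops oldest-first: each server prepends its own Received line, so reverse them."""
    msg = message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        clause, _, date_part = str(value).rpartition(";")
        words, ips = clause.split(), IP_RE.findall(clause)
        hops.append({"from": words[1] if words[:1] == ["from"] else None,
                     "ip": ips[0] if ips else None,
                     "time": parsedate_to_datetime(date_part.strip())})
    return hops

def auth_results(raw):
    # spf/dkim/dmarc verdicts that the receiving gateway wrote into the headers
    msg = message_from_bytes(raw, policy=policy.default)
    joined = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", joined))

def anomalies(raw):
    """Cross-check the claimed From domain against first hop, Message-ID and verdicts."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    under = lambda host: host == from_domain or host.endswith("." + from_domain)
    hops, findings = received_chain(raw), []
    if hops and hops[0]["from"] and not under(hops[0]["from"].lower()):
        findings.append(f"first hop {hops[0]['from']} is outside {from_domain}")
    msgid_domain = str(msg["Message-ID"]).rstrip(">").rpartition("@")[2].lower()
    if msgid_domain and not under(msgid_domain):
        findings.append(f"Message-ID domain {msgid_domain} differs from From domain")
    findings += [f"{m}={r}" for m, r in auth_results(raw).items() if r != "pass"]
    if any(b["time"] < a["time"] for a, b in zip(hops, hops[1:])):
        findings.append("Received timestamps run backwards")
    return findings
```

Only the Received line added by your own gateway is trustworthy; everything below it in the chain was supplied by earlier servers and can be forged, which is why the findings are corroborated against server logs rather than taken as proof on their own.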
Step 4: Examine Email Content and Attachments
Analyse the email body for embedded links (hover before clicking — never click directly), encoded content, or hidden text. Always examine attachments in a sandboxed environment. Suspicious file types include .docm, .xlsm, .js, .hta, .iso, and .lnk files that may execute malware on opening. Use tools like VirusTotal, Any.run, or a dedicated malware sandbox to analyse attachments safely without risking your forensic workstation.
Step 5: Extract and Analyse Metadata
Beyond headers, email metadata includes creation timestamps embedded in document attachments, geolocation data in photo attachments (EXIF data), author fields in Office documents that can reveal the true creator, and server-side metadata from email platform logs. Each layer can corroborate or contradict the story presented in the email itself.
Step 6: Recover Deleted Emails
Deleted emails are rarely gone permanently. In Microsoft Exchange and Outlook, items remain in the Recoverable Items folder for a configurable retention period. On Gmail, deleted items remain accessible to administrators via Vault for up to 30 days. Forensic tools can recover deleted messages from .pst/.ost files even after someone removes them from the Recoverable Items folder, by scanning for orphaned message structures in the file’s unallocated space.
Step 7: Document Findings and Prepare a Report
Your forensic report must include a clear chain of custody, a description of the tools and methodology used, a timeline of email activity, the conclusions you have reached, and the evidence that supports each conclusion. Write the report in plain language accessible to non-technical judges and attorneys, with technical details confined to appendices. Under Section 65B of the Indian Evidence Act, a certificate from a competent authority confirming the integrity of electronic evidence must accompany the report.
What Tools Are Used in Email Forensics?
- MailXaminer — Purpose-built email forensics tool supporting 25+ email formats, keyword search, link analysis, geo-location mapping, and court-ready report generation.
- Autopsy / Sleuth Kit — Open-source digital forensics platform that can parse email files as part of broader disk image analysis.
- MXToolbox — Free web tool for parsing and analysing email headers, checking blacklists, and testing email authentication configurations.
- VirusTotal / Any.run — Cloud-based sandboxes for safe analysis of suspicious email attachments.
- FTK (Forensic Toolkit) — Comprehensive forensic platform with strong email parsing capabilities for .pst, .ost, and .mbox formats.
What Are the Common Challenges in Email Forensics?
- End-to-end encryption — Emails encrypted with S/MIME or PGP cannot be read without the recipient’s private key. Investigators must obtain the key through legal process or focus on metadata rather than content.
- Header manipulation — Skilled attackers can forge Received headers to obscure the true origin. Cross-referencing server logs and DKIM signatures helps identify manipulation.
- Email spoofing — The From field in an email can be set to any address. Only SPF, DKIM, and DMARC records can technically verify whether an email genuinely originated from the claimed domain.
- Proprietary formats — Emails are stored in dozens of formats (.pst, .ost, .mbox, .eml, .nsf for Lotus Notes) requiring specific tools for each.
- Cloud-hosted email — When email is hosted on Gmail, Office 365, or another cloud platform, investigators may need a court order to obtain server-side logs that are not accessible to the end user.
How to Report an Email-Based Cybercrime in India?
If you have received threatening, fraudulent, or abusive emails, or if your organisation has been targeted by a phishing or BEC attack, report it at cybercrime.gov.in or call Cyber Crime Helpline 1930. For a professional email forensics investigation with court-admissible evidence, contact cyber expert Anuraag Singh.