Email headers are the lines of metadata at the start of every email message, and they contain a great deal of information that is useful to a forensic investigator. However, most header fields are written by the sender's own software and can be forged trivially, so headers should never be used as the only source of evidence.
Making Sense of Headers
There is no single way to make sense of email headers. Some examiners favor reading from the bottom up, some favor reading from the top down. Each server that handles a message prepends its own Received line above the existing headers, so the topmost lines were added last, nearest the recipient, and the bottom-most Received line records the earliest hop; reading from the bottom up therefore follows the message in delivery order. Because any given line may have been put there by the sender's MUA, by a server in transit, or by the recipient's MUA or mailbox software, it can be difficult to determine when, and by whom, a line was added.
Sender's IP Address
Some web-based email providers record the IP address from which the sender connected to the web interface, for example in an X-Originating-IP header. Others do not, and for a message sent through such a provider's web interface the earliest Received line shows only the provider's own servers, not the sender's machine.
Mail User Agents
Every MUA sets up the headers for a message slightly differently. Although some headers are required under the applicable RFC, their format and ordering can vary by client. Almost all clients, however, add their headers in a fixed format and order. The examiner can use the format and order for each client to show that messages were forged, but not that they were legitimate. For example, if a message purports to be from Apple Mail but the order of the headers does not match the Apple Mail Header Format, the message has been forged or edited. If the headers of the message do match that format, however, that does not guarantee that the message was sent by that program: anyone who knows the format can reproduce it.
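As an added illustration of this asymmetry (example code written for this page, not taken from the original wiki article or from any mail client's documentation), the Python function below compares the order of a message's headers against a client profile. The profile EXAMPLE_CLIENT and both sample messages are made up for the example; they are not the real header layout of Apple Mail or any other client, and in practice the profile would be built from reference messages known to come from the client under examination. Headers the client does not write (Received, List-*, spam scores) are ignored, because servers in transit add those and they say nothing about the MUA.

```python
import re
from email import message_from_string

# Hypothetical client profile, invented for this example. It is NOT the real
# header layout of Apple Mail or any other client.
EXAMPLE_CLIENT = {
    "name": "ExampleMail",
    "ident_header": "X-Mailer",
    "ident_pattern": r"^ExampleMail \d+\.\d+$",
    # headers this client always writes, in the order it writes them
    "order": ["From", "To", "Subject", "Date", "Message-Id",
              "MIME-Version", "Content-Type", "X-Mailer"],
}


def fingerprint(raw_message, profile):
    """Return (verdict, reasons) with verdict in
    'not_claimed' | 'inconsistent' | 'consistent'.

    'inconsistent' means the headers cannot have been written as-is by the
    profiled client, which is evidence of forgery or later editing.
    'consistent' only means no contradiction was found; it never proves the
    client actually produced the message."""
    msg = message_from_string(raw_message)
    names = [n.lower() for n in msg.keys()]        # every field, in order, duplicates kept
    if profile["ident_header"].lower() not in names:
        return "not_claimed", [f"no {profile['ident_header']} header: message does not "
                               f"claim to be from {profile['name']}"]
    reasons = []
    ident_value = msg.get(profile["ident_header"], "")
    if not re.match(profile["ident_pattern"], ident_value):
        reasons.append(f"{profile['ident_header']} value {ident_value!r} does not match "
                       f"the client's pattern")
    expected = [h.lower() for h in profile["order"]]
    # Keep only the fields the client itself writes; transit headers are irrelevant here.
    observed = [n for n in names if n in expected]
    missing = sorted(set(expected) - set(observed))
    if missing:
        reasons.append(f"headers the client always writes are missing: {missing}")
    if len(observed) != len(set(observed)):
        reasons.append("a header the client writes once appears more than once")
    rank = {h: i for i, h in enumerate(expected)}
    ranks = [rank[n] for n in observed]
    if ranks != sorted(ranks):
        reasons.append(f"client headers appear in order {observed}, "
                       f"but the profile expects {expected}")
    return ("inconsistent" if reasons else "consistent"), reasons


# Constructed sample messages (not real mail). Both carry the same X-Mailer claim.
CONSISTENT = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx.example.net (Postfix) with ESMTP id 3F2A1B7C;
    Sat, 24 Feb 2007 20:44:02 -0500 (EST)
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: status
Date: Sat, 24 Feb 2007 20:43:56 -0500
Message-Id: <status-1@example.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: ExampleMail 3.1
"""

# Same fields, but Date and X-Mailer come first: whatever wrote these headers
# was not the claimed client, or the headers were rearranged afterwards.
REORDERED = """\
X-Mailer: ExampleMail 3.1
Date: Sat, 24 Feb 2007 20:43:56 -0500
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: status
Message-Id: <status-1@example.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
"""

if __name__ == "__main__":
    for label, sample in (("consistent sample", CONSISTENT), ("reordered sample", REORDERED)):
        verdict, reasons = fingerprint(sample, EXAMPLE_CLIENT)
        print(f"{label}: {verdict} {reasons}")
```

Note that the consistent sample is reported as such even though nothing in the code (or in the headers) proves which program wrote it; only the inconsistent verdict is a finding.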
Servers in Transit
Each mail server that handles a message prepends its own header lines above the existing ones, usually in the form of a "Received" line, like this:
Received: by servername.recipienthost.com (Postfix, from userid 506) id 77C30808A; Sat, 24 Feb 2007 20:43:56 -0500 (EST)
Message Id Field
This is an (incomplete) excerpt from an email header:
Received: from lists.securityfocus.com (lists.securityfocus.com [18.104.22.168]) by outgoing2.securityfocus.com (Postfix) with QMQP id 7E9971460C9; Mon, 9 Jan 2006 08:01:36 -0700 (MST)
Mailing-List: contact firstname.lastname@example.org; run by ezmlm
Precedence: bulk
List-Id: <forensics.list-id.securityfocus.com>
List-Post: <mailto:email@example.com>
List-Help: <mailto:firstname.lastname@example.org>
List-Unsubscribe: <mailto:email@example.com>
List-Subscribe: <mailto:firstname.lastname@example.org>
Delivered-To: mailing list email@example.com
Delivered-To: moderator for firstname.lastname@example.org
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
From: YJesus <email@example.com>
To: firstname.lastname@example.org
Subject: New Tool : Unhide
User-Agent: KMail/1.9
MIME-Version: 1.0
Content-Disposition: inline
Date: Thu, 5 Jan 2006 16:41:30 +0100
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-Id: <email@example.com>
X-HE-Spam-Level: /
X-HE-Spam-Score: 0.0
X-HE-Virus-Scanned: yes
Status: RO
Content-Length: 586
Lines: 26
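The following Python example is added here and is not part of the original wiki page. It applies the bottom-up reading described under "Making Sense of Headers" and "Servers in Transit" to the excerpt above: it pulls out the Received lines with the standard library's email parser, reverses them into delivery order, parses the from/by/with/id clauses and timestamps, and flags the things an examiner would query (a Date header later than the first server stamp, a hop stamped before its predecessor, a hand-off whose "from" host is not the previous hop's "by" host, and unusually long gaps). The embedded SAMPLE_HEADERS is an abridged copy of the excerpt (List-* and scanner headers dropped, addresses left as the placeholders shown on the page); the 24-hour gap threshold is an arbitrary choice for the example. On this excerpt the only finding is the gap of almost four days between the qmail stamp on 5 January and the outgoing2 stamp on 9 January, which is consistent with the "moderator for" Delivered-To line: the message sat in the list moderation queue.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Abridged copy of the header excerpt above (List-* and scanner headers dropped;
# addresses are the placeholders shown on the page). Transit servers prepend,
# so the topmost Received line is the hop nearest the recipient.
SAMPLE_HEADERS = """\
Received: from lists.securityfocus.com (lists.securityfocus.com [18.104.22.168])
    by outgoing2.securityfocus.com (Postfix) with QMQP id 7E9971460C9;
    Mon, 9 Jan 2006 08:01:36 -0700 (MST)
Delivered-To: mailing list email@example.com
Delivered-To: moderator for firstname.lastname@example.org
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
From: YJesus <email@example.com>
To: firstname.lastname@example.org
Subject: New Tool : Unhide
User-Agent: KMail/1.9
Date: Thu, 5 Jan 2006 16:41:30 +0100
Message-Id: <email@example.com>
"""


def parse_stamp(text):
    """Parse an RFC 5322 date-time; returns None if unparseable.
    A '-0000' zone means 'unknown' and yields a naive datetime, which is pinned
    to UTC so stamps from different hops stay comparable."""
    try:
        dt = parsedate_to_datetime(text.strip())
    except (TypeError, ValueError):
        return None
    if dt is None:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def parse_received(value):
    """Split one Received field into its clauses and its timestamp."""
    value = " ".join(value.split())            # unfold continuation lines
    clauses, sep, stamp = value.rpartition(";")
    if not sep:                                # no timestamp at all
        clauses, stamp = value, ""

    def grab(pattern):
        m = re.search(pattern, clauses)
        return m.group(1) if m else None

    return {
        # anchored so 'invoked from network' in the qmail line is not taken as a host
        "from": grab(r"^from\s+(\S+)"),
        "ip": grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"),
        "by": grab(r"\bby\s+(\S+)"),
        "with": grab(r"\bwith\s+(\S+)"),
        "id": grab(r"\bid\s+(\S+)"),
        "ts": parse_stamp(stamp) if stamp else None,
    }


def hops_in_order(raw_headers):
    """Return (hops in delivery order, Date header). Reversing get_all() turns
    the prepended Received lines into bottom-up (chronological) order."""
    msg = message_from_string(raw_headers)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received") or [])]
    for i, hop in enumerate(hops):
        hop["index"] = i
    return hops, msg.get("Date")


def timeline_findings(hops, date_header, max_gap=24 * 3600):
    """Flag a Date later than the first server stamp, a hop stamped before its
    predecessor, a hand-off whose 'from' host differs from the previous hop's
    'by' host, or a gap longer than max_gap seconds (threshold is arbitrary)."""
    findings = []
    stamped = [h for h in hops if h["ts"]]
    date_dt = parse_stamp(date_header) if date_header else None
    if date_dt and stamped and date_dt > stamped[0]["ts"]:
        findings.append(f"Date header {date_dt} is later than first Received stamp {stamped[0]['ts']}")
    for prev, cur in zip(stamped, stamped[1:]):
        gap = (cur["ts"] - prev["ts"]).total_seconds()
        if gap < 0:
            findings.append(f"hop {cur['index']} is stamped {-gap:.0f}s before hop {prev['index']}")
        elif gap > max_gap:
            findings.append(f"hop {cur['index']} is stamped {gap:.0f}s after hop {prev['index']}")
        if prev["by"] and cur["from"] and prev["by"] != cur["from"]:
            findings.append(f"hop {cur['index']} claims 'from {cur['from']}' but hop "
                            f"{prev['index']} was 'by {prev['by']}'")
    return findings


if __name__ == "__main__":
    hops, date_hdr = hops_in_order(SAMPLE_HEADERS)
    for hop in hops:
        print(hop["index"], hop["ts"], hop["from"], hop["ip"], hop["by"], hop["with"], hop["id"])
    for finding in timeline_findings(hops, date_hdr):
        print("finding:", finding)
```

The hand-off check is the one worth extending for real casework: a forged Received line inserted by the sender will usually be the bottom-most one, and the first genuine server's "from" clause (with the connecting IP in brackets) is the only part of the chain the examiner can actually trust.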