Using signature headers to determine if an email has been forged
Email signatures, designed for authentication, non-repudiation, and spam control, can also be used to determine whether an email has been forged. In the most common case, the forger copies headers from an existing email message onto a new one. He could also attempt to change the content of a signed message. In either case the signature no longer corresponds to the message, and it can be shown that the message is not authentic.
Sender Policy Framework
Sender Policy Framework (SPF) records let a domain enumerate which hosts are allowed to send mail on its behalf. If a message purports to be from example.com but arrived from an IP address that SPF does not authorize to send mail for that domain, it has been forged. As an example, suppose we have an email purporting to be from email@example.com that was sent from the IP address 18.104.22.168. An investigator can query the DNS TXT records of that domain, in this case mit.edu, to see the permitted senders.
$ host -t txt mit.edu
mit.edu descriptive text "v=spf1 ip4:22.214.171.124/24 ip4:126.96.36.199/24 ip4:188.8.131.52/16 ~all"
Here we see three IP address ranges (two /24 networks and one /16) authorized to send mail for the mit.edu domain. The sending address on the message falls in none of them, and the record ends in ~all (softfail), so the email in question may be forged. An SPF mismatch on its own is not proof: a message that was legitimately forwarded by a third party also fails SPF, so the result should be weighed together with the other headers.
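The check described above, carried out against the SPF record quoted from the host output, as an added Python example (not part of the original wiki page): it parses the record's ip4/ip6/all mechanisms and reports the SPF result for a given sending address, following the left-to-right, first-match evaluation order. It works offline on the record string, so mechanisms that would need further DNS lookups (include, a, mx, redirect) are reported as inconclusive rather than guessed.

```python
import ipaddress

# SPF TXT record as quoted on this page for mit.edu (the IPs are as shown there)
SPF_RECORD = 'v=spf1 ip4:22.214.171.124/24 ip4:126.96.36.199/24 ip4:188.8.131.52/16 ~all'

# SPF qualifier prefixes and the result each produces when its mechanism matches
QUALIFIERS = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}

def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != 'v=spf1':
        raise ValueError('not an SPF record: %r' % record)
    parsed = []
    for term in terms[1:]:
        qualifier = '+'              # no prefix means 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(':')
        parsed.append((qualifier, mech.lower(), value))
    return parsed

def check_sender(record, sender_ip):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral') for sender_ip.

    Mechanisms are evaluated left to right and the first match wins, as in
    RFC 7208. Only ip4, ip6 and all are evaluated offline here; anything else
    (include, a, mx, exists, redirect=) needs further DNS lookups, so a record
    that reaches such a term before matching yields 'inconclusive'.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech == 'all':
            return QUALIFIERS[qualifier]
        if mech in ('ip4', 'ip6'):
            # strict=False accepts 'ip4:1.2.3.4/24' even though host bits are set
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return 'inconclusive'
    return 'neutral'   # no 'all' term and nothing matched

if __name__ == '__main__':
    # 18.104.22.168 is the sending address from the example above
    print(check_sender(SPF_RECORD, '18.104.22.168'))  # softfail
    print(check_sender(SPF_RECORD, '22.214.171.1'))   # pass
```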
DomainKeys Identified Mail
Messages sent using PGP, or its free equivalents such as GnuPG, have the signature in the message body itself. Each message can be signed, encrypted, or both. Encrypted messages begin with the header
-----BEGIN PGP MESSAGE-----
followed by some optional headers. The optional headers may include the character set of the decoded message, the program and version that created the message, and an optional comment. The end of the message is noted with
-----END PGP MESSAGE-----
Between these two lines is a series of ASCII characters (ASCII-armored, base64-encoded data) that represents the encrypted or signed message. A signed message has the header
-----BEGIN PGP SIGNATURE-----
at the end of the signed message followed by the same optional headers as encrypted messages. The signature is usually three lines of ASCII characters.