Why do we need digital evidence? Because it helps solve cybercrimes such as hacking, unauthorised transmission of information or data, identity theft, malicious attacks, theft of commercial secrets or of confidential information of a state or country, creation of fake documents such as identity proofs, email communication between suspects/conspirators, etc.
Can you guess how many emails are sent each day?
Approximately 330 billion in 2022, according to a research organisation’s report.
In today’s digital age, email has become a crucial tool for both professional and personal communication. Cybercriminals also use email as a means of communication. Therefore, it is important to understand how email communication works and the procedures involved; with that understanding, it becomes easier to extract evidence during an email investigation and forensics. When an email is sent, it is first composed in an email client, such as Outlook, Gmail, or Hotmail.
The email process begins when the user sends a message from an email client (Gmail, Hotmail, Outlook, etc.). The message first reaches the sender’s mail server. That mail server uses SMTP (Simple Mail Transfer Protocol) to forward the message to the mail server of the recipient’s email service provider. SMTP is the standard protocol for sending email messages between servers: most email systems that send mail over the Internet use SMTP to move messages from one server to another and to exchange messages with local mail clients such as Microsoft Outlook or Apple Mail. This server-to-server forwarding is typically called mail transfer.
Once the email message reaches the recipient’s mail server, it is stored there until the recipient retrieves it using either IMAP or POP (Post Office Protocol), the two standard protocols for receiving email. POP is used to retrieve email from a mail server and is typically used by email clients such as Microsoft Outlook, Apple Mail, and Thunderbird. POP clients connect to the mail server, download all the messages, and then disconnect. Once downloaded, the messages are typically removed from the server, so if you want to access your email from multiple devices, you have to download it on each of them.
IMAP, the Internet Message Access Protocol, is a protocol used to retrieve and manage email messages on a mail server. It is typically used by email clients such as Microsoft Outlook, Apple Mail, and Thunderbird. IMAP clients connect to the mail server and can read and manage messages without downloading them, so you can access your email from multiple devices without downloading it multiple times. IMAP supports many features that POP does not, so it is generally considered the better choice, offering more flexibility and functionality.
Along the way, the message may pass through several intermediate servers, such as spam filters, firewalls, and gateways, which are used to protect the security and integrity of the message. These servers may also add features such as encryption and help to block spam and malware.
Overall, email message flow is a complex process in which many components and technologies work together so that the message arrives at its destination in a timely and secure manner. The above is a general overview of how email is sent and delivered.
Let’s understand it more clearly:
When you compose and send an email, the message is first sent from your email client to your mail server, which is typically operated by your email service provider (such as Gmail, Hotmail, or Outlook). The mail server then uses the Simple Mail Transfer Protocol (SMTP) to send the message to the recipient’s mail server.
As the message travels across the internet, it passes through various routers and servers, which are responsible for routing it to its destination. The Domain Name System (DNS) is used to convert the domain name of the recipient’s email address (such as gmail.com) into an IP address, which is used to route the message to the correct server. (I have already uploaded a video on DNS: what DNS is and how it works, in both Hindi and English.)
Once the email reaches the recipient’s mail server, it is checked for spam and then delivered to the recipient’s mailbox. The recipient can then access the message using an email client or a web interface.
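Every mail server on the path described above prepends its own Received header, so the headers read newest-first and the bottom one is closest to the origin. The script below is an added example (not code from the original post): it parses a constructed three-hop message, lists the hops in chronological order, pulls out the relaying IP and timestamp of each, and flags hops whose timestamps run backwards, which is one sign that a sender has forged the lower Received headers. Only the headers added by servers you trust (your own provider and upward) are reliable; everything beneath the first trusted hop is under the sender’s control.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture): three hops, newest Received header first.
RAW_MESSAGE = b"""\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mailbox.example.org with ESMTPS id abc123;
\tMon, 6 Mar 2023 10:05:12 +0000
Received: from relay.example.com (relay.example.com [203.0.113.9])
\tby mx.example.net with ESMTP id def456;
\tMon, 6 Mar 2023 10:04:58 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay.example.com with ESMTPSA id ghi789;
\tMon, 6 Mar 2023 10:04:40 +0000
From: sender@example.com
To: victim@example.org
Subject: test
Date: Mon, 6 Mar 2023 10:04:30 +0000

hello
"""

# "from <host> ... by <host>" clause of a Received header, and the bracketed IPv4 literal.
HOP_RE = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.IGNORECASE | re.DOTALL)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> dict:
    """Unfold one Received header and extract sending host, relaying IP, receiving host and time."""
    text = " ".join(value.split())           # collapse folded continuation lines
    m = HOP_RE.search(text)
    ip = IP_RE.search(text)
    _, sep, date_part = text.rpartition(";")  # the date follows the last ';'
    when = None
    if sep:
        try:
            when = parsedate_to_datetime(date_part.strip())
        except (TypeError, ValueError):
            when = None                       # malformed date: keep the hop, lose the time
    return {
        "from": m.group("from") if m else None,
        "by": m.group("by") if m else None,
        "ip": ip.group(1) if ip else None,
        "time": when,
        "raw": text,
    }


def trace_path(raw: bytes) -> list:
    """Return hops oldest-first: the last Received header is the one nearest the sender."""
    msg = email.message_from_bytes(raw)
    headers = msg.get_all("Received") or []
    return [parse_received(h) for h in reversed(headers)]


def origin_ip(hops: list):
    """IP recorded by the first server on the path (trust it only if that server is trusted)."""
    return hops[0]["ip"] if hops else None


def timestamp_anomalies(hops: list) -> list:
    """Indexes of hops whose timestamp is earlier than the previous hop's (clock skew or forgery)."""
    bad = []
    for i in range(1, len(hops)):
        earlier, later = hops[i - 1]["time"], hops[i]["time"]
        if earlier and later and later < earlier:
            bad.append(i)
    return bad


if __name__ == "__main__":
    path = trace_path(RAW_MESSAGE)
    for n, hop in enumerate(path, 1):
        print(f"hop {n}: {hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['time']}")
    print("origin IP:", origin_ip(path))
    print("timestamp anomalies:", timestamp_anomalies(path))
```

Run the file directly to print the reconstructed path; in an investigation you would then resolve the origin IP’s ownership and compare the hop times against the Date header, which is set by the sender’s client and is not trustworthy on its own.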
The email communication process is a bit more complex than that, and there are many other details and protocols involved, such as:
The email client may use a protocol such as IMAP or POP3 to connect to the mail server and retrieve email.
Email security mechanisms such as SSL or TLS for secure communication with the email server. SSL (Secure Sockets Layer) is a protocol for establishing secure connections between servers and clients. It is used to encrypt data sent over the internet, such as credit card numbers and login credentials, to prevent it from being intercepted by unauthorised parties. SSL was superseded by TLS (Transport Layer Security) in 1999, but the term “SSL” is still commonly used.
Email authentication mechanisms such as SPF, DKIM, and DMARC to prevent email spoofing and phishing. SPF (Sender Policy Framework) is an email authentication method designed to detect forged sender addresses (email spoofing), a common weakness, by verifying that incoming mail from a domain comes from an IP address authorised by that domain’s administrators. It is published as a DNS TXT record that identifies which mail servers are authorised to send email on behalf of the domain; mail exchangers query the DNS to check that mail claiming to be from a given domain is being sent by a host sanctioned by that domain’s administrators.
DKIM (DomainKeys Identified Mail) is an email authentication method that lets the receiver check that a message was actually sent by the domain it claims to come from and that it has not been modified in transit. This is done with a digital signature added to the message headers. The signature is produced with a private key held by the sending domain, and the matching public key is published in the DNS. The receiver fetches the public key, verifies the signature, and thus confirms that the message is authentic.
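A DKIM signature actually protects two things: the bh= tag carries a hash of the canonicalised body, and the b= tag is the RSA signature over selected headers (including bh=). The body-hash part needs no key and no DNS, so it is the first thing an analyst checks when asking whether the content was altered. The code below is an added example, not code from the original post or from any DKIM library: it implements the simple and relaxed body canonicalisation rules of RFC 6376, parses the DKIM-Signature tag list, and recomputes bh= to compare against the header. The RSA verification of b= (which needs the public key from DNS and a crypto library) is deliberately out of scope here, and the sample message, domain and selector are constructed.

```python
import base64
import email
import hashlib
import hmac
import re


def canonicalize_body(body: bytes, method: str) -> bytes:
    """RFC 6376 body canonicalisation: 'simple' or 'relaxed'. Output always uses CRLF."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if method == "relaxed":
        # Collapse runs of whitespace to one space and strip trailing whitespace per line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":   # both methods drop trailing empty lines
        lines.pop()
    if not lines:
        return b"" if method == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, canon: str, algo: str) -> str:
    """Base64 digest of the canonicalised body, as carried in the bh= tag."""
    h = hashlib.new(algo)                # "sha256" for rsa-sha256, "sha1" for rsa-sha1
    h.update(canonicalize_body(body, canon))
    return base64.b64encode(h.digest()).decode()


def parse_dkim_tags(header_value: str) -> dict:
    """Turn 'v=1; a=rsa-sha256; bh=...' into a dict, dropping folding whitespace in values."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def split_message(raw: bytes):
    """Headers and body as transmitted; DKIM hashes the raw body, not a decoded payload."""
    m = re.search(rb"\r?\n\r?\n", raw)
    if m is None:
        return raw, b""
    return raw[:m.start()], raw[m.end():]


def verify_body_hash(raw: bytes) -> str:
    """'pass' if bh= matches the body, 'fail' if not, 'none' without a signature, 'neutral' if unsupported."""
    head, body = split_message(raw)
    sig = email.message_from_bytes(head + b"\r\n\r\n").get("DKIM-Signature")
    if sig is None:
        return "none"
    tags = parse_dkim_tags(sig)
    if "l" in tags:                       # length-limited body hash: not handled in this example
        return "neutral"
    algo = tags.get("a", "rsa-sha256").split("-")[-1]
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"   # one value = header canon only
    actual = body_hash(body, body_canon, algo)
    return "pass" if hmac.compare_digest(actual, tags.get("bh", "")) else "fail"


# Constructed sample message. b= is a placeholder because the header signature is not checked here.
BODY = b"Invoice attached.\r\nPlease pay by Friday.\r\n"


def build_message(body: bytes, canon: str = "simple") -> bytes:
    """Signer side of the bh= computation (the RSA step a real signer adds is omitted)."""
    bh = body_hash(body, canon, "sha256")
    headers = (
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/" + canon.encode() + b"; d=example.com;\r\n"
        b"\ts=sel1; h=from:to:subject; bh=" + bh.encode() + b";\r\n"
        b"\tb=placeholder-not-checked\r\n"
        b"From: billing@example.com\r\nTo: user@example.org\r\nSubject: Invoice\r\n"
    )
    return headers + b"\r\n" + body


if __name__ == "__main__":
    msg = build_message(BODY)
    print("original  :", verify_body_hash(msg))
    print("tampered  :", verify_body_hash(msg.replace(b"Friday", b"Monday")))
    print("extra CRLF:", verify_body_hash(msg + b"\r\n\r\n"))
```

A bh= mismatch tells you the body was changed after signing (by an attacker, or legitimately by a mailing list or gateway that appends a footer), but a bh= match alone proves nothing about the sender: an attacker can compute bh= for their own body, so only the b= signature verified against the d= domain’s public key ties the message to that domain.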
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that builds on the widely deployed SPF and DKIM protocols and adds a reporting function so that senders and receivers can monitor and improve the protection of a domain against fraudulent email. DMARC lets a domain owner publish a policy in DNS that states which mechanisms (SPF, DKIM) are used to authenticate messages sent from the domain and tells receivers what to do if neither mechanism passes. It also gives receivers a way to report back to the domain owner about messages that pass or fail evaluation against the published policy.
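The SPF and DMARC paragraphs above describe two lookups a receiving server performs: an SPF evaluation of the connecting IP against the sender domain’s TXT record, and then a DMARC check that asks whether either a passing SPF or a passing DKIM result is aligned with the From header domain before applying the published policy. The following is an added example (not code from the original post and not a production SPF/DMARC implementation) that runs both steps offline against a constructed DNS table. It handles the ip4, ip6, include and all mechanisms with their qualifiers, the DMARC p, aspf and adkim tags, and strict versus relaxed alignment; the a, mx, ptr and exists mechanisms, redirect=, subdomain policy (sp=) and Public Suffix List lookups are left out and marked as such. All domains and addresses are constructed.

```python
import ipaddress

# Constructed DNS TXT records (not any real domain's records).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip: str, domain: str, dns=DNS_TXT, depth: int = 0) -> str:
    """Evaluate the connecting IP against domain's SPF record (ip4/ip6/include/all only)."""
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            if check_spf(ip, arg, dns, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"           # a, mx, ptr, exists and modifiers: not implemented here
    return "neutral"                     # no mechanism matched and no 'all' term


def org_domain(domain: str) -> str:
    """Simplified organisational domain (last two labels); real code uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' needs an exact match, 'r' matches organisational domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc(record: str) -> dict:
    return {k.strip(): v.strip() for k, v in
            (p.split("=", 1) for p in record.split(";") if "=" in p)}


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=DNS_TXT) -> dict:
    """Combine SPF (envelope sender domain) and DKIM (d= domain) results under the From domain's policy."""
    record = dns.get("_dmarc." + from_domain.lower())
    if record is None or not record.startswith("v=DMARC1"):
        return {"dmarc": "none", "disposition": "none"}
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none", "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}
    return {"dmarc": "fail", "disposition": tags.get("p", "none"), "spf_aligned": False, "dkim_aligned": False}


def authenticate(ip, mail_from_domain, from_domain, dkim_result, dkim_domain, dns=DNS_TXT) -> dict:
    """Whole receiver-side pipeline: SPF on the connection, then DMARC on the From domain."""
    spf = check_spf(ip, mail_from_domain, dns)
    result = evaluate_dmarc(from_domain, spf, mail_from_domain, dkim_result, dkim_domain, dns)
    result["spf"] = spf
    return result


if __name__ == "__main__":
    # A message from an authorised relay, envelope and From both under example.com.
    print(authenticate("198.51.100.10", "example.com", "example.com", "fail", ""))
    # A spoof: From says example.com but the connection comes from an unlisted host.
    print(authenticate("192.0.2.77", "example.com", "example.com", "fail", ""))
```

The second run shows why DMARC matters for phishing: SPF on its own only checks the envelope sender, which the attacker can set to any domain they control, whereas DMARC insists that the passing identifier line up with the From address the recipient actually sees.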
Email filtering and blocking mechanisms such as spam filters and content filters.
Overall, the email system is a complex network of interconnected servers and protocols that work together to ensure that messages are delivered quickly and securely.