Digital forensics is the process of collecting, analyzing, and preserving electronic evidence from digital devices and systems to uncover facts and reconstruct events, typically for legal or investigative purposes. One of the ways to collect digital evidence is by analyzing email headers.
This guide covers when and why downloading emails is necessary for forensic investigations and provides specific instructions for extracting email data safely and securely from major providers.
Why download emails for digital forensics?
Email data can contain the information necessary to understand a criminal or civil case, which is extremely important during the investigation process. The key reasons why downloading emails is an essential step in digital forensic investigations are:
Email headers analysis
Emails themselves carry a large amount of crucial data in the email header. This includes the path of mail servers the message passed through (recorded hop by hop in the Received lines), DKIM signatures that validate the integrity of the message, and IP address information that can help trace the sending host. By analyzing these headers, forensic experts can reconstruct an email’s path, verify the sender’s identity, and detect potential spoofing or phishing attempts. This process involves examining fields such as Return-Path, the Received lines, Message-ID, and the Authentication-Results recorded for SPF, DKIM, and DMARC. Header analysis also aids in malware detection by surfacing unusual patterns or inconsistencies in the email’s metadata.
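The following script is an added example (not part of the original guide) that pulls the header fields named above out of a raw RFC 5322 message and flags the kinds of inconsistency an examiner looks for: relays are listed origin first, SPF/DKIM/DMARC results are extracted, and a Return-Path domain that differs from the From domain is reported. The hostnames, IP addresses and identifiers in SAMPLE_EML are constructed for illustration.

```python
# Added example: parse the forensic header fields named above from a raw
# RFC 5322 message. Hosts, IPs and IDs in SAMPLE_EML are constructed.
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

SAMPLE_EML = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [198.51.100.10])
\tby mail.example.com with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay.example.net (relay.example.net [203.0.113.5])
\tby mx.example.org with ESMTP id def456; Mon, 1 Jan 2024 10:00:02 +0000
Authentication-Results: mail.example.com; spf=pass smtp.mailfrom=mailer.example.net;
\tdkim=fail header.d=bank.example; dmarc=fail header.from=bank.example
Message-ID: <20240101100000.1234@relay.example.net>
From: "Example Bank" <alerts@bank.example>
To: victim@example.com
Subject: Account notice

Please review your account.
"""
# "from <host> (<comment> [<ip>]) by <host>": the IP inside [] is what the
# receiving server observed; the bare hostname is what the sender claimed.
RECEIVED_RE = re.compile(r"from (\S+)(?: \(.*?\[([\d.]+)\]\))? by (\S+)")


def _domain(value):
    """Lower-cased domain of the first address in an address header."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()


def analyze(raw):
    """Return Received hops (origin first), auth results and findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    unfold = lambda v: re.sub(r"\s+", " ", str(v or ""))  # collapse folded headers
    hops = []
    # Each relay prepends its own Received line, so reverse for chronological order.
    for m in (RECEIVED_RE.search(unfold(v)) for v in reversed(msg.get_all("Received", []))):
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3)})
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           unfold(msg.get("Authentication-Results"))))
    from_domain, rp_domain = _domain(msg.get("From")), _domain(msg.get("Return-Path"))
    findings = [f"{k}={v}" for k, v in auth.items() if v != "pass"]
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} != From domain {from_domain}")
    return {"message_id": str(msg.get("Message-ID", "")), "from_domain": from_domain,
            "return_path": rp_domain, "hops": hops, "auth": auth, "findings": findings}
```

Run `analyze(open("export.eml", "rb").read())` on a message downloaded with the steps below; on the sample it reports two relays, failing DKIM and DMARC, and the Return-Path/From mismatch.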
Preserving evidence
Downloading creates a static copy of email data that preserves the state of communications at a specific point in time and prevents potential tampering or deletion of evidence.
Offline analysis
Having a local copy allows forensic examiners to analyze email contents, headers, and metadata without requiring constant internet access.
Legal admissibility
Properly extracted email data is more likely to be accepted as valid evidence in court than screenshots or printouts. Email downloading must be done carefully, and proper guidelines must be followed to ensure integrity and admissibility.
To ensure defensible email evidence:
- Obtain proper legal authority before accessing accounts
- Use forensically sound tools designed for email acquisition
- Capture full email headers and metadata
- Document your process thoroughly
- Maintain strict access controls for exported data
Data integrity
Forensic downloads preserve important metadata and maintain the integrity of email evidence. Email data collection must be done correctly to avoid problems during the investigation, to ensure admissibility in legal proceedings, and to keep the data intact.
When downloading emails for forensic purposes:
- Use write blockers to prevent modifications to the original data
- Calculate hash values to verify data integrity
- Document chain of custody for all email evidence
- Use encryption when transferring or storing email exports
- Follow data privacy regulations like GDPR when handling personal emails
When to download emails for forensics
The main reason for downloading emails is to use them as evidence during criminal and civil investigations. Some common scenarios that necessitate forensic email downloads include:
- Corporate investigations of employee misconduct
- E-discovery for civil litigation
- Criminal investigations involving digital evidence
- Incident response after cyberattacks or data breaches
- Regulatory compliance audits
How to safely download emails from major providers
To ensure the integrity of the email data, make sure to follow these steps for each email provider or platform.
Gmail
View & copy the full header
- From a browser, open Gmail.
- Open the email for which you want to check the headers.
- Next to Reply, click More, then Show Original.
- The full header opens in a new window.
- Click Copy to clipboard.
Download emails to your computer
- Open your Gmail.
- Select the email.
- Click More.
- Click on the Download message option.
Apple Mail
View & copy the full header
- Open Apple Mail.
- Open the email you want to see the headers for.
- Click View and then Message and then All Headers.
- The headers will show in the window below your inbox.
Download emails to your computer
To download an email from Apple Mail so that you can analyze its header as well, follow these steps:
- Launch the Mail application on your Mac.
- Click to select the email you want to analyze.
- Go to the menu bar at the top and click on File.
- Choose Save As.
- In the dialog box that appears, select the format ‘Raw Message Source’ to get the full headers and source of the email.
- Specify the location where you want to save the file and click Save.
Microsoft Outlook/Office 365
View & copy the full header
- Open Outlook.
- Open the email for which you want to see the headers.
- Click File and then Properties.
- The headers will show in the “Internet headers” box.
Download emails to your computer from Outlook Desktop Application (Windows or Mac):
- Open the Microsoft Outlook application on your computer.
- Find the email you wish to download and select it.
- Go to the File menu in the top toolbar.
- Click on Save As.
- In the dialog box, choose a location to save the file. By default, it might be saved as a .msg file. To save the entire source, including headers, you should save it as an .html or .txt file.
- Name the file and click Save.
Download emails to your computer from Outlook on the Web (Office 365 or Outlook.com):
- Log in to your Outlook account using your web browser.
- Click on the email you want to download to open it.
- Download the email as an EML file:
  - While viewing the email, look for the three dots (…) at the top menu bar of the email view pane.
  - Click on the dots to open a menu, then select Download as .eml.
  - This will download the email as a .eml file, which includes the full headers and body.
Yahoo Mail
View & copy the full header
- Log in to your Yahoo! Mail account.
- Select the email for which you want to see the headers.
- Click More and then View Raw Message.
- The headers will show in a new window.