global email forensics | expert witness | smtp

Email Delivery Forensic Log Retention

Introduction

For any successful email forensic investigation, the availability of email logs is a key requirement. Email messages are sent between mail servers using the Simple Mail Transfer Protocol (SMTP), defined in RFC 5321.

SMTP Protocol for Email Delivery

As an email travels from the sender to the recipient it passes through one or more mail gateways, known as Message Transfer Agents (MTAs). Each MTA belongs to a particular email system, typically the sender’s or the recipient’s, and each one keeps its own record of the messages it handles.

Email Message Transport Log Files

The MTAs belonging to your email system will usually have email log files available for examination. These log files may only be kept for a limited period, for example 90 days, before they are rotated and deleted. Effort is required to ensure email message logs within your email system are retained for a much longer period, for example 7 years. This can be achieved in different ways, such as a scheduled task that copies them to a secure location, or via an email server backup job. Whichever method is used, the retained copies should be stored where the mail administrators cannot silently alter them, and each copy should be checksummed at capture time so that it can later be shown to be unchanged.
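An added example, not code from the original page, of the scheduled retention task described above. It compresses a mail log into a dated archive, records a SHA-256 digest of both the original and the archived file in a manifest together with the retention expiry date, and provides a check that a copy retrieved later is unchanged. The log lines and paths are constructed for illustration; the 7-year retention figure comes from the text, and the function and file names are this example's own choices.

```python
"""Archive an MTA log for long-term retention with a tamper-evident manifest.

Added example: not the original page's code. Sample log content and paths
are constructed; point archive_log at the real rotated mail log in practice.
"""
from __future__ import annotations

import gzip
import hashlib
import json
import shutil
import tempfile
from datetime import date, timedelta
from pathlib import Path

RETENTION_DAYS = 7 * 365  # "7 years" as in the text; leap days are ignored

SAMPLE_LOG = (  # constructed Postfix-style lines, not real traffic
    "May  6 10:02:01 smtp-out postfix/smtpd[2211]: 7A1B2C: "
    "client=workstation.sender.example[10.0.0.25]\n"
    "May  6 10:02:05 smtp-out postfix/smtp[2215]: 7A1B2C: "
    "to=<bob@receiver.example>, status=sent\n"
)


def sha256_file(path: Path) -> str:
    """SHA-256 of a file read in chunks, so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_log(source: Path, store: Path, today=None) -> Path:
    """Copy `source` into `store` as a dated gzip and append a manifest entry."""
    today = today or date.today()
    store.mkdir(parents=True, exist_ok=True)
    target = store / f"{source.name}.{today.isoformat()}.gz"
    if target.exists():
        raise FileExistsError(target)  # never overwrite evidence already captured
    with source.open("rb") as src, gzip.open(target, "wb") as dst:
        shutil.copyfileobj(src, dst)
    entry = {
        "archive": target.name,
        "source": str(source),
        "captured": today.isoformat(),
        "expires": (today + timedelta(days=RETENTION_DAYS)).isoformat(),
        "sha256_source": sha256_file(source),   # digest of the uncompressed log
        "sha256_archive": sha256_file(target),  # digest of the stored file
    }
    with (store / "manifest.jsonl").open("a") as mf:
        mf.write(json.dumps(entry) + "\n")
    return target


def verify_archive(store: Path, archive_name: str) -> bool:
    """True only if the stored file and its decompressed content still match
    the digests recorded when the archive was taken."""
    for line in (store / "manifest.jsonl").read_text().splitlines():
        entry = json.loads(line)
        if entry["archive"] != archive_name:
            continue
        target = store / archive_name
        if sha256_file(target) != entry["sha256_archive"]:
            return False
        h = hashlib.sha256()
        with gzip.open(target, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest() == entry["sha256_source"]
    return False  # no manifest entry: the archive has no provenance


def expired_archives(store: Path, today: date) -> list[str]:
    """Archives past their retention date. Deletion is deliberately left to a
    separate step so a bug here cannot destroy evidence."""
    manifest = store / "manifest.jsonl"
    if not manifest.exists():
        return []
    return [
        json.loads(line)["archive"]
        for line in manifest.read_text().splitlines()
        if date.fromisoformat(json.loads(line)["expires"]) < today
    ]


def run_demo() -> dict:
    """Exercise archive, duplicate-capture refusal, tamper detection and expiry."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "mail.log"
        source.write_text(SAMPLE_LOG)
        store = root / "retained"
        archived = archive_log(source, store, today=date(2024, 5, 6))
        ok_before = verify_archive(store, archived.name)
        try:
            archive_log(source, store, today=date(2024, 5, 6))
            overwrite_blocked = False
        except FileExistsError:
            overwrite_blocked = True
        with archived.open("ab") as f:  # simulate tampering with the stored copy
            f.write(b"\x00")
        ok_after = verify_archive(store, archived.name)
        entry = json.loads((store / "manifest.jsonl").read_text().splitlines()[0])
        return {
            "archive": archived.name,
            "verified_before_tamper": ok_before,
            "verified_after_tamper": ok_after,
            "overwrite_blocked": overwrite_blocked,
            "expires": entry["expires"],
            "expired_by_2031_06": expired_archives(store, date(2031, 6, 1)),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest itself is the weak point of this scheme: it lives beside the archives, so it should be copied to a second location (or signed) at the same time, otherwise whoever can rewrite an archive can rewrite its recorded digest too.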

Retaining the email message transport log files is crucial to the success of any email forensic investigation. The logs are each MTA’s own record of the path a message took between email systems, and they exist independently of the message itself. As the message moves from the sender’s mailbox to the recipient’s mailbox, each compliant MTA prepends a Received: header line naming the previous hop, itself, the time and the queue identifier it assigned (RFC 5321, section 4.4), and it must not alter or remove lines already present, so the headers read newest-first. That rule is a requirement on well-behaved software rather than an enforced property of the protocol: any system that handles the message, including the sender before submission, can write or strip Received: lines, so the header trace on its own is a set of claims. The retained logs are what allow each claimed hop to be checked against what that MTA actually recorded.
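An added example, not part of the original page, of the check described above: it reads the Received: headers of a message, reverses them into chronological order, and then looks for each claimed hop in the receiving MTA’s retained log by queue identifier, Message-ID and client. The message, host names, queue identifiers and Postfix-style log lines are all constructed for illustration; the last hop has no retained log on purpose, to show that such a hop cannot be corroborated at all.

```python
"""Reconstruct a delivery path from Received: headers and corroborate each hop
against MTA logs.

Added example, not the original page's code. The message and log lines below
are constructed; the host names and queue IDs are hypothetical.
"""
from __future__ import annotations

import email
import re
from email.utils import parsedate_to_datetime

# Received: lines appear newest-first because each MTA prepends its own line.
RAW_MESSAGE = b"""\
Received: from mx1.receiver.example (mx1.receiver.example [203.0.113.10])
\tby mailstore.receiver.example with ESMTP id B4C7D9;
\tMon, 6 May 2024 10:02:07 +0000
Received: from smtp-out.sender.example (smtp-out.sender.example [198.51.100.5])
\tby mx1.receiver.example with ESMTPS id 4F3A21 (TLS1.2);
\tMon, 6 May 2024 10:02:05 +0000
Received: from [10.0.0.25] (workstation.sender.example [10.0.0.25])
\tby smtp-out.sender.example with ESMTPSA id 7A1B2C;
\tMon, 6 May 2024 10:02:01 +0000
Message-ID: <20240506100200.1234@sender.example>
From: alice@sender.example
To: bob@receiver.example
Subject: Test

Body
"""
MESSAGE_ID = "<20240506100200.1234@sender.example>"

# Constructed Postfix-style log lines, keyed by the MTA that wrote them. The
# mailstore has no retained logs, which the check must report, not gloss over.
MTA_LOGS = {
    "smtp-out.sender.example": [
        "May  6 10:02:01 smtp-out postfix/smtpd[2211]: 7A1B2C: client=workstation.sender.example[10.0.0.25], sasl_username=alice@sender.example",
        "May  6 10:02:01 smtp-out postfix/cleanup[2212]: 7A1B2C: message-id=<20240506100200.1234@sender.example>",
        "May  6 10:02:05 smtp-out postfix/smtp[2215]: 7A1B2C: to=<bob@receiver.example>, relay=mx1.receiver.example[203.0.113.10]:25, status=sent (250 2.0.0 Ok: queued as 4F3A21)",
    ],
    "mx1.receiver.example": [
        "May  6 10:02:05 mx1 postfix/smtpd[877]: 4F3A21: client=smtp-out.sender.example[198.51.100.5]",
        "May  6 10:02:05 mx1 postfix/cleanup[880]: 4F3A21: message-id=<20240506100200.1234@sender.example>",
        "May  6 10:02:07 mx1 postfix/smtp[882]: 4F3A21: to=<bob@receiver.example>, relay=mailstore.receiver.example[10.20.0.4]:25, status=sent (250 2.0.0 Ok: queued as B4C7D9)",
    ],
}

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>\S+)"
    r".*?\bid\s+(?P<id>[^\s;]+)"
)


def parse_received(raw_message: bytes) -> list[dict]:
    """Return the hops in chronological order (oldest first)."""
    msg = email.message_from_bytes(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        m = RECEIVED_RE.search(flat)
        if not m:
            raise ValueError(f"unparseable Received header: {flat}")
        hop = m.groupdict()
        hop["date"] = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        hops.append(hop)
    hops.reverse()  # header order is newest-first
    return hops


def corroborate(hops: list[dict], message_id: str, logs: dict) -> list[dict]:
    """For each hop, find the queue id the header claims in the receiving MTA's
    log and check it is tied to the same Message-ID and the claimed client."""
    results = []
    for hop in hops:
        lines = [l for l in logs.get(hop["by"], []) if f" {hop['id']}: " in l]
        same_msgid = any(f"message-id={message_id}" in l for l in lines)
        client_seen = any("client=" in l and hop["from"] in l for l in lines)
        if hop["by"] not in logs:
            status = "no logs retained"
        elif same_msgid and client_seen:
            status = "corroborated"
        else:
            status = "header/log mismatch"
        results.append({"hop": f"{hop['from']} -> {hop['by']}",
                        "queue_id": hop["id"], "status": status})
    return results


if __name__ == "__main__":
    for r in corroborate(parse_received(RAW_MESSAGE), MESSAGE_ID, MTA_LOGS):
        print(r)
```

Only the hops whose receiving MTA still has logs come back as corroborated; the final hop into the mailstore is reported as unverifiable because nothing independent of the message confirms it, which is exactly the situation log rotation creates once the retention window has passed.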

Terms and Definitions

The term “email” is a shortened form of “electronic mail”. Both terms may be used within this report, and mean the same thing.

The term email is listed in the Oxford English Dictionary as both a noun, and a verb.

https://www.oed.com/search/dictionary/?scope=Entries&q=email

Email (noun): A system for sending textual messages (with or without attached files) to one or more recipients via a computer network (esp. the internet); a message or messages sent using this system. Also: an email address.

Email (verb): transitive. To send (a message or file) by email; to send an email to (a person, organization, etc.).

Email Delivery Example

The diagram below is a conceptual view of a typical email delivery from one email system to another. Email delivery is a key aspect of any Office 365 email migration project – see office365migrate.com to hire an email migration expert.

Email Delivery Example Between Two Email Systems

The email passes through Mail Servers at each end. On the hop across the internet, modern MTAs usually negotiate TLS, which prevents the message being read or altered in transit on that link; unless the domains enforce it by policy, however, TLS is negotiated opportunistically, and it protects only the link, not the message while it sits on either Mail Server. If the email logs are available from both the sender’s email system and the receiver’s email system, a complete picture of the delivery can be presented, with each side’s record corroborating the other. This is the strongest available evidence that the message was sent and received.

Any sending email information system contains a series of Mail Servers through which the sent message passes before it is routed over the public internet to the receiving information system belonging to the recipient. Multiple Mail Servers may likewise be present within the receiving information system, and each of them may hold its own log entries for the message.

Recap

Contact Rob Walton for a confidential discussion if you need expert email forensic consulting, or SMTP expert witness services.

