Thursday, June 4, 2009

Transactions together

For evidentiary purposes, an investigator needs to prove that a message from a given originating address passed through a machine by matching the message ID against a log of email transactions, together with the date and time at which the address was recorded. If the email has not been faked, the question becomes who was using the machine at the time the suspect message was sent. More sophisticated suspects will fake their emails, however. There are several ways of faking email, including spoofing, remailing, relaying, spamming, stealing, and bogus accounts. Some of these use email programs that strip the message header from the message before delivering it to the recipient, or bury the message header within the email program.
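As an added illustration of the log check described above (example code, not from the original post): a small parser for constructed Postfix-style mail log lines that ties each transaction's lines together by queue ID, then looks up a Message-ID to recover the date, time, client machine, sender and recipients recorded for it. The log lines, hostnames and addresses are all made up.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of Postfix-style mail log lines (not from any real system).
# Every line of one transaction carries the same queue ID (e.g. 3A2B1C4D5E).
SAMPLE_LOG = """\
Jun  4 09:12:01 mx1 postfix/smtpd[2011]: 3A2B1C4D5E: client=ws-17.example.internal[10.0.5.17]
Jun  4 09:12:01 mx1 postfix/cleanup[2015]: 3A2B1C4D5E: message-id=<20090604091200.1234@ws-17.example.internal>
Jun  4 09:12:02 mx1 postfix/qmgr[1800]: 3A2B1C4D5E: from=<alice@example.internal>, size=2048, nrcpt=1 (queue active)
Jun  4 09:12:03 mx1 postfix/smtp[2020]: 3A2B1C4D5E: to=<bob@example.org>, relay=mail.example.org[192.0.2.10]:25, status=sent (250 OK)
Jun  4 09:15:44 mx1 postfix/smtpd[2011]: 7F8E9D0C1B: client=ws-22.example.internal[10.0.5.22]
Jun  4 09:15:44 mx1 postfix/cleanup[2015]: 7F8E9D0C1B: message-id=<20090604091540.5678@ws-22.example.internal>
Jun  4 09:15:45 mx1 postfix/qmgr[1800]: 7F8E9D0C1B: from=<carol@example.internal>, size=900, nrcpt=1 (queue active)
"""

# Syslog timestamp, host, postfix program, queue ID, then the event-specific remainder.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<prog>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)

@dataclass
class Transaction:
    queue_id: str
    first_seen: str            # timestamp of the first log line for this queue ID
    host: str                  # mail server that recorded the transaction
    client: Optional[str] = None      # machine that handed the message in
    message_id: Optional[str] = None
    sender: Optional[str] = None
    recipients: list = field(default_factory=list)

def parse_log(text):
    """Group log lines by queue ID so each delivery becomes one Transaction."""
    txns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated daemon output; ignore
        t = txns.setdefault(m["qid"], Transaction(m["qid"], m["ts"], m["host"]))
        rest = m["rest"]
        if rest.startswith("client="):
            t.client = rest[len("client="):]
        elif rest.startswith("message-id="):
            t.message_id = rest[len("message-id="):]
        elif rest.startswith("from="):
            t.sender = re.match(r"from=<([^>]*)>", rest).group(1)
        elif rest.startswith("to="):
            t.recipients.append(re.match(r"to=<([^>]*)>", rest).group(1))
    return txns

def find_by_message_id(text, message_id):
    """Return the transaction whose cleanup line recorded this Message-ID, or None."""
    for t in parse_log(text).values():
        if t.message_id == message_id:
            return t
    return None
```

The `first_seen` timestamp and `client` field together answer the investigator's question of when and from which machine the message entered the server; a Message-ID that appears in the header but never in the log is itself a sign that the header was not produced by this server.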



In other cases, the "From" line in a message header is faked. Other offenders steal someone else's email account, or set one up temporarily using bogus address information when registering. Once the perpetrator's PC has been physically located, it is confiscated, and the forensic analyst makes exact copies (called image copies) of the computer's hard drives. The analyst then looks for file fragments or portions of any emails that contain specific references to the offending message.


There are worrisome trends suggesting that email tracing will become more difficult in the future. For example, some new products coming onto the market strip email headers, encrypt the message, and then destroy it after a period of time. Al-Qaida terrorists were found to be using a "dead letter box" system: someone creates an email account, gives the password to several members of a group, and the group communicates by saving messages in the drafts folder without ever sending them.


Communication by this method cannot be monitored, because government systems for tracking emails work only when someone actually sends an email. Smart programmers are always looking for ways to get around the audit trail, and investigators always seem to be playing catch-up when tracing email. Email tracing is nonetheless likely to remain an essential part of computer forensics.
