Email forensics deals with the recovery and analysis of emails, including deleted emails, calendars, and contacts.

| Tool Name | Description |
| --- | --- |
| EnCase | A widely used digital forensics platform that supports email analysis, providing in-depth examination of email headers, attachments, and content. |
| MailXaminer | Email forensics software that offers comprehensive analysis of various email formats, including support for metadata extraction and keyword searching. |
| MBOX Viewer | A tool specifically designed for MBOX file format, enabling investigators to view, search, and analyze emails stored in MBOX files. |
| Email Examiner | An email forensics tool with advanced search capabilities, supporting multiple email formats, and providing detailed analysis of email artifacts and metadata. |
| Forensic Toolkit | A powerful forensic tool that includes email analysis features, allowing investigators to recover, analyze, and present email evidence in legal cases. |
| PST Viewer | Software to view and analyze Microsoft Outlook PST files, providing access to email messages, attachments, and other data stored in the PST file format. |
| Wireshark | A network protocol analyzer that can be used for email forensics by capturing and analyzing network traffic, including email communications over the network. |
| Oxygen Forensic Detective | A mobile forensics tool that supports email analysis on smartphones, extracting emails, attachments, and other related data from mobile devices. |
| MailMarshal | An email security tool that can be utilized for forensics purposes, helping investigators analyze email traffic, identify threats, and trace email sources. |
| NetworkMiner | A network forensic analysis tool that can be used to parse and analyze emails transmitted over a network, extracting valuable information from captured network traffic. |

| Tool Name | Tool Name |
| --- | --- |
| Sintelix | Adcomplain |
| Xtraxtor | AccessData’s FTK |
| Aid4Mail Forensic | EnCase Forensic |
| MailXaminer Forensic Email Analysis Software | FINALeMAIL |
| MailPro+ | Forensics Investigation Toolkit (FIT) |
| Autopsy | MxToolBox Email Software |
| Advik Email Forensic Wizard | Paraben Email Examiner |
| Stellar Data Recovery | OSForensic Software |
| Advik MBOX to PDF Converter | Kernel Outlook PST Viewer |
| FreeViewer | R-Mail by R-tools-technology |
| eMailTrackerPro | EmailTracer |

Email forensics is the investigation of email communications to detect fraud, phishing, data breaches, and cybercrimes. It helps uncover forged emails, track senders, and analyze malicious attachments or links.
Techniques & Tools:
Techniques:
- Preserve Email Evidence
  - Securely collect email files (e.g., PST, OST, EML) or server backups without altering metadata.
  - Tools: FTK Imager.
- Analyze Email Headers
  - Extract and decode email headers to trace sender IPs, mail servers, and authentication results (e.g., SPF, DKIM).
- Inspect Email Content and Metadata
  - Review timestamps, email threads, and metadata for tampering or anomalies.
- Analyze Attachments and Links
  - Scan attachments for malware and links for phishing.
- Reconstruct Email Threads
  - Organize email threads for context or detect missing communications.
  - Tools: Belkasoft Evidence Center.
- Report Findings
  - Document the sender’s details, communication patterns, and flagged anomalies in a comprehensive report.
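
Added example, not part of the original page: the preservation and header-analysis steps above applied to a constructed message with Python's standard library. The sample message, its addresses and domains, and the names `hop_ips`, `domain` and `analyze` are assumptions made for illustration.

```python
import email, hashlib, ipaddress, re
from email import policy
from email.utils import parseaddr

# Constructed sample (documentation IP ranges, example domains); not real evidence.
RAW = b"""\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: inbox.example.org; spf=pass smtp.mailfrom=mailer.example.net;
\tdkim=fail header.d=example.com; dmarc=fail header.from=example.com
Received: from mx.example.org (mx.example.org [198.51.100.7])
\tby inbox.example.org with ESMTPS; Tue, 05 Mar 2024 10:15:04 +0000
Received: from relay.example.net (relay.example.net [203.0.113.25])
\tby mx.example.org with ESMTP; Tue, 05 Mar 2024 10:15:02 +0000
Received: from [192.168.1.44] (unknown [192.0.2.10])
\tby relay.example.net with ESMTPSA; Tue, 05 Mar 2024 10:15:00 +0000
From: "Accounts" <billing@example.com>
Subject: Invoice
"""
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def hop_ips(msg):
    """Bracketed IPs per Received header, oldest hop first (each relay prepends)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        hop = []
        for text in re.findall(r"\[([0-9A-Fa-f:.]+)\]", str(value)):
            try:
                hop.append(ipaddress.ip_address(text))
            except ValueError:
                continue  # bracketed token that is not an IP literal
        hops.append(hop)
    return hops

def domain(header_value):
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def analyze(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = hop_ips(msg)
    routable = [ip for hop in hops for ip in hop if not any(ip in n for n in INTERNAL)]
    # Topmost Authentication-Results only; lower headers are sender-controlled (forgeable).
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           str(msg.get("Authentication-Results", ""))))
    mismatch = domain(msg.get("From", "")) != domain(msg.get("Return-Path", ""))
    return {"sha256": hashlib.sha256(raw).hexdigest(),  # integrity value for evidence log
            "hops": [[str(ip) for ip in hop] for hop in hops],
            "origin_candidate": str(routable[0]) if routable else None,
            "auth": auth, "from_envelope_mismatch": mismatch}
```

Calling `analyze(RAW)` on this sample shows SPF passing for the envelope domain while DKIM and DMARC fail for the visible From domain, which is the situation the `from_envelope_mismatch` flag surfaces.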
Open-Source Tools:
- MIME-Tools: Analyze email structures and metadata.
- Cuckoo Sandbox: Analyze email attachments and links for malware.
- MXToolbox Header Analyzer: Decode email headers.
Commercial Tools: