When digital forensics investigators study emails to find the source of spoofed messages, they have to analyze every field of email architecture. Email header is one of the vital resources that contains many important fields, one of which is Message-ID. So, it is important to understand what Message-IDs are, how they are created and extracted, and how they can help investigators in extracting useful information.
According to RFC 2822, the standard for the format of Advanced Research Projects Agency (ARPA) Internet text messages (emails), each email should carry a globally unique identifier that distinguishes it from every other email. This identifier is the Message-ID, an important field in the email header. It consists of a long string of characters that ends with a Fully Qualified Domain Name (FQDN).
Message-IDs are generated by the programs that send email, such as Mail User Agents (MUAs) or Mail Transfer Agents (MTAs). The following figure shows a sample message header:
After analyzing the message header, the following information can be retrieved:
In the figure above, the Message-ID is 20200612190818.3E16E1FBE8@serverxx.xxxxx.xxx.
A Message-ID has two parts: the part before the @ and the part after it.
Most mail services incorporate the date and time at which an email is sent into the Message-ID, along with a random string of characters that distinguishes it from other emails. In the sample Message-ID above, the mail system used the time at which the message was sent. The date and time are written as YYYYMMDDHHMMSS (year, month, day, hour, minute, second, with no separators). Extracting the timestamp (the numeric value in the first part up to the first dot: 20200612190818) tells us the following:
The second part of the Message-ID contains the FQDN. It reveals important details such as the local hostname, which is serverxx, and the local domain name, which is xxxxx.xxx.
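The decomposition described above can be automated. The following Python script is an added example written for this article; it is not code from Stellar or from any product. It reads the Message-ID out of a constructed raw header block (the same shape Gmail's "Show original" displays), checks it against a simplified RFC 2822 msg-id grammar, splits it at the @, decodes a leading YYYYMMDDHHMMSS timestamp when one is present, and separates the hostname from the domain. The header values, hosts and addresses in it are invented.

```python
import re
from datetime import datetime
from email import message_from_string
from typing import Optional

# Constructed sample of a raw message header, in the shape that Gmail's
# "Show original" or Outlook's "View message details" displays. Every value
# below is invented for this example.
RAW_HEADER = """\
Return-Path: <alice@xxxxx.xxx>
Received: from serverxx.xxxxx.xxx (serverxx.xxxxx.xxx [192.0.2.10])
        by mx.example.net with ESMTPS id abc123;
        Fri, 12 Jun 2020 19:08:20 +0000
Date: Fri, 12 Jun 2020 19:08:18 +0000
From: Alice <alice@xxxxx.xxx>
To: Bob <bob@example.net>
Subject: Sample
Message-ID: <20200612190818.3E16E1FBE8@serverxx.xxxxx.xxx>

Body text.
"""

# Simplified RFC 2822 msg-id grammar: "<" id-left "@" id-right ">" where both
# sides are dot-atoms. A full parser also accepts quoted strings on the left
# and domain literals on the right; those forms are omitted here.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
MSG_ID_RE = re.compile(
    rf"^<?({ATEXT}(?:\.{ATEXT})*)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)>?$"
)


def extract_message_id(raw: str) -> Optional[str]:
    """Return the Message-ID header value of a raw RFC 2822 message, or None."""
    msg = message_from_string(raw)
    return msg.get("Message-ID")


def decompose_message_id(message_id: str) -> dict:
    """Split a Message-ID into the fields an examiner looks at.

    Raises ValueError if the string is not a well-formed msg-id.
    """
    m = MSG_ID_RE.match(message_id.strip())
    if not m:
        raise ValueError(f"not a well-formed msg-id: {message_id!r}")
    left, fqdn = m.group(1), m.group(2)
    labels = fqdn.split(".")
    result = {
        "left": left,
        "fqdn": fqdn,
        # The first DNS label is the local hostname; the rest is the domain.
        "hostname": labels[0],
        "domain": ".".join(labels[1:]),
        "timestamp": None,
    }
    # Many mail systems prefix the left part with the send time written as
    # YYYYMMDDHHMMSS. Decode it only when the first dot-atom is exactly 14
    # digits that form a valid calendar date; anything else is treated as the
    # random component. The value carries no time zone, so it is the sending
    # system's local clock, not necessarily UTC.
    first = left.split(".")[0]
    if len(first) == 14 and first.isdigit():
        try:
            result["timestamp"] = datetime.strptime(first, "%Y%m%d%H%M%S")
        except ValueError:
            pass
    return result


if __name__ == "__main__":
    mid = extract_message_id(RAW_HEADER)
    for key, value in decompose_message_id(mid).items():
        print(f"{key:10}: {value}")
```

For the sample header this prints the hostname serverxx, the domain xxxxx.xxx and the timestamp 2020-06-12 19:08:18. The timestamp is set by the sending software, so treat it as a lead to be checked against the Date and Received headers rather than as a trustworthy fact on its own.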
You can find the Message-ID of an email in its message header. The following are the steps to extract the message header of an email in Gmail and Outlook:
To obtain the Message-ID of a Gmail message, follow the given steps:
Step 1: Open the email message.
Step 2: Click the icon with three dots on the top-right of the message box and select Show original from the options. [See Figure 4]
Step 3: It will open a new tab that contains all the fields of the email header. You can find the Message-ID in it. [See Figure 5]
You can also locate it instantly by using your web browser's search function (usually opened with the CTRL+F key combination) and searching for the keyword “Message-ID”.
The steps to obtain Message-ID of an email in Microsoft Outlook are given below:
Step 1: Open the email message and click the More actions (v) menu to expand it. [See Figure 6]
Step 2: Click View message details. [See Figure 7]
Step 3: It will open a new window that contains the email header. You can find the Message-ID. [See Figure 8]
Message-ID is a unique identifier that helps to distinguish emails across the globe. An email forensic expert can break it down to discover important details about an email and its MTA. However, there are a few challenges:
Looking Beyond Message-IDs for Comprehensive Email Examination
Message-ID is an important email header field and can be of great help in an investigation. However, forensic experts need many additional details to conduct an investigation. For instance, useful information is readily found in other email header fields, such as Received:, where each server that relayed the SMTP message adds its own entry, or the X-headers, where details of security devices such as email anti-virus scanners are recorded. Similarly, a closer inspection of attachments may require their hex values.
Forensic experts correlate multiple pieces of information in an email message to trace its origin. This can only be done efficiently and promptly with the help of a reliable, feature-rich tool such as Stellar Email Forensic. The software is engineered for accuracy, speed, and versatility, and supports 25+ email file formats. It allows you to perform granular searches for emails and offers a case management facility.
Download a free trial version of Stellar Email Forensic software to start your email investigation now. The software is available for a free 60-day trial.
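To show what correlating the Message-ID with the other header fields looks like in practice, here is an added Python example (not Stellar's code and not part of the original article). It walks the Received: chain of a constructed message in transit order, then checks three things an examiner would check by hand: whether the Message-ID domain belongs to the From domain, whether the first relay matches the host that generated the Message-ID, and whether the Received and Date timestamps are consistent. The hosts, addresses and timestamps are invented, and the five-minute tolerance is an arbitrary choice for the example.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed raw message (all values invented). Received: lines appear
# top-down as receiving MTAs wrote them: the topmost line is the last hop.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.5])
        by inbox.example.net with ESMTP id xyz789;
        Fri, 12 Jun 2020 19:08:25 +0000
Received: from serverxx.xxxxx.xxx (serverxx.xxxxx.xxx [192.0.2.10])
        by mx.example.net with ESMTPS id abc123;
        Fri, 12 Jun 2020 19:08:20 +0000
Date: Fri, 12 Jun 2020 19:08:18 +0000
From: Alice <alice@xxxxx.xxx>
To: Bob <bob@example.net>
Message-ID: <20200612190818.3E16E1FBE8@serverxx.xxxxx.xxx>
Subject: Sample

Body text.
"""

# Same message with the From address rewritten to another domain, so that
# the Message-ID no longer belongs to the claimed sender (constructed).
SPOOFED_MESSAGE = RAW_MESSAGE.replace("alice@xxxxx.xxx", "alice@other.example")

RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)


def received_chain(msg):
    """Return relay hops as (from_host, by_host, timestamp), earliest first.

    Each MTA prepends its own Received: line, so the header order is reversed
    to recover the path taken. Only lines added by servers you trust can be
    relied on; anything beneath them may have been written by the sender.
    """
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(value)
        ts = None
        if ";" in value:  # the date-time follows the last semicolon
            try:
                ts = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
            except Exception:
                ts = None
        hops.append((m.group(1) if m else "?", m.group(2) if m else "?", ts))
    return list(reversed(hops))


def correlate(raw: str) -> list:
    """Cross-check Message-ID, From, Date and the Received chain.

    Returns a list of findings; an empty list means no inconsistency was
    observed, which is not proof that the message is genuine.
    """
    msg = message_from_string(raw)
    findings = []
    hops = received_chain(msg)
    msg_id = (msg.get("Message-ID") or "").strip("<> ")
    id_domain = msg_id.rpartition("@")[2].lower()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    # 1. Message-ID host should sit inside the From domain. Some providers
    #    legitimately generate IDs under their own domain, so this is a lead.
    if id_domain and from_domain and not (
        id_domain == from_domain or id_domain.endswith("." + from_domain)
    ):
        findings.append(
            f"Message-ID domain {id_domain} is not within From domain {from_domain}"
        )

    # 2. The host that generated the ID is usually the first relay.
    if hops and id_domain and hops[0][0].lower() != id_domain:
        findings.append(
            f"first relay {hops[0][0]} differs from Message-ID host {id_domain}"
        )

    # 3. Timestamps must not go backwards along the path, and Date should not
    #    be later than the first relay's timestamp by more than a small skew.
    stamps = [h[2] for h in hops if h[2] is not None]
    for earlier, later in zip(stamps, stamps[1:]):
        if later < earlier:
            findings.append(f"Received timestamps go backwards: {earlier} then {later}")
    try:
        date = parsedate_to_datetime(msg.get("Date", ""))
        if stamps and date > stamps[0] + timedelta(minutes=5):
            findings.append("Date header is later than the first Received timestamp")
    except Exception:
        findings.append("Date header missing or unparsable")
    return findings


if __name__ == "__main__":
    print("original:", correlate(RAW_MESSAGE) or "no inconsistencies")
    print("spoofed: ", correlate(SPOOFED_MESSAGE))
```

The constructed original produces no findings, while the rewritten From address produces one finding about the Message-ID domain. Each check is deliberately a lead rather than a verdict: the examiner still has to confirm it against the server logs and the other header fields.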
Abhinav Sethi is a Senior Writer at Stellar. He writes articles, blog posts, knowledge-bases, case studies, etc. for different technologies. He also has a keen interest in digital forensics and helps forward-thinking companies fight different threats with apt solutions.