
Importance of Message-ID in Forensic Analysis of Emails

Written by Abhinav Sethi. Approved by Kuljeet Singh. Updated on September 2nd, 2022.

Contents

  • Taking a Closer Look at Message-ID
  • Challenges with Message-ID in Email Forensics
  • Looking Beyond Message-IDs for Comprehensive Forensic Email Analysis

Summary: In this article, we have talked about the importance of message IDs in the forensic examination of emails. We have also discussed the parts of message-IDs, and how we can obtain message IDs in Gmail and Outlook. Finally, we have highlighted some of the challenges of message IDs and how using an eDiscovery tool like Stellar Email Forensic can help counter these challenges.


When digital forensics investigators study emails to find the source of a spoofed message, they have to analyze every field of the message's structure. The email header is one of the most valuable resources: it contains many important fields, one of which is Message-ID. So it is crucial to understand what Message-IDs are, how they are created and extracted, and how they can help investigators recover useful information.


Taking a Closer Look at Message-ID

According to RFC 2822, the standard for the format of Advanced Research Projects Agency (ARPA) Internet text messages, or emails, each email should carry a globally unique identifier that distinguishes it from every other email. This identifier is the Message-ID, a critical field in the email header. It comprises a long string of characters that ends with the Fully Qualified Domain Name (FQDN).

Message-IDs are generated by the programs that send email, such as Mail User Agents (MUAs) or Mail Transfer Agents (MTAs). The following figures show a sample message header:

Figure 1: Part 1 of Sample Message header
Figure 2: Part 2 of Sample Message header

After analyzing the message header, the following information can be retrieved:

Figure 3: Information retrieved from Sample Message header

In the figure above, the Message-ID is 20200612190818.3E16E1FBE8@serverxx.xxxxx.xxx. A Message-ID has two parts: the part before the @ and the part after it.

Most mail services incorporate the date and time at which an email is sent into the Message-ID, along with a random string of characters, to distinguish it from other emails. In the sample Message-ID above, the mail system used the timestamp of the message at the time it was sent. The date and time fields appear in the order YYYY-MM-DD-HH-MM-SS, written without separators (YYYYMMDDHHMMSS). Extracting the details from the timestamp (the numerical value in the first part, up to the first dot: 20200612190818), we learn the following:

  • Year: 2020
  • Month: June (06)
  • Day: 12
  • Time: 19:08:18 (Hours:Minutes:Seconds)

The second part of the Message-ID contains the FQDN. It gives important details such as the local hostname, serverxx, and the local domain name, xxxxx.xxx.
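The breakdown above, carried out in code as an added example (not part of the original article or of Stellar's software): the header block is a constructed sample that reuses the article's Message-ID, the parser splits the identifier at the last @ and reads a leading 14-digit run as YYYYMMDDHHMMSS, and it tolerates a message with no Message-ID at all, which the article later notes is allowed. It also cross-checks the embedded timestamp against the Date: header, a check the article does not describe.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (not the page's figures); the Message-ID is the one
# the article breaks down, in the shape timestamp.random@hostname.domain.
SAMPLE_RAW = """\
Message-ID: <20200612190818.3E16E1FBE8@serverxx.xxxxx.xxx>
Date: Fri, 12 Jun 2020 19:08:18 +0000
From: sender@xxxxx.xxx
Subject: constructed sample

body
"""

# 14 leading digits followed by a dot (or nothing) are read as YYYYMMDDHHMMSS.
TS_RE = re.compile(r"^(\d{14})(?:\.|$)")

def parse_message_id(raw_email):
    """Split the Message-ID into its parts; None when the optional header is absent."""
    msg = message_from_string(raw_email)
    mid = msg.get("Message-ID")
    if mid is None:
        return None
    mid = mid.strip().strip("<>")
    local, sep, domain = mid.rpartition("@")
    info = {"raw": mid, "local": local if sep else mid, "domain": domain if sep else None,
            "hostname": None, "domain_name": None, "timestamp": None}
    if sep and "." in domain:
        info["hostname"], info["domain_name"] = domain.split(".", 1)
    m = TS_RE.match(info["local"])
    if m:
        try:
            info["timestamp"] = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
        except ValueError:
            pass  # 14 digits that are not a real date: a random token, not a timestamp
    return info

def timestamp_matches_date(raw_email, tolerance_s=300):
    """Compare the embedded timestamp with the Date: header (normalised to UTC)."""
    # The Message-ID carries no time zone; an offset of exact whole hours usually
    # means the sending server stamped local time rather than UTC.
    info = parse_message_id(raw_email)
    msg = message_from_string(raw_email)
    if not info or info["timestamp"] is None or msg.get("Date") is None:
        return None
    sent = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc).replace(tzinfo=None)
    return abs((info["timestamp"] - sent).total_seconds()) <= tolerance_s
```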

You can find the Message-ID of an email in its message header. The following are the steps to extract the message header of an email in Gmail and Outlook:

How to Obtain Message-ID in Gmail?

To obtain the Message-ID of a Gmail message, follow the given steps:

Step 1: Open the email message.

Step 2: Click the icon with three dots on the top-right of the message box and select Show original from the options. [See Figure 4]

Figure 4: Extracting email header in Gmail

Step 3: It will open a new tab that contains all the fields of the email header. You can find the Message-ID in it. [See Figure 5]

Figure 5: Message-ID in Gmail

You can also locate it instantly with your web browser's search function (usually opened with the CTRL+F key combination) by searching for the keyword "Message-ID".

How to Obtain Message-ID in Outlook?

The steps to obtain the Message-ID of an email in Microsoft Outlook are given below:

Step 1: Open the email message and click the more actions (v) menu to expand it. [See Figure 6]

Figure 6: Process for extracting email header in Outlook

Step 2: Click View message details. [See Figure 7]

Figure 7: Extracting email header in Outlook

Step 3: A new window opens that contains the email header, in which you can find the Message-ID. [See Figure 8]

Figure 8: Message-ID in Outlook

Challenges with Message-ID in Email Forensics

Message-ID is a unique identifier that helps to distinguish emails across the globe. An email forensics expert can break it down to discover important details about an email and its MTA. However, there are a few challenges:

  • The majority of mail systems add the Message-ID field to their emails. However, it is an optional header, and you may receive an email that does not contain a Message-ID at all.
  • There is no standard algorithm for Message-ID generation; each mail service uses its own algorithm to produce unique identifiers. You must have a sound understanding of multiple email platforms and their Message-ID formats to decode these identifiers in a comprehensive investigation.
  • For open-source MTAs, the construction of the Message-ID is easy to understand because the documentation is readily available. Proprietary programs, however, can make that information hard to acquire.

Looking Beyond Message-IDs for Comprehensive Forensic Email Analysis

Message-ID is an important email header field and can significantly help an investigation. However, forensic investigators need many additional details to conduct investigations. For instance, useful information is readily found in other email header fields, such as Received:, where each server that relayed the SMTP message adds its own details, or X-headers, where security devices such as email anti-virus gateways record their findings. Similarly, the hex values of attachments may be required for closer inspection.
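The Received: chain described above, walked in an added example that is not part of the original article or of Stellar's software. The two-hop header block is a constructed sample; the code lists the hops oldest-first (each relay prepends its line, so the bottom header is the earliest hop) and checks whether the earliest hop's sending host agrees with the Message-ID domain, a consistency check the article does not describe.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample with two relay hops. Each relay prepends its own Received:
# line, so the topmost header is the last hop and the bottom one the first.
SAMPLE_RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.5])
 by inbound.example.org with ESMTPS; Fri, 12 Jun 2020 19:08:25 +0000
Received: from serverxx.xxxxx.xxx (serverxx.xxxxx.xxx [203.0.113.10])
 by mx.example.net with ESMTP; Fri, 12 Jun 2020 19:08:20 +0000
Message-ID: <20200612190818.3E16E1FBE8@serverxx.xxxxx.xxx>
From: sender@xxxxx.xxx
Subject: constructed sample

body
"""

HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.S)

def received_chain(raw_email):
    """Return the relay hops oldest-first as (from_host, by_host, datetime) tuples."""
    # Only the lines added by servers you trust are reliable; the earliest
    # hops were written by the sender's side and can say anything.
    msg = message_from_string(raw_email)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        hdr = " ".join(hdr.split())  # unfold the continuation lines
        m = HOP_RE.search(hdr)
        stamp = hdr.rsplit(";", 1)[1].strip() if ";" in hdr else None
        hops.append((m.group(1) if m else None, m.group(2) if m else None,
                     parsedate_to_datetime(stamp) if stamp else None))
    return hops

def origin_matches_message_id(raw_email):
    """True when the earliest hop's 'from' host equals the Message-ID domain; None if unknown."""
    msg = message_from_string(raw_email)
    hops = received_chain(raw_email)
    mid = (msg.get("Message-ID") or "").strip().strip("<>")
    if not hops or hops[0][0] is None or "@" not in mid:
        return None
    return hops[0][0].lower() == mid.rpartition("@")[2].lower()
```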

Forensic investigation correlates multiple pieces of information in an email message to trace its origin. This can only be done efficiently and in a timely manner with the help of a reliable, advanced, and feature-rich eDiscovery tool, such as Stellar Email Forensic. This software is engineered for accuracy, speed, and versatility and supports more than 25 email file formats. Stellar Email Forensic is an advanced email search tool that supports investigation at a granular level and helps in digital evidence collection. One of the most significant features of this product is that it facilitates deleted email recovery along with large-scale bulk email forensics. It also offers case management during criminal investigations through tagging, bookmarking, and logs.

Download a free trial version of Stellar Email Forensic software to start your email investigation now. The software is available for a free 60-day trial.

About The Author

Abhinav Sethi

Abhinav Sethi is a Senior Writer at Stellar. He writes articles, blog posts, knowledge-bases, case studies, etc. for different technologies. He also has a keen interest in digital forensics and helps forward-thinking companies fight different threats with apt solutions.
