Importance of Message-ID in Forensic Analysis of Emails

Summary: In this article, we have talked about the importance of message IDs in the forensic examination of emails. We have also discussed the parts of message-IDs, and how we can obtain message IDs in Gmail and Outlook. Finally, we have highlighted some of the challenges of message IDs and how using an eDiscovery tool like Stellar Email Forensic can help counter these challenges.

When digital forensics investigators study emails to find the source of spoofed messages, they have to analyze every field of email architecture. The email header is one of the vital resources that contains many important fields, one of which is Message-ID. So, it is crucial to understand what Message-IDs are, how they are created and extracted, and how they can help investigators in extracting useful information.

Taking a Closer Look at Message-ID

According to RFC 2822, the standard for the format of Advanced Research Projects Agency (ARPA) Internet text messages or emails, each email should have a globally-unique identifier to distinguish it from other emails. This identifier is called Message-ID, a critical field in the email header. It comprises a long string of characters that end with the Fully Qualified Domain Name (FQDN).

Message IDs are generated by client programs that send emails, such as Mail User Agents (MUA) or Mail Transfer Agents(MTA). The following figures consist of a sample Message header:

After analyzing the message header, the following information can be retrieved:

In the above-mentioned figure, the Message-ID is 20200612190818.3E16E1FBE8@serverxx.xxxxx.xxx,
There are two parts of a Message-ID. One part is before @, and another part is after @.

Most mail services incorporate the date and time at which an email is sent, into the Message ID, along with other random strings of characters to distinguish it from other emails. In the sample Message-ID above, the mail system had used timestamp information of the message at the time when it was sent. The date and time format are in the form of YYYY-MM-DD-HH-MM-SS. Extracting the details from the timestamp (the numerical value in the first part till the first dot: 20200612190818), we can know the following details:

• Year: 2020
• Month: June (06)
• Day: 12
• Time: 19:08:18 (Hours:Minutes:Seconds)

The second part of the Message-ID contains the details of the FQDN. It shares important details such as the local hostname, which is serverxx and the local domain name which is xxxxx.xxx.

You can find the Message-ID of an email in its message header. The following are the steps to extract the message header of an email in Gmail and Outlook:

How to Obtain Message-ID in Gmail?

To obtain the Message-ID of a Gmail message, follow the given steps:

Step 1: Open the email message.

Step 2: Click the icon with three dots on the top-right of the message box and select Show original from the options. [See Figure 4]

Step 3: It will open a new tab that contains all the fields of the email header. You can find the Message-ID in it. [See Figure 5]

You can also instantly locate it by using the search function of your web browser (usually activated by CTRL+F key combination) and searching with the keyword “Message-ID”.

How to Obtain Message-ID in Outlook?

The steps to obtain Message-ID of an email in Microsoft Outlook are given below:
Step 1: Open the email message and click on more actions (v) menu to expand it. [See Figure 6]

Step 2: Click View message details. [See Figure 7]

Step 3: It will open a new window that contains the email header. You can find the Message-ID. [See Figure 8]

Challenges with Message-ID in Email Forensics

Message-ID is a unique identifier that helps to distinguish emails across the globe. An email forensics expert can break it down to discover important details about an email and its MTA. However, there are a few challenges:

• The majority of mail systems add the Message-ID field in their emails. However, it’s an optional detail, and you may receive an email that doesn’t contain Message-ID.
• There is no standard algorithm used for Message-IDs generation; each mail service uses its own algorithm to generate unique identifiers. You must have a sound understanding of multiple email platforms and their Message-ID formats to decode these identifiers for a comprehensive investigation.
• You can understand the construction of a Message-ID of open source email MTAs, as the documentation is easy to obtain. However, proprietary programs can make acquiring information a challenge.

Looking Beyond Message-IDs for Comprehensive Forensic Email Analysis

Message-ID is an important email header field and can significantly help the investigation. However, forensic investigators need all kinds of additional details to conduct investigations. For instance, useful information can be readily found in other email header fields, like Received: where the details of each server relayed an SMTP message is cumulated, or X-headers, where details of security devices like email anti-virus are found. Similarly, their Hex values may be required for closer inspection of attachments.

Forensic investigation correlates multiple pieces of information in an email message to trace its origin. This can only be done efficiently and timely with the help of a reliable, advanced, and feature-rich eDiscovery tool, such as Stellar Email Forensic. This software is engineered for accuracy, speed, and versatility and supports more than 25 email file formats. Stellar Email Forensics is an advanced software for email search, which supports investigation at the granular level and helps in digital evidence collection. One of the most significant features of this product is that it facilitates deleted email recovery along with large-scale bulk email forensics. It also offers case management during criminal investigations through tagging, bookmarking, and logs.