Private Investigator E-mail Tracing, Part Two


In the last article we discussed the basics of e-mail tracing for the private investigator or the new cyber private investigator.  In this article I want to discuss the next phase of tracing an e-mail, what you need to be looking for, and the next stage of the report writing.

As a short recap, I skimmed over the fact that when it comes to tracing an e-mail the most important thing is, of course, the headers.  When you start to trace an e-mail you must ensure that you have the original headers, not the headers of a copy your client forwarded to you: forwarding wraps the message in your client's own envelope, so the Received and Message-ID lines you need are the forwarder's, not the original sender's.  Once you have confirmed that you have the correct headers for the e-mail you want to trace, I highly suggest that you print them out, take a yellow highlighter, and highlight the areas of the header that matter.

These areas again are:

1.        Received: lines

2.       Date: line

3.       From: line

4.       To: line

5.       Subject: line

6.       Message-ID: line

7.       X-Originating-IP: line

8.       The "from" clause of each Received: line (the connecting host name and its IP address)

9.       X-Mailer: line

Once you have highlighted all these areas it is going to be a lot easier and faster for you to trace the e-mail.  So let's go on to the subject of today's article, which is the Message-ID line of the e-mail header.

So what is the Message-ID line in an e-mail header?  The Message-ID was intended mainly for tracing mail routing, that is, the path a message takes through the servers, and for linking replies to the message they answer.  More importantly, it is a string of letters and numbers, of the form <unique-part@host>, that is meant to identify each and every e-mail uniquely.  In other words, only one e-mail should ever carry that exact Message-ID.  It is normally generated by the sender's mail program; if the mail program did not set one, the first server to accept the message adds one.  Either way, the part after the @ names the host that created it, and that host is the only thing vouching for its uniqueness.  Spammers and forgers tend to put trash in this field (a malformed or missing Message-ID, or one whose host part does not match any server in the Received lines), and that is one key way to determine whether you are dealing with a piece of spam.  The Message-ID also allows the ISP, or Internet service provider, to search its mail server logs for the message and find out where it went, what time and what day it went, and whether there were any issues with it.

Now, pay attention to that last statement: the Message-ID is an identifier that allows the ISP to find the e-mail in its server logs.  What this means is that you are not only going to trace the e-mail and identify the Internet service provider it originated from, you are going to request the logs from the server that handled this particular Message-ID.  Why?  The simple answer is that those logs record the IP address that actually connected to the server in order to send the e-mail, and frequently the authenticated account that submitted it, which is something the headers alone may not show you reliably.  This is vitally important to the successful tracing of an e-mail.

The RFCs that define e-mail describe the Message-ID as intended mainly for tracing mail routing and rarely of interest to normal users.  Well, we are not normal users, we are investigators, and the Message-ID is vitally important to our investigation.  So always make sure you have that Message-ID.  Be precise about what the standard promises, though: RFC 5322 says the uniqueness of the identifier is guaranteed by the host that generates it.  An honest server will never reuse one, which is what makes it a reliable search key in that server's logs, but nothing stops a forger from inventing one, so never treat the Message-ID by itself as proof of anything.  Remember this formula when tracing e-mails: e-mail header plus Message-ID plus server logs equals location of the e-mail sender (more exactly, the IP address the sender connected from).

If you can just remember that one formula you will be one step ahead of everyone else when it comes to tracing an e-mail.  So now that you have identified the Message-ID in your e-mail header, make sure it is part of the work you document in your final report to your client, because it is what you will hand to the Internet service provider that the original e-mail came from: you are going to ask not only about the e-mail itself but for the logs from the mail server and any relays that handled that Message-ID, and for any additional IP addresses associated with it in those logs.  Expect most providers to require a subpoena, court order or similar legal process before they release connection records tied to a subscriber, so build that into your timeline and your client's expectations.

Now, when it comes to server logs, be aware that these logs tend to rotate and be archived or even erased because of capacity constraints and storage requirements on the server.  In other words, if you have an e-mail that is six months old you may not be able to obtain the logs for it from the Internet service provider.  So once you receive the e-mail, start your header analysis right away, and then go to the Internet service provider to ask for the logs from the servers; if the formal request will take time, ask the provider in writing to preserve the logs while it is being prepared.  Again, time is of the essence.
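To make the formula concrete, here is an added worked example in Python; it is not from the original article and not any ISP's tooling.  It parses a constructed header block for the Message-ID and the IPs in the Received lines, then searches constructed Postfix-style log lines (the kind a provider would pull once a valid request is in hand) for that Message-ID, follows the queue ID to the smtpd connection record, and cross-checks the connecting IP against the earliest Received line.  Every host name, address and log line below is made up for illustration, and a Message-ID with no log record (logs already rotated) comes back as None.

```python
"""Correlate an e-mail's Message-ID with mail-server logs to recover the
sending IP.  The header sample and the Postfix-style log lines below are
constructed for illustration, not taken from a real case."""
import email
import re

# Constructed sample: the original headers as delivered to the client's mailbox.
RAW_HEADERS = (
    "Received: from mail.example.net (mail.example.net [198.51.100.7])\n"
    "\tby mx.recipient.example (Postfix) with ESMTPS id 4XyZ12Abc3z\n"
    "\tfor <client@recipient.example>; Tue, 12 Mar 2024 14:02:11 +0000\n"
    "Received: from [203.0.113.45] (unknown [203.0.113.45])\n"
    "\tby mail.example.net (Postfix) with ESMTPA id 3Q7rT9Pq1Hz\n"
    "\tfor <client@recipient.example>; Tue, 12 Mar 2024 14:02:09 +0000\n"
    "Message-ID: <20240312140208.ABCDEF@mail.example.net>\n"
    "Date: Tue, 12 Mar 2024 14:02:08 +0000\n"
    "From: Someone <someone@example.net>\n"
    "To: client@recipient.example\n"
    "Subject: hello\n"
)

# Constructed sample: what the operator of mail.example.net would pull from
# its Postfix logs for that day.  An unrelated message is included as noise.
MAIL_LOG = """\
Mar 12 14:01:55 mail postfix/smtpd[1211]: 9AaBbCcDdEe: client=unknown[192.0.2.77]
Mar 12 14:01:55 mail postfix/cleanup[1212]: 9AaBbCcDdEe: message-id=<other.123@example.org>
Mar 12 14:02:09 mail postfix/smtpd[1234]: 3Q7rT9Pq1Hz: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=someone@example.net
Mar 12 14:02:09 mail postfix/cleanup[1235]: 3Q7rT9Pq1Hz: message-id=<20240312140208.ABCDEF@mail.example.net>
Mar 12 14:02:09 mail postfix/qmgr[1200]: 3Q7rT9Pq1Hz: from=<someone@example.net>, size=1234, nrcpt=1 (queue active)
Mar 12 14:02:11 mail postfix/smtp[1240]: 3Q7rT9Pq1Hz: to=<client@recipient.example>, relay=mx.recipient.example[198.51.100.9]:25, status=sent (250 2.0.0 Ok: queued as 4XyZ12Abc3z)
Mar 12 14:02:11 mail postfix/qmgr[1200]: 3Q7rT9Pq1Hz: removed
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def header_facts(raw_headers):
    """Pull the Message-ID and the connecting IP of each hop from the headers."""
    msg = email.message_from_string(raw_headers)
    mid = (msg.get("Message-ID") or "").strip()
    # Received lines are prepended by each server, so the last one in the
    # header is the earliest hop: the server that took the message from the sender.
    received = msg.get_all("Received") or []
    hops = []
    for line in reversed(received):
        ips = IP_RE.findall(line)
        hops.append(ips[0] if ips else None)
    return {"message_id": mid, "hop_ips": hops}


def find_sender_ip(message_id, log_text):
    """Return (queue_id, client_ip, sasl_username) for the connection that
    submitted this Message-ID, or None if the logs hold no record of it
    (for example because they rotated out before the request was made)."""
    queue_id = None
    for line in log_text.splitlines():
        # Postfix's cleanup daemon logs the Message-ID under the queue ID,
        # and every other event for that message is keyed by the same queue ID.
        m = re.search(r": (\w+): message-id=(\S+)", line)
        if m and m.group(2) == message_id:
            queue_id = m.group(1)
            break
    if queue_id is None:
        return None
    for line in log_text.splitlines():
        # The smtpd "client=" record is the actual TCP peer that submitted the mail.
        if "postfix/smtpd" in line and f" {queue_id}: client=" in line:
            ip = IP_RE.search(line)
            user = re.search(r"sasl_username=(\S+)", line)
            return (queue_id, ip.group(1) if ip else None, user.group(1) if user else None)
    return (queue_id, None, None)


def trace(raw_headers, log_text):
    """Header + Message-ID + server logs: return the facts, the log hit, and
    whether the log's client IP agrees with the earliest Received line."""
    facts = header_facts(raw_headers)
    hit = find_sender_ip(facts["message_id"], log_text)
    # Disagreement here means the headers were forged or the client's copy
    # was not the original message.
    consistent = hit is not None and hit[1] == facts["hop_ips"][0]
    return facts, hit, consistent


if __name__ == "__main__":
    facts, hit, consistent = trace(RAW_HEADERS, MAIL_LOG)
    print("Message-ID:", facts["message_id"])
    print("Received hops (earliest first):", facts["hop_ips"])
    print("Log match (queue id, client IP, SASL user):", hit)
    print("Header and log agree:", consistent)
```

The cross-check at the end is the point of asking for the logs at all: the header's earliest Received line is written by the provider's server and can be trusted only as far as you trust that server, while the smtpd record is the provider's own account of who connected, and in the authenticated-submission case it also names the account that logged in.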

In our next report we will go into the next phase of the e-mail header and look at the other parts of the headers that help you identify the origin of the e-mail.  All of these pieces put together will help you identify where the e-mail originated from and potentially the individual who sent it.  Again, remember my formula: e-mail header plus Message-ID plus server logs equals location of the e-mail sender.

If you are interested in further information about tracing e-mails, please visit our website at http://www.pimall.com, where you can look into the e-mail tracing classes we host online and our other online private investigation classes.