How to Analyze Hotmail Email Header
When the header information for an email is opened, Hotmail displays the information as:
Received: The email header receives the message from sender, who has delivered the message.
Significance: In given source code, it can easily view that the 'Received' section has been repeated multiple times. Investigators may study these parameters from top to bottom for viewing Hotmail emails forensically. It will display the transaction path through which email message has been traversed.
Consider, the last 'Received' value has become first in the queue of forensics analysis of Hotmail. This value contains information about the sender associated with IP address as well as information of sender's Mail Server. The IP Address helps to analyze the location of the sender of the email.
Note: The date and time information is sent through the Email Sever and may be not consider the corresponding time when an email message is sent by the sender.
The second 'Received' field helps to demonstrate the information related to the path through which specified email message has being traveled.
From investigator's point of view, this field will display the IP address for target Server or the receiver.
From: The email header from field represents the email id of the sender, who has delivered the email message.
Significance: One can easily come to know the email address of the sender for future reference. However, many criminals attempt to manipulate the field by using email formation technique. Thus, this field is less reliable to depend on critical email analysis.
Message-ID: The Message-Id is a unique identifier assigned to each message, it helps to easily identify which message sent through whom.
Significance: This header is designed uniquely, usually it is encountered by first mail server. Conventionally, first part could be anything and in second part the name of the machine which assigned the respective ID.
Content type: The Hotmail content type represents the way in which emails are displayed in specified application. Several varieties of content type denote the structure of messages.
Significance: Generally, the Hotmail is free based email client for displaying the content. So, it believes on Content Type from email header to find out the way in which message should be displayed in a good manner.
Return-Path: The Hotmail return path header field indicates the email address where the notifications for the message should be sent. In multiple cases, this is same as that of sender's email address.
Significance: Generally, this information is easily configured by user itself within the email client and may or may not be completely reliable. Although from a forensics point of view, it is more important to investigate all possible information as it may helps to identify hidden evidences in a simplified way or any other one.
X-Message-Status: This header helps to understand the current status of the email message.
Significance: By this header, to check and analyze the recent status of the messages. The exact status is also associated at the end of this field.
X-Message-Delivery: This email headers help to understand the delivery of the email message.
Significance: By analyzing message header and to understand the delivery result of the message.
Content-Transfer-Encoding: While to send an email message over the network, an encryption is enabled to maintain the authentication of email. So, content transfer encoding field specifies the type of encryption performed on the content.
Significance: Generally, Hotmail messages comes with 8-bit encryption applied on them.
Date: This header helps to specify a date, generally, the message was composed and sent according to date.
Significance: In Hotmail, the date is displayed. If this header is eliminated through sender's Desktop, it might be possible to add through a mail server or even by some other machine along the route.
X Original Arrival Time: It tells the real arrival time when the receiver has received a message.
Significance: The detail is not considered because it might not be necessary for delivery of email messages. This message header might reveal the information regarding Provider ISP.
Authentication Result: This header tells the authenticated result to the receiver at the time of message delivery.
Significance: If an email message is sending through a domain, it is just a responsibility of SPF (Server Policy Framework) to check and verify if the specified Mail Server is authorized for sending email messages to that particular domain. The possible result will show such as 'PASS', 'FAIL' or 'NONE'. In Hotmail message header, if the email message is successfully delivered to the receiver, this can be read as mentioned above:
However, in any case, if the particular domain is not registered under that specified Mail Server, the result will display as 'NONE' even if the sender's Mail Server become fails to deliver an email message to the receiver, the value may be return as 'FAIL'.
X-SID-PRA & X-AUTH-Result: When this type of email header comes in Hot mail, it is put into the spam folder. Might be because the result will become Fail by using these two X-AUTH-Result or X-SID-PRA message header.
X-Message-Info: Similarly 'X-Original Arrival Time', field also comes under 'X-headers' that falls into the category of nonstandard headers. However, this might explore more information about (ISP) Internet Service Provider, so investigators do not take this section lightly and during the investigation to consider all associated factors.
DKIM-Signature(Domain Keys Identified Mail): It is a technique to confirm the accuracy of any email message to detect email spoofing and spamming.
Significance: In Hotmail, If an email is sent through an organization along with DKIM signature that is assigned on the mail, it signifies that the message is not saved in SPAM and the signing authority that is directly responsible for it.
MIME-Version: This MIME version helps to show that the MIME (Multi-Purpose Internet Mail Extensions) format of email supported by Hotmail.
Significance: Hotmail messages always contain MIME 1.0 as MIME Version. So, if any other MIME is found, the message may get corrupted. It ensures that the sent email message gets complicated to RFC 1341 standard formatting. MIME allows displaying a registration policy which uses IANA (Internet Assigned Numbers Authority) as a registry for all associated values and standards.
