Product Navigation

Complete Understanding On Hotmail Header Analysis

Since Hotmail is one of the first webmail services on the Web. It offers an overall investigation of mailbox components to analyze hidden evidence is defined to as Hotmail Email Forensics Analysis. Hotmail email header is one of the most considerable elements which help an investigator in cyber crimes. Apart from this Server logs analyzers, the application through an email has sent or receive like such of these strategies plays an important task in forensic investigation of Hotmail email header.

Additional points to Analyze Hotmail Email Header

During Investigation, several parameters coupled with Hotmail header analysis are discussed. Hotmail email forensics is an arena; some of the techniques have been explained to understand its wider properties.

What is Hotmail Email Header

Through email header, the analyzed authorities might be able to identify the IP address which can be used to verify details of sender. In some situations, masking, redirecting and spoofing methods are used through a sender to preserve its exact information.

Email headers are divided into two categories such as:

Envelop Header: It is very difficult to spoof or take off details. This information consists Senders mail server information, Message ID and X-Message-Info fields.

Message Header: Generally, the information is user-defined and it can easily be spoofed. It contains multiple fields like To, From, Subject, Return-Path, Content-Type, etc.

How to View Hotmail Email Header

To view the full email header in Window Live Hotmail, need to know email header forensics allow accessing the following actions:

  • On Webpage, sign in the user Hotmail account and also, open message list.
  • Double click on Message and then, choose "View Message Source" option from the menu bar.

The screen shot of email message can be represented like as:

Analyze Hotmail Email Header

How to Analyze Hotmail Email Header

When the header information for an email is opened, Hotmail displays the information as:

Hotmail Header Analysis

Received: The email header receives the message from sender, who has delivered the message.

Significance: In given source code, it can easily view that the 'Received' section has been repeated multiple times. Investigators may study these parameters from top to bottom for viewing Hotmail emails forensically. It will display the transaction path through which email message has been traversed.

Consider, the last 'Received' value has become first in the queue of forensics analysis of Hotmail. This value contains information about the sender associated with IP address as well as information of sender's Mail Server. The IP Address helps to analyze the location of the sender of the email.

Note: The date and time information is sent through the Email Sever and may be not consider the corresponding time when an email message is sent by the sender.

The second 'Received' field helps to demonstrate the information related to the path through which specified email message has being traveled.

From investigator's point of view, this field will display the IP address for target Server or the receiver.

Investigate Hotmail Email Header

From: The email header from field represents the email id of the sender, who has delivered the email message.

Significance: One can easily come to know the email address of the sender for future reference. However, many criminals attempt to manipulate the field by using email formation technique. Thus, this field is less reliable to depend on critical email analysis.

Message-ID: The Message-Id is a unique identifier assigned to each message, it helps to easily identify which message sent through whom.

Significance: This header is designed uniquely, usually it is encountered by first mail server. Conventionally, first part could be anything and in second part the name of the machine which assigned the respective ID.

Content type: The Hotmail content type represents the way in which emails are displayed in specified application. Several varieties of content type denote the structure of messages.

Significance: Generally, the Hotmail is free based email client for displaying the content. So, it believes on Content Type from email header to find out the way in which message should be displayed in a good manner.

Return-Path: The Hotmail return path header field indicates the email address where the notifications for the message should be sent. In multiple cases, this is same as that of sender's email address.

Significance: Generally, this information is easily configured by user itself within the email client and may or may not be completely reliable. Although from a forensics point of view, it is more important to investigate all possible information as it may helps to identify hidden evidences in a simplified way or any other one.

X-Message-Status: This header helps to understand the current status of the email message.

Significance: By this header, to check and analyze the recent status of the messages. The exact status is also associated at the end of this field.

X-Message-Delivery: This email headers help to understand the delivery of the email message.

Significance: By analyzing message header and to understand the delivery result of the message.

Content-Transfer-Encoding: While to send an email message over the network, an encryption is enabled to maintain the authentication of email. So, content transfer encoding field specifies the type of encryption performed on the content.

Significance: Generally, Hotmail messages comes with 8-bit encryption applied on them.

Date: This header helps to specify a date, generally, the message was composed and sent according to date.

Significance: In Hotmail, the date is displayed. If this header is eliminated through sender's Desktop, it might be possible to add through a mail server or even by some other machine along the route.

X Original Arrival Time: It tells the real arrival time when the receiver has received a message.

Significance: The detail is not considered because it might not be necessary for delivery of email messages. This message header might reveal the information regarding Provider ISP.

Authentication Result: This header tells the authenticated result to the receiver at the time of message delivery.

Significance: If an email message is sending through a domain, it is just a responsibility of SPF (Server Policy Framework) to check and verify if the specified Mail Server is authorized for sending email messages to that particular domain. The possible result will show such as 'PASS', 'FAIL' or 'NONE'. In Hotmail message header, if the email message is successfully delivered to the receiver, this can be read as mentioned above:

However, in any case, if the particular domain is not registered under that specified Mail Server, the result will display as 'NONE' even if the sender's Mail Server become fails to deliver an email message to the receiver, the value may be return as 'FAIL'.

X-SID-PRA & X-AUTH-Result: When this type of email header comes in Hot mail, it is put into the spam folder. Might be because the result will become Fail by using these two X-AUTH-Result or X-SID-PRA message header.

X-Message-Info: Similarly 'X-Original Arrival Time', field also comes under 'X-headers' that falls into the category of nonstandard headers. However, this might explore more information about (ISP) Internet Service Provider, so investigators do not take this section lightly and during the investigation to consider all associated factors.

DKIM-Signature(Domain Keys Identified Mail): It is a technique to confirm the accuracy of any email message to detect email spoofing and spamming.

Significance: In Hotmail, If an email is sent through an organization along with DKIM signature that is assigned on the mail, it signifies that the message is not saved in SPAM and the signing authority that is directly responsible for it.

Examine Hotmail Email Header

MIME-Version: This MIME version helps to show that the MIME (Multi-Purpose Internet Mail Extensions) format of email supported by Hotmail.

Significance: Hotmail messages always contain MIME 1.0 as MIME Version. So, if any other MIME is found, the message may get corrupted. It ensures that the sent email message gets complicated to RFC 1341 standard formatting. MIME allows displaying a registration policy which uses IANA (Internet Assigned Numbers Authority) as a registry for all associated values and standards.


After considering the analysis of all mentioned components the following well-defined criteria helps to the investigators in Hotmail Forensics of emails. Hotmail Header analysis offers Email Search Software to find anything within email messages. However, spoofed or spammed email headers; messages sent from different remote locations such as airports, libraries, internet cafes; delayed delivery of email messages are some of the main issues that investigators must be aware of these misleading officials while investigating the several pieces of evidences.