Why To Analyse Outlook Email Header?
The lines of metadata i.e. data about data are included in each email are email headers. They contain lots of important information for forensic investigators. It is basically a special kind of field added by the server automatically known as email header. Therefore, Outlook email header analysis is very helpful because it contains the data such as contact information or route information that can be a part of the evidence in cyber crimes also.
Analyse Outlook email header can play a major role in understanding the route of email messages and identify the email spamming and spoofing. These types of information can easily be traced by the analyzing any manipulation in the headers of senders and receivers. If there is any manipulation or changes present in the email message header then it is clear that there is some manipulation in the email. Therefore, Outlook email header analysis is also considered as major an artifact for a forensic team in investigating a cyber crime.
Microsoft Outlook Email Header Analysis
After reading complete header in Outlook there is a need to understand the purpose or significance of each header in the email. Therefore, in this section, a complete email header forensic of Outlook is discussed.
The above figure represents the complete email header list of Microsoft that is attached in an email.
Return-Path: The return-path email header Outlook is mainly used for bounces. It describes the return-path of the message, where the message needs to be delivered or how one can reach to message sender. If the message is not delivered, then the mail server will send the message to the specified email address.
Received: An essential email header in Outlook 2010 or all other versions is received header. It displays the list of all the email server through which message is routed to reach the receiver. Moreover, the best way to analysis this header is read it from bottom to top.
This header also provides the information about the message that is when the message is transferred for example in above header it specifies that it occur on Tuesday, October 18, 2016, at 04:56:19 in the morning is Pacific Standard Time that is 8 hours late than UTC (Universal Coordinated Time).
This field also provides IP address of all the sender's mail server, receiver's mail server, and the mail server, through which message is passed from sender to receiver.
Message-ID: There is always a unique message id assigned to each message that refers to a particular version of a particular message. For example:
This message has a unique identifier (number) that is assigned by mx.google.com for identification purpose. It is the unique ID that is always associated with the message.
Date: As it is clear from the name, it specifies the date and time of a particular message that when the message was composed and sent. Moreover, this date and time are totally dependent on the clock of sender's computer.
From: The from email header in Outlook specifies the name of the sender and the email address of the sender. This header can easily be forged, therefore it is least reliable. For example:
From: "Microsoft Outlook" "firstname.lastname@example.org"
It specifies that message was sent by Microsoft Outlook from the email address email@example.com
To: The "to" field in the Outlook email header normally specifies the name of the receiver or we can say that to whom message was sent.
Subject: This header field normally displays the subject of the email message which is specified by the sender of the email.
MIME Version: MIME is basically a Multipurpose Internet Mail Extension is an internet standard. Its role is to extend the email message format. It also describes the version of MIME protocol that sender was using at that time. It is also an important email header in Outlook.
Content-Type: It is an additional MIME header that tells the type of content to expect in the message with the help of MIME-compliant e-mail programs. It also displays the format of the message like HTML, XML and plain text.