The Bat! Is a desktop-based email application, which was developed by Ritlabs, SRL. It is a corresponding email program for the advance set of users. It is a well-known application for different aspects like security, interface customization, and filtering capabilities. This email application uses encryption techniques, Inbuilt HTML viewer, attachment handling in a safe manner etc., to maintain data security within it.
Whenever a person sends or receives a message through The Bat!, its pre-defined server appends a specific field of email header within it. One can easily view normal header part of each email, which contains basic information of sender and receiver. In addition, there is portion of the header part, which comprises of the information that can widely be used while performing investigation. Therefore, A need to access Email Header is required that shows message source information through which the investigators can perform analysis and collect evidences for resolving a case.
Go through following set of instructions to view complete detail of a particular email message in account of The Bat!:
Tip: After selecting an email, you can directly press the F9 key from your keyboard without opening any menu list or anything else.
In this section, one is going to learn about each and every attribute of The Bat! email header along with there significance in email:
Delivered-To: This Delivered-To header part indicates the email id of the person who is receiving the selected email in The Bat! account.
Value: Email id of the receiver.
X-Received: It is a non-standard email attribute, which is basically attached either by a user agent or mail transfer clients like the Google mail SMTP server.
Value: by 10.36.20.66 with SMTP id 63mr14168439itg.103.1484552281338; Sun, 15 Jan 2017 23:38:01 -0800 (PST).
Return-Path: A return-path (also known as bounce address or envelope sender address) is an email address to which bounces mails are delivered. Basically, its usage is to provide information about returning bounce messages.
Value: Email id of the sender in angular brackets.
Received-SPF: The term SPF stands for Sender Policy Framework, which is a hidden email attribute that avoid fake email addresses. It is a framework for preventing forgery of the sender address. In other words, it describes whether the mail server is having permission to send messages for particular domain or not.
Value: pass (google.com: domain of sp261213@gmail.com designates 2607:f8b0:4001:c0b::233 as permitted sender) client-ip=2607:f8b0:4001:c0b::233;
Authentication-Results: An Authentication-Results email header, as per name suggests that it gives output of email authentication procedure. Depending upon the procedure of authentication, the result of the procedure also varies that are separated by wrapped or semicolons.
Value: mx.google.com; dkim=pass header.i=@gmail.com; spf=pass (google.com: domain of sp261213@gmail.com designates 2607:f8b0:4001:c0b::233 as permitted sender) smtp.mailfrom=sp261213@gmail.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
DKIM-Signature: The term DKIM stands for DomainKeys Identifies Mail, which is a procedure of authentication to find out email spoofing. It enables receivers to examine the domain, which was indeed authorized by the admin of that domain. The significance of this header part is to prevent from forging (used on email spam and phishing) sender's email address.
Value: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=wl9VKDoUIx0wavGG4Y/cQmv+l648ZDc9jCdzN+iU7Ug=; b=nJUzV29gdf+qMHKTKYRgdkdxsC/i+iDEgoW+L/DGarBTLnaqvVgAnxD6Dx89Jok8ww q4PDg4tFj4ijonvbVI/jbv5fGG1EDxS4TetvJSyOHGlZUI3USPOnhcUoVncAVNctMXVK E+58JAX6PoF5senYIoL8zWUj/uonE7WDbuumMD4P4FmJLee4yrA6984qG1LtBo+jBh3M oGvRJPjuE81OvUJJb09/2f1uno+c9/+Y3/801CC2w+g73XjDwXuOr+Yrq/UuG7JVQP4Y bhEWALP/2X3ctfIGqjbXRnDA3nm15Vv3NnUpe0DyPLk8ELvwt3dJY51/7Sce8kNMVjM+ ILIg==
X-Google-DKIM-Signature: If a receiver is receiving emails from a Gmail account then, an email signature is appended by Google itself. The functioning of this signature is to authenticate emails from Google techniques. Apart from this, the significance of this attribute is same as DKIM-Signature email header.
Value: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=wl9VKDoUIx0wavGG4Y/cQmv+l648ZDc9jCdzN+iU7Ug=;b=QuVKv75CLkugTw9J71qRHs48zl89kAJYMFxUUAbShkMbBQk//zoT6RYIxsDLgHJXXu eMmICMygbO/wYWzYg337IIFNIhls8Ov18h//CN6h8axW461P2109UX0StQo04AYgFYoi 4IpUtEqkg85iggcx3N/hTrR9yTTkCoimGQKBcLK78C8dc+T+3UIIOIzBeOG5XKFM2y+A P5g6zYMssz4fIP1oNE8pg7ZwwqBDVooPe69KYM9QN5efotC3ZM8c0ZNuKhzZkAojgKLi 4pnccYyb0ZFIedPBkSD1wL7nJr6ys2IZkybLKnOP4ZyB1zlHC5JHO5bLLvih14NvBXIu bBLg==
X-Gm-Message-State: There are two states of this Google message state, which describes whether the mail is sent or not. The states will be sent successfully or bounce back.
Value: AIkVDXId2ksy3R8BpetQP+vwL/rXxOZKe2f24BjdK0GrmXfXmbRHJ75+Uo7VIzacahwWewrOC6hvXTj+QZsfnQ==
Apart from the above-mentioned attributes, all the other header elements like MIME-Version, From, Date, Message-ID, Subject, and To are components which are generally known to end users.
A complete The Bat! email header analysis plays an important role in performing investigation of multiple cyber crimes, which involves depth examination of The Bat! emails. In this blog, we have described each and every header attribute of The Bat!, which could be helpful for forensics investigators. Moreover, The Bat! email header analyzer renders Forensic Email Search Tool for finding details within emails.