Email and web browser activity are among the most common sources of digital evidence. Emails can establish communication patterns, intent, and timelines, while browser history reveals research activity, downloads, and interactions with web services. Both leave rich forensic artefacts that examiners must know how to locate, extract, and interpret.
| Protocol | Purpose | Port |
|---|---|---|
| SMTP | Sending email | 25 (plain), 465 (SSL), 587 (STARTTLS) |
| POP3 | Retrieving email (downloads and deletes from server) | 110 (plain), 995 (SSL) |
| IMAP | Retrieving email (syncs with server; mail remains on server) | 143 (plain), 993 (SSL) |
| Exchange/MAPI | Microsoft Exchange proprietary protocol | 443 (HTTPS) |
| Format | Application | Location |
|---|---|---|
| PST | Microsoft Outlook (Windows) | `C:\Users\<user>\Documents\Outlook Files\` or AppData |
| OST | Microsoft Outlook (cached Exchange) | `C:\Users\<user>\AppData\Local\Microsoft\Outlook\` |
| MBOX | Thunderbird, Unix mail | Profile directory (varies) |
| EML | Individual email files | Various; one file per message |
| MSG | Microsoft Outlook individual messages | Various |
| SQLite databases | Web-based clients, mobile apps | Application data directories |
Email headers contain critical forensic metadata:
```text
Return-Path: <sender@example.com>
Received: from mail-server.example.com (198.51.100.25)
    by recipient-server.example.org (203.0.113.10)
    with ESMTPS id abc123;
    Wed, 14 Jan 2026 15:30:00 +0000 (UTC)
Received: from client-machine.local (192.168.1.50)
    by mail-server.example.com
    with ESMTP id def456;
    Wed, 14 Jan 2026 15:29:55 +0000 (UTC)
From: "Alice Smith" <alice@example.com>
To: "Bob Jones" <bob@example.org>
Subject: Project Update
Date: Wed, 14 Jan 2026 15:29:50 +0000
Message-ID: <unique-id@example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary123"
X-Mailer: Microsoft Outlook 16.0
```
| Field | Forensic Value |
|---|---|
| Received | Traces the path the email took; read bottom-to-top; each server adds a header |
| From | Claimed sender (can be spoofed) |
| Return-Path | Envelope sender; used for bounce handling |
| Message-ID | Unique identifier; useful for correlation |
| Date | Claimed send time (from sender's system; may be inaccurate) |
| X-Originating-IP | Some servers record the sender's IP address |
| DKIM-Signature | Cryptographic signature that, when it verifies, shows the message was signed by the claimed domain and that the signed headers and body were not altered in transit |
| Authentication-Results | SPF, DKIM, and DMARC verification results |
Tip: Read the Received headers from bottom to top to trace the email's actual path. The bottom-most Received header is closest to the sender, while the top-most is closest to the recipient.
| Indicator | Description |
|---|---|
| Mismatched From address | Display name says "Bank" but the email address is from an unrelated domain |
| Suspicious links | URL text says "bank.com" but the actual href points to a different domain |
| Urgency and threats | "Your account will be closed in 24 hours" |
| Spelling and grammar errors | Professional organisations typically have quality control |
| Attachment analysis | Suspicious file types (.exe, .scr, .js, .hta) or macro-enabled documents |
| SPF/DKIM/DMARC failures | Authentication headers show the email failed verification |
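The following Python script is an added example (not part of the original lesson) that applies the header analysis described above to the sample headers: it walks the Received headers bottom-to-top to reconstruct the delivery path, pulls SPF/DKIM/DMARC results out of Authentication-Results, and compares the envelope sender domain with the From header domain. The Authentication-Results line is a constructed addition so that the failure check has something to read.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr
# Constructed sample: the header excerpt above plus an Authentication-Results
# line (not on the page) so the authentication check has something to read.
RAW_HEADERS = """\
Return-Path: <sender@example.com>
Received: from mail-server.example.com (198.51.100.25)
    by recipient-server.example.org (203.0.113.10)
    with ESMTPS id abc123;
    Wed, 14 Jan 2026 15:30:00 +0000 (UTC)
Received: from client-machine.local (192.168.1.50)
    by mail-server.example.com
    with ESMTP id def456;
    Wed, 14 Jan 2026 15:29:55 +0000 (UTC)
Authentication-Results: recipient-server.example.org;
    spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail
From: "Alice Smith" <alice@example.com>
To: "Bob Jones" <bob@example.org>
Subject: Project Update
Date: Wed, 14 Jan 2026 15:29:50 +0000
Message-ID: <unique-id@example.com>
"""
HOP_RE = re.compile(r"from (\S+)(?: \(([^)]*)\))? by (\S+)")

def parse_hops(msg):
    """Received hops in transit order: each relay prepends its header, so the
    bottom-most Received line is the first hop (closest to the sender)."""
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(received.split()))  # collapse folded lines
        if m:
            hops.append({"from": m.group(1), "from_ip": m.group(2), "by": m.group(3)})
    return hops

def auth_failures(msg):
    """spf/dkim/dmarc results from Authentication-Results that are not 'pass'."""
    results = " ".join(msg.get_all("Authentication-Results", []))
    return {k: v for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results) if v != "pass"}

def envelope_header_mismatch(msg):
    """True when the Return-Path domain differs from the From header domain."""
    env = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    hdr = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return env != hdr

def analyse(raw=RAW_HEADERS):
    msg = HeaderParser().parsestr(raw)
    return {"hops": parse_hops(msg), "auth_failures": auth_failures(msg),
            "envelope_mismatch": envelope_header_mismatch(msg)}
```

Note that the innermost Received header records a private address (192.168.1.50), so the first hop identifies the sending client only within the originating network; the public IP of interest is the one recorded by the first external relay.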