Our professional forensic analysts are all fully trained specialists. Many are ex-police employees and others have worked for organisations such as GCHQ or other government bodies.
Many people who use Gmail, Yahoo, Outlook or Hotmail, among others, think that their true identity and location are hidden, and they are very surprised when we trace them within a very short time to their service provider and location. Assuming the email is of a threatening or illegal nature, it is not difficult to initiate an enquiry leading directly to the person or persons involved.
How we trace emails to their source.
1. Tracing an email address:
If you do not have the actual email message but only an address, we can still trace the address to the mail server that handles its domain. It should be noted, however, that sender addresses are easily forged, so the results of tracing an address alone may have nothing to do with the true sender. We can also send a specially prepared forensic email to the address; when it is opened it reports back the IP address of the computer on which it was read, the time it was opened and other potentially useful data. Be aware that some mail services (Gmail, for example) fetch remote content through their own servers, in which case the address reported is the provider's proxy rather than the reader's own connection.
If you need us to trace an email, we can explain on the phone how to extract the full Internet headers, which are the data we need to get right to the source.
2. Email Internet Headers:
The key to tracing is to keep in mind that every received email carries Internet headers. It is by analysing these that we can get right to the source.
3. 'Received' Headers:
The most important header field for tracking purposes is the Received header field, which usually has a syntax similar to:
Received: from ? by ? via ? with ? id ? for ? ; date-time
Where from, by, via, with, id, and for are all tokens with values within a single header value, which may span multiple lines, and the date-time after the semicolon is the moment the receiving server accepted the message. Note: some mail servers may not include all of these tokens, and additional tokens or values may be added to this field, but now you are prepared to break it apart and understand it.
Every time an email moves through a new mail server, a new Received header line (and possibly other header lines) is added to the top of the header list, so the headers read newest first: the top Received line was written by your own mail server and the bottom one is the closest to the sender. This is similar to FedEx package tracking, where your package is 'swiped' through a tracking machine each time it enters a new sorting facility.
In many cases we can identify the IP address from which the message was first handed to a mail server, the approximate geographical location of that address, and the company providing Internet service (the ISP) for it. Where the message was sent through webmail, that first address is often the provider's own server, and the provider rather than the header then holds the record of which account was logged in. Reports for email abuse, such as spam, email-borne viruses and email threats, can then be directed to the sender's ISP, which is easy to pin down once we have the actual IP address.
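As a worked illustration of the tracing described in 3. (and of points B) and C) below about trusting IP addresses over names and spotting false Received lines), here is a small Python script. It is an added example, not code from the original page or from our own tooling. Every hostname, address and timestamp in it is constructed (IPs come from the RFC 5737 documentation ranges), and mx.example.net is assumed to be the examiner's own mail server. It unfolds each Received header, pulls out the tokens and the bracketed IP recorded by the receiving server, then walks the chain from the top down, stopping at the first hop whose 'by' host or timestamp does not fit the line above it. A mismatch of that kind is not proof of forgery on its own (some relays announce a different name than the one their neighbour records), but it marks the point below which nothing in the headers can be verified.

```python
"""Walk the Received: chain of a message and recover the hand-off IP of each hop.
Added example, not code from the original page; every host, address and timestamp
is constructed (IPs from RFC 5737 ranges), and mx.example.net is our own mail server."""
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample.  Top line: written by our own MX.  Second line: written by the
# sender's provider, which recorded the client's IP in brackets and the name the
# client announced ("mossmann").  Third line: forged, typed in by the sender.
SAMPLE = """\
Received: from mail.provider.example (mail.provider.example [203.0.113.7])
\tby mx.example.net (Postfix) with ESMTPS id 4F2A1C0123
\tfor <victim@example.net>; Tue, 14 May 2019 09:21:05 +0000 (UTC)
Received: from mossmann (unknown [198.51.100.23])
\tby mail.provider.example (Postfix) with ESMTPSA id 9B3C2D
\tfor <victim@example.net>; Tue, 14 May 2019 09:21:03 +0000 (UTC)
Received: from innocent-relay.example.org (innocent-relay.example.org [192.0.2.55])
\tby smtp.nowhere.example with SMTP id 12345;
\tTue, 14 May 2019 09:40:00 +0000 (UTC)
From: someone@provider.example
To: victim@example.net
Subject: test

body
"""

BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")
TOKENS = ("from", "by", "via", "with", "id", "for")


def parse_received(value):
    """Split one Received: value into its tokens, the recorded IP and the date."""
    value = re.sub(r"\s+", " ", value).strip()       # unfold continuation lines
    clauses, sep, date = value.rpartition(";")       # the date follows the last ';'
    if not sep:
        clauses, date = value, ""
    hop = {}
    for name in TOKENS:
        m = re.search(r"\b%s\s+(\S+)" % name, clauses, re.IGNORECASE)
        hop[name] = m.group(1).strip("<>(),") if m else None
    # The bare name after 'from' is only what the client claimed (its HELO name).
    # The address in square brackets was recorded by the receiving server from
    # the actual TCP connection, so that is the one we trace.
    from_clause = re.split(r"\bby\b", clauses, maxsplit=1, flags=re.IGNORECASE)[0]
    m = BRACKET_IP.search(from_clause)
    hop["ip"] = m.group(1) if m else None
    try:
        hop["date"] = parsedate_to_datetime(date.strip()) if date.strip() else None
    except (TypeError, ValueError):
        hop["date"] = None
    return hop


def received_hops(raw_message):
    """Parsed hops in header order: newest (our server) first, oldest last."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def check_chain(hops, trusted_mx, skew=timedelta(minutes=5)):
    """Walk downward from our own MX and report hops that do not fit the chain.
    Each server prepends its line, so every line below a trusted hop was written by
    a machine we do not control.  A hop is flagged when its 'by' host is not the host
    the line above received from, or when it is stamped later than that line."""
    problems = []
    if not hops or (hops[0]["by"] or "").lower() != trusted_mx.lower():
        problems.append((0, "top line was not written by our own mail server"))
    for i in range(1, len(hops)):
        above, here = hops[i - 1], hops[i]
        if (here["by"] or "").lower() != (above["from"] or "").lower():
            problems.append((i, "'by' host %r is not the 'from' host %r above it" % (here["by"], above["from"])))
        if above["date"] and here["date"] and here["date"] > above["date"] + skew:
            problems.append((i, "timestamp is later than the hop that received it"))
    return problems


def trace(raw_message, trusted_mx):
    """Return the verifiable trail [(ip, claimed_name, receiving_server)] and the problems.
    The trail stops at the first flagged hop; its last IP is the one to take to the ISP."""
    hops = received_hops(raw_message)
    problems = check_chain(hops, trusted_mx)
    bad = {i for i, _ in problems}
    trail = []
    for i, hop in enumerate(hops):
        if i in bad:
            break
        trail.append((hop["ip"], hop["from"], hop["by"]))
    return trail, problems


if __name__ == "__main__":
    trail, problems = trace(SAMPLE, "mx.example.net")
    for ip, claimed, server in trail:
        print("%-15s announced as %-25s received by %s" % (ip, claimed, server))
    for index, reason in problems:
        print("hop %d unverifiable: %s" % (index, reason))
```

Run against the constructed sample, the trail stops after 198.51.100.23 (the address the provider recorded for the client calling itself "mossmann"), and the third line is flagged twice: its 'by' host is not mossmann, and it claims a time later than the hop that supposedly received it. That address and the 09:21:03 +0000 timestamp of the provider's line are what you would pass to the ISP under point E) below.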
The Internet Headers for an email message sometimes contain some really interesting information about the sender. Of course we won’t know this until we start looking into the specific case but this is a guide as to what sometimes presents itself.
A) Windows Computer Name: The Windows computer name is sometimes leaked, because the name after 'from' in a Received line is whatever the sending machine announced to the server, and a Windows PC submitting mail directly will often announce its own computer name. Consider the following partial header from an actual email: Received: from mossmann. While a computer can be named anything, in this case we might assume that the person is named Mossmann, so we have a good idea what we are looking for; if you are being harassed or threatened by a Harry Mossmann this would be very damning. The computer name may be intentionally misleading or simply meaningless, but it becomes very useful confirming information if the police or other agencies can check that the name of the suspect's computer matches the name in the email header. There are ways people can try to hide from or confuse even the most professional email analyst; below are some of the issues we always look at and what we can do if the person is really determined to evade being traced.
B) Hostnames vs IP Addresses: We always base our tracking decisions on IP addresses and not on host names, because mapping an IP address to a host name and then back to an IP address may yield a different address. In a Received line, the bare name after 'from' is only what the sending machine claimed, whereas the address in square brackets was recorded by the receiving server from the actual connection; it is the bracketed address we work from.
C) False Header Information: We are aware that spammers may insert fake Received: header lines into the Internet headers of a message to confuse us. Because each server adds its line above the ones already present, only the lines above the sender's own contribution can be trusted. We follow the trail from our own server downward through the Received: fields from mail server to mail server, checking that each line names as its receiving server the host the line above says it received from and that the timestamps run in order; the point at which the chain stops making sense is usually where the forged lines begin. Combined with common sense based on years of experience and our comprehensive databases of proxy servers and suspect IPs, this has a high chance of success even when the information makes no sense initially.
D) False IP Address: The IP address you finally end up at is the address of the computer that handed the message to the first mail server. But is that computer the real sender, or a computer that was broken into so that a false email could be sent? Or the sender may be hiding behind a proxy service, in which case you reach the IP address of the proxy company. In this situation we send a tagged email which should send us back a pile of information when the document is opened; a different route, but the end result is a high probability of identifying the sender.
E) IP Address Changes: Do not assume that the sender's computer has a fixed, constant IP address. Unless they have a static IP, most people who connect to the Internet get a different address each time they connect. However, all is not lost. We can report the IP address and the full Internet headers (which record the time of day, with time zone, at which each server accepted the message) to the person's ISP, and the ISP can match that against its login and logout logs to identify a unique end-user and take appropriate action.
F) Viruses: Do not assume the worst of the person whose computer sent the email. They may simply have been infected with a virus that is using their computer to spread itself. We get calls every week on this point, although certain infections, such as keylogger spyware, are themselves cause for worry.
G) Open Mail Servers: Do not assume the worst of the company whose mail server was used to send the original email. They may be involved in the spam, but they may also simply have a misconfigured mail server (an open relay) that lets anyone on the Internet send email through it.