Email Forensics: What the Evidence Actually Shows and What It Does Not

Published: April 27, 2026

How headers, routing, and authentication artifacts separate appearance from technical reality.

Introduction

A while back, I was giving a presentation on email forensics and explaining, step by step, how business email compromise works. As often happens with this topic, after just a few minutes it became obvious to everyone in the room how easy it is to misread email evidence.

Most people believe they understand email because they can read visible fields:

  • From
  • To
  • Subject
  • Date

Those fields do not tell the full story. In a forensic examination, what the user sees is often the least reliable part of the evidence. The critical facts are usually in technical artifacts that are not visible in the normal interface.

Email Was Never Intended to Be Secure

Email was originally designed to move messages between cooperating systems, not to provide strong authentication, identity validation, or integrity assurance. SMTP itself does not verify who the sender is, does not check that the address shown in From: belongs to them, and does not guarantee that the message arrived unchanged. SPF, DKIM, and DMARC were added decades later to partly close that gap, and their verdicts are recorded by the receiving server rather than shown to the reader. That historical design gap is central to modern email abuse.

When an email appears to come from a CEO, vendor, or colleague, visible fields alone do not confirm authenticity. From:, To:, Subject:, and Date: are ordinary text lines written by whoever composes the message, so a sender can put any name and any address in them with minimal effort.

Attorney's Point of View and What Data Actually Matters

In legal matters, emails are often submitted as screenshots, PDFs, or forwarded messages. Those formats rarely preserve the full forensic record needed for technical evaluation.

The central questions should shift from appearance to transport evidence:

  • Where did the email originate?
  • How did it travel to the recipient?
  • Did anything change during transfer?
  • Does infrastructure align with the claimed sender?

Those answers live in headers and related artifacts, not in screenshots.

Why Headers Are So Important

Each email carries header fields that most clients do not display by default but that document the technical transmission details. They do not change the visual presentation, but they hold the most reliable path evidence in the record. The one caveat that matters most: each relay prepends its own Received: line, so only the line written by your own receiving server can be vouched for; everything below it arrived as text the sending side controlled and can be forged.

Headers commonly provide:

  • Server names and IP addresses of each relay (Received:)
  • Timestamps written by each relay (Received:)
  • Routing path, read from the bottom (oldest hop) to the top (newest hop)
  • The envelope sender and the receiver's authentication verdicts (Return-Path:, Authentication-Results:)

Simple Example of Email Deception

In a CEO scam demonstration, the message looked normal on first review. The sender name appeared correct, the tone was plausible, and the request was urgent. Header review changed the conclusion immediately.

Red Flag #1: Inconsistent Return Path

The displayed From: address used the company's domain, but the Return-Path: pointed to unrelated infrastructure. Return-Path: records the SMTP envelope sender (MAIL FROM), the address bounces go to and the one SPF is evaluated against; nothing requires it to match the visible From:. A mismatch alone is not proof of fraud, since mailing lists, marketing platforms, and forwarders legitimately differ, but it directly contradicts the claim that the message was sent from the company's own mail system.

Red Flag #2: Unrelated Routing Path

The Received: chain showed servers with no organizational connection to the claimed sender environment. Read the chain from the bottom up, and remember that the only hop you can vouch for is the one your own receiving server wrote; the hops below it were supplied by the sender and may be fabricated, which is itself evidence when they contradict the trustworthy hop.

Red Flag #3: Different Reply Address

A Reply-To: header redirected replies to a third-party account, a classic control tactic in fraud campaigns. The recipient who clicks Reply rarely notices, because the client fills in the reply address from Reply-To: rather than from the From: line they looked at.

Red Flag #4: Sender Domain and Message ID Mismatch

The right-hand side of the Message-ID: (the part after the @) normally names the host or domain that generated the message. Here it did not align with the claimed sender's infrastructure. On its own this is a weak signal, since many legitimate sending platforms mint their own IDs, but combined with the other flags it pointed the same way.

Red Flag #5: Failed Authentication

Authentication checks such as SPF and DKIM did not validate the message as legitimate. SPF asks whether the connecting server's IP is authorized by the Return-Path domain's DNS record; DKIM verifies a signature over selected headers and the body against a public key published in DNS for the signing domain (the d= tag); DMARC requires one of those to pass and to align with the visible From: domain. The receiving server records its verdicts in an Authentication-Results: header. Trust only the line stamped by your own server (its name appears first on the line); a sender can insert an Authentication-Results: header of their own claiming a pass, and a forwarded copy may carry none at all.
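The five checks above, and the Received: chain reading described under "Why Headers Are So Important", as an added example in Python (this is not code from the article). It runs against two constructed messages, a fraudulent one and a clean internal one, built with example.com/example.net/example.org and documentation IP ranges. It assumes the examiner knows the hostname of their own inbound server (the trusted_host parameter) and trusts only the Received: and Authentication-Results: lines that host wrote. The test that the relaying host sits under the From: domain is a heuristic for an analyst to review, not a verdict; legitimate third-party senders will trip it.

```python
"""Header triage for one RFC 5322 message (added example, not the article's code).
Assumption: trusted_host is the examiner's own inbound server; only the Received
and Authentication-Results lines that host wrote are treated as reliable."""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the visible From: is the victim's domain, the transport is not.
FRAUD = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby inbound.example.com with ESMTPS id abc123
\tfor <cfo@example.com>; Mon, 27 Apr 2026 09:15:02 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mx.example.net with ESMTP id xyz789; Mon, 27 Apr 2026 09:14:55 +0000
Authentication-Results: inbound.example.com;
\tspf=fail smtp.mailfrom=mailer.example.net; dkim=none;
\tdmarc=fail header.from=example.com
Message-ID: <20260427091455.1234@mailer.example.net>
From: "Jane Doe, CEO" <jane.doe@example.com>
Reply-To: <jane.doe.ceo@example.org>
To: <cfo@example.com>
Subject: Urgent wire transfer

Please process the wire today. I am in meetings and cannot take calls.
"""

# Constructed control: an internal message whose artifacts agree with From:.
LEGIT = """\
Return-Path: <jane.doe@example.com>
Received: from smtp.example.com (smtp.example.com [192.0.2.10])
\tby inbound.example.com with ESMTPS id def456; Mon, 27 Apr 2026 10:00:03 +0000
Authentication-Results: inbound.example.com; spf=pass smtp.mailfrom=example.com;
\tdkim=pass header.d=example.com; dmarc=pass header.from=example.com
Message-ID: <20260427100001.42@smtp.example.com>
From: "Jane Doe" <jane.doe@example.com>
To: <cfo@example.com>
Subject: Board deck
"""


def domain_of(field):
    """Lower-cased domain of an address header value, '' if absent."""
    return parseaddr(field or "")[1].rpartition("@")[2].lower()


def parse_received(value):
    """(from_host, from_ip, by_host, timestamp) pulled from one Received: line."""
    flat = " ".join(value.split())  # unfold continuation lines
    from_m = re.search(r"^from\s+(\S+)", flat)
    ip_m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", flat)
    by_m = re.search(r"\bby\s+(\S+)", flat)
    tail = flat.rsplit(";", 1)[1] if ";" in flat else ""
    try:
        ts = parsedate_to_datetime(tail.strip())
    except (TypeError, ValueError):
        ts = None
    return (from_m and from_m.group(1), ip_m and ip_m.group(1),
            by_m and by_m.group(1), ts)


def parse_auth_results(value):
    """(authserv_id, {method: result}) from one Authentication-Results: line."""
    authserv, _, rest = " ".join(value.split()).partition(";")
    return authserv.strip(), dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest))


def triage(raw, trusted_host):
    """Return (red flags, parsed Received hops newest-first) for the message."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    flags = []
    # 1. Return-Path is the envelope sender the receiver recorded (what SPF checks).
    if domain_of(msg.get("Return-Path")) != from_dom:
        flags.append("return-path-mismatch")
    # 2. Received: lines are prepended, so index 0 is the newest hop. Only the hop
    #    written by trusted_host is reliable; the relay-domain test is a heuristic.
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    if not hops or hops[0][2] != trusted_host:
        flags.append("no-trusted-hop")
    elif not (hops[0][0] or "").endswith("." + from_dom):
        flags.append("unrelated-relay")
    # 3. Reply-To steers the conversation away from the purported sender.
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    # 4. Message-ID right-hand side usually names the generating host (weak alone).
    mid_dom = (msg.get("Message-ID") or "").strip("<> ").rpartition("@")[2].lower()
    if mid_dom and mid_dom != from_dom and not mid_dom.endswith("." + from_dom):
        flags.append("message-id-domain-mismatch")
    # 5. Use only the Authentication-Results line stamped by trusted_host; a sender
    #    can include one of its own claiming spf=pass.
    auth = {}
    for v in msg.get_all("Authentication-Results", []):
        authserv, results = parse_auth_results(v)
        if authserv == trusted_host:
            auth.update(results)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            flags.append(f"{method}-{auth.get(method, 'missing')}")
    return flags, hops


if __name__ == "__main__":
    for label, raw in (("fraud", FRAUD), ("legit", LEGIT)):
        print(label, triage(raw, "inbound.example.com")[0])
```

Run it and the fraudulent sample raises all five flags plus the SPF, DKIM and DMARC verdicts, while the control raises none. Note what the script deliberately does not do: it does not re-verify DKIM or SPF itself, because that needs live DNS and a snapshot of the key or record at the time of delivery. In a case, the receiving server's own Authentication-Results: line is the artifact to preserve, together with the full original message file rather than a screenshot.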

Importance of Headers in Real Cases

In practice, someone may provide an email and assert: "This came from that person." Without full technical artifacts, that claim may rest on appearance rather than evidence.

Screenshots and forwarded copies are often insufficient to establish origin, integrity, or path authenticity. Forwarding in particular discards the evidence: the client composes a new message, so the original Received: chain, Return-Path:, and Authentication-Results: are lost unless the original is attached as a file rather than quoted inline.

Evidence Sources in Email Investigations

1) Local Email Clients

Desktop clients can preserve evidentiary data in storage files such as Outlook's PST and OST, including messages, attachments, and in some cases deleted content that has not yet been overwritten.

2) Webmail and Browser Artifacts

If access occurred via browser, history, cache, cookies, and downloads may preserve traces relevant to message access and account activity.

3) Individual Email Files

Properly acquired single message files (for example .eml or .msg) can retain the full headers, body, and attachments, supporting integrity-focused review.

Misunderstanding About Deleted Emails

A common assumption is that deleted email is gone permanently. In many systems, deletion is delayed, soft-deleted (marked but still stored), or governed by a retention policy, and server-side copies may survive a client-side deletion. Recovery windows vary by platform and policy, which is why preservation requests should go out early.

Challenges in Modern Email Examinations

  • Encryption constraints
  • Limited retention windows
  • Ephemeral or expiring message behavior
  • Artifact manipulation risk

These factors make timely preservation and technically disciplined review essential.

Conclusion

What appears in an email interface is only part of the record and often the easiest part to forge. Reliable conclusions come from technical artifacts that can confirm or challenge assumptions about origin, routing, integrity, and authenticity. In litigation, that distinction is critical.