An Empirical Analysis of Email Forensics Tools

Abstract

Emails are the most common service on the Internet for communication and sending documents. Email is used not only from computers but also from many other electronic devices such as tablets; smartphones, etc. Emails can also be used for criminal activities. Email forensic refers to the study of email detail and content as evidence to identify the actual sender and recipient of a message, date/time of transmission, detailed record of email transaction, intent of the sender, etc. Email forensics involves investigation of metadata, keyword, searching, port scanning and generating report based on investigators need. Many tools are available for any investigation that involves email forensics. Investigators should be very careful of not violating user’s privacy. To this end, investigators should run keyword searches to reveal only the relevant emails. Therefore, knowledge of the features of the tool and the search features is necessary for the tool selection. In this research, we experimentally compare the performance of several email forensics tools. Our aim is to help the investigators with the tool selection task. We evaluate the tools in terms of their keyword search, report generation, and other features such as, email format, size of the file accepted, whether they work online or offline, format of the reports, etc. We use Enron email dataset for our experiment.