
Week 11 Email Analysis: Lab 1

Learning Objectives

By the end of this lab, you should be able to:

  • Demonstrate practical competence in using forensic tools and techniques to acquire, preserve and document digital evidence.
  • Analyse and interpret email headers to identify indicators of phishing, spoofing and other malicious activity.
  • Correlate header information with external lookup and geolocation tools to build an evidence-based assessment.

Overview

Email headers contain detailed technical information about the origin, routing and authenticity of an email message.
During this lab, you will investigate a real email you received, extract its header, and examine it both manually and using online forensic tools.

You may complete the work individually or in small groups.


Part 1 - Research Task

1. Anatomy of an Email Header

Research the structure of an email header and write a short summary covering:

  • What an email header is
  • How it differs from the body of an email

Then list the most common header fields that are useful in phishing investigations, such as:

  • From:
  • Return-Path:
  • Received: (all entries)
  • Message-ID:
  • Reply-To:
  • DKIM-Signature:
  • SPF and DMARC results (Authentication-Results:)
  • Content-Type:
  • User-Agent:

Provide a brief explanation of why each field matters during forensic analysis.


Part 2 - Acquire the Email Header

2. Select an Email

Choose a recent email you received (preferably a suspicious or promotional one).

3. Extract the Email Header

Use your email provider to copy the full header.

Examples:

  • Gmail: More → Show original
  • Outlook: File → Properties → Internet Headers
  • Apple Mail: View → Message → All Headers

Paste the full header into your lab document.


Part 3 - Manual Header Analysis

4. Analyse the Header Manually

Manually inspect key fields and answer:

  • Who does the email claim to be from?
  • What is the actual sending server domain/IP?
  • Do the Received: lines show unexpected hops?
  • Is the Return-Path consistent with the sender?
  • Does the Message-ID belong to the correct domain?
  • Are SPF, DKIM or DMARC checks failing?
  • Does the timestamp order look valid?

Highlight any suspicious entries.


Part 4 - Tools-Based Header Analysis

5. Analyse the Header Using MXToolbox

Use the tool:
https://mxtoolbox.com/EmailHeaders.aspx

Tasks:

  • Paste your header into the analyser
  • Record the number of hops
  • Note routing anomalies
  • Compare MXToolbox results with your manual findings

Part 5 - IP Address Investigation

6. Investigate the IP Address

Identify the originating IP from the top-most Received: line.

Use a geolocation tool:

  • https://www.ip2location.com

Tasks:

  • Determine the geographical location of the IP
  • Identify the ISP or hosting provider
  • Assess whether this location aligns with the claimed sender
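The manual checks in Part 3, the hop count recorded in Part 4 and the originating IP that Part 5 starts from can all be scripted against a pasted header. The block below is an added example, not part of the lab handout: it uses only the Python standard library, the header it parses is a constructed sample (example domains, documentation-range IPs, made-up Message-ID), and `analyse`, `domain_of` and `parse_received` are helper names chosen here.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample header for illustration only (documentation-range IPs, example domains).
RAW_HEADER = b"""Return-Path: <bounce@mailer.example.net>
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbound.example.org with ESMTPS; Tue, 07 Apr 2026 12:10:05 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.net with ESMTP; Tue, 07 Apr 2026 12:10:01 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay.example.net with SMTP; Tue, 07 Apr 2026 12:09:58 +0000
Authentication-Results: inbound.example.org; spf=fail smtp.mailfrom=mailer.example.net;
\tdkim=none; dmarc=fail header.from=bank.example.com
From: "Bank Support" <support@bank.example.com>
Reply-To: helpdesk@bank-support.example.net
Message-ID: <20260407120955.ABC123@mailer.example.net>
"""

def domain_of(addr):
    # Works for From/Return-Path/Reply-To and for a Message-ID, which has the same local@host shape.
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def parse_received(value):
    # The client IP is the bracketed address; the timestamp follows the last ';'.
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    return (ip.group(1) if ip else None,
            parsedate_to_datetime(value.rsplit(";", 1)[1].strip()))

def analyse(raw):
    msg = email.message_from_bytes(raw)
    hops = [parse_received(" ".join(v.split())) for v in msg.get_all("Received", [])]
    from_dom = domain_of(msg["From"])
    r = {"from_domain": from_dom, "hop_count": len(hops),
         "return_path_domain": domain_of(msg["Return-Path"]),
         "reply_to_domain": domain_of(msg.get("Reply-To")),
         "message_id_domain": domain_of(msg["Message-ID"]),
         # MTAs prepend Received: lines, so the last one is the hop nearest the origin.
         "origin_ip": hops[-1][0] if hops else None,
         # Read top-down, each hop should be stamped no earlier than the one below it.
         "timestamps_ordered": all(a[1] >= b[1] for a, b in zip(hops, hops[1:])),
         "auth": dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                                 msg.get("Authentication-Results", "")))}
    findings = [f"{k} differs from From domain" for k in
                ("return_path_domain", "reply_to_domain", "message_id_domain") if r[k] and r[k] != from_dom]
    findings += [f"{k} result is {v}" for k, v in r["auth"].items() if v != "pass"]
    if not r["timestamps_ordered"]:
        findings.append("Received: timestamps are out of order")
    r["findings"] = findings
    return r
```

Replace `RAW_HEADER` with the header you pasted in Part 2 (as bytes) and compare `findings` with the entries you highlighted by hand; the `origin_ip` value is the one to look up in Part 5.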

Part 6 - Forensic Tools Research

7. Search for Email Header Analysis / Forensic Tools

Find and list as many tools as possible, including:

  • Online header analysis tools
  • Desktop forensic utilities
  • Open-source tools
  • Security platform analysers

Write a brief note about what each tool does.



Best,

Ali.

Copyright © 2026 • Created by Ali Jaddoa

Page last updated: Tuesday 07 April 2026 @ 12:34:06 | Commit: 5428db7