Identification of Spoofed Emails by applying Email Forensics and Memory Forensics

Abstract

Email forensics is the subdomain of network forensics, and email spoofing is the most common type of email attack. Email spoofing is a process of creating a forged message by manipulating the sender's email address so that it appears to the recipient that the originating email is coming from a genuine sender. Spoofed email attack and its detection is a challenging problem in email forensic investigation. Research in the past has tried to address email detection by different mechanisms. This paper tries to improve and fill some of the research gaps from the base paper of R.P Iyer [11]. In our work, we detect spoofed emails received by the user by applying memory forensic approach. Instead of capturing the complete memory dump, we only capture the browser's live running processes from memory and extract the email header for analysis. This reduces the size of the memory dump and makes detection fast. Also proposed detection algorithm overcomes messageID based detection failures by applying nslookup to fetch MX record to identify the genuine emails. The advantage of memory forensic application for spoofed email detection is that we get guaranteed non-repudiation of the user's digital footprint in physical memory. The results of the performance analysis show that the entire task can be completed in approximately 1 min with high accuracy with minimum false positives. The proposed method detects spoofed emails without disrupting the regular operation of the testing machine.