Is it possible to prove a certain email has been sent using a certain computer?

Experts are experts. What an expert says stands in court as long as:

  • He is an expert.
  • The other party cannot provide another expert, who says that the first expert is wrong, and says it in a more convincingly expertish way.

In practice, an email will be reputed to have been sent from a given PC if the context makes it a lot more plausible than any alternative explanation. Context elements include IP addresses registered on the SMTP server side, the ease (or lack thereof) of assuming that IP address on the client side (WiFi or not WiFi, accessible wires...), the presence or absence of log files on the PC... and, more often than not, whether the purported sender admits to the deed or not.

Take note that perjury is a serious offence, so people tend not to deny sending emails when what is at stake (e.g. a commercial dispute) is "less serious" than the consequences of being caught in the act of lying to the judge. The crucial point is that proving whether an email was really sent by some specific individual is a complex matter both ways: it is hard to convincingly pinpoint the perpetrator, but it is equally hard to make sure that it will never be decisively proven.

This reproduces the security model of handwritten signatures. It is, in fact, not very difficult to imitate the signature of somebody else; it is also quite hard to actually verify whether a signature is proper or not. But handwritten signatures happen in the physical world, with pens and human hands, so they tend to leave traces -- what I call contextual elements. You can repudiate your own signature, but it is risky, because you cannot be sure that nobody saw you, or that you did not leave a fingerprint on the pen, or any other of a million possible incriminating details. And trying to repudiate your own signature is severely punished. Therefore, it is often preferable to recognize the signature as your own and accept the consequences.

In the case of emails, the same mechanism is at work. Though the actual proofs are often flimsy elements (log entries and so on), denying having sent an email that you did send is risky, and feels risky, especially since it involves computers (computers are beyond the "magical horizon" of most people). So most cases involving emails end up producing a few log file entries (which could, indeed, be faked in a great many ways), and the sender crumbling under the steady gaze of the judge.


Basically, almost every method of discovering the sender is considerably unreliable.

Usually, you don't send the email "directly" from your PC. Usually, you use an SMTP server owned by your internet provider or your email service provider. This SMTP server takes care of your email. For instance, if the destination SMTP server is unavailable, it delays delivery until the destination is up again, so you don't need to keep your PC online all the time just to ensure email delivery. An email usually passes through several SMTP servers before it reaches its destination.

First, you should know that there are only a few mandatory email headers. Even the "From" header is just optional. It is only the SMTP server's good will that makes it put its signature in any form (like its IP) into the email, and it is only the SMTP server's good will that keeps the other headers in the email.

How reliably can you find the sender? It depends on the SMTP servers along the email's way and how far you can trust them. And you almost always can't.

You can ask the SMTP admins whether the observed email passed through their server, but I'm sure they won't tell you. You can check the email headers, but you can't fully trust them, since anybody could have changed them.

Some level of certainty could be given by the DKIM signature (if the email is signed). For instance, if the email was sent from gmail.com, then you can check its DKIM signature, and if it is valid, you can be sure it was really sent from Gmail's SMTP servers, and since I believe Google wouldn't send any email with a faked From (you must trust Google about this), you've got the sender, or better, the person who has access to the Gmail account :-).
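As an added illustration of the two points made in this answer (Received: headers can be forged below the hop your own server wrote, and a DKIM signature pins at least the signed body and headers), here is a stdlib-only Python script that is not part of any answer above. It walks the Received: chain of a constructed sample message and marks which hops are vouched for by a server we run (the hostnames, IPs and the set `TRUSTED_MTAS` are assumptions), then parses the DKIM-Signature tags and recomputes the body hash (`bh=`). The `bh=` value in the sample is filled in by the same function so the genuine copy verifies; the public-key check over `b=` needs the selector's DNS record and is deliberately not done here.

```python
"""What do an email's headers actually prove? Two checks a forensic reviewer
can run offline: (1) which Received: hops were written by an MTA we control,
(2) whether the DKIM body hash still matches the body we received.
Stdlib only. Verifying the b= signature needs <selector>._domainkey.<d> from
DNS and is out of scope for this example."""
import base64
import email
import hashlib
import re

# Assumption: the inbound server we administer. Only Received: lines written
# by a host in this set are first-hand evidence; everything below them arrived
# as header text supplied by the previous hop and could have been fabricated.
TRUSTED_MTAS = {"mx.example.org"}

# "from <helo> (<rdns> [<ip>]) ... by <host>" -- the common shape of a Received: line
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.S)


def canonicalize_body(body: str, mode: str = "simple") -> bytes:
    """RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalization."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # relaxed: strip trailing WSP and collapse runs of WSP to one space
        lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    text = "\r\n".join(lines).rstrip("\r\n")  # drop trailing empty lines
    return (text + "\r\n").encode()            # body ends with exactly one CRLF


def body_hash(body: str, mode: str = "simple") -> str:
    """The base64 SHA-256 value a signer places in bh= (a=rsa-sha256)."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()


def parse_dkim_tags(value: str) -> dict:
    """Split a 'k=v; k=v' tag list; folding whitespace inside values is not significant."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def check_dkim(raw: str) -> dict:
    """Report what the DKIM-Signature header claims and whether bh= matches the body."""
    msg = email.message_from_string(raw)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return {"present": False}
    tags = parse_dkim_tags(sig)
    canon = tags.get("c", "simple/simple").split("/")
    body_mode = canon[1] if len(canon) == 2 else "simple"  # c=<header>/<body>, body defaults to simple
    signed = {h.lower() for h in tags.get("h", "").split(":") if h}
    return {
        "present": True,
        "domain": tags.get("d"),
        "selector": tags.get("s"),
        "from_is_signed": "from" in signed,  # RFC 6376 5.4: From: MUST be in h=
        "body_hash_ok": body_hash(msg.get_payload(), body_mode) == tags.get("bh"),
    }


def received_chain(raw: str) -> list:
    """Walk Received: top-down (newest first). A hop is evidence only while the
    'by' host is ours and it continues the chain from the previous hop's 'from'
    (helo name is used for the continuity check; a real tool would also compare
    the bracketed IP)."""
    msg = email.message_from_string(raw)
    hops, chain_ok, prev_from = [], True, None
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            hops.append({"raw": value.strip(), "trusted": False})
            chain_ok = False
            continue
        by = m.group("by").rstrip(";")
        trusted = chain_ok and by in TRUSTED_MTAS and (prev_from is None or by == prev_from)
        hops.append({"from": m.group("helo"), "info": m.group("info"), "by": by, "trusted": trusted})
        chain_ok, prev_from = trusted, m.group("helo")
    return hops


BODY = "Please wire the deposit to the new account.\nThanks,\nAlice\n"


def build_sample(body: str = BODY) -> str:
    """Constructed sample message (not a real email). bh= is always computed over
    BODY, so passing a different body simulates a message altered after signing."""
    return (
        "Received: from mail-out.example.net (mail-out.example.net [203.0.113.5])\n"
        "\tby mx.example.org with ESMTPS id abc123;\n"
        "\tMon, 1 Jan 2024 10:00:05 +0000\n"
        "Received: from [10.0.0.7] (unknown [10.0.0.7])\n"
        "\tby mail-out.example.net with ESMTPSA id xyz789;\n"
        "\tMon, 1 Jan 2024 10:00:01 +0000\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.net;\n"
        "\ts=sel1; h=From:To:Subject:Date; bh=" + body_hash(BODY) + ";\n"
        "\tb=PLACEHOLDER\n"  # assumption: real value would be the RSA signature
        "From: alice@example.net\nTo: bob@example.org\nSubject: Deposit\n"
        "Date: Mon, 1 Jan 2024 10:00:00 +0000\n\n" + body
    )


if __name__ == "__main__":
    genuine = build_sample()
    tampered = build_sample(BODY.replace("new", "OLD"))
    for hop in received_chain(genuine):
        print(hop)
    print("genuine :", check_dkim(genuine))
    print("tampered:", check_dkim(tampered))
```

On the sample, only the first hop (written by mx.example.org) comes out trusted: the claim that the message originated at 10.0.0.7 rests entirely on mail-out.example.net, a server we do not control. The body hash check passes for the genuine copy and fails for the altered one, which is the kind of signed evidence the answer refers to; it still only ties the body and the listed headers to the signing domain, not to a particular PC.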


From a technical point of view it is possible to prove that an e-mail has been sent from a specific mail account, if the original SMTP server enforces such a policy and all intermediate servers authenticate the origin of pass-through messages, e.g. with DKIM (and assuming the servers themselves have not been tampered with).

From a legal point of view you need to convince the judge or jury of your argument that the e-mail under scrutiny is spoofed. Many legal systems require certainty beyond a "reasonable doubt" for a guilty verdict in criminal trials. In civil lawsuits the bar is usually much lower. I won't go into that because this is an InfoSec and not a legal forum.