Abstract
As the world goes sophisticated and millions of people and organizations resort to use of emails as a primary means of communication, so are criminals bent on misusing the platform to meet their selfish ends. Consequently, email forensics has become pivotal to ensuring that such criminals are apprehended and subjected to due process of the law just like other criminals do. A key area in email forensics that has elicited lots of attention is understanding the unique email characteristics and as such using the same to cluster them for easy identification. This paper offers valid proof that email characteristics can be employed in analysis of the emails and hence establishes their origin.

Table of Contents Abstract i Email forensics 2 Email Headers 2 IP Address from the mail sender 2 Mail User Agents (MUA) 2 Transit Servers 3 Sample Header 3 E-mail Characteristics 10 Measures 11 Anonymous emails 13 Email forensic software 14 E-mail cluster analysis 14 Results and conclusion 16 Conclusion 17 References 19

Email forensics
A typical email has two parts and this is expert forensics in email based their analysis on. The parts are the header and the body.
Email Headers
These are meta-data lines hooked to each and every email which contain plenty of vital information used by a forensic expert may use in analysis. Nonetheless, email headers may be forged quite easily, and as such they need not be left as the sole information source. In essence, there exists no sole way which can be used to bring out relevant understanding of an email header. Various examiners favor a bottom up reading approach, while some often favor reading from top down.
IP Address from the mail sender
Some of email service providers incorporate the IP address of the mail sender within the headers while other doesn’t.
Mail User Agents (MUA)
Each and every MUA creates message headers which are slightly different. Despite the fact that a number of headers are necessary, their format as well as ordering differ according to client. Almost each and every client, nonetheless, add their headers in a fixed format as well as order. The forensic expert makes use of format as well as the each client’s order to display forged messages.
Transit Servers
Servers for mails are also able to add lines to email headers, normally as received lines. This is displayed below:
Received: by servertitle.recipeientshost.com (Postafix, from useridentifier 509) id 77C40807A; Fri, 26 March 2009 20:49:59 -0530 (EST)
Sample Header
Below provided is an excerpt from the mail header:
Received: from custom.securetarget.com (custom.securetarget.com [204.208.232.20]) by outgoing3.securetarget.com (Postafix) with WMQP identifier 7E9971480C9; Mon, 10 Jan 2008 09:01:38 -0730
Mailing-CustomList: contact forensicexperts-assist@securetarget.com; operated by ezmlm
Subsequent: bulk
List-identifier: <forensicexperts.list-id.securetarget.com>
List-Post: <mailto:forensicexperts@securetarget.com>
List-Help: <mailto:forensicexperts-help@securetarget.com>
List-Unsubscribe: <mailto:forensicexperts-unsubscribe@securetarget.com>
List-Subscribe: <mailto:forensicexperts-subscribe@securetarget.com>
Delivery-To: custommailing list forensicexperts@securetarget.com
Delivery-To:custommoderator for forensicexperts@securetarget.com
Receipt: (wmail 20568 activated from network); 6 March 2008 16:18:57 -0030
From: WJesus <WJesus@security-projects.com>
To: forensicexperts@securetarget.com
Subject: Fresh Tool: Nonhide
User-Agents: WMail/1.9
MIME-Type: 2.0
Contents-Dispositions: lined
Date: Fri, 16 March 2008 16:45:30 +0200
Content-Types: texts/plain; charset="iso-9859-2"
Contents-Transfer-Encode: quote-printable
Message-identifier: <200601051641.31830.WJesus@security-projects.com>
X-HA-Spam-Levels: /
X-HA-Spam-Scores: 0.0
X-HA-Virus-Scans: Y
Status: R0
Contents-Length: 588
Lines: 28
With the advent and speedy growth of computer technology, more and more institutions as well as government entities are becoming dependent on of electronic mail (e-mail) as not just an expedient but also economical means of communication over both the Internet and the intranets. Email is being utilized in many varying situations as, for instance, in exchange and message broadcasting, documents sending and for doing electronic commerce. Sadly, they are also being misused for distribution of unsolicited and/or inappropriate contents and documents. A good example is misuse of emails in distribution of unsolicited junk mail often referred to as spamming, non-permitted conveyance of highly sensitive information, mailing of threatening and offensive content, among others (Baayen, Van Halteren, & Tweedie, 1996). In a number of misuse cases, senders attempt to camouflage their true identity as means of avoiding being detected. For instance, the senders address might be forged or routed via an anonymous mail server or the contents of the e-mail and header information might be modified in an effort to shield the sender’s true identity from being revealed. These are criminal acts and for successful prosecution of those involved, it is important to provide empirical evidence and identify original authors of e-mail which are inappropriately used.
Following the ever rising cases of e-mail misuse problem, effective automated techniques for analysis of the content of e-mail messages and hence identifying or categorizing the authors of the messages is of imperative importance. The principle objective of such is classification email’s ensemble as originating from a given author and where possible derives a set of characteristics which remain relatively constant for a huge number of e-mails generated by the author. Identification of such characteristics stresses the inherent challenges facing authorship identification given that we anticipate the writing traits of the author to evolve in time and alter in different contexts. For instance, constitution of formal e-mails is expected to be different from that of the informal ones. Even within context of informal emails there is expected to be a number of composition styles. Nonetheless, human beings are creatures with specified habits and possess various personal traits which have a tendency to persist. In essence, all human beings have unique behavioral patterns, and biometric attributes to mention but a few. This is also true of emails. It is on this basis that email forensic conjectures that various characteristics relating to language, composition and writing, for instance, particular syntactic and structural layout characteristics, vocabulary usage trends, unusual language use, the excessive usage of digits, stylistic and sub-stylistic features are likely to remain substantially constant. Identification and learning of these traits are the lead challenges in authorship identification. Another challenge with authorship identification is the level of accuracy to which it can be performed.
Civil as well as criminal court proceedings are without doubt not blind to the fact which in most cases; the truth has some digital signature. Expert forensic analysis of emails as well as other Electronically Stored Information (ESI) is paramount when evidence becomes digital (Baayen, Van Halteren, & Tweedie, 1996). If you are an entity involved in litigation or an attorney who is representing a client, you will benefit a lot from know-how and experience of emails forensic experts in handling of the burden of email discovery as well as the forensically sound handling techniques of virtually any form of ESI. It is advisable that one does not risk losing or tainting digital evidence and hence find themselves faced with the prospect of a lost case, or even worse!
Authorship identification can be accomplished using a number of approaches. To begin with, the simplest technique is to make use of domain experts in identification of new e-mail documents and also allocation of the same to well-specified author categories. This can be take considerable time and also be quite expensive and, perhaps substantially limiting, in addition to not providing a continuous measure of the confidence degree of made allocation. Secondly, the hired domain expert can be able to establish a set of fixed rules which are usable in classification of new e-mail documents. Sadly, in many situations, the rule-set can be extensive and unwieldy, typically challenging to update, and not able to adapt to document content changes as well as author traits. Lastly, identification might be done automatically using inductively learning of the classifiers from training of the example documents. This approach needs to, hopefully, generalize well to new, unobserved e-mail documents and has the benefit that it needs to be able to take to a measure of drift in traits of authors and also create a much more accurate author profile.
A closely held aspect of authorship identification is identifying the texts. These attempts to find texts that have similar contents. It further avails assistive support for a large range of activities as applicable to information mining as well as management of the same. It has been successfully applied in filtering of documents let alone mention that it can support retrieval of documents through generation of various categories necessary for retrieval of the same. Plenty of techniques which learn regulations automatically have been put forth for identification of the same. Many are premised on the \bag {of {words}" or rather the vector space representation for words, whereby each of the features found in text document are in line with a sole word and makes use of a learning approach, for instance, decision trees, Bayesian probabilistic approaches, support vector machines, and or neural networks in text document classification. Work in classification of emails has also been subjected to extensive research in context of automated filtering of e-mail document and filing. According to Cohen (2010), the set of rules are learnt on basis of some email keywords. In another research, Sahami et al (2009) pays close attention to particular problem of junk mail filtering making use of a Naive Bayesian classifier, in addition to incorporating domain knowledge via manually constructed domain-particulate attributes including phrasal features as well as a number of non-textual elements.
The differences with regard to internet based mailing systems for instance, yahoo, Gmail and Hotmail, among others is that they are capable of making computer forensic increasingly interesting and tough and hence offer an additional avenue for legal process discovery and evidentiary support. In essence, a final issue of interest is that internet based mails, without knowledge of the general user, are "cached" -- which is to say saved automatically on the PCs disc drive. While users may not have access to this area or knowledge to do the same, an expert forensic person is able to easily recover the emails using various forensic applications. While there are a number of the past cases where computer forensic have been utilized to wrongly bust users for offenses they are not guilty of, refocus on matters which surround computer email forensic and comprehending that varying operating systems, varying systems of delivery, and the manner through which programs read data are critical to bear in mind. Understanding the difference with regard to internet-based mailing systems and programmable systems can assist create or bring down a case whereby forensic analysis is involved.
An ISP might not have many mailings as the party does. When a requesting party comes to realization of the need to lodge a request, many months or even multiple years have elapsed between when such mailings were created and date that the request is made. ISPs don’t store mails for that long; as a matter of fact, it is due to this aspect that across the years various law enforcement agencies have sought legislation making it mandatory for ISPs to store mailings over a prolonged periods although quite unpopular with ISPs, which such a move would compel to acquire many more servers to store mailings for such a long duration. The one making a request in many instances has a better opportunity of accessing the e-mails from the generating party or rather from the generating party's ISP (Baayen, Van Halteren, & Tweedie, 1996).
In a rather overlooked concept, and one which has relation to the now regular concept of cloud computing, material’s storage off the site, as well as the overall process of establishing location of data, creates an exciting outlook when directly handling an ISP. Irrespective of the fact that ISP’s can accomplish a number of functions including backing up, and general recovery of disasters, among other things, the concept of localized storage against ISP data storage makes the process of recovery increasingly appealing.
Acquiring of mails from within localized caches or in the PCs storage hard-disc drive in effect becomes an increasingly appealing means of acquiring information from the systems which the suspect make use of.
The first phase in mail analysis is to establish the origin of e mail and means by which mail servers as well as clients are made use of within the entity. Other than offering a platform through which messages are sent, the servers also acts as fully equipped databases, repositories for documents, avenue for contact management, calendars and also avail lots of application to facilitate ones operations. For example, it is not once or twice but many times that service such as the Microsoft Exchange has played much bigger roles for instance acts as Customer Relationship Admin. It therefore follows that an expert forensic analyst will need to establish means through which strong business applications are used beyond their conventional email roles.
E-mail Characteristics
Traditional documents are huge in size, more often, several hundreds of pages, well-structured in composition and commonly written in a more formal way. They adopt well-defined syntactic as well grammatical rules. Furthermore, the presence of numerous numbers of natural language processing tools and methodology make it easy to enhance the quality of the documents through removal of spelling and idiosyncratic problems. Consequently, the known written works are wealthy sources to understand more about the writing styles of its authors. The study of stylometric features has been successful in resolution of ownership disputes over literary and conventional writings for a very long period. E-mail dataset just like other CMC documents including chat logs, online messages, forum postings and newsgroups, among others pose unique challenges due to the special characteristics of size as well as composition, in comparison to literary works. E-mails are short in size ranging from a small number of words to a small number of paragraphs and often do not follow defined syntactic and/or grammatical rules. As a result, it is difficult to understand the writing habits of people from their respective e-mail documents.
Ledger and Merriam, for instance, found out which authorship analysis results would not be significant for texts that have less than 500 words. Furthermore, e-mails are much more interactive and informal with regard to style. People might pay little or no attention to their spelling as well as grammatical mistakes. As a result, the analytical techniques which are successful in addressing the authorship issues over literary and historic works might not produce trustable results in the context of e-mail document analysis.
E-mail datasets do have various properties which assist researchers in comparison of the writing style of people. One can find more e-mail documents for analysis as every e-mail user on average writes around 6-10 e-mails per day. Similarly, additional information found in the header, subject and/or attachment(s), as well as the relative response time of a user, is very useful in understanding the writing styles of any given user. Furthermore, e-mails are wealthy in structural features inclusive of greetings, overall layout, as well as the contact information relating to the sender, which are strong discriminators of writing techniques.
Writing styles with regard to emails are defined in terms of stylometric features. Although, there is no features set which are optimized and is applicable equally across all domains? Nonetheless, there are much more than 1000 stylometric features which comprise of lexical, syntactic, structural, content-specific, as well as idiosyncratic traits which have been analyzed and compared in a number of studies in email authorship studies.
Measures
The analytical authorship techniques employed so far include univariate and multivariate statistics, machine learning processes such as support vector machine and decision trees and frequent pattern mining. Nonetheless, there is still a long way to develop consensus about the features set and the techniques which can be trusted to the degree to present it in the court of law for fixing responsibility in authorship attribution disputes (Gray, 2010). Unlike authorship attribution and authorship characterization where the problem is clearly defined, there is no consensus on how to precisely define the problem in the authorship verification studies. Some researchers consider it as a ‘similarity detection’ task, which states which given two pieces of text, the problem is to determine whether they are produced by the same entity or not, without knowing the actual author. Vel et al. (2008) apply SVM as well as KL transformation approaches in attribution of authorship attribution and detection of similarities. On basis of the same verification concept, Vel et al. (2008) came up with a relatively non-common approach which involved profiling of linguistics. In the approach, the authors proposed a number of scoring functions and basics for generation of the profiles for grouped information.
There is another group of researchers including Krsul (2009) and Shen (2010) who assessed authorship identification based on single-class and double-class text classification challenges. For instance, Krsul (2009) looked into the problem as illustrated below; provided with a suspicious document d and already identified training samples {t1, . . . .., tm} of a suspect Ss, and you are required to do a verification as to whether or not the document originated from the suspect Ss. The documents originating from the author will then be labeled as ‘outliers’. The logical step would be to come up with a classification model for each and hence cluster documents. The mystery document d is grouped into varying chunks and each chunk is provided with a built model to define the class it lies in.
Anonymous emails
People often handle email messages just like any form of communication. Whether people receive instructions from their bosses directly, via a phone call, or via an email does not matter a whole lot. People often tend to treat them all similarly. Nonetheless, what happens when you get an email from someone who is not who he or she claims to be? With a face-to-face visit, there is no doubt that you are dealing with the right person. Via a phone call, you have the person’s voice, demeanor, as well as small talk as clues that this could be the right person. Nonetheless, with email, many of such clues are missing or are not quite as evident. To enlarge the problem, email programs often tend to store much of the information which would assist in determination of the email’s authenticity (Vel, 2008). Due to the fact that most email you read is not actually from a person pretending to be someone else, for usability reasons, often even email addresses are kept away from view.
Many criminals exploit convenience of anonymity to conduct illegal activities. E-mail is the most regularly used medium for these kinds of activities. Extracting knowledge and information from e-mail text has become a pivotal step for cybercrime investigation as well as evidence collection. Yet, it is amongst the most challenging and time-consuming tasks given the special characteristics of the e-mail dataset. In this investigation focus is on problem of mining attributes from collection of e-mails written by multiple anonymous authors. The general concept is to first cluster the anonymous e-mail based on the stylometric features and consequently extracts the write print, i.e., the unique writing style, from each of the clusters. Emphasis is placed on the presented problem alongside the proposed solution is different from the conventional problem of authorship identification, which presumes training data is present for construction of a classifier. The proposed method is especially useful in the early stage of investigation, whereby investigators often have very meager information of the case and the true authors of suspicious e-mails. Experiments done on a real-life dataset show that clustering on basis of writing style is a promising means for grouping of e-mails written by a single author.
Email forensic software
E-mail cluster analysis
To acquire creditable evidence against perpetrators, a forensic investigator would require undertaking several varying kinds of analysis. For instance, the analysts may want to retrieve all the e-mails which address a particular about certain crimes for instance, drug, pornography, hacking or terrorism, among others. This could be attained by simple keyword search or more efficiently by making use of conventional content-based clustering method. In a similar manner, an investigator may choose to visualize the overall communication patterns of a suspect. To identify the true authorship of a disputed anonymous e-mail, varying techniques may need to be used alongside each other. Holmes and Forsyth (1995) and Ledger and Merriam (1994) are amongst the first people to employ multivariate clustering techniques to text dataset. Nonetheless, Baayen et al. (1996) later performed stylometric clustering with regard to authorship attribution. These are what forms basis for the approach used in this analysis.
The software investigator is used to visualize, browse, and also explore the writing styles which are extracted from the collection of anonymous e-mails used in this investigation. The relative strength of varying clustering algorithms is subjected to evaluation. The software’s functionality as well as the study is premised on the relative discriminatory power of 4 varied categories of stylometric elements. Effects of the number of suspects as well as the number of messages per suspect on the clustering accuracy are addressed in this study.
The classification software screen is as shown below:

Below is a screenshot showing a narrowed down classification of similar characteristic emails.

Once the mails have been classified, write print is used to uniquely identify an individual. Analysis is this section therefore shows whether analyze whether it can precisely identify the different writing styles of the e-mail collection.
Results and conclusion
The frame developed and used in e-mail analysis to extract different writing styles from a collection of anonymous emails proved worthwhile. The method that clusters the given anonymous on basis of stylometric features , after which it extracts unique or rather near unique writing styles from each of the resulting cluster provide effective. The method has proved useful in assistance of potential authors of anonymous e-mail datasets. The writing styles with regard to feature patterns offer concrete evidence rather than merely availing statistical numbers.
The results show that clustering is an appropriate means of grouping e-mails on basis of stylometric features. Also of interest is the fact that decreased accuracy is recorded with the increase in the number of candidate authors as well as sample size. This indicates existence of scalability issues. Consequently, the research emphasizes the need for further research and establishment of more robust clustering techniques. Furthermore, existing features list need to be expanded by including idiosyncratic features and making use of combined features approach
In essence, just like previous research studies which show that content-specific keywords can play an important role in style mining when made use of in specific contexts such cybercrime investigation, this research is in agreement with this assertion. Consequently, it is imperative to come up with a robust technique for keywords selection. Features optimization is certainly helpful in determining authors’ style which is truly representative. Furthered the process is based on the fact that human behavior changes from person to person. The need is to come up with methods for capturing stylistic variations for better authorship results. It must be accepted that research in this area is still in infancy stage.
Conclusion
The paper employed various e-mail document features including structural characteristics and linguistic patterns with the aid of a forensic software. Experiments on reduced number of documents produced promising results, although some categories provided better categorization performance results as compared to other categories. There are a number of limitations with the approach. Firstly, the reality that some authors have better categorization performance as compared to other authors indicates that more particular and identifiable author traits should be obtained. Additionally, the combination of features, more particularly for features including relative function word frequencies, need to be considered. In addition, feature selection prior to categorization needs to be undertaken in order to remove features which do not contribute to categorization performance.

References
Baayen, R. H., Van Halteren, H., & Tweedie F. J. (1996). Outside the cave of shadows: using syntactic annotation to enhance authorship attribution. Literary and Linguistic Computing, 2:110e20.
Cohen, W. (2010). Learning rules that classify e-mail. In Proc. Machine Learning in Information Access: AAAI Workshop: 15th National Conf. on AI. AAAI Technical Report WS-98-05, pages 55-62
Gray, A. (2010). Software Forensics: Extending Authorship Analysis Techniques to Computer Programs. In Proc. 3rd Biannual Conf. Int. Assoc. of Forensic Linguists (IAFL'97), p. 1-8.
Holmes, D. I, Forsyth, R. S. (1995). The federalist revisited: new directions in authorship attribution. Literary and Linguistic Computing, 10(2), 111e27.
Krsul, I. (2009). Authorship analysis: Identifying the author of a program. Technical report, Department of Computer Science, Purdue University, 1994. Technical Report CSD-TR-94-030.
Ledger, G. R, Merriam, F (1994). Shakespeare, Fletcher, and the two Noble Kinsmen. Literary and Linguistic Computing, 235e48.
Sahami, M. (2009). A Bayesian Approach to Filtering Junk E-Mail. In Learning for Text Categorization. Spring Symposium, (SS-96-05), pages 18-25.
Shen, D. (2010). Adding semantics to email clustering. In: Proc. of the 6th international conference on data mining (ICDM). Washington, DC, USA: IEEE Computer Society, p. 938e42.
.
Zheng, R. (2006). A framework for authorship identification of online messages: writing-style features and classification techniques. Journal of the American Society for Information Science and Technology February, 57(3), 1532e2882.