Email Forensics: Headers, Authentication, and Phishing

This mock covers email forensics — header analysis, sender authentication (SPF, DKIM, DMARC), spoofing techniques and how to detect them, phishing investigation, business email compromise (BEC), and the legal framework for email-based offences in India. Thirty questions test what every header field means and how to read it, how SPF / DKIM / DMARC verdicts appear in Authentication-Results, the difference between display-name spoofing and full envelope forgery, how to trace a phishing campaign back to its kit and infrastructure, attachment forensics (MIME, Base64, hash matching to MITRE ATT&CK and VirusTotal), and the prosecution handles under IT Act Sections 66C, 66D and BNS Section 318.

It is pitched at BSc and first-year MSc cyber forensics students, FACT and UGC-NET aspirants, and incident-response analysts at Indian SOCs and CERT-In-affiliated teams. Email is the single largest entry vector for cyber-crime complaints registered on the National Cyber Crime Reporting Portal; every cyber-crime cell sees dozens of email cases per week, which makes mastering this area one of the highest-leverage investments for any cyber forensics student.

Topics covered:

• Email header anatomy: Received, Message-ID, Return-Path, Reply-To, From, Date, X-Originating-IP
• SMTP / IMAP / POP3 — what each protocol does, the standard ports, and what trace each leaves
• SPF (RFC 7208), DKIM (RFC 6376), DMARC (RFC 7489), ARC (RFC 8617), BIMI
• Header spoofing vs envelope spoofing; how From and Return-Path can disagree
• Display-name attacks, IDN homograph attacks vs ASCII typosquats, lookalike-domain detection
• Phishing kit fingerprinting and OSINT pivots from a phishing URL (WHOIS, DNS, ASN, crt.sh)
• Attachment forensics: MIME structure, Base64, hash-to-malware-family lookup
• Email storage formats: EML, MSG, PST, OST, MBOX — what each is and how to parse
• Indian legal handle: IT Act Sections 66C (identity theft), 66D (cheating by personation), BNS Section 318
• Operational response: 1930 helpline, cybercrime.gov.in, the CFCFRMS golden-hour fund-hold mechanism

Each question carries a detailed explanation citing the relevant RFC verbatim, NIST SP 800-86 for incident-response procedure, MITRE ATT&CK for technique mappings, the IT Act for the Indian legal handle, and Microsoft / Google admin documentation for header behaviour. Allow 30 minutes; the explanations are long enough to use as study notes by themselves.