What is the Extended Email Header?

The extended email header is a hidden part of an email which isn’t routinely displayed. Every email has an extended header and careful analysis of the extended header can provide valuable information for an investigator.

No two email headers will be identical. However, typical information contained within the extended header would include:

  • Details about the sender of the message
  • Details about where the message was sent
  • Times and dates the message was sent
  • Unique identifiers for each specific email

It is important to note that the information contained within the extended header may have been manipulated by the sender.

Where do I find the Extended Email Header?

The video below shows how to locate the extended email headers when using any Microsoft Outlook email client.

Example Header

In this trainer led exercise we will go through the process of examining an extended email header.

What additional information is hidden in the header?

Practical Exercise A

How much information can you find contained within this header when under time pressure?

What additional lines of enquiry can be carried out as a result of your research?

Practical Exercise B

Continuing from the previous exercise, the incident has progressed when another email is received.

What fast track actions would you undertake after examining this extended email header?

Sudden Death Header

When directed, use what you have learned and analyse the extended email header which you've been sent.

Don't forget to update your report with your findings.

How do I analyse the Extended Email Header?

The number one rule that we follow when analysing an extended email header is that we start from the bottom and work our way to the top.

We do this because the bottom of the header contains the details of the sender - as you move up towards the top, you are following the email on its journey through the internet, passing through the routers and switches, until it arrives at its destination - at the top.

The key to making sense of the extended header is to break the information down into sections:

  1. Identify all email addresses - highlight them in one colour
  2. Identify all IP addresses - highlight them in another colour
  3. Highlight any other important information you see (that will come with practice) - highlight it in yet another colour

Once you have highlighted the above information, review what you have highlighted, resolve any IP addresses and determine whether this leads to any additional lines of enquiry.
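The three steps above, worked through in Python as an added example (this script is not part of the course material): it walks the Received lines from the bottom up, pulls out the email and IP addresses, and records for each hop which mail server added the line, so you can tell which hops are vouched for by servers you control and which could have been written by the sender. The sample header, the hostnames and IP addresses in it (taken from the RFC 5737 documentation ranges), the trusted_servers set and all function names are constructed for this illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample extended header (not a real message). IPs are from the
# RFC 5737 documentation ranges and hosts use reserved example domains.
# The bottom Received line is the sender's hop; the top one is final delivery.
SAMPLE_HEADER = """\
Received: from mx2.example.org (mx2.example.org [198.51.100.20])
\tby mailstore.example.org with ESMTP id XYZ789
\tfor <investigator@example.org>; Tue, 05 Mar 2024 10:02:11 +0000
Received: from relay.example.net (relay.example.net [203.0.113.7])
\tby mx2.example.org with ESMTPS id ABC123
\tfor <investigator@example.org>; Tue, 05 Mar 2024 10:02:09 +0000
Received: from [10.0.0.5] (unknown [192.0.2.44])
\tby relay.example.net with ESMTPA id DEF456;
\tTue, 05 Mar 2024 10:02:05 +0000
Message-ID: <20240305100205.4321@relay.example.net>
From: "Accounts" <accounts@example.net>
Reply-To: claims@example.com
To: investigator@example.org
Subject: Invoice overdue
Date: Tue, 05 Mar 2024 10:02:00 +0000

(body omitted)
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Shape of a Received line: "from <helo-name> (<reverse-dns> [<ip>]) ... by <server>"
RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)")
# RFC 1918 and loopback ranges: resolving these tells you nothing about an outside party.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal_ip(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def extract_emails(raw_header):
    """Step 1: every email address (the Message-ID matches too; keep it, it is a lead)."""
    return sorted(set(EMAIL_RE.findall(raw_header)))


def extract_ips(raw_header):
    """Step 2: every IPv4 address, ready to be resolved."""
    return sorted(set(IPV4_RE.findall(raw_header)))


def received_chain(raw_header, trusted_servers):
    """Hops in bottom-up order (sender first), as the exercise directs.

    claimed_from is what the connecting host announced (sender-controlled);
    observed_ip is what the receiving server actually saw. A line is only
    verifiable if it was added ('by') by a server you trust; every line
    beneath the first untrusted one could have been written by the sender.
    """
    trusted = {s.lower() for s in trusted_servers}
    hops, verifiable = [], True
    for line in message_from_string(raw_header).get_all("Received") or []:
        text = " ".join(line.split())  # unfold continuation lines
        m = RECEIVED_RE.search(text)
        if not m:
            continue
        claimed, paren, by = m.group(1).strip("[]"), m.group(2) or "", m.group(3)
        rdns = paren.split()[0] if paren else ""
        observed = IPV4_RE.findall(paren)
        verifiable = verifiable and by.lower() in trusted  # once False, stays False
        hops.append({
            "claimed_from": claimed, "rdns": rdns, "by": by,
            "observed_ip": observed[0] if observed else None,
            "date": text.rsplit(";", 1)[1].strip() if ";" in text else "",
            "helo_mismatch": claimed.lower() != rdns.lower(),
            "verifiable": verifiable,
        })
    hops.reverse()  # header order is top-first; the analysis runs bottom-up
    return hops


def analyse(raw_header, trusted_servers):
    """Steps 1-3 in one pass, plus two checks that often open new lines of enquiry."""
    msg = message_from_string(raw_header)
    hops = received_chain(raw_header, trusted_servers)
    ips = extract_ips(raw_header)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    return {
        "emails": extract_emails(raw_header),
        "ips": ips,
        "internal_ips": [ip for ip in ips if is_internal_ip(ip)],
        "hops": hops,
        # The earliest hop's observed IP is the best candidate for where the mail came from.
        "origin_ip": hops[0]["observed_ip"] if hops else None,
        "origin_verifiable": hops[0]["verifiable"] if hops else False,
        # Replies routed to a different domain than the claimed sender is a common flag.
        "reply_to_differs": bool(reply_dom) and reply_dom != from_dom,
    }


# Usage: analyse(SAMPLE_HEADER, {"mailstore.example.org", "mx2.example.org"})
```

On the sample, the bottom hop reads "from [10.0.0.5] (unknown [192.0.2.44]) by relay.example.net": 10.0.0.5 is only what the sending machine announced, and it is an internal address that cannot be resolved, whereas 192.0.2.44 is the address relay.example.net actually saw, so that is the one to resolve. Because relay.example.net is not one of your own servers, that whole line is unverifiable; only the two lines above it, added by mx2.example.org and mailstore.example.org, are vouched for. The Reply-To pointing at a different domain from the From address is exactly the kind of detail step 3 asks you to highlight.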

In addition to manually going through this process, you may also wish to consider using this extended email header analysis tool developed by Google.