Enhancing Email Forensics: A DKIM archiving and re-verification tool for long-term Signature validation

Marco Vitale

Supervisors: Andrea Atzeni, Paolo Dal Checco. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2024

License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract:

Since the introduction of email, its adoption has grown significantly, and it has become a fundamental means of communication, whether for connecting with work partners or long-distance friends, or for receiving sensitive information and updates related to our online accounts. However, the same growth has affected less desirable activities, particularly cybercrime, and email is now a target for various types of attack. To protect and secure users' inboxes, email authentication protocols such as DKIM are used alongside antispam software to discriminate between dangerous and harmless emails. During the investigation of cyber-related crimes, it is often crucial to establish the existence and correctness of potential evidence, which may be used as proof in legal proceedings. DKIM, as a protocol that aims to guarantee the authentication of the sender's domain and the integrity of the email itself, is always checked by email forensics experts during such investigations. A primary drawback of the protocol, however, is the difficulty of re-verifying the DKIM signatures of emails received in the past: the lightweight environment it requires, which uses only DNS records rather than a PKI, does not protect or preserve the material needed for verification in any way. This thesis aimed to create a complementary tool for the protocol, which was originally designed for immediate use only. By creating an archive of DKIM records, updated daily through the monitoring of an email inbox and a DNS query system, and verifiable over time thanks to timestamping, the tool is able to re-verify older signatures. To further support the archive's growth, a DKIM record discovery feature was added, as discovery is not a trivial process.

Supervisors: Andrea Atzeni, Paolo Dal Checco
Academic year: 2024/25
Publication type: Electronic
Number of pages: 92
Subjects:
Degree programme: Master's degree programme in Ingegneria Informatica (Computer Engineering)
Degree class: New system > Master's degree > LM-32 - INGEGNERIA INFORMATICA
Collaborating companies: Politecnico di Torino
URI: http://webthesis.biblio.polito.it/id/eprint/33143