312-49 Question #451: Real Exam Question with Answer & Explanation
The correct answer is C: The E-mail Header.
Question
You have been asked to investigate after a user has reported a threatening e-mail they have received from an external source. Which of the following are you most interested in when trying to trace the source of the message?
Options
- A. The X509 Address
- B. The SMTP reply Address
- C. The E-mail Header
- D. The Host Domain Name
Explanation
The email header is the most valuable artifact for tracing the origin of an email. It contains a chain of 'Received:' fields showing every mail server the message passed through, along with originating IP addresses and timestamps. Investigators can trace the path backwards through the relay chain to find the true sending IP address. The SMTP reply address (Reply-To) can be forged and is unreliable. There is no standard field called 'X509 Address' in email forensics (X.509 is a certificate standard). The host domain name alone is insufficient without the full header chain. Tools like MXToolbox or manual header parsing are used to extract forensic data from email headers.
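The backward walk through the Received: chain described above, as an added example that is not part of the original question page. The raw header block is constructed (documentation hosts and addresses, not a real message), the TRUSTED_HOSTS set is an assumption standing in for the mail servers the investigator actually controls, and the example goes one step beyond the explanation: only Received: lines stamped by those servers are reliable, because every hop below the first untrusted relay could have been written by the sender.

```python
import re
from email import message_from_string

# Constructed sample headers (not a real message): newest Received: line on top,
# folded continuation lines as a real MTA would write them.
RAW_MESSAGE = """\
Received: from mx.example.org (mx.example.org [203.0.113.10])
        by mail.example.org (Postfix) with ESMTPS id 4F1C2
        for <victim@example.org>; Mon, 01 Jan 2024 10:00:05 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
        by mx.example.org (Postfix) with ESMTP id 9A7B3;
        Mon, 01 Jan 2024 10:00:03 +0000
Received: from laptop.localdomain (unknown [192.0.2.55])
        by relay.isp.example (Postfix) with ESMTPSA id 2C44D;
        Mon, 01 Jan 2024 10:00:01 +0000
From: "Someone" <sender@example.net>
Reply-To: someone-else@example.com
Subject: threatening message

body
"""

# Assumption: the servers the investigating organisation operates itself.
TRUSTED_HOSTS = {"mail.example.org", "mx.example.org"}

# One hop: "from <host> (... [ip]) by <host>"; re.S lets it span folded lines.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\[(?P<ip>[0-9.]+)\].*?\bby\s+(?P<by>\S+)", re.S)

def parse_hops(raw):
    """Return the Received: hops newest-first, each as {from, ip, by}."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append(m.groupdict())
    return hops

def trace_path(raw):
    """The claimed delivery path oldest-first, i.e. the chain read backwards."""
    return list(reversed(parse_hops(raw)))

def reliable_origin_ip(raw, trusted):
    """Walk downward from the newest hop while the receiving ('by') host is
    trusted; the 'from' IP of the last trusted hop is the earliest address
    the investigator can vouch for. Hops below it are unverifiable."""
    origin = None
    for hop in parse_hops(raw):
        if hop["by"] not in trusted:
            break
        origin = hop["ip"]
    return origin
```

The claimed originator is 192.0.2.55, but that line was written by relay.isp.example, which is outside the investigator's control; the first address a trusted server saw is 198.51.100.7, and confirming anything earlier requires the relay operator's own logs.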