Rokhmatun Nazila
Unknown Affiliation

Forensic Analysis of Email Spoofing Using the National Institute of Justice (NIJ) Method
Rokhmatun Nazila; Fahmi Fachri
Jurnal ilmiah Sistem Informasi dan Ilmu Komputer, Vol. 5 No. 2 (2025): July
Publisher: Lembaga Pengembangan Kinerja Dosen

DOI: 10.55606/juisik.v5i2.1452

Abstract

Email spoofing is a common form of cybercrime that exploits weaknesses in email protocols to deceive recipients by forging the sender's identity. The attack is a serious threat because it can be used for fraud, data theft, and the spread of malware. This study analyzes email spoofing cases with a digital forensic approach using the National Institute of Justice (NIJ) methodology, which comprises five stages: identification, collection, examination, analysis, and reporting. The main problem studied is the difficulty of detecting fake emails on internal networks that have not implemented modern email authentication mechanisms such as the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC). The research method was qualitative and experimental, using controlled simulation. The tools used in the experiment include Postfix, SWAKS, tcpdump, and Mozilla Thunderbird. In the simulations, fake billing emails were sent from fake addresses (e.g. finance@bankxyz.com) through an open SMTP service to see how far spoofing could go without being detected. During this process, email traffic was recorded, and digital artifacts such as .eml files, .pcap packet captures, SMTP logs, and PDF attachments were collected for further analysis. The forensic analysis showed inconsistencies in the email headers, especially in the Return-Path, From, and Received fields, which were the main indicators of spoofing activity. The study shows that email spoofing is very likely to occur on unprotected systems, so strengthening email server configuration and implementing authentication are important steps. In addition, the NIJ method proved effective in providing a systematic and valid structure for forensic investigation, and it can serve as a reference for handling email-based cybercrime cases in the future.