E-mail forensics: tracing and mapping digital evidence from IP address

Date
2010
Authors
Ho, Wan Chung Cary
Supervisor
Cusack, Brian
Item type
Thesis
Degree name
Master of Forensic Information Technology
Publisher
Auckland University of Technology
Abstract

The purpose of the thesis is to search for a suitable traceback method for use in email forensics when the source IP address is spoofed. To provide a simple and fast traceback method in email forensics, the hop count distance method is proposed in the thesis. This method has a simple architecture with only three operation blocks: packet signature identification, default hop count estimation and validation, and hop count distance calculation. Since the hop count distance method depends only on the Time-To-Live field of the packet to calculate the hop count distance, it is totally independent of the source IP address. Also, from capturing the attacking packet to calculating the hop count distance between the source and destination, the traceback process takes less than a minute.

Keywords
Email forensic, IP traceback