E-Mail and Webmail Forensics
Transcript of a lecture slide deck on e-mail and webmail forensics (uploaded to fdocuments.net by uriel-mann)
Objectives
Understand the flow of electronic mail across a network
Explain the difference between resident e-mail client programs and webmail
Identify the components of e-mail headers
Understand the flow of instant messaging across the network
Introduction
E-mail has transcended social boundaries and moved from a convenient way to communicate to a corporate requirement. In many cases, unintentional (and often incriminating) documentation of people's activities and attitudes can be recovered through computer forensics of e-mail.
Investigating E-mail Crimes and Violations
Similar to other types of investigations. Goals:
Find who is behind the crime
Collect the evidence
Present your findings
Build a case
Investigating E-mail Crimes and Violations (continued)
Becoming commonplace. Examples of crimes involving e-mail:
Narcotics trafficking
Extortion
Sexual harassment
Child abductions and pornography
In Practice: E-Mail in Senate Investigations of Finance Companies
Financial institutions helped Enron manipulate its numbers and mislead investors
E-mail proved that banks such as JPMorgan Chase knew very well how Enron was hiding its debt
Importance of E-Mail as Evidence
E-mail can be pivotal evidence in a case
Due to its informal nature, it does not always represent corporate policy
Many other cases provide examples of the use of e-mail as evidence:
Knox v. State of Indiana
Harley v. McCoach
Nardinelli et al. v. Chevron
Working with E-Mail
Can be used by prosecutors or defense parties
Two standard methods to send and receive e-mail:
Client/server applications
Webmail
Working with E-Mail (Cont.)
E-mail data flow:
User has a client program such as Outlook or Eudora
Client program is configured to work with one or more servers
E-mails sent by the client also remain on the PC (typically in the client's Sent folder)
A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers
Working with E-Mail (Cont.)
Sending e-mail:
User creates e-mail on her client
User issues send command
Client moves e-mail to Outbox
Server acknowledges client and authenticates e-mail account
Client sends e-mail to the server
Server sends e-mail to destination e-mail server
If the client cannot connect with the server, it keeps trying
Working with E-Mail (Cont.)
Receiving e-mail:
User opens client and logs on
User issues receive command
Client contacts server
Server acknowledges, authenticates, and contacts the mailbox for the account
Mail downloaded to local computer
Messages placed in Inbox to be read
POP deletes messages from the server after download (unless the client is configured to leave a copy on the server); IMAP retains the copy on the server
Working with E-Mail (Cont.)
Working with resident e-mail files:
Users are able to work offline with e-mail
E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized
Begin by identifying e-mail clients on the system
You can also search by file extensions of common e-mail clients
Working with E-Mail (Cont.)
E-Mail Client       Extension   Type of File
Eudora              .mbx        Eudora message base
Outlook Express     .dbx        OE mail database
                    .dgr        OE fax page
                    .eml        OE mail message (electronic mail)
Outlook             .pab        Personal address book
                    .pst        Personal folder
                    .wab        Windows address book
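A triage script for the extension search described above, written as an added example (it is not code from the original slides). It walks a directory tree, matches files against the extensions in the table, and additionally checks a few leading-byte signatures so that a store someone has renamed (a .pst saved as archive.dat, say) is still found. The signature values are assumptions stated in EMAIL_MAGIC; confirm them against known-good reference files before relying on them. The sample tree is constructed in a temporary directory.

```python
"""Find resident e-mail client stores by extension and by file signature.

Added example, not from the original slides.  Extensions come from the
table above; the magic values in EMAIL_MAGIC are assumptions to verify.
"""
import os
import tempfile

# Extensions from the table above with the description of each store.
EMAIL_EXTENSIONS = {
    ".mbx": "Eudora message base",
    ".dbx": "Outlook Express mail database",
    ".dgr": "Outlook Express fax page",
    ".eml": "Outlook Express mail message",
    ".pab": "Outlook personal address book",
    ".pst": "Outlook personal folder",
    ".wab": "Windows address book",
}

# Leading-byte signatures (assumed values, checked at offset 0).
EMAIL_MAGIC = {
    b"!BDN": "Outlook PST/OST (signature !BDN)",
    b"\xcf\xad\x12\xfe": "Outlook Express DBX (signature CF AD 12 FE)",
    b"From ": "mbox-style mailbox (Eudora .mbx / Unix mbox 'From ' separator)",
}


def classify_file(path):
    """Return (how_matched, description) or None if the file does not look like mail."""
    ext = os.path.splitext(path)[1].lower()
    try:
        with open(path, "rb") as f:
            head = f.read(8)
    except OSError:
        head = b""
    for magic, desc in EMAIL_MAGIC.items():
        if head.startswith(magic):
            return ("ext+magic" if ext in EMAIL_EXTENSIONS else "magic"), desc
    if ext in EMAIL_EXTENSIONS:
        return "ext", EMAIL_EXTENSIONS[ext]
    return None


def find_email_stores(root):
    """Walk root and return {relative_path: (how_matched, description)}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result = classify_file(full)
            if result:
                hits[os.path.relpath(full, root)] = result
    return hits


def build_sample_tree():
    """Constructed sample data: a small tree including one renamed PST."""
    root = tempfile.mkdtemp(prefix="mailscan_")
    samples = {
        "Outlook/outlook.pst": b"!BDN" + b"\x00" * 60,   # PST with its normal extension
        "Outlook/archive.dat": b"!BDN" + b"\x00" * 60,   # PST renamed to hide it
        "oe/Inbox.dbx": b"\xcf\xad\x12\xfe\xc5\xfd\x74\x6f",
        "oe/notes.txt": b"just a text file\n",
        "eudora/In.mbx": b"From ???@??? Mon Jan  1 00:00:00 2001\nSubject: x\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for rel, (how, desc) in sorted(find_email_stores(build_sample_tree()).items()):
        print(f"{rel:25} [{how}] {desc}")
```

Files matched only by signature ("magic") are the interesting ones on a real seizure: they are the stores the user did not want found.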
Working with E-Mail (Cont.)
Popular e-mail clients:
Outlook Express: installed by default with Windows
Outlook: bundled with Microsoft Office
Eudora: popular free client
Working with Webmail
Webmail data flow:
User opens a browser and logs in to the webmail interface
Webmail server has already placed mail in the Inbox
User uses the compose function followed by the send function to create and send mail
Web client communicates behind the scenes with the webmail server to send the message
The mailbox itself is not stored on the local PC; the webmail provider houses all e-mail (though pages the user viewed may survive in the browser's cache and temporary files)
Working with Webmail (Cont.)
Working with webmail files:
Entails a bit more effort to locate files
Temporary files are a good place to start
Useful keywords for webmail programs include:
Yahoo! Mail: ShowLetter, ShowFolder, Compose, "Yahoo! Mail"
Hotmail: HoTMaiL, hmhome, getmsg, doattach, compose
Gmail: mail[#]
Working with Webmail (Cont.)
Type of E-Mail Protocol            POP3                                         IMAP      Webmail
E-mail accessible from anywhere    No                                           Yes       Yes
Remains stored on server           No (unless included in a backup of server)   Yes       Yes, unless POP3 was used too
Dependence on Internet             Moderate                                     Strong    Strong
Special software required          Yes                                          Yes       No
Examining E-mail Messages
Access the victim's computer to recover the evidence
Using the victim's e-mail client, find and copy the evidence in the e-mail
Or guide the victim on the phone to open and copy the e-mail, including the headers
Sometimes you will deal with deleted e-mails
Examining E-mail Messages (continued)
Copying an e-mail message:
Before you start an e-mail investigation, you need to copy and print the e-mail involved in the crime or policy violation
You might also want to forward the message as an attachment to another e-mail address (forwarding as an attachment preserves the original headers; forwarding inline does not)
With many GUI e-mail programs, you can copy an e-mail by dragging it to a storage medium, or by saving it in a different location
Examining E-mail Messages (continued)
Understanding e-mail headers:
The header records information about the sender, the receiver, and the servers the message passes along the way
Most e-mail clients show the header in a short form that does not reveal IP addresses
Most programs have an option to show a long form that reveals the complete details
Examining E-Mails for Evidence (Cont.)
The most common parts of the e-mail header are the logical addresses of senders and receivers
A logical address is composed of two parts:
The mailbox, which comes before the @ sign
The domain or hostname, which comes after the @ sign
The mailbox is generally the user ID used to log in to the e-mail server
The domain is the Internet location of the server that transmits the e-mail
Examining E-Mails for Evidence (Cont.)
Reviewing e-mail headers can offer clues to the true origins of the mail and the program used to send it
Common e-mail header fields include:
Bcc (normally present only in the sender's own copy)
Cc
Content-Type
Date
From
Message-ID
Received (one is added by each server the message passes through; read them bottom-up to follow the path from the origin)
Subject
To
X-Priority
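A header parser for the fields listed above, as an added example (not code from the original slides), using only the Python standard library. It walks the Received chain origin-first, pulls the relay IP out of each hop, and classifies hops as internal (RFC 1918, loopback, link-local, CGNAT) or external so that an internal relay is not mistaken for the sender; it also flags a From/Return-Path domain mismatch, a common sign of a spoofed or bulk-mailed message. The message, hostnames and addresses are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), and the internal-range check is done explicitly because ipaddress.is_global also reports those documentation ranges as non-global.

```python
"""Parse message headers and walk the Received chain origin-first.

Added example, not from the original slides.  RAW_MESSAGE is constructed.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx1.corp.example (mx1.corp.example [10.0.0.25])
\tby mailstore.corp.example with ESMTP id 7F3A1; Tue, 4 Mar 2008 10:17:03 -0500
Received: from relay.mailer.example.net (relay.mailer.example.net [198.51.100.7])
\tby mx1.corp.example with ESMTP id 4B2C9; Tue, 4 Mar 2008 10:17:01 -0500
Received: from user-pc (unknown [203.0.113.45])
\tby relay.mailer.example.net with ESMTPA id 1A2B3; Tue, 4 Mar 2008 10:16:58 -0500
Message-ID: <20080304151658.1A2B3@relay.mailer.example.net>
Date: Tue, 4 Mar 2008 10:16:55 -0500
From: "Accounts Payable" <ap@corp.example>
To: cfo@corp.example
Subject: Wire instructions update
X-Priority: 1
Content-Type: text/plain; charset=us-ascii

Please update the wire instructions today.
"""

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]


def scope_of(ip):
    """'internal' for RFC 1918/loopback/link-local/CGNAT hops, else 'external'.
    Checked explicitly: ip_address().is_global would also call the
    documentation ranges used in this sample non-global."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def parse_received(value):
    """Split one Received header into from-host, ip, scope, by-host, timestamp."""
    flat = " ".join(value.split())            # undo header folding
    m_from = re.search(r"from\s+(\S+)", flat)
    m_by = re.search(r"\bby\s+(\S+)", flat)
    m_ip = _IP_RE.search(flat)
    ip = m_ip.group(1) if m_ip else None
    ts = None
    if ";" in flat:                           # the timestamp follows the last ';'
        try:
            ts = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            ts = None
    return {"from": m_from.group(1) if m_from else None, "ip": ip,
            "scope": scope_of(ip) if ip else None,
            "by": m_by.group(1) if m_by else None, "time": ts}


def analyze(raw):
    """Return key fields plus the Received chain ordered origin-first."""
    msg = message_from_string(raw)
    # Relays prepend Received headers, so reversing puts the origin first.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    origin = next((h for h in hops if h["scope"] == "external"), None)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    return {
        "message_id": msg.get("Message-ID"),
        "from": from_addr,
        "return_path": return_path,
        "envelope_mismatch": from_addr.split("@")[-1].lower()
        != return_path.split("@")[-1].lower(),
        "hops": hops,
        "origin_ip": origin["ip"] if origin else None,
    }


if __name__ == "__main__":
    result = analyze(RAW_MESSAGE)
    print("Message-ID:", result["message_id"])
    print("From:", result["from"], "/ Return-Path:", result["return_path"],
          "(domain mismatch)" if result["envelope_mismatch"] else "")
    for i, h in enumerate(result["hops"]):
        print(f"hop {i}: {h['from']} [{h['ip']}] ({h['scope']}) -> {h['by']} at {h['time']}")
    print("First external hop:", result["origin_ip"])
```

Only the Received header written by your own server (or another server you trust) is reliable; a sender can insert forged Received lines below it, so treat everything beneath the first trusted hop as a claim to be verified against that server's logs.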
Viewing E-mail Headers (continued)
Outlook:
Open the Message Options dialog box
Copy the headers
Paste them into any text editor
Outlook Express:
Open the message Properties dialog box
Select Message Source
Copy and paste the headers into any text editor
Viewing E-mail Headers (continued)
Hotmail: demo
Apple Mail:
Click View from the menu, point to Message, and then click Long Header
Copy and paste the headers
Viewing E-mail Headers (continued)
Yahoo: demo
Examining Additional E-mail Files
E-mail messages are saved on the client side or left on the server
Microsoft Outlook uses a .pst file
Most e-mail programs also include an electronic address book
In Web-based e-mail, messages are displayed and saved as Web pages in the browser's cache folders
Examining E-Mails for Evidence (Cont.)
Understanding e-mail attachments:
The MIME standard allows HTML, multimedia, images and other binary content to be carried in e-mail
Attachments are normally base64-encoded, so searching for the string "base64" (as in the Content-Transfer-Encoding header) and for long runs of base64 text can find attachments in unallocated or slack space
Anonymous remailers:
Allow users to remove identifying IP data to maintain privacy
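The base64 search described above, carried through to a recovered file, as an added example (not code from the original slides). It makes two passes over a raw buffer: one for the literal "Content-Transfer-Encoding: base64" marker, and one, independent of any MIME headers, for long runs of base64 alphabet text (wrapped at 76 columns or not), which it decodes and identifies by file signature. The second pass is what recovers a part whose headers have already been overwritten. The "slack space" buffer is constructed around a tiny valid PNG; the signature list is a small set of common types and is not exhaustive.

```python
"""Carve base64-encoded attachments out of raw or unallocated data.

Added example, not from the original slides.  The sample buffer is constructed.
"""
import base64
import re
import struct
import zlib

MIME_MARKER = re.compile(rb"Content-Transfer-Encoding:\s*base64", re.IGNORECASE)
# Groups of four base64 characters, each optionally followed by a line break,
# at least 16 groups (64 chars) so ordinary words are not picked up, then an
# optional final group carrying '=' padding.
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{4}(?:\r?\n)?){16,}(?:[A-Za-z0-9+/]{2,3}=?=?)?")

SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP/Office document"),
    (b"\xd0\xcf\x11\xe0", "OLE2 (legacy Office) document"),
]


def identify(data):
    """Name the file type by leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def find_mime_markers(blob):
    """Offsets of every 'Content-Transfer-Encoding: base64' header in blob."""
    return [m.start() for m in MIME_MARKER.finditer(blob)]


def carve_base64(blob, min_decoded=32):
    """Return [(offset, decoded_bytes, file_type)] for each decodable run."""
    found = []
    for m in B64_RUN.finditer(blob):
        text = re.sub(rb"\s+", b"", m.group())
        text += b"=" * (-len(text) % 4)          # repair stripped padding
        try:
            decoded = base64.b64decode(text, validate=True)
        except (ValueError, TypeError):
            continue
        if len(decoded) >= min_decoded:
            found.append((m.start(), decoded, identify(decoded)))
    return found


def make_png(width=4, height=4):
    """Build a small valid greyscale PNG so the carved result has a real signature."""
    def chunk(tag, payload):
        body = tag + payload
        return (struct.pack(">I", len(payload)) + body
                + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF))
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter byte + row
    return (b"\x89PNG\r\n\x1a\n"
            + chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0))
            + chunk(b"IDAT", zlib.compress(raw))
            + chunk(b"IEND", b""))


def build_sample_slack():
    """Constructed unallocated-space buffer: junk, a MIME part, more junk."""
    png = make_png()
    wrapped = base64.encodebytes(png)            # 76-column wrapped, like a mailer
    mime_part = (b"Content-Type: image/png; name=\"chart.png\"\r\n"
                 b"Content-Transfer-Encoding: base64\r\n\r\n" + wrapped)
    return b"\x00" * 128 + b"random slack text " * 3 + mime_part + b"\xff" * 64, png


if __name__ == "__main__":
    blob, original = build_sample_slack()
    print("MIME markers at offsets:", find_mime_markers(blob))
    for off, data, kind in carve_base64(blob):
        print(f"offset {off}: {len(data)} bytes, {kind}, matches original: {data == original}")
```

On a real image, hash each carved object and record its offset before looking at it; the offset is what ties the attachment back to the sector range and, through the MIME marker, to the message it belonged to.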
Tracing an E-mail Message
Contact the administrator responsible for the sending server
Finding a domain name's point of contact:
www.arin.net (American Registry for Internet Numbers)
www.internic.com
www.freeality.com
www.google.com
Find the suspect's contact information
Verify your findings by checking network e-mail logs against e-mail addresses
Using Network E-mail Logs
Router logs:
Can record incoming and outgoing traffic (when logging is enabled)
Have rules to allow or disallow traffic
Let you resolve the path a transmitted e-mail has taken
Firewall logs:
Filter e-mail traffic
Verify whether the e-mail passed through
You can use any text editor or specialized tools
Understanding E-mail Servers
Maintain logs you can examine and use in your investigation
E-mail storage: database or flat file
Logs
Understanding E-mail Servers (continued)
Log information:
E-mail content
Sending IP address
Receiving and reading date and time
System-specific information
Contact the suspect's network e-mail administrator as soon as possible
Servers can often recover deleted e-mails: similar to deletion of files on a hard drive, a deleted message may remain in the store (or in backups) until it is overwritten
Using Specialized E-mail Forensics Tools
Tools include:
AccessData's Forensic Toolkit (FTK)
ProDiscover Basic
FINALeMAIL
Sawmill-GroupWise
DBXtract
Fookes Aid4Mail and MailBag Assistant
Paraben E-Mail Examiner
Ontrack Easy Recovery EmailRepair
R-Tools R-Mail
Using Specialized E-mail Forensics Tools (continued)
Tools allow you to find:
E-mail database files
Personal e-mail files
Offline storage files
Log files
Advantage: you do not need to know how e-mail servers and clients work
Using AccessData FTK to Recover E-mail
FTK can index data on a disk image or an entire drive for faster data retrieval
FTK filters and finds files specific to e-mail clients and servers
Using a Hexadecimal Editor to Carve E-mail Messages
Very few vendors have products for analyzing e-mail on systems other than Microsoft
Example: carve e-mail messages from Evolution
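The carving done by hand in a hex editor, automated as an added example (not code from the original slides). mbox-style stores (Evolution's local folders, Eudora, Unix mail) write a "From " separator line in front of every message, so the script scans a raw image for that line, cuts each candidate at the next separator or at the first non-text byte, rejects candidates with no header block, and parses the rest with the email module. The image is constructed: two messages surrounded by binary junk plus a decoy separator with no headers. The exact separator and date layout are an assumption about the store being carved; adjust the regex to the sample you see in the hex editor.

```python
"""Carve individual e-mail messages out of a raw disk image.

Added example, not from the original slides.  The image is constructed.
"""
import re
from email import message_from_bytes

# mbox separator: "From " + sender + ctime-style date.  Eudora writes
# "From ???@???"; Evolution/Unix mail write the envelope sender.
SEPARATOR = re.compile(
    rb"From (\S+) [A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}\r?\n")
# Any byte outside printable ASCII / common whitespace ends the text region.
# (An 8-bit body would be truncated there; widen the class for such stores.)
NON_TEXT = re.compile(rb"[^\x09\x0a\x0d\x20-\x7e]")


def carve_messages(image, min_len=40):
    """Return [(offset, email.message.Message)] for each carvable message."""
    starts = [m.start() for m in SEPARATOR.finditer(image)]
    results = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(image)
        region = image[start:end]
        junk = NON_TEXT.search(region)
        if junk:
            region = region[:junk.start()]          # cut at the first binary byte
        first_nl = region.find(b"\n")
        body = region[first_nl + 1:] if first_nl != -1 else b""
        # A real message starts with a header block; a bare "From " line does not.
        if len(body) < min_len or b":" not in body.split(b"\n", 1)[0]:
            continue
        results.append((start, message_from_bytes(body)))
    return results


def summarize(image):
    """Compact view of carved messages: offset, key headers, body text."""
    return [{"offset": off,
             "from": msg.get("From"), "to": msg.get("To"),
             "subject": msg.get("Subject"), "message_id": msg.get("Message-ID"),
             "body": msg.get_payload().strip()}
            for off, msg in carve_messages(image)]


def build_sample_image():
    """Constructed raw image: junk, two mbox messages, junk, a decoy separator."""
    msg1 = (b"From alice@example.org Tue Mar  4 10:16:58 2008\n"
            b"From: alice@example.org\nTo: bob@example.org\n"
            b"Subject: lunch\nMessage-ID: <m1@example.org>\n\n"
            b"Noon at the usual place.\n\n")
    msg2 = (b"From carol@example.org Wed Mar  5 08:01:12 2008\n"
            b"From: carol@example.org\nTo: bob@example.org\n"
            b"Subject: re: the files\nMessage-ID: <m2@example.org>\n\n"
            b"Deleted them like you asked.\n")
    decoy = b"From nobody Thu Jan  1 00:00:00 1970\nthis line has no header fields\n"
    return (b"\x00\x7f\x80" * 40 + msg1 + msg2 + b"\xff" * 30 + b"\x00" * 10
            + decoy + b"\x00" * 8)


if __name__ == "__main__":
    for m in summarize(build_sample_image()):
        print(f"@{m['offset']}: {m['from']} -> {m['to']} | {m['subject']} | {m['message_id']}")
```

Record the byte offset with each carved message; it is the link back to the sector on the original image that a report or a repeat examination will need.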
Working with Instant Messaging
The most widely used IM applications include: Yahoo Messenger, Google Talk
Newer versions of IM clients and servers allow the logging of activity
IM can be more incriminating than e-mail
Summary
Electronic mail and instant messages can be important evidence to find
They can provide a more realistic and candid view of a person
Client and server programs are needed for both e-mail and IM applications
Webmail does not leave a complete trail on the local computer
Summary (Cont.)
It may be necessary to harvest data from a server, in which case you need to consider the following:
Data storage structure being used
Authority to access the data
A realistic plan for the time and space needed to house the forensic copy of the data
Summary (Cont.)
E-mail headers and IM logs can provide additional evidence
Tracing IP addresses may involve searches of international and regional registries responsible for allocating IP addresses
Summary (Cont.)
Instant messaging, like e-mail, is a client/server-based technology
Due to volume, records may not be kept by providers
If found, they can contribute significantly to a case