Computer Forensics: Principles and Practices
by Volonino, Anzaldua, and Godwin
Chapter 8: E-Mail and Webmail Forensics
© Pearson Education Computer Forensics: Principles and Practices 2
Objectives
Understand the flow of electronic mail across a network
Explain the difference between resident e-mail client programs and webmail
Understand the difference between typical desktop data storage and server data storage
Identify the components of e-mail headers
Understand the flow of instant messaging across the network
Introduction
E-mail has transcended social boundaries and moved from a convenient way to communicate to a corporate requirement. In many cases, unintentional and incriminating documentation of people's activities and attitudes can be found through computer forensic examination of e-mail.
In Practice: E-Mail in Senate Investigations of Finance Companies
Financial institutions helped Enron manipulate its numbers and mislead investors
E-mail proved that banks such as JPMorgan Chase knew very well how Enron was hiding its debt
Importance of E-Mail as Evidence
E-mail can be pivotal evidence in a case
Due to its informal nature, it does not always represent corporate policy
Many cases provide examples of the use of e-mail as evidence:
Knox v. State of Indiana
Harley v. McCoach
Nardinelli et al. v. Chevron
Adelyn Lee v. Oracle Corporation
Working with E-Mail
E-mail evidence typically used to corroborate or refute other testimony or evidence
Can be used by prosecutors or defense parties
Two standard methods to send and receive e-mail:
Client/server applications
Webmail
Working with E-Mail (Cont.)
E-mail data flow
User has a client program such as Outlook or Eudora
Client program is configured to work with one or more servers
E-mails sent by the client reside on the PC
A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers
Working with E-Mail (Cont.)
Sending E-Mail
User creates the e-mail on her client
User issues the send command
Client moves the e-mail to the Outbox
Client connects to the server; if it cannot connect, it keeps trying
Server acknowledges the client and authenticates the e-mail account
Client sends the e-mail to the server
Server sends the e-mail to the destination e-mail server
Working with E-Mail (Cont.)
Receiving E-Mail
User opens the client and logs on
User issues the receive command
Client contacts the server
Server acknowledges, authenticates, and contacts the mailbox for the account
Mail is downloaded to the local computer
Messages are placed in the Inbox to be read
POP3 normally deletes messages from the server once they have been downloaded (unless the client is configured to leave a copy); IMAP retains the copy on the server
Working with E-Mail (Cont.)
Working with resident e-mail files
Users are able to work offline with e-mail
E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized
Begin by identifying the e-mail clients on the system
You can also search by the file extensions used by common e-mail clients
Working with E-Mail (Cont.)
E-Mail Client      Extension    Type of File
AOL                .abi         AOL6 organizer file
                   .aim         Instant Message launch
                   .arl         Organizer file
                   .bag         Instant Messenger file
Outlook Express    .dbx         OE mail database
                   .dgr         OE fax page
                   .eml         OE mail message
                   (not shown)  OE electronic mail
Outlook            .pab         Personal address book
                   .pst         Personal folder
                   .wab         Windows address book
Lotus Notes        .box         Notes mailbox
                   .ncf         Notes internal clipboard
                   .nsf         Notes database
Novell GroupWise   .mlm         Saved e-mail (using WP5.1 format)
Eudora             .mbx         Eudora message base
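Extensions are a starting point, but a user can rename a .pst to .dat and an examiner who only greps for extensions will miss it. The following is an added example (not from the textbook) that walks a directory tree and identifies mail stores by their leading bytes as well as by extension, flagging any disagreement. The signatures it relies on are the PST/OST header "!BDN", the Outlook Express .dbx header CF AD 12 FE, and the "From " line that opens an mbox-style message base; .eml files carry no signature, so a header line is used instead. The sample directory tree it builds is constructed data, not an evidence image.

```python
# Added example (not from the textbook): identify e-mail store files on a
# seized volume by their leading bytes ("magic") and compare the result with
# what the file extension claims. Signatures: Outlook PST/OST files begin
# with "!BDN"; Outlook Express DBX files begin with CF AD 12 FE; mbox-style
# message bases (Eudora .mbx among others) begin with "From ".
import os
import re
import tempfile

SIGNATURES = [
    (b"!BDN", "Outlook personal folder (PST/OST)"),
    (b"\xcf\xad\x12\xfe", "Outlook Express mail database (DBX)"),
    (b"From ", "mbox-style message base"),
]

# Extension hints taken from the chapter's table (subset).
EXTENSIONS = {
    ".pst": "Outlook personal folder (PST/OST)",
    ".dbx": "Outlook Express mail database (DBX)",
    ".eml": "RFC 822 message (EML)",
    ".mbx": "mbox-style message base",
    ".nsf": "Lotus Notes database",
    ".wab": "Windows address book",
}

# An RFC 822 message (.eml) has no magic number; recognise a header line.
HEADER_LINE = re.compile(rb"\A[A-Za-z][A-Za-z0-9-]*:[ \t]")


def identify_by_content(path):
    """Return a description based on file content, or None if unrecognised."""
    with open(path, "rb") as fh:
        head = fh.read(512)
    for magic, desc in SIGNATURES:
        if head.startswith(magic):
            return desc
    if HEADER_LINE.match(head):
        return "RFC 822 message (EML)"
    return None


def scan_tree(root):
    """Walk `root`; report every file whose content or extension looks like an
    e-mail store, flagging files whose extension disagrees with the content
    (renamed or deliberately hidden mail stores are common)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            by_ext = EXTENSIONS.get(os.path.splitext(name)[1].lower())
            by_sig = identify_by_content(path)
            if by_ext is None and by_sig is None:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings[rel] = {
                "extension_says": by_ext,
                "content_says": by_sig,
                "mismatch": by_sig is not None and by_ext != by_sig,
            }
    return findings


def build_sample_tree():
    """Constructed sample data (not a real evidence image): a few files with
    the signatures above, one of them renamed to hide it. Returns the root."""
    root = tempfile.mkdtemp(prefix="mailstores-")
    samples = {
        "Outlook/Outlook.pst": b"!BDN" + b"\x00" * 60,
        "OE/Inbox.dbx": b"\xcf\xad\x12\xfe" + b"\x00" * 60,
        "Eudora/In.mbx": b"From bob@example.org Mon Mar  3 10:14:50 2008\nSubject: hi\n\nhello\n",
        "Saved/q4.eml": b"From: bob@example.org\r\nTo: alice@example.com\r\n\r\nsee attached\r\n",
        "Windows/Temp/notes.dat": b"!BDN" + b"\x00" * 60,   # a PST renamed to .dat
        "Docs/readme.txt": b"nothing to see here\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, info in sorted(scan_tree(build_sample_tree()).items()):
        flag = "  <-- extension/content mismatch" if info["mismatch"] else ""
        print(f"{rel}: ext={info['extension_says']} content={info['content_says']}{flag}")
```

Run on a mounted image, `scan_tree` lists every recognised store; the `mismatch` flag is the line worth reading first, since a mail store with the wrong extension is rarely an accident.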
Working with E-Mail (Cont.)
Popular e-mail clients:
America Online (AOL): users have a month to download or save before AOL deletes messages
Outlook Express: installed by default with Windows
Outlook: bundled with Microsoft Office
Eudora: popular free client
Lotus Notes: integrated client option for the Lotus Domino server
Working with Webmail
Webmail data flow
User opens a browser and logs in to the webmail interface
Webmail server has already placed mail in the Inbox
User uses the compose function followed by the send function to create and send mail
The web client communicates behind the scenes with the webmail server to send the message
No mailbox file is stored on the local PC; the webmail provider houses all e-mail, and only browser cache and temporary files may hold fragments of it
Working with Webmail (Cont.)
Working with webmail files
Entails a bit more effort to locate files
Temporary files are a good place to start
Useful keywords for webmail programs include:
Yahoo! Mail: ShowLetter, ShowFolder, Compose, "Yahoo! Mail"
Hotmail: HoTMail, hmhome, getmsg, doattach, compose
Gmail: mail[#]
Working with Webmail (Cont.)
Type of E-Mail Protocol            POP3                                      IMAP          Webmail
E-mail accessible from anywhere    No                                        Yes           Yes
Remains stored on server           No (unless included in a server backup)   Yes           Yes, unless POP3 was used too
Dependence on Internet             Moderate                                  Very strong   Strong
Special software required          Yes                                       Yes           No
Working with Mail Servers
Some initial things to consider:
How many users are serviced?
E-mail retention policies of the company
Accessibility of the e-mail server
Working with Mail Servers (Cont.)
Redundant array of independent disks (RAID)
RAID 0: Basic disk striping
RAID 1: Disk mirroring
RAID 3: Striping with a dedicated parity disk
RAID 5: Striping with parity distributed across all disks
RAID 0+1 and RAID 10 (1+0): Mirror of stripes and striped mirroring
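Why the RAID level matters to an examiner: with striping, no single disk image contains a readable mailbox, and with parity a missing or failed member can still be rebuilt. The following added example (not from the textbook) simulates RAID 5 in a few dozen lines: it stripes a small volume across disk images with rotating XOR parity, reads the volume back, and regenerates one missing disk from the survivors. The stripe unit size and parity rotation used are assumptions chosen for readability; a real controller's unit size, rotation direction, start offset and disk order have to be established before a seized array can be reassembled, and getting any of them wrong produces plausible-looking garbage.

```python
# Added example (not from the textbook): a small RAID 5 simulation. It stripes
# a "volume" across N disk images with rotating XOR parity, reads the volume
# back, and rebuilds one missing disk from the survivors. The stripe unit size
# and the parity rotation are assumptions; a real controller's layout (unit
# size, rotation direction, start offset, disk order) must be determined
# before a seized array can be reassembled.
from functools import reduce

UNIT = 4  # bytes per stripe unit; tiny so the layout is easy to inspect


def xor_blocks(blocks):
    """XOR equal-length byte blocks together (the parity operation)."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def parity_disk_for(stripe, ndisks):
    """Parity rotates backwards one disk per stripe (assumed layout)."""
    return (ndisks - 1 - stripe) % ndisks


def raid5_write(volume, ndisks):
    """Stripe `volume` across `ndisks` disks; returns the disk images."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    data_units = ndisks - 1
    stripe_len = UNIT * data_units
    volume = volume + b"\x00" * ((-len(volume)) % stripe_len)   # pad last stripe
    disks = [bytearray() for _ in range(ndisks)]
    for s in range(len(volume) // stripe_len):
        stripe = volume[s * stripe_len:(s + 1) * stripe_len]
        units = [stripe[i * UNIT:(i + 1) * UNIT] for i in range(data_units)]
        p = parity_disk_for(s, ndisks)
        next_unit = iter(units)
        for d in range(ndisks):
            disks[d] += xor_blocks(units) if d == p else next(next_unit)
    return [bytes(d) for d in disks]


def raid5_read(disks, length):
    """Reassemble the logical volume, skipping the parity unit of each stripe."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0]) // UNIT):
        p = parity_disk_for(s, ndisks)
        for d in range(ndisks):
            if d != p:
                out += disks[d][s * UNIT:(s + 1) * UNIT]
    return bytes(out[:length])


def raid5_rebuild(survivors):
    """Recreate the one missing disk from all the others: every unit on it,
    data or parity, is the XOR of the corresponding units on the survivors."""
    return xor_blocks(survivors)


if __name__ == "__main__":
    sample = b"Received: from mx1.example.net by mail.example.com; id 42"  # constructed
    images = raid5_write(sample, 4)
    assert raid5_read(images, len(sample)) == sample
    rebuilt = raid5_rebuild(images[:2] + images[3:])      # disk 2 was not imaged
    assert rebuilt == images[2]
    print(raid5_read(images[:2] + [rebuilt] + images[3:], len(sample)))
```

Because a RAID 5 unit is the XOR of its stripe-mates, `raid5_rebuild` works for a data disk and a parity disk alike; losing two members is unrecoverable, which is why the chapter's advice to harvest from the live server over the network is often the safer route.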
Working with Mail Servers (Cont.)
Harvesting data from RAID servers
Easiest way to obtain the data is over the network
Considerations:
Time to obtain the data
Physical configuration and space
Production server downtime
Examining E-Mails for Evidence
Understanding e-mail headers
The header records information about the sender, the receiver, and the servers the message passes through along the way
Most e-mail clients show the header in a short form that does not reveal IP addresses
Most programs have an option to show a long form that reveals the complete details
Examining E-Mails for Evidence (Cont.)
The most common parts of the e-mail header are the logical addresses of senders and receivers
A logical address is composed of two parts:
The mailbox, which comes before the @ sign
The domain or hostname, which comes after the @ sign
The mailbox is generally the user ID used to log in to the e-mail server
The domain is the Internet domain whose mail server accepts e-mail for that mailbox
Examining E-Mails for Evidence (Cont.)
Reviewing e-mail headers can offer clues to the true origin of the mail and the program used to send it
Common e-mail header fields include: Bcc, Cc, Content-Type, Date, From, Message-ID, Received, Subject, To, X-Priority
Examining E-Mails for Evidence (Cont.)
IP address registries:
AFRINIC (African Network Information Centre)
APNIC (Asia Pacific Network Information Centre)
ARIN (American Registry for Internet Numbers)
LACNIC (Latin American and Caribbean Internet Addresses Registry)
RIPE NCC (Réseaux IP Européens Network Coordination Centre)
Examining E-Mails for Evidence (Cont.)
Understanding e-mail attachments
The MIME standard allows HTML, multimedia images, and other binary attachments in e-mail; binary attachments are normally carried as base64 text
Searching for base64-encoded data can find attachments in unallocated or slack space
Anonymous remailers
Allow users to remove identifying IP data to maintain privacy
Their use stems from users citing the First Amendment and freedom of speech
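The keyword sweep for webmail artifacts on the earlier slide and the base64 search above are both scans over raw bytes, so one added example (not from the textbook) covers both. It searches a constructed "disk image" for the Yahoo! Mail and Hotmail strings listed in the chapter, reporting each hit with its offset and surrounding context, and then carves line-wrapped base64 runs, decodes them and identifies the payload by its magic bytes. The image, the cached page fragment and the PNG-like payload (just the PNG signature plus filler) are constructed for the example. The carver tries all four decode alignments because, as the sample shows, a run usually begins with leftover header text such as the word "attachment" glued to the real data.

```python
# Added example (not from the textbook): two searches an examiner runs over
# raw bytes (page file, unallocated clusters, browser cache): a keyword sweep
# for the webmail strings listed in the chapter, and a carver that finds
# line-wrapped base64 runs, decodes them and identifies the payload by magic
# bytes. The "disk image" is constructed; the PNG-like payload is only the
# PNG signature followed by filler, not a real image.
import base64
import binascii
import random
import re

WEBMAIL_KEYWORDS = [b"ShowLetter", b"ShowFolder", b"Yahoo! Mail", b"HoTMail",
                    b"hmhome", b"getmsg", b"doattach", b"compose"]

# Base64 alphabet plus padding and the CR/LF used to wrap MIME bodies.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")

MAGIC = [(b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpeg"),
         (b"%PDF", "pdf"), (b"PK\x03\x04", "zip/office-xml")]


def keyword_hits(blob, keywords=WEBMAIL_KEYWORDS, context=24):
    """Case-insensitive search; returns offset plus surrounding bytes so the
    examiner can see the URL or page fragment each keyword sits in."""
    lowered = blob.lower()
    hits = []
    for kw in keywords:
        needle = kw.lower()
        start = 0
        while True:
            i = lowered.find(needle, start)
            if i < 0:
                break
            snippet = blob[max(0, i - context): i + len(kw) + context]
            hits.append({"keyword": kw.decode(), "offset": i,
                         "context": snippet.decode("latin-1")})
            start = i + 1
    return sorted(hits, key=lambda h: h["offset"])


def carve_base64(blob, max_magic_offset=16):
    """Decode every long base64 run and keep those whose decoded bytes start
    (within a few bytes) with a known signature. All four alignments are
    tried because a run often begins with leftover header text glued to the
    data, e.g. 'attachment' from a Content-Disposition line."""
    carved = []
    for m in B64_RUN.finditer(blob):
        compact = m.group(0).replace(b"\r", b"").replace(b"\n", b"")
        eq = compact.find(b"=")                       # cut right after padding
        if eq >= 0:
            compact = compact[:eq + (2 if compact[eq:eq + 2] == b"==" else 1)]
        for align in range(4):
            cand = compact[align:]
            cand = cand[:len(cand) - len(cand) % 4]   # whole quads only
            if len(cand) < 64:
                continue
            try:
                raw = base64.b64decode(cand, validate=True)
            except binascii.Error:
                continue
            for sig, kind in MAGIC:
                pos = raw.find(sig, 0, max_magic_offset + len(sig))
                if pos >= 0:
                    carved.append({"offset": m.start(), "type": kind, "data": raw[pos:]})
                    break
            else:
                continue
            break
    return carved


def build_sample_image():
    """Constructed raw bytes: random filler, a cached Yahoo! Mail page
    fragment, then a MIME attachment part. Returns (blob, original payload)."""
    rng = random.Random(7)
    noise = lambda n: bytes(rng.randrange(256) for _ in range(n))
    payload = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(range(199))  # 215 bytes -> padded base64
    cached_page = (b"<title>Yahoo! Mail - Inbox</title>"
                   b"<a href=\"/ym/ShowLetter?MsgId=1234_5&box=Inbox\">Q4 numbers</a>")
    mime_part = (b"Content-Type: image/png; name=\"evidence.png\"\r\n"
                 b"Content-Transfer-Encoding: base64\r\n"
                 b"Content-Disposition: attachment\r\n\r\n"
                 + base64.encodebytes(payload).replace(b"\n", b"\r\n")
                 + b"--boundary--\r\n")
    return noise(700) + cached_page + noise(300) + mime_part + noise(500), payload


if __name__ == "__main__":
    image, _ = build_sample_image()
    for hit in keyword_hits(image):
        print(f"{hit['offset']:6d} {hit['keyword']:12s} {hit['context']!r}")
    for item in carve_base64(image):
        print(f"base64 run at {item['offset']}: {item['type']}, {len(item['data'])} bytes")
```

Against a real image the keyword list is the chapter's table plus whatever the provider of interest uses today; the carver's only dependency on the mail client is the base64 wrapping, which is why it also recovers attachments from deleted messages whose headers are gone.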
Private IP Address Classifications
IP Address Range                   CIDR Block        Classification   Use
10.0.0.0 to 10.255.255.255         10.0.0.0/8        Class A          Local network use; not routed on the Internet
172.16.0.0 to 172.31.255.255       172.16.0.0/12     Class B          Local network use; not routed on the Internet
192.168.0.0 to 192.168.255.255     192.168.0.0/16    Class C          Local network use; not routed on the Internet
These are the RFC 1918 private ranges (the classful labels are historical: the 172.16 block spans 16 class B networks and the 192.168 block 256 class C networks). A Received header that shows one of these addresses identifies only a host on somebody's local network, not a location on the Internet; the public address recorded by the receiving relay is the one to trace through the registries.
In Practice: Attempted Attack by Chinese Hackers
In December 2005, e-mails sent to the British embassy represented an attempt to take control of embassy computers
Filtering software logged the addresses and identified the origin of the e-mails as China
A Trojan was hidden in attachments to the e-mails
Working with Instant Messaging
Most widely used IM applications include:
Windows Messenger
Google Talk
AIM (AOL Instant Messenger)
ICQ ("I Seek You") Instant Messenger
Newer versions of IM clients and servers allow the logging of activity
IM logs can be more incriminating than e-mail
FYI: Vermont Supreme Court Affirms Conviction Based on IM Evidence
Forensic investigator recovered IM conversations relating to a photo shoot
Expert noted that because IMs are not usually saved, storing them required a special effort
Summary
Electronic mail and instant messages can be important evidence to find
They can provide a more realistic and candid view of a person
Client and server programs are needed for both e-mail and IM applications
Webmail does not leave a complete trail on the local computer
Summary (Cont.)
It may be necessary to harvest data from a server, in which case you need to consider the following:
Data storage structure being used
Authority to access the data
A realistic plan for the time and space needed to house the forensic copy of the data
Summary (Cont.)
E-mail headers and IM logs can provide additional evidence
Tracing IP addresses may involve searches of international and regional registries responsible for allocating IP addresses
Summary (Cont.)
Instant messaging, like e-mail, is a client/server-based technology
Due to volume, records may not be kept by providers
If found, they can contribute significantly to a case