E-Mail and Webmail Forensics
Transcript of E-Mail and Webmail Forensics
Objectives
Understand the flow of electronic mail across a network
Explain the difference between resident e-mail client programs and webmail
Identify the components of e-mail headers
Understand the flow of instant messaging across the network
Introduction
E-mail has transcended social boundaries and moved from a convenient way to communicate to a corporate requirement. In many cases, unintentional and incriminating documentation of people's activities and attitudes can be found through computer forensics of e-mail.
Investigating E-mail Crimes and Violations
Similar to other types of investigations
Goals:
Find who is behind the crime
Collect the evidence
Present your findings
Build a case
Investigating E-mail Crimes and Violations (continued)
Becoming commonplace
Examples of crimes involving e-mail:
Narcotics trafficking
Extortion
Sexual harassment
Child abductions and pornography
In Practice: E-Mail in Senate Investigations of Finance Companies
Financial institutions helped Enron manipulate its numbers and mislead investors
E-mail proved that banks such as JPMorgan Chase knew very well how Enron was hiding its debt
Importance of E-Mail as Evidence
E-mail can be pivotal evidence in a case
Due to its informal nature, it does not always represent corporate policy
Many other cases provide examples of the use of e-mail as evidence:
Knox v. State of Indiana
Harley v. McCoach
Nardinelli et al. v. Chevron
Working with E-Mail
Can be used by prosecutors or defense parties
Two standard methods to send and receive e-mail:
Client/server applications
Webmail
Working with E-Mail (Cont.)
E-mail data flow:
User has a client program such as Outlook or Eudora
Client program is configured to work with one or more servers
E-mails sent by the client reside on the PC
A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers
Working with E-Mail (Cont.)
Sending E-Mail:
User creates e-mail on her client
User issues send command
Client moves e-mail to Outbox
Server acknowledges client and authenticates e-mail account
Client sends e-mail to the server
Server sends e-mail to destination e-mail server
If the client cannot connect with the server, it keeps trying
Working with E-Mail (Cont.)
Receiving E-Mail:
User opens client and logs on
User issues receive command
Client contacts server
Server acknowledges, authenticates, and contacts mail box for the account
Mail downloaded to local computer
Messages placed in Inbox to be read
POP deletes messages from server; IMAP retains copy on server
Working with E-Mail (Cont.)
Working with resident e-mail files:
Users are able to work offline with e-mail
E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized
Begin by identifying e-mail clients on the system
You can also search by file extensions of common e-mail clients
Working with E-Mail (Cont.)
E-Mail Client      Extension   Type of File
Eudora             .mbx        Eudora message base
Outlook Express    .dbx        OE mail database
                   .dgr        OE fax page
                   .eml        OE mail message (OE electronic mail)
Outlook            .pab        Personal address book
                   .pst        Personal folder
                   .wab        Windows address book
(Continued)
Working with E-Mail (Cont.)
Popular e-mail clients:
Outlook Express: installed by default with Windows
Outlook: bundled with Microsoft Office
Eudora: popular free client
Working with Webmail
Webmail data flow:
User opens a browser and logs in to the webmail interface
Webmail server has already placed mail in the Inbox
User uses the compose function followed by the send function to create and send mail
Web client communicates behind the scenes with the webmail server to send the message
No e-mails are stored on the local PC; the webmail provider houses all e-mail
Working with Webmail (Cont.)
Working with webmail files:
Entails a bit more effort to locate files
Temporary files are a good place to start
Useful keywords for webmail programs include:
Yahoo! Mail: ShowLetter, ShowFolder, Compose, “Yahoo! Mail”
Hotmail: HoTMail, hmhome, getmsg, doattach, compose
Gmail: mail[#]
Working with Webmail (Cont.)
Type of E-Mail Protocol           POP3                                         IMAP      Webmail
E-mail accessible from anywhere   No                                           Yes       Yes
Remains stored on server          No (unless included in a backup of server)   Yes       Yes, unless POP3 was used too
Dependence on Internet            Moderate                                     Strong    Strong
Special software required         Yes                                          Yes       No
Examining E-mail Messages
Access the victim's computer to recover the evidence
Using the victim's e-mail client: find and copy the evidence in the e-mail
Guiding the victim on the phone: open and copy the e-mail, including headers
Sometimes you will deal with deleted e-mails
Examining E-mail Messages (continued)
Copying an e-mail message:
Before you start an e-mail investigation, you need to copy and print the e-mail involved in the crime or policy violation
You might also want to forward the message as an attachment to another e-mail address
With many GUI e-mail programs, you can copy an e-mail by dragging it to a storage medium, or by saving it in a different location
Examining E-mail Messages (continued)
Understanding e-mail headers:
The header records information about the sender, the receiver, and the servers the message passes through along the way
Most e-mail clients show the header in a short form that does not reveal IP addresses
Most programs have an option to show a long form that reveals the complete details
Examining E-Mails for Evidence (Cont.)
The most common parts of the e-mail header are the logical addresses of senders and receivers
A logical address is composed of two parts:
The mailbox, which comes before the @ sign
The domain or hostname, which comes after the @ sign
The mailbox is generally the user ID used to log in to the e-mail server
The domain is the Internet location of the server that transmits the e-mail
Examining E-Mails for Evidence (Cont.)
Reviewing e-mail headers can offer clues to the true origins of the mail and the program used to send it
Common e-mail header fields include:
Bcc, Cc, Content-Type, Date, From, Message-ID, Received, Subject, To, X-Priority
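The header examination these slides describe, worked through in Python as an added example (this is not code from the original deck): the From: logical address is split into mailbox and domain, and the Received: lines are read from the bottom up, because each relay prepends its own line, so the last header is the earliest hop. Every host, address and timestamp in the sample message is constructed (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), and the parser assumes the common "from ... by ... ; date" layout of a Received: line rather than any particular client's output.

```python
"""Parse message headers: mailbox/domain split and a hop-by-hop walk of the
Received: chain to the originating IP. Added example with a constructed
message; addresses use documentation ranges and belong to no real case."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
    by inbox.example.com with ESMTP id 7x1Kq3; Mon, 4 Mar 2024 10:15:32 +0000
Received: from relay.example.org (relay.example.org [203.0.113.9])
    by mx2.example.net with ESMTP; Mon, 4 Mar 2024 10:15:30 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
    by relay.example.org with ESMTPA; Mon, 4 Mar 2024 10:15:28 +0000
Message-ID: <20240304101528.constructed@relay.example.org>
Date: Mon, 4 Mar 2024 10:15:27 +0000
From: "A. Sender" <asender@example.org>
To: recipient@example.com
Subject: quarterly numbers
X-Mailer: ConstructedMailer/1.0

Please see the attached sheet.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # IPs are bracketed in Received: lines


def split_address(header_value):
    """Logical address -> (mailbox, domain): the two parts the slides describe."""
    _display, addr = parseaddr(header_value)
    mailbox, _, domain = addr.partition("@")
    return mailbox, domain


def received_hops(raw):
    """Relay hops in transit order. Each server prepends its own Received:
    line, so the last header in the message is the earliest hop."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())              # unfold continuation lines
        sent_from = re.search(r"\bfrom (\S+)", text)
        received_by = re.search(r"\bby (\S+)", text)
        ip = IPV4.search(text)
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        hops.append({
            "from": sent_from.group(1) if sent_from else None,
            "by": received_by.group(1) if received_by else None,
            "ip": ip.group(1) if ip else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def timestamps_monotonic(hops):
    """True when each hop's timestamp is >= the previous one. Small clock skew
    is normal; a hop dated before the one that fed it deserves a closer look."""
    times = [h["time"] for h in hops if h["time"] is not None]
    return all(a <= b for a, b in zip(times, times[1:]))


def summarize(raw):
    msg = message_from_string(raw)
    mailbox, domain = split_address(msg.get("From", ""))
    hops = received_hops(raw)
    return {
        "mailbox": mailbox,
        "domain": domain,
        "message_id": msg.get("Message-ID"),
        "x_mailer": msg.get("X-Mailer"),
        "origin_ip": hops[0]["ip"] if hops else None,  # earliest hop: the IP to look up
        "hop_count": len(hops),
        "timestamps_monotonic": timestamps_monotonic(hops),
    }


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(RAW_MESSAGE), 1):
        print(f"hop {i}: {hop['from']} -> {hop['by']} ip={hop['ip']} at {hop['time']}")
    print(summarize(RAW_MESSAGE))
```

The origin_ip value is what the tracing slides later in this deck send to a registry such as ARIN. Only the Received: lines written by servers you trust are reliable; anything below the first trusted hop was supplied by the sending side and can be fabricated, which is why the timestamp check and the X-Mailer value are clues, not proof.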
Viewing E-mail Headers (continued)
Outlook:
Open the Message Options dialog box
Copy the headers
Paste them into any text editor
Outlook Express:
Open the message Properties dialog box
Select Message Source
Copy and paste the headers into any text editor
Viewing E-mail Headers (continued)
Hotmail: Demo!
Apple Mail:
Click View from the menu, point to Message, and then click Long Header
Copy and paste the headers
Examining Additional E-mail Files
E-mail messages are saved on the client side or left at the server
Microsoft Outlook uses a .pst file
Most e-mail programs also include an electronic address book
In Web-based e-mail, messages are displayed and saved as Web pages in the browser's cache folders
Examining E-Mails for Evidence (Cont.)
Understanding e-mail attachments:
The MIME standard allows for HTML and multimedia images in e-mail
Searching for base64 can find attachments in unallocated or slack space
Anonymous remailers:
Allow users to remove identifying IP data to maintain privacy
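Searching unallocated or slack space for base64, as the slide suggests, can be automated: the added Python example below (not code from the original deck) scans a byte blob for runs of base64 text laid out the way a MIME encoder writes them, decodes each run, and labels the result by its file signature. The blob, the "PDF" and the "PNG" are constructed stand-ins with real magic numbers and placeholder bodies; the minimum-length filter and the signature table are assumptions chosen for the example.

```python
"""Carve base64-encoded attachment bodies out of raw bytes (for instance an
image of unallocated or slack space), decode them and identify the decoded
object by file signature. Added example; the blob is constructed."""
import base64
import binascii
import re

SIGNATURES = {                      # a few well-known magic numbers
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
}

# A MIME base64 body: alphabet characters, wrapped lines, optional '=' padding.
# A run ends at the padding or at the first byte outside the alphabet; in a
# real mailbox the "--boundary" line does that job.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]+(?:\r?\n[A-Za-z0-9+/]+)*={0,2}")


def identify(data):
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def carve_base64(blob, min_chars=64):
    """Return decoded base64 objects found in blob with their offsets.
    min_chars filters out ordinary words, which are valid base64 too."""
    found = []
    for m in B64_RUN.finditer(blob):
        encoded = re.sub(rb"\s+", b"", m.group(0))
        if len(encoded) < min_chars or len(encoded) % 4:
            continue
        try:
            data = base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError):
            continue
        found.append({"offset": m.start(), "encoded_len": len(m.group(0)),
                      "data": data, "kind": identify(data)})
    return found


def _wrap76(b64):
    """Line-wrap the way a MIME encoder does (76 characters per line, CRLF)."""
    return b"\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))


# Constructed stand-ins: genuine signatures, placeholder bodies.
FAKE_PDF = b"%PDF-1.4\n% constructed placeholder, not a real document\n" + b"0" * 120 + b"\n%%EOF\n"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 62

UNALLOCATED = (
    b"\x00" * 32 + b"random slack text, nothing to see here\r\n"
    + b'Content-Type: application/pdf; name="numbers.pdf"\r\n'
    + b"Content-Transfer-Encoding: base64\r\n\r\n"
    + _wrap76(base64.b64encode(FAKE_PDF)) + b"\r\n--boundary_constructed--\r\n"
    + b"\xff" * 40                                  # fragment of something else
    + _wrap76(base64.b64encode(FAKE_PNG))           # orphaned body, MIME headers gone
    + b"\r\nmore filler"
)

if __name__ == "__main__":
    for obj in carve_base64(UNALLOCATED):
        print(f"offset {obj['offset']}: {obj['kind']}, {len(obj['data'])} bytes decoded")
```

Long runs of ordinary letters also decode cleanly (a line of "AAAA..." becomes zero bytes), so the carver reports such hits as "unknown" rather than dropping them; in practice you triage by signature and by the MIME headers that often survive just above the body. A body with no padding that is immediately followed by other alphabet text would be over-captured and fail to decode, which is the limit of a pure signature scan.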
Tracing an E-mail Message
Contact the administrator responsible for the sending server
Finding a domain name's point of contact:
www.arin.net (American Registry for Internet Numbers)
www.internic.com
www.freeality.com
www.google.com
Find the suspect's contact information
Verify your findings by checking network e-mail logs against e-mail addresses
Using Network E-mail Logs
Router logs:
Record all incoming and outgoing traffic
Have rules to allow or disallow traffic
You can resolve the path a transmitted e-mail has taken
Firewall logs:
Filter e-mail traffic
Verify whether the e-mail passed through
You can use any text editor or specialized tools
Understanding E-mail Servers
Maintain logs you can examine and use in your investigation
E-mail storage:
Database
Flat file
Logs
Understanding E-mail Servers (continued)
Log information:
E-mail content
Sending IP address
Receiving and reading date and time
System-specific information
Contact the suspect's network e-mail administrator as soon as possible
Servers can recover deleted e-mails, similar to the recovery of deleted files on a hard drive
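Checking e-mail addresses against the server's logs, as the tracing and log slides advise, means grouping the lines that belong to one message. The added Python example below (not code from the original deck) does that for a mail server log: it keys lines on the queue ID, collects the connecting client IP, Message-ID, envelope sender, recipients and final status, and lets you search by address or Message-ID. The log lines are constructed in the syslog layout that Postfix uses, which is an assumption for the example; other servers log the same facts in their own format.

```python
"""Correlate mail-server log lines by queue ID into one record per message:
client IP, Message-ID, envelope sender, recipients and delivery status.
Added example; the lines are constructed in Postfix's syslog style."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar  4 10:15:28 mx1 postfix/smtpd[2210]: connect from unknown[192.0.2.55]
Mar  4 10:15:28 mx1 postfix/smtpd[2210]: 7A1C2B3D4E: client=unknown[192.0.2.55]
Mar  4 10:15:28 mx1 postfix/cleanup[2214]: 7A1C2B3D4E: message-id=<20240304101528.constructed@relay.example.org>
Mar  4 10:15:29 mx1 postfix/qmgr[1999]: 7A1C2B3D4E: from=<asender@example.org>, size=2048, nrcpt=1 (queue active)
Mar  4 10:15:30 mx1 postfix/smtp[2220]: 7A1C2B3D4E: to=<recipient@example.com>, relay=mx2.example.net[198.51.100.7]:25, delay=1.9, status=sent (250 2.0.0 OK)
Mar  4 10:15:30 mx1 postfix/qmgr[1999]: 7A1C2B3D4E: removed
Mar  4 10:16:02 mx1 postfix/smtpd[2211]: 9F8E7D6C5B: client=mail.example.net[203.0.113.40]
Mar  4 10:16:02 mx1 postfix/cleanup[2214]: 9F8E7D6C5B: message-id=<other@example.net>
Mar  4 10:16:03 mx1 postfix/qmgr[1999]: 9F8E7D6C5B: from=<bob@example.net>, size=512, nrcpt=1 (queue active)
Mar  4 10:16:03 mx1 postfix/local[2230]: 9F8E7D6C5B: to=<carol@example.com>, relay=local, delay=0.4, status=bounced (unknown user: "carol")
"""

# syslog prefix, program[pid], queue ID, then the event text
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w/-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
FIELDS = {
    "client": re.compile(r"client=(?P<host>\S+?)\[(?P<ip>[\d.]+)\]"),
    "message_id": re.compile(r"message-id=(?P<v><[^>]*>)"),
    "envelope_from": re.compile(r"from=<(?P<v>[^>]*)>"),
    "recipient": re.compile(r"to=<(?P<v>[^>]*)>"),
    "status": re.compile(r"status=(?P<v>\w+)"),
}


def parse_log(text):
    """Group log lines by queue ID into one record per message."""
    records = defaultdict(lambda: {"events": [], "recipients": []})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # e.g. "connect from ..." has no queue ID yet
        rec = records[m["qid"]]
        rest = m["rest"]
        rec["events"].append((m["ts"], m["prog"], rest))
        if (c := FIELDS["client"].search(rest)):
            rec["client_host"], rec["client_ip"] = c["host"], c["ip"]
        if (mid := FIELDS["message_id"].search(rest)):
            rec["message_id"] = mid["v"]
        if (f := FIELDS["envelope_from"].search(rest)):
            rec["envelope_from"] = f["v"]
        if (t := FIELDS["recipient"].search(rest)):
            rec["recipients"].append(t["v"])
        if (s := FIELDS["status"].search(rest)):
            rec["status"] = s["v"]
        if rest == "removed":
            rec["removed_at"] = m["ts"]
    return dict(records)


def find_by_address(records, address):
    """Queue IDs in which an address is the envelope sender or a recipient."""
    return sorted(qid for qid, r in records.items()
                  if r.get("envelope_from") == address or address in r["recipients"])


def find_by_message_id(records, message_id):
    return sorted(qid for qid, r in records.items() if r.get("message_id") == message_id)


if __name__ == "__main__":
    for qid, rec in parse_log(SAMPLE_LOG).items():
        print(qid, rec.get("client_ip"), rec.get("envelope_from"), rec["recipients"], rec.get("status"))
```

The client IP the server logged is independent of anything in the message headers, which is what makes this the cross-check the slides call for: a Received: chain can be edited by the sender, the server's own log cannot. Request the logs early; they rotate, and the slide's advice to contact the administrator as soon as possible is about exactly that.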
Using Specialized E-mail Forensics Tools
Tools include:
AccessData's Forensic Toolkit (FTK)
ProDiscover Basic
FINALeMAIL
Sawmill-GroupWise
DBXtract
Fookes Aid4Mail and MailBag Assistant
Paraben E-Mail Examiner
Ontrack Easy Recovery EmailRepair
R-Tools R-Mail
Using Specialized E-mail Forensics Tools (continued)
Tools allow you to find:
E-mail database files
Personal e-mail files
Offline storage files
Log files
Advantage: you do not need to know how e-mail servers and clients work
Using AccessData FTK to Recover E-mail
FTK:
Can index data on a disk image or an entire drive for faster data retrieval
Filters and finds files specific to e-mail clients and servers
Using a Hexadecimal Editor to Carve E-mail Messages
Very few vendors have products for analyzing e-mail in systems other than Microsoft
Example: carve e-mail messages from Evolution
Working with Instant Messaging
Most widely used IM applications include:
Yahoo Messenger
Google Talk
Newer versions of IM clients and servers allow the logging of activity
Can be more incriminating than e-mail
Summary
Electronic mail and instant messages can be important evidence to find
They can provide a more realistic and candid view of a person
Client and server programs are needed for both e-mail and IM applications
Webmail does not leave a complete trail on the local computer
Summary (Cont.)
It may be necessary to harvest data from a server, in which case you need to consider the following:
Data storage structure being used
Authority to access the data
A realistic plan for the time and space needed to house the forensic copy of the data
Summary (Cont.)
E-mail headers and IM logs can provide additional evidence
Tracing IP addresses may involve searches of the international and regional registries responsible for allocating IP addresses