
E-Mail and Webmail Forensics


uriel-mann

Presentation Transcript


  1. E-Mail and Webmail Forensics

  2. Objectives • Understand the flow of electronic mail across a network • Explain the difference between resident e-mail client programs and webmail • Identify the components of e-mail headers • Understand the flow of instant messaging across the network

  3. Introduction E-mail has transcended social boundaries and moved from a convenient way to communicate to a corporate requirement. In many cases, unintentional but incriminating documentation of people’s activities and attitudes can be recovered through computer forensics of e-mail.

  4. Investigating E-mail Crimes and Violations • Similar to other types of investigations • Goals • Find who is behind the crime • Collect the evidence • Present your findings • Build a case

  5. Investigating E-mail Crimes and Violations (continued) • Becoming commonplace • Examples of crimes involving e-mails • Narcotics trafficking • Extortion • Sexual harassment • Child abductions and pornography

  6. In Practice: E-Mail in Senate Investigations of Finance Companies • Financial institutions helped Enron manipulate its numbers and mislead investors • E-mail proved that banks such as JPMorgan Chase knew very well how Enron was hiding its debt

  7. Importance of E-Mail as Evidence • E-mail can be pivotal evidence in a case • Due to its informal nature, it does not always represent corporate policy • Many other cases provide examples of the use of e-mail as evidence • Knox v. State of Indiana • Harley v. McCoach • Nardinelli et al. v. Chevron

  8. Working with E-Mail • Can be used by prosecutors or defense parties • Two standard methods to send and receive e-mail: • Client/server applications • Webmail

  9. Working with E-Mail (Cont.) • E-mail data flow • User has a client program such as Outlook or Eudora • Client program is configured to work with one or more servers • E-mails sent by client reside on PC • A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers

  10. Working with E-Mail (Cont.) • Sending E-Mail (client to server, over SMTP) • User creates e-mail on her client • User issues send command • Client moves e-mail to Outbox • Client connects to the server; the server acknowledges the client and authenticates the e-mail account • Client sends e-mail to the server • Server sends e-mail to the destination e-mail server • If the client cannot connect with the server, it keeps trying
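The sending sequence above as a protocol exchange, added here as an example (it is not from the slides): a client driving the SMTP submission dialogue against an in-memory stand-in server, so both sides' messages are visible. The server's behaviour (AUTH PLAIN required before MAIL FROM, a Received: header stamped on accepted mail) and all hostnames, addresses and credentials are assumptions made for the example; retrieval over POP or IMAP (slide 11) is a separate dialogue not shown here.

```python
# Added example (not from the slides): a scripted SMTP submission so that both
# sides of the slide-10 dialogue are visible.  The server is an in-memory
# stand-in with assumed behaviour (AUTH PLAIN required before MAIL FROM, a
# Received: header stamped on accepted mail); it is not a real MTA, and the
# hostnames, addresses and credentials are made up.
import base64
from email.utils import formatdate


class FakeSubmissionServer:
    def __init__(self, hostname, users, peer_ip):
        self.hostname, self.users, self.peer_ip = hostname, users, peer_ip
        self.authed, self.envelope, self.in_data = False, None, False
        self.buf, self.queue = [], []            # queue: (envelope, raw) accepted

    def handle(self, line):
        """Reply to one client line; returns None while collecting DATA."""
        if self.in_data:
            if line == ".":                      # end-of-data marker
                self.in_data = False
                raw, self.buf = "\r\n".join(self.buf), []
                # Trace header the receiving server adds in front of the message;
                # this is what later shows up as the bottom-most Received: line.
                received = (f"Received: from {self.peer_ip} by {self.hostname} "
                            f"with ESMTPSA; {formatdate()}\r\n")
                self.queue.append((self.envelope, received + raw))
                return "250 2.0.0 Ok: queued"
            self.buf.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return f"250-{self.hostname}\r\n250 AUTH PLAIN"
        if verb == "AUTH":
            mech, _, blob = arg.partition(" ")
            _authzid, user, password = base64.b64decode(blob).decode().split("\0")
            if mech.upper() == "PLAIN" and self.users.get(user) == password:
                self.authed = True
                return "235 2.7.0 Authentication successful"
            return "535 5.7.8 Authentication credentials invalid"
        if verb == "MAIL":
            if not self.authed:                  # submission refuses unauthenticated senders
                return "530 5.7.0 Authentication required"
            self.envelope = {"from": arg[5:].strip("<>"), "to": []}
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.envelope is None:
                return "503 5.5.1 Error: need MAIL command"
            self.envelope["to"].append(arg[3:].strip("<>"))
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.envelope or not self.envelope["to"]:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Error: command not recognized"


def submit(server, user, password, mail_from, rcpt_to, message):
    """Client side of slide 10: EHLO, authenticate, envelope, DATA, QUIT.
    Returns the (side, line) transcript and whether the mail was accepted."""
    transcript = []

    def send(line):
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
        return reply

    creds = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
    send("EHLO client.example.net")
    for cmd in (f"AUTH PLAIN {creds}", f"MAIL FROM:<{mail_from}>",
                f"RCPT TO:<{rcpt_to}>", "DATA"):
        if send(cmd)[0] not in "23":             # anything but 2xx/3xx aborts
            send("QUIT")
            return transcript, False
    for line in message.split("\r\n"):           # dot-stuffing of body lines
        send("." + line if line.startswith(".") else line)
    accepted = send(".").startswith("250")
    send("QUIT")
    return transcript, accepted


MESSAGE = ("From: alice@example.net\r\nTo: bob@example.org\r\nSubject: test\r\n"
           "\r\nHello.\r\n.a line that starts with a dot")


def demo(password="s3cret"):
    server = FakeSubmissionServer("mail.example.net", {"alice": "s3cret"}, "203.0.113.7")
    transcript, ok = submit(server, "alice", password,
                            "alice@example.net", "bob@example.org", MESSAGE)
    return server, transcript, ok


if __name__ == "__main__":
    server, transcript, ok = demo()
    for side, line in transcript:
        print(side, line)
    print("accepted:", ok)
    print(server.queue[0][1])
```

Run it to print the transcript. Note where the Received: line comes from: the server writes it, not the client, which is why it carries more weight than the client-supplied From: line when the headers are examined later.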

  11. Working with E-Mail (Cont.) • Receiving E-Mail (server to client, over POP or IMAP) • User opens client and logs on • User issues receive command • Client contacts server • Server acknowledges, authenticates, and opens the mailbox for the account • Mail downloaded to local computer • Messages placed in Inbox to be read • POP normally deletes messages from the server after download (unless the client is set to leave a copy); IMAP keeps the master copy on the server, so evidence may still exist there after the client has fetched it

  12. Working with E-Mail (Cont.) • Working with resident e-mail files • Users are able to work offline with e-mail • E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized • Begin by identifying e-mail clients on system • You can also search by file extensions of common e-mail clients

  13. Working with E-Mail (Cont.) (Continued)

  14. Working with E-Mail (Cont.) • Popular e-mail clients: • Outlook Express—installed by default with Windows • Outlook—bundled with Microsoft Office • Eudora—popular free client

  15. Working with Webmail • Webmail data flow • User opens a browser, logs in to the webmail interface • Webmail server has already placed mail in Inbox • User uses the compose function followed by the send function to create and send mail • Web client communicates behind the scenes to the webmail server to send the message • The webmail provider houses the mail store; nothing is kept on the local PC except whatever the browser caches

  16. Working with Webmail (Cont.) • Working with webmail files • Entails a bit more effort to locate files • The browser’s temporary Internet files (its cache) are a good place to start • Useful keywords for webmail programs include: • Yahoo! mail: ShowLetter, ShowFolder, Compose, “Yahoo! Mail” • Hotmail: HoTMail, hmhome, getmsg, doattach, compose • Gmail: mail[#]

  17. Working with Webmail (Cont.)

  18. Examining E-mail Messages • Access victim’s computer to recover the evidence • Using the victim’s e-mail client • Find and copy evidence in the e-mail • Guide victim on the phone • Open and copy e-mail including headers • Sometimes you will deal with deleted e-mails

  19. Examining E-mail Messages (continued) • Copying an e-mail message • Before you start an e-mail investigation • You need to copy and print the e-mail involved in the crime or policy violation • You might also want to forward the message as an attachment to another e-mail address • With many GUI e-mail programs, you can copy an e-mail by dragging it to a storage medium • Or by saving it in a different location

  20. Examining E-mail Messages (continued)

  21. Examining E-mail Messages (continued) • Understanding e-mail headers • The header records information about the sender, receiver, and servers it passes along the way • Most e-mail clients show the header in a short form that does not reveal IP addresses • Most programs have an option to show a long form that reveals complete details

  22. Examining E-Mails for Evidence(Cont.) • The most common parts of the e-mail header are the logical addresses of senders and receivers • A logical address is composed of two parts • The mailbox, which comes before the @ sign • The domain or hostname, which comes after the @ sign • The mailbox is generally the userid used to log in to the e-mail server • The domain identifies the mail service that accepts mail for that address; its DNS (MX) records point to the servers that receive it

  23. Examining E-Mails for Evidence(Cont.) • Reviewing e-mail headers can offer clues to the true origin of the mail and the program used to send it • Common e-mail header fields include: • Bcc (stripped before delivery, so normally seen only in the sender’s stored copy) • Cc • Content-Type • Date • From • Message-ID • Received (one line per server that handled the message, the most recent at the top) • Subject • To • X-Priority
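Reading a header in its long form with Python’s standard email package, added here as an example (not from the slides). RAW is a constructed message: every host, address, IP and identifier in it is made up. The clock-skew check (client Date: against the first-hop Received: time) is an added check that the slides do not describe.

```python
# Added example (not from the slides): reading the "long form" of a header with
# Python's standard email package.  RAW is a constructed message; every host,
# address, IP and id in it is made up for illustration.
import re
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime

RAW = b"""Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby inbox.example.org with ESMTP id 7Qx9; Tue, 5 Mar 2024 10:15:02 +0000
Received: from mail.example.net (mail.example.net [198.51.100.25])
\tby mx1.example.org with ESMTPS id 3Zk2; Tue, 5 Mar 2024 10:15:01 +0000
Received: from [203.0.113.7] (unknown [203.0.113.7])
\tby mail.example.net with ESMTPSA id 9Ab1; Tue, 5 Mar 2024 10:14:58 +0000
Message-ID: <20240305101458.1234@mail.example.net>
Date: Tue, 5 Mar 2024 10:14:50 +0000
From: "Alice" <alice@example.net>
To: bob@example.org
Cc: carol@example.org
Subject: quarterly numbers
X-Priority: 1
Content-Type: text/plain; charset="utf-8"

Please delete this after reading.
"""

COMMON_FIELDS = ("From", "To", "Cc", "Bcc", "Date", "Subject",
                 "Message-ID", "Content-Type", "X-Priority")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)")


def parse_message(raw):
    return BytesParser().parsebytes(raw)


def split_address(addr):
    """Logical address -> (mailbox, domain) as described on slide 22."""
    mailbox, _, domain = addr.rpartition("@")
    return mailbox, domain.lower()


def received_chain(msg):
    """Hops in transmission order.  Each server prepends its own Received:
    line, so the LAST Received: header in the message is the FIRST hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())              # unfold continuation lines
        hop = HOP_RE.search(text)
        ip = IP_RE.search(text)
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None
        hops.append({"from": hop.group(1) if hop else None,
                     "by": hop.group(2) if hop else None,
                     "ip": ip.group(1) if ip else None,
                     "time": parsedate_to_datetime(stamp) if stamp else None})
    return hops


def originating_ip(msg):
    """IP recorded by the first server the message touched: the best clue to
    the true origin.  From: is typed by the client and proves nothing alone."""
    chain = received_chain(msg)
    return chain[0]["ip"] if chain else None


def clock_skew_seconds(msg):
    """Client-claimed Date: minus first-hop Received: time.  A large gap
    suggests a wrong client clock or a forged Date: header."""
    chain = received_chain(msg)
    if not chain or chain[0]["time"] is None or msg["Date"] is None:
        return None
    return (parsedate_to_datetime(msg["Date"]) - chain[0]["time"]).total_seconds()


def header_summary(msg):
    """The common fields from slide 23 that are actually present."""
    out = {f: msg[f] for f in COMMON_FIELDS if msg[f] is not None}
    out["sender"] = parseaddr(msg.get("From", ""))[1]
    return out


if __name__ == "__main__":
    m = parse_message(RAW)
    for i, hop in enumerate(received_chain(m), 1):
        print(f"hop {i}: {hop['from']} ({hop['ip']}) -> {hop['by']} at {hop['time']}")
    print("origin:", originating_ip(m), "skew:", clock_skew_seconds(m))
    print(header_summary(m))
```

The chain is read bottom-up because every server adds its Received: line above the ones already there; the IP in the first hop is what the suspect’s own mail server saw, whereas everything in From:, Date: and Subject: was supplied by the client and can be typed freely.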

  24. Viewing E-mail Headers (continued) • Outlook • Open the Message Options dialog box • Copy headers • Paste them to any text editor • Outlook Express • Open the message Properties dialog box • Select Message Source • Copy and paste the headers to any text editor

  25. Viewing E-mail Headers (continued)

  26. Viewing E-mail Headers (continued)

  27. Viewing E-mail Headers (continued) • Hotmail • Demo! • Apple Mail • Click View from the menu, point to Message, and then click Long Header • Copy and paste headers

  28. Viewing E-mail Headers (continued)

  29. Viewing E-mail Headers (continued)

  30. Viewing E-mail Headers (continued) • Yahoo • Demo

  31. Examining Additional E-mail Files • E-mail messages are saved on the client side or left at the server • Microsoft Outlook uses .pst files (and .ost files for cached Exchange mailboxes) • Most e-mail programs also include an electronic address book • In Web-based e-mail • Messages are displayed and saved as Web pages in the browser’s cache folders

  32. Examining E-Mails for Evidence(Cont.) • Understanding e-mail attachments • The MIME standard allows HTML, images and other binary attachments in e-mail; binary parts are usually base64-encoded • Searching for base64 runs can find attachments in unallocated or slack space even when the surrounding message headers are gone • Anonymous remailers • Strip the identifying headers (including the originating IP address) before forwarding a message, so the chain of Received: lines stops at the remailer

  33. Tracing an E-mail Message • Contact the administrator responsible for the sending server • Finding the point of contact for an IP address or domain name • www.arin.net: American Registry for Internet Numbers (IP address assignments in North America; other regions have their own registries) • www.internic.net (domain registration information) • www.freeality.com • www.google.com • Find suspect’s contact information • Verify your findings by checking network e-mail logs against the addresses, IPs and times in the headers

  34. Using Network E-mail Logs • Router logs • Can record incoming and outgoing traffic • Access rules allow or deny traffic • Let you reconstruct the path a transmitted e-mail has taken • Firewall logs • Filter e-mail traffic • Verify whether the e-mail passed through • You can use any text editor or specialized tools

  35. Using Network E-mail Logs (continued)

  36. Understanding E-mail Servers • Maintains logs you can examine and use in your investigation • E-mail storage • Database • Flat file • Logs

  37. Understanding E-mail Servers (continued) • Log information • E-mail content • Sending IP address • Receiving and reading date and time • System-specific information • Contact suspect’s network e-mail administrator as soon as possible, before the logs are rotated away • Deleted e-mails can often be recovered from the server’s store or its backups • Similar to deletion of files on a hard drive: the data lingers until it is overwritten
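Checking a message against the sending server’s log, as slides 33, 34 and 37 recommend, added here as an example (not from the slides). LOG is a constructed Postfix-style excerpt: the field names (client=, message-id=, from=, to=, relay=, status=) are the ones Postfix prints, but every line, queue id, host and IP is made up. The expected values handed to verify_against_header are the ones an investigator would have taken from the message’s headers.

```python
# Added example (not from the slides): tying a message to a mail server's log.
# LOG is a constructed, Postfix-style excerpt; the queue ids, hosts, IPs and
# message-ids are made up, only the field names follow Postfix's log format.
import re
from collections import defaultdict

LOG = """\
Mar  5 10:14:58 mail postfix/smtpd[2210]: 9AB1C2F: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=alice
Mar  5 10:14:58 mail postfix/cleanup[2214]: 9AB1C2F: message-id=<20240305101458.1234@mail.example.net>
Mar  5 10:14:58 mail postfix/qmgr[1900]: 9AB1C2F: from=<alice@example.net>, size=612, nrcpt=1 (queue active)
Mar  5 10:15:01 mail postfix/smtp[2220]: 9AB1C2F: to=<bob@example.org>, relay=mx1.example.org[198.51.100.25]:25, delay=3, status=sent (250 2.0.0 Ok: queued as 3Zk2)
Mar  5 10:15:01 mail postfix/qmgr[1900]: 9AB1C2F: removed
Mar  5 11:02:13 mail postfix/smtpd[2231]: 4C77D19: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=alice
Mar  5 11:02:13 mail postfix/cleanup[2235]: 4C77D19: message-id=<20240305110213.9981@mail.example.net>
Mar  5 11:02:13 mail postfix/qmgr[1900]: 4C77D19: from=<alice@example.net>, size=240, nrcpt=1 (queue active)
Mar  5 11:02:15 mail postfix/smtp[2240]: 4C77D19: to=<dave@example.com>, relay=none, delay=2, status=deferred (connect to mx.example.com[192.0.2.99]:25: Connection timed out)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
KV_RE = re.compile(r"([\w-]+)=(<[^>]*>|[^,\s]+)")


def parse_log(text):
    """Group log lines by queue id.  One transaction is logged by several
    daemons (smtpd, cleanup, qmgr, smtp); the queue id ties them together."""
    records = defaultdict(lambda: {"lines": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                # not a queue-id line
        rec = records[m["qid"]]
        rec["lines"].append(line)
        rec.setdefault("first_seen", m["ts"])
        for key, val in KV_RE.findall(m["rest"]):
            key = key.replace("-", "_")
            if key == "to":                         # several recipients possible
                rec.setdefault("to", []).append(val.strip("<>"))
            elif key == "status":                   # one per delivery attempt
                rec.setdefault("status", []).append(val)
            else:
                rec[key] = val.strip("<>")
    return dict(records)


def find_by_message_id(records, message_id):
    mid = message_id.strip("<>")
    for qid, rec in records.items():
        if rec.get("message_id") == mid:
            return qid, rec
    return None, None


def verify_against_header(records, message_id, expected):
    """Compare what the header claims with what the server logged.
    Returns (queue id, {field: (logged, expected, match)}) or None if the
    message never reached this server's log."""
    qid, rec = find_by_message_id(records, message_id)
    if rec is None:
        return None
    ip = re.search(r"\[([\d.]+)\]", rec.get("client", ""))
    logged = {"client_ip": ip.group(1) if ip else None,
              "from": rec.get("from"),
              "to": rec.get("to", []),
              "delivered": "sent" in rec.get("status", [])}
    return qid, {k: (logged.get(k), v, logged.get(k) == v) for k, v in expected.items()}


if __name__ == "__main__":
    recs = parse_log(LOG)
    result = verify_against_header(
        recs, "<20240305101458.1234@mail.example.net>",
        {"client_ip": "203.0.113.7", "from": "alice@example.net",
         "to": ["bob@example.org"], "delivered": True})
    print(result)
```

The log confirms or contradicts the header on three points the sender cannot control: the authenticated account and client IP that submitted the message, the Message-ID the server recorded, and whether the message was actually handed to the next relay.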

  38. Using Specialized E-mail Forensics Tools • Tools include: • AccessData’s Forensic Toolkit (FTK) • ProDiscover Basic • FINALeMAIL • Sawmill-GroupWise • DBXtract • Fookes Aid4Mail and MailBag Assistant • Paraben E-Mail Examiner • Ontrack Easy Recovery EmailRepair • R-Tools R-Mail

  39. Using Specialized E-mail Forensics Tools (continued) • Tools allow you to find: • E-mail database files • Personal e-mail files • Offline storage files • Log files • Advantage • Do not need to know how e-mail servers and clients work

  40. Using AccessData FTK to Recover E-mail • FTK • Can index data on a disk image or an entire drive for faster data retrieval • Filters and finds files specific to e-mail clients and servers

  41. Using a Hexadecimal Editor to Carve E-mail Messages • Very few vendors have products for analyzing e-mail in systems other than Microsoft • Example: carve e-mail messages from Evolution

  42. Using a Hexadecimal Editor to Carve E-mail Messages (continued)

  43. Using a Hexadecimal Editor to Carve E-mail Messages (continued)
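Carving messages and attachments out of raw bytes, added here as an example (not from the slides) that covers both the base64 search from slide 32 and the hex-editor carving of slide 41. IMAGE is a constructed blob (filler bytes around two made-up messages, the second cut short). It assumes the mailbox was stored in mbox form with a “From ” separator line before each message, an assumption made for the example, and falls back to Received:/Return-Path: headers where no separator survives.

```python
# Added example (not from the slides): carving mail out of raw bytes without
# relying on any client's on-disk format.  IMAGE is a constructed blob; the
# messages, hosts and the embedded "attachment" are made up.  The mbox
# "From " separator is an assumption about how the mailbox was stored.
import base64
import binascii
import re
from email import message_from_bytes

ATTACHMENT = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\n"     # constructed payload

MSG_A = (b"From alice@example.net Tue Mar  5 10:14:58 2024\n"   # mbox separator
         b"Received: from [203.0.113.7] by mail.example.net; Tue, 5 Mar 2024 10:14:58 +0000\n"
         b"From: alice@example.net\nTo: bob@example.org\nSubject: report\nMIME-Version: 1.0\n"
         b'Content-Type: multipart/mixed; boundary="XX"\n\n'
         b"--XX\nContent-Type: text/plain\n\nSee attached.\n"
         b'--XX\nContent-Type: application/pdf; name="q1.pdf"\n'
         b"Content-Transfer-Encoding: base64\n\n"
         + base64.encodebytes(ATTACHMENT)
         + b"--XX--\n")
MSG_B = (b"From carol@example.org Tue Mar  5 11:02:13 2024\n"    # truncated message
         b"From: carol@example.org\nTo: alice@example.net\nSubject: lunch?\n\nStill on fo")
IMAGE = b"\x00" * 64 + b"\xde\xad" * 20 + MSG_A + b"\xff" * 37 + MSG_B + b"\x00" * 50

# Signatures that mark the start of a stored message: an mbox "From " line or
# the first trace header, for stores without separators.
START_RE = re.compile(rb"From \S+@\S+ \w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\n"
                      rb"|Return-Path: <|Received: from ")
# Four or more bytes that are not printable ASCII or whitespace end a text run.
BINARY_RUN_RE = re.compile(rb"[^\x09\x0a\x0d\x20-\x7e]{4,}")
B64_RUN_RE = re.compile(rb"(?:[A-Za-z0-9+/]{4,}\r?\n?)+={0,2}")
MAGIC = {b"%PDF": "pdf", b"\x89PNG": "png", b"PK\x03\x04": "zip",
         b"\xff\xd8\xff": "jpeg", b"MZ": "exe"}


def file_type(data):
    return next((t for magic, t in MAGIC.items() if data.startswith(magic)), "unknown")


def carve_messages(blob):
    """Return (offset, bytes) for each text run that starts with a message
    signature; a run ends at the next binary stretch or the end of the blob."""
    found, cursor = [], 0
    for hit in START_RE.finditer(blob):
        if hit.start() < cursor:            # signature inside an already carved message
            continue
        stop = BINARY_RUN_RE.search(blob, hit.start())
        end = stop.start() if stop else len(blob)
        found.append((hit.start(), blob[hit.start():end].rstrip()))
        cursor = end
    return found


def parse_carved(raw):
    """Parse one carved message (dropping the mbox separator line) and
    describe every body part, identifying decoded attachments by magic bytes."""
    if raw.startswith(b"From "):
        raw = raw.split(b"\n", 1)[1] if b"\n" in raw else b""
    msg = message_from_bytes(raw)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        parts.append({"content_type": part.get_content_type(),
                      "filename": part.get_filename(),
                      "type": file_type(payload), "size": len(payload)})
    return {"from": msg["From"], "subject": msg["Subject"], "parts": parts}


def carve_base64(blob, min_chars=40):
    """Slide-32 technique: find long base64 runs anywhere in the blob (no
    headers needed), decode them and identify the result by its magic bytes."""
    hits = []
    for m in B64_RUN_RE.finditer(blob):
        text = re.sub(rb"\s", b"", m.group(0))
        if len(text) < min_chars:           # short alphanumeric words are noise
            continue
        try:
            data = base64.b64decode(text, validate=True)
        except binascii.Error:
            continue
        hits.append({"offset": m.start(), "type": file_type(data), "data": data})
    return hits


if __name__ == "__main__":
    for offset, raw in carve_messages(IMAGE):
        print(offset, parse_carved(raw))
    for hit in carve_base64(IMAGE):
        print(hit["offset"], hit["type"], hit["data"][:16])
```

The two passes complement each other: header-signature carving recovers whole messages (including the truncated one, whose body simply ends where the data does), while the base64 scan recovers an attachment even from a fragment whose headers were overwritten.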

  44. Working with Instant Messaging • Most widely used IM applications include: • Yahoo Messenger • Google Talk • Newer versions of IM clients and servers allow the logging of activity • Can be more incriminating than e-mail

  45. Summary • Electronic mail and instant messages can be important evidence to find • They can provide a more realistic and candid view of a person • Client and server programs are needed for both e-mail and IM applications • Webmail does not leave a complete trail on the local computer

  46. Summary (Cont.) • It may be necessary to harvest data from a server, in which case you need to consider the following: • Data storage structure being used • Authority to access the data • A realistic plan for time and space needed to house the forensic copy of the data
