467 integration2010 proceedings

Upload: khirulnizam-abd-rahman

Post on 04-Apr-2018


  • 7/29/2019 467 Integration2010 Proceedings


    Proceedings of Regional Conference on Knowledge Integration in ICT 2010 467

    EVALUATION OF E-MAIL ACTIVITY RECONSTRUCTION TOOLS FOR E-MAIL CLIENT

    Chew Eng Hin (1), Asrul Hadi Bin Yaacob (2), Mohd Fikri Azli Bin Abdullah (3)

    (1) Faculty of Information Science & Technology, Multimedia University (MMU) Melaka Campus, Malaysia
        [email protected]

    (2) Faculty of Information Science & Technology, Multimedia University (MMU) Melaka Campus, Malaysia
        [email protected]

    (3) School of Electronics and Computer Engineering, Chonnam National University, South Korea
        [email protected]

    Abstract

    Electronic mail (E-mail) is one of the most common and important messaging infrastructures used in organizations. Among all the critical and important systems in an organization, the E-mail system is the one that requires significant ongoing investment in both technology and personnel to run smoothly. E-mail crimes are increasing from year to year. In order to cut down the number of E-mail crimes, various E-mail Forensics Tools have been introduced to recover E-mail and trace the source of a particular E-mail. Tools for E-mail allow E-mail administrators to complete common and time-consuming tasks in their E-mail environment more effectively. The functions of E-mail Forensics Tools can be divided into Activity Reconstruction, Message Tracing, Investigation, Forensics, Compliance, and Trend Analysis. However, the focus of this evaluation is on E-mail Activity Reconstruction, which is the first necessary step in E-mail Forensics. For E-mail Activity Reconstruction, there are tools that can read the proprietary E-mail repository format. Thus, an evaluation of E-mail Activity Reconstruction Tools is done on two open source tools and one commercial tool. These E-mail Activity Reconstruction Tools, all of which can read DBX files, are not only tested against the basic characteristics and requirements that serve as test criteria; they are also compared and contrasted with each other. All tests are done in a constant environment and the results are documented to give a clear view of the efficiency and accuracy of the tools. An informative analysis of the evaluation results is provided to increase understanding of E-mail Activity Reconstruction.

    Keywords: E-mail Forensics, E-mail Activity Reconstruction, DBX

    1. Introduction

    E-mail is a communication method for exchanging digital information between two or more parties. An E-mail system is based on an infrastructure in which E-mail servers accept, forward, deliver and store messages on behalf of users. Over the years, E-mail systems have improved, and E-mail is now the most widely preferred communication tool in the business field. Thus, it is the first broad electronic communication medium in business.

    E-mail is one of the most common and important messaging infrastructures used in organizations. Among all the critical and important systems in an organization, the messaging infrastructure is the one that requires significant ongoing investment in both technology and personnel to run smoothly. Moreover, E-mail crimes are increasing from year to year. In order to cut down the number of E-mail crimes, various E-mail Forensics Tools have been introduced to recover E-mail and trace the source of a particular E-mail. Klein (2006) mentioned that although the overall impact of E-mail Forensics in fixing this vulnerability can only be speculated at, it is unquestionable that the number of cases will be reduced. Tools for E-mail allow E-mail administrators to complete common and time-consuming tasks in their E-mail environment more effectively. Demands from end users increase every year, and IT managers are required to answer more detailed questions about their messaging infrastructure than ever before. Solutions are needed to help organizations implement E-mail Forensics quickly.

    The functions of E-mail Forensics Tools can be divided into Activity Reconstruction, Message Tracing, Investigation, Forensics, Compliance, and Trend Analysis. However, the focus of this evaluation is on E-mail Activity Reconstruction, which is the first necessary step in E-mail Forensics. For E-mail Activity Reconstruction, there are tools that can read the proprietary repository format of E-mail clients. The chosen E-mail repository format is DBX, which is the repository format of Microsoft Outlook Express. The focus is on Microsoft Outlook Express mainly because, according to the E-mail client popularity figures (2009, June) shown in Figure 1, it is the default E-mail client with a high usage percentage. It also comes free with Windows XP, which is the most preferred Microsoft OS in organizations.

    The most important step of E-mail Forensics is E-mail Activity Reconstruction, which is also the very first step before any analysis can be done. Jones, Bejtlich and Rose (2005) stated that E-mail Activity Reconstruction Tools are used to reconstruct the E-mail repositories that local E-mail applications use to store the E-mail a suspect sends or receives. Usually, reconstruction of E-mail requires some applications to be installed on the forensics workstation. The main reason is the proprietary repository format used by E-mail applications. Although the forensics could be done with the proper E-mail application installed, E-mail Activity Reconstruction Tools that can read the E-mail without the original application are much more efficient.

    Figure 1: E-mail Client User Usage (pie chart; legend: Microsoft Outlook, Yahoo! Mail, Hotmail, Apple Mail, iPhone/iPod Touch, Gmail; segment values shown: 40%, 16%, 15%, 8%, 6%, 5%, 4%, 3%, 2%, 1%)


    2. The Architecture

    2.1 E-mail Client

    Leung and Hou (n.d.) mention that an E-mail client, also known as an E-mail reader or, more formally, a Mail User Agent (MUA), is a computer program used to manage E-mail. The term E-mail client may refer to any agent acting as a client toward an E-mail server, regardless of whether it is a mail user agent, a relaying server, or a human typing on a terminal. Moreover, a web application providing message management, composition, and reception functionality is sometimes considered an E-mail client as well.

    An MUA, like most client programs, needs to be activated when users want to retrieve messages from a mailbox, as in Figure 2. Messages are stored on a remote server and the MUA has to request them on behalf of the users. Access to remote server mailboxes comes in two flavours. The American Prosecutors Research Institute (2005) provides much information about how E-mail works. The first flavour is the Post Office Protocol (POP), which allows the client to download messages one at a time and only delete them from the server after they have been successfully saved on local storage. POP is suitable for multiple clients, as it is possible to leave the messages on the server for another client to download. However, there is no provision for flagging a specific message as seen, answered, or forwarded, so POP may not be convenient for users who access the same mail from different machines or clients.

    On the other hand, the Internet Message Access Protocol (IMAP) allows users to keep messages on the server and flag them as appropriate. Moreover, IMAP provides sub-folders: Sent, Drafts, and Trash folders are created by default. Both POP and IMAP clients can be configured to access more than one mailbox at the same time. However, IMAP is equipped with extra features such as the IDLE extension for real-time updates. It could

    Figure 2: Mail User Agent (diagram: the Sender's Mail User Agent and Mail Server, the Internet, and the Receiver's Mail Server and Mail User Agent)


    provide faster notification than polling where long-lasting connections are feasible. Lastly, settings such as the server IP address, user name and password are required on the client for each remote incoming mailbox.

    Table 1: E-mail Protocols Port Assignment

    Protocol   Use             Plain Text/Encrypted Sessions   Plain Text Sessions Only   Encrypted Sessions Only
    POP3       Incoming Mail   110                                                        995
    IMAP4      Incoming Mail   143                                                        993
    SMTP       Outgoing Mail   25                                                         (unofficial) 465
    MSA        Outgoing Mail   587
    HTTP       Webmail         80                                                         443

    2.2 DBX

    According to Jones et al. (2005), there are two types of DBX files, as shown in Figure 3. The first type is the Folders DBX file, which is a catalogue of the other DBX files on the system. The second type is the E-Mail DBX file; this is the file that contains the actual E-Mail messages, including their content and attachments. Each E-Mail DBX file is catalogued in the Folders DBX file so that Outlook Express can re-create the folder structure for the user.

    3. Purpose of the Evaluation

    The purpose of the evaluation of E-mail Activity Reconstruction Tools is to determine whether the tested tools meet the basic characteristics and requirements of a forensics tool. Two open source tools, Eindeutig and libDBX, will be tested. In addition, a commercial tool, Parabens E-mail Examiner, is added to the evaluation in order to compare and contrast the open source tools with the commercial tool.

    These tools are critical to E-mail forensics because E-mail Activity Reconstruction is the very first basic step of E-mail forensics. Yet the quality of these tools is very often unknown. Thus, specific tool evaluation and testing are required and essential in order to determine the performance and quality of the tools.

    Figure 3: DBX Files (diagram: the Folder DBX file catalogues the Inbox, Drafts, Deleted Items and Sent Items E-Mail DBX files)


    4. Software and Hardware

    Two test computers, one desktop and one laptop, will be used in this test. Complete hardware specifications for both machines are listed below.

    Desktop: Dell Dimension 5150
        Intel i945 Motherboard
        Dell BIOS version A07
        Intel Pentium D 820 CPU
        2GiB DDR2 Memory

    Laptop: Dell Latitude E6400
        Intel GM45
        Dell BIOS version A20
        Intel Mobile Core 2 Duo T9800
        4GiB DDR2 Memory

    On the other hand, the software listed below was used in order to perform the testing.

    Cygwin: tool that provides a Linux-like environment in which to run the tools.
    Eindeutig: the tool under test.
    libDBX: the tool under test.
    Parabens E-mail Examiner: the tool under test.
    FTK Imager: tool that mounts the image for forensics purposes.

    5. Methodology

    Figure 4: Environment of Tools Comparison (diagram: for each tool n = 1, 2, 3, 4, a separate Testing Environment for Tool n takes the same Resources as Input and tests the Tool against the Basic Characteristics and Requirements; the outputs of all environments feed the Comparison)


    Figure 4 shows the methodology for testing and evaluating E-mail Activity Reconstruction Tools. All the tools will be given the same resources as input, and the comparison will be based on the basic characteristics and requirements that have already been set. Moreover, each tool will be tested in a separate environment so that all uncertainty can be isolated. The results of the testing will be collected and well documented. These results will then be compiled and tabulated, forming the comparison of the tools.

    After the comparison of the E-mail Activity Reconstruction Tools, all of the valuable data will be collected and documented. A table of results will be established in order to provide a better view of the tool testing. The table will then be analyzed and evaluated. Analysis and evaluation can increase the understanding of E-mail Activity Reconstruction Tools.

    6. Testing

    The tool testing is done on each tool and compared to Microsoft Outlook Express. Based on all the criteria, tools will be rated as either Passed or Failed. Below are the basic characteristics and requirements that serve as testing criteria.

    Basic Characteristics and Requirements (Criteria)

    1. The tool shall be able to interpret the DBX repository correctly.
    2. The tool shall be able to preserve the integrity of both the E-mail and the DBX repository.
    3. The tool shall be able to reconstruct E-mail activity.
    4. The tool shall be able to extract selected E-mail.
    5. The tool shall be able to warn users if an error occurs.
    6. The tool shall be able to extract any attachments found in the E-mail.
    7. The tool shall be user-friendly and easy to execute.
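Criteria 2 (integrity of the repository) and 3 (activity reconstruction) can be checked mechanically rather than by inspection. The Python harness below is an added example, not code from the paper or from Eindeutig, libDBX or Parabens E-mail Examiner: it hashes the DBX repository before and after the tool runs, then counts the messages in the mbox the tool writes. The DBX bytes and the two stand-in "tools" are constructed here so the harness runs offline; for a real tool, replace the stand-in with a subprocess call to the converter (for example the readdbx -f/-o form listed in Section 6.3).

```python
"""Integrity and reconstruction check for a DBX-to-mbox tool (added example).

Assumptions: the tool under test reads one DBX file and writes one mbox file;
the expected message count comes from the reference client (Outlook Express).
"""
import hashlib
import os
import tempfile
from typing import Callable, Dict


def sha256_of(path: str) -> str:
    """SHA-256 of a file, streamed so large repositories are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def count_mbox_messages(path: str) -> int:
    """Count messages in an mbox: each message starts with a 'From ' line."""
    n = 0
    with open(path, "rb") as f:
        for line in f:
            if line.startswith(b"From "):
                n += 1
    return n


def evaluate_run(dbx_path: str, mbox_path: str,
                 tool: Callable[[str, str], None],
                 expected_messages: int) -> Dict[str, object]:
    """Run the tool and report Criteria 2 and 3 as booleans plus the evidence."""
    before = sha256_of(dbx_path)
    size_before = os.path.getsize(dbx_path)
    tool(dbx_path, mbox_path)
    after = sha256_of(dbx_path)
    found = count_mbox_messages(mbox_path) if os.path.exists(mbox_path) else 0
    return {
        "criterion_2_integrity": before == after and size_before == os.path.getsize(dbx_path),
        "criterion_3_reconstruction": found == expected_messages,
        "messages_found": found,
        "sha256_before": before,
        "sha256_after": after,
    }


# Constructed stand-in for a DBX repository: the real format is proprietary, so
# this is an opaque blob whose bytes the tool must leave untouched.
CONSTRUCTED_DBX = b"\x00DBX-STANDIN\x00" + bytes(range(256)) * 4


def well_behaved_tool(dbx_path: str, mbox_path: str) -> None:
    """Constructed tool: reads the repository, writes three messages as mbox."""
    with open(dbx_path, "rb") as f:
        f.read()
    with open(mbox_path, "w") as out:
        for i in range(3):
            out.write(f"From user{i}@example.invalid Mon Jan  4 09:00:00 2010\n")
            out.write(f"Subject: constructed message {i}\n\nbody {i}\n\n")


def careless_tool(dbx_path: str, mbox_path: str) -> None:
    """Constructed tool that also 'repairs' the input in place: a Criterion 2 failure."""
    well_behaved_tool(dbx_path, mbox_path)
    with open(dbx_path, "ab") as f:
        f.write(b"\x00")


def run_demo(tool: Callable[[str, str], None]) -> Dict[str, object]:
    """Stage the constructed repository in a temp dir and evaluate one tool."""
    with tempfile.TemporaryDirectory() as d:
        dbx = os.path.join(d, "Inbox.dbx")
        mbox = os.path.join(d, "Inbox.mbox")
        with open(dbx, "wb") as f:
            f.write(CONSTRUCTED_DBX)
        return evaluate_run(dbx, mbox, tool, expected_messages=3)


if __name__ == "__main__":
    for name, tool in (("well-behaved", well_behaved_tool), ("careless", careless_tool)):
        print(name, run_demo(tool))
```

The hashes in the returned dictionary are what goes into the evidence log; an equal pair before and after is the record that the repository was only read, which is the property Criterion 2 asks for.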

    6.1 Microsoft Outlook Express


    6.2 Eindeutig

    Eindeutig is tested with the following command:

    Command: dbxparse [-e|-f] [options]
      -t  The field delimiter for spreadsheet output.
      -f  FORCE the input file as FOLDER type
      -e  FORCE the input file as E-MAIL type
      -s  Only an E-mail summary spreadsheet will be listed.
      -o  The output directory for exported E-mail.

    Figure 5: Microsoft Outlook Express

    Figure 6: Eindeutig

    Figure 7: libDBX

    6.3 libDBX


    libDBX is tested with the following command:

    Command: readdbx [OPTIONS]
      -h         display this help and exit
      -V         output version information and exit
      -f "file"  input DBX file
      -o "file"  file to write mbox format to
      -q         don't display extra information.

    6.4 Parabens E-mail Examiner

    Parabens E-mail Examiner is equipped with a user-friendly GUI. Thus, clicking with the cursor is the only action required in order to execute the program.

    Figure 8: Parabens E-mail Examiner


    7. Result

    Table 2: Result of Tools Testing (Passed/Failed for Eindeutig, libDBX and Parabens E-mail Examiner against Criteria 1 to 7)

    8. Analysis and Evaluation

    8.1 Analysis

    8.1.1 Analysis of Test of Criteria 1

    From the results of the test of Criteria 1, all the tools performed very well in interpreting the DBX repository. All tools could read the hexadecimal data contained in the DBX file correctly, and meaningful information was the result of the interpretation.

    8.1.2 Analysis of Test of Criteria 2

    The second test shows that the tools preserve the integrity of the E-mail and of the DBX repository. Neither the E-mail nor the DBX file is altered or changed after interpretation by the tools. Preservation of the E-mail and the DBX repository is very important in order to use these data as digital evidence in court.

    8.1.3 Analysis of Test of Criteria 3

    From the result above, all tools are able to reconstruct the E-mail activity from the DBX file without any error. E-mail activity describes the actions that users have performed with their E-mail system; it includes the number of E-mails that have been sent, read, deleted, and so on.

    8.1.4 Analysis of Test of Criteria 4

    As the fourth test shows, all tools are able to extract E-mail from the DBX file successfully. The contents of the E-mail, such as the E-mail header and message body, could be viewed without any problem.

    8.1.5 Analysis of Test of Criteria 5


    All the tools tested are able to warn users if any error occurs during the E-mail activity reconstruction process. Alerts or errors are displayed to warn users in order to avoid any faults being included in the E-mail forensics.

    8.1.6 Analysis of Test of Criteria 6

    The result of the test above indicates a shortcoming of both open source tools (Eindeutig and libDBX) compared to the commercial tool, which is full of features. Neither open source tool is able to extract the attachments found in the extracted E-mail. Although the extraction of attachments could be done with another tool named munpack, Parabens E-mail Examiner appears to be a more complete package.
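The gap named in Criteria 6, pulling attachments out of the E-mail that the open source tools already extract, is the job munpack does on the mbox output. The Python below is an added example, not the paper's code nor munpack's or libDBX's: it splits an mbox into messages, parses each with the standard library, and returns every attachment with its SHA-256 so the extracted file can be tied back to its message in an evidence log. The mbox is constructed in the block (two messages, one carrying a single attachment) so it runs offline; on a real run the bytes would come from the mbox written by readdbx -o.

```python
"""Attachment extraction from a reconstructed mbox (added example).

Assumes the mbox produced by a DBX-to-mbox converter; messages are separated
by 'From ' envelope lines as in the classic mbox format.
"""
import email
import hashlib
from email import policy
from email.message import EmailMessage
from typing import Dict, List


def split_mbox(data: bytes) -> List[bytes]:
    """Split raw mbox bytes into messages on 'From ' separator lines."""
    messages, current = [], []
    for line in data.splitlines(keepends=True):
        if line.startswith(b"From ") and current:
            messages.append(b"".join(current))
            current = []
        current.append(line)
    if current:
        messages.append(b"".join(current))
    return messages


def extract_attachments(raw_message: bytes) -> List[Dict[str, object]]:
    """Parse one message and return its attachments with hashes for the evidence log."""
    if raw_message.startswith(b"From "):            # drop the mbox envelope line
        raw_message = raw_message.split(b"\n", 1)[1]
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.iter_attachments():             # skips the text body parts
        payload = part.get_payload(decode=True) or b""   # undoes base64/QP
        found.append({
            "message_id": str(msg.get("Message-ID", "<none>")),
            "filename": part.get_filename() or "unnamed",
            "content_type": part.get_content_type(),
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "data": payload,
        })
    return found


def process_mbox(data: bytes) -> List[Dict[str, object]]:
    """Attachments from every message in an mbox, in message order."""
    results = []
    for raw in split_mbox(data):
        results.extend(extract_attachments(raw))
    return results


# Constructed sample mbox: one message with a text body and a PDF-like
# attachment, and one plain message with no attachment.
def build_constructed_mbox() -> bytes:
    m1 = EmailMessage()
    m1["From"] = "alice@example.invalid"
    m1["To"] = "bob@example.invalid"
    m1["Subject"] = "constructed: quarterly report"
    m1["Message-ID"] = "<constructed-0001@example.invalid>"
    m1.set_content("See attached.")
    m1.add_attachment(b"%PDF-1.4 constructed placeholder bytes",
                      maintype="application", subtype="pdf",
                      filename="report.pdf")
    m2 = EmailMessage()
    m2["From"] = "bob@example.invalid"
    m2["To"] = "alice@example.invalid"
    m2["Subject"] = "constructed: re: quarterly report"
    m2["Message-ID"] = "<constructed-0002@example.invalid>"
    m2.set_content("No attachment here.")
    out = []
    for m in (m1, m2):
        out.append(b"From " + str(m["From"]).encode() + b" Mon Jan  4 09:00:00 2010\n")
        out.append(m.as_bytes())
        out.append(b"\n")
    return b"".join(out)


if __name__ == "__main__":
    for att in process_mbox(build_constructed_mbox()):
        print(att["message_id"], att["filename"], att["content_type"],
              att["size"], att["sha256"])
```

Hashing the decoded payload rather than the base64 text is deliberate: the hash then matches the file an examiner would later open from disk, which is what a chain-of-custody record needs.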

    8.1.7 Analysis of Test of Criteria 7

    The last test was about the user-friendliness of the tools. The results show that both open source tools, which are developed with a CLI interface, are not as easy and simple to use as the commercial tool. The GUI of the commercial tool simplifies its execution, as clicking is the only action required.

    8.2 Evaluation

    E-mail Activity Reconstruction Tools can be divided into open source tools and commercial tools. Eindeutig and libDBX are open source tools, while Parabens E-mail Examiner is a commercial tool. Parabens E-mail Examiner consistently appears to be the more complete package, with a user-friendly GUI and many extra features that come in handy. On the other hand, Eindeutig and libDBX are more specific to a certain function, as they can only parse DBX files, compared to the multiple file formats supported by Parabens E-mail Examiner. Thus, other open source tools like munpack may have to be combined with them in order to achieve certain functions provided by Parabens E-mail Examiner.

    Moreover, support and development of Eindeutig have been inactive since 2005, in line with the frequent description of open source tools as being developed more slowly and supported less than commercial tools. On the bright side, open source tools are much more flexible, as the source code is freely available and modifications can be made based on specific needs. A GUI could be added to Eindeutig as a front-end that interacts with users in a friendlier and easier-to-use manner. Open source tools are great for research and study as well.

    9 Conclusion

    E-mail Activity Reconstruction Tools are essential in E-mail Forensics, as Activity Reconstruction is the very first necessary step in E-mail Forensics. These tools must at least be able to meet basic characteristics and requirements such as:

    1. The tool shall be able to interpret the DBX repository correctly.
    2. The tool shall be able to preserve the integrity of both the E-mail and the DBX repository.
    3. The tool shall be able to reconstruct E-mail activity.
    4. The tool shall be able to extract selected E-mail.


    5. The tool shall be able to warn users if an error occurs.

    All the tools tested met the criteria and did well in the test. However, open source tools still have a long way to go to keep up with commercial tools. For the benefit of society, open source tools should be given more attention and support from developers.

    10 Acknowledgement

    I would like to take this opportunity to express my gratitude to Mr. Asrul Hadi Bin Yaacob and Mr. Mohd Fikri Azli Abdullah for their supervision, guidance, encouragement and support throughout the whole project. Both of them showed me different ways to approach a research problem and the need to be persistent to accomplish any goal. Besides that, I would also like to thank my family: my parents, for giving me unconditional support and encouragement to pursue my interests and dreams; my sisters, who often helped me search for materials related to the project title; and my brothers, who shared their experience throughout their research and were always there to give me advice whenever I needed it. Besides that, thanks to my family, who always remind me that my research should be useful and provide good information to the community.

    References

    American Prosecutors Research Institute. (2005). Understanding E-mail: A primer for local prosecutors (Grant No. 98LS-VX-0002). Washington, DC: U.S. Government Printing Office.

    E-mail client popularity. (2009, June). Retrieved from http://www.campaignmonitor.com/stats/E-mail-clients/

    Jones, K., Bejtlich, R., & Rose, C. (2005). Real digital forensics: Computer security and incident response. Addison-Wesley Professional.

    Klein, D. V. (2006). A forensic analysis of a distributed two-stage web-based spam attack.

    Leung, Y. W., & Hou, R. (n.d.). Mail server [Presentation slides]. Retrieved from Hong Kong Baptist University web site: http://www.comp.hkbu.edu.hk/~comp2650/tutorial/notes/lab_notes_5.pdf
