E-Mail and Webmail Forensics

Upload: omar-carr
Post on 31-Dec-2015
PowerPoint PPT Presentation

Objectives

Understand the flow of electronic mail across a network
Explain the difference between resident e-mail client programs and webmail
Identify the components of e-mail headers
Understand the flow of instant messaging across the network

Introduction

E-mail has transcended social boundaries and moved from a convenient way to communicate to a corporate requirement. Because people write it informally and rarely expect it to be examined, e-mail often contains unintentional, and sometimes incriminating, documentation of their activities and attitudes, which computer forensics of e-mail can recover.

Investigating E-mail Crimes and Violations

Similar to other types of investigations
Goals:
Find who is behind the crime
Collect the evidence
Present your findings
Build a case

Investigating E-mail Crimes and Violations (continued)

Becoming commonplace
Examples of crimes involving e-mails:
Narcotics trafficking
Extortion
Sexual harassment
Child abductions and pornography

In Practice: E-Mail in Senate Investigations of Finance Companies

Financial institutions helped Enron manipulate its numbers and mislead investors
E-mail proved that banks such as JPMorgan Chase knew very well how Enron was hiding its debt

Importance of E-Mail as Evidence

E-mail can be pivotal evidence in a case
Due to its informal nature, it does not always represent corporate policy
Many other cases provide examples of the use of e-mail as evidence:
Knox v. State of Indiana
Harley v. McCoach
Nardinelli et al. v. Chevron

Working with E-Mail

Can be used by prosecutors or defense parties
Two standard methods to send and receive e-mail:
Client/server applications
Webmail

Working with E-Mail (Cont.)

E-mail data flow:
User has a client program such as Outlook or Eudora
Client program is configured to work with one or more servers
Mail the client composes, sends, and downloads is stored on the user's PC
A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers

Working with E-Mail (Cont.)

Sending e-mail:
1. User creates the e-mail in her client
2. User issues the send command
3. Client moves the e-mail to the Outbox
4. Client connects to the server; if it cannot connect, it keeps trying
5. Server acknowledges the client and authenticates the e-mail account
6. Client sends the e-mail to the server
7. Server sends the e-mail on to the destination e-mail server; each server that handles the message adds its own Received line to the header

Working with E-Mail (Cont.)

Receiving e-mail:
1. User opens the client and logs on
2. User issues the receive command
3. Client contacts the server
4. Server acknowledges, authenticates, and opens the mailbox for the account
5. Mail is downloaded to the local computer
6. Messages are placed in the Inbox to be read
POP3 downloads messages and, by default, deletes them from the server (unless the client is set to leave copies there); IMAP keeps the mailbox on the server and the client works with synchronized copies
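
The send flow above as a real SMTP exchange, added here as an example; it is not part of the original slides. The mail server is a minimal stand-in written for this demo (assumption: it accepts any sender and recipient, performs no authentication, and stores a single message); the client side is Python's standard smtplib, which conducts the same dialogue Outlook or Eudora would. The point to watch is where the server prepends a Received: line to the stored copy, because that line is the trace later read from the message header. Hostnames and addresses are fictional.

```python
import smtplib
import socket
import threading
from email.message import EmailMessage
from email.utils import formatdate


class TinySmtpServer(threading.Thread):
    """Accepts one SMTP session on 127.0.0.1 and keeps the message it receives.

    Demo stand-in for a mail server: no authentication, no relaying, one message.
    """

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))      # port 0: the OS picks a free port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.transcript = []                  # "C:" / "S:" lines of the dialogue
        self.stored = None                    # what lands in the recipient's mailbox

    def run(self):
        conn, peer = self.sock.accept()
        conn.settimeout(5)
        reader = conn.makefile("rb")

        def reply(line):
            self.transcript.append("S: " + line)
            conn.sendall((line + "\r\n").encode())

        reply("220 mx.example.test ESMTP ready")
        message_lines, in_data = [], False
        while True:
            raw = reader.readline()
            if not raw:
                break
            line = raw.decode(errors="replace").rstrip("\r\n")
            if in_data:
                if line == ".":               # a lone dot ends the DATA phase
                    in_data = False
                    # Where a real MTA stamps its Received: line; this is the
                    # hop record investigators later read in the long header.
                    hop = (f"Received: from [{peer[0]}] by mx.example.test "
                           f"with ESMTP; {formatdate()}")
                    self.stored = "\r\n".join([hop] + message_lines) + "\r\n"
                    reply("250 2.0.0 queued")
                else:                         # undo SMTP dot-stuffing
                    message_lines.append(line[1:] if line.startswith("..") else line)
                continue
            self.transcript.append("C: " + line)
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                reply("250 mx.example.test")
            elif verb in ("MAIL", "RCPT", "NOOP", "RSET"):
                reply("250 2.1.0 OK")         # acknowledges each envelope step
            elif verb == "DATA":
                reply("354 End data with <CR><LF>.<CR><LF>")
                in_data = True
            elif verb == "QUIT":
                reply("221 2.0.0 Bye")
                break
            else:
                reply("500 5.5.1 Command unrecognized")
        conn.close()
        self.sock.close()


def send_one(server, sender, recipient, subject, text):
    """Client side of the slide: compose, then issue the send command."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg["Date"] = formatdate()
    msg.set_content(text)
    # local_hostname is fixed so smtplib does not stall on a reverse DNS lookup
    with smtplib.SMTP("127.0.0.1", server.port,
                      local_hostname="client.example.test", timeout=5) as smtp:
        smtp.sendmail(sender, [recipient], msg.as_bytes())   # EHLO, MAIL, RCPT, DATA
    server.join(timeout=5)
    return server.stored, server.transcript


def demo():
    server = TinySmtpServer()
    server.start()
    return send_one(server, "alice@example.test", "bob@example.test",
                    "Q3 numbers", "Call me before the audit.\n")


if __name__ == "__main__":
    stored, transcript = demo()
    print("\n".join(transcript))
    print("--- stored in mailbox ---")
    print(stored)
```

The transcript shows the client-side commands the slide describes (EHLO, MAIL FROM, RCPT TO, DATA, QUIT) and the server's acknowledgements; message content is not logged, only stored, which mirrors what a real server's transaction log contains.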

Working with E-Mail (Cont.)

Working with resident e-mail files:
Users are able to work offline with e-mail
E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized
Begin by identifying e-mail clients on the system
You can also search by the file extensions of common e-mail clients

Working with E-Mail (Cont.)

E-Mail Client      Extension   Type of File
Eudora             .mbx        Eudora message base
Outlook Express    .dbx        OE mail database
                   .dgr        OE fax page
                   .email      OE mail message
                   .eml        OE electronic mail
Outlook            .pab        Personal address book
                   .pst        Personal folder
                   .wab        Windows address book
(Continued)

Working with E-Mail (Cont.)

Popular e-mail clients:
Outlook Express: installed by default with Windows
Outlook: bundled with Microsoft Office
Eudora: popular free client

Working with Webmail

Webmail data flow:
User opens a browser and logs in to the webmail interface
Webmail server has already placed mail in the Inbox
User uses the compose function followed by the send function to create and send mail
Web client communicates behind the scenes with the webmail server to send the message
No mailbox is stored on the local PC; the webmail provider houses all e-mail, so what remains locally is whatever the browser cached while rendering the pages

Working with Webmail (Cont.)

Working with webmail files:
Entails a bit more effort to locate files
Temporary files are a good place to start
Useful keywords for webmail programs include:
Yahoo! Mail: ShowLetter, ShowFolder, Compose, "Yahoo! Mail"
Hotmail: HoTMail, hmhome, getmsg, doattach, compose
Gmail: mail[#]
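
Added example, not from the slides, that applies the resident-file and webmail slides together: it walks a seized file tree, identifies resident client stores by the extensions listed above and checks them against leading-byte signatures (so a .pst renamed to .xls is still found, and a file merely named .pst without the signature is flagged), and then searches the remaining files, by name and content, for the webmail keywords above. The directory layout and file contents are constructed for the demo; the signature bytes are assumptions to verify against known-good files from the same client version.

```python
import os
import re
import tempfile

# Extension table from the slide (extension -> client, file type).
CLIENT_EXTENSIONS = {
    ".mbx": ("Eudora", "message base"),
    ".dbx": ("Outlook Express", "mail database"),
    ".dgr": ("Outlook Express", "fax page"),
    ".email": ("Outlook Express", "mail message"),
    ".eml": ("Outlook Express", "electronic mail"),
    ".pab": ("Outlook", "personal address book"),
    ".pst": ("Outlook", "personal folder"),
    ".wab": ("Outlook", "Windows address book"),
}

# Leading bytes that identify a store regardless of its name. Assumption:
# commonly documented signatures; confirm against a known-good file before
# relying on them in a report.
SIGNATURES = {
    b"!BDN": ".pst",                 # Outlook personal folder
    b"\xcf\xad\x12\xfe": ".dbx",     # Outlook Express 5/6 folder database
    b"From ": ".mbx",                # mbox-style store (Eudora .mbx begins "From ???@???")
}

# Keywords from the slide, one pattern per provider. Case matters: Yahoo's
# "Compose" versus Hotmail's "compose". Gmail's mail[#] is a cached-file name.
WEBMAIL_KEYWORDS = {
    "Yahoo! Mail": re.compile(r"ShowLetter|ShowFolder|Compose|Yahoo! Mail"),
    "Hotmail": re.compile(r"HoTMail|hmhome|getmsg|doattach|compose"),
    "Gmail": re.compile(r"mail\[\d+\]"),
}


def classify(name, head):
    """Classify one file from its name and first bytes; None if nothing matched."""
    ext = os.path.splitext(name)[1].lower()
    by_ext = CLIENT_EXTENSIONS.get(ext)
    by_sig = next((e for sig, e in SIGNATURES.items() if head.startswith(sig)), None)
    if by_sig and by_sig != ext:                      # content says store, name says otherwise
        client, kind = CLIENT_EXTENSIONS[by_sig]
        return ("resident store", client,
                f"{kind} renamed to {ext or 'no extension'} (signature says {by_sig})")
    if by_ext:
        client, kind = by_ext
        if ext in SIGNATURES.values() and by_sig is None:
            return ("resident store", client, f"{kind} claimed by extension but signature absent")
        return ("resident store", client, kind)
    text = head.decode("latin-1")                     # lossless view of the bytes for keyword search
    for provider, pattern in WEBMAIL_KEYWORDS.items():
        hit = pattern.search(name) or pattern.search(text)
        if hit:
            return ("webmail cache", provider, f"keyword {hit.group(0)!r}")
    return None


def triage(root, head_bytes=1 << 20):
    """Walk a file tree and return (relative path, category, client, detail) rows."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                head = fh.read(head_bytes)
            result = classify(fname, head)
            if result:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel,) + result)
    return sorted(findings)


def build_sample_tree():
    """Constructed seized-drive layout for the demo (not real evidence)."""
    root = tempfile.mkdtemp(prefix="seized_")
    files = {
        "Outlook/outlook.pst": b"!BDN" + b"\x00" * 508,
        "Documents/budget.xls": b"!BDN" + b"\x00" * 508,             # a renamed .pst
        "Downloads/old.pst": b"\x00" * 512,                           # .pst name, no signature
        "Eudora/In.mbx": b"From ???@??? Mon Mar 02 09:15:10 2015\r\nFrom: alice@example.test\r\n",
        "Temporary Internet Files/ShowLetter[1].htm": b"<html><title>Yahoo! Mail - Inbox</title>",
        "Temporary Internet Files/getmsg[2].htm": b"<html><!-- HoTMail -->",
        "Temporary Internet Files/mail[3].htm": b"<html><body>Gmail</body>",
        "Documents/notes.txt": b"nothing to see here",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for row in triage(build_sample_tree()):
        print(row)
```

Reading the first megabyte of every file is what makes the renamed-store case work: an extension scan alone would never look at budget.xls, and a signature scan alone would report old.pst as nothing at all instead of as a file worth a closer look.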

Working with Webmail (Cont.)

Type of E-Mail Protocol           POP3                                       IMAP      Webmail
E-mail accessible from anywhere   No                                         Yes       Yes
Remains stored on server          No (unless included in a server backup)    Yes       Yes, unless POP3 was used too
Dependence on Internet            Moderate                                   Strong    Strong
Special software required         Yes                                        Yes       No

Examining E-mail Messages

Access the victim's computer to recover the evidence
Using the victim's e-mail client, find and copy the evidence in the e-mail
Or guide the victim on the phone to open and copy the e-mail, including the headers
Sometimes you will deal with deleted e-mails

Examining E-mail Messages (continued)

Copying an e-mail message:
Before you start an e-mail investigation, you need to copy and print the e-mail involved in the crime or policy violation
You might also want to forward the message as an attachment to another e-mail address (forwarding it inline would replace the original headers with new ones)
With many GUI e-mail programs, you can copy an e-mail by dragging it to a storage medium, or by saving it in a different location


Examining E-mail Messages (continued)

Understanding e-mail headers:
The header records information about the sender, the receiver, and the servers the message passed through along the way
Most e-mail clients show the header in a short form that does not reveal IP addresses
Most programs have an option to show a long form that reveals the complete details

Examining E-Mails for Evidence (Cont.)

The most common parts of the e-mail header are the logical addresses of senders and receivers
A logical address is composed of two parts:
The mailbox, which comes before the @ sign
The domain or hostname, which comes after the @ sign
The mailbox is generally the user ID used to log in to the e-mail server
The domain is the Internet location of the mail server that accepts e-mail for the address (found by looking up the domain's MX record)

Examining E-Mails for Evidence (Cont.)

Reviewing e-mail headers can offer clues to the true origins of the mail and the program used to send it
Common e-mail header fields include:
Bcc, Cc, Content-Type, Date, From, Message-ID, Received, Subject, To, X-Priority
Caveats: each server prepends its own Received line, so the chain reads newest-first from the top; only the lines added by servers you control can be trusted, since everything below them was supplied by the sending side and can be forged. Bcc is normally stripped before delivery and is seen only in the sender's saved copy.
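
Added example, not from the slides, that parses a constructed message with the fields listed above: it splits the logical address into mailbox and domain, walks the Received chain in chronological order with the delay at each hop, and applies the trust caveat by reporting both the origin the sender's side claims and the last origin one of our own servers actually recorded. All hosts and addresses are fictional, and "corp.example" is assumed to be the investigator's own domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message: hosts and addresses are fictional. Received: lines are
# newest-first, exactly as a client's long-header view shows them.
RAW_MESSAGE = """\
Received: from mx1.corp.example (mx1.corp.example [198.51.100.7])
    by mail.corp.example with ESMTP id q7s3; Tue, 3 Mar 2015 10:15:03 -0500
Received: from smtp-out.freemail.test (smtp-out.freemail.test [203.0.113.5])
    by mx1.corp.example with ESMTP id 4F2A1B; Tue, 3 Mar 2015 10:15:02 -0500
Received: from [192.168.1.23] (unknown [192.168.1.23])
    by smtp-out.freemail.test with ESMTPA; Tue, 3 Mar 2015 10:14:58 -0500
Message-ID: <20150303151458.abc123@freemail.test>
Date: Tue, 3 Mar 2015 10:14:55 -0500
From: "Alice" <alice@freemail.test>
To: bob@corp.example
Subject: Q3 numbers
X-Priority: 1
Content-Type: text/plain; charset="us-ascii"

Call me before the audit.
"""

HOP = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def split_address(header_value):
    """Logical address -> (mailbox, domain), ignoring any display name."""
    _, addr = parseaddr(header_value)
    mailbox, _, domain = addr.rpartition("@")
    return mailbox, domain.lower()


def parse_hop(value):
    """One Received: line -> the fields an investigator reads from it."""
    value = " ".join(value.split())                    # unfold continuation lines
    m, ip = HOP.search(value), IPV4.search(value)
    when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip()) if ";" in value else None
    return {"from_host": m.group("from") if m else None,
            "ip": ip.group(1) if ip else None,
            "by_host": m.group("by") if m else None,
            "when": when}


def _ours(host, trusted_domain):
    return bool(host) and (host == trusted_domain or host.endswith("." + trusted_domain))


def received_chain(raw, trusted_domain):
    """Hops in chronological order; a hop is trusted if one of our own
    servers (in trusted_domain) wrote the line."""
    msg = message_from_string(raw)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    hops.reverse()                                     # header order is newest-first
    prev = None
    for hop in hops:
        hop["trusted"] = _ours(hop["by_host"], trusted_domain)
        hop["delay_s"] = (hop["when"] - prev).total_seconds() if prev and hop["when"] else None
        prev = hop["when"] or prev
    return hops


def last_verifiable_origin(hops):
    """IP recorded by the first trusted hop. Lines below it were written by
    the remote side and may be forged; lines above it are ours."""
    for hop in hops:
        if hop["trusted"]:
            return hop["ip"]
    return None


def summarize(raw, trusted_domain):
    msg = message_from_string(raw)
    hops = received_chain(raw, trusted_domain)
    mailbox, domain = split_address(msg["From"])
    mid_domain = (msg["Message-ID"] or "").strip("<>").rpartition("@")[2].lower()
    return {"mailbox": mailbox,
            "domain": domain,
            "message_id_domain": mid_domain,
            "message_id_matches_from": mid_domain == domain,  # mismatch hints at another sending system
            "claimed_origin": hops[0]["ip"] if hops else None,  # what the sender's side says
            "verifiable_origin": last_verifiable_origin(hops),
            "hops": hops}


if __name__ == "__main__":
    report = summarize(RAW_MESSAGE, "corp.example")
    for hop in report["hops"]:
        flag = "trusted" if hop["trusted"] else "claimed"
        print(f"{flag:8} {hop['ip']!s:16} -> {hop['by_host']}  +{hop['delay_s']}s")
    print("claimed origin:", report["claimed_origin"])
    print("verifiable origin:", report["verifiable_origin"])
```

For this message the sender's side claims a private address (192.168.1.23) as the origin, which is of no use for tracing; the first line stamped by mx1.corp.example records 203.0.113.5, and that is the address to take to the registry lookups and the server logs.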

Viewing E-mail Headers (continued)

Outlook:
Open the Message Options dialog box
Copy the headers
Paste them into any text editor
Outlook Express:
Open the message Properties dialog box
Select Message Source
Copy and paste the headers into any text editor


Viewing E-mail Headers (continued)

Hotmail: demo
Apple Mail:
Click View from the menu, point to Message, and then click Long Header
Copy and paste the headers


Viewing E-mail Headers (continued)

Yahoo: demo


Examining Additional E-mail Files

E-mail messages are saved on the client side or left at the server
Microsoft Outlook uses a .pst file
Most e-mail programs also include an electronic address book
In Web-based e-mail, messages are displayed and saved as Web pages in the browser's cache folders

Examining E-Mails for Evidence (Cont.)

Understanding e-mail attachments:
The MIME standard allows HTML and multimedia images in e-mail; binary attachments travel as base64-encoded text parts
Searching for the string "base64" (as in Content-Transfer-Encoding: base64) can locate attachments in unallocated or slack space, and the encoded text can then be decoded back to the original file
Anonymous remailers:
Allow users to remove identifying IP data from the headers to maintain privacy
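
Added example of the base64 search described above; it is not from the slides. It scans a constructed byte blob in which deterministic random filler stands in for unallocated space, two MIME attachment parts are intact, and a third base64 run has lost its part header and been cut off by a zeroed sector. Each run is decoded, its declared filename recovered from the part header when one precedes it, and its real type read from the decoded file's leading bytes. The payloads, filenames and boundary string are constructed for the demo.

```python
import base64
import binascii
import random
import re

# A base64 body: two or more full lines at line start, then an optional
# shorter final line. Anchoring on line starts keeps header words such as
# "base64" itself out of the match.
B64_BLOCK = re.compile(
    rb"^(?:[A-Za-z0-9+/]{20,76}={0,2}\r?\n){2,}(?:[A-Za-z0-9+/]{1,76}={0,2}(?:\r?\n)?)?",
    re.MULTILINE,
)
NAME = re.compile(rb'(?:file)?name="([^"]+)"')      # name= / filename= in the part header
MAGIC = {b"%PDF": "pdf", b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip"}


def carve_base64(blob, lookback=512):
    """Decode every base64 body in raw bytes and name its file type.

    A run cut short by an overwritten sector still decodes to its leading
    bytes, which is usually enough to identify the file type."""
    found, prev_end = [], 0
    for m in B64_BLOCK.finditer(blob):
        text = re.sub(rb"\s+", b"", m.group(0)).rstrip(b"=")
        if len(text) % 4 == 1:                 # a lone 6-bit group cannot encode a byte
            text = text[:-1]
        text += b"=" * (-len(text) % 4)        # restore padding lost to truncation
        try:
            data = base64.b64decode(text, validate=True)
        except binascii.Error:
            continue
        # Look for the part header just before the run, but never past the
        # previous run, so an earlier attachment's name is not misattributed.
        names = NAME.findall(blob[max(prev_end, m.start() - lookback):m.start()])
        prev_end = m.end()
        found.append({
            "offset": m.start(),
            "declared_name": names[-1].decode("latin-1") if names else None,
            "kind": next((k for sig, k in MAGIC.items() if data.startswith(sig)), "unknown"),
            "size": len(data),
            "data": data,
        })
    return found


def _mime_part(ctype, filename, payload):
    """One base64 attachment part as a mail client would emit it."""
    enc = base64.b64encode(payload)
    lines = [enc[i:i + 76] for i in range(0, len(enc), 76)]
    header = (b"--boundary_42\r\n"
              + b"Content-Type: " + ctype + b'; name="' + filename + b'"\r\n'
              + b"Content-Transfer-Encoding: base64\r\n"
              + b'Content-Disposition: attachment; filename="' + filename + b'"\r\n\r\n')
    return header + b"\r\n".join(lines) + b"\r\n--boundary_42--\r\n"


_rng = random.Random(7)


def _filler(n):
    """Deterministic pseudo-random bytes standing in for unrelated disk contents."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


PDF_PAYLOAD = b"%PDF-1.4\n%" + bytes(range(256)) + b"\n%%EOF\n"       # 273 bytes
PNG_PAYLOAD = b"\x89PNG\r\n\x1a\n" + bytes(range(0, 200, 2))          # 108 bytes
JPEG_PAYLOAD = b"\xff\xd8\xff\xe0" + bytes(range(255, 0, -1))         # 259 bytes
_jpeg_lines = [base64.b64encode(JPEG_PAYLOAD)[i:i + 76] for i in range(0, 348, 76)]
# Two full lines plus 38 characters of the third: the rest was overwritten.
_jpeg_truncated = b"\r\n".join(_jpeg_lines[:2]) + b"\r\n" + _jpeg_lines[2][:38]

SAMPLE_BLOB = (_filler(300)
               + _mime_part(b"application/pdf", b"ledger.pdf", PDF_PAYLOAD)
               + _filler(200)
               + _mime_part(b"image/png", b"photo.png", PNG_PAYLOAD)
               + _filler(150)
               + b"\r\n" + _jpeg_truncated + b"\x00" * 64   # header gone, run cut by a zeroed sector
               + _filler(100))


if __name__ == "__main__":
    for part in carve_base64(SAMPLE_BLOB):
        print(part["offset"], part["declared_name"], part["kind"], part["size"], "bytes")
```

The third run shows the failure mode worth knowing: with its part header overwritten there is no filename to recover and the decoded data is a 142-byte prefix, yet the JPEG signature in those bytes still says what the attachment was.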

Tracing an E-mail Message

Contact the administrator responsible for the sending server
Finding a domain name's or IP address's point of contact:
www.arin.net, the American Registry for Internet Numbers (ARIN covers North America; RIPE NCC, APNIC, LACNIC, and AFRINIC hold the records for the other regions, and the whois command-line tool queries whichever registry holds a given address block)
www.internic.net
www.freeality.com
www.google.com
Find the suspect's contact information
Verify your findings by checking network e-mail logs against the e-mail addresses

Using Network E-mail Logs

Router logs:
Where logging is enabled, record incoming and outgoing traffic (connection-level data such as addresses, ports, and times, not message content)
Rules allow or disallow traffic
From them you can resolve the path a transmitted e-mail has taken
Firewall logs:
Filter e-mail traffic
Verify whether the e-mail passed through
You can use any text editor or specialized tools to read them


Understanding E-mail Servers

Maintains logs you can examine and use in your investigation
E-mail storage:
Database
Flat file
Logs

Understanding E-mail Servers (continued)

Log information:
E-mail content (only where the server archives or journals messages; ordinary transaction logs record envelope data such as sender, recipient, and size, not message bodies)
Sending IP address
Receiving and reading date and time
System-specific information
Contact the suspect's network e-mail administrator as soon as possible, because logs are rotated and overwritten
Servers can recover deleted e-mails: a deleted message often remains in the mail store until it is purged or compacted, similar to the deletion of files on a hard drive, and may also survive in server backups
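
Added example, not from the slides, for the two log slides above: it groups constructed Postfix-style server log lines by queue ID, ties a header Message-ID to the sending IP address, sender, recipient and delivery status the server recorded, and then corroborates the connection against a constructed firewall log from a second device. Hostnames, addresses, queue IDs, the log formats as sampled here and the year assumed for the yearless syslog timestamps are all assumptions for the demo.

```python
import re
from datetime import datetime, timedelta

# Constructed Postfix-style mail server log (syslog format) and a
# netfilter-style firewall log. Hosts, addresses and queue IDs are fictional.
MAILLOG = """\
Mar  3 10:15:02 mx1 postfix/smtpd[2210]: 4F2A1B: client=smtp-out.freemail.test[203.0.113.5]
Mar  3 10:15:02 mx1 postfix/cleanup[2214]: 4F2A1B: message-id=<20150303151458.abc123@freemail.test>
Mar  3 10:15:02 mx1 postfix/qmgr[1101]: 4F2A1B: from=<alice@freemail.test>, size=1842, nrcpt=1 (queue active)
Mar  3 10:15:03 mx1 postfix/smtp[2220]: 4F2A1B: to=<bob@corp.example>, relay=mail.corp.example[10.0.5.20]:25, delay=1.1, delays=0.4/0.01/0.2/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as q7s3)
Mar  3 10:15:03 mx1 postfix/qmgr[1101]: 4F2A1B: removed
Mar  3 10:16:40 mx1 postfix/smtpd[2210]: 7C0D9E: client=unknown[203.0.113.77]
Mar  3 10:16:40 mx1 postfix/cleanup[2214]: 7C0D9E: message-id=<9f1@bulk.test>
Mar  3 10:16:40 mx1 postfix/qmgr[1101]: 7C0D9E: from=<promo@bulk.test>, size=9031, nrcpt=1 (queue active)
Mar  3 10:16:41 mx1 postfix/smtp[2221]: 7C0D9E: to=<bob@corp.example>, relay=mail.corp.example[10.0.5.20]:25, delay=0.9, delays=0.3/0.01/0.1/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as q7t0)
Mar  3 10:16:41 mx1 postfix/qmgr[1101]: 7C0D9E: removed
"""

FWLOG = """\
Mar  3 10:15:01 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=25
Mar  3 10:15:40 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51250 DPT=443
Mar  3 10:16:39 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=25
"""

LOG_YEAR = 2015    # syslog timestamps carry no year; assumed for the demo
SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\S+?)(?:\[\d+\])?: (?P<msg>.*)$")
QUEUE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
FIELDS = [
    re.compile(r"client=(?P<client_host>\S+?)\[(?P<client_ip>[\d.]+)\]"),
    re.compile(r"message-id=(?P<message_id><[^>]*>)"),
    re.compile(r"from=<(?P<sender>[^>]*)>"),
    re.compile(r"to=<(?P<recipient>[^>]*)>.*status=(?P<status>\w+)"),
]


def when(ts):
    return datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def parse_maillog(text):
    """Group server log lines by queue ID into one record per message."""
    records = {}
    for line in text.splitlines():
        s = SYSLOG.match(line)
        q = QUEUE.match(s.group("msg")) if s else None
        if not q:
            continue
        rec = records.setdefault(q.group("qid"), {
            "queue_id": q.group("qid"), "recipients": [], "first_seen": when(s.group("ts"))})
        rec["last_seen"] = when(s.group("ts"))
        for pattern in FIELDS:
            m = pattern.search(q.group("rest"))
            if not m:
                continue
            if "recipient" in m.groupdict():          # one line per recipient
                rec["recipients"].append(m.group("recipient"))
                rec["status"] = m.group("status")
            else:
                rec.update(m.groupdict())
    return records


def find_by_message_id(records, message_id):
    """Tie a header Message-ID back to the server's record of that delivery."""
    return next((r for r in records.values() if r.get("message_id") == message_id), None)


def firewall_corroboration(fwlog, record, window=timedelta(seconds=60)):
    """Firewall lines showing the recorded client IP reaching SMTP (port 25)
    within `window` of the server's first entry: an independent device
    confirming the connection the mail log claims."""
    hits = []
    for line in fwlog.splitlines():
        s = SYSLOG.match(line)
        if not s:
            continue
        fields = dict(re.findall(r"(\w+)=(\S*)", s.group("msg")))
        if (fields.get("SRC") == record.get("client_ip") and fields.get("DPT") == "25"
                and abs(when(s.group("ts")) - record["first_seen"]) <= window):
            hits.append(line)
    return hits


if __name__ == "__main__":
    records = parse_maillog(MAILLOG)
    rec = find_by_message_id(records, "<20150303151458.abc123@freemail.test>")
    print(rec["queue_id"], rec["client_ip"], rec["sender"], rec["recipients"], rec["status"])
    for line in firewall_corroboration(FWLOG, rec):
        print("firewall:", line)
```

Note what the server log does and does not hold: the connecting IP, Message-ID, envelope addresses, size and delivery status are all there, the message text is not, which is why the slide separates log evidence from the mailbox itself.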

Using Specialized E-mail Forensics Tools

Tools include:
AccessData's Forensic Toolkit (FTK)
ProDiscover Basic
FINALeMAIL
Sawmill-GroupWise
DBXtract
Fookes Aid4Mail and MailBag Assistant
Paraben E-Mail Examiner
Ontrack Easy Recovery EmailRepair
R-Tools R-Mail

Using Specialized E-mail Forensics Tools (continued)

Tools allow you to find:
E-mail database files
Personal e-mail files
Offline storage files
Log files
Advantage: you do not need to know how e-mail servers and clients work

Using AccessData FTK to Recover E-mail

FTK can index data on a disk image or an entire drive for faster data retrieval
FTK filters and finds files specific to e-mail clients and servers

Using a Hexadecimal Editor to Carve E-mail Messages

Very few vendors have products for analyzing e-mail in systems other than Microsoft
Example: carve e-mail messages from Evolution


Working with Instant Messaging

Most widely used IM applications include:
Yahoo Messenger
Google Talk
Newer versions of IM clients and servers allow the logging of activity
Can be more incriminating than e-mail

Summary

Electronic mail and instant messages can be important evidence to find
They can provide a more realistic and candid view of a person
Client and server programs are needed for both e-mail and IM applications
Webmail does not leave a complete trail on the local computer

Summary (Cont.)

It may be necessary to harvest data from a server, in which case you need to consider the following:
Data storage structure being used
Authority to access the data
A realistic plan for the time and space needed to house the forensic copy of the data

Summary (Cont.)

E-mail headers and IM logs can provide additional evidence
Tracing IP addresses may involve searches of the international and regional registries responsible for allocating IP addresses

Summary (Cont.)

Instant messaging, like e-mail, is a client/server-based technology
Due to volume, records may not be kept by providers
If found, they can contribute significantly to a case