1

Email and Internet Evidence

Mark PollittAssociate Professor,

Engineering Technology

Web 1.0 Technologies

• Technologies– Email– Web– Skype– IM

• Web 1.0 because:– Static content– Application standards– Client based

Forensics on Web 1.0 Technologies

• Focus on two elements:– The application– The data

• Looking for:– The content– The connections

Applications

• Developers need to build three things into communications applications:– User interface– Data processing/storage– Communications protocols

• Multiple Applications can share a common protocol– Outlook, Thunderbird, Zimbra– Hotmail, Yahoo, Gmail

Web Browsers

• All share HTML• Some support other technologies:– Active X, Flash, XML, etc.

• All store a cache of recent files and a history– Most store those differently– Usually, it takes a specific tool to look at browser

histories• Documenting both Internet history and

reconstructing web pages is important evidence

Doing Browser Forensics

• Know how the browser stores data• Know the location of the data• Have a tool that can read that data• Great resources:

http://www.symantec.com/connect/articles/web-browser-forensics-part-1http://www.symantec.com/connect/articles/web-browser-forensics-part-2

Email

• Very simple in concept:– Client/Server– SMTP protocol

• Two basic interfaces:– Web mail (Hotmail, Yahoo, Gmail)– Client based (POP, IMAP, SMTP)– Some support both

• Features vary by client

Email Clients

• Like Browsers, they share some features:– Communications protocols (POP, IMAP, SMTP, etc.)– User Interface– Storage – usually some form of database

Internet History Browsers

• Nirsoft – IEHistory View/Mozilla Cache View• Security Exploded – Browser History Spy*• Sqlite Viewer - Firefox

Email Investigations

• Client Software– Outlook– Thunderbird– Zimbra

• Forensic Suites– EnCase– FTK

• Webmail– Use browser forensics

Thank You for your Attention!