
E-Mail and Webmail Forensics

Objectives
- Understand the flow of electronic mail across a network
- Explain the difference between resident e-mail client programs and webmail
- Identify the components of e-mail headers
- Understand the flow of instant messaging across the network

Introduction
- E-mail has transcended social boundaries and moved from a convenient way to communicate to a corporate requirement.
- In many cases, incriminating unintentional documentation of people’s activities and attitudes can be found through computer forensics of e-mail.
Speaker notes: Introduce the chapter.

Investigating E-mail Crimes and Violations
- Similar to other types of investigations
- Goals
  - Find who is behind the crime
  - Collect the evidence
  - Present your findings
  - Build a case

Investigating E-mail Crimes and Violations (continued)
- Becoming commonplace
- Examples of crimes involving e-mails
  - Narcotics trafficking
  - Extortion
  - Sexual harassment
  - Child abductions and pornography

In Practice: E-Mail in Senate Investigations of Finance Companies
- Financial institutions helped Enron manipulate its numbers and mislead investors
- E-mail proved that banks such as JPMorgan Chase knew very well how Enron was hiding its debt and poor financial reporting, and how it was able to hide billions in debt from failed deals and projects

Importance of E-Mail as Evidence
- E-mail can be pivotal evidence in a case
- Due to its informal nature, it does not always represent corporate policy
- Many other cases provide examples of the use of e-mail as evidence
  - Knox v. State of Indiana
  - Harley v. McCoach
  - Nardinelli et al. v. Chevron
Speaker notes:
Example 1: e-mail messages in which a supervisor repeatedly asked an employee for personal favors served as key evidence in a sexual harassment suit.
Example 2: almost similar, but also includes a race discrimination case.
Example 3: four employees filed suit against the firm claiming that they were sexually harassed. To show that Chevron’s management allowed a hostile work environment, e-mails containing jokes such as “twenty-five reasons beer is better than women” were introduced as evidence.

Working with E-Mail
- Can be used by prosecutors or defense parties
- Two standard methods to send and receive e-mail:
  - Client/server applications
  - Webmail
Speaker notes: Begin discussing e-mail as it is used in court, and introduce the two standard methods of sending e-mail.

Working with E-Mail (Cont.)
- E-mail data flow
  1. User has a client program such as Outlook or Eudora
  2. Client program is configured to work with one or more servers
  3. E-mails sent by client reside on PC
  4. A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers
Speaker notes (point 3): Typically they can be found on the server machine as well, but this is not always true.

Working with E-Mail (Cont.)
- Sending E-Mail
  1. User creates e-mail on her client
  2. User issues send command
  3. Client moves e-mail to Outbox
  4. Server acknowledges client and authenticates e-mail account
  5. Client sends e-mail to the server
  6. Server sends e-mail to destination e-mail server
  7. If the client cannot connect with the server, it keeps trying
Speaker notes (point 3): SMTP (Simple Mail Transfer Protocol). Usually uses TCP port number 25.

Working with E-Mail (Cont.)
- Receiving E-Mail
  1. User opens client and logs on
  2. User issues receive command
  3. Client contacts server
  4. Server acknowledges, authenticates, and contacts mailbox for the account
  5. Mail downloaded to local computer
  6. Messages placed in Inbox to be read
  7. POP deletes messages from server; IMAP retains copy on server
Speaker notes (point 3): Client contacts server using Post Office Protocol version 3 (POP3) or Internet Message Access Protocol (IMAP). POP3 is assigned TCP port 110, and IMAP is assigned TCP port 143.
Question: What is the main difference between POP and IMAP when acquiring the e-mail?
Answer: POP usually downloads all messages to the user’s local computer, placing them in the Inbox of the client and automatically deleting them from the e-mail server. With IMAP, the e-mails are also downloaded from the server mailbox and placed in the client Inbox, but they are not deleted from the server. Therefore, with IMAP, a copy is kept on the server, and remote accounts can access all of their e-mail from any machine.

Working with E-Mail (Cont.)
- Working with resident e-mail files
  - Users are able to work offline with e-mail
  - E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized
  - Begin by identifying e-mail clients on system
  - You can also search by file extensions of common e-mail clients

Working with E-Mail (Cont.)
E-Mail Client      Extension   Type of File
Eudora             .mbx        Eudora message base
Outlook Express    .dbx        OE mail database
                   .dgr        OE fax page
                   .email      OE mail message
                   .eml        OE electronic mail
Outlook            .pab        Personal address book
                   .pst        Personal folder
                   .wab        Windows address book
Speaker notes: Discuss the different types of file extensions, based on the client of the user, you might run into when examining e-mail message files. (Continued)

Working with E-Mail (Cont.)
- Popular e-mail clients:
  1. Outlook Express—installed by default with Windows
  2. Outlook—bundled with Microsoft Office
  3. Eudora—popular free client
Speaker notes (point 1): Can be connected to several e-mail servers.

Working with Webmail
- Webmail data flow
  1. User opens a browser, logs in to the webmail interface
  2. Webmail server has already placed mail in Inbox
  3. User uses the compose function followed by the send function to create and send mail
  4. Web client communicates behind the scenes to the webmail server to send the message
  5. No e-mails are stored on the local PC; the webmail provider houses all e-mail

Working with Webmail (Cont.)
- Working with webmail files
  - Entails a bit more effort to locate files
  - Temporary files are a good place to start
  - Useful keywords for webmail programs include:
    - Yahoo! Mail: ShowLetter, ShowFolder, Compose, “Yahoo! Mail”
    - Hotmail: HoTMail, hmhome, getmsg, doattach, compose
    - Gmail: mail[#]
Speaker notes: Gmail uses JavaScript and therefore may not leave any temporary files.

Working with Webmail (Cont.)
Type of E-Mail Protocol: POP3 / IMAP / Webmail
- E-mail accessible from anywhere: POP3 No; IMAP Yes
- Remains stored on server: POP3 No (unless included in a backup of server); IMAP Yes; Webmail Yes, unless POP3 was used too
- Dependence on Internet: POP3 Moderate; IMAP Strong
- Special software required:
Speaker notes: Explain the different types of e-mail protocols and how they work with associated servers.

Examining E-mail Messages
- Access victim’s computer to recover the evidence
- Using the victim’s e-mail client
  - Find and copy evidence in the e-mail
  - Guide victim on the phone
  - Open and copy e-mail including headers
- Sometimes you will deal with deleted e-mails

Examining E-mail Messages (continued)
- Copying an e-mail message
  - Before you start an e-mail investigation
    - You need to copy and print the e-mail involved in the crime or policy violation
    - You might also want to forward the message as an attachment to another e-mail address
  - With many GUI e-mail programs, you can copy an e-mail by dragging it to a storage medium
    - Or by saving it in a different location

Examining E-mail Messages (continued)

Examining E-mail Messages (continued)
- Understanding e-mail headers
  - The header records information about the sender, receiver, and servers it passes along the way
  - Most e-mail clients show the header in a short form that does not reveal IP addresses
  - Most programs have an option to show a long form that reveals complete details
Speaker notes (slide opening): The content of the e-mail can be helpful. However, the e-mail header is important as well: who created it, what software was used to create it, what IP address was used to send it, and the path through the Internet across e-mail servers.

Examining E-Mails for Evidence (Cont.)
- Most common parts of the e-mail header are logical addresses of senders and receivers
- Logical address is composed of two parts
  - The mailbox, which comes before the @ sign
  - The domain or hostname that comes after the @ sign
- The mailbox is generally the userid used to log in to the e-mail server
- The domain is the Internet location of the server that transmits the e-mail

Examining E-Mails for Evidence (Cont.)
- Reviewing e-mail headers can offer clues to true origins of the mail and the program used to send it
- Common e-mail header fields include:
  - Bcc
  - Cc
  - Content-Type
  - Date
  - From
  - Message-ID
  - Received
  - Subject
  - To
  - X-Priority
Speaker notes:
Bcc: blind carbon copy. Can be seen only on the sender side, not on the receiver side.
Cc: reply all vs. reply.
Content-Type: deals with non-text items, such as HTML or pictures, that are included in the e-mail content.
Date: can we trust this info? No, because the clock on the sending PC may not be set to the correct time.
From: be careful, this can be spoofed by a spammer or malicious user.
Message-ID: important. It is a unique identifier assigned to each message by the first e-mail server it encounters, usually the sender’s local e-mail server, or the ISP’s e-mail server if webmail is used. This can be forged, so beware of relying solely on this data.
Received: each server that relays the message puts its IP address and the date and time the e-mail was processed in a Received header.
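As an added example (not part of the chapter or its textbook), a Python script that reads the Received chain and the other fields listed above from a constructed message, recovers the hops in the order the mail actually travelled, and flags the points the notes say not to trust at face value, such as a From domain that does not match the first relay. Every host name, address and IP in it is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not from any real case). Each relay prepends its own
# Received header, so the topmost Received line is the last hop.
SAMPLE_RAW = """\
Received: from mx.victim-corp.example (mx.victim-corp.example [198.51.100.7])
 by inbox.victim-corp.example with ESMTP id q7Xk2;
 Tue, 05 Mar 2013 09:15:44 -0500
Received: from smtp.isp.example (smtp.isp.example [203.0.113.25])
 by mx.victim-corp.example with ESMTP id 4hT9;
 Tue, 05 Mar 2013 09:15:41 -0500
Received: from userpc (unknown [192.0.2.77])
 by smtp.isp.example with SMTP id aB12;
 Tue, 05 Mar 2013 09:15:30 -0500
Message-ID: <20130305141530.aB12@smtp.isp.example>
From: "Pat Sender" <pat@freemail.example>
To: jo@victim-corp.example
Date: Tue, 05 Mar 2013 09:14:02 -0500

Body text omitted.
"""

# One relay hop looks like: "from <host> (... [ip]) by <host> ...; <date>"
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?by\s+(?P<by>\S+)",
    re.DOTALL,
)

def received_chain(raw):
    """Return the relay hops oldest-first, each as {'from', 'ip', 'by', 'time'}."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(hdr)
        if not m:
            continue  # unusual relay syntax: skip this hop but keep the rest
        when = hdr.rsplit(";", 1)[-1].strip()
        hops.append({**m.groupdict(), "time": parsedate_to_datetime(when)})
    return hops

def originating_ip(raw):
    """IP recorded by the first relay: the best lead on where the mail was sent from."""
    chain = received_chain(raw)
    return chain[0]["ip"] if chain else None

def header_observations(raw):
    """Points an examiner should verify instead of trusting the header as-is."""
    msg = message_from_string(raw)
    chain = received_chain(raw)
    notes = []
    first_relay = chain[0]["by"] if chain else ""
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if from_domain and not first_relay.endswith(from_domain):
        notes.append(f"From domain {from_domain} differs from first relay {first_relay}")
    mid = msg.get("Message-ID", "").strip("<>")
    if mid and first_relay and not mid.endswith("@" + first_relay):
        notes.append(f"Message-ID host does not match first relay {first_relay}")
    for earlier, later in zip(chain, chain[1:]):
        if later["time"] < earlier["time"]:
            notes.append(f"timestamp goes backwards between {earlier['by']} and {later['by']}")
    return notes
```

None of the three flags proves forgery on its own; they mark where to pull the relay’s own logs, which is what the later slides on server logs are for.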

Viewing E-mail Headers (continued)
- Outlook
  - Open the Message Options dialog box
  - Copy headers
  - Paste them to any text editor
- Outlook Express
  - Open the message Properties dialog box
  - Select Message Source
  - Copy and paste the headers to any text editor

Viewing E-mail Headers (continued)

Viewing E-mail Headers (continued)

Viewing E-mail Headers (continued)
- Hotmail
  - Demo!
- Apple Mail
  - Click View from the menu, point to Message, and then click Long Header
  - Copy and paste headers

Viewing E-mail Headers (continued)

Viewing E-mail Headers (continued)

Viewing E-mail Headers (continued)
- Yahoo
  - Demo

Examining Additional E-mail Files
- E-mail messages are saved on the client side or left at the server
- Microsoft Outlook uses .pst file
- Most e-mail programs also include an electronic address book
- In Web-based e-mail
  - Messages are displayed and saved as Web pages in the browser’s cache folders

Examining E-Mails for Evidence (Cont.)
- Understanding e-mail attachments
  - MIME standard allows for HTML and multimedia images in e-mail
  - Searching for base64 can find attachments in unallocated or slack space
- Anonymous remailers
  - Allow users to remove identifying IP data to maintain privacy
Speaker notes:
When electronic mail was first introduced it could only handle simple text messages based on 7-bit ASCII coding. Then MIME (Multipurpose Internet Mail Extensions) was introduced. Attachments are handled by using Base64, which is a binary-to-text encoding scheme.
End of point 2: Use data carving techniques to pull the significant data from the unallocated space.
Anonymous e-mail programs allow users to either remove their identifying information from the header of the e-mail or spoof a phony address.

Tracing an E-mail Message
- Contact the administrator responsible for the sending server
- Finding domain name’s point of contact
  - www.arin.net (American Registry for Internet Numbers)
  - www.internic.com
  - www.freeality.com
  - www.google.com
- Find suspect’s contact information
- Verify your findings by checking network e-mail logs against e-mail addresses

Using Network E-mail Logs
- Router logs
  - Record all incoming and outgoing traffic
  - Have rules to allow or disallow traffic
  - You can resolve the path a transmitted e-mail has taken
- Firewall logs
  - Filter e-mail traffic
  - Verify whether the e-mail passed through
- You can use any text editor or specialized tools

Using Network E-mail Logs (continued)

Understanding E-mail Servers
- Maintains logs you can examine and use in your investigation
- E-mail storage
  - Database
  - Flat file
- Logs

Understanding E-mail Servers (continued)
- Log information
  - E-mail content
  - Sending IP address
  - Receiving and reading date and time
  - System-specific information
- Contact suspect’s network e-mail administrator as soon as possible
- Servers can recover deleted e-mails
  - Similar to deletion of files on a hard drive

Using Specialized E-mail Forensics Tools
- Tools include:
  - AccessData’s Forensic Toolkit (FTK)
  - ProDiscover Basic
  - FINALeMAIL
  - Sawmill-GroupWise
  - DBXtract
  - Fookes Aid4Mail and MailBag Assistant
  - Paraben E-Mail Examiner
  - Ontrack Easy Recovery EmailRepair
  - R-Tools R-Mail

Using Specialized E-mail Forensics Tools (continued)
- Tools allow you to find:
  - E-mail database files
  - Personal e-mail files
  - Offline storage files
  - Log files
- Advantage
  - Do not need to know how e-mail servers and clients work

Using AccessData FTK to Recover E-mail
- Can index data on a disk image or an entire drive for faster data retrieval
- Filters and finds files specific to e-mail clients and servers

Using a Hexadecimal Editor to Carve E-mail Messages
- Very few vendors have products for analyzing e-mail in systems other than Microsoft
- Example: carve e-mail messages from Evolution

Using a Hexadecimal Editor to Carve E-mail Messages (continued)

Using a Hexadecimal Editor to Carve E-mail Messages (continued)

Working with Instant Messaging
- Most widely used IM applications include:
  - Yahoo Messenger
  - Google Talk
- Newer versions of IM clients and servers allow the logging of activity
- Can be more incriminating than e-mail
Speaker notes: Instant messaging works similarly to a client/server environment. Chat messages can be acquired from RAM slack or a memory dump.

Summary
- Electronic mail and instant messages can be important evidence to find
- They can provide a more realistic and candid view of a person
- Client and server programs are needed for both e-mail and IM applications
- Webmail does not leave a complete trail on the local computer

Summary (Cont.)
- It may be necessary to harvest data from a server, in which case you need to consider the following:
  - Data storage structure being used
  - Authority to access the data
  - A realistic plan for time and space needed to house the forensic copy of the data

Summary (Cont.)
- E-mail headers and IM logs can provide additional evidence
- Tracing IP addresses may involve searches of international and regional registries responsible for allocating IP addresses

Summary (Cont.)
- Instant messaging, like e-mail, is a client/server-based technology
- Due to volume, records may not be kept by providers
- If found, can contribute significantly to a case