Forensic Examination of E-mail Clients and Servers


Forensic Examination of E-mail Clients and Servers (E-mail Forensics)

E-mail Forensics: Windows and Mail

Windows provides mail support through a series of clients included with Windows. A line of “free” clients was included with the operating system. Outlook Express, Windows Mail, and Windows Live Mail have used .mbx, .dbx, and .eml files to store mail. Outlook is the mail client included as a component of MS Office. Outlook uses the .pst file to store mail.

Windows Mail location:
C:\Users\<username>\AppData\Local\Microsoft\Windows Mail
C:\Users\<username>\AppData\Local\Microsoft\Windows Mail\Local Folders\
  account{whatever #'s}.oeaccount
  *.eml files

E-mail Forensics: Outlook Express DBX

A DBX is a text-based flat database composed of fixed-length segments and jump links. MIME-encoded attachments are stored with a non-standard MIME using 76-byte segments terminated with “0D 0A” (CRLF). A 16-byte link list is embedded every 512 bytes.

[MS-PST]: Outlook Personal Folders (.pst) File Format, http://msdn.microsoft.com/en-us/library/ff385210.aspx, pages 11-16

E-mail Forensics: Outlook Express DBX

The .dbx structure includes a 36-byte header and an arbitrary number of 512-byte segments that may be fragmented. Each segment begins with a 16-byte link list with 4 values:
1) Landing value (matches the previous jump value)
2) Length of next block (02 00 hex / 512 decimal)
3) Length of next block to read
4) Jump value: the file offset of the next segment's beginning

[MS-PST]: Outlook Personal Folders (.pst) File Format, http://msdn.microsoft.com/en-us/library/ff385210.aspx, pages 11-16
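The segment chain the slide describes, as an added example that is not from the slides or from any DBX tool: it builds a constructed toy file following the slide's description (36-byte header, 512-byte segments, a 16-byte link list of four 32-bit values at the start of each segment) and then walks the chain, checking every landing value against the jump value that led there, so that an overwritten or corrupt segment is reported instead of being silently concatenated into the recovered message. Little-endian byte order, a zero jump value meaning end of chain, and the first segment's offset being known in advance are assumptions of this toy model; the real on-disk format has more to it than the slide covers.

```python
import struct

# Layout as described on the slide; everything else is an assumption of this
# toy model, not the real DBX on-disk format.
HEADER_SIZE = 36                        # slide: 36-byte header (contents not modelled)
SEGMENT_SIZE = 512                      # slide: fixed 512-byte segments
LINK_SIZE = 16                          # slide: 16-byte link list at the start of each segment
PAYLOAD_MAX = SEGMENT_SIZE - LINK_SIZE  # bytes of message data a full segment can carry
LINK_FMT = "<IIII"                      # assumption: four little-endian uint32 values


def build_sample_dbx(payload, slot_order):
    """Write a constructed, fragmented segment chain for `payload`.

    slot_order[k] is the physical 512-byte slot (counted from the end of the
    header) that holds logical chunk k, so the chain is out of order on disk,
    as the slide says segments may be fragmented.  Returns (file_bytes,
    offset_of_first_segment).
    """
    chunks = [payload[i:i + PAYLOAD_MAX] for i in range(0, len(payload), PAYLOAD_MAX)]
    if sorted(slot_order) != list(range(len(chunks))):
        raise ValueError("slot_order must be a permutation of the chunk indexes")
    image = bytearray(HEADER_SIZE + len(chunks) * SEGMENT_SIZE)
    offsets = [HEADER_SIZE + slot * SEGMENT_SIZE for slot in slot_order]
    for k, chunk in enumerate(chunks):
        here = offsets[k]
        nxt = offsets[k + 1] if k + 1 < len(chunks) else 0   # assumption: 0 = end of chain
        # 1) landing value  2) segment length  3) bytes to read  4) jump to next segment
        struct.pack_into(LINK_FMT, image, here, here, SEGMENT_SIZE, len(chunk), nxt)
        image[here + LINK_SIZE:here + LINK_SIZE + len(chunk)] = chunk
    return bytes(image), offsets[0]


def walk_segments(image, first_offset):
    """Follow the jump links from first_offset and reassemble the message.

    Returns (reassembled_bytes, list_of_segment_offsets).  Raises ValueError
    when a landing value disagrees with the jump that led there, when a link
    points outside the file, or when the chain loops: each of those means the
    segment was overwritten or the chain is corrupt, and what follows cannot
    be trusted as part of this message.
    """
    out = bytearray()
    chain = []
    expected = first_offset
    offset = first_offset
    while offset != 0:
        if offset in chain:
            raise ValueError(f"chain loops back to offset 0x{offset:x}")
        if offset + LINK_SIZE > len(image):
            raise ValueError(f"link at 0x{offset:x} runs past end of file")
        landing, seg_len, to_read, jump = struct.unpack_from(LINK_FMT, image, offset)
        if landing != expected:
            raise ValueError(f"segment at 0x{offset:x}: landing 0x{landing:x} != expected 0x{expected:x}")
        if seg_len != SEGMENT_SIZE or to_read > PAYLOAD_MAX:
            raise ValueError(f"segment at 0x{offset:x}: implausible lengths {seg_len}/{to_read}")
        chain.append(offset)
        out += image[offset + LINK_SIZE:offset + LINK_SIZE + to_read]
        expected = jump
        offset = jump
    return bytes(out), chain


# Constructed sample: a base64 body of 76-character lines terminated with CRLF,
# as the slide says DBX stores MIME attachments, long enough to need 3 segments.
SAMPLE_PAYLOAD = (b"A" * 76 + b"\r\n") * 16
SAMPLE_IMAGE, SAMPLE_FIRST = build_sample_dbx(SAMPLE_PAYLOAD, [2, 0, 1])

if __name__ == "__main__":
    data, chain = walk_segments(SAMPLE_IMAGE, SAMPLE_FIRST)
    print("segments at", [hex(o) for o in chain], "->", len(data), "bytes reassembled")
```

The landing/jump cross-check is the point: a segment whose landing value does not match the jump that reached it has been reused by another message or overwritten, and a recovery tool that ignores the check will splice foreign data into the reconstructed attachment.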

E-mail Forensics: Outlook PST

The Personal Storage file is the local binary database that Outlook uses to store mail and numerous other details. A PST is a binary database that cannot be read without interpretation (unlike the Mbox mail spool or DBX).

[MS-PST]: Outlook Personal Folders (.pst) File Format, http://msdn.microsoft.com/en-us/library/ff385210.aspx, pages 11-16
The .pst file has a different format and folder size limit in Outlook 2007 and in Outlook 2003: http://support.microsoft.com/kb/830336/

E-mail Forensics: Definition of PST

“This file format is a stand-alone, self-contained, structured binary file format that does not require any external dependencies. Each PST file represents a message store that contains an arbitrary hierarchy of folder objects, which contains message objects, which can contain attachment objects. Information about [these] are stored in properties, which collectively contain all of the information about the particular item.”

[MS-PST]: Outlook Personal Folders (.pst) File Format, pp. 11-12

E-mail Forensics: Outlook PST

For MS Outlook™ 2003 and earlier running under Windows XP, the PST file can be found at:
C:\Documents and Settings\<user_id>\Local Settings\Application Data\Microsoft\Outlook

E-mail Forensics: Outlook Account Information

Stored in the registry, not in a file:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

E-mail Forensics: Outlook Data Files

In Windows XP and 2K:
C:\Documents and Settings\<user_id>\Application Data\Microsoft\Outlook

E-mail Forensics: Outlook File Locations in Win2K/WinXP

http://www.slipstick.com/config/backup2007.asp

E-mail Forensics: Outlook PST

For MS Outlook™ 2007 and later running under Windows Vista/Windows 7, the PST file can be found at:
C:\Documents and Settings\<user_id>\Local Settings\Application Data\Microsoft\Outlook

E-mail Forensics: Outlook File Locations in Vista/Win7

http://www.slipstick.com/config/backup2007.asp

E-mail Forensics: Exchange Servers

When Outlook connects to an Exchange server, it creates an offline storage file called an OST. OSTs are not encrypted; however, a tool is required to view them (like a PST). Forensic packages can do this, or a mail administration utility like OST2PST may be required.
http://support.microsoft.com/kb/829971

E-mail Forensics: Outlook Attachments

Outlook stores opened attachments in a temporary folder that is hidden from users. Each user profile has its own attachment directory. A copy in this directory is confirmation that the attachment has been opened under that user profile.

E-mail Forensics: Outlook Attachments

If an attachment is opened twice, a new copy is created and a number is appended in brackets. If the user inadvertently saves changes to the attachment, they persist in the directory.

E-mail Forensics: Outlook Temporary Attachment Directory

In general, Windows 2K/XP:
C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\OLK???

In general, Windows Vista/Win7:
C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\

http://www.groovypost.com/howto/microsoft/outlook/find-the-microsoft-outlook-temporary-olk-folder/

Marcel Marceau 1923-2007

E-mail Forensics: Definition of MIME

Multipurpose Internet Mail Extensions (MIME) is a text-based encoding scheme to allow binary attachments* in text-based systems (e.g. E-mail or newsgroups). MIME uses base-64 encoding to transfer arbitrary octets that would not be allowed by 7bit* mail systems.

* Other mail systems would disallow some content, but 7bit is the most restrictive standard.

E-mail Forensics: MIME

MIME is used for much more than E-mail attachments. MIME encoding in the body of the message is converted by the mail server upon receipt. MIME is also widely used outside the context of E-mail. We only care about one of these:
7bit
quoted-printable
Base64
8BITMIME
BINARYMIME
Base 64 is used to store attachments.
http://www.cse.ohio-state.edu/cgi-bin/rfc/rfc2045.html

Log Analysis: Base 64 Encoding

Base 64 encoding allows the “/” and “+” characters, but a Web-safe version uses “-” and “_” in place of those characters. The “=” character is a padding character found at the end of a base64 set. Other variants are used for various purposes like URLs and regexes.
RFC 3548
© Dr. D. Kall Loper, all rights reserved

E-mail Forensics: Base64 MIME

Content-Transfer-Encoding: base64
Content-ID: <image001.jpg@01CB7A71.3C90D950>
Content-Type: image/jpeg; name="image001.jpg";
Content-Disposition: inline; filename="image001.jpg";

/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAQDAwMDAgQDAwMEBAQFBgoGBgUFBgwICQcKDgwPDg4M
DQ0PERYTDxAVEQ0NExoTFRcYGRkZDxIbHRsYHRYYGRj/2wBDAQQEBAYFBgsGBgsYEA0QGBgYGBgY
GBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBj/wAARCABaAK0DASIA
AhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQA
<omitted for brevity>
F1Q3IzvkV3lcsTzkgBTwRXuQHArKrOpTm4qdzWKjJXseBWXwS8U2ml68H1bTprvU9Oi0iIXLz3CQ
wIxO7cx3bhxtAwBivX/CXhy38KeCdM8O2jM8dlAsRkP3pWx8znPdmyx+tb2Oc0tRVxFSqrTen9Iq
FNRd0FIRkYpaKxLOM+IXwz8KfEnw9/ZPiWwEwXJguYztlgY/xI3b6dD3r5yHwn+PHwSun1D4Ya5/
wkekFi02mOBlhnvExwT7oQfavr5vvfhUTdPwrsoY6pQjybx7PVf8A46+Cp1Zc+0u63Pm7wf+1Nd6
j4xsPCPiv4e6npuqXUy2yiDn5ycZKOAQvfrX0ogBHGKzLuwsJtRtryWyt5LiNiUmaNS6cdmxkVqJ
0H0qMVKlNqVOHLfzuVho1IpqpLm+Vhdg9aAgFOorlsdQ3YKNvHWnUUwG7RRtFOooAbsHfmjYPQU6
igBu0Zo2inUUAN2DPNGwfhTqKAE2iloooAKKKKAP/9k=
--=_dd09d0028a818480fe8d28e4105bc327

http://www.cse.ohio-state.edu/cgi-bin/rfc/rfc1521.html

E-mail Forensics: MIME Headers

A MIME segment contains from 2 to 5 header fields:
MIME-Version
Content-Type
Content-Transfer-Encoding
Content-ID
Content-Description
These are searchable for carving, and are the only metadata for a MIME attachment file.
RFC 2045: http://www.cse.ohio-state.edu/cgi-bin/rfc/rfc2045.html

E-mail Forensics: Base64 MIME

MIME segments can be decoded to their original content. Contents can be ANY type of file. There is no file system metadata associated with MIME-encoded files. Unless decoded, their contents will not show up in keyword searches.
http://www.cse.ohio-state.edu/cgi-bin/rfc/rfc1521.html
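The three preceding points (the MIME header fields are the only metadata and are what you search for when carving, Base 64 has a Web-safe alphabet and "=" padding, and encoded content is invisible to keyword searches until decoded) worked through as an added example that is not part of the slides: it locates base64 parts by their Content-Transfer-Encoding header line rather than by the multipart boundary, so it also works on a fragment carved from free space, decodes standard or Web-safe base64 with missing padding, identifies the decoded content by magic number because the declared Content-Type carries no guarantee, and shows the keyword search failing on the raw text and succeeding on the decoded part. The sample message, the names example.test and image001.jpg@constructed, and the file signatures in MAGIC are constructed for the example.

```python
import base64
import re

# Header lines look like "Name: value"; folded continuation lines start with whitespace.
HDR_LINE = re.compile(rb"^(?:[A-Za-z][A-Za-z0-9-]*:|[ \t])")
CTE_B64 = re.compile(rb"^Content-Transfer-Encoding:\s*base64\s*$", re.I)
# Standard and Web-safe base64 alphabets plus padding (RFC 3548).
B64_LINE = re.compile(rb"^[A-Za-z0-9+/=_-]+$")

# Magic numbers used to identify decoded content: a carved MIME part has no
# file-system metadata, and its declared Content-Type may be wrong or missing.
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),                                   # also OOXML Office files
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/x-ole-storage"),  # legacy Office
    (b"MZ", "application/x-dosexec"),
]


def sniff_type(blob):
    for sig, name in MAGIC:
        if blob.startswith(sig):
            return name
    return None


def decode_base64_lenient(text):
    """Decode standard or Web-safe base64, tolerating broken line wrapping and missing '='."""
    s = text.translate(bytes.maketrans(b"-_", b"+/"))   # Web-safe alphabet -> standard
    s = re.sub(rb"[^A-Za-z0-9+/]", b"", s)              # drop whitespace and any padding
    if len(s) % 4 == 1:                                  # a dangling 6-bit group cannot form a byte
        s = s[:-1]
    return base64.b64decode(s + b"=" * (-len(s) % 4))


def _header_block(lines, idx):
    """Extend from the line at idx to the contiguous header lines above and below it."""
    start = idx
    while start > 0 and HDR_LINE.match(lines[start - 1]):
        start -= 1
    end = idx
    while end + 1 < len(lines) and HDR_LINE.match(lines[end + 1]):
        end += 1
    return start, end


def carve_base64_parts(data):
    """Find every base64-encoded MIME part in raw data and decode it."""
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    parts = []
    for i, line in enumerate(lines):
        if not CTE_B64.match(line):
            continue
        start, end = _header_block(lines, i)
        headers = b"\n".join(lines[start:end + 1])
        j = end + 1
        if j < len(lines) and lines[j] == b"":       # blank line separates headers from body
            j += 1
        body = []
        while j < len(lines) and lines[j] and not lines[j].startswith(b"--") and B64_LINE.match(lines[j]):
            body.append(lines[j])                    # stop at a boundary, blank or non-base64 line
            j += 1
        if not body:
            continue
        ctype = re.search(rb"Content-Type:\s*([^;\s]+)", headers, re.I)
        fname = (re.search(rb'filename="?([^";\n]+)', headers, re.I)
                 or re.search(rb'\bname="?([^";\n]+)', headers, re.I))
        decoded = decode_base64_lenient(b"".join(body))
        parts.append({
            "content_type": ctype.group(1).decode() if ctype else None,
            "filename": fname.group(1).decode() if fname else None,
            "decoded": decoded,
            "magic_type": sniff_type(decoded),
        })
    return parts


def keyword_search(data, keyword):
    """Return (hit in raw text, [filenames of parts whose decoded content contains keyword])."""
    hits = [p["filename"] for p in carve_base64_parts(data) if keyword in p["decoded"]]
    return keyword in data, hits


def _b64_lines(blob):
    return base64.encodebytes(blob).replace(b"\n", b"\r\n")   # 76-character lines, CRLF


# Constructed sample message (not from the slides): a text attachment and a stub
# whose first bytes are a JFIF header, both carried as base64.
ATTACHMENT_TEXT = b"CONFIDENTIAL: Q3 forecast attached.\r\n"
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00" + b"\x00" * 8 + b"\xff\xd9"
RAW_MESSAGE = (
    b"From: alice@example.test\r\nTo: bob@example.test\r\nSubject: report\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"=_b42\"\r\n\r\n"
    b"--=_b42\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    b"--=_b42\r\nContent-Type: text/plain; name=\"forecast.txt\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Disposition: attachment; filename=\"forecast.txt\"\r\n\r\n" + _b64_lines(ATTACHMENT_TEXT) +
    b"--=_b42\r\nContent-Type: image/jpeg; name=\"image001.jpg\"\r\n"
    b"Content-Transfer-Encoding: base64\r\nContent-ID: <image001.jpg@constructed>\r\n\r\n" + _b64_lines(JPEG_STUB) +
    b"--=_b42--\r\n"
)

if __name__ == "__main__":
    for p in carve_base64_parts(RAW_MESSAGE):
        print(p["filename"], p["content_type"], p["magic_type"], len(p["decoded"]), "bytes")
    print(keyword_search(RAW_MESSAGE, b"CONFIDENTIAL"))
```

Run against the constructed message, the raw search for CONFIDENTIAL reports no hit while the decoded forecast.txt part does, which is exactly why an examiner's keyword list has to be run over decoded attachments, not just over the raw mail store.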

E-mail Forensics: Deleted Mail in Outlook

Outlook maintains deleted messages in the database; however, it de-references them. Most forensic tool packages automatically recover such messages. When maintenance is run on the PST, deleted E-mails are pushed into free space. However, the E-mail is not converted to plain text during this process.

E-mail Forensics: Illustration

E-mail Forensics: Outlook Compressible Encryption

OCE only prevents direct reading of the PST with a text editor or hex editor. It is routinely “broken” without cryptanalysis tools. Most forensics packages do this automatically.
OCE settings and insecurity warnings: http://support.microsoft.com/kb/829971

E-mail Forensics: Outlook Compressible Encryption

OCE is the default setting, but no encryption or high encryption can also be selected. High encryption uses a password (with typical MS Office insecurity). No encryption allows a PST to be read with a text editor.
OCE settings and insecurity warnings: http://support.microsoft.com/kb/829971

E-mail Forensics: Outlook Compressible Encryption

OCE segments can be found in free space and rendered in plain text. No-encryption segments can be found in free space by carving for RFC 822 headers.
OCE settings and insecurity warnings: http://support.microsoft.com/kb/829971
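Carving free space for RFC 822 headers, as the slide describes for no-encryption PST segments (and as the MIME headers slide notes, header fields are what is searchable), worked as an added example that is not from the slides: it scans a raw byte image for runs of header lines, keeps only runs that carry a message-level header such as From or Received, unfolds continuation lines, and reports each message's offset and fields. The image, the two messages in it, the 198.51.100.7 address and the example.test names are constructed for the example, with non-text filler standing in for unallocated bytes.

```python
import re

# A run of two or more consecutive header lines ("Name: value", or a folded
# continuation line starting with whitespace), wherever it occurs in the data;
# no anchor to line start, since carved data may begin mid-sector.
HEADER_BLOCK = re.compile(
    rb"(?:(?:[A-Za-z][A-Za-z0-9-]*:[^\r\n]*|[ \t][^\r\n]*)\r?\n){2,}"
)
# A run is only treated as a message if it carries one of these headers, which
# keeps key/value noise (INI-style text, HTTP headers) out of the results.
MESSAGE_MARKER = re.compile(rb"^(?:From|Received|Return-Path|Message-ID):", re.I | re.M)
NAME_VALUE = re.compile(rb"^[A-Za-z][A-Za-z0-9-]*:")


def unfold(block):
    """Join RFC 822 folded header lines (continuation lines start with whitespace)."""
    return re.sub(rb"\r?\n[ \t]+", b" ", block)


def carve_rfc822_headers(data, min_headers=3):
    """Locate message header blocks in raw data; return their offsets, lengths and fields."""
    found = []
    for m in HEADER_BLOCK.finditer(data):
        block = m.group(0)
        if not MESSAGE_MARKER.search(block):
            continue
        fields = {}
        for line in unfold(block).splitlines():
            if not NAME_VALUE.match(line):
                continue
            name, _, value = line.partition(b":")
            # first occurrence wins; lower-case the name so "from"/"From" match
            fields.setdefault(name.decode("ascii", "replace").lower(),
                              value.strip().decode("ascii", "replace"))
        if len(fields) < min_headers:
            continue
        found.append({"offset": m.start(), "length": len(block), "fields": fields})
    return found


# Constructed image: non-text filler (no newlines, no colons) around two
# messages and one header-like fragment that is not a message.
FILLER = bytes([0x00, 0xff, 0x13, 0x37]) * 40
MSG1 = (b"Received: from mail.example.test (198.51.100.7) by mx.example.test\r\n"
        b"\twith ESMTP id ABC123; Tue, 3 Mar 2015 10:15:00 -0500\r\n"
        b"From: alice@example.test\r\n"
        b"To: bob@example.test\r\n"
        b"Subject: budget\r\n"
        b"Date: Tue, 3 Mar 2015 10:14:55 -0500\r\n"
        b"Message-ID: <1@example.test>\r\n"
        b"\r\n"
        b"Body of message one.\r\n")
MSG2 = (b"From: carol@example.test\r\n"
        b"Subject: quarterly numbers\r\n"
        b" (draft)\r\n"
        b"Date: Wed, 4 Mar 2015 09:00:00 -0500\r\n"
        b"\r\n"
        b"Body two.\r\n")
NOISE = b"Key: value\r\nOther: thing\r\n"
SAMPLE_IMAGE = FILLER + MSG1 + FILLER + NOISE + FILLER + MSG2 + FILLER

if __name__ == "__main__":
    for hit in carve_rfc822_headers(SAMPLE_IMAGE):
        f = hit["fields"]
        print(f"0x{hit['offset']:06x}  {f.get('from', '?'):24}  {f.get('date', '?'):32}  {f.get('subject', '?')}")
```

The offsets are what matter on a real image: they tell you which sectors to export for the decoding step, and a message whose header block is intact but whose body is cut short by other data is still a usable finding.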

E-mail Recovery Trivia: Outlook .PST Files

An Outlook .PST file does not change in size when you delete something… Use a hex editor and mark positions 7-13 in the .pst file as "00". Then run scanpst to “repair.” Then import the file into Outlook. This way you get back all the deleted mails, calendar items, etc.

Server Forensics

E-mail Forensics: Exchange Servers

“If you connect to a Microsoft Exchange Server…, your e-mail messages, Calendar, and other items are delivered to and stored on the Exchange Server [in an .edb file]. If you do not connect to an Exchange Server computer, your e-mail messages, Calendar, and other items are delivered to and stored on your local computer in a .pst file.”
http://support.microsoft.com/kb/829971

Live E-mail Server Acquisitions: Brick-level Backup

The Exchange database stores messages with multiple local recipients in one instance. Brick-level backups include a copy of all the messages available to a user in the backup.

Using ExMerge: Illustration

Using ExMerge: Illustration

DO NOT import data to the server you are trying to acquire.

Using ExMerge: Illustration

The two-step procedure allows you to take the PST home.

Using ExMerge: Illustration

In multiple-domain environments, specify the name and LDAP port number of your Domain Controller.
Give the server name or DC and LDAP port for multi-domain systems.

Using ExMerge: Illustration

Be sure to have enough storage available to extract the file.

Using ExMerge: Illustration

Using ExMerge: Illustration

Using ExMerge: Illustration

Using ExMerge: Illustration

No errors, operation complete—but see the next slide for possible errors.

Using ExMerge: Illustration

Configure your user account to have full mailbox rights for the specific mailbox or mailboxes that you want to open. On Exchange 2000/2003 the Exchange Full Administrator permissions do NOT, by default, allow you to open any other user's mailbox.
OOPS! You need full rights on the mailbox you try to extract.