Guide to Computer Forensics and Investigations Third Edition Chapter 12 E-mail Investigations.

Slides:



Advertisements
Similar presentations
1. XP 2 * The Web is a collection of files that reside on computers, called Web servers. * Web servers are connected to each other through the Internet.
Advertisements

Microsoft ® Office OneNote ® 2007 Training Using your Notebook to its fullest potential Kent School District presents:
Kalpesh Vyas & Seward Khem
The Internet 8th Edition Tutorial 3 Using Web-Based Services for Communication and Collaboration.
Basic Communication on the Internet:
XP New Perspectives on Browser and Basics Tutorial 1 1 Browser and Basics Tutorial 1.
Guide to Computer Forensics and Investigations Fourth Edition
6 C H A P T E R © 2001 The McGraw-Hill Companies, Inc. All Rights Reserved1 Electronic Mail Electronic mail has revolutionized the way people communicate.
Basics. 2 Class Outline Part 1 - Introduction –Explaining –Parts of an address –Types of services –Acquiring an account.
Basic Communication on the Internet: Integrated Browser Programs and Web-Based Services Tutorial 3.
How Clients and Servers Work Together. Objectives Web Server Protocols Examine how server and client software work Use FTP to transfer files Initiate.
XP Browser and Basics1. XP Browser and Basics2 Learn about Web browser software and Web pages The Web is a collection of files that reside.
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
Computer & Network Forensics Xinwen Fu Chapter 13 Investigations.
COS/PSA 413 Day 17. Agenda Lab 8 write-up grades –3 B’s, 1 C and 1 F –Answer the Questions!!! Capstone progress report 2 overdue Today we will be discussing.
Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.
COS 413 Day 17. Agenda Quiz 2 corrected –2 A’s, 6 B’s & 1 C Assignment 5 corrected –5 B’s, 2 C’s, 1 non-submit & 1 corrupt file that I cannot read Lab.
Browser and Basics Tutorial 1. Learn about Web browser software and Web pages The Web is a collection of files that reside on computers, called.
Guide to Operating System Security Chapter 10 Security.
-I CS-3505 Wb_ -I.ppt. 4 The most useful feature of the internet 4 Lots of different programs, but most of them can talk to each.
Using Microsoft Outlook: Basics. Objectives Guided Tour of Outlook –Identification –Views Basics –Contacts –Folders –Web Access Q&A.
» Explain the way that electronic mail ( ) works » Configure an client » Identify message components » Create and send messages.
Hands-on: Capturing an Image with AccessData FTK Imager
Guide to Computer Forensics and Investigations Fourth Edition Chapter 12 Investigations.
Technology ICT Option: . Electronic mail is the transmission of mainly text based messages across networks This can be within a particular.
Section 6.1 Explain the development of operating systems Differentiate between operating systems Section 6.2 Demonstrate knowledge of basic GUI components.
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.
Computer Concepts 2014 Chapter 7 The Web and .
1 Outlook Lesson 1 Outlook Basics and Microsoft Office 2010 Introductory Pasewark & Pasewark.
Computer Forensic Evidence Collection and Management Chapter 12 and Internet Investigations.
Pasewark & Pasewark 1 Outlook Lesson 1 Outlook Basics and Microsoft Office 2007: Introductory.
Prepared by: Ms Melinda Chung Chapter 3: Basic Communication on the Internet: .
Backup Local Online For secure offsite storage of your , and making it available from any computer or smart phone. Backup accessed with.
8. Internet and . Topics Internet Web browsers and evidence they create function and forensics Chat and social networking evidence.
Computer Networking From LANs to WANs: Hardware, Software, and Security Chapter 12 Electronic Mail.
Module 8: Managing Client Configuration and Connectivity.
Back to content Final Presentation Mr. Phay Sok Thea, class “2B”, group 3, Networking Topic: Mail Client “Outlook Express” *At the end of the presentation.
Guide to Computer Forensics and Investigations, Second Edition Chapter 13 Investigations.
and Webmail Forensics. 2 Objectives Understand the flow of electronic mail across a network Explain the difference between resident e- mail client.
Windows Internet Explorer 9 Chapter 1 Introduction to Internet Explorer.
XP New Perspectives on Browser and Basics Tutorial 1 1 Browser and Basics Tutorial 1.
Guide to Computer Forensics and Investigations Fourth Edition Unit 8 Investigations.
CIM6400 CTNW (04/05) 1 CIM6400 CTNW Lesson 6 – More on Windows 2000.
Microsoft Outlook 2007 Basics Distance Learning (860) 343 – 5756 Chapman 633/632 Middlesex Community College Visit
5 Chapter Five Web Servers. 5 Chapter Objectives Learn about the Microsoft Personal Web Server Software Learn how to improve Web site performance Learn.
(or ?) Short for Electronic Mail The transmission of messages over networks.
Windows Tutorial 4 Working with the Internet and
The Internet 8th Edition Tutorial 2 Basic Communication on the Internet: .
Basics. 2 Professional Development Centre Class Outline Part 1 - Introduction –Explaining –Parts of an address –Types of services.
What is and How Does it Work?  Electronic mail ( ) is the most popular use of the Internet. It is a fast and inexpensive way of sending messages.
Unit 2—Using the Computer Lesson 14 and Electronic Communication.
Pasewark & Pasewark Microsoft Office 2003: Introductory 1 INTRODUCTORY MICROSOFT OUTLOOK Lesson 1 – Outlook Basics and .
Chapter 9 Sending and Attachments. 2Practical PC 5 th Edition Chapter 9 Getting Started In this Chapter, you will learn: − How works − How.
Concepts  messages are passed through the internet by using a protocol called simple mail transfer protocol.  The incoming messages are.
The Internet 8th Edition Tutorial 3 Using Web-Based Services for Communication and Collaboration.
NetTech Solutions Microsoft Outlook and Outlook Express Lesson Four.
NetTech Solutions Troubleshooting Office Applications Lesson Seven.
Technical Awareness on Analysis of Headers.
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter One Introduction to Exchange Server 2003.
Chapter 9 Sending and Attachments. Sending and Attachments FAQs: – How does work? – How do I use local ? – How do I use Web-based.
Guide to Computer Forensics and Investigations Fifth Edition
SAK 4801 INTRODUCTION TO COMPUTER FORENSICS Chapter 9 Tracking s and Investigating Crimes Mohd Taufik Abdullah Department of Computer Science.
Windows Vista Configuration MCTS : Productivity Applications.
Objectives Understand the flow of electronic mail across a network
Internet Business Associate v2.0
Guide to Computer Forensics and Investigations Fifth Edition
Technology ICT Option: .
Unit-V Investigations
Technology ICT Option: .
Guide to Computer Forensics and Investigations Third Edition
Presentation transcript:

Guide to Computer Forensics and Investigations Third Edition Chapter 12 Investigations

Guide to Computer Forensics and Investigations2 Objectives Explain the role of in investigations Describe client and server roles in Describe tasks in investigating crimes and violations Explain the use of server logs Describe some available computer forensics tools

Guide to Computer Forensics and Investigations3 Exploring the Role of in Investigations With the increase in scams and fraud attempts with phishing or spoofing –Investigators need to know how to examine and interpret the unique content of messages Phishing s are in HTML format –Which allows creating links to text on a Web page One of the most noteworthy scams was 419, or the Nigerian Scam Spoofing can be used to commit fraud

Guide to Computer Forensics and Investigations4 Exploring the Roles of the Client and Server in Send and receive in two environments –Internet –Controlled LAN, MAN, or WAN Client/server architecture –Server OS and software differs from those on the client side Protected accounts –Require usernames and passwords

Guide to Computer Forensics and Investigations5 Exploring the Roles of the Client and Server in (continued)

Guide to Computer Forensics and Investigations6 Exploring the Roles of the Client and Server in (continued) Name conventions –Corporate: –Public: –Everything belongs to the domain name Tracing corporate s is easier –Because accounts use standard names the administrator establishes

Guide to Computer Forensics and Investigations7 Investigating Crimes and Violations Similar to other types of investigations Goals –Find who is behind the crime –Collect the evidence –Present your findings –Build a case

Guide to Computer Forensics and Investigations8 Investigating Crimes and Violations (continued) Depend on the city, state, or country –Example: spam –Always consult with an attorney Becoming commonplace Examples of crimes involving s –Narcotics trafficking –Extortion –Sexual harassment –Child abductions and pornography

Guide to Computer Forensics and Investigations9 Examining Messages Access victim’s computer to recover the evidence Using the victim’s client –Find and copy evidence in the –Access protected or encrypted material –Print s Guide victim on the phone –Open and copy including headers Sometimes you will deal with deleted s

Guide to Computer Forensics and Investigations10 Examining Messages (continued) Copying an message –Before you start an investigation You need to copy and print the involved in the crime or policy violation –You might also want to forward the message as an attachment to another address With many GUI programs, you can copy an by dragging it to a storage medium –Or by saving it in a different location

Guide to Computer Forensics and Investigations11 Examining Messages (continued)

Guide to Computer Forensics and Investigations12 Viewing Headers Learn how to find headers –GUI clients –Command-line clients –Web-based clients After you open headers, copy and paste them into a text document –So that you can read them with a text editor Headers contain useful information –Unique identifying numbers, IP address of sending server, and sending time

Guide to Computer Forensics and Investigations13 Viewing Headers (continued) Outlook –Open the Message Options dialog box –Copy headers –Paste them to any text editor Outlook Express –Open the message Properties dialog box –Select Message Source –Copy and paste the headers to any text editor

Guide to Computer Forensics and Investigations14 Viewing Headers (continued)

Guide to Computer Forensics and Investigations15 Viewing Headers (continued)

Guide to Computer Forensics and Investigations16

Guide to Computer Forensics and Investigations17 Viewing Headers (continued) Novell Evolution –Click View, All Message Headers –Copy and paste the header Pine and ELM –Check enable-full-headers AOL headers –Click Action, View Message Source –Copy and paste headers

Guide to Computer Forensics and Investigations18 Viewing Headers (continued)

Guide to Computer Forensics and Investigations19 Viewing Headers (continued)

Guide to Computer Forensics and Investigations20 Viewing Headers (continued)

Guide to Computer Forensics and Investigations21 Viewing Headers (continued)

Guide to Computer Forensics and Investigations22 Viewing Headers (continued) Hotmail –Click Options, and then click the Mail Display Settings –Click the Advanced option button under Message Headers –Copy and paste headers Apple Mail –Click View from the menu, point to Message, and then click Long Header –Copy and paste headers

Guide to Computer Forensics and Investigations23 Viewing Headers (continued)

Guide to Computer Forensics and Investigations24 Viewing Headers (continued)

Guide to Computer Forensics and Investigations25 Viewing Headers (continued) Yahoo –Click Mail Options –Click General Preferences and Show All headers on incoming messages –Copy and paste headers

Guide to Computer Forensics and Investigations26

Guide to Computer Forensics and Investigations27 Examining Headers Gather supporting evidence and track suspect –Return path –Recipient’s address –Type of sending service –IP address of sending server –Name of the server –Unique message number –Date and time was sent –Attachment files information

Guide to Computer Forensics and Investigations28 Examining Headers (continued)

Guide to Computer Forensics and Investigations29 Examining Additional Files messages are saved on the client side or left at the server Microsoft Outlook uses.pst and.ost files Most programs also include an electronic address book In Web-based –Messages are displayed and saved as Web pages in the browser’s cache folders –Many Web-based providers also offer instant messaging (IM) services

Guide to Computer Forensics and Investigations30 Tracing an Message Contact the administrator responsible for the sending server Finding domain name’s point of contact – – – – Find suspect’s contact information Verify your findings by checking network logs against addresses

Guide to Computer Forensics and Investigations31 Using Network Logs Router logs –Record all incoming and outgoing traffic –Have rules to allow or disallow traffic –You can resolve the path a transmitted has taken Firewall logs –Filter traffic –Verify whether the passed through You can use any text editor or specialized tools

Guide to Computer Forensics and Investigations32 Using Network Logs (continued)

Guide to Computer Forensics and Investigations33 Understanding Servers Computer loaded with software that uses protocols for its services –And maintains logs you can examine and use in your investigation storage –Database –Flat file Logs –Default or manual –Continuous and circular

Guide to Computer Forensics and Investigations34 Understanding Servers (continued) Log information – content –Sending IP address –Receiving and reading date and time –System-specific information Contact suspect’s network administrator as soon as possible Servers can recover deleted s –Similar to deletion of files on a hard drive

Guide to Computer Forensics and Investigations35 Understanding Servers (continued)

Guide to Computer Forensics and Investigations36 Examining UNIX Server Logs /etc/sendmail.cf –Configuration information for Sendmail /etc/syslog.conf –Specifies how and which events Sendmail logs /var/log/maillog –SMTP and POP3 communications IP address and time stamp Check UNIX man pages for more information

Guide to Computer Forensics and Investigations37 Examining UNIX Server Logs (continued)

Guide to Computer Forensics and Investigations38 Examining UNIX Server Logs (continued)

Guide to Computer Forensics and Investigations39 Examining Microsoft Server Logs Microsoft Exchange Server (Exchange) –Uses a database –Based on Microsoft Extensible Storage Engine Information Store files –Database files *.edb Responsible for MAPI information –Database files *.stm Responsible for non-MAPI information

Guide to Computer Forensics and Investigations40 Examining Microsoft Server Logs (continued) Transaction logs –Keep track of databases Checkpoints –Keep track of transaction logs Temporary files communication logs –res#.log Tracking.log –Tracks messages

Guide to Computer Forensics and Investigations41 Examining Microsoft Server Logs (continued)

Guide to Computer Forensics and Investigations42 Examining Microsoft Server Logs (continued) Troubleshooting or diagnostic log –Logs events –Use Windows Event Viewer –Open the Event Properties dialog box for more details about an event

Guide to Computer Forensics and Investigations43 Examining Microsoft Server Logs (continued)

Guide to Computer Forensics and Investigations44 Examining Microsoft Server Logs (continued)

Guide to Computer Forensics and Investigations45 Examining Novell GroupWise Logs Up to 25 databases for users –Stored on the Ofuser directory object –Referenced by a username, an unique identifier, and.db extension Shares resources with server databases Mailboxes organizations –Permanent index files –QuickFinder

Guide to Computer Forensics and Investigations46 Examining Novell GroupWise Logs (continued) Folder and file structure can be complex –It uses Novell directory structure Guardian –Directory of every database –Tracks changes in the GroupWise environment –Considered a single point of failure Log files –GroupWise generates log files (.log extension) maintained in a standard log format in GroupWise folders

Guide to Computer Forensics and Investigations47 Using Specialized Forensics Tools Tools include: –AccessData’s Forensic Toolkit (FTK) –ProDiscover Basic –FINAL –Sawmill-GroupWise –DBXtract –Fookes Aid4Mail and MailBag Assistant –Paraben Examiner –Ontrack Easy Recovery Repair –R-Tools R-Mail

Guide to Computer Forensics and Investigations48 Using Specialized Forensics Tools (continued) Tools allow you to find: – database files –Personal files –Offline storage files –Log files Advantage –Do not need to know how servers and clients work

Guide to Computer Forensics and Investigations49 Using Specialized Forensics Tools (continued) FINAL –Scans database files –Recovers deleted s –Searches computer for other files associated with e- mail

Guide to Computer Forensics and Investigations50 Using Specialized Forensics Tools (continued)

Guide to Computer Forensics and Investigations51

Guide to Computer Forensics and Investigations52 Using AccessData FTK to Recover FTK –Can index data on a disk image or an entire drive for faster data retrieval –Filters and finds files specific to clients and servers To recover from Outlook and Outlook Express –AccessData integrated dtSearch dtSearch builds a b-tree index of all text data in a drive, an image file, or a group of files

Guide to Computer Forensics and Investigations53

Guide to Computer Forensics and Investigations54 Using AccessData FTK to Recover (continued)

Guide to Computer Forensics and Investigations55

Guide to Computer Forensics and Investigations56 Using AccessData FTK to Recover (continued)

Guide to Computer Forensics and Investigations57 Using AccessData FTK to Recover (continued)

Guide to Computer Forensics and Investigations58 Using AccessData FTK to Recover (continued)

Guide to Computer Forensics and Investigations59 Using a Hexadecimal Editor to Carve Messages Very few vendors have products for analyzing e- mail in systems other than Microsoft mbox format –Stores s in flat plaintext files Multipurpose Internet Mail Extensions (MIME) format –Used by vendor-unique file systems, such as Microsoft.pst or.ost Example: carve messages from Evolution

Guide to Computer Forensics and Investigations60

Guide to Computer Forensics and Investigations61

Guide to Computer Forensics and Investigations62 Using a Hexadecimal Editor to Carve Messages (continued)

Guide to Computer Forensics and Investigations63 Using a Hexadecimal Editor to Carve Messages (continued)

Guide to Computer Forensics and Investigations64 Summary fraudsters use phishing and spoofing scam techniques Send and receive via Internet or a LAN –Both environments use client/server architecture investigations are similar to other kinds of investigations Access victim’s computer to recover evidence –Copy and print the message involved in the crime or policy violation Find headers

Guide to Computer Forensics and Investigations65 Summary (continued) Investigating abuse –Be familiar with servers and clients’ operations Check – message files, headers, and server log files Currently, only a few forensics tools can recover deleted Outlook and Outlook Express messages For applications that use the mbox format, a hexadecimal editor can be used to carve messages manually

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.