E-Mail and Webmail Forensics

Presentation transcript:

E-Mail and Webmail Forensics

2 Objectives
 Understand the flow of electronic mail across a network
 Explain the difference between resident e-mail client programs and webmail
 Identify the components of e-mail headers
 Understand the flow of instant messaging across the network

3 Introduction
E-mail has transcended social boundaries and moved from a convenient way to communicate to a corporate requirement. In many cases, incriminating, unintentional documentation of people's activities and attitudes can be found through computer forensics of e-mail.

4 Investigating E-mail Crimes and Violations
Similar to other types of investigations
Goals
 Find who is behind the crime
 Collect the evidence
 Present your findings
 Build a case

5 Investigating E-mail Crimes and Violations (continued)
Becoming commonplace
Examples of crimes involving e-mails
 Narcotics trafficking
 Extortion
 Sexual harassment
 Child abductions and pornography

6 In Practice: E-mail in Senate Investigations of Finance Companies
Financial institutions helped Enron manipulate its numbers and mislead investors
E-mail proved that banks such as JPMorgan Chase knew very well how Enron was hiding its debt

7 Importance of E-mail as Evidence
E-mail can be pivotal evidence in a case
Due to its informal nature, it does not always represent corporate policy
Many other cases provide examples of the use of e-mail as evidence
 Knox v. State of Indiana
 Harley v. McCoach
 Nardinelli et al. v. Chevron

8 Working with E-mail
Can be used by prosecutors or defense parties
Two standard methods to send and receive e-mail
 Client/server applications
 Webmail

9 Working with E-mail (Cont.)
E-mail data flow
 User has a client program such as Outlook or Eudora
 Client program is configured to work with one or more e-mail servers
 E-mails sent by the client reside on the PC
 A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers

10 Working with E-mail (Cont.)
Sending e-mail
 User creates e-mail on her client
 User issues send command
 Client moves e-mail to Outbox
 Server acknowledges client and authenticates account
 Client sends e-mail to the server
 Server sends e-mail to destination server
 If the client cannot connect with the server, it keeps trying

11 Working with E-mail (Cont.)
Receiving e-mail
 User opens client and logs on
 User issues receive command
 Client contacts server
 Server acknowledges, authenticates, and contacts the mailbox for the account
 Mail downloaded to local computer
 Messages placed in Inbox to be read
 POP deletes messages from server; IMAP retains copy on server
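The sending and receiving flow on the last three slides, worked through as an added example that is not part of the slide deck: a toy in-memory mail server (hostnames, account names and passwords are constructed, and the "user:password" AUTH form is a simplification rather than real SASL) answers the client's commands, authenticates the account, stamps a Received: header on accepted mail and writes a log line, which is exactly the evidence the later slides on headers and server logs rely on. The POP3/IMAP difference from the receiving slide is modelled by the two fetch functions.

```python
from datetime import datetime, timezone
from email.utils import format_datetime


class ToyMailServer:
    """A tiny in-memory stand-in for the e-mail server in the slides' data flow.
    It answers SMTP-style commands one line at a time, stamps a Received:
    header on accepted mail, and keeps a log; nothing touches the network."""

    def __init__(self, hostname, accounts, clock):
        self.hostname = hostname
        self.accounts = accounts                # user -> password (constructed)
        self.mailboxes = {u: [] for u in accounts}
        self.log = []                           # what an investigator would later pull
        self.clock = clock                      # callable returning an aware datetime

    def session(self, client_host, client_ip, commands, message):
        """commands: the client's lines in order; message: the raw headers+body the
        client would send after DATA (passed separately to keep the toy short).
        Returns the server's replies: the greeting, then one reply per command."""
        replies = ["220 %s ESMTP ready" % self.hostname]
        authed, mail_from, rcpt_to = False, None, []
        for line in commands:
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                reply = "250 %s" % self.hostname
            elif verb == "AUTH":                # toy "user:password" form, not real SASL
                user, _, password = arg.partition(":")
                authed = self.accounts.get(user) == password
                self.log.append("%s AUTH user=%s ip=%s result=%s" % (
                    self.clock().isoformat(), user, client_ip, "ok" if authed else "FAILED"))
                reply = "235 authenticated" if authed else "535 authentication failed"
            elif verb in ("MAIL", "RCPT"):
                if not authed:
                    reply = "530 authentication required"
                else:
                    addr = arg.split(":", 1)[1].strip(" <>")
                    if verb == "MAIL":
                        mail_from, reply = addr, "250 sender ok"
                    elif addr.split("@")[0] in self.mailboxes:
                        rcpt_to.append(addr.split("@")[0])
                        reply = "250 recipient ok"
                    else:
                        reply = "550 no such user"
            elif verb == "DATA":
                if not (authed and mail_from and rcpt_to):
                    reply = "503 bad sequence of commands"
                else:
                    now = self.clock()
                    # The relay records who handed it the message and when.
                    stamped = "Received: from %s [%s] by %s with ESMTPA; %s\r\n%s" % (
                        client_host, client_ip, self.hostname, format_datetime(now), message)
                    for user in rcpt_to:
                        self.mailboxes[user].append(stamped)
                    self.log.append("%s MSG from=<%s> to=%s ip=%s size=%d" % (
                        now.isoformat(), mail_from, ",".join(rcpt_to), client_ip, len(stamped)))
                    reply = "250 queued"
            elif verb == "QUIT":
                reply = "221 bye"
            else:
                reply = "500 command not recognized"
            replies.append(reply)
        return replies


def pop_retrieve(server, user):
    """POP3 as on the slide: download, then delete the server's copy."""
    msgs, server.mailboxes[user] = list(server.mailboxes[user]), []
    return msgs


def imap_fetch(server, user):
    """IMAP as on the slide: the server keeps its copy."""
    return list(server.mailboxes[user])


def run_demo():
    """Constructed scenario: one successful send, then one failed logon attempt."""
    clock = lambda: datetime(2014, 3, 3, 15, 15, 28, tzinfo=timezone.utc)
    srv = ToyMailServer("smtp.example.org",
                        {"alice": "pw-constructed", "bob": "pw-constructed"}, clock)
    message = ("From: Alice <alice@example.org>\r\nTo: Bob <bob@example.org>\r\n"
               "Subject: Quarterly numbers\r\n\r\nSheet attached.\r\n")
    ok = srv.session("alice-pc", "203.0.113.45",
                     ["EHLO alice-pc", "AUTH alice:pw-constructed",
                      "MAIL FROM:<alice@example.org>", "RCPT TO:<bob@example.org>",
                      "DATA", "QUIT"], message)
    bad = srv.session("unknown", "198.51.100.99",
                      ["EHLO x", "AUTH alice:guess", "MAIL FROM:<alice@example.org>", "QUIT"], "")
    return srv, ok, bad
```

After `run_demo()`, `srv.mailboxes["bob"]` holds the message with its Received: stamp and `srv.log` holds both the failed logon and the accepted message, which is the server-side material the later slides describe harvesting.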

12 Working with E-mail (Cont.)
Working with resident e-mail files
 Users are able to work offline with e-mail
 E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized
 Begin by identifying e-mail clients on the system
 You can also search by file extensions of common clients

13 Working with E-mail (Cont.)

Client           Extension  Type of File
Eudora           .mbx       Eudora message base
Outlook Express  .dbx       OE mail database
                 .dgr       OE fax page
                 .          OE mail message
                 .eml       OE electronic mail
Outlook          .pab       Personal address book
                 .pst       Personal folder
                 .wab       Windows address book
(Continued)

14 Working with E-mail (Cont.)
Popular e-mail clients:
 Outlook Express—installed by default with Windows
 Outlook—bundled with Microsoft Office
 Eudora—popular free client

15 Working with Webmail
Webmail data flow
 User opens a browser and logs in to the webmail interface
 Webmail server has already placed mail in the Inbox
 User uses the compose function followed by the send function to create and send mail
 Web client communicates behind the scenes with the webmail server to send the message
 No e-mails are stored on the local PC; the webmail provider houses all e-mail

16 Working with Webmail (Cont.)
Working with webmail files
 Entails a bit more effort to locate files
 Temporary files are a good place to start
 Useful keywords for webmail programs include:
   Yahoo! Mail: ShowLetter, ShowFolder, Compose, "Yahoo! Mail"
   Hotmail: HoTMail, hmhome, getmsg, doattach, compose
   Gmail: mail[#]

17 Working with Webmail (Cont.)

Type of Protocol                 POP3                                        IMAP    Webmail
E-mail accessible from anywhere  No                                          Yes     Yes
Remains stored on server         No (unless included in a backup of server)  Yes     Yes, unless POP3 was used too
Dependence on Internet           Moderate                                    Strong  Strong
Special software required        Yes                                         Yes     No

18 Examining E-mail Messages
Access the victim's computer to recover the evidence
Using the victim's e-mail client
 Find and copy evidence in the e-mail
 Guide the victim on the phone
 Open and copy the e-mail, including headers
Sometimes you will deal with deleted e-mails

19 Examining E-mail Messages (continued)
Copying an e-mail message
 Before you start an e-mail investigation, you need to copy and print the e-mail involved in the crime or policy violation
 You might also want to forward the message as an attachment to another e-mail address
With many GUI e-mail programs, you can copy an e-mail by dragging it to a storage medium
 Or by saving it in a different location

20 Examining E-mail Messages (continued)

21 Examining E-mail Messages (continued)
Understanding e-mail headers
 The header records information about the sender, the receiver, and the servers the message passes along the way
 Most e-mail clients show the header in a short form that does not reveal IP addresses
 Most programs have an option to show a long form that reveals complete details

22 Examining E-mails for Evidence (Cont.)
The most common parts of the header are the logical addresses of senders and receivers
A logical address is composed of two parts
 The mailbox, which comes before the @ sign
 The domain or hostname, which comes after the @ sign
The mailbox is generally the userid used to log in to the e-mail server
The domain is the Internet location of the e-mail server that transmits the e-mail

23 Examining E-mails for Evidence (Cont.)
Reviewing e-mail headers can offer clues to the true origin of the mail and the program used to send it
Common header fields include:
 Bcc
 Cc
 Content-Type
 Date
 From
 Message-ID
 Received
 Subject
 To
 X-Priority
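Header review in practice, as an added example that is not part of the slides: the script below parses a raw header block (the long-form view the earlier slide mentions), lists the Received hops in chronological order, pulls out the IP address each relay recorded, and compares the From domain with the Message-ID domain as one of the origin clues the slide refers to. The sample header block is constructed for this example; its hosts and addresses come from documentation ranges and belong to no real case.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: a raw header block as copied from a client's
# "message source" view. Each relay prepends its own Received: line, so the
# topmost line is the last hop and the bottom one is closest to the sender.
SAMPLE_HEADERS = """Return-Path: <alice@example.org>
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
\tby mail.example.com with ESMTP id u1A2b3C4
\tfor <bob@example.com>; Mon, 03 Mar 2014 10:15:32 -0500
Received: from smtp.example.org (smtp.example.org [198.51.100.7])
\tby mx2.example.net with ESMTP id k9L8m7N6;
\tMon, 03 Mar 2014 10:15:30 -0500
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby smtp.example.org with ESMTPA id p5Q4r3S2;
\tMon, 03 Mar 2014 10:15:28 -0500
Message-ID: <20140303151528.12345@example.org>
Date: Mon, 03 Mar 2014 10:15:27 -0500
From: Alice <alice@example.org>
To: Bob <bob@example.com>
Subject: Quarterly numbers
X-Mailer: ExampleClient 1.0
Content-Type: text/plain; charset="us-ascii"

"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw):
    """Return the Received hops oldest-first: from/by hosts, first IPv4 seen,
    and the timestamp each relay wrote after the ';'."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # bottom line = first hop
        flat = " ".join(value.split())                     # unfold continuation lines
        from_host = re.search(r"from (\S+)", flat)
        by_host = re.search(r"by (\S+)", flat)
        ip = IPV4_RE.search(flat)
        when = None
        if ";" in flat:
            try:
                when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                when = None                                # keep the hop, flag no time
        hops.append({"from": from_host.group(1) if from_host else None,
                     "by": by_host.group(1) if by_host else None,
                     "ip": ip.group(1) if ip else None,
                     "time": when})
    return hops


def origin_summary(raw):
    """The facts an examiner notes first: originating IP, first relay, the
    sending program, and whether From and Message-ID name the same domain."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    from_domain = msg.get("From", "").rsplit("@", 1)[-1].rstrip(">")
    msgid_domain = msg.get("Message-ID", "").rsplit("@", 1)[-1].rstrip(">")
    return {
        "originating_ip": hops[0]["ip"] if hops else None,
        "first_relay": hops[0]["by"] if hops else None,
        "mailer": msg.get("X-Mailer"),
        "from_domain": from_domain,
        "message_id_domain": msgid_domain,
        "domains_agree": from_domain == msgid_domain,
    }
```

Relays can forge the Received lines below their own, so the earliest hops are only as trustworthy as the server that wrote them; the timestamps should increase from hop to hop, and a gap or reversal is itself a finding to record.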

24 Viewing E-mail Headers (continued)
Outlook
 Open the Message Options dialog box
 Copy the headers
 Paste them into any text editor
Outlook Express
 Open the message Properties dialog box
 Select Message Source
 Copy and paste the headers into any text editor

25 Viewing E-mail Headers (continued)

26 Viewing E-mail Headers (continued)


28 Viewing E-mail Headers (continued)
Hotmail
 Demo!
Apple Mail
 Click View from the menu, point to Message, and then click Long Header
 Copy and paste the headers

29 Viewing E-mail Headers (continued)

30 Viewing E-mail Headers (continued)

31 Viewing E-mail Headers (continued)
Yahoo
 Demo


33 Examining Additional E-mail Files
E-mail messages are saved on the client side or left on the server
Microsoft Outlook uses a .pst file
Most e-mail programs also include an electronic address book
In Web-based e-mail
 Messages are displayed and saved as Web pages in the browser's cache folders

34 Examining E-mails for Evidence (Cont.)
Understanding e-mail attachments
 The MIME standard allows for HTML and multimedia images in e-mail
 Searching for base64 can find attachments in unallocated or slack space
Anonymous remailers
 Allow users to remove identifying IP data to maintain privacy
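The "search for base64" tip from the slide, carried through as an added example that is not part of the deck: the script scans a raw byte buffer standing in for unallocated or slack space, finds runs of base64 text shaped the way MIME encoders write them (76-column lines), decodes each run and names the carved file from its magic bytes. The buffer, the PNG and PDF stubs inside it, and the filler around them are all constructed for this example.

```python
import base64
import binascii
import re

# A run of base64 text: groups of four alphabet characters, each optionally
# followed by one line break (MIME wraps at 76 columns, a multiple of four),
# at least 16 groups long, with optional "=" padding at the very end.
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{4}(?:\r?\n)?){16,}(?:[A-Za-z0-9+/]{2,3}=?=?)?")

# Magic bytes used to name what was carved.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip/office",
}


def sniff(data):
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def carve_base64(buf):
    """Return (offset, kind, decoded_bytes) for every decodable base64 run in buf."""
    hits = []
    for m in B64_RUN.finditer(buf):
        run = re.sub(rb"\r?\n", b"", m.group(0))      # join the wrapped lines
        run = run[: len(run) - len(run) % 4]         # drop stray trailing characters
        try:
            data = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue                                  # looked like base64, was not
        hits.append((m.start(), sniff(data), data))
    return hits


# --- constructed sample "unallocated space" -------------------------------
PNG_STUB = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + bytes(range(100))
PDF_STUB = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n" + bytes(range(55))
# Filler with only short alphanumeric words, as real slack space tends to have.
FILLER = b"\x00\x00\xff\xfe <slack abcd1234 data> \x00\x01\x02\x03\r\n" * 8


def mime_wrap(data, width=76):
    """Encode as a MIME body part would: base64 broken into 76-column lines."""
    enc = base64.b64encode(data)
    return b"\r\n".join(enc[i:i + width] for i in range(0, len(enc), width))


SAMPLE_SPACE = (FILLER
                + b'Content-Type: image/png; name="chart.png"\r\n'
                + b"Content-Transfer-Encoding: base64\r\n\r\n" + mime_wrap(PNG_STUB) + b"\r\n"
                + FILLER
                + b"Content-Transfer-Encoding: base64\r\n\r\n" + mime_wrap(PDF_STUB) + b"\r\n"
                + FILLER)
```

Each hit's offset is where the run begins in the buffer, so it can be cited in the examiner's notes and confirmed in a hex editor; a decoded run whose type sniffs as "unknown" still deserves a look, since a text attachment has no magic bytes.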

35 Tracing an E-mail Message
Contact the administrator responsible for the sending server
Finding a domain name's point of contact
 American Registry for Internet Numbers
 
 
Find the suspect's contact information
Verify your findings by checking network e-mail logs against the e-mail addresses

36 Using Network E-mail Logs
Router logs
 Record all incoming and outgoing traffic
 Have rules to allow or disallow traffic
 You can resolve the path a transmitted e-mail has taken
Firewall logs
 Filter e-mail traffic
 Verify whether the e-mail passed through
You can use any text editor or specialized tools
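Verifying from firewall logs whether an e-mail passed through, as an added example that is not part of the slides: the script parses a simple connection-log format (the format and every log line below are constructed for this example, not a real firewall's output), keeps the sessions to mail ports, and checks whether the suspect workstation reached the mail server within a short window of the message's Date header. A function for dropped direct port-25 attempts shows the other side of the same log: a client trying to bypass the corporate server.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed firewall log: time host ACTION PROTO src:port -> dst:port.
# One line is deliberately in another shape to show that parsing skips it.
SAMPLE_LOG = """\
2014-03-03T15:14:59Z fw1 ACCEPT TCP 10.0.5.23:51420 -> 93.184.216.34:443
2014-03-03T15:15:26Z fw1 ACCEPT TCP 10.0.5.23:51422 -> 198.51.100.7:587
2014-03-03T15:15:27Z fw1 ACCEPT TCP 10.0.5.88:40311 -> 198.51.100.7:25
2014-03-03T15:15:30Z fw1 NOTICE link state change on eth1
2014-03-03T15:15:31Z fw1 DROP TCP 10.0.5.23:51425 -> 203.0.113.9:25
2014-03-03T15:40:02Z fw1 ACCEPT TCP 10.0.5.23:51499 -> 198.51.100.7:587
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (ACCEPT|DROP) (TCP|UDP) "
                     r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
SMTP_PORTS = {25, 465, 587}          # submission and relay ports


def parse_log(text):
    """Turn log lines into records; lines that do not fit the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, action, proto, src, sport, dst, dport = m.groups()
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "host": host, "action": action, "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
        })
    return records


def smtp_sessions(records):
    """Only the traffic an e-mail could have travelled over."""
    return [r for r in records if r["proto"] == "TCP" and r["dport"] in SMTP_PORTS]


def corroborate(records, src_ip, mail_server_ip, date_header, window_minutes=2):
    """Accepted mail-port sessions from src_ip to the mail server within the
    window around the RFC 2822 Date header of the message under review."""
    sent_at = parsedate_to_datetime(date_header)          # aware datetime
    window = timedelta(minutes=window_minutes)
    return [r for r in smtp_sessions(records)
            if r["src"] == src_ip and r["dst"] == mail_server_ip
            and r["action"] == "ACCEPT" and abs(r["time"] - sent_at) <= window]


def blocked_direct_smtp(records):
    """Dropped connections straight to port 25: a client trying to send around
    the organisation's mail server, which the policy-violation slides care about."""
    return [r for r in records if r["action"] == "DROP" and r["dport"] == 25]
```

The Date header is set by the sender's clock, so the window should be widened when the client and firewall clocks are known to disagree, and the Received timestamp stamped by the first relay is usually the better anchor when it is available.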

37 Using Network E-mail Logs (continued)

38 Understanding E-mail Servers
Maintain logs you can examine and use in your investigation
E-mail storage
 Database
 Flat file
Logs

39 Understanding E-mail Servers (continued)
Log information
 E-mail content
 Sending IP address
 Receiving and reading date and time
 System-specific information
Contact the suspect's network e-mail administrator as soon as possible
Servers can recover deleted e-mails
 Similar to deletion of files on a hard drive

40 Using Specialized E-mail Forensics Tools
Tools include:
 AccessData's Forensic Toolkit (FTK)
 ProDiscover Basic
 FINALeMAIL
 Sawmill-GroupWise
 DBXtract
 Fookes Aid4Mail and MailBag Assistant
 Paraben E-mail Examiner
 Ontrack Easy Recovery EmailRepair
 R-Tools R-Mail

41 Using Specialized E-mail Forensics Tools (continued)
Tools allow you to find:
 E-mail database files
 Personal e-mail files
 Offline storage files
 Log files
Advantage
 Do not need to know how e-mail servers and clients work

42 Using AccessData FTK to Recover E-mail
FTK
 Can index data on a disk image or an entire drive for faster data retrieval
 Filters and finds files specific to e-mail clients and servers

43 Using a Hexadecimal Editor to Carve E-mail Messages
Very few vendors have products for analyzing e-mail in systems other than Microsoft
Example: carve e-mail messages from Evolution



46 Using a Hexadecimal Editor to Carve E-mail Messages (continued)

47 Using a Hexadecimal Editor to Carve E-mail Messages (continued)
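The carving the hex-editor slides demonstrate by hand, automated as an added example that is not part of the deck: the script scans a raw byte buffer for mbox-style "From sender date" separator lines (the layout used by older Evolution local folders and by many Unix mail clients; it does not cover Evolution's index files or Maildir layouts), cuts each candidate at the next separator or run of NUL bytes, parses the result as an RFC 822 message and keeps only candidates that carry From and Date headers. The "disk image" below, its two messages and its decoy separator are all constructed for this example.

```python
import re
from email import message_from_bytes

# mbox separator: "From sender@host Dow Mon dd hh:mm:ss yyyy", at the start of
# the buffer or right after a newline or a NUL byte (carved data rarely begins
# on a clean line). The strict date shape keeps "From what I saw" in a body from
# being taken as a separator.
SEP_RE = re.compile(rb"(?:^|(?<=[\n\x00]))From \S+ +[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} "
                    rb"\d{2}:\d{2}:\d{2} \d{4}\r?\n")
NUL_RUN = re.compile(rb"\x00{4,}")


def carve_mbox_messages(buf):
    """Return one dict per plausible message found in buf, with its offset."""
    found = []
    seps = list(SEP_RE.finditer(buf))
    for i, sep in enumerate(seps):
        limit = seps[i + 1].start() if i + 1 < len(seps) else len(buf)
        chunk = buf[sep.end():limit]            # headers + body, envelope line removed
        cut = NUL_RUN.search(chunk)             # deleted data often ends in NUL padding
        if cut:
            chunk = chunk[:cut.start()]
        msg = message_from_bytes(chunk)
        if not (msg.get("From") and msg.get("Date")):
            continue                            # separator without a message behind it
        found.append({
            "offset": sep.start(),
            "from": msg["From"],
            "date": msg["Date"],
            "subject": msg.get("Subject"),
            "message_id": msg.get("Message-ID"),
            "body": msg.get_payload(decode=True),
        })
    return found


# --- constructed "disk image" fragment --------------------------------------
MSG1 = (b"From alice@example.org Mon Mar  3 10:15:27 2014\n"
        b"Return-Path: <alice@example.org>\n"
        b"Date: Mon, 03 Mar 2014 10:15:27 -0500\n"
        b"From: Alice <alice@example.org>\n"
        b"To: Bob <bob@example.com>\n"
        b"Subject: Quarterly numbers\n"
        b"Message-ID: <20140303151527.1@example.org>\n"
        b"\n"
        b"Bob, the revised sheet is attached.\n"
        b"From what I can see, Q3 is fine.\n")
MSG2 = (b"From carol@example.net Mon Mar  3 11:02:10 2014\n"
        b"Date: Mon, 03 Mar 2014 11:02:10 -0500\n"
        b"From: Carol <carol@example.net>\n"
        b"To: Bob <bob@example.com>\n"
        b"Subject: Re: Quarterly numbers\n"
        b"Message-ID: <20140303160210.7@example.net>\n"
        b"\n"
        b"Got it, thanks.\n")
# A separator with no message behind it, as index or summary files can leave.
DECOY = b"From nobody Mon Mar  3 11:05:00 2014\nno headers here, just text\n"
RAW_IMAGE = (b"\x00" * 64 + b"\xff\xd8\xff\xe0JFIF junk\n" + MSG1
             + b"\x00" * 32 + MSG2 + b"\x00" * 16 + DECOY + b"\x00" * 8)
```

The offsets returned are byte positions in the image, so each carved message can be revisited in the hex editor and the surrounding bytes documented; a message cut short by overwriting will still be returned if its headers survived, with whatever body remained.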

48 Working with Instant Messaging
The most widely used IM applications include:
 Yahoo Messenger
 Google Talk
Newer versions of IM clients and servers allow the logging of activity
Can be more incriminating than e-mail

49 Summary
Electronic mail and instant messages can be important evidence to find
They can provide a more realistic and candid view of a person
Client and server programs are needed for both e-mail and IM applications
Webmail does not leave a complete trail on the local computer

50 Summary (Cont.)
It may be necessary to harvest data from a server, in which case you need to consider the following:
 Data storage structure being used
 Authority to access the data
 A realistic plan for the time and space needed to house the forensic copy of the data

51 Summary (Cont.)
E-mail headers and IM logs can provide additional evidence
Tracing IP addresses may involve searches of the international and regional registries responsible for allocating IP addresses

52 Summary (Cont.)
Instant messaging, like e-mail, is a client/server-based technology
 Due to volume, records may not be kept by providers
 If found, they can contribute significantly to a case