Forensic Examination of E-mail Clients and Servers


1 Forensic Examination of E-mail Clients and Servers
E-mail Forensics

2 E-mail Forensics Windows and Mail
Windows provides mail support through a series of clients included with the operating system. A line of “free” clients has shipped with Windows: Outlook Express, Windows Mail, and Windows Live Mail have used .mbx, .dbx, and .eml files to store mail. Outlook is the mail client included as a component of MS Office; Outlook uses a .pst file to store mail.
Windows Mail location:
C:\Users\<username>\AppData\Local\Microsoft\Windows Mail
C:\Users\<username>\AppData\Local\Microsoft\Windows Mail\Local Folders\
account{whatever #'s}.oeaccount
*.eml files

3 E-mail Forensics Outlook Express DBX
A DBX is a text-based flat database composed of fixed-length segments and jump links. MIME-encoded attachments are stored in a non-standard MIME layout using 76-byte segments terminated with “0D 0A” (CRLF). A 16-byte link list is embedded every 512 bytes.
[MS-PST]: Outlook Personal Folders (.pst) File Format, pages 11-16

4 E-mail Forensics Outlook Express DBX
The .dbx structure includes a 36-byte header and an arbitrary number of 512-byte segments that may be fragmented. Each segment begins with a 16-byte link list holding 4 values:
1) Landing value: matches the previous segment's jump value
2) Length of next block (0x0200 hex = 512 decimal)
3) Length of next block to read
4) Jump value: file offset of the next segment's beginning
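Added example, not from the slides: a walker that reassembles one fragmented record from a constructed DBX-like image laid out as the slide describes, validating each 16-byte link list (landing value must equal the jump that led there) on every hop. The field encoding (four little-endian 32-bit values) and the sample image are assumptions for illustration, not the real .dbx specification.

```python
import struct

SEGMENT = 512   # slide: an arbitrary number of 512-byte segments
LINK = 16       # slide: a 16-byte link list at the head of each segment
HEADER = 36     # slide: 36-byte file header, so the first segment starts at 36

def build_dbx_image(fragments: list[bytes], offsets: list[int], size: int) -> bytes:
    """Constructed DBX-like image (test data, not a real .dbx). Each segment is
    laid out as the slide describes: landing value, block length (0x200),
    bytes to read, jump to the next segment (0 = end of chain), then payload."""
    img = bytearray(b"\xee" * size)                 # filler standing in for slack
    for i, (data, off) in enumerate(zip(fragments, offsets)):
        assert len(data) <= SEGMENT - LINK, "fragment must fit in one segment"
        jump = offsets[i + 1] if i + 1 < len(offsets) else 0
        struct.pack_into("<IIII", img, off, off, SEGMENT, len(data), jump)
        img[off + LINK:off + LINK + len(data)] = data
    return bytes(img)

def walk_chain(img: bytes, start: int) -> bytes:
    """Reassemble one record by following jump values, checking at every hop
    that the landing value matches the jump value that brought us here."""
    out, off, expected, seen = bytearray(), start, start, set()
    while off:
        if off in seen or off + LINK > len(img):
            raise ValueError(f"broken chain at offset {off}")
        seen.add(off)
        landing, block_len, to_read, jump = struct.unpack_from("<IIII", img, off)
        if landing != expected or block_len != SEGMENT or to_read > SEGMENT - LINK:
            raise ValueError(f"link list does not validate at offset {off}")
        out += img[off + LINK:off + LINK + to_read]
        expected = off = jump
    return bytes(out)

# Constructed sample: a message split over three segments stored out of order
# (the second fragment sits physically after the third), as fragmentation produces.
FRAGMENTS = [b"From: alice@example.invalid\r\nSubject: constructed\r\n\r\n",
             b"First part of the body ",
             b"and the rest of it.\r\n"]
OFFSETS = [HEADER, HEADER + 2 * SEGMENT, HEADER + SEGMENT]
```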

5 E-mail Forensics Outlook PST
The Personal Storage file is the local binary database that Outlook uses to store mail and numerous other details. A PST is a binary database that cannot be read without interpretation (unlike the Mbox mail spool or DBX). The .pst file has a different format and folder size limit in Outlook 2007 and in Outlook 2003.

6 E-mail Forensics Definition PST
“This file format is a stand-alone, self-contained, structured binary file format that does not require any external dependencies. Each PST file represents a message store that contains an arbitrary hierarchy of folder objects, which contains message objects, which can contain attachment objects. Information about [these] are stored in properties, which collectively contain all of the information about the particular item.” [MS-PST]: Outlook Personal Folders (.pst) File Format, p.

7 E-mail Forensics Outlook PST
For MS Outlook™ 2003 and earlier running under Windows XP, the PST file can be found at:
C:\Documents and Settings\<user_id>\Local Settings\Application Data\Microsoft\Outlook

8 E-mail Forensics Outlook Account Information
Stored in the registry, not in a file:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

9 E-mail Forensics Outlook Data Files In Windows XP and 2K:
C:\Documents and Settings\<user_id>\Application Data\Microsoft\Outlook

10 E-mail Forensics Outlook file Locations in Win2K/WinXP

11 E-mail Forensics Outlook PST
For MS Outlook™ 2007 and later running under Windows Vista/Windows 7, the PST file can be found at:
C:\Documents and Settings\<user_id>\Local Settings\Application Data\Microsoft\Outlook

12 E-mail Forensics Outlook file Locations in Vista/Win7

13 E-mail Forensics Exchange Servers
When Outlook connects to an Exchange server, it creates an offline storage file called an OST. OSTs are not encrypted; however, a tool is required to view them (as with a PST). Forensic packages can do this, or a mail administration utility like OST2PST may be required.

14 E-mail Forensics Outlook Attachments
Outlook stores opened attachments in a temporary folder that is hidden from users. Each user profile has its own attachment directory. A copy in this directory is confirmation that the attachment has been opened under that user profile.

15 E-mail Forensics Outlook Attachments
If an attachment is opened twice, a new copy is created and a number is appended in brackets. If the user inadvertently saves changes to the attachment, they persist in the directory.

16 E-mail Forensics Outlook Temporary Attachment Directory
In general, Windows 2K/XP:
C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\OLK???
In general, Windows Vista/Win7:
C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\

17 Marcel Marceau

18 E-mail Forensics Definition MIME
Multipurpose Internet Mail Extensions (MIME) is a text-based encoding scheme that allows binary attachments* in text-based systems (e.g. e-mail or newsgroups). MIME uses base-64 encoding to transfer arbitrary octets that would not be allowed by 7bit* mail systems.
* Other mail systems would disallow some content, but 7bit is the most restrictive standard.

19 E-mail Forensics MIME
MIME is used for much more than attachments. MIME encoding in the body of the message is converted by the mail server upon receipt. MIME is also widely used outside the context of e-mail. We only care about one:
7bit
quoted-printable
Base64
8BITMIME
BINARYMIME
Base 64 is used to store attachments.

20 Log Analysis Base 64 Encoding
Base 64 encoding allows the “/” and “+” characters, but a Web-safe version uses “-” and “_” in place of those characters. The “=” character is a padding character found at the end of a base64 set. Other variants are used for various purposes like URLs and regular expressions. RFC 3548 © Dr. D. Kall Loper, all rights reserved

21 E-mail Forensics Base64 MIME
Content-Transfer-Encoding: base64
Content-ID:
Content-Type: image/jpeg; name="image001.jpg";
Content-Disposition: inline; filename="image001.jpg";
<omitted for brevity>
--=_dd09d0028a818480fe8d28e4105bc327

22 E-mail Forensics MIME headers
A MIME segment contains from 2 to 5 header fields:
MIME-Version
Content-Type
Content-Transfer-Encoding
Content-ID
Content-Description
These headers are searchable for carving, and they are the only metadata for a MIME attachment file. RFC 2045


24 E-mail Forensics Base64 MIME
MIME segments can be decoded to their original content. Contents can be ANY type of file. There is no file system metadata associated with MIME-encoded files. Unless decoded, their contents will not show up in keyword searches.
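Added example, not from the slides: it builds a constructed multipart message with one base64 image/jpeg part, pulls every base64 part out with its header metadata, shows that a keyword inside the attachment is invisible to a search over the raw message until the part is decoded, and decodes base64 carved from disk in either the standard or the Web-safe alphabet with lost “=” padding restored (slides 20 and 22 to 24). The attachment bytes, addresses and keyword are constructed sample data; the JPEG magic bytes FF D8 FF encode to the familiar "/9j/" base64 prefix.

```python
import base64
import re
from email import message_from_bytes
from email.message import EmailMessage

# Constructed attachment: JPEG magic bytes, a JFIF marker and an ASCII string
# standing in for text (EXIF comment, embedded metadata) an examiner may search for.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00PROJECT-ORION budget figures\xff\xd9"
KEYWORD = b"PROJECT-ORION"

def build_sample_message() -> bytes:
    """Constructed multipart message with one base64, inline image/jpeg part."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached image.")
    msg.add_attachment(SAMPLE_JPEG, maintype="image", subtype="jpeg",
                       filename="image001.jpg", disposition="inline")
    return msg.as_bytes()

def extract_base64_parts(raw: bytes) -> list[dict]:
    """Walk the MIME tree and decode every base64 part. The part headers are the
    only metadata the file has: no MFT entry, timestamps or ownership exist."""
    parts = []
    for part in message_from_bytes(raw).walk():
        if part.get("Content-Transfer-Encoding", "").lower() != "base64":
            continue
        parts.append({"filename": part.get_filename(),
                      "content_type": part.get_content_type(),
                      "encoded": part.get_payload(decode=False).strip(),
                      "data": part.get_payload(decode=True)})
    return parts

def keyword_visibility(raw: bytes, keyword: bytes) -> dict:
    """Why an undecoded part is invisible to a keyword search over the raw store."""
    parts = extract_base64_parts(raw)
    return {"in_raw_message": keyword in raw,
            "in_decoded_parts": any(keyword in p["data"] for p in parts)}

def decode_carved_base64(text: str) -> bytes:
    """Decode standard or Web-safe (RFC 3548 '-' and '_') base64 carved from disk,
    restoring the '=' padding that a carve boundary often loses."""
    cleaned = re.sub(r"[^A-Za-z0-9+/_=-]", "", text)
    cleaned = cleaned.replace("-", "+").replace("_", "/").rstrip("=")
    return base64.b64decode(cleaned + "=" * (-len(cleaned) % 4))
```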

25 E-mail Forensics Deleted Mail in Outlook
Outlook maintains deleted messages in the database; however, it de-references them. Most forensic tool packages automatically recover such messages. When maintenance is run on the PST, deleted e-mails are pushed into freespace. However, the e-mail is not converted to plain text during this process.

26 Forensics Illustration

27 E-mail Forensics Outlook Compressible Encryption
OCE only prevents direct reading of the PST with a text editor or hex editor. It is routinely “broken” without cryptanalysis tools. Most forensics packages do this automatically. OCE settings and insecurity warnings

28 E-mail Forensics Outlook Compressible Encryption
OCE is the default setting, but no encryption or high encryption can also be selected. High encryption uses a password (with typical MS Office insecurity). No encryption allows a PST to be read with a text editor.

29 E-mail Forensics Outlook Compressible Encryption
OCE segments can be found in freespace and rendered in plain text. No-encryption segments can be found in freespace by carving for RFC 822 headers.
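Added example, not from the slides: carving for RFC 822 headers in a constructed freespace buffer, the approach the slide gives for segments of an unencrypted PST. The header list, the “three or more consecutive header lines” signature and the sample buffer are assumptions to be tuned for the store being examined.

```python
import re

# Header names that commonly open an RFC 822 message; three or more in a row
# is the carving signature used here (assumption: tune the list and the
# threshold for the mail store being examined).
HEADER_LINE = (rb"(?:Received|From|To|Cc|Subject|Date|Message-ID|MIME-Version|"
               rb"Content-Type|X-Mailer): [^\r\n]+\r?\n")
RFC822_BLOCK = re.compile(rb"(?:" + HEADER_LINE + rb"){3,}")

def carve_rfc822_headers(image: bytes) -> list[dict]:
    """Scan a raw buffer (freespace from an unencrypted PST) for runs of RFC 822
    header lines and return each run's offset, length and parsed headers."""
    hits = []
    for m in RFC822_BLOCK.finditer(image):
        headers = {}
        for line in m.group(0).splitlines():
            name, _, value = line.partition(b":")
            headers[name.decode("ascii")] = value.strip().decode("utf-8", "replace")
        hits.append({"offset": m.start(), "length": len(m.group(0)), "headers": headers})
    return hits

def build_freespace_sample() -> bytes:
    """Constructed freespace: binary filler, one complete header block, and a
    lone 'Subject:' line that must not be reported as a message."""
    filler = bytes(range(256)) * 4
    msg = (b"From: alice@example.invalid\r\n"
           b"To: bob@example.invalid\r\n"
           b"Subject: quarterly numbers\r\n"
           b"Date: Mon, 01 Jan 2001 10:00:00 +0000\r\n"
           b"Message-ID: <constructed-1@example.invalid>\r\n"
           b"\r\nBody text of the carved message.\r\n")
    return filler + msg + filler + b"Subject: stray line\r\n" + filler
```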

30 E-mail Recovery Trivia Outlook .PST files
An Outlook .PST file does not change in size when you delete something. Use a hex editor and mark positions 7-13 in the .pst file as "00". Then run scanpst to “repair” the file. Then import the file into Outlook. This way you get back all the deleted mails, calendar items, etc.

31 Server Forensics

32 E-mail Forensics Exchange Servers
“If you connect to a Microsoft Exchange Server…, your messages, Calendar, and other items are delivered to and stored on the Exchange Server [in an .edb file]. If you do not connect to an Exchange Server computer, your messages, Calendar, and other items are delivered to and stored on your local computer in a .pst file.”

33 Live E-mail Server Acquisitions
Brick-level Backup
The Exchange database stores messages with multiple local recipients in one instance. Brick-level backups include a copy of all the messages available to a user in the backup.

34 Using ExMerge Illustration

35 Using ExMerge Illustration
DO NOT import data to the server you are trying to acquire.

36 Using ExMerge Illustration
The two-step procedure allows you to take the PST home.

37 Using ExMerge Illustration
In multiple-domain environments, specify the name of your Domain Controller and its LDAP port number.

38 Using ExMerge Illustration
Be sure to have enough storage available to extract the file.

39 Using ExMerge Illustration

40 Using ExMerge Illustration

41 Using ExMerge Illustration

42 Using ExMerge Illustration
No errors, operation complete, but see the next slide for possible errors.

43 Using ExMerge Illustration
Configure your user account to have full mailbox rights for the specific mailbox or mailboxes that you want to open. On Exchange 2000/2003 the Exchange Full Administrator permission does NOT, by default, allow you to open any other user's mailbox. OOPS! You need full rights on the mailbox you try to extract.

