Presentation is loading. Please wait.

Presentation is loading. Please wait.

Guide to Computer Forensics and Investigations, Second Edition Chapter 13 E-mail Investigations.

Published byBrittany Green Modified over 9 years ago

Similar presentations

Presentation on theme: "Guide to Computer Forensics and Investigations, Second Edition Chapter 13 E-mail Investigations."— Presentation transcript:

1 Guide to Computer Forensics and Investigations, Second Edition Chapter 13 E-mail Investigations

2 Guide to Computer Forensics and Investigations, 2e2 Objectives Explore the roles of the client and server in e-mail Investigate e-mail crimes and violations Understand e-mail servers Use specialized e-mail computer forensics tools

3 Guide to Computer Forensics and Investigations, 2e3 Exploring the Roles of the Client and Server in E-mail Two environments –Internet –Controlled LAN, MAN, or WAN Client/server architecture –Server OS and e-mail software differ from those on the client side Protected accounts –Require usernames and passwords

4 Guide to Computer Forensics and Investigations, 2e4 Exploring the Roles of the Client and Server in E-mail (continued)

5 Guide to Computer Forensics and Investigations, 2e5 Exploring the Roles of the Client and Server in E-mail (continued) Name conventions –Corporate: john.smith@somecompany.com –Public: whatever@hotmail.com –Everything after @ belongs to the domain name Tracing corporate e-mails is easier

6 Guide to Computer Forensics and Investigations, 2e6 Investigating E-mail Crimes and Violations Similar to other types of investigations Goals –Find who is behind the crime –Collect the evidence –Present your findings –Build a case

7 Guide to Computer Forensics and Investigations, 2e7 Identifying E-mail Crimes and Violations Depend on the city, state, or country –Spam –Always consult with an attorney Becoming commonplace Examples of crimes involving e-mails: –Narcotics trafficking –Extortion –Sexual harassment

8 Guide to Computer Forensics and Investigations, 2e8 Examining E-mail Messages Access victim’s computer and retrieve evidence Use victim’s e-mail client –Find and copy evidence in the e-mail –Access protected or encrypted material –Print e-mails Guide victim on the phone –Open and copy e-mail including headers Sometimes you will deal with deleted e-mails

9 Guide to Computer Forensics and Investigations, 2e9 Examining E-mail Messages (continued)

10 Guide to Computer Forensics and Investigations, 2e10 Viewing E-mail Headers Learn how to find e-mail headers –GUI clients –Command-line clients –Web-based clients Headers contain useful information –Unique identifying numbers –IP address of sending server –Sending time

11 Guide to Computer Forensics and Investigations, 2e11 Viewing E-mail Headers (continued) Outlook –Open the Message Options dialog box –Copy headers –Paste them to any text editor Outlook Express –Open the message properties dialog box –Select Message Source –Copy and paste the headers to any text editor

12 Guide to Computer Forensics and Investigations, 2e12 Viewing E-mail Headers (continued)

13 Guide to Computer Forensics and Investigations, 2e13 Viewing E-mail Headers (continued)

14 Guide to Computer Forensics and Investigations, 2e14 Viewing E-mail Headers (continued)

15 Guide to Computer Forensics and Investigations, 2e15 Viewing E-mail Headers (continued) Eudora –Click the BLAH BLAH BLAH button –Copy and paste the e-mail header Pine and ELM –Check enable-full-headers AOL headers –Open e-mail Details dialog window –Copy and paste headers

16 Guide to Computer Forensics and Investigations, 2e16 Viewing E-mail Headers (continued)

17 Guide to Computer Forensics and Investigations, 2e17 Viewing E-mail Headers (continued)

18 Guide to Computer Forensics and Investigations, 2e18 Viewing E-mail Headers (continued)

19 Guide to Computer Forensics and Investigations, 2e19 Viewing E-mail Headers (continued) Hotmail –Click Options, Preferences in menu –Click Advanced Headers –Copy and paste headers Juno –Click Options and select Show Headers –Copy and paste headers

20 Guide to Computer Forensics and Investigations, 2e20 Viewing E-mail Headers (continued)

21 Guide to Computer Forensics and Investigations, 2e21 Viewing E-mail Headers (continued)

22 Guide to Computer Forensics and Investigations, 2e22 Viewing E-mail Headers (continued) Yahoo –Click Mail Options –Click General Preferences and Show All headers on incoming messages WebTV –Send the message to yourself –Open it with your regular e-mail client –Message will contain the headers

23 Guide to Computer Forensics and Investigations, 2e23 Examining E-mail Headers Gather supporting evidence and track suspect –Return path –Recipient’s e-mail address –Type of sending e-mail service –IP address of sending server –Name of the e-mail server –Unique message number –Date and time e-mail was sent –Attachment files information

24 Guide to Computer Forensics and Investigations, 2e24 Examining E-mail Headers (continued)

25 Guide to Computer Forensics and Investigations, 2e25 Examining Additional E-mail Files E-mail messages are saved on the client side or left at the server Microsoft Outlook.pst and.ost files Personal address book UNIX e-mail groups –Members read same messages Web-based mail files and folders –History, Cookies, Cache, Temp files

26 Guide to Computer Forensics and Investigations, 2e26 Tracing an E-mail Message Contact those responsible for the sending server Finding domain names point of contact –www.arin.net –www.internic.com –www.freeality.com –www.google.com Find suspect’s contact information Verify your findings against network logs

27 Guide to Computer Forensics and Investigations, 2e27 Using Network Logs Related to E-mail Confirm e-mail route Router logs –Record all incoming and outgoing traffic –Have rules to allow or disallow traffic Firewall logs –Filter e-mail traffic –Verify whether the e-mail passed through You can use any text editor or specialized tools

28 Guide to Computer Forensics and Investigations, 2e28 Using Network Logs Related to E-mail (continued)

29 Guide to Computer Forensics and Investigations, 2e29 Understanding E-mail Servers Computer running server OS and e-mail package E-mail storage –Database –Flat file Logs –Default or manual –Continuous and circular

30 Guide to Computer Forensics and Investigations, 2e30 Understanding E-mail Servers (continued) Log information –E-mail content –Sending IP address –Receiving and reading date and time –System-specific information Contact suspect’s network as soon as possible Servers can recover deleted e-mails –Similar to deletion of files on a hard drive

31 Guide to Computer Forensics and Investigations, 2e31 Understanding E-mail Servers (continued)

32 Guide to Computer Forensics and Investigations, 2e32 Examining UNIX E-mail Server Logs /Etc/Sendmail.cf –Configuration information for Sendmail /Etc/Syslog.conf –Specifies how and which events Sendmail logs /Var/Log/Maillog –SMTP and POP3 communications IP address and time stamp Check UNIX main pages for more information

33 Guide to Computer Forensics and Investigations, 2e33 Examining UNIX E-mail Server Logs (continued)

34 Guide to Computer Forensics and Investigations, 2e34 Examining UNIX E-mail Server Logs (continued)

35 Guide to Computer Forensics and Investigations, 2e35 Examining UNIX E-mail Server Logs (continued)

36 Guide to Computer Forensics and Investigations, 2e36 Examining Microsoft E-mail Server Logs Microsoft Exchange Server (Exchange) –Uses a database –Based on Microsoft Extensible Storage Engine Information Store files –Database files *.edb Responsible for MAPI information –Database files *.stm Responsible for non-MAPI information

37 Guide to Computer Forensics and Investigations, 2e37 Examining Microsoft E-mail Server Logs (continued) Transaction logs –Keep track of e-mail databases Checkpoints –Keep track of transaction logs Temporary files E-mail communication logs –RES#.log Tracking log

38 Guide to Computer Forensics and Investigations, 2e38 Examining Microsoft E-mail Server Logs (continued)

39 Guide to Computer Forensics and Investigations, 2e39 Examining Microsoft E-mail Server Logs (continued) Troubleshooting or diagnostic log –Log events –Use Windows Event Viewer –Open the Event Properties dialog box for more details about an event

40 Guide to Computer Forensics and Investigations, 2e40 Examining Novell GroupWise E-mail Logs Up to 25 databases for e-mail users –Stored on the Ofuser directory object –Referenced by a username, an unique identifier, and.db extension Shares resources with e-mail server databases Mailboxes organizations –Permanent index files –QuickFinder

41 Guide to Computer Forensics and Investigations, 2e41 Examining Novell GroupWise E-mail Logs (continued) Folder and file structure can be complex –It uses Novell directory structure Guardian –Directory of every database –Tracks changes in the GroupWise environment –Considered a single point of failure Log files –GW\volz\*.log

42 Guide to Computer Forensics and Investigations, 2e42 Using Specialized E-mail Forensics Tools Tools –AccessData’s FTK –EnCase –FINALeMAIL –Sawmill-GroupWise –DBXtract –MailBag –Assistant –Paraben

43 Guide to Computer Forensics and Investigations, 2e43 Using Specialized E-mail Forensics Tools (continued) Tools allow you to find: –E-mail database files –Personal e-mail files –Off-line storage files –Log files Advantage –Do not need to know how e-mail servers and clients work

44 Guide to Computer Forensics and Investigations, 2e44 Using Specialized E-mail Forensics Tools (continued) FINALeMAIL –Scans e-mail database files –Recovers deleted e-mails –Search computer for lost or delete e-mails FTK –All-purpose program –Filters and finds files specific to e-mail clients and servers

45 Guide to Computer Forensics and Investigations, 2e45 Using Specialized E-mail Forensics Tools (continued)

46 Guide to Computer Forensics and Investigations, 2e46 Summary Send and receive e-mail via Internet or a LAN –Both environments use client/server architecture E-mail investigations are similar to other kinds of investigations Access victim’s computer to recover evidence Copy and print the e-mail message involved in the crime or policy violation Find e-mail headers

47 Guide to Computer Forensics and Investigations, 2e47 Summary (continued) Investigating e-mail abuse –Be familiar with e-mail server’s and client’s operations Check: –E-mail message files –E-mail headers –E-mail server log files

Download ppt "Guide to Computer Forensics and Investigations, Second Edition Chapter 13 E-mail Investigations."

Similar presentations

Kalpesh Vyas & Seward Khem

Kalpesh Vyas & Seward Khem
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
6 C H A P T E R © 2001 The McGraw-Hill Companies, Inc. All Rights Reserved1 Electronic Mail Electronic mail has revolutionized the way people communicate.

6 C H A P T E R © 2001 The McGraw-Hill Companies, Inc. All Rights Reserved1 Electronic Mail Electronic mail has revolutionized the way people communicate.
Email Basics. 2 Class Outline Part 1 - Introduction –Explaining email –Parts of an email address –Types of email services –Acquiring an email account.

Basics. 2 Class Outline Part 1 - Introduction –Explaining –Parts of an address –Types of services –Acquiring an account.
Basic Communication on the Internet: E-Mail Integrated Browser E-Mail Programs and Web-Based E-Mail Services Tutorial 3.

Basic Communication on the Internet: Integrated Browser Programs and Web-Based Services Tutorial 3.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
How Clients and Servers Work Together. Objectives Web Server Protocols Examine how e-mail server and client software work Use FTP to transfer files Initiate.

How Clients and Servers Work Together. Objectives Web Server Protocols Examine how server and client software work Use FTP to transfer files Initiate.
XP Browser and E-mail Basics1. XP Browser and E-mail Basics2 Learn about Web browser software and Web pages The Web is a collection of files that reside.

XP Browser and Basics1. XP Browser and Basics2 Learn about Web browser software and Web pages The Web is a collection of files that reside.
91.580.203 Computer & Network Forensics Xinwen Fu Chapter 13 E-mail Investigations.

Computer & Network Forensics Xinwen Fu Chapter 13 Investigations.
Guide to Computer Forensics and Investigations Third Edition Chapter 12 E-mail Investigations.

Guide to Computer Forensics and Investigations Third Edition Chapter 12 Investigations.
COS/PSA 413 Day 17. Agenda Lab 8 write-up grades –3 B’s, 1 C and 1 F –Answer the Questions!!! Capstone progress report 2 overdue Today we will be discussing.

COS/PSA 413 Day 17. Agenda Lab 8 write-up grades –3 B’s, 1 C and 1 F –Answer the Questions!!! Capstone progress report 2 overdue Today we will be discussing.
COS 413 Day 17. Agenda Quiz 2 corrected –2 A’s, 6 B’s & 1 C Assignment 5 corrected –5 B’s, 2 C’s, 1 non-submit & 1 corrupt file that I cannot read Lab.

COS 413 Day 17. Agenda Quiz 2 corrected –2 A’s, 6 B’s & 1 C Assignment 5 corrected –5 B’s, 2 C’s, 1 non-submit & 1 corrupt file that I cannot read Lab.
Browser and E-mail Basics Tutorial 1. Learn about Web browser software and Web pages The Web is a collection of files that reside on computers, called.

Browser and Basics Tutorial 1. Learn about Web browser software and Web pages The Web is a collection of files that reside on computers, called.
Guide to Operating System Security Chapter 10 E-mail Security.

Guide to Operating System Security Chapter 10 Security.
POP Email Configuration Microsoft Outlook Express 6.x.

POP Configuration Microsoft Outlook Express 6.x.
Welcome to the St James POA website navigation tool. Learn how to navigate the website, edit your profile and learn what’s going on in St James!

Welcome to the St James POA website navigation tool. Learn how to navigate the website, edit your profile and learn what’s going on in St James!
GroupWise Tutorial What is GroupWise? GroupWise is an email and calendar service (much like Microsoft outlook) for Collin College faculty and staff.

GroupWise Tutorial What is GroupWise? GroupWise is an and calendar service (much like Microsoft outlook) for Collin College faculty and staff.
Setting up Email in Outlook Express. Select “Tools” from the toolbar menu.

Setting up in Outlook Express. Select “Tools” from the toolbar menu.
Free Powerpoint Templates Page 1 MICROSOFT OFFICE OUTLOOK 2007 PRESENTED BY: BRANDO P. DUMALI.

Free Powerpoint Templates Page 1 MICROSOFT OFFICE OUTLOOK 2007 PRESENTED BY: BRANDO P. DUMALI.
E-mail-I CS-3505 Wb_e-mail-I.ppt. Email 4 The most useful feature of the internet 4 Lots of different email programs, but most of them can talk to each.

-I CS-3505 Wb_ -I.ppt. 4 The most useful feature of the internet 4 Lots of different programs, but most of them can talk to each.

Similar presentations

Ads by Google