Proceedings of Regional Conference on Knowledge Integration in ICT 2010 467
EVALUATION OF E-MAIL ACTIVITY RECONSTRUCTION TOOLS
FOR E-MAIL CLIENT
Chew Eng Hin 1, Asrul Hadi Bin Yaacob 2, Mohd Fikri Azli Bin Abdullah 3
1 Faculty of Information Science & Technology, Multimedia University (MMU) Melaka Campus, Malaysia
2 Faculty of Information Science & Technology, Multimedia University (MMU) Melaka Campus, Malaysia
3 School of Electronics and Computer Engineering, Chonnam National University, South Korea
Abstract

Electronic mail (E-mail) is one of the most common and important messaging infrastructures used in organizations. Among all the critical systems in an organization, the E-mail system is the one that requires significant ongoing investment, both in technology and in personnel, to run smoothly. E-mail crimes are increasing from year to year. To cut down the number of E-mail crimes, various E-mail Forensics Tools have been introduced to recover E-mail and trace its source. E-mail tools also allow E-mail administrators to complete common and time-consuming tasks in their E-mail environment more effectively. The functions of E-mail Forensics Tools can be divided into Activity Reconstruction, Message Tracing, Investigation, Forensics, Compliance, and Trend Analysis. The focus of this evaluation, however, is E-mail Activity Reconstruction, which is the first necessary step in E-mail Forensics. In E-mail Activity Reconstruction, there are tools that can read the proprietary E-mail repository format. An evaluation of E-mail Activity Reconstruction Tools is therefore done on two open source tools and one commercial tool. These tools, all of which can read DBX files, are tested against a set of basic characteristics and requirements that serve as test criteria, and are then compared and contrasted with each other. All tests are done in a constant environment and the results are documented to give a clear view of the efficiency and accuracy of the tools. An analysis of the evaluation results is provided to increase understanding of E-mail Activity Reconstruction.
Keywords: E-mail Forensics, E-mail Activity Reconstruction, DBX
1. Introduction

E-mail is a communication method for exchanging digital information between two or more parties. An E-mail system is built on an infrastructure in which E-mail servers accept, forward, deliver and store messages on behalf of users. Over the years the E-mail system has been improved, and it is now the most widely preferred communication tool in business; it was also the first broad form of electronic communication in business.
E-mail is one of the most common and important messaging infrastructures used in organizations. Among all the critical systems in an organization, the messaging infrastructure is the one that requires significant ongoing investment, both in technology and in personnel, to run smoothly. Moreover, E-mail crimes are increasing from year to year. To cut down the number of E-mail crimes, various E-mail Forensics Tools have been introduced to recover E-mail and trace its source. Klein (2006) mentioned that although the overall impact of E-mail Forensics in fixing this vulnerability can only be speculated at, it is unquestionable that the number of cases will be reduced. E-mail tools also allow E-mail administrators to complete common and time-consuming tasks in their E-mail environment more effectively. Demands from end users increase every year, and IT managers are required to answer more detailed questions about their messaging infrastructure than ever before. Solutions are needed to help organizations implement E-mail Forensics quickly.
The functions of E-mail Forensics Tools can be divided into Activity Reconstruction, Message Tracing, Investigation, Forensics, Compliance, and Trend Analysis. The focus of this evaluation, however, is E-mail Activity Reconstruction, which is the first necessary step in E-mail Forensics. In E-mail Activity Reconstruction, there are tools that can read the proprietary repository formats of E-mail clients. The repository format chosen here is DBX, the repository of Microsoft Outlook Express. The focus is on Microsoft Outlook Express mainly because, according to Figure 1 (E-mail client popularity, 2009, June), it is a default E-mail client with a high usage percentage. It also comes free with Windows XP, which is the Microsoft OS most preferred in organizations.
The most important step of E-mail Forensics is E-mail Activity Reconstruction, which is also the very first step before any analysis can be done. Jones, Bejtlich and Rose (2005) stated that E-mail Activity Reconstruction Tools are used to reconstruct the E-mail repositories that local E-mail applications use to store the E-mail a suspect sends or receives. Usually, reconstruction of E-mail requires certain applications to be installed on the forensics workstation, the main reason being the proprietary repository formats used by E-mail applications. Although forensics can be done with the proper E-mail application installed, E-mail Activity Reconstruction Tools that can read the E-mail without the original application are much more efficient.
Figure 1: E-mail Client User Usage (E-mail client popularity, 2009, June). Pie chart of client shares: Microsoft Outlook 40%; Yahoo! Mail, Hotmail, Apple Mail, iPhone/iPod Touch, Gmail and other clients share the remaining 60%.
2. The Architecture

2.1 E-mail Client

Leung and Hou (n.d.) mentioned that an E-mail client, also known as an E-mail reader or, more formally, a Mail User Agent (MUA), is a computer program used to manage E-mail. The term E-mail client may refer to any agent acting as a client toward an E-mail server, regardless of whether it is a mail user agent, a relaying server, or a human typing on a terminal. Moreover, a web application providing message management, composition, and reception functionality is sometimes considered an E-mail client as well.
MUAs, like most client programs, need to be activated when users want to retrieve messages from a mailbox, as in Figure 2. Messages are stored on a remote server and the MUA has to request them on behalf of the user. Access to remote server mailboxes comes in two flavors; the American Prosecutors Research Institute (2005) provides much information about how E-mail works. The first is the Post Office Protocol (POP), which allows the client to download messages one at a time and delete them from the server only after they have been successfully saved on local storage. POP can serve multiple clients, since it is possible to leave the messages on the server for another client to download. However, there is no provision for flagging a specific message as seen, answered, or forwarded, so POP may not be convenient for users who access the same mail from different machines or clients.
The Internet Message Access Protocol (IMAP), on the other hand, allows users to keep messages on the server and flag them as appropriate. Moreover, IMAP provides sub-folders; the Sent, Drafts, and Trash folders are created by default. Both POP and IMAP clients can be configured to access more than one mailbox at the same time. However, IMAP is equipped with extra features such as the IDLE extension for real-time updates, which can provide faster notification than polling where long-lasting connections are feasible. Lastly, settings such as the server IP address, user name and password are required on the client for each remote incoming mailbox.

Figure 2: Mail User Agent. The sender's MUA hands the message to the sender's mail server, which relays it over the Internet to the receiver's mail server, from which the receiver's MUA retrieves it.
Table 1: E-mail Protocols Port Assignment

Protocol   Use             Plain text or encrypted sessions   Plain text sessions only   Encrypted sessions only
POP3       Incoming mail                                      110                        995
IMAP4      Incoming mail                                      143                        993
SMTP       Outgoing mail                                      25                         465 (unofficial)
MSA        Outgoing mail   587
HTTP       Webmail                                            80                         443
2.2 DBX

According to Jones et al. (2005), there are two types of DBX file, as shown in Figure 3. The first type is the Folders DBX file, which is a catalogue of the other DBX files on the system. The second type is the E-mail DBX file. This is the file that contains the actual E-mail messages, including their content and attachments. Each E-mail DBX file is catalogued in the Folders DBX file so that Outlook Express can re-create the folder structure for the user.
3. Purpose of the Evaluation

The purpose of the evaluation of E-mail Activity Reconstruction Tools is to determine whether the tested tools meet the basic characteristics and requirements of a forensics tool. Two open source tools, Eindeutig and libDBX, will be tested. In addition, a commercial tool, Paraben's E-mail Examiner, is added to the evaluation in order to compare and contrast the open source tools with the commercial tool.

These tools are critical to E-mail forensics because E-mail Activity Reconstruction is the very first basic step of E-mail forensics. Yet the quality of these tools is very often unknown. Thus, specific tool evaluation and testing are required and essential in order to determine the performance and quality of the tools.
Figure 3: DBX Files. The Folders DBX file catalogues the E-mail DBX files (Inbox, Drafts, Deleted Items and Sent Items), each of which holds the messages of one folder.
4. Software and Hardware

Two test computers, one desktop and one laptop, are used in this test. The complete hardware specifications of both machines are listed below.

Desktop
Dell Dimension 5150
Intel i945 motherboard
Dell BIOS version A07
Intel Pentium D 820 CPU
2 GiB DDR2 memory

Laptop
Dell Latitude E6400
Intel GM45 chipset
Dell BIOS version A20
Intel Mobile Core 2 Duo T9800
4 GiB DDR2 memory

The software listed below was used to perform the testing.

Cygwin: provides a Linux-like environment in which to run the tools.
Eindeutig: tool under test.
libDBX: tool under test.
Paraben's E-mail Examiner: tool under test.
FTK Imager: mounts the image for forensics purposes.

5. Methodology
Figure 4: Environment of Tools Comparison. Each tool n (n = 1, 2, 3, 4) is run in its own testing environment with the same input resources and is assessed against the basic characteristics and requirements; the per-tool results are then compared.
Figure 4 shows the methodology for testing and evaluating E-mail Activity Reconstruction Tools. All tools are given the same resources as input, and the comparison is based on the basic characteristics and requirements set out earlier. Moreover, each tool is tested in a separate environment so that any uncertainty can be isolated. The results of the testing are collected and documented, then compiled and tabulated to form the comparison of the tools.

After the comparison of E-mail Activity Reconstruction Tools, all the valuable data is collected and documented. A table of results is established in order to provide a better view of the tool testing. The table is then analyzed and evaluated; analysis and evaluation increase the understanding of E-mail Activity Reconstruction Tools.
6. Testing

The tests are run on each tool and compared against Microsoft Outlook Express. Against each criterion, a tool is rated as either Passed or Failed. Below are the basic characteristics and requirements that serve as the testing criteria.

Basic Characteristics and Requirements (Criteria)
1. The tool shall be able to interpret the DBX repository correctly.
2. The tool shall be able to preserve the integrity of both the E-mail and the DBX repository.
3. The tool shall be able to reconstruct E-mail activity.
4. The tool shall be able to extract selected E-mail.
5. The tool shall be able to warn users if an error occurs.
6. The tool shall be able to extract any attachments found in the E-mail.
7. The tool shall be user-friendly and easy to execute.
6.1 Microsoft Outlook Express

Figure 5: Microsoft Outlook Express

6.2 Eindeutig

Eindeutig is tested with the following command:

    dbxparse [-e|-f] [options]
    -t   The field delimiter for spreadsheet output.
    -f   FORCE the input file as FOLDER type
    -e   FORCE the input file as E-MAIL type
    -s   Only an E-mail summary spreadsheet will be listed.
    -o   The output directory for exported E-mail.

Figure 6: Eindeutig

6.3 libDBX

libDBX is tested with the following command:

    readdbx [OPTIONS]
    -h          display this help and exit
    -V          output version information and exit
    -f "file"   input DBX file
    -o "file"   file to write mbox format to
    -q          don't display extra information.

Figure 7: libDBX

6.4 Paraben's E-mail Examiner

Paraben's E-mail Examiner is equipped with a user-friendly GUI, so clicking with the cursor is the only action required to run the program.

Figure 8: Paraben's E-mail Examiner
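Section 2.2 describes the two kinds of DBX file, Sections 6.2 and 6.3 give the Eindeutig and libDBX command lines, and criteria 1 and 2 require that a tool read the repository correctly without altering it. The following Python script is an added example written for this page, not code from the paper or from Eindeutig or libDBX: it identifies DBX files by their header signature rather than by extension, records a SHA-256 baseline for each one, and runs a tool on a read-only working copy so that any write to the repository shows up as a hash mismatch. The header byte values, the positional placement of the input file on the dbxparse command line, and the sample files are assumptions; the sample files carry only a DBX-style header and are constructed for the demonstration.

```python
"""Added example for Sections 2.2 and 6: DBX triage and integrity check.
Not part of the paper, nor of Eindeutig or libDBX."""
import hashlib
import os
import shutil
import subprocess
import tempfile

# Assumed header layout (from public Outlook Express 5 DBX format notes;
# verify against a known-good sample): bytes 0-3 are the common DBX magic,
# byte 4 tells a message store from the Folders.dbx catalogue.
DBX_MAGIC = b"\xcf\xad\x12\xfe"
DBX_KINDS = {0xC5: "email", 0xC6: "folder", 0xC7: "pop3uidl"}


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-hundred-megabyte stores do not land in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def identify_dbx(header):
    """Return 'email', 'folder', 'pop3uidl' or None from the first bytes of a file.
    Going by signature, not extension, also catches renamed or carved stores."""
    if len(header) < 5 or header[:4] != DBX_MAGIC:
        return None
    return DBX_KINDS.get(header[4])


def inventory(evidence_dir):
    """Baseline every DBX-signature file under evidence_dir: kind, size, SHA-256."""
    found = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                kind = identify_dbx(fh.read(8))
            if kind is not None:
                found[path] = {"name": name, "kind": kind,
                               "size": os.path.getsize(path),
                               "sha256": sha256_file(path)}
    return found


def dbxparse_argv(kind, dbx_path, outdir):
    """Eindeutig command line using the -e/-f/-o flags from Section 6.2.
    Passing the input file as the last positional argument is an assumption."""
    flag = {"email": "-e", "folder": "-f"}[kind]
    return ["dbxparse", flag, "-o", outdir, dbx_path]


def run_subprocess(argv, workdir):
    """Real runner for use against the installed tool (e.g. under Cygwin)."""
    return subprocess.run(argv, cwd=workdir, check=True)


def run_preserving(dbx_path, kind, run=run_subprocess):
    """Run the tool on a read-only copy of the store and report whether the
    copy's hash changed (criterion 2). `run(argv, workdir)` is injected so the
    check itself can be exercised without the tool installed."""
    workdir = tempfile.mkdtemp(prefix="dbx-eval-")
    try:
        copy = os.path.join(workdir, os.path.basename(dbx_path))
        shutil.copy2(dbx_path, copy)
        os.chmod(copy, 0o444)  # a reader needs no write access to the store
        before = sha256_file(copy)
        run(dbxparse_argv(kind, copy, os.path.join(workdir, "out")), workdir)
        after = sha256_file(copy)
        return {"path": dbx_path, "kind": kind, "before": before,
                "after": after, "preserved": before == after}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


def tamper(argv, workdir):
    """Stand-in for a misbehaving tool: it writes into the store it was given
    (the last argv element), which is exactly what criterion 2 must catch."""
    os.chmod(argv[-1], 0o644)
    with open(argv[-1], "ab") as fh:
        fh.write(b"\x00")


def make_sample_evidence():
    """Constructed sample, not real Outlook Express data: files carrying only a
    DBX-style header (two stores, one of them renamed, one catalogue) plus an
    unrelated file, in a fresh temp directory."""
    folder = tempfile.mkdtemp(prefix="dbx-evidence-")
    samples = {
        "Folders.dbx": DBX_MAGIC + b"\xc6" + b"\x00" * 27,
        "Inbox.dbx": DBX_MAGIC + b"\xc5" + b"\x00" * 27,
        "renamed.bin": DBX_MAGIC + b"\xc5" + b"\x00" * 27,
        "notes.txt": b"not a dbx file",
    }
    for name, blob in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(blob)
    return folder


if __name__ == "__main__":
    evidence = make_sample_evidence()
    for path, rec in inventory(evidence).items():
        print(f"{rec['kind']:8} {rec['size']:6d} {rec['sha256'][:16]}  {path}")
        if rec["kind"] == "email":
            # no tool installed here: a no-op runner passes, the tamperer fails
            print("  no-op  ->", run_preserving(path, "email", lambda a, w: None)["preserved"])
            print("  tamper ->", run_preserving(path, "email", tamper)["preserved"])
```

Against a real image, point `inventory()` at the mounted evidence directory and call `run_preserving(path, kind)` with the default subprocess runner; the same before/after pair can be dropped straight into the chain-of-custody log, and the read-only copy means the original store is never handed to the tool at all.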
7. Result

Table 2: Result of Tools Testing (outcomes as reported in Section 8)

                            Criteria
Tool                        1       2       3       4       5       6       7
Eindeutig                   Passed  Passed  Passed  Passed  Passed  Failed  Failed
libDBX                      Passed  Passed  Passed  Passed  Passed  Failed  Failed
Paraben's E-mail Examiner   Passed  Passed  Passed  Passed  Passed  Passed  Passed
8. Analysis and Evaluation

8.1 Analysis

8.1.1 Analysis of Test of Criterion 1

From the information of the test of Criterion 1, all the tools performed very well in interpreting the DBX repository. All tools could read the hexadecimal data contained in the DBX file correctly, and meaningful information is the result of the interpretation.

8.1.2 Analysis of Test of Criterion 2

The second test shows that the tools preserve the integrity of the E-mail and of the DBX repository. Neither the E-mail nor the DBX file is altered or changed after interpretation by the tools. Preservation of the E-mail and the DBX repository is very important in order to use this data as digital evidence in court.

8.1.3 Analysis of Test of Criterion 3

From the result above, all tools are able to reconstruct the E-mail activity from the DBX file without any error. E-mail activity describes the activity or actions that users have taken with their E-mail system, such as the number of E-mails that have been sent, read, deleted and so on.

8.1.4 Analysis of Test of Criterion 4

As the fourth test shows, all tools are able to extract E-mail from the DBX file successfully. The contents of the E-mail, such as the E-mail header and message body, can be viewed without any problem.

8.1.5 Analysis of Test of Criterion 5
All the tools tested are able to warn users if any error occurs during the E-mail activity reconstruction process. Alerts or errors are displayed to warn users, so that faulty output is not included in the E-mail forensics.

8.1.6 Analysis of Test of Criterion 6

The result of this test indicates a shortcoming of both open source tools (Eindeutig and libDBX) compared to the feature-rich commercial tool. Neither open source tool is able to extract the attachments found in the extracted E-mail. Although the extraction of attachments can be done with another tool named munpack, Paraben's E-mail Examiner appears to be a more complete package.
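Criterion 6 is the one the open source tools fail: readdbx produces an mbox, and the attachments then have to be pulled out of that mbox with a separate MIME decoder such as munpack. The following Python script is an added example written for this page, not code from the paper, libDBX or munpack: it walks an mbox with the standard library's mailbox and email modules, writes each attachment part out with its SHA-256 recorded, and neutralises a declared filename that tries to escape the output directory, a check a forensic extraction script needs because the filename comes from the suspect's data. The sample mbox is constructed for the demonstration and is not real evidence.

```python
"""Added example for criterion 6: extract attachments from the mbox written by
readdbx. Not part of the paper, libDBX or munpack."""
import hashlib
import mailbox
import os
import re
import tempfile
from email import message_from_bytes, policy

# Constructed sample mbox (not real evidence): one message whose attachment
# declares a filename that tries to climb out of the output directory.
SAMPLE_MBOX = b"""From alice@example.test Mon Jan  4 10:00:00 2010
From: alice@example.test
To: bob@example.test
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="../../evil.txt"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--

"""


def safe_name(declared, fallback):
    """Reduce a suspect-supplied filename to a single safe path component."""
    name = os.path.basename((declared or "").replace("\\", "/"))
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).lstrip(".")
    return name[:120] or fallback


def extract_attachments(mbox_path, outdir):
    """Write every attachment part to outdir; return one record per attachment
    (message index, subject, declared and stored names, size, SHA-256)."""
    os.makedirs(outdir, exist_ok=True)
    root = os.path.realpath(outdir)
    records = []
    box = mailbox.mbox(mbox_path)
    try:
        for idx, key in enumerate(box.keys()):
            msg = message_from_bytes(box.get_bytes(key), policy=policy.default)
            for part in msg.walk():
                if part.is_multipart() or part.get_content_disposition() != "attachment":
                    continue
                declared = part.get_filename()
                data = part.get_payload(decode=True) or b""
                stored = f"{idx:04d}_{safe_name(declared, 'attachment.bin')}"
                dest = os.path.join(root, stored)
                # defence in depth: the sanitised name can never leave root
                if os.path.commonpath([root, os.path.realpath(dest)]) != root:
                    raise ValueError(f"refusing to write outside {root}: {dest}")
                with open(dest, "wb") as fh:
                    fh.write(data)
                records.append({"message": idx, "subject": str(msg["subject"]),
                                "declared": declared, "stored": stored,
                                "size": len(data),
                                "sha256": hashlib.sha256(data).hexdigest()})
    finally:
        box.close()
    return records


def make_sample_mbox():
    """Write SAMPLE_MBOX to a temp file, standing in for readdbx's -o output."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_MBOX)
    return path


def extract_sample():
    """Run the extractor over the constructed mbox into a fresh directory."""
    return extract_attachments(make_sample_mbox(), tempfile.mkdtemp(prefix="attachments-"))


if __name__ == "__main__":
    for rec in extract_sample():
        print(f"msg {rec['message']}: {rec['declared']!r} -> {rec['stored']} "
              f"({rec['size']} bytes, sha256 {rec['sha256'][:16]}...)")
```

Run it over a copy of the readdbx output rather than the file readdbx wrote into the evidence tree, since the mailbox module opens a writable mbox read-write; the returned records give the declared name, stored name and hash that the examination log needs for each attachment.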
8.1.7 Analysis of Test of Criterion 7

The last test was about the user-friendliness of the tools. The results show that both open source tools, which have a command-line interface, are not as easy and simple to use as the commercial tool. The GUI of the commercial tool simplifies its execution, as clicking is the only action required.
8.2 Evaluation

E-mail Activity Reconstruction Tools can be divided into open source tools and commercial tools. Eindeutig and libDBX are open source tools, while Paraben's E-mail Examiner is the commercial tool. Paraben's E-mail Examiner appears to be the more complete package, with a user-friendly GUI and many extra features that come in handy. Eindeutig and libDBX, on the other hand, are more specific in function, as they can only parse DBX files, compared to the multiple file formats supported by Paraben's E-mail Examiner. Thus, other open source tools such as munpack may have to be combined with them in order to achieve certain functions provided by Paraben's E-mail Examiner.

Moreover, support and development of Eindeutig have been inactive since 2005, in line with the frequent description of open source tools as being developed more slowly and supported less than commercial tools. On the bright side, open source tools are much more flexible, as the source code is freely available and can be modified for specific needs. A GUI could be added to Eindeutig as a front-end that interacts with users in a friendlier and easier-to-use manner. Open source tools are great for research and study as well.
9 Conclusion

E-mail Activity Reconstruction Tools are essential in E-mail Forensics, as Activity Reconstruction is the very first necessary step in E-mail Forensics. These tools must at least meet basic characteristics and requirements such as:
1. The tool shall be able to interpret the DBX repository correctly.
2. The tool shall be able to preserve the integrity of both the E-mail and the DBX repository.
3. The tool shall be able to reconstruct E-mail activity.
4. The tool shall be able to extract selected E-mail.
5. The tool shall be able to warn users if an error occurs.

All the tools tested met these criteria and did well in the test. However, there is still a long way to go for open source tools to keep up with commercial tools. For the benefit of society, open source tools should be given more attention and support from developers.
10 Acknowledgement

I would like to take this opportunity to express my gratitude to Mr. Asrul Hadi Bin Yaacob and Mr. Mohd Fikri Azli Abdullah for their supervision, guidance, encouragement and support throughout the whole project. Both of them showed me different ways to approach a research problem and the need to be persistent to accomplish any goal. Besides that, I would also like to thank my family: my parents, for giving me unconditional support and encouragement to pursue my interests and dreams; my sisters, who often helped me search for materials related to the project title; and my brothers, who shared their experience from their own research and were always there to give me advice whenever I needed it. Besides that, thanks to my family, who always reminded me that my research should be useful and provide good information to the community.
References

American Prosecutors Research Institute. (2005). Understanding E-mail: A primer for local prosecutors (Grant No. 98LS-VX-0002). Washington, DC: U.S. Government Printing Office.

E-mail client popularity. (2009, June). Retrieved from http://www.campaignmonitor.com/stats/E-mail-clients/

Jones, K., Bejtlich, R., & Rose, C. (2005). Real digital forensics: Computer security and incident response. Addison-Wesley Professional.

Klein, D. V. (2006). A forensic analysis of a distributed two-stage web-based spam attack.

Leung, Y. W., & Hou, R. (n.d.). Mail server [Presentation slides]. Retrieved from Hong Kong Baptist University web site: http://www.comp.hkbu.edu.hk/~comp2650/tutorial/notes/lab_notes_5.pdf