Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 8: E-Mail and Webmail Forensics

Page 1: Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 8: E-Mail and Webmail Forensics

Computer Forensics: Principles and Practices

by Volonino, Anzaldua, and Godwin

Chapter 8: E-Mail and Webmail Forensics

© Pearson Education Computer Forensics: Principles and Practices 2

Objectives

- Understand the flow of electronic mail across a network
- Explain the difference between resident e-mail client programs and webmail
- Understand the difference between typical desktop data storage and server data storage
- Identify the components of e-mail headers
- Understand the flow of instant messaging across the network

Introduction

E-mail has transcended social boundaries and moved from a convenient way to communicate to a corporate requirement. In many cases, computer forensics of e-mail turns up incriminating, unintentional documentation of people’s activities and attitudes.

In Practice: E-Mail in Senate Investigations of Finance Companies

- Financial institutions helped Enron manipulate its numbers and mislead investors
- E-mail proved that banks such as JPMorgan Chase knew very well how Enron was hiding its debt

Importance of E-Mail as Evidence

- E-mail can be pivotal evidence in a case
- Due to its informal nature, it does not always represent corporate policy
- Many cases provide examples of the use of e-mail as evidence:
  - Knox v. State of Indiana
  - Harley v. McCoach
  - Nardinelli et al. v. Chevron
  - Adelyn Lee v. Oracle Corporation

Working with E-Mail

- E-mail evidence is typically used to corroborate or refute other testimony or evidence
- Can be used by prosecutors or defense parties
- Two standard methods to send and receive e-mail:
  - Client/server applications
  - Webmail

Working with E-Mail (Cont.)

E-mail data flow

- User has a client program such as Outlook or Eudora
- Client program is configured to work with one or more servers
- E-mails sent by the client reside on the PC
- A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers

Working with E-Mail (Cont.)

Sending E-Mail

- User creates e-mail on her client
- User issues send command
- Client moves e-mail to Outbox
- Server acknowledges client and authenticates e-mail account
- Client sends e-mail to the server
- Server sends e-mail to destination e-mail server
- If the client cannot connect with the server, it keeps trying

Working with E-Mail (Cont.)

Receiving E-Mail

- User opens client and logs on
- User issues receive command
- Client contacts server
- Server acknowledges, authenticates, and contacts mail box for the account
- Mail downloaded to local computer
- Messages placed in Inbox to be read
- POP deletes messages from server; IMAP retains copy on server

Working with E-Mail (Cont.)

Working with resident e-mail files

- Users are able to work offline with e-mail
- E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized
- Begin by identifying e-mail clients on the system
- You can also search by file extensions of common e-mail clients

Working with E-Mail (Cont.)

E-Mail Client     Extension   Type of File
AOL               .abi        AOL6 organizer file
                  .aim        Instant Message launch
                  .arl        Organizer file
                  .bag        Instant Messenger file
Outlook Express   .dbx        OE mail database
                  .dgr        OE fax page
                  .email      OE mail message
                  .eml        OE electronic mail
Outlook           .pab        Personal address book
                  .pst        Personal folder
                  .wab        Windows address book

(Continued)

Working with E-Mail (Cont.)

E-Mail Client     Extension   Type of File
Lotus Notes       .box        Notes mailbox
                  .ncf        Notes internal clipboard
                  .nsf        Notes database
Novell GroupWise  .mlm        Saved e-mail (using WP5.1 format)
Eudora            .mbx        Eudora message base

Working with E-Mail (Cont.)

Popular e-mail clients:

- America Online (AOL): users have a month to download or save before AOL deletes messages
- Outlook Express: installed by default with Windows
- Outlook: bundled with Microsoft Office
- Eudora: popular free client
- Lotus Notes: integrated client option for Lotus Domino server

Working with Webmail

Webmail data flow

- User opens a browser and logs in to the webmail interface
- Webmail server has already placed mail in the Inbox
- User uses the compose function followed by the send function to create and send mail
- Web client communicates behind the scenes with the webmail server to send the message
- No e-mails are stored on the local PC; the webmail provider houses all e-mail

Working with Webmail (Cont.)

Working with webmail files

- Entails a bit more effort to locate files
- Temporary files are a good place to start
- Useful keywords for webmail programs include:
  - Yahoo! Mail: ShowLetter, ShowFolder, Compose, “Yahoo! Mail”
  - Hotmail: HoTMail, hmhome, getmsg, doattach, compose
  - Gmail: mail[#]

Working with Webmail (Cont.)

Type of E-Mail Protocol           POP3                                          IMAP          Webmail
E-mail accessible from anywhere   No                                            Yes           Yes
Remains stored on server          No (unless included in a backup of server)    Yes           Yes, unless POP3 was used too
Dependence on Internet            Moderate                                      Very strong   Strong
Special software required         Yes                                           Yes           No

Working with Mail Servers

Some initial things to consider:

- How many users are serviced?
- E-mail retention policies of the company
- Accessibility of the e-mail server

Working with Mail Servers (Cont.)

Redundant array of independent disks (RAID)

- RAID 0: Basic disk striping
- RAID 1: Disk mirroring
- RAID 3: Striping with parity
- RAID 5: Striping with distributed parity
- RAID 0+1 and 10 (1+0): Mirror of stripes and striped mirroring

Working with Mail Servers (Cont.)

Harvesting data from RAID servers

- Easiest way to obtain the data is over the network
- Considerations:
  - Time to obtain the data
  - Physical configuration and space
  - Production server downtime

Examining E-Mails for Evidence

Understanding e-mail headers

- The header records information about the sender, receiver, and servers it passes along the way
- Most e-mail clients show the header in a short form that does not reveal IP addresses
- Most programs have an option to show a long form that reveals complete details

Examining E-Mails for Evidence (Cont.)

- Most common parts of the e-mail header are logical addresses of senders and receivers
- Logical address is composed of two parts:
  - The mailbox, which comes before the @ sign
  - The domain or hostname, which comes after the @ sign
- The mailbox is generally the userid used to log in to the e-mail server
- The domain is the Internet location of the server that transmits the e-mail

Examining E-Mails for Evidence (Cont.)

- Reviewing e-mail headers can offer clues to the true origins of the mail and the program used to send it
- Common e-mail header fields include: Bcc, Cc, Content-Type, Date, From, Message-ID, Received, Subject, To, X-Priority

Examining E-Mails for Evidence (Cont.)

IP address registries:

- African Network Information Centre (AfriNIC)
- Asia Pacific Network Information Centre (APNIC)
- American Registry for Internet Numbers (ARIN)
- Latin American and Caribbean Internet Addresses Registry (LACNIC)
- Réseaux IP Européens Network Coordination Centre (RIPE NCC)

Examining E-Mails for Evidence (Cont.)

Understanding e-mail attachments

- MIME standard allows for HTML and multimedia images in e-mail
- Searching for base64 can find attachments in unallocated or slack space

Anonymous remailers

- Allow users to remove identifying IP data to maintain privacy
- Stems from users citing the First Amendment and freedom of speech
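Added example (not from the textbook): a small Python carver for the base64 search the slide describes. It scans a constructed stand-in for unallocated space, decodes any long base64 run it finds, and labels the result by file signature; the buffer, the signature table and the 40-character threshold are my assumptions.

```python
import base64
import binascii
import re

# Constructed stand-in for a chunk of unallocated space: filler bytes around one
# base64 run, the way a deleted MIME attachment body can survive on disk.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40            # signature plus padding
UNALLOCATED = (b"\x00" * 64 + b"random junk text " * 3
               + base64.b64encode(FAKE_PNG) + b"\n--boundary--\r\n" + b"\xff" * 32)

# MIME bodies carry base64 in 76-character lines, so match long runs of the
# base64 alphabet (line breaks allowed) with '=' padding permitted only at the end.
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]|\r?\n){40,}={0,2}")

# File signatures an examiner expects to see once an attachment is decoded.
MAGIC = {b"\x89PNG": "png", b"%PDF": "pdf", b"\xff\xd8\xff": "jpeg",
         b"PK\x03\x04": "zip/office"}


def guess_type(data):
    return next((t for sig, t in MAGIC.items() if data.startswith(sig)), "unknown")


def carve_base64(buf, min_chars=40):
    """Decode every long base64 run in buf and label it by file signature.

    Returns one dict per run: byte offset in buf, decoded bytes and guessed
    type. Plain prose rarely forms 40 base64 characters without a space, which
    keeps false positives down; a run cut short by reuse of the sector is
    trimmed to a multiple of four characters so the surviving prefix decodes.
    """
    hits = []
    for m in B64_RUN.finditer(buf):
        text = re.sub(rb"\s", b"", m.group(0))
        if len(text) < min_chars:
            continue
        text = text[: len(text) - len(text) % 4]
        try:
            data = base64.b64decode(text, validate=True)
        except binascii.Error:        # malformed padding: skip this run
            continue
        hits.append({"offset": m.start(), "data": data, "type": guess_type(data)})
    return hits
```

On a real image the same function is run over each chunk read from the disk image; the offset then tells you where in the image the fragment sat.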

Private IP Address Classifications

IP Address Range                 Classification   Use
10.0.0.0 to 10.255.255.255       Class A          Local network use; not recognized on the Internet
172.16.0.0 to 172.31.255.255     Class B          Local network use; not recognized on the Internet
192.168.0.0 to 192.168.255.255   Class C          Local network use; not recognized on the Internet
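Added example (not from the textbook) tying the header discussion to the private ranges in this table: Python that walks the Received headers of a constructed message from origin outward, extracts the IPv4 addresses, flags hops in the 10/8, 172.16/12 and 192.168/16 ranges as private, and reports the first Internet-routable address, which is the one to look up in a regional registry. All hosts, addresses and timestamps in the sample are made up.

```python
import email
import ipaddress
import re

# Constructed headers-only sample: made-up hosts, addresses and IPs, not a real case.
RAW_MESSAGE = b"""\
Received: from mx.example.org (mx.example.org [203.0.113.7])
\tby inbound.example.net with ESMTP id abc123; Mon, 5 Jun 2006 10:02:11 -0400
Received: from gateway.example.org ([198.51.100.20])
\tby mx.example.org with SMTP; Mon, 5 Jun 2006 10:02:05 -0400
Received: from workstation (workstation.corp.local [192.168.5.44])
\tby gateway.example.org with ESMTP; Mon, 5 Jun 2006 10:01:58 -0400
Message-ID: <20060605140158.1234@gateway.example.org>
From: "A. Sender" <asender@example.org>

"""

# The three private ranges from the chapter's table (RFC 1918).
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_private(ip):
    return any(ip in net for net in PRIVATE_RANGES)


def parse_hops(raw):
    """Received hops in chronological order (origin first) with their IPs."""
    hops = []
    # Each relay prepends its own Received line, so the last one is the first hop.
    for value in reversed(email.message_from_bytes(raw).get_all("Received", [])):
        text = " ".join(value.split())        # unfold continuation lines
        ips = []
        for cand in IPV4.findall(text):
            try:
                ips.append(ipaddress.ip_address(cand))
            except ValueError:                # e.g. "999.1.1.1" in a comment
                pass
        hops.append({"header": text, "ips": [str(i) for i in ips],
                     "private": bool(ips) and all(is_private(i) for i in ips)})
    return hops


def first_public_ip(hops):
    """First Internet-routable address on the path outward from the origin hop;
    a private hop only identifies a machine inside the sending network."""
    for hop in hops:
        for ip in hop["ips"]:
            if not is_private(ipaddress.ip_address(ip)):
                return ip
    return None
```

Only the Received lines added by relays you trust are reliable; a sender can forge the lowest ones, so the first hop written by a server outside the sender's control is the anchor for registry lookups.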

In Practice: Attempted Attack by Chinese Hackers

- In December 2005, e-mails sent to the British embassy represented an attempt to take control of embassy computers
- Filtering software logged addresses and identified the origin of the e-mails in China
- A Trojan was hidden in attachments to the e-mails

Working with Instant Messaging

- Most widely used IM applications include:
  - Windows Messenger
  - Google Talk
  - AIM (AOL Instant Messenger)
  - ICQ (“I Seek You”) Instant Messenger
- Newer versions of IM clients and servers allow the logging of activity
- Can be more incriminating than e-mail

FYI: Vermont Supreme Court Affirms Conviction Based on IM Evidence

- Forensic investigator recovered IM conversations relating to a photo shoot
- Expert noted that because IMs are not usually saved, storing them required a special effort

Summary

Electronic mail and instant messages can be important evidence to find

They can provide a more realistic and candid view of a person

Client and server programs are needed for both e-mail and IM applications

Webmail does not leave a complete trail on the local computer

Summary (Cont.)

It may be necessary to harvest data from a server, in which case you need to consider the following:

- Data storage structure being used
- Authority to access the data
- A realistic plan for time and space needed to house the forensic copy of the data

Summary (Cont.)

E-mail headers and IM logs can provide additional evidence

Tracing IP addresses may involve searches of international and regional registries responsible for allocating IP addresses

Summary (Cont.)

- Instant messaging, like e-mail, is a client/server-based technology
- Due to volume, records may not be kept by providers
- If found, can contribute significantly to a case