Email and Internet Evidence
Mark Pollitt
Associate Professor, Engineering Technology
Web 1.0 Technologies
• Technologies
  – Email
  – Web
  – Skype
  – IM
• Web 1.0 because:
  – Static content
  – Application standards
  – Client based
Forensics on Web 1.0 Technologies
• Focus on two elements:
  – The application
  – The data
• Looking for:
  – The content
  – The connections
Applications
• Developers need to build three things into communications applications:
  – User interface
  – Data processing/storage
  – Communications protocols
• Multiple applications can share a common protocol:
  – Outlook, Thunderbird, Zimbra
  – Hotmail, Yahoo, Gmail
Web Browsers
• All share HTML
• Some support other technologies:
  – ActiveX, Flash, XML, etc.
• All store a cache of recent files and a history
  – Most store those differently
  – Usually, it takes a specific tool to look at browser histories
• Documenting both Internet history and reconstructing web pages is important evidence
Doing Browser Forensics
• Know how the browser stores data
• Know the location of the data
• Have a tool that can read that data
• Great resources:
  http://www.symantec.com/connect/articles/web-browser-forensics-part-1
  http://www.symantec.com/connect/articles/web-browser-forensics-part-2
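The three steps above (know how the browser stores data, know where it is, have a tool that reads it) can be walked through on one concrete case: Firefox keeps its history in an SQLite file, places.sqlite, where moz_places holds URLs and moz_historyvisits holds each visit with a microsecond timestamp and a pointer to the referring visit. The example below is added here and is not from the slides; it builds an in-memory copy of a reduced version of that schema with constructed rows, then reconstructs the visit timeline and the referrer links (the "connections" the slides mention). The reduced schema, the sample rows and the helper names are assumptions made for the example.

```python
import sqlite3
from datetime import datetime, timezone

# Subset of the Firefox places.sqlite schema (assumption: a real profile's
# tables carry many more columns; only those needed for reconstruction are kept).
PLACES_SCHEMA = """
CREATE TABLE moz_places (
    id          INTEGER PRIMARY KEY,
    url         TEXT NOT NULL,
    title       TEXT,
    visit_count INTEGER DEFAULT 0
);
CREATE TABLE moz_historyvisits (
    id         INTEGER PRIMARY KEY,
    from_visit INTEGER,          -- id of the referring visit, 0 if none
    place_id   INTEGER NOT NULL, -- refers to moz_places.id
    visit_date INTEGER NOT NULL, -- microseconds since the Unix epoch (PRTime)
    visit_type INTEGER           -- Firefox transition type, see TRANSITIONS
);
"""

# Firefox nsINavHistoryService transition constants for the types used below.
TRANSITIONS = {1: "link", 2: "typed", 3: "bookmark", 5: "redirect_permanent",
               6: "redirect_temporary", 7: "download", 9: "reload"}

# Constructed sample rows, not taken from any real profile.
SAMPLE_PLACES = [
    (1, "https://example.org/", "Example Domain", 1),
    (2, "https://example.org/login", "Login", 1),
    (3, "https://mail.example.net/inbox", "Inbox", 1),
]
SAMPLE_VISITS = [
    # id, from_visit, place_id, visit_date (microseconds), visit_type
    (10, 0, 1, 1_700_000_000_000_000, 1),
    (11, 10, 2, 1_700_000_060_000_000, 5),   # reached by redirect from visit 10
    (12, 0, 3, 1_700_000_120_000_000, 2),    # URL typed directly
]


def open_history(path):
    """Open a copy of places.sqlite read-only so the evidence file is never modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db():
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(PLACES_SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?)", SAMPLE_PLACES)
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?, ?)", SAMPLE_VISITS)
    conn.commit()
    return conn


def prtime_to_utc(microseconds):
    """Convert a PRTime value (microseconds since the epoch) to a UTC timestamp string."""
    stamp = datetime.fromtimestamp(microseconds / 1_000_000, tz=timezone.utc)
    return stamp.strftime("%Y-%m-%d %H:%M:%S UTC")


def reconstruct_history(conn):
    """Return every visit in chronological order, with the referring URL resolved
    by following from_visit back to the visit (and place) it points at."""
    rows = conn.execute("""
        SELECT v.id, v.visit_date, p.url, p.title, v.visit_type, rp.url
        FROM moz_historyvisits v
        JOIN moz_places p ON p.id = v.place_id
        LEFT JOIN moz_historyvisits rv ON rv.id = v.from_visit
        LEFT JOIN moz_places rp ON rp.id = rv.place_id
        ORDER BY v.visit_date
    """)
    return [
        {"visit_id": vid, "time": prtime_to_utc(ts), "url": url, "title": title,
         "transition": TRANSITIONS.get(vtype, f"unknown({vtype})"), "from_url": from_url}
        for vid, ts, url, title, vtype, from_url in rows
    ]


if __name__ == "__main__":
    for visit in reconstruct_history(build_sample_db()):
        ref = f"  <- {visit['from_url']}" if visit["from_url"] else ""
        print(f"{visit['time']}  {visit['transition']:<18} {visit['url']}{ref}")
```

Against a real profile, copy places.sqlite (and any places.sqlite-wal file next to it) off the evidence image first and hand the copy to open_history(); the read-only URI keeps the examiner's tooling from ever writing to it. Chrome and Internet Explorer use different stores, which is why the slides say a tool per browser is usually needed.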
Email
• Very simple in concept:
  – Client/Server
  – SMTP protocol
• Two basic interfaces:
  – Web mail (Hotmail, Yahoo, Gmail)
  – Client based (POP, IMAP, SMTP)
  – Some support both
• Features vary by client
Email Clients
• Like browsers, they share some features:
  – Communications protocols (POP, IMAP, SMTP, etc.)
  – User interface
  – Storage – usually some form of database
Internet History Browsers
• NirSoft – IEHistoryView / MozillaCacheView
• SecurityXploded – Browser History Spy*
• SQLite viewer – Firefox
Email Investigations
• Client software
  – Outlook
  – Thunderbird
  – Zimbra
• Forensic suites
  – EnCase
  – FTK
• Webmail
  – Use browser forensics
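Whichever client or suite produced the message, what an examiner reads is the SMTP-era header block the slides' "Client/Server, SMTP protocol" model implies: each relay prepends a Received header, so the chain of hops can be rebuilt from the bottom up, and the content fields (From, Subject, Message-ID, Date) are recorded beside it. The example below is added here and is not from the slides; it parses a constructed message with Python's standard email module, orders the hops chronologically, and checks that each relay's "by" host matches the next hop's "from" host, since a break in that chain is the usual sign of an inserted or forged header. The sample message, its hosts and addresses, and the function names are assumptions made for the example.

```python
import re
from email import message_from_bytes, policy
from email.utils import parsedate_to_datetime

# Constructed sample message (headers plus a one-line body, not a real capture).
# Relays prepend Received headers, so the topmost one is the most recent hop.
SAMPLE_MESSAGE = b"""Received: from mx2.example.net (mx2.example.net [203.0.113.20])
\tby mail.example.org with ESMTP id abc123;
\tTue, 14 Nov 2023 22:15:20 +0000
Received: from client.example.com (client.example.com [198.51.100.7])
\tby mx2.example.net with ESMTPS id def456;
\tTue, 14 Nov 2023 22:15:10 +0000
From: Alice <alice@example.com>
To: bob@example.org
Subject: Quarterly report
Message-ID: <20231114221500.1234@client.example.com>
Date: Tue, 14 Nov 2023 22:15:00 +0000

Please see the attached report.
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def parse_received(value):
    """Split one Received header into the host it came from, the relay that
    recorded it, and the timestamp that relay stamped after the final ';'."""
    text = " ".join(value.split())            # collapse header folding
    clause, _, date = text.rpartition(";")
    from_m = FROM_RE.search(clause)
    by_m = BY_RE.search(clause)
    try:
        when = parsedate_to_datetime(date.strip()).isoformat()
    except (TypeError, ValueError):
        when = None                           # malformed or missing date
    return {"from": from_m.group(1) if from_m else None,
            "by": by_m.group(1) if by_m else None,
            "time": when}


def trace_received(raw):
    """Hops in chronological order (earliest relay first)."""
    msg = message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    return [parse_received(str(v)) for v in reversed(received)]


def chain_is_continuous(hops):
    """True when each relay's 'by' host is the 'from' host of the next hop;
    a break points to a Received header that was inserted or forged."""
    return all(a["by"] == b["from"] for a, b in zip(hops, hops[1:]))


def header_summary(raw):
    """Content-side fields an examiner records alongside the relay chain."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {name: str(msg[name]) for name in ("From", "To", "Subject", "Message-ID", "Date")}


if __name__ == "__main__":
    hops = trace_received(SAMPLE_MESSAGE)
    for hop in hops:
        print(f"{hop['time']}  {hop['from']} -> {hop['by']}")
    print("chain continuous:", chain_is_continuous(hops))
    for key, val in header_summary(SAMPLE_MESSAGE).items():
        print(f"{key}: {val}")
```

Only the Received header added by a relay the examiner trusts (normally their own organisation's last hop) is known to be genuine; everything below it was supplied by the sender's side and is checked for consistency rather than taken at face value. For webmail, the same headers are usually available through the provider's "show original" view, which is why the slides route webmail cases through browser forensics.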
Thank You for your Attention!