guide to computer forensics and investigations, second edition chapter 13 e-mail investigations
Guide to Computer Forensics and Investigations, Second Edition
Chapter 13: E-mail Investigations
Guide to Computer Forensics and Investigations, 2e 2
Objectives
• Explore the roles of the client and server in e-mail
• Investigate e-mail crimes and violations
• Understand e-mail servers
• Use specialized e-mail computer forensics tools
Exploring the Roles of the Client and Server in E-mail
• Two environments
  – Internet
  – Controlled LAN, MAN, or WAN
• Client/server architecture
  – Server OS and e-mail software differ from those on the client side
• Protected accounts
  – Require usernames and passwords
Exploring the Roles of the Client and Server in E-mail (continued) [slide 4: figure only, no text]
Exploring the Roles of the Client and Server in E-mail (continued)
• Naming conventions
  – Corporate: [email protected]
  – Public: [email protected]
  – Everything after @ belongs to the domain name
• Tracing corporate e-mails is easier
Investigating E-mail Crimes and Violations
• Similar to other types of investigations
• Goals
  – Find who is behind the crime
  – Collect the evidence
  – Present your findings
  – Build a case
Identifying E-mail Crimes and Violations
• Depend on the city, state, or country
  – Spam
  – Always consult with an attorney
• Becoming commonplace
• Examples of crimes involving e-mails:
  – Narcotics trafficking
  – Extortion
  – Sexual harassment
Examining E-mail Messages
• Access the victim's computer and retrieve evidence
• Use the victim's e-mail client
  – Find and copy evidence in the e-mail
  – Access protected or encrypted material
  – Print e-mails
• Guide the victim on the phone
  – Open and copy the e-mail, including headers
• Sometimes you will deal with deleted e-mails
Examining E-mail Messages (continued) [slide 9: screenshot only, no text]
Viewing E-mail Headers
• Learn how to find e-mail headers
  – GUI clients
  – Command-line clients
  – Web-based clients
• Headers contain useful information
  – Unique identifying numbers
  – IP address of the sending server
  – Sending time
Viewing E-mail Headers (continued)
• Outlook
  – Open the Message Options dialog box
  – Copy the headers
  – Paste them into any text editor
• Outlook Express
  – Open the message Properties dialog box
  – Select Message Source
  – Copy and paste the headers into any text editor
Viewing E-mail Headers (continued) [slides 12 to 14: screenshots only, no text]
Viewing E-mail Headers (continued)
• Eudora
  – Click the BLAH BLAH BLAH button
  – Copy and paste the e-mail header
• Pine and ELM
  – Check enable-full-headers
• AOL
  – Open the e-mail Details dialog window
  – Copy and paste the headers
Viewing E-mail Headers (continued) [slides 16 to 18: screenshots only, no text]
Viewing E-mail Headers (continued)
• Hotmail
  – Click Options, Preferences in the menu
  – Click Advanced Headers
  – Copy and paste the headers
• Juno
  – Click Options and select Show Headers
  – Copy and paste the headers
Viewing E-mail Headers (continued) [slides 20 and 21: screenshots only, no text]
Viewing E-mail Headers (continued)
• Yahoo
  – Click Mail Options
  – Click General Preferences, then Show All Headers on incoming messages
• WebTV
  – Send the message to yourself
  – Open it with your regular e-mail client
  – The message will contain the headers
Examining E-mail Headers
• Gather supporting evidence and track the suspect
  – Return path
  – Recipient's e-mail address
  – Type of sending e-mail service
  – IP address of the sending server
  – Name of the e-mail server
  – Unique message number
  – Date and time the e-mail was sent
  – Attachment file information
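The fields listed above are what an investigator records from each hop of a message. The Python script below is an added example and is not material from the textbook or its slides; it uses only the standard library's email package, and the sample message, its hosts, addresses and IP addresses are constructed for the example. It walks the Received chain from the bottom up to find the first relay (the server whose operator you would contact) and the IP address that relay recorded, and it measures the time between hops, because any Received line below the one written by a server you trust could have been supplied by the sender.

```python
"""Pull the investigative fields out of a raw e-mail's headers.

Added example (not from the textbook). Standard library only. The message
below is constructed: every host, address and IP is made up
(203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
"""
import re
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

SAMPLE_RAW = """Return-Path: <sender@example.net>
Received: from mx.corp.example.com (mx.corp.example.com [198.51.100.7])
\tby mail.corp.example.com with ESMTP id n4A1b2C3
\tfor <victim@corp.example.com>; Mon, 10 May 2004 09:15:02 -0500
Received: from smtp.example.net (smtp.example.net [203.0.113.25])
\tby mx.corp.example.com with ESMTP id h2X9y8Z7;
\tMon, 10 May 2004 09:14:58 -0500
Received: from [203.0.113.200] (unknown [203.0.113.200])
\tby smtp.example.net with SMTP id q1W2e3R4;
\tMon, 10 May 2004 09:14:51 -0500
Message-ID: <20040510141451.q1W2e3R4@smtp.example.net>
Date: Mon, 10 May 2004 09:14:50 -0500
From: "A. Sender" <sender@example.net>
To: victim@corp.example.com
Subject: Re: payment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

See attached.
--BOUND
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--BOUND--
"""

# Each MTA prepends its own "Received:" line, so the top line is the hop
# closest to the recipient and the bottom line is the first relay that
# accepted the message from the sender.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                            # name the sender claimed
    r"(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"   # what the relay saw
    r".*?\bby\s+(?P<by>\S+)",                                           # relay that wrote the line
    re.DOTALL,
)


def received_hops(msg):
    """One dict per Received header, top of the header block first."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(raw))        # unfold continuation lines
        m = RECEIVED_RE.search(text)
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        hops.append({
            "from": m.group("helo") if m else None,
            "ip": m.group("ip") if m else None,
            "by": m.group("by") if m else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def hop_gaps(hops):
    """Seconds between consecutive hops, oldest first. A negative gap means a
    relay clock is off or a line below your own server's was forged."""
    times = [h["time"] for h in reversed(hops) if h["time"] is not None]
    return [int((later - earlier).total_seconds())
            for earlier, later in zip(times, times[1:])]


def header_summary(raw_message):
    """The fields the chapter says to record from a message's headers."""
    msg = message_from_string(raw_message, policy=policy.default)
    hops = received_hops(msg)
    origin = hops[-1] if hops else {}
    return {
        "return_path": str(msg["Return-Path"]),
        "recipient": str(msg["To"]),
        "message_id": str(msg["Message-ID"]),
        "date": parsedate_to_datetime(str(msg["Date"])),
        "origin_host": origin.get("from"),   # host that handed the mail to the first relay
        "origin_ip": origin.get("ip"),       # IP the first relay actually saw
        "first_relay": origin.get("by"),     # server whose operator to contact
        "hops": hops,
        "attachments": [p.get_filename() for p in msg.walk() if p.get_filename()],
    }


if __name__ == "__main__":
    summary = header_summary(SAMPLE_RAW)
    for key in ("return_path", "recipient", "message_id", "date",
                "origin_host", "origin_ip", "first_relay", "attachments"):
        print(f"{key:12} {summary[key]}")
    print("hop gaps (s):", hop_gaps(summary["hops"]))
```

Only the Received lines written by servers under your control (here the two corp.example.com relays) are evidence in their own right; the bottom line and the IP it names come from the sender's provider and should be confirmed with that provider's logs before being treated as established.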
Examining E-mail Headers (continued) [slide 24: screenshot only, no text]
Examining Additional E-mail Files
• E-mail messages are saved on the client side or left on the server
• Microsoft Outlook .pst and .ost files
• Personal address book
• UNIX e-mail groups
  – Members read the same messages
• Web-based mail files and folders
  – History, Cookies, Cache, Temp files
Tracing an E-mail Message
• Contact those responsible for the sending server
• Finding a domain name's point of contact
  – www.arin.net
  – www.internic.com
  – www.freeality.com
  – www.google.com
• Find the suspect's contact information
• Verify your findings against network logs
Using Network Logs Related to E-mail
• Confirm the e-mail route
• Router logs
  – Record all incoming and outgoing traffic
  – Have rules to allow or disallow traffic
• Firewall logs
  – Filter e-mail traffic
  – Verify whether the e-mail passed through
• You can use any text editor or specialized tools
Using Network Logs Related to E-mail (continued) [slide 28: screenshot only, no text]
Understanding E-mail Servers
• Computer running a server OS and an e-mail package
• E-mail storage
  – Database
  – Flat file
• Logs
  – Default or manual
  – Continuous and circular
Understanding E-mail Servers (continued)
• Log information
  – E-mail content
  – Sending IP address
  – Receiving and reading date and time
  – System-specific information
• Contact the suspect's network as soon as possible
• Servers can recover deleted e-mails
  – Similar to deletion of files on a hard drive
Understanding E-mail Servers (continued) [slide 31: screenshot only, no text]
Examining UNIX E-mail Server Logs
• /etc/sendmail.cf
  – Configuration information for Sendmail
• /etc/syslog.conf
  – Specifies how and which events Sendmail logs
• /var/log/maillog
  – SMTP and POP3 communications
• IP address and time stamp
• Check the UNIX man pages for more information
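A worked example of reading /var/log/maillog, which also covers the "verify your findings against network logs" step from Tracing an E-mail Message. This Python script is an added example, not material from the textbook; the log lines are constructed in sendmail's syslog layout (hosts, queue IDs, addresses and IPs are invented), and syslog_time takes the year as a parameter because syslog timestamps omit it. The script groups sendmail entries by queue ID, which is how one message's from= and to= lines are tied together, picks up POP3 logins from the same file, and checks the Message-ID, sending IP and time recorded in an e-mail's headers against what the server itself logged.

```python
"""Correlate an e-mail's header values with sendmail entries in maillog.

Added example (not from the textbook). Standard library only. The log
lines are constructed in sendmail's syslog format; every host, queue ID,
address and IP is made up.
"""
import re
from datetime import datetime

MAILLOG = """\
May 10 09:14:51 smtp sendmail[2041]: i4AEEpK2002041: from=<sender@example.net>, size=1380, class=0, nrcpts=1, msgid=<20040510141451.q1W2e3R4@smtp.example.net>, proto=SMTP, daemon=MTA, relay=[203.0.113.200]
May 10 09:14:58 smtp sendmail[2043]: i4AEEpK2002041: to=<victim@corp.example.com>, delay=00:00:07, xdelay=00:00:04, mailer=esmtp, pri=31380, relay=mx.corp.example.com. [198.51.100.7], dsn=2.0.0, stat=Sent (h2X9y8Z7 Message accepted for delivery)
May 10 09:16:12 smtp sendmail[2050]: i4AEGCjf002050: from=<other@example.org>, size=512, class=0, nrcpts=1, msgid=<abc123@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [203.0.113.77]
May 10 09:16:13 smtp sendmail[2051]: i4AEGCjf002050: to=<someone@example.net>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30512, dsn=2.0.0, stat=Sent
May 10 09:20:03 smtp ipop3d[2099]: Login user=someone host=ws12.example.net [198.51.100.40] nmsgs=3/3
"""

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
SENDMAIL_RE = re.compile(SYSLOG_TS + r" \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
POP3_RE = re.compile(SYSLOG_TS + r" \S+ ipop3d\[\d+\]: Login user=(?P<user>\S+) host=\S+ \[(?P<ip>[0-9.]+)\]")
IP_IN_BRACKETS = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def syslog_time(stamp, year):
    """syslog timestamps carry no year, so the investigator supplies it."""
    normalized = re.sub(r"\s+", " ", stamp)
    return datetime.strptime(f"{year} {normalized}", "%Y %b %d %H:%M:%S")


def parse_maillog(text, year):
    """Group sendmail lines by queue ID (one message = one ID); collect POP3 logins."""
    queue, pop3_logins = {}, []
    for line in text.splitlines():
        m = SENDMAIL_RE.match(line)
        if m:
            rec = queue.setdefault(m["qid"], {"qid": m["qid"], "to": []})
            fields = {}
            for kv in m["rest"].split(", "):       # sendmail writes "key=value, key=value"
                key, _, value = kv.partition("=")
                fields[key] = value
            when = syslog_time(m["ts"], year)
            if "from" in fields:                    # envelope-sender line: who handed it in
                rec["from"] = fields["from"].strip("<>")
                rec["msgid"] = fields.get("msgid")
                ip = IP_IN_BRACKETS.search(fields.get("relay", ""))
                rec["relay_ip"] = ip.group(1) if ip else None
                rec["received"] = when
            if "to" in fields:                      # delivery line: where it went
                rec["to"].append(fields["to"].strip("<>"))
                rec["stat"] = fields.get("stat")
            continue
        m = POP3_RE.match(line)
        if m:
            pop3_logins.append({"time": syslog_time(m["ts"], year),
                                "user": m["user"], "ip": m["ip"]})
    return queue, pop3_logins


def corroborate(queue, msgid, header_ip, header_time):
    """Check the Message-ID, sending IP and time taken from the e-mail's
    headers against what the server logged for that message."""
    rec = next((r for r in queue.values() if r.get("msgid") == msgid), None)
    if rec is None:
        return {"found": False}
    received = rec.get("received")      # missing if the from= line was rotated away
    return {
        "found": True,
        "qid": rec["qid"],
        "ip_matches": rec.get("relay_ip") == header_ip,
        "time_delta_s": abs(int((received - header_time).total_seconds())) if received else None,
        "delivered_to": rec["to"],
        "status": rec.get("stat"),
    }


if __name__ == "__main__":
    queue, logins = parse_maillog(MAILLOG, 2004)
    print(corroborate(queue, "<20040510141451.q1W2e3R4@smtp.example.net>",
                      "203.0.113.200", syslog_time("May 10 09:14:51", 2004)))
    print("POP3 logins:", logins)
```

A Message-ID that appears in the header but not in the relay's log, or a logged relay IP that differs from the one in the header, is the signal that the header was altered somewhere along the path; the queue ID in the matching record is what to cite when requesting the provider's fuller records.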
Examining UNIX E-mail Server Logs (continued) [slides 33 to 35: screenshots only, no text]
Examining Microsoft E-mail Server Logs
• Microsoft Exchange Server (Exchange)
  – Uses a database
  – Based on the Microsoft Extensible Storage Engine
• Information Store files
  – Database files *.edb: responsible for MAPI information
  – Database files *.stm: responsible for non-MAPI information
Examining Microsoft E-mail Server Logs (continued)
• Transaction logs
  – Keep track of the e-mail databases
• Checkpoints
  – Keep track of the transaction logs
• Temporary files
• E-mail communication logs
  – RES#.log
• Tracking log
Examining Microsoft E-mail Server Logs (continued) [slide 38: screenshot only, no text]
Examining Microsoft E-mail Server Logs (continued)
• Troubleshooting or diagnostic log
  – Logs events
  – Use Windows Event Viewer
  – Open the Event Properties dialog box for more details about an event
Examining Novell GroupWise E-mail Logs
• Up to 25 databases for e-mail users
  – Stored on the Ofuser directory object
  – Referenced by a username, a unique identifier, and a .db extension
• Shares resources with the e-mail server databases
• Mailbox organization
  – Permanent index files
  – QuickFinder
Examining Novell GroupWise E-mail Logs (continued)
• Folder and file structure can be complex
  – It uses the Novell directory structure
• Guardian
  – Directory of every database
  – Tracks changes in the GroupWise environment
  – Considered a single point of failure
• Log files
  – GW\volz\*.log
Using Specialized E-mail Forensics Tools
• Tools
  – AccessData's FTK
  – EnCase
  – FINALeMAIL
  – Sawmill-GroupWise
  – DBXtract
  – MailBag Assistant
  – Paraben
Using Specialized E-mail Forensics Tools (continued)
• Tools allow you to find:
  – E-mail database files
  – Personal e-mail files
  – Off-line storage files
  – Log files
• Advantage
  – You do not need to know how e-mail servers and clients work
Using Specialized E-mail Forensics Tools (continued)
• FINALeMAIL
  – Scans e-mail database files
  – Recovers deleted e-mails
  – Searches the computer for lost or deleted e-mails
• FTK
  – All-purpose program
  – Filters and finds files specific to e-mail clients and servers
Using Specialized E-mail Forensics Tools (continued) [slide 45: screenshot only, no text]
Summary
• Send and receive e-mail via the Internet or a LAN
  – Both environments use client/server architecture
• E-mail investigations are similar to other kinds of investigations
• Access the victim's computer to recover evidence
• Copy and print the e-mail message involved in the crime or policy violation
• Find the e-mail headers
Summary (continued)
• Investigating e-mail abuse
  – Be familiar with the e-mail server's and client's operations
• Check:
  – E-mail message files
  – E-mail headers
  – E-mail server log files