Computer Forensics
Principles and Practices
by Volonino, Anzaldua, and Godwin
Chapter 8: E-Mail and Webmail Forensics
In Practice: E-Mail in Senate Investigations of Finance Companies
- Financial institutions helped Enron manipulate its numbers and mislead investors
- E-mail proved that banks such as JPMorgan Chase knew very well how Enron was hiding its debt
© Pearson Education Computer Forensics: Principles and Practices
2
Importance of E-Mail as Evidence
- E-mail can be pivotal evidence in a case
- Due to its informal nature, it does not always represent corporate policy
- Many cases provide examples of the use of e-mail as evidence:
  - Knox v. State of Indiana
  - Harley v. McCoach
  - Nardinelli et al. v. Chevron
  - Adelyn Lee v. Oracle Corporation
Working with E-Mail
- E-mail evidence typically used to corroborate or refute other testimony or evidence
- Can be used by prosecutors or defense parties
- Two standard methods to send and receive e-mail:
  - Client/server applications
  - Webmail
Working with E-Mail (Cont.)
E-mail data flow
- User has a client program such as Outlook or Eudora
- Client program is configured to work with one or more servers
- E-mails sent by client reside on PC
- A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers
Working with E-Mail (Cont.)
Sending E-Mail
1. User creates e-mail on her client
2. User issues send command
3. Client moves e-mail to Outbox
4. Client sends e-mail to the server
5. Server acknowledges client and authenticates e-mail account
6. Server sends e-mail to destination e-mail server
Note: If the client cannot connect with the server, it keeps trying
Working with E-Mail (Cont.)
Receiving E-Mail
1. User opens client and logs on
2. User issues receive command
3. Client contacts server
4. Server acknowledges, authenticates, and contacts mail box for the account
5. Mail downloaded to local computer
6. Messages placed in Inbox to be read
Note: POP deletes messages from server; IMAP retains copy on server
Working with E-Mail (Cont.)
Working with resident e-mail files
- Users are able to work offline with e-mail
- E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized
- Begin by identifying e-mail clients on system
- You can also search by file extensions of common e-mail clients
Working with E-Mail (Cont.)
E-Mail Client    | Extension | Type of File
AOL              | .abi      | AOL6 organizer file
AOL              | .aim      | Instant Message launch
AOL              | .arl      | Organizer file
AOL              | .bag      | Instant Messenger file
Outlook Express  | .dbx      | OE mail database
Outlook Express  | .dgr      | OE fax page
Outlook Express  | .email    | OE mail message
Outlook Express  | .eml      | OE electronic mail
Outlook          | .pab      | Personal address book
Outlook          | .pst      | Personal folder
Outlook          | .wab      | Windows address book
(Continued)
Working with E-Mail (Cont.)
E-Mail Client    | Extension | Type of File
Lotus Notes      | .box      | Notes mailbox
Lotus Notes      | .ncf      | Notes internal clipboard
Lotus Notes      | .nsf      | Notes database
Novell Groupwise | .mlm      | Saved e-mail (using WP5.1 format)
Eudora           | .mbx      | Eudora message base
Working with E-Mail (Cont.)
Popular e-mail clients:
- America Online (AOL): users have a month to download or save before AOL deletes messages
- Outlook Express: installed by default with Windows
- Outlook: bundled with Microsoft Office
- Eudora: popular free client
- Lotus Notes: integrated client option for Lotus Domino server
Working with Webmail
Webmail data flow
- User opens a browser, logs in to the webmail interface
- Webmail server has already placed mail in Inbox
- User uses the compose function followed by the send function to create and send mail
- Web client communicates behind the scenes to the webmail server to send the message
- No e-mails are stored on the local PC; the webmail provider houses all e-mail
Working with Webmail (Cont.)
Working with webmail files
- Entails a bit more effort to locate files
- Temporary files are a good place to start
- Useful keywords for webmail programs include:
  - Yahoo! mail: ShowLetter, ShowFolder, Compose, “Yahoo! Mail”
  - Hotmail: HoTMail, hmhome, getmsg, doattach, compose
  - Gmail: mail[#]
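The two ways of locating mail artifacts described on the preceding slides (file extensions of resident client files, and keyword hits in temporary browser files for webmail) can be combined into one triage pass over a seized file system. The script below is an added example, not code from the textbook: the extension table and keyword lists come from the slides, the sample directory it builds is constructed placeholder content, and the reading of "mail[#]" as a browser-cache file name such as mail[1].htm is an assumption.

```python
import re
import tempfile
from pathlib import Path

# Client file extensions taken from the chapter's tables (key is the
# lower-cased suffix, value is (client, type of file)).
CLIENT_EXTENSIONS = {
    ".abi": ("AOL", "AOL6 organizer file"),
    ".aim": ("AOL", "Instant Message launch"),
    ".arl": ("AOL", "Organizer file"),
    ".bag": ("AOL", "Instant Messenger file"),
    ".dbx": ("Outlook Express", "OE mail database"),
    ".dgr": ("Outlook Express", "OE fax page"),
    ".email": ("Outlook Express", "OE mail message"),
    ".eml": ("Outlook Express", "OE electronic mail"),
    ".pab": ("Outlook", "Personal address book"),
    ".pst": ("Outlook", "Personal folder"),
    ".wab": ("Outlook", "Windows address book"),
    ".box": ("Lotus Notes", "Notes mailbox"),
    ".ncf": ("Lotus Notes", "Notes internal clipboard"),
    ".nsf": ("Lotus Notes", "Notes database"),
    ".mlm": ("Novell Groupwise", "Saved e-mail (WP5.1 format)"),
    ".mbx": ("Eudora", "Eudora message base"),
}

# Webmail keywords from the chapter, matched case-sensitively against the
# file name plus the first MAX_SCAN_BYTES of content.
WEBMAIL_KEYWORDS = {
    "Yahoo! Mail": [b"ShowLetter", b"ShowFolder", b"Compose", b"Yahoo! Mail"],
    "Hotmail": [b"HoTMail", b"hmhome", b"getmsg", b"doattach", b"compose"],
}
# Assumption: the chapter's "mail[#]" for Gmail denotes browser-cache file
# names such as mail[1].htm.
GMAIL_CACHE_NAME = re.compile(r"^mail\[\d+\]")
MAX_SCAN_BYTES = 1 << 20


def classify_by_extension(path):
    """Return (client, type of file) for a known client extension, else None."""
    return CLIENT_EXTENSIONS.get(Path(path).suffix.lower())


def find_webmail_keywords(haystack):
    """Return the set of providers whose keyword list matches the bytes."""
    return {provider for provider, words in WEBMAIL_KEYWORDS.items()
            if any(word in haystack for word in words)}


def triage(root):
    """Walk root and return sorted (relative path, category, detail) findings."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        known = classify_by_extension(path)
        if known:
            findings.append((rel, "client-file", f"{known[0]}: {known[1]}"))
        if GMAIL_CACHE_NAME.match(path.name):
            findings.append((rel, "webmail-cache", "Gmail"))
        with path.open("rb") as fh:
            haystack = path.name.encode("utf-8", "replace") + b"\n" + fh.read(MAX_SCAN_BYTES)
        for provider in sorted(find_webmail_keywords(haystack)):
            findings.append((rel, "webmail-cache", provider))
    return findings


def build_sample_tree():
    """Create a constructed sample tree (placeholder contents, not real data)."""
    root = Path(tempfile.mkdtemp(prefix="mailtriage-"))
    files = {
        "Outlook/archive.PST": b"placeholder pst content",
        "Eudora/In.mbx": b"placeholder message base",
        "Temporary Internet Files/ShowLetter[1].htm": b"<html><title>Yahoo! Mail - Inbox</title></html>",
        "Temporary Internet Files/getmsg[2].htm": b"<html><title>HoTMail message</title></html>",
        "Temporary Internet Files/mail[1].htm": b"<html><title>Gmail - Inbox</title></html>",
        "Documents/notes.txt": b"meeting notes, nothing mail related",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    for finding in triage(build_sample_tree()):
        print(*finding, sep="\t")
```

Run it against a mounted image root instead of the sample tree to get a first list of client stores and cached webmail pages to examine; keyword hits only say that a cached page came from a webmail session, so the page itself still has to be opened and interpreted.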
Working with Webmail (Cont.)
Type of E-Mail Protocol         | POP3                                       | IMAP        | Webmail
E-mail accessible from anywhere | No                                         | Yes         | Yes
Remains stored on server        | No (unless included in a backup of server) | Yes         | Yes, unless POP3 was used too
Dependence on Internet          | Moderate                                   | Very strong | Strong
Special software required       | Yes                                        | Yes         | No
Examining E-Mails for Evidence
Understanding e-mail headers
- The header records information about the sender, receiver, and servers it passes along the way
- Most e-mail clients show the header in a short form that does not reveal IP addresses
- Most programs have an option to show a long form that reveals complete details
Examining E-Mails for Evidence (Cont.)
- Most common parts of the e-mail header are logical addresses of senders and receivers
- Logical address is composed of two parts:
  - The mailbox, which comes before the @ sign
  - The domain or hostname that comes after the @ sign
- The mailbox is generally the userid used to log in to the e-mail server
- The domain is the Internet location of the server that transmits the e-mail
Examining E-Mails for Evidence (Cont.)
- Reviewing e-mail headers can offer clues to true origins of the mail and the program used to send it
- Common e-mail header fields include:
  - Bcc
  - Cc
  - Content-Type
  - Date
  - From
  - Message-ID
  - Received
  - Subject
  - To
  - X-Priority
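The header slides above describe the long-form header, the mailbox/domain split of a logical address, and the Received lines that record each server a message passed through. The parser below is an added example written with Python's standard email package, not code from the textbook. The message it parses is constructed (documentation domains and TEST-NET addresses, not real traffic); it reads the Received chain bottom-up, which is transit order, and pulls out the IP literals that the short header view hides.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Header fields listed on the slide.
COMMON_FIELDS = ("From", "To", "Cc", "Bcc", "Date", "Subject",
                 "Message-ID", "Content-Type", "X-Priority")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample message. Received lines are folded the way servers
# write them; the top one was added last (by the final receiving server).
SAMPLE_MESSAGE = b"\r\n".join([
    b"Received: from mx.example.org (mx.example.org [203.0.113.10])",
    b"\tby mail.example.net with ESMTP id ABC123",
    b"\tfor <bob@example.net>; Tue, 06 Dec 2005 10:15:03 +0000",
    b"Received: from [192.0.2.55] (helo=laptop)",
    b"\tby mx.example.org with SMTP id XYZ789;",
    b"\tTue, 06 Dec 2005 10:14:58 +0000",
    b"Message-ID: <20051206101458.12345@example.org>",
    b"From: Alice <alice@example.org>",
    b"To: bob@example.net",
    b"Cc: carol@example.net",
    b"Subject: Quarterly numbers",
    b"Date: Tue, 06 Dec 2005 10:14:50 +0000",
    b"Content-Type: text/plain; charset=\"us-ascii\"",
    b"X-Priority: 1",
    b"",
    b"Please review the figures before the call.",
    b"",
])


def split_logical_address(address):
    """Split mailbox@domain into its two parts (display name stripped first)."""
    _, addr = parseaddr(address)
    mailbox, at, domain = addr.rpartition("@")
    if not at:
        raise ValueError(f"not an e-mail address: {address!r}")
    return mailbox, domain


def received_chain(msg):
    """Received headers in transit order (nearest the sender first) with IPv4 literals."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())   # unfold and normalise whitespace
        hops.append({"header": text, "ips": IPV4.findall(text)})
    return hops


def originating_ip(hops):
    """First IPv4 literal in the earliest hop, or None if no hop carries one."""
    for hop in hops:
        if hop["ips"]:
            return hop["ips"][0]
    return None


def summarize(raw):
    """Parse raw message bytes into the fields an examiner looks at first."""
    msg = message_from_bytes(raw, policy=policy.default)
    fields = {name: str(msg[name]) for name in COMMON_FIELDS if msg[name] is not None}
    mailbox, domain = split_logical_address(fields.get("From", ""))
    hops = received_chain(msg)
    return {"fields": fields, "from_mailbox": mailbox, "from_domain": domain,
            "hops": hops, "originating_ip": originating_ip(hops)}


if __name__ == "__main__":
    result = summarize(SAMPLE_MESSAGE)
    for name, value in result["fields"].items():
        print(f"{name}: {value}")
    for i, hop in enumerate(result["hops"], 1):
        print(f"hop {i}: ips={hop['ips']} :: {hop['header']}")
    print("originating IP:", result["originating_ip"])
```

The earliest Received line is the one nearest the sender, which is why it is read first, but the From header and any Received lines the sending side inserted itself are under the sender's control. Treat the chain as the slide puts it, as clues to the true origin, and weigh each hop by whether the server that wrote it is one whose logs you can check.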
Examining E-Mails for Evidence (Cont.)
IP address registries:
- African Network Information
- Asia Pacific Network Information
- American Registry for Internet Numbers
- Latin American and Caribbean Internet Addresses Registry
- Réseaux IP Européens Network Coordination Centre
Examining E-Mails for Evidence (Cont.)
Understanding e-mail attachments
- MIME standard allows for HTML and multimedia images in e-mail
- Searching for base64 can find attachments in unallocated or slack space
Anonymous remailers
- Allow users to remove identifying IP data to maintain privacy
- Stems from users citing the First Amendment and freedom of speech
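The attachment slide notes that MIME attachments travel base64-encoded and that searching for base64 can recover them from unallocated or slack space. The carver below is an added example, not code from the textbook or any forensic tool: it scans a byte buffer for base64 runs, repairs padding lost to truncation, decodes each run, identifies the result by file signature, and looks back for a nearby name="..." parameter. The "unallocated space" it scans is a constructed buffer of junk bytes with two MIME remnants and one unrelated base64 run embedded in it.

```python
import base64
import re

# File signatures used to label decoded payloads.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF8", "gif"),
    (b"PK\x03\x04", "zip"),
]
# A base64 run: at least 12 groups of four alphabet characters, optionally
# broken by CR/LF at line ends, followed by an optional padded tail.
BASE64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{4}[\r\n]{0,2}){12,}(?:[A-Za-z0-9+/]{2,3}=?=?)?")
NAME_HINT = re.compile(rb'name="([^"]+)"')
NAME_WINDOW = 512   # bytes before a run that are searched for name="..."


def identify(data):
    """Label decoded bytes by leading signature, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def carve_base64(buffer):
    """Find base64 runs in raw bytes, decode them and label them by signature."""
    hits = []
    for match in BASE64_RUN.finditer(buffer):
        cleaned = re.sub(rb"[\r\n]", b"", match.group(0))
        cleaned += b"=" * (-len(cleaned) % 4)      # repair padding lost in slack
        try:
            data = base64.b64decode(cleaned, validate=True)
        except ValueError:                         # binascii.Error is a ValueError
            continue
        window = buffer[max(0, match.start() - NAME_WINDOW):match.start()]
        names = NAME_HINT.findall(window)          # MIME name= or filename= parameter
        hits.append({"offset": match.start(), "kind": identify(data), "size": len(data),
                     "name": names[-1].decode("latin-1") if names else None,
                     "data": data})
    return hits


# Constructed payloads: a PNG-like blob, a PDF-like blob and a plain note.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(range(48))
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample, not a real document\n" + bytes(range(200, 240))
NOTE = b"plain text that happened to be base64 encoded; not an attachment at all!"


def build_unallocated_sample():
    """Constructed stand-in for unallocated space: junk with MIME remnants in it."""
    junk = bytes([0x00, 0xFF, 0x13, 0x80]) * 160   # 640 bytes, no base64 alphabet
    return (junk
            + b'Content-Type: image/png; name="photo.png"\r\n'
            + b"Content-Transfer-Encoding: base64\r\n\r\n"
            + base64.encodebytes(SAMPLE_PNG) + b"\r\n--boundary\r\n"
            + junk
            + b'Content-Disposition: attachment; filename="report.pdf"\r\n'
            + b"Content-Transfer-Encoding: base64\r\n\r\n"
            + base64.encodebytes(SAMPLE_PDF) + b"\r\n--boundary--\r\n"
            + junk
            + base64.encodebytes(NOTE)
            + junk)


if __name__ == "__main__":
    for hit in carve_base64(build_unallocated_sample()):
        print(f"offset={hit['offset']} kind={hit['kind']} size={hit['size']} name={hit['name']}")
```

Keep the decoded bytes together with the offset at which the run was found so the recovery can be documented and repeated; a run that decodes to an unknown type is not discarded, since the payload may be a format this short signature table does not cover.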
In Practice: Attempted Attack by Chinese Hackers
- In December 2005, e-mails sent to the British embassy represented an attempt to take control of embassy computers
- Filtering software logged addresses and identified origin of e-mails in China
- A Trojan was hidden in attachments to e-mails
Working with Instant Messaging
- Most widely used IM applications include:
  - Windows Messenger
  - Google Talk
  - AIM (AOL Instant Messenger)
  - ICQ (“I Seek You”) Instant Messenger
- Newer versions of IM clients and servers allow the logging of activity
- Can be more incriminating than e-mail
FYI: Vermont Supreme Court Affirms Conviction Based on IM Evidence
- Forensic investigator recovered IM conversations relating to photo shoot
- Expert noted that because IMs are not usually saved, storing them required a special effort