Email Forensics Ok

This document discusses investigating email crimes and violations. It describes how email works between clients and servers, and the roles of each. Key steps in email investigations include examining email messages and headers to gather evidence like sender IP addresses and timestamps. Network email logs and email server logs can also be examined to trace email messages and validate senders. Tools are discussed that can help trace email addresses and messages.

Uploaded by HASBULLAH DEDAT

Email Investigation

Presented By
Animesh Shaw
(Psycho_Coder)
Digital Evidence Analyst Trainee
Discussion Objectives

• Working Process of Email
• Explain the role of e-mail in investigations
• Describe client and server roles in e-mail
• Describe tasks in investigating e-mail crimes and violations
• Explain the use of e-mail server logs
• Describe some available e-mail computer forensics tools
HOW EMAIL WORKS

To send and receive emails, we need an email client. There are primarily two types of email clients:
1. Stand-alone
2. Web based

A client has four things:
• 1) Messages in a mailbox.
• 2) Contents can be seen by selecting the header.
• 3) Messages can be created and sent.
• 4) Attachments can be added.

KEY PROTOCOLS
SMTP carries mail from the client to its server and between servers; POP3 and IMAP retrieve it from the server to the client.
PROCEDURE OF EMAIL TRANSMISSION
BASIC TERMS
Exploring the Role of E-mail in Investigations

• With the increase in e-mail scams and fraud attempts using phishing or spoofing
– Investigators need to know how to examine and interpret the unique content of e-mail messages
• Phishing e-mails are usually in HTML format
– Which lets the text shown for a link differ from the Web page the link actually opens
• One of the most noteworthy e-mail scams was 419, or the Nigerian Scam
• Spoofed e-mail (forged sender addresses and headers) can be used to commit fraud
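The HTML trick above, that the visible link text and the real destination can differ, is mechanical to check. The following is an added example (not code from the presentation): it parses a constructed phishing body and flags anchors whose text names one host while the href goes to another, or whose href is a bare IP address. The domains and IPs are documentation placeholders, and the two-label "registrable domain" rule is a stated simplification.

```python
"""Spot misleading links in an HTML e-mail body: anchors whose visible text
names one site while the href goes somewhere else, or whose href is a bare
IP address.  Added example, not from the presentation; the body below is
constructed and uses documentation domains/addresses."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body of a phishing message (not a real sample).
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://198.51.100.23/login">sign in</a>
at <a href="http://bank.example.org.evil.example/verify">https://www.bank.example.org/verify</a>
to keep your account active. Questions? See
<a href="https://www.bank.example.org/help">www.bank.example.org/help</a>.</p>
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname.  Simplification (assumption): a real
    check would consult the public-suffix list for names like co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def host_named_in_text(text):
    """If the anchor text looks like a URL or hostname, return its host."""
    if " " in text or "." not in text:
        return None
    url = text if "://" in text else "http://" + text
    return urlparse(url).hostname


def suspicious_links(html):
    """Return findings for anchors that mislead about their destination."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if IPV4.fullmatch(host):
            reasons.append("href points at a bare IP address")
        shown = host_named_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"text shows {shown} but href goes to {host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The third link in the sample is legitimate (text and href agree) and produces no finding; the first two are flagged. Run the same function over the HTML part of a saved message to triage it before following any link.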
Exploring the Roles of the Client and Server in E-mail

• Send and receive e-mail in two environments
– Internet
– Controlled LAN, MAN, or WAN
• Client/server architecture
– Server OS and e-mail software differ from those on the client side
• Protected accounts
– Require usernames and passwords
Exploring the Roles of the Client and Server in E-mail (continued)

• Naming conventions
– Corporate: [email protected]
– Public: [email protected]
– Everything after the @ is the domain name
• Tracing corporate e-mails is easier
– Because accounts use standard names the administrator establishes
Investigating E-mail Crimes and Violations

• Similar to other types of investigations
• Goals
– Find who is behind the crime
– Collect the evidence
– Present your findings
– Build a case
Investigating E-mail Crimes and Violations (continued)

• What counts as a crime depends on the city, state, or country
– Example: spam
– Always consult with an attorney
• E-mail crimes are becoming commonplace
• Examples of crimes involving e-mails
– Narcotics trafficking
– Extortion
– Sexual harassment
– Child abductions and pornography
Examining E-mail Messages

• Access the victim's computer to recover the evidence
• Using the victim's e-mail client
– Find and copy evidence in the e-mail
– Access protected or encrypted material
– Print e-mails
• Guide the victim on the phone
– Open and copy the e-mail including headers
• Sometimes you will deal with deleted e-mails
Examining E-mail Messages (continued)

• Copying an e-mail message
– Before you start an e-mail investigation
• You need to copy and print the e-mail involved in the crime or policy violation
– You might also want to forward the message as an attachment to another e-mail address
• With many GUI e-mail programs, you can copy an e-mail by dragging it to a storage medium
– Or by saving it in a different location
Viewing E-mail Headers

• Learn how to find e-mail headers
– GUI clients
– Command-line clients
– Web-based clients
• After you open e-mail headers, copy and paste them into a text document
– So that you can read them with a text editor
• Headers contain useful information
– Unique identifying numbers, IP address of the sending server, and sending time
Viewing E-mail Headers (continued)

• Yahoo (Client)
– Click Mail Options
– Click General Preferences and Show All headers on incoming messages
– Copy and paste headers

Yahoo Mail Header
Yahoo Full Header View
Viewing E-mail Headers (continued)

• Outlook
– Open the Message Options dialog box
– Copy headers
– Paste them into any text editor
• Outlook Express
– Open the message Properties dialog box
– Select Message Source
– Copy and paste the headers into any text editor
Viewing E-mail Headers (continued)

• Novell Evolution
– Click View, All Message Headers
– Copy and paste the e-mail header
• Pine and ELM
– Check enable-full-headers
• AOL headers
– Click Action, View Message Source
– Copy and paste headers
Viewing E-mail Headers (continued)

• Hotmail
– Click Options, and then click Mail Display Settings
– Click the Advanced option button under Message Headers
– Copy and paste headers
• Apple Mail
– Click View from the menu, point to Message, and then click Long Header
– Copy and paste headers
Examining E-mail Headers

• Gather supporting evidence and track the suspect
– Return path
– Recipient's e-mail address
– Type of sending e-mail service
– IP address of the sending server
– Name of the e-mail server
– Unique message number
– Date and time the e-mail was sent
– Attachment file information
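The fields listed above can be pulled out of a pasted header block programmatically. The following is an added example, not code from the presentation: it parses a constructed two-hop message (documentation hosts and IPs), walks the Received chain from the sender's side outward, and records the return path, Message-ID, date and origin IP together with two checks an examiner would make by eye, namely whether the envelope sender's domain matches the From domain and whether the hop timestamps run forward.

```python
"""Pull the evidence fields an investigator records out of a raw message
and walk the Received chain from origin to destination.  Added example, not
from the presentation; the message is constructed with documentation
hosts/IPs."""
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message relayed through two hops.  Each MTA prepends its own
# Received header, so the top one is the last hop and the bottom one is
# closest to the sender.  Only hops written by servers you trust are
# reliable: a sender can forge any Received line below them.
RAW_MESSAGE = """\
Return-Path: <bounce@mail.example.net>
Received: from mx1.example.com (mx1.example.com [198.51.100.7])
\tby mail.victim.example (Postfix) with ESMTP id 7A1B2C3D
\tfor <ceo@victim.example>; Tue, 12 Mar 2013 14:22:31 +0000
Received: from [192.0.2.45] (unknown [192.0.2.45])
\tby mx1.example.com with ESMTPA id abc123;
\tTue, 12 Mar 2013 14:22:29 +0000
Message-ID: <20130312142229.abc123@mx1.example.com>
Date: Tue, 12 Mar 2013 14:22:27 +0000
From: "Bank Security" <security@bank.example.org>
To: ceo@victim.example
Subject: Urgent: verify your account
Content-Type: text/plain; charset="utf-8"

Please confirm your credentials at the link below.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received_chain(msg):
    """Return the hops oldest-first as dicts with from, by, ip and time."""
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        text = " ".join(str(received).split())  # unfold the header
        from_m = re.search(r"\bfrom\s+(\S+)", text)
        by_m = re.search(r"\bby\s+(\S+)", text)
        ip_m = IPV4.search(text)
        stamp = None
        if ";" in text:  # the timestamp follows the last semicolon
            try:
                stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                stamp = None
        hops.append({"from": from_m.group(1) if from_m else None,
                     "by": by_m.group(1) if by_m else None,
                     "ip": ip_m.group(1) if ip_m else None,
                     "time": stamp})
    return hops


def extract_evidence(raw):
    """Fields an investigator records from a message, plus two sanity checks."""
    msg = message_from_string(raw, policy=policy.default)
    hops = parse_received_chain(msg)
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    times = [h["time"] for h in hops if h["time"]]
    return {
        "return_path": return_path,
        "from_addr": from_addr,
        "to_addr": parseaddr(str(msg.get("To", "")))[1],
        "message_id": str(msg.get("Message-ID")),
        "date": parsedate_to_datetime(str(msg["Date"])),
        "origin_ip": hops[0]["ip"] if hops else None,  # earliest hop we can see
        "hops": hops,
        # A Return-Path domain that differs from the From domain is normal for
        # bulk mail, but for a message claiming to be from a bank it is a lead.
        "envelope_mismatch": return_path.split("@")[-1].lower()
                             != from_addr.split("@")[-1].lower(),
        # Timestamps should not run backwards along the chain.
        "timeline_consistent": all(a <= b for a, b in zip(times, times[1:])),
    }


if __name__ == "__main__":
    for key, value in extract_evidence(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Paste the headers copied from any of the clients above into RAW_MESSAGE's place and the same function applies. Treat origin_ip as the IP logged by the first trusted relay, not as proof of the sender's machine: a connecting client can supply any hostname in its HELO, but it cannot change the IP the relay saw.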
Examining Additional E-mail Files

• E-mail messages are saved on the client side or left at the server
• Microsoft Outlook uses .pst and .ost files
• Most e-mail programs also include an electronic address book
• In Web-based e-mail
– Messages are displayed as Web pages and may be left behind in the browser's cache folders
– Many Web-based e-mail providers also offer instant messaging (IM) services
Validating an Email Address
• We can use the online tool Email Dossier to get details about the validity of an email address.
Tracing an E-mail Message

• Contact the administrator responsible for the sending server
• Finding the domain name's point of contact
– www.arin.net
– www.internic.com
– www.freeality.com
– www.google.com
• Find the suspect's contact information
• Verify your findings by checking network e-mail logs against e-mail addresses

Online Email Tracer
• We can use an online e-mail tracer to make our work easier. Such a tool can be found at http://www.cyberforensics.in/OnlineEmailTracer/index.aspx
Demo Trace:
Using Network E-mail Logs

• Router logs
– Record incoming and outgoing traffic (when logging is enabled)
– Have rules to allow or disallow traffic
– Let you reconstruct the path a transmitted e-mail has taken
• Firewall logs
– Show which e-mail traffic was filtered
– Verify whether the e-mail passed through
• You can use any text editor or specialized tools
Understanding E-mail Servers
• A computer loaded with software that uses e-mail protocols for its services
– And maintains logs you can examine and use in your investigation
• E-mail storage
– Database
– Flat file
• Logs
– Enabled by default or turned on manually
– Continuous, or circular (the oldest entries are overwritten when the log fills up)
Understanding E-mail Servers (continued)

• Log information
– E-mail content
– Sending IP address
– Receiving and reading date and time
– System-specific information
• Contact the suspect's network e-mail administrator as soon as possible
– Circular logs and retention policies mean the entries you need may be overwritten
• Servers can often recover deleted e-mails
– As with deleted files on a hard drive, the data stays on the server's storage (or in backups) until it is overwritten
Examining UNIX E-mail Server Logs

• /etc/sendmail.cf
– Configuration information for Sendmail (newer systems keep it at /etc/mail/sendmail.cf)
• /etc/syslog.conf
– Specifies how and which events Sendmail logs (through the mail syslog facility)
• /var/log/maillog
– SMTP and POP3 communications
• IP address and time stamp
• Check the UNIX man pages for more information
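The slide above says what maillog holds; the step that matters for a case is tying a suspect message's header to the server's own record of it. The following is an added example, not code from the presentation: it groups constructed sendmail log lines (documentation IPs; one unrelated POP3 login line included to show it is skipped) by queue ID, then checks whether the Message-ID and origin IP taken from a header match the relay the server actually logged.

```python
"""Correlate sendmail entries in /var/log/maillog by queue ID and check a
Message-ID and sending IP taken from a suspect header against what the
server actually logged.  Added example, not from the presentation; the log
lines are constructed in sendmail's format with documentation IPs."""
import re
from collections import defaultdict

# Constructed excerpt.  sendmail logs each message as a "from=" line (with
# msgid= and the relay that handed it over) and one "to=" line per
# recipient, tied together by the queue ID that follows the process ID.
SAMPLE_MAILLOG = """\
Mar 12 14:22:29 mx1 sendmail[4821]: r2CEMTa2004821: from=<bounce@mail.example.net>, size=2311, class=0, nrcpts=1, msgid=<20130312142229.abc123@mx1.example.com>, proto=ESMTP, daemon=MTA, relay=[192.0.2.45]
Mar 12 14:22:30 mx1 sendmail[4823]: r2CEMTa2004821: to=<ceo@victim.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32311, relay=mail.victim.example. [203.0.113.9], dsn=2.0.0, stat=Sent (7A1B2C3D Message accepted for delivery)
Mar 12 14:25:01 mx1 sendmail[4830]: r2CEP1b3004830: from=<alice@example.com>, size=500, class=0, nrcpts=1, msgid=<alice-001@example.com>, proto=ESMTP, daemon=MTA, relay=ws12.example.com [198.51.100.12]
Mar 12 14:25:02 mx1 sendmail[4831]: r2CEP1b3004830: to=<bob@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30500, relay=mx.example.org. [203.0.113.10], dsn=2.0.0, stat=Sent (OK)
Mar 12 14:26:40 mx1 dovecot: pop3-login: Login: user=<ceo>, method=PLAIN, rip=203.0.113.77, lip=203.0.113.9
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                  r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
KV = re.compile(r"(\w+)=(<[^>]*>|[^,]*)")  # key=value pairs; <...> may hold commas
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_maillog(lines):
    """Group sendmail log lines by queue ID into one record per message."""
    messages = defaultdict(lambda: {"to": []})
    for line in lines:
        m = LINE.match(line)
        if not m:  # lines from other daemons (POP3/IMAP logins etc.) are skipped
            continue
        rec = messages[m["qid"]]
        fields = dict(KV.findall(m["rest"]))
        if "from" in fields:
            relay = fields.get("relay", "")
            ip = IPV4.search(relay)
            rec.update(received=m["ts"], sender=fields["from"].strip("<>"),
                       msgid=fields.get("msgid"), relay=relay,
                       relay_ip=ip.group(1) if ip else None)
        if "to" in fields:
            rec["to"].append(fields["to"].strip("<>"))
            rec["status"] = fields.get("stat")
    return dict(messages)


def validate_header_claims(log, message_id, claimed_ip):
    """Does the server log agree with the Message-ID and origin IP from a header?"""
    for qid, rec in log.items():
        if rec.get("msgid") == message_id:
            return {"queue_id": qid,
                    "logged_relay_ip": rec["relay_ip"],
                    "ip_matches": rec["relay_ip"] == claimed_ip,
                    "recipients": rec["to"],
                    "status": rec.get("status")}
    return None  # no message with that ID passed through this server


if __name__ == "__main__":
    log = parse_maillog(SAMPLE_MAILLOG.splitlines())
    print(validate_header_claims(log, "<20130312142229.abc123@mx1.example.com>",
                                 "192.0.2.45"))
```

A None result means the header's Message-ID never passed through this server, which is itself evidence: either the header was forged or the message took another route. A mismatch between the claimed IP and the logged relay is the same kind of lead, since the relay IP in maillog comes from the TCP connection and cannot be set by the sender.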

Examining Microsoft E-mail Server Logs

• Microsoft Exchange Server (Exchange)
– Uses a database
– Based on the Microsoft Extensible Storage Engine (ESE)
• Information Store files
– Database files *.edb
• Hold MAPI information
– Database files *.stm (Exchange 2000/2003; dropped in later versions)
• Hold non-MAPI (streaming Internet content) information
Examining Microsoft E-mail Server Logs (continued)

• Transaction logs
– Keep track of changes to the e-mail databases
• Checkpoint files
– Keep track of which transaction logs have been committed to the database
• Temporary files
• E-mail communication logs
– res#.log (reserved log files, e.g. res1.log and res2.log, held back so logging can continue when the disk fills)
• Tracking.log
– Message tracking log: records each message's path through the server
Examining Microsoft E-mail Server Logs (continued)

• Troubleshooting or diagnostic log
– Logs events
– Use Windows Event Viewer
– Open the Event Properties dialog box for more details about an event
Using Specialized E-mail Forensics
Tools
• Tools include:
– AccessData’s Forensic Toolkit (FTK)
– ProDiscover Basic
– FINALeMAIL
– Sawmill-GroupWise
– DBXtract
– Fookes Aid4Mail and MailBag Assistant
– Paraben E-Mail Examiner
– Ontrack Easy Recovery EmailRepair
– R-Tools R-Mail
Using Specialized E-mail Forensics Tools (continued)

• Tools allow you to find:
– E-mail database files
– Personal e-mail files
– Offline storage files
– Log files
• Advantage
– The tool handles each vendor's storage format, so you need less detailed knowledge of how a specific e-mail server or client stores its data
Using Specialized E-mail Forensics Tools (continued)

• FINALeMAIL
– Scans e-mail database files
– Recovers deleted e-mails
– Searches the computer for other files associated with e-mail
Using AccessData FTK to Recover E-mail
• FTK
– Can index data on a disk image or an entire drive for faster data retrieval
– Filters and finds files specific to e-mail clients and servers
• To recover e-mail from Outlook and Outlook Express
– AccessData integrated dtSearch
• dtSearch builds a b-tree index of all text data in a drive, an image file, or a group of files
Using a Hexadecimal Editor to Carve E-mail Messages

• Very few vendors have products for analyzing e-mail in systems other than Microsoft
• mbox format
– Stores e-mails in flat plaintext files, one after another, each introduced by a "From " separator line
• Multipurpose Internet Mail Extensions (MIME) format
– The standard structure of a message (headers, body parts, attachments); vendor-specific e-mail stores such as Microsoft .pst or .ost wrap messages in their own proprietary container
• Example: carve e-mail messages from Evolution
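What the hex-editor walk-through does by hand, scanning for the "From " separator and cutting at the next boundary, can be scripted. The following is an added example, not code from the presentation: it carves mbox-style messages (the format Evolution and other UNIX clients use) out of a constructed byte buffer that stands in for an image of slack or unallocated space, with junk bytes around two messages. The boundary rule (stop at the next separator or at the first non-text byte) is a stated simplification for 7-bit messages; 8-bit bodies would need the separator-only rule.

```python
"""Carve mbox-style messages out of a raw byte buffer (e.g. an image of
unallocated space), the job the presentation does by hand in a hex editor.
Added example, not from the presentation.  The buffer below is constructed:
two messages in mbox format sandwiched between junk bytes."""
import re
from email import message_from_bytes, policy

# Constructed "disk image" (not real data): filler around two mbox records.
FILLER = b"\x00\xff" * 16 + b"not a message, just slack space\n"
MSG1 = (b"From alice@example.com Tue Mar 12 14:25:01 2013\n"
        b"From: alice@example.com\n"
        b"To: bob@example.org\n"
        b"Subject: lunch\n"
        b"Message-ID: <alice-001@example.com>\n"
        b"\n"
        b"Noon works.\n"
        b"\n")
MSG2 = (b"From security@bank.example.org Tue Mar 12 14:22:27 2013\n"
        b"From: \"Bank Security\" <security@bank.example.org>\n"
        b"To: ceo@victim.example\n"
        b"Subject: Urgent: verify your account\n"
        b"Message-ID: <20130312142229.abc123@mx1.example.com>\n"
        b"\n"
        b"Please confirm your credentials.\n"
        b"\n")
IMAGE = FILLER + MSG1 + b"\x00" * 40 + FILLER + MSG2 + b"\xde\xad\xbe\xef" * 8

# An mbox record starts at the beginning of a line with "From " (space, not
# colon), the envelope sender and a timestamp.  "From:" header lines do not
# match because of the colon.
SEPARATOR = re.compile(rb"(?m)^From \S+ [^\n]*\n")
# Simplification (assumption): a message ends at the first byte that is not
# printable ASCII or whitespace.  8-bit bodies would need the next-separator
# rule only.
TEXT_BYTES = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def carve_mbox(buf):
    """Return carved messages with their offset, length and key headers."""
    starts = [m.start() for m in SEPARATOR.finditer(buf)]
    carved = []
    for i, start in enumerate(starts):
        limit = starts[i + 1] if i + 1 < len(starts) else len(buf)
        end = start
        while end < limit and buf[end] in TEXT_BYTES:
            end += 1
        record = buf[start:end]
        sep_line, _, body = record.partition(b"\n")
        msg = message_from_bytes(body, policy=policy.default)
        if not msg.get("From") and not msg.get("Message-ID"):
            continue  # looked like a separator but no header block follows
        carved.append({
            "offset": start,
            "length": end - start,
            "envelope": sep_line.decode("ascii", "replace"),
            "from_addr": msg["From"].addresses[0].addr_spec if msg["From"] else None,
            "message_id": str(msg["Message-ID"]),
            "subject": str(msg["Subject"]),
            "body": msg.get_content().strip(),
        })
    return carved


if __name__ == "__main__":
    for item in carve_mbox(IMAGE):
        print(f"@{item['offset']:#x} len={item['length']} "
              f"{item['from_addr']} {item['message_id']}: {item['subject']}")
```

Record the offset and length of every carved message: they are what you will cite when showing where on the medium the message was recovered, and they let another examiner repeat the carve against the same image.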
Summary

• E-mail fraudsters use phishing and spoofing scam techniques
• Send and receive e-mail via the Internet or a LAN
– Both environments use client/server architecture
• E-mail investigations are similar to other kinds of investigations
• Access the victim's computer to recover evidence
– Copy and print the e-mail message involved in the crime or policy violation
• Find e-mail headers
Summary (continued)

• Investigating e-mail abuse
– Be familiar with how e-mail servers and clients operate
• Check
– E-mail message files, headers, and server log files
• Currently, only a few forensics tools can recover deleted Outlook and Outlook Express messages
• For e-mail applications that use the mbox format, a hexadecimal editor can be used to carve messages manually
Summary (continued)

• Advanced tools are available for recovering deleted Outlook files
QUESTIONS ? DOUBTS ?
THANK YOU
