13. Digital Forensics

E-Mail and Webmail Forensics

Objectives

- Understand the flow of electronic mail across a network
- Explain the difference between resident e-mail client programs and webmail
- Identify the components of e-mail headers
- Understand the flow of instant messaging across the network
Introduction

E-mail has transcended social boundaries and moved from a convenient way to communicate to a corporate requirement. In many cases, unintentional and often incriminating documentation of people's activities and attitudes can be recovered through computer forensics of e-mail.
Investigating E-mail Crimes and Violations

- Similar to other types of investigations
- Goals
  - Find who is behind the crime
  - Collect the evidence
  - Build a case
  - Present your findings
Investigating E-mail Crimes and Violations (continued)

- Becoming commonplace
- Examples of crimes involving e-mail:
  - Narcotics trafficking
  - Extortion
  - Sexual harassment
  - Child abductions and pornography
In Practice: E-Mail in Senate Investigations of Finance Companies

- Financial institutions helped Enron manipulate its numbers and mislead investors
- E-mail proved that banks such as JPMorgan Chase knew very well how Enron was hiding its debt
Importance of E-Mail as Evidence

- E-mail can be pivotal evidence in a case
- Because of its informal nature, it does not always represent corporate policy, which is exactly why it often captures what people actually thought and did
- Many other cases provide examples of the use of e-mail as evidence:
  - Knox v. State of Indiana
  - Harley v. McCoach
  - Nardinelli et al. v. Chevron
Working with E-Mail

- E-mail evidence can be used by prosecutors or by the defense
- Two standard methods to send and receive e-mail:
  - Client/server applications (a resident e-mail client such as Outlook talking to a mail server)
  - Webmail (a browser talking to the provider's web interface)
Working with E-Mail (Cont.)

E-mail data flow
- The user has a client program such as Outlook or Eudora
- The client program is configured to work with one or more servers
- E-mails sent and received by the client are kept in the client's local message store on the PC (for example Sent Items and Inbox)
- A larger machine runs the server program that communicates with the Internet, where it exchanges messages with other e-mail servers (over SMTP)
Working with E-Mail (Cont.)

Sending E-Mail
1. User creates the e-mail on her client
2. User issues the send command
3. Client moves the e-mail to the Outbox
4. Client connects to the server; if it cannot connect, it keeps trying
5. Server acknowledges the client and authenticates the e-mail account
6. Client transmits the e-mail to the server
7. Server sends the e-mail on to the destination e-mail server
Working with E-Mail (Cont.)

Receiving E-Mail
1. User opens the client and logs on
2. User issues the receive command
3. Client contacts the server
4. Server acknowledges, authenticates the account, and opens the account's mailbox
5. Mail is downloaded to the local computer
6. Messages are placed in the Inbox to be read

With POP3 the messages are deleted from the server after download by default (unless the client is configured to leave a copy on the server); with IMAP the server keeps the master copy and the client works on a synchronised local cache.
Working with E-Mail (Cont.)

Working with resident e-mail files
- Users are able to work offline with e-mail
- E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized
- Begin by identifying the e-mail clients installed on the system
- You can also search by the file extensions of common e-mail clients
Working with E-Mail (Cont.)

E-Mail Client      Extension   Type of File
---------------    ---------   ---------------------------
Eudora             .mbx        Eudora message base
Outlook Express    .dbx        OE mail database
                   .dgr        OE fax page
                   .email      OE mail message
                   .eml        OE electronic mail
Outlook            .pab        Personal address book
                   .pst        Personal folder
                   .wab        Windows address book
(Continued)

Note: Outlook profiles in cached Exchange mode also keep an offline copy of the mailbox in an .ost file, which is worth collecting alongside any .pst.
Working with E-Mail (Cont.)

Popular e-mail clients:
- Outlook Express, installed by default with Windows (through Windows XP)
- Outlook, bundled with Microsoft Office
- Eudora, a popular free client
Working with Webmail

Webmail data flow
- The user opens a browser and logs in to the webmail interface
- The webmail server has already placed incoming mail in the Inbox
- The user uses the compose function followed by the send function to create and send mail
- The web client communicates behind the scenes with the webmail server to send the message
- No mailbox files are stored on the local PC; the webmail provider houses all e-mail (only fragments of rendered pages may remain in the browser cache)
Working with Webmail (Cont.)

Working with webmail files
- Entails a bit more effort to locate files
- Temporary files (the browser cache) are a good place to start
- Useful keywords for webmail programs include:
  - Yahoo! Mail: ShowLetter, ShowFolder, Compose, "Yahoo! Mail"
  - Hotmail: HoTMail, hmhome, getmsg, doattach, compose
  - Gmail: mail[#]
- These keywords come from the classic page-based interfaces of the time; modern webmail front-ends load messages via script and leave far less in the cache, so expect fewer hits on current systems
Working with Webmail (Cont.)

Type of E-Mail Protocol          POP3                            IMAP      Webmail
-------------------------------  ------------------------------  --------  ------------------------------
E-mail accessible from anywhere  No                              Yes       Yes
Remains stored on server         No (unless included in a        Yes       Yes, unless POP3 was used too
                                 backup of the server)
Dependence on Internet           Moderate                        Strong    Strong
Special software required        Yes                             Yes       No
Examining E-mail Messages

- Access the victim's computer to recover the evidence
- Using the victim's e-mail client:
  - Guide the victim on the phone if you cannot be on site
  - Find and copy the evidence in the e-mail
  - Open and copy the e-mail including its headers
- Sometimes you will have to deal with deleted e-mails
Examining E-mail Messages (continued)

Copying an e-mail message
- Before you start an e-mail investigation, you need to copy and print the e-mail involved in the crime or policy violation
- You might also want to forward the message as an attachment to another e-mail address (forwarding as an attachment preserves the original headers; forwarding inline rewrites them)
- With many GUI e-mail programs, you can copy an e-mail by dragging it to a storage medium, or by saving it in a different location (for example as an .eml or .msg file)
Examining E-mail Messages (continued)

Understanding e-mail headers
- The header records information about the sender, the receiver, and the servers the message passed through along the way
- Most e-mail clients show the header in a short form that does not reveal IP addresses
- Most programs have an option to show a long form (the "Internet headers" or "message source") that reveals the complete details
Examining E-Mails for Evidence (Cont.)

- The most common parts of the e-mail header are the logical addresses of senders and receivers
- A logical address is composed of two parts:
  - The mailbox, which comes before the @ sign
  - The domain or hostname, which comes after the @ sign
- The mailbox is generally the user ID used to log in to the e-mail server
- The domain names the Internet location of the server that accepts mail for that address (its MX record); it is where the address's mail is delivered, not necessarily the server that transmitted the message you are looking at
Examining E-Mails for Evidence (Cont.)

- Reviewing e-mail headers can offer clues to the true origin of the mail and the program used to send it
- Common e-mail header fields include:
  - Bcc
  - Cc
  - Content-Type
  - Date
  - From
  - Message-ID
  - Received
  - Subject
  - To
  - X-Priority
- Caveats: every mail server prepends its own Received field, so the topmost one was added last and the chain is read bottom-up; only the Received fields added by servers you trust are reliable, because anything below them (and From, Date and Message-ID) can be written by the sender. Bcc is normally stripped before delivery, so it is rarely present in a received copy.
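The header chain described on this slide, worked through as an added example in Python (this is not code from the slides or from any vendor tool). The message is constructed: every host name, address and IP number is a placeholder from the documentation ranges, and treating the RFC 1918 ranges as "internal" addresses is my own choice of what to flag.

```python
"""Parse raw e-mail headers and reconstruct the relay chain.

Added example for the header slides; the message is constructed and every
host, address and IP is a placeholder.
"""
import email
import ipaddress
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: From: claims bank.example, but the oldest Received:
# field shows the message was injected at relay.example.net by an
# authenticated (ESMTPA) client whose HELO leaked an internal LAN address.
SAMPLE = b"""\
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby mail.victim.example (Postfix) with ESMTPS id 7C1A2B3D
\tfor <alice@victim.example>; Tue, 02 Mar 2021 10:15:03 +0000
Received: from relay.example.net (relay.example.net [198.51.100.5])
\tby mx.example.org with ESMTP id ABC123
\tfor <alice@victim.example>; Tue, 02 Mar 2021 10:14:58 +0000
Received: from [192.168.1.50] (unknown [192.0.2.77])
\tby relay.example.net with ESMTPA; Tue, 02 Mar 2021 10:14:40 +0000
From: "Bob" <bob@bank.example>
To: alice@victim.example
Subject: Invoice
Date: Tue, 02 Mar 2021 10:14:35 +0000
Message-ID: <20210302101435.1234@bank.example>
X-Priority: 1
Content-Type: text/plain; charset="us-ascii"

Please pay the attached invoice.
"""

# "from <host> (<comment>) by <host>" is the common shape of a Received: field.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Assumption: RFC 1918 ranges are what we report as "internal" addresses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_address(header_value: str):
    """Logical address -> (mailbox before the @, domain after the @)."""
    _, addr = parseaddr(header_value)
    mailbox, _, domain = addr.partition("@")
    return mailbox, domain.lower()


def is_rfc1918(ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(ip) in net for net in RFC1918)
    except ValueError:
        return False


def parse_received(value: str) -> dict:
    """Pull from/by hosts, the peer IP the server saw, and the timestamp."""
    flat = " ".join(value.split())            # unfold continuation lines
    hop = {"from": None, "by": None, "peer_ip": None, "timestamp": None,
           "ips": IPV4_RE.findall(flat), "raw": flat}
    m = RECEIVED_RE.search(flat)
    if m:
        hop["from"], hop["by"] = m.group("from"), m.group("by")
        # The IP in the parenthesised comment is what the receiving server
        # itself observed; the HELO name before it is self-reported.
        peer = IPV4_RE.search(m.group("comment") or "")
        hop["peer_ip"] = peer.group(1) if peer else None
    if ";" in flat:
        try:
            hop["timestamp"] = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return hop


def analyze(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw)
    mailbox, domain = split_address(msg.get("From", ""))
    # Each MTA prepends its Received: field, so the top one was added last;
    # reverse to get chronological order (origin first).
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    internal = sorted({ip for h in hops for ip in h["ips"] if is_rfc1918(ip)})
    in_chain = bool(domain) and any(
        h["from"] and h["from"].lower().endswith(domain) for h in hops)
    times = [h["timestamp"] for h in hops if h["timestamp"]]
    return {
        "mailbox": mailbox,
        "domain": domain,
        "message_id": msg.get("Message-ID"),
        "hop_count": len(hops),
        # The first server to accept the message is whose logs/admin to ask.
        "first_receiving_server": hops[0]["by"] if hops else None,
        "origin_peer_ip": hops[0]["peer_ip"] if hops else None,
        "internal_ips": internal,
        "sender_domain_in_chain": in_chain,
        "transit_seconds": (times[-1] - times[0]).total_seconds() if len(times) > 1 else None,
        "hops": hops,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        if key != "hops":
            print(f"{key}: {value}")
```

The result points the investigator at relay.example.net (the first server that accepted the message, and the one whose administrator can tie the ESMTPA login to an account), records 192.0.2.77 as the peer that server saw, and notes that the claimed sender domain never appears in the relay chain. That mismatch is a lead, not proof of forgery: mail legitimately sent through a third-party provider looks the same, which is why the trace continues with the server logs.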
Viewing E-mail Headers (continued)

Outlook
- Open the Message Options dialog box
- Copy the Internet headers
- Paste them into any text editor

Outlook Express
- Open the message Properties dialog box
- Select Message Source
- Copy and paste the headers into any text editor

[Slides 25-27: screenshots of the Outlook and Outlook Express header dialogs]
Viewing E-mail Headers (continued)

Hotmail
- Demo

Apple Mail
- Click View on the menu, point to Message, and then click Long Header
- Copy and paste the headers

Yahoo
- Demo

[Slides 29-32: screenshots of the Hotmail, Apple Mail and Yahoo header views]
Examining Additional E-mail Files

- E-mail messages are saved on the client side or left on the server
- Microsoft Outlook uses a .pst file (and an .ost file for profiles in cached Exchange mode)
- Most e-mail programs also include an electronic address book
- In Web-based e-mail, messages are displayed and may be saved as Web pages in the browser's cache folders
Examining E-Mails for Evidence (Cont.)

Understanding e-mail attachments
- The MIME standard allows HTML, images and other binary content to be carried in e-mail; binary parts are encoded as 7-bit text, usually base64
- Searching for base64 (the encoded data itself, or the "Content-Transfer-Encoding: base64" header that precedes it) can find attachments in unallocated or slack space

Anonymous remailers
- Allow users to strip identifying header and IP data to maintain privacy
Tracing an E-mail Message

- Contact the administrator responsible for the sending server
- Finding a domain name's or IP address's point of contact:
  - www.arin.net, the American Registry for Internet Numbers (the other regional registries are RIPE NCC, APNIC, LACNIC and AFRINIC; use their WHOIS or RDAP lookups)
  - www.internic.net (domain registration data)
  - www.freeality.com
  - www.google.com
- Find the suspect's contact information
- Verify your findings by checking network and e-mail server logs against the e-mail addresses and IP addresses found in the headers
Using Network E-mail Logs

Router logs
- Record all incoming and outgoing traffic
- You can resolve the path a transmitted e-mail has taken

Firewall logs
- Have rules to allow or disallow traffic
- Filter e-mail traffic
- Verify whether the e-mail passed through

You can use any text editor or specialized tools to examine either kind of log

[Slide 37: screenshot of a log excerpt]
Understanding E-mail Servers

- An e-mail server maintains logs you can examine and use in your investigation
- E-mail storage:
  - Database
  - Flat file (for example mbox or Maildir)
  - Logs
Understanding E-mail Servers (continued)

Log information
- E-mail content (only where the server archives or journals messages; standard MTA logs record envelope data such as sender, recipients and queue IDs, not message bodies)
- Sending IP address
- Receiving and reading date and time
- System-specific information
- Contact the suspect's network e-mail administrator as soon as possible, because logs are rotated and overwritten
- Servers can recover deleted e-mails
  - Similar to the deletion of files on a hard drive: the message is unlinked, but its data often remains on disk until it is overwritten
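Checking a header against the sending server's log, as an added example (not from the slides). The log lines are constructed in the style of Postfix syslog output and continue the same placeholder scenario as the header example: the Message-ID from the header is looked up in the cleanup daemon's line, which yields the queue ID that every other line about that message carries. Host names, IPs, queue IDs and addresses are placeholders; the field names (client=, sasl_username=, from=, to=, relay=, status=) are Postfix's, but the lines themselves are not a real server's output.

```python
"""Correlate a Message-ID from a header with mail server log lines.

Added example for the server-log slides; LOG is constructed in Postfix's
syslog style and every host, IP, queue ID and address is a placeholder.
"""
import re

LOG = """\
Mar  2 10:14:40 relay postfix/smtpd[2101]: connect from unknown[192.0.2.77]
Mar  2 10:14:41 relay postfix/smtpd[2101]: 5F3A2C1: client=unknown[192.0.2.77], sasl_method=PLAIN, sasl_username=bob.smith
Mar  2 10:14:41 relay postfix/cleanup[2102]: 5F3A2C1: message-id=<20210302101435.1234@bank.example>
Mar  2 10:14:41 relay postfix/qmgr[1877]: 5F3A2C1: from=<bob@bank.example>, size=2048, nrcpt=2 (queue active)
Mar  2 10:14:42 relay postfix/smtp[2105]: 5F3A2C1: to=<alice@victim.example>, relay=mx.example.org[203.0.113.10]:25, delay=1.2, status=sent (250 2.0.0 Ok: queued as ABC123)
Mar  2 10:14:42 relay postfix/smtp[2105]: 5F3A2C1: to=<carol@victim.example>, relay=mx.example.org[203.0.113.10]:25, delay=1.3, status=bounced (550 5.1.1 User unknown)
Mar  2 10:14:42 relay postfix/qmgr[1877]: 5F3A2C1: removed
Mar  2 10:20:00 relay postfix/smtpd[2110]: 9A7B1D0: client=mail.other.example[198.51.100.9]
Mar  2 10:20:00 relay postfix/cleanup[2102]: 9A7B1D0: message-id=<unrelated@other.example>
"""

# Only lines tagged with a queue ID describe a message; "connect from" etc. are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"client=(?P<name>[^\[,\s]+)\[(?P<ip>[^\]]+)\]")
SASL_RE = re.compile(r"sasl_username=(\S+)")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<to>[^>]*)>, relay=(?P<relay>[^,]+),.*status=(?P<status>\w+) \((?P<detail>.*)\)")
MSGID_RE = re.compile(r"message-id=(?P<mid>\S+)")


def parse_log(text: str) -> dict:
    """Group every queue-ID-tagged line by queue ID, preserving file order."""
    by_qid = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_qid.setdefault(m["qid"], []).append(m.groupdict())
    return by_qid


def trace_message_id(text: str, message_id: str):
    """Return everything the log says about the message with this Message-ID."""
    by_qid = parse_log(text)
    qid = next((q for q, ents in by_qid.items() for e in ents
                if (mm := MSGID_RE.search(e["rest"])) and mm["mid"] == message_id), None)
    if qid is None:
        return None
    ents = by_qid[qid]
    result = {"queue_id": qid, "first_seen": ents[0]["ts"], "last_seen": ents[-1]["ts"],
              "client_name": None, "client_ip": None, "sasl_username": None,
              "sender": None, "deliveries": []}
    for e in ents:
        rest = e["rest"]
        if (m := CLIENT_RE.search(rest)):      # who connected (the evidence of origin)
            result["client_name"], result["client_ip"] = m["name"], m["ip"]
        if (m := SASL_RE.search(rest)):        # which account authenticated, if any
            result["sasl_username"] = m[1]
        if (m := FROM_RE.search(rest)):        # envelope sender (may differ from From:)
            result["sender"] = m["addr"]
        if (m := TO_RE.search(rest)):          # one line per recipient attempt
            result["deliveries"].append({"to": m["to"], "relay": m["relay"],
                                         "status": m["status"], "detail": m["detail"]})
    return result


def messages_from_ip(text: str, ip: str) -> list:
    """Queue IDs of every message the log shows arriving from a client IP."""
    return [qid for qid, ents in parse_log(text).items()
            if any((m := CLIENT_RE.search(e["rest"])) and m["ip"] == ip for e in ents)]


if __name__ == "__main__":
    print(trace_message_id(LOG, "<20210302101435.1234@bank.example>"))
```

Two things the header alone could not tell you appear here: the envelope sender and the SASL account name that authenticated to submit the message, and the outcome per recipient (one delivery succeeded and was queued at the next hop under the ID that appears in that hop's Received field; one bounced). The reverse query, every queue ID from a given client IP, is the check the previous slide describes for verifying a trace against the logs.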
Using Specialized E-mail Forensics Tools

Tools include:
- AccessData's Forensic Toolkit (FTK)
- ProDiscover Basic
- FINALeMAIL
- Sawmill-GroupWise
- DBXtract
- Fookes Aid4Mail and MailBag Assistant
- Paraben E-Mail Examiner
- Ontrack EasyRecovery EmailRepair
- R-Tools R-Mail
Using Specialized E-mail Forensics Tools (continued)

Tools allow you to find:
- E-mail database files
- Personal e-mail files
- Offline storage files
- Log files

Advantage
- You do not need to know the internal storage formats of e-mail servers and clients (you still need to understand how the mail flowed in order to interpret what the tool shows you)
Using AccessData FTK to Recover E-mail

FTK
- Can index data on a disk image or an entire drive for faster data retrieval
- Filters and finds files specific to e-mail clients and servers
Using a Hexadecimal Editor to Carve E-mail Messages

- Very few vendors have products for analyzing e-mail in systems other than Microsoft
- Example: carve e-mail messages from Evolution (a Linux client; older releases keep local mail in mbox files, newer ones in Maildir, under the user's home directory, so the signatures to look for are the mbox "From " separator line and the standard header fields)

[Slides 44-47: screenshots of the hex-editor walkthrough]
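The hex-editor carving on this slide and the base64 attachment search from the attachments slide, done programmatically as one added example in Python (not code from the slides). The IMAGE buffer is a constructed stand-in for a disk image: filler bytes, one mbox-format message with a base64 attachment, and an orphaned base64 fragment standing in for a deleted attachment left in unallocated space. It assumes classic mbox "From sender date" separator lines (as in older Evolution local folders); the 60-character minimum line length used to recognise base64 is my own heuristic, and the magic-number table is a short fixed list, not a general file identifier.

```python
"""Carve mbox-style messages and base64 attachments out of raw bytes.

Added example for the carving and attachment slides; IMAGE is constructed
and every host, address and file inside it is a placeholder.
"""
import base64
import binascii
import email
import re

# Signatures used to say what a decoded blob is (a short, fixed list).
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip/office",
    b"MZ": "pe-executable",
}
# mbox separator line (assumption: classic "From sender date" format).
MBOX_SEP = re.compile(rb"From \S+ +\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}\r?\n")
# Two or more lines of base64 alphabet; the 60-char minimum is a heuristic
# so that ordinary words and short tokens are not matched.
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{60,76}\r?\n)+[A-Za-z0-9+/]{4,76}={0,2}(?=\r?\n|$)")


def _b64_lines(data: bytes) -> bytes:
    enc = base64.b64encode(data)
    return b"\n".join(enc[i:i + 76] for i in range(0, len(enc), 76))


# Constructed contents of the "image": a message with a PDF attachment and,
# further on, an orphaned base64 run whose decoded bytes look like a PNG.
PDF_BYTES = b"%PDF-1.4\n% constructed placeholder, not a valid document\n" * 4
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 60
MESSAGE = (
    b"From bob@bank.example Tue Mar  2 10:14:35 2021\n"
    b"Return-Path: <bob@bank.example>\n"
    b"From: bob@bank.example\nTo: alice@victim.example\nSubject: Invoice\n"
    b"Message-ID: <20210302101435.1234@bank.example>\n"
    b"MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"B1\"\n\n"
    b"--B1\nContent-Type: text/plain\n\nPlease pay the attached invoice.\n"
    b"--B1\nContent-Type: application/pdf; name=\"invoice.pdf\"\n"
    b"Content-Transfer-Encoding: base64\n"
    b"Content-Disposition: attachment; filename=\"invoice.pdf\"\n\n"
    + _b64_lines(PDF_BYTES) + b"\n--B1--\n"
)
IMAGE = b"\x00" * 300 + MESSAGE + b"\xff" * 200 + _b64_lines(PNG_BYTES) + b"\n" + b"\x00" * 100


def identify(data: bytes) -> str:
    return next((name for magic, name in MAGIC.items() if data.startswith(magic)), "unknown")


def carve_messages(image: bytes) -> list:
    """Find mbox separators, parse each message, and decode its attachments."""
    starts = [m.start() for m in MBOX_SEP.finditer(image)]
    found = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(image)
        body = image[start:end].split(b"\n", 1)[1]        # drop the separator line
        msg = email.message_from_bytes(body)
        boundary = msg.get_boundary()
        if boundary:
            # Cut at the closing boundary so trailing unallocated bytes are
            # not swallowed as part of the message.
            close = body.find(b"--" + boundary.encode() + b"--")
            if close != -1:
                msg = email.message_from_bytes(body[:close + len(boundary) + 4])
        attachments = []
        for part in msg.walk():
            if part.get_content_maintype() == "multipart":
                continue
            if part.get_filename() or part.get("Content-Disposition", "").startswith("attachment"):
                payload = part.get_payload(decode=True) or b""   # undoes the base64
                attachments.append({"filename": part.get_filename(),
                                    "size": len(payload), "type": identify(payload)})
        found.append({"offset": start, "message_id": msg.get("Message-ID"),
                      "from": msg.get("From"), "attachments": attachments})
    return found


def carve_base64(image: bytes) -> list:
    """Find base64 runs anywhere, including unallocated space, and decode them."""
    runs = []
    for m in B64_RUN.finditer(image):
        try:
            data = base64.b64decode(re.sub(rb"\r?\n", b"", m.group(0)), validate=True)
        except binascii.Error:
            continue
        runs.append({"offset": m.start(), "size": len(data), "type": identify(data)})
    return runs


if __name__ == "__main__":
    print(carve_messages(IMAGE))
    print(carve_base64(IMAGE))
```

The two passes answer different questions. carve_messages recovers whole messages with their headers intact, which is what you want for a message that is still present in an mbox file or its deleted remains. carve_base64 ignores message structure entirely and is what finds the attachment of a message whose headers have already been overwritten; its offset is what you would then look at in the hex editor, and the magic-number check tells you whether the blob is worth extracting.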
Working with Instant Messaging

- Widely used IM applications (at the time of these slides) included:
  - Yahoo Messenger
  - Google Talk
- Newer versions of IM clients and servers allow logging of activity
- IM logs can be more incriminating than e-mail
Summary

- Electronic mail and instant messages can be important evidence to find
- They can provide a more realistic and candid view of a person
- Client and server programs are needed for both e-mail and IM applications
- Webmail does not leave a complete trail on the local computer
Summary (Cont.)

- It may be necessary to harvest data from a server, in which case you need to consider the following:
  - The data storage structure being used
  - Your authority to access the data
  - A realistic plan for the time and space needed to house the forensic copy of the data
Summary (Cont.)

- E-mail headers and IM logs can provide additional evidence
- Tracing IP addresses may involve searches of the international and regional registries responsible for allocating IP addresses
Summary (Cont.)

- Instant messaging, like e-mail, is a client/server-based technology
  - Due to volume, records may not be kept by providers
  - If found, they can contribute significantly to a case