Email and Internet Evidence



Email and Internet Evidence
Mark Pollitt
Associate Professor,
Engineering Technology
Web 1.0 Technologies
• Technologies
– Email
– Web
– Skype
– IM
• Web 1.0 because:
– Static content
– Application standards
– Client based
Forensics on Web 1.0 Technologies
• Focus on two elements:
– The application
– The data
• Looking for:
– The content
– The connections
Applications
• Developers need to build three things into
communications applications:
– User interface
– Data processing/storage
– Communications protocols
• Multiple Applications can share a common
protocol
– Outlook, Thunderbird, Zimbra
– Hotmail, Yahoo, Gmail
Web Browsers
• All share HTML
• Some support other technologies:
– ActiveX, Flash, XML, etc.
• All store a cache of recent files and a history
– Most store those differently
– Usually, it takes a specific tool to look at browser
histories
• Both the documented Internet history and the
reconstructed web pages are important evidence
Doing Browser Forensics
• Know how the browser stores data
• Know the location of the data
• Have a tool that can read that data
• Great resources:
http://www.symantec.com/connect/articles/webbrowser-forensics-part-1
http://www.symantec.com/connect/articles/webbrowser-forensics-part-2
Email
• Very simple in concept:
– Client/Server
– SMTP protocol
• Two basic interfaces:
– Web mail (Hotmail, Yahoo, Gmail)
– Client based (POP, IMAP, SMTP)
– Some support both
• Features vary by client
Email Clients
• Like Browsers, they share some features:
– Communications protocols (POP, IMAP, SMTP, etc.)
– User Interface
– Storage – usually some form of database
Internet History Browsers
• NirSoft – IEHistoryView / MozillaCacheView
• SecurityXploded – Browser History Spy
• SQLite viewer – Firefox (history lives in places.sqlite)
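The three steps of "Doing Browser Forensics" (know how the browser stores data, where it lives, have a tool that reads it) and the Firefox SQLite entry above come together in the following added example. It is not code from the original slides: it builds a small places.sqlite containing only the subset of Firefox's moz_places and moz_historyvisits columns the query needs (constructed data; the real schema has many more columns), opens it read-only and immutable so the evidence file is never written to, joins each visit to the visit that led to it (the referrer), and converts Firefox's PRTime microsecond timestamps to UTC. The host names, titles and visit times are assumptions for the example.

```python
"""
Added example (not from the original slides): read Firefox browsing history
from a places.sqlite database.

Firefox keeps history in SQLite. Two tables matter here:
  moz_places        one row per URL (id, url, title, visit_count, ...)
  moz_historyvisits one row per visit (place_id -> moz_places.id, visit_date,
                    from_visit -> id of the visit that led here, i.e. the referrer)
visit_date is PRTime: microseconds since the Unix epoch, UTC.

The sample database built below is constructed for the example and carries only
the columns the query uses, not the full Firefox schema.
"""
import datetime
import pathlib
import sqlite3
from typing import Dict, List


def prtime_to_utc(microseconds: int) -> datetime.datetime:
    """Convert a Firefox PRTime value (microseconds since the epoch) to a UTC datetime."""
    return datetime.datetime.fromtimestamp(microseconds / 1_000_000, tz=datetime.timezone.utc)


def build_sample_places_db(path: str) -> None:
    """Create a constructed places.sqlite with three visits, one of them reached via a referrer."""
    conn = sqlite3.connect(path)
    conn.executescript(
        """
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER, from_visit INTEGER);
        INSERT INTO moz_places VALUES
            (1, 'https://example.org/', 'Example', 1),
            (2, 'https://example.org/login', 'Login', 2),
            (3, 'https://mail.example.net/inbox', 'Inbox', 1);
        -- visit_date values are PRTime (microseconds); visit 2 was reached from visit 1
        INSERT INTO moz_historyvisits VALUES
            (1, 1, 1700000000000000, 0),
            (2, 2, 1700000060000000, 1),
            (3, 3, 1700000120000000, 0);
        """
    )
    conn.commit()
    conn.close()


def extract_history(path: str) -> List[Dict[str, object]]:
    """Return visits oldest-first with URL, title, UTC time and referrer URL.

    The file is opened through an SQLite URI with mode=ro and immutable=1, so the
    tool never writes to the evidence copy and takes no locks on it.
    """
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute(
            """
            SELECT v.id, p.url, p.title, v.visit_date, ref_p.url AS referrer
            FROM moz_historyvisits v
            JOIN moz_places p ON p.id = v.place_id
            LEFT JOIN moz_historyvisits ref_v ON ref_v.id = v.from_visit
            LEFT JOIN moz_places ref_p ON ref_p.id = ref_v.place_id
            ORDER BY v.visit_date
            """
        ).fetchall()
    finally:
        conn.close()
    return [
        {
            "visit_id": visit_id,
            "url": url,
            "title": title,
            "time_utc": prtime_to_utc(visit_date).isoformat(),
            "referrer": referrer,  # None when the visit was typed or bookmarked, not clicked
        }
        for visit_id, url, title, visit_date, referrer in rows
    ]


if __name__ == "__main__":
    import os
    import tempfile

    with tempfile.TemporaryDirectory() as workdir:
        db_path = os.path.join(workdir, "places.sqlite")
        build_sample_places_db(db_path)
        for visit in extract_history(db_path):
            print(visit)
```

Run extract_history against a copy of the suspect profile's places.sqlite, never the live file. Firefox runs the database in write-ahead-log mode, so if a places.sqlite-wal file sits next to it the newest visits may be in that file only; acquire it together with the main file, or the tail of the history will be missing from the output.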
Email Investigations
• Client Software
– Outlook
– Thunderbird
– Zimbra
• Forensic Suites
– EnCase
– FTK
• Webmail
– Use browser forensics
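Whichever client or suite holds the mailbox, the individual message is where "the content" and "the connections" are found. The following added example (not code from the original slides) parses one RFC 5322 message with Python's standard email library, pulls out the Message-ID, sender addresses and body, and walks the Received: headers bottom-up to rebuild the relay path from the originating client's IP to the mailbox. It also runs two consistency checks a practitioner would want before trusting that path: that each relay's "by" host reappears as the next hop's "from" host, and that the timestamps never run backwards. The message, addresses, host names and IDs are constructed for the example.

```python
"""
Added example (not from the original slides): pull the content identifiers and
the connection chain out of one RFC 5322 message, whichever client produced it.

Each MTA that relays a message prepends its own Received: header, so the header
block reads newest-first and reversing it gives the path from the originating
client to the mailbox. The message below is constructed for the example
(RFC 5737 documentation addresses, invented host names and IDs).
"""
import email
import email.policy
import email.utils
import re
from typing import Dict, List, Optional

SAMPLE_EML = """Return-Path: <sender@example.org>
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
    by inbox.example.net with ESMTP id x1
    for <victim@example.net>; Tue, 14 Nov 2023 22:15:10 +0000
Received: from mail.example.org (mail.example.org [203.0.113.5])
    by mx2.example.net with ESMTPS id y2;
    Tue, 14 Nov 2023 22:15:05 +0000
Received: from [192.0.2.23] (unknown [192.0.2.23])
    by mail.example.org with ESMTPSA id z3;
    Tue, 14 Nov 2023 22:14:58 +0000
From: Alice <sender@example.org>
To: victim@example.net
Subject: Invoice
Date: Tue, 14 Nov 2023 22:14:55 +0000
Message-ID: <abc123@example.org>
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
"""

# "from <host> (<comment>) ... by <host>" is the shape of nearly every Received: header.
_HOP_RE = re.compile(r"from (?P<from>\S+)(?: \((?P<info>[^)]*)\))?.*? by (?P<by>\S+)")
_IP_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def _first_ip(*fields: Optional[str]) -> Optional[str]:
    """Return the first bracketed IPv4 literal found in any of the fields."""
    for field in fields:
        match = _IP_RE.search(field or "")
        if match:
            return match.group("ip")
    return None


def parse_received(value: str) -> Dict[str, object]:
    """Parse one Received: header into sending host, relaying host, IP and timestamp."""
    flat = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
    match = _HOP_RE.search(flat)
    hop: Dict[str, object] = {"from": None, "by": None, "ip": None, "time": None}
    if match:
        hop["from"] = match.group("from")
        hop["by"] = match.group("by")
        hop["ip"] = _first_ip(match.group("from"), match.group("info"))
    if ";" in flat:  # the relay's own timestamp follows the last ';'
        try:
            hop["time"] = email.utils.parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return hop


def analyze_message(raw: str) -> Dict[str, object]:
    """Return content identifiers, the oldest-first hop chain and two consistency checks."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    hops: List[Dict[str, object]] = [
        parse_received(str(h)) for h in reversed(msg.get_all("Received", []))
    ]
    # Check 1: each relay's 'by' host should reappear as the next hop's 'from' host.
    chain_breaks = [
        f"{earlier['by']} -> {later['from']}"
        for earlier, later in zip(hops, hops[1:])
        if earlier["by"] and later["from"]
        and str(earlier["by"]).lower() != str(later["from"]).lower()
    ]
    # Check 2: timestamps should not run backwards along the chain.
    time_anomalies = [
        f"{later['by']} stamped before {earlier['by']}"
        for earlier, later in zip(hops, hops[1:])
        if earlier["time"] and later["time"] and later["time"] < earlier["time"]
    ]
    body = msg.get_body(preferencelist=("plain",))
    return {
        "message_id": str(msg["Message-ID"] or "").strip(),
        "from_addr": email.utils.parseaddr(str(msg["From"] or ""))[1],
        "return_path_addr": email.utils.parseaddr(str(msg["Return-Path"] or ""))[1],
        "date": str(msg["Date"] or ""),
        "body": body.get_content().strip() if body else None,
        "hops": hops,  # oldest first; hops[0] is the relay closest to the sender
        "origin_ip": hops[0]["ip"] if hops else None,
        "chain_breaks": chain_breaks,
        "time_anomalies": time_anomalies,
    }


if __name__ == "__main__":
    for key, value in analyze_message(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Only the Received: header added by a server you trust (your own MX, or the one closest to the mailbox) is reliable; everything below it was supplied by the sender and can be forged, which is exactly what the two checks are there to surface. For webmail, export or view the full original message first, since the browser-facing view usually hides these headers.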
Thank You for your Attention!