SCI4201 Lecture 11 - Email Social Media Investigations

The document discusses the role of email in digital forensics, highlighting the increase in email-related crimes such as phishing and spoofing, and the importance of investigating email headers and protocols. It also covers the examination of email messages, the use of specialized forensic tools, and the application of digital forensics to social media investigations. Additionally, it emphasizes the need for legal considerations, such as warrants, when accessing social media data.

Uploaded by

Tony Ndlovu

Digital Forensics

Lecture 11
Email & Social Media Investigations
Exploring the Role of E-mail in Investigations
• An increase in e-mail scams and fraud attempts using phishing or spoofing
• Phishing e-mails contain links to a Web page
– Attempts to get personal information (credentials, card numbers) from the reader
• Pharming: DNS poisoning takes the user to a fake site even when the correct address is typed
• Spoofed e-mail (a forged From: address) can be used to commit fraud
• Investigators can use the Enhanced/Extended Simple Mail Transfer Protocol (ESMTP) ID in the message's header to check the legitimacy of an e-mail
– Each relay stamps its ESMTP ID into the Received: line it adds; the ID can be matched against that relay's own logs, so a Received: line with no matching log entry points to a forged header
Exploring the Roles of the Client and Server in E-mail
• E-mail can be sent and received in two environments
– Internet and Intranet (an internal network)
• Client/server architecture
– The server OS and e-mail software differ from those on the client side
Exploring the Roles of the Client and Server in E-mail (Cont.)
• Protected accounts
– User_Name@Domain_Name
– Require a username and password
• Tracing Intranet e-mails is easier
– Internet e-mails don't always use standard naming schemes, and users do not always use their true identities
• E-mail service hosted in the cloud
– Adds a layer of complexity: the message store and the logs sit with the provider, so obtaining them depends on the provider's process and on a legal request
Investigating E-mail Crimes and Violations
• Goals
– Find who is behind the crime
– Collect the evidence
– Present your findings
– Build a case
• Know the applicable privacy laws for your jurisdiction
– Whether an e-mail act is a crime depends on the city, state, or country
• Example: spam may not be a crime in some states
• Examples of crimes involving e-mail
– Narcotics trafficking, extortion, sexual harassment and stalking, fraud, child abductions and pornography, terrorism
E-mail Message Components
• Header (RFC 2822, since superseded by RFC 5322)
– Source and destination address information
– Date and time information
– Trace fields (Received:) added by each relay the message passed through
• Body
– Contents of the message
• Attachments
– External data that travels along with the message, carried as MIME parts
RFC 2822 Specifications for E-mail Headers
E-mail Header Fields (RFC 3864)
E-mail Protocols
• Simple Mail Transfer Protocol (SMTP)
– Used to send e-mail from a client to a mail server, and between servers
– Typically operates on port 25 (server to server) or 587 (client submission); port 465 carries SMTP over implicit TLS
• Post Office Protocol version 3 (POP3)
– Used to receive e-mail
– Operates on port 110, or 995 over TLS
– Designed to delete e-mail on the server as soon as the user downloads it (many clients can be set to leave a copy on the server)
• Internet Message Access Protocol (IMAP)
– Used to receive e-mail
– Operates on port 143, or 993 over TLS
– The user views e-mail on the server and decides whether to download it; e-mail is retained on the server
• For the investigator this decides where the evidence lives: with POP3 it is on the client machine, with IMAP it is on the server (plus any synchronized client cache)
E-mail Protocol Process
• Outbound e-mail: User → (SMTP) → Server → (SMTP) → Internet
• Inbound e-mail: Internet → (SMTP) → Server → (POP3/IMAP) → User
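The outbound exchange described above, as an added example that is not part of the lecture: an in-process simulation of a client talking to an SMTP relay, with both sides' messages, showing where the envelope sender (MAIL FROM), the header From: and the Received: line the relay stamps (carrying its ESMTP id) diverge in a spoofed message. The relay name, client IP, clock and ESMTP id format are assumed values, not taken from any real MTA.

```python
"""Added example, not from the lecture: an in-process simulation of the
outbound SMTP exchange above, with both sides' messages, showing where the
envelope sender (MAIL FROM), the header From: and the relay's Received:
stamp with its ESMTP id diverge in a spoofed message. Relay name, client
IP, clock and the ESMTP id format are assumed values."""
import re
from datetime import datetime, timezone

MAIL_RE = re.compile(r"^FROM:\s*<([^>]*)>", re.I)
RCPT_RE = re.compile(r"^TO:\s*<([^>]*)>", re.I)


class MiniSmtpRelay:
    """Just enough of an SMTP relay (EHLO, MAIL, RCPT, DATA, QUIT) to queue
    one message. No sockets: feed it a client line, get the reply back."""

    def __init__(self, hostname="relay.example.net", client_ip="198.51.100.23"):
        self.hostname, self.client_ip = hostname, client_ip
        self.helo, self.mail_from, self.rcpt_to = None, None, []
        self.in_data, self.data_lines = False, []
        self.queue = []            # messages accepted for delivery
        self._next_id = 0x1A2B3C   # assumed: relay issues ESMTP ids as a hex counter

    def _received_line(self, esmtp_id):
        """The trace header a relay prepends (RFC 5321 section 4.4)."""
        when = datetime(2024, 3, 5, 9, 41, 7, tzinfo=timezone.utc)  # assumed fixed clock
        return (f"Received: from {self.helo} ([{self.client_ip}])\r\n"
                f"\tby {self.hostname} with ESMTP id {esmtp_id}\r\n"
                f"\tfor <{self.rcpt_to[0]}>; {when:%a, %d %b %Y %H:%M:%S} +0000")

    def handle(self, line):
        """Process one client line; return the server reply, or None for data lines."""
        if self.in_data:
            if line != ".":
                # dot-unstuffing: a data line sent as ".." stands for "."
                self.data_lines.append(line[1:] if line.startswith("..") else line)
                return None
            self.in_data = False
            self._next_id += 1
            esmtp_id = f"{self._next_id:X}"
            self.queue.append({
                "esmtp_id": esmtp_id,
                "mail_from": self.mail_from,
                "rcpt_to": list(self.rcpt_to),
                "message": self._received_line(esmtp_id) + "\r\n" + "\r\n".join(self.data_lines),
            })
            self.mail_from, self.rcpt_to, self.data_lines = None, [], []
            return f"250 2.0.0 Ok: queued as {esmtp_id}"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.helo = arg.strip()   # unverified: whatever the client claims to be
            return f"250 {self.hostname} Hello {self.helo} [{self.client_ip}]"
        if verb == "MAIL":
            m = MAIL_RE.match(arg)
            if self.helo is None:
                return "503 5.5.1 Error: send HELO/EHLO first"
            if not m:
                return "501 5.5.4 Syntax: MAIL FROM:<address>"
            self.mail_from = m.group(1)
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            m = RCPT_RE.match(arg)
            if self.mail_from is None:
                return "503 5.5.1 Error: need MAIL command"
            if not m:
                return "501 5.5.4 Syntax: RCPT TO:<address>"
            self.rcpt_to.append(m.group(1))
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def run_spoofed_session():
    """Client side of the exchange: the header From: claims to be a bank while
    the envelope sender is a bulk-mail account. Returns (transcript, queued)."""
    relay = MiniSmtpRelay()
    client_lines = [
        "EHLO mail.bank-example.com",                          # claimed HELO name
        "MAIL FROM:<bulk@cheap-hosting-example.net>",          # envelope sender -> Return-Path
        "RCPT TO:<bob@victim-example.org>",
        "DATA",
        'From: "Bank Security" <security@bank-example.com>',   # header From: is just message text
        "To: bob@victim-example.org",
        "Subject: Verify your account",
        "",
        "Please confirm your details at the link below.",
        "..hidden line that starts with a dot",
        ".",
        "QUIT",
    ]
    transcript = []
    for line in client_lines:
        reply = relay.handle(line)
        transcript.append(("C", line))
        if reply is not None:
            transcript.append(("S", reply))
    return transcript, relay.queue[0]
```

Running `run_spoofed_session()` and printing the transcript shows the point the slide makes about spoofing: the relay never checks that the HELO name or the header From: belong to the connecting client; the only facts it records are the client's IP address, the envelope sender and its own ESMTP id, and those are what the Received: line preserves for the investigator.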
Examining E-mail Messages
• Access the victim's computer or mobile device to recover the evidence
• Using the victim's e-mail client
– Find and copy evidence in the e-mail
• You may have to recover deleted e-mails
• Open and copy the e-mail including its headers
– Access protected or encrypted material
– Print the e-mails
• Copying an e-mail message
– Before you start an e-mail investigation
• You need to copy and print the e-mail involved in the crime or policy violation
– You might also want to forward the message as an attachment to another e-mail address (forwarding inline creates a new message with new headers; forwarding as an attachment preserves the original message and its headers)
Examining E-mail Messages
• With many GUI e-mail programs, you can copy an e-mail by dragging it to a storage medium
– Or by saving it in a different location
• For copying from Outlook or Outlook Express
– Open File Explorer and navigate to a USB drive
– Start Outlook, click the folder in the Mail folder pane (e.g., Inbox)
– Click the message(s) and drag the message(s) to the USB drive icon in File Explorer
Viewing E-mail Headers
• Investigators should learn how to find e-mail headers in GUI clients or Web-based clients
• After you open e-mail headers, copy and paste them into a text document
– So that you can read/search them with a text editor
• Become familiar with as many e-mail programs as possible
– Often more than one e-mail program is installed
Outlook E-mail Headers
• Outlook
– Double-click the message and then click File, Properties
– Copy the headers
– Paste them into any text editor
– Save the document as OutlookHeade [Link] in your work folder
AOL/Yahoo E-mail Headers
• AOL
– Click the Options link, click E-mail Settings
– Click the Always show full headers check box (Save settings)
– Click Back to E-mail
• Yahoo
– Click Inbox to view a list of messages
– Above the message window, click More and click View Full Header
– Copy and paste the headers to a text file
Find Gmail Headers
View Gmail Headers
Examining E-mail Headers
• Headers contain useful information
– The main piece of information you're looking for is the originating e-mail's IP address, read from the Received: lines (the bottom-most Received: line is the earliest hop, and the ones added before the message reached a server you control may be forged)
– Date and time the message was sent
– Filenames of any attachments
– Unique message number (Message-ID, if supplied)
Examining Additional E-mail Files
• E-mail messages are saved on the client side
or left at the server
• Microsoft Outlook uses .pst and .ost files
• Most e-mail programs also include an electronic
address book, calendar, task list, and memos
• In Web-based e-mail
– Messages are displayed and saved as Web pages in
the browser’s cache folders
– Many Web-based e-mail providers also offer instant
messaging (IM) services
View Apple Mail E-mail Headers
1. Open Apple Mail.
2. Click on the message for which you want to view headers.
3. Go to the View menu.
4. Select Message, then Long Headers.
The remaining steps on this slide appear to describe a different, Web-based client rather than Apple Mail:
5. Select Inbox from the menu on the left.
6. Right-click the message for which you want to view headers and select View Message Source. The full headers will appear in the window below your Inbox.
Tracing an E-mail Message
• Determining message origin is referred to as "tracing"
• Contact the administrator responsible for the sending server
• Use a registry site to find the point of contact:
– [Link]
– [Link]
– [Link]
• Verify your findings by checking network e-mail logs against the e-mail addresses
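The tracing step, as an added example that is not part of the lecture: it walks the Received: chain of a captured message bottom-up (transit order), pulling out each relay's ESMTP id, IP address and timestamp, plus the Message-ID and attachment names listed on the "Examining E-mail Headers" slide, and applies the spoofing check from the first slide by comparing the Return-Path domain to the From: domain. The message is constructed; every host name, address and IP in it is an assumed value, and `trusted_domain` stands for the domain of the mail servers the investigator controls.

```python
"""Added example, not from the lecture: tracing a captured message by
walking its Received: chain bottom-up (transit order), pulling out each
relay's ESMTP id, IP address and timestamp, plus the Message-ID and
attachment names. The message is constructed; every host name, address
and IP in it is an assumed value."""
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

SAMPLE = """Return-Path: <bulk@cheap-hosting-example.net>
Received: from mx1.victim-example.org (localhost [127.0.0.1])
    by mailstore.victim-example.org with ESMTP id 7F00C1
    for <bob@victim-example.org>; Tue, 05 Mar 2024 09:41:09 +0000
Received: from mail.bank-example.com (unknown [198.51.100.23])
    by mx1.victim-example.org with ESMTP id 1A2B3D
    for <bob@victim-example.org>; Tue, 05 Mar 2024 09:41:07 +0000
Received: from [10.0.0.5] (helo=desktop)
    by mail.bank-example.com with ESMTPA id 0001;
    Tue, 05 Mar 2024 09:40:59 +0000
From: "Bank Security" <security@bank-example.com>
To: bob@victim-example.org
Subject: Verify your account
Date: Tue, 05 Mar 2024 09:40:58 +0000
Message-ID: <20240305094058.0001@cheap-hosting-example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Please open the attached invoice.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"from\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)(?P<rest>.*)", re.S)


def parse_received(value):
    """Split one Received: value into HELO name, IP, relay, ESMTP id and time."""
    head, _, date = value.rpartition(";")          # the date follows the last ';'
    m = HOP_RE.match(" ".join(head.split()))        # collapse folding whitespace
    if not m:
        return None
    ip = IPV4.search(m["from"])
    esmtp = re.search(r"\bid\s+([^\s;]+)", m["rest"])
    return {
        "helo": m["from"].split()[0],
        "ip": ip.group(1) if ip else None,
        "by": m["by"],
        "id": esmtp.group(1) if esmtp else None,
        "time": parsedate_to_datetime(date.strip()),
    }


def analyze(raw, trusted_domain):
    """Return the transit-ordered hops plus the originating IP as seen by the
    first relay in trusted_domain. Received: lines below that hop were written
    by systems the sender controls and may be forged, so they are reported
    but not relied on for the originating address."""
    msg = message_from_string(raw, policy=policy.default)
    # headers are prepended, so reversing the list gives first hop -> last hop
    hops = [parse_received(str(h)) for h in reversed(msg.get_all("Received", []))]
    hops = [h for h in hops if h]
    origin = next((h for h in hops if h["by"].endswith("." + trusted_domain)), None)
    mail_from = parseaddr(str(msg.get("Return-Path", "")))[1]
    hdr_from = parseaddr(str(msg.get("From", "")))[1]
    return {
        "hops": hops,
        "originating_ip": origin["ip"] if origin else None,
        "first_trusted_esmtp_id": origin["id"] if origin else None,   # match against that relay's log
        "message_id": str(msg.get("Message-ID", "")).strip(),
        "date": parsedate_to_datetime(str(msg["Date"])),
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
        "return_path_mismatch": mail_from.split("@")[-1] != hdr_from.split("@")[-1],
    }


if __name__ == "__main__":
    r = analyze(SAMPLE, "victim-example.org")
    for i, h in enumerate(r["hops"]):
        print(f"hop {i}: {h['helo']} [{h['ip']}] -> {h['by']} id={h['id']} at {h['time']:%H:%M:%S}")
    print("originating IP (per first trusted relay):", r["originating_ip"])
    print("Message-ID:", r["message_id"], "attachments:", r["attachments"])
    print("Return-Path domain differs from From: domain:", r["return_path_mismatch"])
```

The ESMTP id reported for the first trusted hop is the value to look up in that relay's log, and the originating IP is the one to take to the registry lookup and the sending server's administrator; the hop below it (the [10.0.0.5] line) is whatever the sender's own server chose to write.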
Using Network E-mail Logs
• Router logs
– Record incoming and outgoing traffic (where logging is enabled)
– Have rules to allow or disallow traffic
– You can reconstruct the path a transmitted e-mail has taken
• Firewall logs
– Filter e-mail traffic
– Verify whether the e-mail passed through: look for a connection from the sending IP to the mail server's SMTP port at the time stamped in the Received: header
• You can use any text editor or specialized tools
Using Network E-mail Logs
Understanding E-mail Servers
• An e-mail server is loaded with software that uses e-mail protocols for its services
– And maintains logs you can examine and use in your investigation
• E-mail storage uses a database or a flat file system
• Logs
– Some servers are set up to log e-mail transactions by default; others have to be configured to do so
Understanding E-mail Servers
• E-mail logs generally identify the following:
– E-mail messages an account received
– Sending IP address
– Receiving and reading date and time
– E-mail content
– System-specific information
• Contact the suspect's network e-mail administrator as soon as possible
– Logs are rotated and overwritten on a schedule; ask for them to be preserved
• Servers can recover deleted e-mails
– Similar to the deletion of files on a hard drive: the message data stays in the store until it is overwritten
UNIX E-mail Server Logs
• UNIX e-mail servers: Postfix and Sendmail
• /etc/[Link]: Configuration file for Sendmail
• /etc/[Link]: Specifies how and which events Sendmail logs
• Postfix has two configuration files
– master.cf and [Link] (found in /etc/postfix)
• /var/log/maillog
– Records SMTP, POP3, and IMAP4 communications
• Contains an IP address and time stamp that you can compare with the e-mail the victim received
• /var/log: Default location for storing log files
– An administrator can change the log location
– Use the find or locate command to find them
• Check UNIX man pages for more information
Microsoft E-mail Server Logs
• Microsoft Exchange Server (Exchange)
– Uses a database based on the Microsoft Extensible Storage Engine (ESE)
• Most useful files in an investigation:
– .edb database files, checkpoint files, and temporary files
• Information Store files
– Database files *.edb
• Responsible for MAPI information
• Transaction logs
– Keep track of changes to its data
• Checkpoints
– Mark the last point at which the database was written to disk
Microsoft E-mail Server Logs
• Temporary files
– Created to prevent loss when the server is busy converting binary data to readable text
• To retrieve log files created by Exchange
– Use the Windows PowerShell script GetTransactionLogStats.ps1 -Gather
• [Link]
– An Exchange server log that tracks messages (the message tracking log)
• Another log used for investigating the Exchange environment is the troubleshooting log
– Use Windows Event Viewer to read the log
Microsoft E-mail Server Logs
Using Specialized E-mail Forensics Tools
• Tools include:
– DataNumen for Outlook and Outlook Express
– FINALeMAIL for Outlook Express and Eudora
– Sawmill for Novell GroupWise
– DBXtract for Outlook Express
– Fookes Aid4Mail and MailBag Assistant
– Paraben E-Mail Examiner
– AccessData FTK for Outlook and Outlook Express
– Ontrack Easy Recovery EmailRepair
– R-Tools R-Mail
– OfficeRecovery's MailRecovery
Using Specialized E-mail Forensics Tools
• Tools allow you to find:
– E-mail database files
– Personal e-mail files
– Offline storage files
– Log files
• Advantage of using data recovery tools
– You don't need to know how e-mail servers and clients work to extract data from them
– You still need to validate what the tool reports against the raw headers and logs before relying on it
Using Specialized E-mail Forensics Tools
• After you compare e-mail logs with messages, you should verify the:
– E-mail account, message ID, IP address, and date and time stamp to determine whether there's enough evidence for a warrant
• With some tools
– You can scan e-mail database files on a suspect's Windows computer, locate any e-mails the suspect has deleted, and restore them to their original state
Using OSForensics to Recover E-mail
• OSForensics
– Indexes data on a disk image or an entire drive for faster data retrieval
– Filters or finds files specific to e-mail clients and servers
Using a Hex Editor to Carve E-mail Messages
• Very few vendors have products for analyzing e-mail in systems other than Microsoft
• mbox format
– Stores e-mails in flat plaintext files, one after another, each introduced by a "From " separator line
• Multipurpose Internet Mail Extensions (MIME) format
– Message bodies and attachments are MIME-encoded; inside proprietary stores such as Microsoft .pst or .ost the surrounding structure is binary, so a hex editor search keys on recognizable header fields and MIME boundary strings rather than on an mbox layout
• Example: carve e-mail messages from Evolution
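The carving step, as an added example that is not part of the lecture: it does in code what the hex-editor exercise does by hand, locating mbox "From " separator lines in a raw byte blob (such as an unallocated-space dump or a damaged Evolution mbox file), handing each slice to the standard e-mail parser, and flagging a message whose body was cut off. The blob is constructed, including the leading junk bytes and the truncated third message; every address and subject in it is assumed.

```python
"""Added example, not from the lecture: carving mbox-style messages from a
raw byte blob (an unallocated-space dump or a damaged Evolution mbox file)
by locating "From " separator lines, then reading each message's headers
with the standard email parser and flagging messages whose body was cut
off. The blob is constructed; all addresses and subjects are assumed."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# mbox separator: "From " at the start of a line, an envelope address, then a ctime-style date.
FROM_LINE = re.compile(rb"(?:^|\n)From (\S+) (\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\r?\n")

BLOB = (
    b"\x00\x00\xffGARBAGE\x01\x02 unallocated bytes before the first message \xff\xfe\n"
    b"From ann@partner-example.com Tue Mar  5 09:40:12 2024\n"
    b"From: ann@partner-example.com\nTo: bob@victim-example.org\n"
    b"Subject: Q1 figures\nMessage-ID: <a1@partner-example.com>\n\n"
    b"Figures attached.\n\n"
    b"From bulk@cheap-hosting-example.net Tue Mar  5 09:41:07 2024\n"
    b'From: "Bank Security" <security@bank-example.com>\nTo: bob@victim-example.org\n'
    b"Subject: Verify your account\nMessage-ID: <20240305094058.0001@cheap-hosting-example.net>\n\n"
    b"Please confirm your details.\n>From a body line the mbox writer escaped\n\n"
    b"From carol@victim-example.org Tue Mar  5 11:02:44 2024\n"
    b"From: carol@victim-example.org\nTo: bob@victim-example.org\n"
    b"Subject: re: lunch\nMessa"   # dump ends mid-header: message truncated
)


def carve_mbox(blob):
    """Return one record per message found between "From " separators, in
    file order. A record is complete only if its header block ends with the
    blank line RFC 5322 requires before the body; otherwise the parser
    registers a MissingHeaderBodySeparatorDefect and we keep what it got."""
    records = []
    seps = list(FROM_LINE.finditer(blob))
    for i, sep in enumerate(seps):
        start = sep.end()
        end = seps[i + 1].start() if i + 1 < len(seps) else len(blob)
        chunk = blob[start:end]
        complete = b"\n\n" in chunk or b"\r\n\r\n" in chunk
        msg = message_from_bytes(chunk, policy=policy.default)
        envelope_from = sep.group(1).decode("ascii", "replace")
        header_from = parseaddr(str(msg.get("From", "")))[1]
        records.append({
            "offset": blob.index(b"From ", sep.start()),   # byte offset of the separator
            "envelope_from": envelope_from,
            "envelope_date": sep.group(2).decode("ascii", "replace"),
            "from": header_from,
            "subject": str(msg.get("Subject", "")),
            "message_id": str(msg.get("Message-ID", "")).strip(),
            "body": msg.get_content() if complete else "",
            "complete": complete,
            # envelope sender domain differing from the header From: domain is a spoofing indicator
            "envelope_mismatch": envelope_from.split("@")[-1] != header_from.split("@")[-1],
        })
    return records


if __name__ == "__main__":
    for r in carve_mbox(BLOB):
        state = "complete" if r["complete"] else "TRUNCATED"
        print(f"@{r['offset']:>5} {state:9} {r['envelope_from']} -> {r['subject']!r} "
              f"id={r['message_id']} mismatch={r['envelope_mismatch']}")
```

Two details matter when doing this by hand in a hex editor as well: a body line beginning with "From " is escaped as ">From " by mbox writers, so only an unescaped "From " at the start of a line is a separator, and a slice with no blank line after its headers is a partial message whose body offset should be recorded but whose content cannot be claimed complete.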
Recovering Outlook Files
• You may need to reconstruct .pst files and messages
• Deleted .pst files can be partially or completely recovered with forensics tools
• *[Link] recovery tool
– Comes with Microsoft Office (?)
– Can repair .ost files as well as .pst files
• SysTools plug-in for Outlook e-mail
– SysTools Outlook Explorer for EnCase and others
• DataNumen Outlook Repair
– One of the better e-mail recovery tools
– Can recover files from VMware and Virtual PC images
E-mail Case Studies
• In the Enron case, more than 10,000 e-mails contained the following personal information:
– 60 containing credit card numbers
– 572 containing thousands of Social Security or other identity numbers
– 292 containing birth dates
– 532 containing information of a highly personal nature
• Such as medical or legal matters
Applying Digital Forensics to Social Media
• Online social networks (OSNs) are used to conduct business, brag about criminal activities, raise money, and hold class discussions
• Social media can contain:
– Evidence of cyberbullying and witness tampering
– A company's position on an issue
– Whether intellectual property rights have been violated
– Who posted information and when
Applying Digital Forensics to Social Media (Cont.)
• Social media can often substantiate a party's claims
• OSNs involve multiple jurisdictions that might even cross national boundaries
• A warrant or subpoena is needed to access social media servers
• In cases involving imminent danger, law enforcement can file emergency requests with the provider
Forensics Tools for Social Media Investigations
• Manual screen capture / video capture / image format
– Print Screen
– SnagIt
• Temporary Internet files
– Web browsing artifacts
– Temporary pictures
• Residual data / unallocated space
– Deleted data (Temporary Internet Files)
– Partial Web pages
• New software tools
– X1 Social Discovery (vendor description): industry's first investigative solution specifically designed to enable eDiscovery and computer forensics professionals to effectively address social media content. X1 Social Discovery provides a platform to collect, authenticate, search, review and produce electronically stored information (ESI) from popular social media sites, such as Facebook, Twitter and LinkedIn.
Forensics Tools for Social Media Investigations
• Software for social media forensics is being developed
– Not many tools are available now
• There are questions about how the information these tools gather can be used in court or in arbitration
• Using social media forensics software might also require getting the permission of the people whose information is being examined
Thank you!