Guide to Computer Forensics

and Investigations
Fourth Edition

Chapter 12
E-mail Investigations
 Objectives

• Exploring the role of e-mail in investigations

• Exploring the roles client and server roles in e-mail
• investigating e-mail crimes and violations
• Understandinge-mail server logs
• E-mail computer forensics tools
Exploring the Role of E-mail in
Investigations
 Exploring the Role of E-mail in
Investigations

• With the increase in e-mail scams and fraud

attempts with phishing or spoofing
– Investigators need to know how to examine and
interpret the unique content of e-mail messages
• Phishing e-mails are in HTML format
– Which allows creating links to text on a Web page
• One of the most noteworthy e-mail scams was 419,
or the Nigerian Scam
• Spoofing e-mail can be used to commit fraud
Munshani v. Signal Lake Venture Fund

• Munshani received an email and altered it

• But he failed to alter the ESMTP numbers which
uniquely identify each message an SMTP server
transmits
• Comparing ESMTP numbers from the server and
the spoofed email revealed the fraud
Exploring the Roles of the
Client and Server in E-mail
 Exploring the Roles of the Client and
Server in E-mail

• Send and receive e-mail in two environments

– Internet
– Controlled LAN, MAN, or WAN
• Client/server architecture
– Server OS and e-mail software differs from those on
the client side
• Protected accounts
– Require usernames and passwords
Exploring the Roles of the Client and
Server in E-mail (continued)
 Exploring the Roles of the Client and
Server in E-mail (continued)

• Name conventions
– Corporate: john.smith@somecompany.com
– Public: whatever@hotmail.com
– Everything after @ belongs to the domain name
• Tracing corporate e-mails is easier
– Because accounts use standard names the
administrator establishes
Investigating E-mail Crimes
and Violations
 Investigating E-mail Crimes and
Violations

• Similar to other types of investigations

• Goals
– Find who is behind the crime
– Collect the evidence
– Present your findings
– Build a case
 Investigating E-mail Crimes and
Violations (continued)

• Depend on the city, state, or country

– Example: spam
– Always consult with an attorney
• Becoming commonplace
• Examples of crimes involving e-mails
– Narcotics trafficking
– Extortion
– Sexual harassment
– Child abductions and pornography
 Examining E-mail Messages

• Access victim’s computer to recover the evidence

• Using the victim’s e-mail client
– Find and copy evidence in the e-mail
– Access protected or encrypted material
– Print e-mails
• Guide victim on the phone
– Open and copy e-mail including headers
• Sometimes you will deal with deleted e-mails
 Examining E-mail Messages
(continued)

• Copying an e-mail message

– Before you start an e-mail investigation
• You need to copy and print the e-mail involved in the
crime or policy violation
– You might also want to forward the message as an
attachment to another e-mail address
• With many GUI e-mail programs, you can copy an
e-mail by dragging it to a storage medium
– Or by saving it in a different location
Examining E-mail Messages
(continued)
 Viewing E-mail Headers

• Learn how to find e-mail headers

– GUI clients
– Command-line clients
– Web-based clients
• After you open e-mail headers, copy and paste them
into a text document
– So that you can read them with a text editor
• Headers contain useful information
– Unique identifying numbers, IP address of sending
server, and sending time
 Viewing E-mail Headers (continued)

• Outlook
– Open the Message Options dialog box
– Copy headers
– Paste them to any text editor
• Outlook Express
– Open the message Properties dialog box
– Select Message Source
– Copy and paste the headers to any text editor
Email Headers in Gmail

• Click “Reply” drop-down arrow,

“Show original”
Viewing E-mail Headers (continued)
 Examining E-mail Headers
• Gather supporting evidence and track suspect
– Return path
– Recipient’s e-mail address
– Type of sending e-mail service
– IP address of sending server
– Name of the e-mail server
– Unique message number
– Date and time e-mail was sent
– Attachment files information
• See link Ch 12b for an example—tracing the source of spam
 Examining Additional E-mail Files
• E-mail messages are saved on the client side or left
at the server
• Microsoft Outlook uses .pst and .ost files
• Most e-mail programs also include an electronic
address book
• In Web-based e-mail
– Messages are displayed and saved as Web pages in
the browser’s cache folders
– Many Web-based e-mail providers also offer instant
messaging (IM) services
 Tracing an E-mail Message

• Contact the administrator responsible for the sending

server
• Finding domain name’s point of contact
– www.arin.net
– www.internic.com
– www.freeality.com
– www.google.com
• Find suspect’s contact information
• Verify your findings by checking network e-mail logs
against e-mail addresses
 Using Network E-mail Logs

• Router logs
– Record all incoming and outgoing traffic
– Have rules to allow or disallow traffic
– You can resolve the path a transmitted e-mail has
taken
• Firewall logs
– Filter e-mail traffic
– Verify whether the e-mail passed through
• You can use any text editor or specialized tools
Using Network E-mail Logs
(continued)
Understanding E-mail Servers
 Understanding E-mail Servers
• Computer loaded with software that uses e-mail
protocols for its services
– And maintains logs you can examine and use in your
investigation
• E-mail storage
– Database
– Flat file
• Logs
– Default or manual
– Continuous and circular
 Understanding E-mail Servers
(continued)

• Log information
– E-mail content
– Sending IP address
– Receiving and reading date and time
– System-specific information
• Contact suspect’s network e-mail administrator as
soon as possible
• Servers can recover deleted e-mails
– Similar to deletion of files on a hard drive
Understanding E-mail Servers
(continued)
 Examining UNIX E-mail Server Logs

• /etc/sendmail.cf
– Configuration information for Sendmail
• /etc/syslog.conf
– Specifies how and which events Sendmail logs
• /var/log/maillog
– SMTP and POP3 communications
• IP address and time stamp
• Check UNIX man pages for more information
Examining UNIX E-mail Server Logs
(continued)
Examining UNIX E-mail Server Logs
(continued)
 Examining Microsoft E-mail Server
Logs

• Microsoft Exchange Server (Exchange)

– Uses a database
– Based on Microsoft Extensible Storage Engine
• Messaging Application Programming Interface
(MAPI)
– A Microsoft system that enables different e- mail
applications to work together
 Examining Microsoft E-mail Server
Logs

• The “Information Store” is made of tw0 files

– Database files *.edb
• Responsible for MAPI information
– Database files *.stm
• Responsible for non-MAPI information
 Examining Microsoft E-mail Server
Logs (continued)

• Administrators can recover lost or deleted emails

from these files:
– Transaction log
• Keep track of e-mail databases
– Checkpoints
• Marks the place in the transaction log where the last
backup was made
 Examining Microsoft E-mail Server
Logs (continued)

• Other useful files

– Temporary files
– E-mail communication logs
• res#.log
– Tracking.log
• Tracks messages
Examining Microsoft E-mail Server
Logs (continued)
 Examining Microsoft E-mail Server
Logs (continued)

• Troubleshooting or diagnostic log

– Logs events
– Use Windows Event Viewer
– Open the Event Properties dialog box for more
details about an event
Examining Microsoft E-mail Server
Logs (continued)
Examining Microsoft E-mail Server
Logs (continued)
 Examining Novell GroupWise E-mail
Logs

• Up to 25 databases for e-mail users

– Stored on the Ofuser directory object
– Referenced by a username, an unique identifier, and
.db extension
• Shares resources with e-mail server databases
• Mailboxes organizations
– Permanent index files
– QuickFinder
 Examining Novell GroupWise E-mail
Logs (continued)

• Folder and file structure can be complex

– It uses Novell directory structure
• Guardian
– Directory of every database
– Tracks changes in the GroupWise environment
– Considered a single point of failure
• Log files
– GroupWise generates log files (.log extension)
maintained in a standard log format in GroupWise
folders
Using Specialized E-mail
Forensics Tools
 Using Specialized E-mail Forensics
Tools
• Tools include:
– AccessData’s Forensic Toolkit (FTK)
– ProDiscover Basic
– FINALeMAIL
– Sawmill-GroupWise
– DBXtract
– Fookes Aid4Mail and MailBag Assistant
– Paraben E-Mail Examiner
– Ontrack Easy Recovery EmailRepair
– R-Tools R-Mail
 Using Specialized E-mail Forensics
Tools (continued)

• Tools allow you to find:

– E-mail database files
– Personal e-mail files
– Offline storage files
– Log files
• Advantage
– Do not need to know how e-mail servers and clients
work
 Using Specialized E-mail Forensics
Tools (continued)

• FINALeMAIL
– Scans e-mail database files
– Recovers deleted e-mails
– Searches computer for other files associated with e-
mail
Using Specialized E-mail Forensics
Tools (continued)
Using Specialized E-mail Forensics Tools
(continued)
 Using AccessData FTK to Recover
E-mail
• FTK
– Can index data on a disk image or an entire drive for
faster data retrieval
– Filters and finds files specific to e-mail clients and
servers
• To recover e-mail from Outlook and Outlook
Express
– AccessData integrated dtSearch
• dtSearch builds a b-tree index of all text data in a
drive, an image file, or a group of files
Using AccessData FTK to Recover
E-mail (continued)
Using AccessData FTK to Recover
E-mail (continued)
Using AccessData FTK to Recover
E-mail (continued)
 Using a Hexadecimal Editor to Carve
E-mail Messages

• Very few vendors have products for analyzing e-

mail in systems other than Microsoft
• mbox format
– Stores e-mails in flat plaintext files
• Multipurpose Internet Mail Extensions (MIME)
format
– Used by vendor-unique e-mail file systems, such as
Microsoft .pst or .ost
• Example: carve e-mail messages from Evolution
Using a Hexadecimal Editor to Carve
E-mail Messages (continued)
Using a Hexadecimal Editor to Carve
E-mail Messages (continued)
 Recovering Deleted Outlook Files

• Microsoft's Inbox Repair Tool (scanpst)

– Link Ch 12d
• EnCase
• Advanced Outlook Repair from DataNumen, Inc.
– Link Ch 12e