
Email Analysis Villanova University Department of Computing Sciences D. Justin Price Fall 2014

EMAIL ANALYSIS
- With the increase in e-mail scams and fraud attempts using phishing or spoofing, investigators need to know how to examine and interpret the unique content of e-mail messages.
- Phishing e-mails are in HTML format, which allows creating links to text on a Web page.
- One of the most noteworthy e-mail scams was 419, or the Nigerian Scam.
- Spoofing e-mail can be used to commit fraud.
- Similar to other types of investigations, the goals are:
  - Find who is behind the crime
  - Collect the evidence
  - Present your findings
  - Build a case
Villanova University Department of Computing Sciences D. Justin Price Digital Forensics - Fall 2014

EMAIL ANALYSIS
- Who? Email addresses, IP address
- When? Header timestamps. Each Mail Transfer Agent (MTA) will append a timestamp to the header.
- Where? IP addresses, domains

EMAIL ANALYSIS - Additional Artifacts
- Message body: written by the sender; signature lines. Analysis is accomplished by keyword search terms and manual review.
- Attachments: account for ~80% of email data. Attachments must be encoded (MIME / base64). Common infection point for viruses.
- Address books, calendar entries, tasks, notes

EMAIL HEADER ANALYSIS
- Email header: the envelope used by email messages to reach their destination; a transaction log of the email message.
- Traditional information: From, To, CC, BCC, Subject, Date
- More specific information: Message-ID
  - Unique ID assigned by the originating mail server
  - Logged by each receiving mail server
  - Effective search term to use when analyzing email servers to prove whether an email was sent or received

EMAIL HEADER ANALYSIS
- More specific information: Received
  - Trace the email message's path by analyzing the Received entries. The bottom-most entry is from the originating email server.
  - Documents the server's IP address, server name, timestamps and time zone.
- X-Originating-IP (X-IP) - optional
  - IP address of the device used to send the email
  - Can be spoofed if the user has access to the original MTA
- X-Mailer - optional
  - Documents the email client used to send the email message.
  - Helps determine whether the message was created from an email client or web-based.
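The following Python script is an added example (not part of the lecture slides) that walks the Received chain bottom-up the way the slide describes, pulls out Message-ID, X-Originating-IP and X-Mailer, and applies two consistency checks an examiner wants before trusting the header: hop timestamps that run backwards, and an X-Originating-IP that disagrees with the first Received hop. The sample message, its hostnames and its documentation-range IP addresses are constructed for this example.

```python
import email
import email.utils
import re

# Constructed sample message for this example (not taken from the slides).
# Three Received hops: the bottom-most one is the originating server.
RAW_MESSAGE = (
    "Received: from mx2.example-dst.test (mx2.example-dst.test [203.0.113.20])\n"
    "\tby inbox.example-dst.test with ESMTP id abc123;\n"
    "\tMon, 06 Oct 2014 14:05:10 -0400\n"
    "Received: from mail.example-src.test (mail.example-src.test [198.51.100.7])\n"
    "\tby mx2.example-dst.test with ESMTP id xyz789;\n"
    "\tMon, 06 Oct 2014 14:05:02 -0400\n"
    "Received: from [192.0.2.55] (unknown [192.0.2.55])\n"
    "\tby mail.example-src.test with ESMTPA id qrs456;\n"
    "\tMon, 06 Oct 2014 18:04:55 +0000\n"
    "Message-ID: <20141006180455.12345@mail.example-src.test>\n"
    "Date: Mon, 06 Oct 2014 14:04:50 -0400\n"
    "From: \"A. Sender\" <sender@example-src.test>\n"
    "To: recipient@example-dst.test\n"
    "Subject: Invoice attached\n"
    "X-Originating-IP: [192.0.2.55]\n"
    "X-Mailer: Microsoft Outlook 14.0\n"
    "\n"
    "Please see the attached invoice.\n"
)

IPV4_BRACKETED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
IPV4_ANY = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_received(value):
    """Split one unfolded Received header into from/by hosts, IP and timestamp."""
    clause, _, date_part = value.rpartition(";")  # RFC 5321: date follows the last ';'
    from_m = re.search(r"\bfrom\s+(\S+)", clause)
    by_m = re.search(r"\bby\s+(\S+)", clause)
    # The bracketed IP the receiving MTA recorded lives in the "from ..." clause.
    from_clause = clause[from_m.start():by_m.start()] if from_m and by_m else clause
    ip_m = IPV4_BRACKETED.search(from_clause)
    return {
        "from_host": from_m.group(1) if from_m else None,
        "from_ip": ip_m.group(1) if ip_m else None,
        "by_host": by_m.group(1) if by_m else None,
        "timestamp": email.utils.parsedate_to_datetime(date_part.strip()),
    }


def trace(raw):
    """Return the hops in delivery order (originating server first).

    Each MTA prepends its Received line, so the parser sees the newest hop
    first; reversing the list gives the bottom-up path from the slide.
    """
    msg = email.message_from_string(raw)
    values = [" ".join(v.split()) for v in msg.get_all("Received", [])]  # unfold
    return [parse_received(v) for v in reversed(values)]


def analyze(raw):
    """Collect the header fields the slide calls out, plus consistency checks."""
    msg = email.message_from_string(raw)
    hops = trace(raw)
    warnings = []
    # Timestamps should not go backwards along the path; a hop earlier than
    # the previous one points at clock skew or an inserted Received line.
    for prev, cur in zip(hops, hops[1:]):
        if cur["timestamp"] < prev["timestamp"]:
            warnings.append(f"timestamp goes backwards at {cur['by_host']}")
    x_ip = next(iter(IPV4_ANY.findall(msg.get("X-Originating-IP", ""))), None)
    # X-Originating-IP is optional and spoofable; compare it with what the
    # first MTA actually recorded for the connecting client.
    if hops and x_ip and hops[0]["from_ip"] != x_ip:
        warnings.append("X-Originating-IP does not match the first Received hop")
    transit = (hops[-1]["timestamp"] - hops[0]["timestamp"]).total_seconds() if hops else None
    return {
        "message_id": msg.get("Message-ID"),
        "date": email.utils.parsedate_to_datetime(msg["Date"]),
        "x_originating_ip": x_ip,
        "x_mailer": msg.get("X-Mailer"),
        "hops": hops,
        "transit_seconds": transit,
        "warnings": warnings,
    }


if __name__ == "__main__":
    report = analyze(RAW_MESSAGE)
    print("Message-ID:", report["message_id"])
    for i, hop in enumerate(report["hops"]):
        print(f"hop {i}: {hop['from_host']} ({hop['from_ip']}) -> {hop['by_host']} "
              f"at {hop['timestamp'].isoformat()}")
    print("transit seconds:", report["transit_seconds"], "warnings:", report["warnings"])
```

Only the hop added by the investigator's own receiving server can be taken at face value; every lower Received line was written by someone else's MTA, which is why the script reports disagreements rather than silently picking one value.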

EMAIL HEADER ANALYSIS (screenshot slides)
- Header lookup tools shown: https://www.robtex.com/ and https://toolbox.googleapps.com/apps/messageheader/analyzeheader

EMAIL THREADING
- References or In-Reply-To fields: contain the Message-ID assigned to the original email message.
- Used by advanced (forensic and e-discovery) tools to thread related email messages.
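As an added example (not from the slides), the following Python script threads a constructed set of messages using exactly the two fields named above: In-Reply-To is tried first, then References from the nearest ancestor back to the oldest, so a reply whose direct parent was never collected still lands under the oldest known message in its chain. It also guards against circular references, which forged headers can produce. All Message-IDs and subjects are constructed for this example.

```python
import email
import re
from collections import defaultdict

# Constructed sample thread (not from the slides). Message 4 replies to a
# message that was never collected, so its In-Reply-To cannot be resolved;
# its References line still lets it be attached under message 1.
SAMPLE_MESSAGES = [
    "Message-ID: <m1@example.test>\nSubject: Quarterly numbers\n\nFirst draft attached.\n",
    "Message-ID: <m2@example.test>\nIn-Reply-To: <m1@example.test>\n"
    "References: <m1@example.test>\nSubject: Re: Quarterly numbers\n\nLooks wrong.\n",
    "Message-ID: <m3@example.test>\nIn-Reply-To: <m2@example.test>\n"
    "References: <m1@example.test> <m2@example.test>\nSubject: Re: Quarterly numbers\n\nFixed.\n",
    "Message-ID: <m4@example.test>\nIn-Reply-To: <missing@example.test>\n"
    "References: <m1@example.test> <missing@example.test>\nSubject: Re: Quarterly numbers\n\nForwarding my reply.\n",
    "Message-ID: <m5@example.test>\nSubject: Lunch?\n\nNoon?\n",
]

MSGID = re.compile(r"<[^>]+>")


def message_ids(value):
    """Extract every <id@host> token from a header value (None-safe)."""
    return MSGID.findall(value or "")


def build_threads(raws):
    """Return (roots, children, parent), all keyed by Message-ID.

    Parent resolution order: In-Reply-To first, then References from the
    most recent ancestor back to the oldest, stopping at the first ID that
    is actually in the collection. Messages with no known parent are roots.
    """
    msgs = {}
    for raw in raws:
        m = email.message_from_string(raw)
        ids = message_ids(m.get("Message-ID"))
        if ids:  # a message without a Message-ID cannot be threaded by this method
            msgs[ids[0]] = m
    parent = {}
    for mid, m in msgs.items():
        candidates = message_ids(m.get("In-Reply-To")) + \
            list(reversed(message_ids(m.get("References"))))
        parent[mid] = next((c for c in candidates if c in msgs and c != mid), None)
    children = defaultdict(list)
    for mid, p in parent.items():
        children[p].append(mid)
    return children[None], children, parent


def render(roots, children, depth=0, seen=None):
    """Flatten the tree into indented lines, depth-first, skipping cycles."""
    seen = set() if seen is None else seen
    lines = []
    for mid in roots:
        if mid in seen:  # guard against forged or circular references
            continue
        seen.add(mid)
        lines.append("  " * depth + mid)
        lines.extend(render(children.get(mid, []), children, depth + 1, seen))
    return lines


if __name__ == "__main__":
    roots, children, parent = build_threads(SAMPLE_MESSAGES)
    print("\n".join(render(roots, children)))
```

Because a Message-ID is generated by the sending server and copied verbatim into every reply, the same value can also be used as a search term on the mail server logs to show whether the original was sent or received, as the Message-ID slide notes.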

EMAIL ANALYSIS
- Send and receive e-mail in different environments: host-based email, webmail, mobile email
- Client/server architecture: the OS and e-mail software on the server differ from those on the client side
- Protected accounts: require usernames and passwords

EMAIL ANALYSIS - Name conventions
- Corporate: john.smith@somecompany.com
- Public: whatever@hotmail.com
- Everything after @ belongs to the domain name
- Tracing corporate e-mails is easier because accounts use standard names the administrator establishes

HOST BASED EMAIL - Microsoft Outlook
- Win XP: C:\Documents and Settings\<USERNAME>\Local Settings\Application Data\Microsoft\Outlook\
- Win Vista/7/8: C:\Users\<USERNAME>\AppData\Local\Microsoft\Outlook\
- Personal Storage Table (*.pst): default name is Outlook.pst. Holds email messages, contacts, calendar entries, tasks, notes, etc. Can find multiple archive files.
- Registry key that identifies which PST is being used: NTUSER.DAT\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

HOST BASED EMAIL - Microsoft Outlook
- Kernel Outlook PST Viewer (http://www.nucleustechnologies.com/pstviewer.html)
  - The software is free to download and helps in viewing the contents of PST files.
  - The user can open PST files without MS Office Outlook; that is, MS Office Outlook does not need to be installed on the computer.
  - The user can open files created with any available version of MS Outlook.
  - The utility displays all the email folders (Inbox, Drafts, Outbox, Sent Items, and so on) in the same way as seen in MS Outlook.
  - The software is easy to use and self-descriptive and provides a user-friendly graphical interface, so no technical expertise is required to operate it.
  - The tool lets users view the content of files with minor corruption.
  - Allows users to view password-protected files even if the password is not known to the user.
  - Helps in opening files that got corrupted due to the 2GB size issue.

HOST BASED EMAIL - Microsoft Outlook Exchange Offline Folder Files
- Cached Exchange Mode; *.OST file extension
- Once the user has an active connection to the Exchange server, the user's data is synchronized. 12 months of user data is kept by default.
- OST files cannot be imported into Outlook for processing.
- Kernel OST Viewer (http://www.nucleustechnologies.com/ost-viewer.html)
- ost2pst.exe will convert OST to PST format for processing.
- Most forensic suites support OST processing.

How Microsoft Outlook Saves, Deletes and Compresses Email

Microsoft Outlook stores email messages within a single file. The Outlook file will have a .pst extension.
  Outlook.pst: Inbox = Message 1, Message 2, Message 3; Sent Items = Message 4, Message 5; Deleted Items = (empty)

User deletes Message 2 and Message 5. Outlook moves the email messages to the Deleted Items folder.
  Outlook.pst: Inbox = Message 1, Message 3; Sent Items = Message 4; Deleted Items = Message 2, Message 5

User empties his or her Deleted Items folder. Outlook flags the email messages as being removed. A normal user cannot recover the email messages. The Outlook file does not get smaller.
  Outlook.pst: Inbox = Message 1, Message 3; Sent Items = Message 4; Deleted Items = *Message 2, *Message 5  (* = flagged as removed)

User receives Messages 6 and 7. User sends another email message (Message 8). The Outlook file gets larger in size.
  Outlook.pst: Inbox = Message 1, Message 3, Message 6, Message 7; Sent Items = Message 4, Message 8; Deleted Items = *Message 2, *Message 5

User deletes Message 6 and Message 8. Outlook moves the email messages to the Deleted Items folder.
  Outlook.pst: Inbox = Message 1, Message 3, Message 7; Sent Items = Message 4; Deleted Items = *Message 2, *Message 5, Message 6, Message 8

User empties his or her Deleted Items folder. Outlook flags the email messages as being removed. A normal user cannot recover the email messages. The Outlook file does not get smaller.
  Outlook.pst: Inbox = Message 1, Message 3, Message 7; Sent Items = Message 4; Deleted Items = *Message 2, *Message 5, *Message 6, *Message 8

User compacts his or her Outlook file. All active email messages are moved to the beginning of the file. All email messages flagged as being removed are truncated. The Outlook file reduces in size. The removed email messages are now located in the unallocated space of the hard drive.
  Outlook.pst: Inbox = Message 1, Message 3, Message 7; Sent Items = Message 4; Deleted Items = (empty)
  Unallocated space: *Message 2, *Message 5, *Message 6, *Message 8
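The following Python script is an added example, not from the slides, that models the delete-flag-compact sequence above with a deliberately simple record format so the forensic consequence can be observed directly: emptying Deleted Items leaves the file the same size and the flagged records carvable from it, while compaction shrinks the file and leaves those records only in the pre-compaction bytes (the equivalent of unallocated space). The record layout (a marker, a flag byte, a length and a fixed-width folder name) is invented for this example and is not the real PST on-disk format, which uses its own B-tree node structures.

```python
import struct

# Toy record format for this example only (NOT the real PST structure):
#   MAGIC | flag (1 byte) | body length (2 bytes) | folder (16 bytes, NUL padded) | body
MAGIC = b"\x7fMSG"
ACTIVE, REMOVED = 0, 1
FOLDER_LEN = 16
HDR_LEN = len(MAGIC) + 3 + FOLDER_LEN


def encode_record(folder, body, flag=ACTIVE):
    body_b = body.encode()
    return (MAGIC + struct.pack(">BH", flag, len(body_b))
            + folder.encode().ljust(FOLDER_LEN, b"\0") + body_b)


def carve(blob):
    """Scan for every record marker and return (folder, body, flag) tuples.

    Keys on the marker rather than on any file-level index, so it works the
    same on the live store and on a raw image of unallocated space.
    """
    out = []
    pos = blob.find(MAGIC)
    while pos != -1 and pos + HDR_LEN <= len(blob):
        hdr = pos + len(MAGIC)
        flag, body_len = struct.unpack(">BH", blob[hdr:hdr + 3])
        folder = blob[hdr + 3:hdr + 3 + FOLDER_LEN].rstrip(b"\0").decode()
        start = hdr + 3 + FOLDER_LEN
        body = blob[start:start + body_len].decode(errors="replace")
        out.append((folder, body, flag))
        pos = blob.find(MAGIC, start + body_len)
    return out


class ToyStore:
    """Single-file message store that deletes by flagging, like the slides' Outlook.pst."""

    def __init__(self):
        self.data = bytearray()
        self.offsets = {}  # body text -> offset of its record

    def add(self, folder, body):
        self.offsets[body] = len(self.data)
        self.data += encode_record(folder, body)

    def move(self, body, folder):
        # Moving between folders rewrites the folder field in place.
        off = self.offsets[body] + len(MAGIC) + 3
        self.data[off:off + FOLDER_LEN] = folder.encode().ljust(FOLDER_LEN, b"\0")

    def empty_deleted_items(self):
        # Flag, do not erase: the file keeps its size and the bodies stay on disk.
        for body, off in self.offsets.items():
            folder_off = off + len(MAGIC) + 3
            if self.data[folder_off:folder_off + FOLDER_LEN].rstrip(b"\0") == b"Deleted Items":
                self.data[off + len(MAGIC)] = REMOVED

    def compact(self):
        """Rewrite only active records; return the old bytes, i.e. what a
        compaction leaves behind in unallocated space for carving."""
        old = bytes(self.data)
        live = [(f, b) for f, b, flag in carve(old) if flag == ACTIVE]
        self.data, self.offsets = bytearray(), {}
        for f, b in live:
            self.add(f, b)
        return old


def walk_through():
    """Replay the slides' first three steps and compaction; return observations."""
    s = ToyStore()
    for n in (1, 2, 3):
        s.add("Inbox", f"Message {n}")
    for n in (4, 5):
        s.add("Sent Items", f"Message {n}")
    size_initial = len(s.data)
    s.move("Message 2", "Deleted Items")
    s.move("Message 5", "Deleted Items")
    s.empty_deleted_items()
    size_after_empty = len(s.data)
    flagged_in_file = [b for _, b, flag in carve(bytes(s.data)) if flag == REMOVED]
    old_image = s.compact()
    return {
        "size_initial": size_initial,
        "size_after_empty": size_after_empty,
        "size_after_compact": len(s.data),
        "flagged_in_file": flagged_in_file,
        "live_after_compact": [b for _, b, _ in carve(bytes(s.data))],
        "carved_from_old_image": [b for _, b, flag in carve(old_image) if flag == REMOVED],
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

The practical lesson the model makes visible is that the examiner's best source for "emptied" messages is the PST as found (before any compaction), and that after a compaction the search has to move to unallocated clusters of the volume, which is why forensic suites carve for message structures rather than relying on the file's own index.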

HOST BASED EMAIL - Microsoft Outlook Express
- Default email client prior to Windows Vista/7/8. Uses file extension *.DBX
- File location (Win XP): C:\Documents and Settings\<USERNAME>\Local Settings\Application Data\Identities\<GUID>\Microsoft\Outlook Express
- Deleted email messages are flagged as deleted and not removed from the DBX file until compacted.
- Cleanup.log records the last date of compaction.
- Replaced by Windows Mail (Vista/7/8) (*.EML)
- Processing: most forensic suites support processing DBX; MiTec Mail Viewer http://www.mitec.cz/mailview.html

EMAIL SERVERS
- Computer loaded with software that uses e-mail protocols for its services
- POP (Post Office Protocol): by default, email is downloaded to the local computer and deleted on the server.
- IMAP (Internet Message Access Protocol): by default, email is kept on the server.
- E-mail storage: database or flat file
- Logs: default or manual; continuous and circular

EMAIL SERVERS
- Deployed by most corporate environments; could be physically offsite
- Acquisition could be difficult: massive amount of data; downtime can be an issue to consider.
- Log information: e-mail content, sending IP address, receiving and reading date and time, system-specific information
- Contact the suspect's network e-mail administrator as soon as possible
- Email servers can recover deleted e-mails, similar to deletion of files on a hard drive

MICROSOFT EMAIL SERVER - Microsoft Exchange (Exchange)
- Leader in the email server market; most often a standalone server
- Container holding individual mailboxes: email messages, attachments, contacts, notes, tasks, calendar entries, etc.
- Information Store files
  - Database files *.edb (Extensible Storage Engine): proprietary Microsoft database; priv1.edb is the default database name.
  - Database files *.stm (prior to Exchange 2007): streaming file that contains multimedia data formatted as MIME data.

MICROSOFT EMAIL SERVER - Microsoft Exchange
- Exchange log files (*.log): very important to acquire along with the EDB files. All transactions for the server are written to the log prior to being committed to the Exchange database.
- Deletion process: similar to PST files. Deleted Items folder, then the Exchange Dumpster. Emails are retained for 14 days; accounts are retained for 30 days.
- Acquisition options: physical / logical image; logical export of the Exchange files (Exchange services must be stopped); administrators can export individual mailboxes to PST files.

Understanding How Email Is Sent and Received

[Diagram: an email server and a file server, connected through the Internet to District Office Staff (Users A, B, C), Mobile Staff (Users D, E, F) and Headquarters Staff (Users G, H, I; IMAP users).]

POP Client to POP Client Email Message

1. User A sends an email to User B. The email is transferred to the email server via an Internet connection.

2. The email is now located in User B's Inbox on the email server and User A's Sent Items on the local file server.

3. User B logs into the system; the email is moved from the email server to User B's Inbox on the local file server.

4. When the transfer is complete, the email is located on the file server within User A's Sent Items and User B's Inbox.

Mobile POP Client to POP Client Email Message

1. User D sends an email to User B. The email is transferred to the email server via an Internet connection.

2. The email is now located in User B's Inbox on the email server and User D's Sent Items on his laptop.

3. When User B logs into the system, the email is moved from the email server to User B's Inbox on the local file server.

4. When the transfer is complete, the email resides on User D's laptop within the Sent Items and in User B's Inbox on the local file server.

IMAP Client to IMAP Client Email Message

1. User G sends an email to User H. When User G sends the email, the email server recognizes that the recipient's account exists on the same email server.

2. The email is now located in User H's Inbox and User G's Sent Items, both on the email server.

3. User H logs into the system and accesses the email sent from User G.

Putting It All Together...

1. To bring it all together, let's say User G sends an email to User A, User D and User H.

2. User A, User D and User H log into their email.

3. User A and User D are configured to use POP; their messages would be found on their respective computers.

4. User G and User H are configured to use IMAP; their messages would be found on the email server.

ACCESSDATA FTK
- FTK can index data on a disk image or an entire drive for faster data retrieval
- Filters and finds files specific to e-mail clients and servers
- To recover e-mail from Outlook and Outlook Express, AccessData integrated dtSearch
- dtSearch builds a b-tree index of all text data in a drive, an image file, or a group of files

WEBMAIL FORENSICS
- Email messages are stored on ISP servers. In addition to storing email messages, the ISP may also maintain the user's IP addresses and subscriber information.
- Important to establish email accounts and how the user has been accessing those accounts.
- Artifacts can be recovered from Internet browser cache folders. Usually stored as compressed archives; forensic tools must identify the file type and mount the compressed files in order for search strings to be effective.
- Gmail uses a no-cache option: another important reason to process RAM captures and the pagefile.