16 email analysis - villanova university
Villanova University – Department of Computing Sciences – D. Justin Price – Fall 2014
Email Analysis
Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014
EMAIL ANALYSIS
• With the increase in e-mail scams and fraud attempts with phishing or spoofing, investigators need to know how to examine and interpret the unique content of e-mail messages
• Phishing e-mails are in HTML format
  • Which allows creating links to text on a Web page
• One of the most noteworthy e-mail scams was 419, or the Nigerian Scam
• Spoofing e-mail can be used to commit fraud
• Similar to other types of investigations
• Goals
  • Find who is behind the crime
  • Collect the evidence
  • Present your findings
  • Build a case
EMAIL ANALYSIS
• Who?
  • Email Addresses
  • IP Address
• When?
  • Header Timestamps
  • Server Timestamps
    • Each Mail Transfer Agent (MTA) will append a timestamp to the header
• Where?
  • IP Addresses
  • Server Domains
EMAIL ANALYSIS
• Additional Artifacts
  • Message Body
    • Written by sender
    • Signature Lines
    • Analysis is accomplished by:
      • Keyword Search Terms
      • Manual Review
  • Attachments
    • Accounts for ~80% of email data
    • Attachments must be encoded
      • MIME / base64
    • Common Infection Point for Viruses
  • Address Books
  • Calendar Entries
  • Tasks
  • Notes
EMAIL HEADER ANALYSIS
• Email Header
  • “Envelope” used by email messages to reach destination.
  • Transaction log of the email message.
  • Traditional Information
    • From
    • To
    • CC
    • BCC
    • Subject
    • Date
  • More Specific Information
    • Message ID
      • Unique ID assigned by the originating mail server
      • Logged by each receiving mail server
      • Effective search term to use when analyzing email servers to prove if an email was sent or received.
EMAIL HEADER ANALYSIS
• Email Header
  • More Specific Information
    • Received
      • Trace the email message’s path by analyzing the “Received” entries.
      • The bottom-most entry is from the originating email server.
      • Documents server’s IP address, server name, timestamps and time zone.
    • X-Originating-IP (X-IP) - Optional
      • IP address of the device used to send the email
      • Can be spoofed if user has access to the original MTA
    • X-Mailer - Optional
      • Documents the email client used to send the email message.
      • Helps determine if created from email client or web-based.
EMAIL HEADER ANALYSIS
[Screenshot slides of header analysis tools]
• https://www.robtex.com/
• https://toolbox.googleapps.com/apps/messageheader/analyzeheader
EMAIL THREADING
• References or In-Reply-To Fields:
  • Contains the Message-ID assigned to the original email message.
  • Used by advanced tools (forensic & e-Discovery) to thread related email messages.
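Worked example, added here and not part of the lecture slides: parse a constructed message, walk its Received entries bottom-up to recover the path back to the originating server, pull the Message-ID, X-Originating-IP and X-Mailer fields discussed above, and thread the reply to its original by References / In-Reply-To. All hosts, addresses and IPs in the sample are placeholders.

```python
import re
from email import message_from_string

# Constructed sample (placeholder hosts/IPs); originating server's hop is last.
RAW_REPLY = """\
Received: from mx2.recipient.test (mx2.recipient.test [192.0.2.20])
\tby mail.recipient.test with ESMTP id abc123; Tue, 14 Oct 2014 09:15:02 -0400
Received: from smtp.sender.test (smtp.sender.test [198.51.100.7])
\tby mx2.recipient.test with ESMTP; Tue, 14 Oct 2014 09:14:58 -0400
Message-ID: <msg-0002@smtp.sender.test>
In-Reply-To: <msg-0001@mail.recipient.test>
References: <msg-0001@mail.recipient.test>
X-Originating-IP: [203.0.113.42]
X-Mailer: Microsoft Outlook 14.0
From: alice@sender.test
"""
# Constructed original message that RAW_REPLY answers.
RAW_ORIGINAL = "Message-ID: <msg-0001@mail.recipient.test>\nFrom: bob@recipient.test\n"


def parse_received(value):
    """Sending host, bracketed IP, receiving host and timestamp of one hop."""
    text = " ".join(value.split())  # join folded continuation lines
    host = re.search(r"\bfrom\s+(\S+)", text)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
    by = re.search(r"\bby\s+(\S+)", text)
    return {"from": host.group(1) if host else "",
            "ip": ip.group(1) if ip else "",
            "by": by.group(1) if by else "",
            "date": text.rsplit(";", 1)[1].strip() if ";" in text else ""}


def trace_path(raw):
    """Hops in transmission order (bottom-most Received entry = originating server)."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def header_summary(raw):
    msg = message_from_string(raw)
    hops = trace_path(raw)
    return {
        "message_id": msg.get("Message-ID", "").strip(),
        "origin_server": hops[0]["from"] if hops else "",
        "origin_ip": hops[0]["ip"] if hops else "",
        # Optional and spoofable via the original MTA: kept apart from the trail.
        "x_originating_ip": msg.get("X-Originating-IP", "").strip("[] "),
        "x_mailer": msg.get("X-Mailer", "").strip(),
    }


MSGID_RE = re.compile(r"<[^>]+>")

def thread_root(msg):
    """First References entry, else In-Reply-To, else own Message-ID."""
    for field in ("References", "In-Reply-To"):
        ids = MSGID_RE.findall(msg.get(field, ""))
        if ids:
            return ids[0]
    return msg.get("Message-ID", "").strip()


def group_threads(raw_messages):
    """Group messages by thread root -> {root_id: [message_ids]}."""
    threads = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        threads.setdefault(thread_root(msg), []).append(msg.get("Message-ID", "").strip())
    return threads
```

The `origin_ip` from the Received trail and the `x_originating_ip` header are reported side by side so a discrepancy between them is visible rather than silently merged.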
EMAIL ANALYSIS
• Send and receive e-mail in different environments
  • Host-based Email
  • Email Servers
  • Webmail
  • Mobile Email
• Client/server architecture
  • Server OS and e-mail software differs from those on the client side
• Protected accounts
  • Require usernames and passwords
EMAIL ANALYSIS
• Name conventions
  • Corporate: john.smith@somecompany.com
  • Public: whatever@hotmail.com
  • Everything after @ belongs to the domain name
• Tracing corporate e-mails is easier
  • Because accounts use standard names the administrator establishes
Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Spring 2014
HOST BASED EMAIL
• Microsoft Outlook
  • Personal Storage Table (*.pst)
    • Default name is Outlook.pst
    • Email Messages, Contacts, Calendar Entries, Tasks, Notes, etc.
    • Can find multiple archive files
    • Registry key that identifies what PST is being used
  • File locations:
    Win XP: C:\Documents and Settings\<USERNAME>\Local Settings\Application Data\Microsoft\Outlook\
    Win Vista/7/8: C:\Users\<USERNAME>\AppData\Local\Microsoft\Outlook\
    NTUSER.DAT: \Software\Microsoft\WindowsNT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
HOST BASED EMAIL
• Microsoft Outlook
  • Kernel Outlook PST Viewer (http://www.nucleustechnologies.com/pst-viewer.html)
    • The software is absolutely free to download and helps in viewing the contents of PST files.
    • The user can open PST files without using MS Office Outlook, that is, MS Office Outlook does not need to be installed on the computer system.
    • The user can easily open files created using any available version of MS Outlook.
    • The utility displays all the email folders such as Inbox, Drafts, Outbox, Sent Items, and so on in the same way as seen in MS Outlook.
    • The software is easy to use, easy to understand and self-descriptive, and provides a user-friendly graphical user interface such that no technical expertise is required to operate the software.
    • The tool lets users view the content of files having minor corruptions.
    • Allows users to view password-protected files even if the password is not known to the user.
    • Helps in opening files that got corrupted due to the 2GB size issue.
HOST BASED EMAIL
• Microsoft Outlook
  • Exchange Offline Folder Files
    • “Cached Exchange Mode”
    • *.OST File Extension
    • Once the user has an active connection to the Exchange server, the user’s data is synchronized.
    • 12 months of user data is kept by default.
    • OST files cannot be imported into Outlook for processing.
    • Kernel OST Viewer (http://www.nucleustechnologies.com/ost-viewer.html)
    • ost2pst.exe will convert OST to PST format for processing.
    • Most forensic suites support OST processing.
How Microsoft Outlook Saves, Deletes and Compresses
• Microsoft Outlook stores email messages within a single file.
• The Outlook file will have a .PST extension.
Outlook.pst:
  Inbox: Message 1, Message 2, Message 3
  Sent Items: Message 4, Message 5
  Deleted Items: (empty)
• User deletes Message 2 and Message 5.
• Outlook moves the email messages to the “Deleted Items” folder.
Outlook.pst:
  Inbox: Message 1, Message 3
  Sent Items: Message 4
  Deleted Items: Message 2, Message 5
• User empties his or her “Deleted Items” folder.
• Outlook flags the email messages as being removed.
• A normal user cannot recover the email messages.
• The Outlook file does not get smaller.
Outlook.pst:
  Inbox: Message 1, Message 3
  Sent Items: Message 4
  Deleted Items: *Message 2, *Message 5   (* = flagged as removed)
• User receives Messages 6 and 7.
• User sends another email message (Message 8).
• The Outlook file gets larger in size.
Outlook.pst:
  Inbox: Message 1, Message 3, Message 6, Message 7
  Sent Items: Message 4, Message 8
  Deleted Items: *Message 2, *Message 5
• User deletes Message 6 and Message 8.
• Outlook moves the email messages to the “Deleted Items” folder.
Outlook.pst:
  Inbox: Message 1, Message 3, Message 7
  Sent Items: Message 4
  Deleted Items: *Message 2, *Message 5, Message 6, Message 8
• User empties his or her “Deleted Items” folder.
• Outlook flags the email messages as being removed.
• A normal user cannot recover the email messages.
• The Outlook file does not get smaller.
Outlook.pst:
  Inbox: Message 1, Message 3, Message 7
  Sent Items: Message 4
  Deleted Items: *Message 2, *Message 5, *Message 6, *Message 8
• User compacts his or her Outlook file.
• All active email messages are moved to the beginning of the file.
• All email messages flagged as being removed are truncated.
• The Outlook file reduces in size.
• The removed email messages are now located in the unallocated space of the hard drive.
Outlook.pst:
  Inbox: Message 1, Message 3, Message 7
  Sent Items: Message 4
  Deleted Items: (empty)
Unallocated Space: *Message 2, *Message 5, *Message 6, *Message 8
HOST BASED EMAIL
• Microsoft Outlook Express
  • Default email client prior to Windows Vista/7/8.
  • Uses file extension *.DBX
  • File Location:
    Win XP: C:\Documents and Settings\<USERNAME>\Local Settings\Application Data\Identities\<GUID>\Microsoft\Outlook Express
  • Deleted email messages are flagged as deleted and not removed from the DBX file until compacted.
  • Cleanup.log records the last date of compaction.
  • Replaced by Windows Mail (Vista/7/8) (*.EML)
  • Processing
    • Most forensic suites support processing DBX
    • MiTec Mail Viewer
      • http://www.mitec.cz/mailview.html
EMAIL SERVERS
• Computer loaded with software that uses e-mail protocols for its services
  • POP (Post Office Protocol)
    • By default, email is downloaded to the local computer and deleted on the server.
  • IMAP (Internet Message Access Protocol)
    • By default, email is kept on the server.
• E-mail storage
  • Database
  • Flat file
• Logs
  • Default or manual
  • Continuous and circular
EMAIL SERVERS
• Deployed by most corporate environments
  • Could be physically offsite
  • Acquisition could be difficult
    • Massive amount of data
    • Downtime can be an issue to consider.
• Log information
  • E-mail content
  • Sending IP address
  • Receiving and reading date and time
  • System-specific information
• Contact suspect’s network e-mail administrator as soon as possible
• Servers can recover deleted e-mails
  • Similar to deletion of files on a hard drive
MICROSOFT EMAIL SERVER
• Microsoft Exchange Server (Exchange)
  • Leader in the email server market
  • Most often a standalone server
  • Container holding individual mailboxes
    • Email Messages, Attachments, Contacts, Notes, Tasks, Calendar Entries, etc.
  • Information Store files
    • Database files *.edb (Extensible Storage Engine)
      • Proprietary Microsoft Database
      • priv1.edb is the default database name.
    • Database files *.stm (Prior to Exchange 2007)
      • Streaming file that contains multimedia data formatted as MIME data.
MICROSOFT EMAIL SERVER
• Microsoft Exchange Server
  • Exchange Log Files (*.log)
    • Very important to acquire along with the EDB files.
    • All transactions for the server are written to the log prior to being committed to the Exchange database.
  • Deletion Process
    • Similar to PST files
    • Deleted Items Folder
    • Exchange Dumpster
      • Emails are retained for 14 days
      • Accounts are retained for 30 days
  • Acquisition Options
    • Physical / Logical Image
    • Logical Export of the Exchange Files
      • Exchange services must be stopped.
    • Administrators can export individual mailboxes to PST files.
Understanding How Email Is Sent and Received
[Diagram: Internet; Email Server; File Server; Headquarters Staff (IMAP Users); District Office Staff (POP Users); Mobile Staff (POP Users); users A–I]
POP Client to POP Client Email Message
User A sends an email to User B. The email is transferred to the email server via an Internet connection.
The email is now located in User B’s “Inbox” on the email server and User A’s “Sent Items” on the local file server.
When User B logs into the system, the email is moved from the email server to User B’s “Inbox” on the local file server.
When the transfer is complete, the email is located on the file server within User A’s “Sent Items” and User B’s “Inbox”.
Mobile POP Client to POP Client Email Message
User D sends an email to User B. The email is transferred to the email server via an Internet connection.
The email is now located in User B’s “Inbox” on the email server and User D’s “Sent Items” on his laptop.
When User B logs into the system, the email is moved from the email server to User B’s “Inbox” on the local file server.
When the transfer is complete, the email resides on User D’s laptop within the “Sent Items” and in User B’s “Inbox” on the local file server.
IMAP Client to IMAP Client Email Message
User G sends an email to User H. When User G sends the email, the email server recognizes that the recipient’s account exists on the same email server.
The email is now located in User H’s “Inbox” and User G’s “Sent Items,” both on the email server.
User H logs into the system and accesses the email sent from User G.
Putting It All Together...
To bring it all together, let’s say User G sends an email to User A, User D and User H.
User A, User D and User H log into their email.
User A and User D are configured to use POP; their messages would be found on their respective computers.
User G and User H are configured to use IMAP; their messages would be found on the email server.
ACCESSDATA FTK
• FTK
  • Can index data on a disk image or an entire drive for faster data retrieval
  • Filters and finds files specific to e-mail clients and servers
  • To recover e-mail from Outlook and Outlook Express
    • AccessData integrated dtSearch
    • dtSearch builds a b-tree index of all text data in a drive, an image file, or a group of files
WEBMAIL FORENSICS
• Email messages stored on ISP servers
  • In addition to storing email messages, the ISP may also maintain users’ IP addresses and subscriber information
• Important to establish email accounts and how the user has been accessing those accounts.
• Artifacts “can be” recovered from Internet browser cache folders.
  • Usually stored as compressed archives.
  • Forensic tools must identify the file type and mount the compressed files in order for search strings to be effective.
• Gmail uses a “no cache” option
  • Another important reason to process RAM captures and the pagefile.