Villanova University – Department of Computing Sciences – D. Justin Price – Spring 2014 Email Analysis


Email Analysis


EMAIL ANALYSIS

• With the increase in e-mail scams and fraud attempts with phishing or spoofing, investigators need to know how to examine and interpret the unique content of e-mail messages
• Phishing e-mails are in HTML format
  • Which allows creating links to text on a Web page
• One of the most noteworthy e-mail scams was 419, or the Nigerian Scam
• Spoofing e-mail can be used to commit fraud
• Similar to other types of investigations
• Goals
  • Find who is behind the crime
  • Collect the evidence
  • Present your findings
  • Build a case


EMAIL ANALYSIS

• Who?
  • Email Addresses
  • IP Address
• When?
  • Header Timestamps
  • Server Timestamps
    • Each Mail Transfer Agent (MTA) will append a timestamp to the header
• Where?
  • IP Addresses
  • Server Domains


EMAIL ANALYSIS

• Additional Artifacts
  • Message Body
    • Written by sender
    • Signature Lines
    • Analysis is accomplished by:
      • Keyword Search Terms
      • Manual Review
  • Attachments
    • Account for ~80% of email data
    • Attachments must be encoded
      • MIME / base64
    • Common Infection Point for Viruses
  • Address Books
  • Calendar Entries
  • Tasks
  • Notes
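The attachment points above (MIME encapsulation, base64 transfer encoding, attachments as the usual infection vector) come together in the routine below, which is an added example and not code from the slides. It walks a constructed multipart message, decodes the base64 attachment back to its original bytes, and records the filename, declared type, size and SHA-256 an examiner would note before looking at the content. All addresses, ids and the attachment text are made-up sample values.

```python
import email
import hashlib
from email import policy

# Constructed sample message (addresses, ids and content are made up, not from
# the slides): one text part plus one base64-encoded attachment whose decoded
# form is ATTACHMENT_BYTES.
ATTACHMENT_BYTES = b"Q1 numbers: revenue up 5%\n"
RAW_MESSAGE = b"""\
From: Alice Example <alice@example.com>
To: Bob Example <bob@example.com>
Subject: Q1 report
Message-ID: <20140310.1234@mail.example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY-42"

--BOUNDARY-42
Content-Type: text/plain; charset="us-ascii"

Please see the attached report.
--BOUNDARY-42
Content-Type: application/octet-stream; name="report.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.txt"

UTEgbnVtYmVyczogcmV2ZW51ZSB1cCA1JQo=
--BOUNDARY-42--
"""


def extract_attachments(raw: bytes) -> list:
    """Walk the MIME tree and return every attachment decoded from its
    transfer encoding, with the hash an examiner would record for it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no payload of their own
        if part.get_content_disposition() != "attachment":
            continue                      # inline body text, not an attachment
        content = part.get_payload(decode=True)   # undoes base64 / quoted-printable
        found.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "transfer_encoding": str(part.get("Content-Transfer-Encoding", "7bit")),
            "size": len(content),
            "sha256": hashlib.sha256(content).hexdigest(),
            "content": content,
        })
    return found


if __name__ == "__main__":
    for att in extract_attachments(RAW_MESSAGE):
        print(att["filename"], att["content_type"], att["size"], att["sha256"])
```

The hash is taken over the decoded bytes, not the base64 text, so it can be compared against hashes computed on the file once it has been carved or quarantined elsewhere; the decoded content is kept alongside it so the part can be written out for further examination.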


EMAIL HEADER ANALYSIS

• Email Header
  • “Envelope” used by email messages to reach destination.
  • Transaction log of the email message.
  • Traditional Information
    • From
    • To
    • CC
    • BCC
    • Subject
    • Date
  • More Specific Information
    • Message ID
      • Unique ID assigned by the originating mail server
      • Logged by each receiving mail server
      • Effective search term to use when analyzing email servers to prove if an email was sent or received.


EMAIL HEADER ANALYSIS

• Email Header
  • More Specific Information
    • Received
      • Trace the email message’s path by analyzing the “Received” entries.
      • The bottom-most entry is from the originating email server.
      • Documents server’s IP address, server name, timestamps and time zone.
    • X-Originating-IP (X-IP) - Optional
      • IP address of the device used to send the email
      • Can be spoofed if user has access to the original MTA
    • X-Mailer - Optional
      • Documents the email client used to send the email message.
      • Helps determine if created from email client or web-based.
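The Received trace, Message-ID, X-Originating-IP and X-Mailer points above can be worked through on a constructed header block; the script below is an added example, not code from the slides. It reads the Received entries bottom-up so the originating server comes first, normalises every MTA timestamp to UTC so hop delays can be computed across time zones, and cross-checks the optional X-Originating-IP against the first MTA-written hop. Hostnames, IP addresses, queue ids and timestamps are sample values.

```python
import email
import re
from datetime import timezone
from email import policy
from email.utils import parsedate_to_datetime

# Constructed header block (hosts, addresses, queue ids and timestamps are sample
# values, not from the slides). The parser returns Received headers top-down, i.e.
# newest first; the bottom-most one was written by the originating server.
RAW_HEADERS = b"""\
Received: from mx.example.org (mx.example.org [203.0.113.10])
    by inbox.example.net with ESMTP id 7pQ3kL;
    Tue, 11 Mar 2014 09:15:42 -0400
Received: from smtp.example.com (smtp.example.com [198.51.100.25])
    by mx.example.org with ESMTPS id 9xR4mN;
    Tue, 11 Mar 2014 13:15:31 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
    by smtp.example.com with ESMTPA id 2aB5cD;
    Tue, 11 Mar 2014 08:15:03 -0500
Message-ID: <20140311131503.9A7F2@smtp.example.com>
X-Originating-IP: [192.0.2.77]
X-Mailer: Sample Desktop Client 1.0
From: Sender <sender@example.com>
To: Recipient <recipient@example.net>
Date: Tue, 11 Mar 2014 08:14:59 -0500
Subject: Invoice

Message body.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace_received(raw: bytes) -> list:
    """Return the hops in transmission order (originating server first), each
    with its timestamp normalised to UTC and the delay since the previous hop."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops, previous = [], None
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())             # unfold the header
        _, sep, date_part = text.rpartition(";")        # timestamp follows the last ';'
        stamp = parsedate_to_datetime(date_part.strip()).astimezone(timezone.utc) if sep else None
        from_m = re.search(r"\bfrom\s+(\S+)", text)
        by_m = re.search(r"\bby\s+(\S+)", text)
        ip_m = IP_RE.search(text)
        hops.append({
            "from_host": from_m.group(1) if from_m else None,
            "from_ip": ip_m.group(1) if ip_m else None,
            "by_host": by_m.group(1) if by_m else None,
            "time_utc": stamp.isoformat() if stamp else None,
            # a negative value points at clock skew on an MTA or at a forged hop
            "delay_s": int((stamp - previous).total_seconds()) if stamp and previous else 0,
        })
        previous = stamp or previous
    return hops


def header_summary(raw: bytes) -> dict:
    """Collect the fields the slides single out and cross-check the optional
    X-Originating-IP against the first MTA-written hop, which is harder to forge."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = trace_received(raw)
    x_ip_m = IP_RE.search(str(msg.get("X-Originating-IP", "")))
    x_ip = x_ip_m.group(1) if x_ip_m else None
    return {
        "message_id": str(msg.get("Message-ID", "")).strip().strip("<>") or None,
        "x_mailer": str(msg.get("X-Mailer", "")).strip() or None,
        "x_originating_ip": x_ip,
        "originating_ip": hops[0]["from_ip"] if hops else None,
        "x_ip_matches_trace": bool(hops) and x_ip is not None and x_ip == hops[0]["from_ip"],
        "hop_count": len(hops),
        "transit_s": sum(h["delay_s"] for h in hops),
    }


if __name__ == "__main__":
    for i, hop in enumerate(trace_received(RAW_HEADERS)):
        print(f"hop {i}: {hop['from_host']} ({hop['from_ip']}) -> {hop['by_host']} "
              f"at {hop['time_utc']} (+{hop['delay_s']}s)")
    print(header_summary(RAW_HEADERS))
```

The Message-ID is returned without its angle brackets so it can be pasted directly into a server log search. Only the hops written by servers you do not control are trustworthy: anything below the first Received line added by a server outside the sender's reach, X-Originating-IP included, could have been written by the sender.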

EMAIL HEADER ANALYSIS

[Slides 7 to 12: screenshots only; the header lookup tools shown are https://www.robtex.com/ and https://toolbox.googleapps.com/apps/messageheader/analyzeheader]


EMAIL THREADING

• References or In-Reply-To Fields:
  • Contain the Message-ID assigned to the original email message.
  • Used by advanced (forensic & e-Discovery) tools to thread related email messages.
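The threading the slide attributes to forensic and e-Discovery tools can be reproduced from just those two headers. The script below is an added example, not code from the slides or from any named tool: it links a constructed set of messages by In-Reply-To, falls back to the nearest ancestor in References when the direct parent was never collected (a common gap in a partial acquisition), and leaves a message with no known ancestor as its own thread root. Message-IDs, subjects and dates are made-up sample values.

```python
import email
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample thread (ids, subjects and dates are made up, not from the
# slides): an original, two direct replies, a reply to a reply, a reply whose
# direct parent was never collected, and a reply with no known ancestor at all.
RAW_MESSAGES = [
    b"Message-ID: <a1@example.com>\nSubject: Budget\n"
    b"Date: Mon, 10 Mar 2014 09:00:00 -0400\n\nOriginal message.\n",
    b"Message-ID: <b2@example.com>\nIn-Reply-To: <a1@example.com>\n"
    b"References: <a1@example.com>\nSubject: Re: Budget\n"
    b"Date: Mon, 10 Mar 2014 09:30:00 -0400\n\nFirst reply.\n",
    b"Message-ID: <c3@example.com>\nIn-Reply-To: <a1@example.com>\n"
    b"References: <a1@example.com>\nSubject: Re: Budget\n"
    b"Date: Mon, 10 Mar 2014 10:00:00 -0400\n\nSecond reply.\n",
    b"Message-ID: <d4@example.com>\nIn-Reply-To: <b2@example.com>\n"
    b"References: <a1@example.com> <b2@example.com>\nSubject: Re: Budget\n"
    b"Date: Mon, 10 Mar 2014 11:00:00 -0400\n\nReply to the first reply.\n",
    b"Message-ID: <e5@example.com>\nIn-Reply-To: <missing@example.com>\n"
    b"References: <a1@example.com> <missing@example.com>\nSubject: Re: Budget\n"
    b"Date: Tue, 11 Mar 2014 12:00:00 -0400\n\nParent not in the collection.\n",
    b"Message-ID: <f6@example.com>\nIn-Reply-To: <nope@example.com>\n"
    b"References: <nope@example.com>\nSubject: Re: Lunch\n"
    b"Date: Wed, 12 Mar 2014 08:00:00 -0400\n\nNo known ancestor.\n",
]

MSG_ID_RE = re.compile(r"<[^>]+>")


def build_threads(raw_messages) -> list:
    """Link messages into trees: In-Reply-To names the direct parent; when that
    message is absent, fall back to the nearest ancestor listed in References."""
    nodes = {}
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        ids = MSG_ID_RE.findall(str(msg.get("Message-ID", "")))
        if not ids:
            continue                      # cannot thread a message without an id
        nodes[ids[0]] = {
            "id": ids[0],
            "subject": str(msg.get("Subject", "")),
            "date": parsedate_to_datetime(str(msg["Date"])),
            "in_reply_to": MSG_ID_RE.findall(str(msg.get("In-Reply-To", ""))),
            "references": MSG_ID_RE.findall(str(msg.get("References", ""))),
            "children": [],
        }
    roots = []
    for node in nodes.values():
        # References runs root-first, so search it from the end (nearest ancestor)
        candidates = node["in_reply_to"] + node["references"][::-1]
        parent = next((nodes[c] for c in candidates if c in nodes and c != node["id"]), None)
        if parent is None:
            roots.append(node)            # original message, or all ancestors missing
        else:
            parent["children"].append(node)
    return roots


def thread_outline(nodes, depth=0) -> list:
    """Flatten the trees into (depth, Message-ID) pairs, siblings in date order."""
    out = []
    for node in sorted(nodes, key=lambda n: n["date"]):
        out.append((depth, node["id"]))
        out.extend(thread_outline(node["children"], depth + 1))
    return out


if __name__ == "__main__":
    for depth, mid in thread_outline(build_threads(RAW_MESSAGES)):
        print("  " * depth + mid)
```

Because the Message-ID is assigned by the originating server, a reply collected from a different mailbox or server still links to the original; that is what makes the thread a cross-custodian view rather than a per-mailbox one.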


EMAIL ANALYSIS

• Send and receive e-mail in different environments
  • Host-based Email
  • Email Servers
  • Webmail
  • Mobile Email
• Client/server architecture
  • Server OS and e-mail software differs from those on the client side
• Protected accounts
  • Require usernames and passwords


EMAIL ANALYSIS

• Name conventions
  • Corporate: [email protected]
  • Public: [email protected]
  • Everything after @ belongs to the domain name
• Tracing corporate e-mails is easier
  • Because accounts use standard names the administrator establishes


HOST BASED EMAIL

• Microsoft Outlook
  • Personal Storage Table (*.pst)
  • Default name is Outlook.pst
  • Email Messages, Contacts, Calendar Entries, Tasks, Notes, etc.
  • Can find multiple archive files
  • Registry key that identifies what PST is being used

Win XP: C:\Documents and Settings\<USERNAME>\Local Settings\Application Data\Microsoft\Outlook\
Win Vista/7/8: C:\Users\<USERNAME>\AppData\Local\Microsoft\Outlook\
NTUSER.DAT: \Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook


HOST BASED EMAIL

• Microsoft Outlook
  • Kernel Outlook PST Viewer (http://www.nucleustechnologies.com/pst-viewer.html)
    • The software is free to download and helps in viewing the contents of PST files.
    • The user can open PST files without using MS Office Outlook, that is, MS Office Outlook does not need to be installed on the computer system.
    • The user can easily open files created using any available version of MS Outlook.
    • The utility displays all the email folders such as Inbox, Drafts, Outbox, Sent Items, and so on in the same way as seen in MS Outlook.
    • The software is easy to use, self-descriptive and provides a user-friendly graphical user interface, so no technical expertise is required to operate it.
    • The tool lets users view the content of files having minor corruptions.
    • Allows users to view password-protected files even if the password is not known to the user.
    • Helps in opening files that got corrupted due to the 2GB size issue.


HOST BASED EMAIL

• Microsoft Outlook
  • Exchange Offline Folder Files
    • “Cached Exchange Mode”
    • *.OST File Extension
    • Once user has an active connection to the Exchange server, the user’s data is synchronized.
    • 12 months of user data is kept by default.
    • OST files cannot be imported into Outlook for processing.
    • Kernel OST Viewer (http://www.nucleustechnologies.com/ost-viewer.html)
    • ost2pst.exe will convert OST to PST format for processing.
    • Most forensic suites support OST processing.


How Microsoft Outlook Saves, Deletes and Compresses Email


• Microsoft Outlook stores email messages within a single file.
• The Outlook file will have a .PST extension.

Outlook.pst
  Inbox: Message 1, Message 2, Message 3
  Sent Items: Message 4, Message 5
  Deleted Items: (empty)


• User deletes Message 2 and Message 5.
• Outlook moves the email messages to the “Deleted Items” folder.

Outlook.pst
  Inbox: Message 1, Message 3
  Sent Items: Message 4
  Deleted Items: Message 2, Message 5


• User empties his or her “Deleted Items” folder.
• Outlook flags the email messages as being removed.
• Normal user cannot recover the email messages.
• The Outlook file does not get smaller.

Outlook.pst
  Inbox: Message 1, Message 3
  Sent Items: Message 4
  Deleted Items: *Message 2, *Message 5 (* = flagged as removed)


• User receives Messages 6 and 7.
• User sends another email message (Message 8).
• The Outlook file gets larger in size.

Outlook.pst
  Inbox: Message 1, Message 3, Message 6, Message 7
  Sent Items: Message 4, Message 8
  Deleted Items: *Message 2, *Message 5


• User deletes Message 6 and Message 8.
• Outlook moves the email messages to the “Deleted Items” folder.

Outlook.pst
  Inbox: Message 1, Message 3, Message 7
  Sent Items: Message 4
  Deleted Items: *Message 2, *Message 5, Message 6, Message 8


• User empties his or her “Deleted Items” folder.
• Outlook flags the email messages as being removed.
• A normal user cannot recover the email messages.
• The Outlook file does not get smaller.

Outlook.pst
  Inbox: Message 1, Message 3, Message 7
  Sent Items: Message 4
  Deleted Items: *Message 2, *Message 5, *Message 6, *Message 8


• User compacts his or her Outlook file.
• All active email messages are moved to the beginning of the file.
• All email messages flagged as being removed are truncated.
• The Outlook file reduces in size.
• The removed email messages are now located in the unallocated space of the hard drive.

Outlook.pst
  Inbox: Message 1, Message 3, Message 7
  Sent Items: Message 4
  Deleted Items: (empty)

Unallocated Space: *Message 2, *Message 5, *Message 6, *Message 8
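The delete, empty and compact sequence on the preceding slides can be replayed on a toy single-file store to see where the bytes of a removed message end up at each stage. The model below is an added example, not code from the slides, and deliberately uses a flat fixed-size record layout on a small byte-array "disk" rather than the real PST database structure. It shows the three observations the slides make: emptying Deleted Items only flags records and leaves the file size unchanged, compaction rewrites the live records from the start of the file and shrinks it, and the flagged records then sit in unallocated space where a signature carve still finds them (except where the rewrite overwrote them, which is what makes recovery partial in practice). Message numbers follow the slides; the record format, folder codes and sizes are made up for the model.

```python
import re

RECORD_SIZE = 64        # every stored message occupies one fixed-size record (toy layout)
DISK_SIZE = 1024        # toy "hard drive" the single mail file lives on
RECORD_RE = re.compile(rb"PSTMSG\|(\d{3})\|([A-Z]+)\|([AX])\|([^\x00]*)")


def encode(msg_id: str, folder: str, flag: str, body: str) -> bytes:
    """Serialise one message record; flag 'A' = active, 'X' = flagged as removed."""
    raw = f"PSTMSG|{msg_id}|{folder}|{flag}|{body}".encode()
    assert len(raw) <= RECORD_SIZE, "record too long for this toy layout"
    return raw.ljust(RECORD_SIZE, b"\0")


class PstModel:
    """Single-file store whose live records are always rewritten from offset 0."""

    def __init__(self):
        self.disk = bytearray(DISK_SIZE)
        self.file_len = 0
        self.records = []                 # [msg_id, folder, flag, body]

    def _write(self):
        data = b"".join(encode(*r) for r in self.records)
        self.disk[: len(data)] = data     # bytes past file_len are left as they were
        self.file_len = len(data)

    def _record(self, msg_id):
        return next(r for r in self.records if r[0] == msg_id)

    def store(self, msg_id, folder, body):
        self.records.append([msg_id, folder, "A", body])
        self._write()

    def delete(self, msg_id):             # user presses Delete: moved, not removed
        self._record(msg_id)[1] = "DELETED"
        self._write()

    def empty_deleted_items(self):        # flags the records; the file does not shrink
        for r in self.records:
            if r[1] == "DELETED":
                r[2] = "X"
        self._write()

    def compact(self):                    # drops flagged records; the file shrinks
        self.records = [r for r in self.records if r[2] != "X"]
        self._write()

    def allocated(self) -> bytes:
        return bytes(self.disk[: self.file_len])

    def unallocated(self) -> bytes:
        return bytes(self.disk[self.file_len:])


def carve(blob: bytes) -> list:
    """Signature-carve message records out of any byte range, allocated or not."""
    return [tuple(g.decode() for g in m.groups()) for m in RECORD_RE.finditer(blob)]


def run_scenario() -> dict:
    """Replay the slide sequence and record what is observable at each stage."""
    pst = PstModel()
    for i in (1, 2, 3):
        pst.store(f"00{i}", "INBOX", f"Message {i}")
    for i in (4, 5):
        pst.store(f"00{i}", "SENT", f"Message {i}")
    size_start = pst.file_len
    pst.delete("002")
    pst.delete("005")
    pst.empty_deleted_items()
    size_after_empty = pst.file_len
    flagged_in_file = [r[0] for r in carve(pst.allocated()) if r[2] == "X"]
    pst.store("006", "INBOX", "Message 6")
    pst.store("007", "INBOX", "Message 7")
    pst.store("008", "SENT", "Message 8")
    size_after_new_mail = pst.file_len
    pst.delete("006")
    pst.delete("008")
    pst.empty_deleted_items()
    pst.compact()
    removed = {"002", "005", "006", "008"}
    return {
        "size_start": size_start,
        "size_after_empty": size_after_empty,
        "flagged_in_file": flagged_in_file,
        "size_after_new_mail": size_after_new_mail,
        "size_after_compact": pst.file_len,
        "live_after_compact": [r[0] for r in carve(pst.allocated())],
        "removed_in_unallocated": [r[0] for r in carve(pst.unallocated()) if r[2] == "X"],
        "overwritten": sorted(removed - {r[0] for r in carve(bytes(pst.disk))}),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Before compaction the flagged records are inside the file, so a tool that parses the container (or carves it) recovers them; after compaction they are only reachable by carving unallocated space, and Message 2, whose slot was reused by the rewrite, is gone from both. That is why the slides pair the file-format view with an unallocated-space search.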


HOST BASED EMAIL

• Microsoft Outlook Express
  • Default email client prior to Windows Vista/7/8.
  • Uses file extension *.DBX
  • File Location:
    Win XP: C:\Documents and Settings\<USERNAME>\Local Settings\Application Data\Identities\<GUID>\Microsoft\Outlook Express
  • Deleted email messages are flagged as deleted and not removed from the DBX file until compacted.
  • Cleanup.log records the last date of compaction.
  • Replaced by Windows Mail (Vista/7/8) (*.EML)
  • Processing
    • Most forensic suites support processing DBX
    • MiTec Mail Viewer
      • http://www.mitec.cz/mailview.html


EMAIL SERVERS

• Computer loaded with software that uses e-mail protocols for its services
  • POP (Post Office Protocol)
    • By default, email is downloaded to local computer and deleted on server.
  • IMAP (Internet Message Access Protocol)
    • By default, email is kept on the server.
• E-mail storage
  • Database
  • Flat file
• Logs
  • Default or manual
  • Continuous and circular


EMAIL SERVERS

• Deployed by most corporate environments
• Could be physically offsite
• Acquisition could be difficult
  • Massive amount of data
  • Downtime can be an issue to consider.
• Log information
  • E-mail content
  • Sending IP address
  • Receiving and reading date and time
  • System-specific information
• Contact suspect’s network e-mail administrator as soon as possible
• Servers can recover deleted e-mails
  • Similar to deletion of files on a hard drive


MICROSOFT EMAIL SERVER

• Microsoft Exchange Server (Exchange)
  • Leader in the email server market
  • Most often a standalone server
  • Container holding individual mailboxes
    • Email Messages, Attachments, Contacts, Notes, Tasks, Calendar Entries, etc.
  • Information Store files
    • Database files *.edb (Extensible Storage Engine)
      • Proprietary Microsoft Database
      • priv1.edb is the default database name.
    • Database files *.stm (Prior to Exchange 2007)
      • Streaming file that contains multimedia data formatted as MIME data.


MICROSOFT EMAIL SERVER

• Microsoft Exchange Server
  • Exchange Log Files (*.log)
    • Very important to acquire along with the EDB files.
    • All transactions for the server are written to the log prior to being committed to the Exchange database.
  • Deletion Process
    • Similar to PST files
    • Deleted Items Folder
    • Exchange Dumpster
      • Emails are retained for 14 days
      • Accounts are retained for 30 days
  • Acquisition Options
    • Physical / Logical Image
    • Logical Export of the Exchange Files
      • Exchange services must be stopped.
    • Administrators can export individual mailboxes to PST files.


Understanding How Email Is Sent and Received

[Diagram: an email server and a file server, reached over the Internet by headquarters staff (IMAP users), district office staff (POP users) and mobile staff (POP users); individual users are labelled A to I.]

POP Client to POP Client Email Message

• User A sends an email to User B. The email is transferred to the email server via an Internet connection.
• The email is now located in User B’s “Inbox” on the email server and User A’s “Sent Items” on the local file server.
• User B logs into the system; the email is moved from the email server to User B’s “Inbox” on the local file server.
• When the transfer is complete, the email is located on the file server within User A’s “Sent Items” and User B’s “Inbox”.

Mobile POP Client to POP Client Email Message

• User D sends an email to User B. The email is transferred to the email server via an Internet connection.
• The email is now located in User B’s “Inbox” on the email server and User D’s “Sent Items” on his laptop.
• When User B logs into the system, the email is moved from the email server to User B’s “Inbox” on the local file server.
• When the transfer is complete, the email resides on User D’s laptop within the “Sent Items” and User B’s “Inbox” on the local file server.

IMAP Client to IMAP Client Email Message

• User G sends an email to User H. When User G sends the email, the email server recognizes that the recipient's account exists on the same email server.
• The email is now located in User H’s “Inbox” and User G’s “Sent Items,” both on the email server.
• User H logs into the system and accesses the email sent from User G.

Putting It All Together

• To bring it all together, let’s say User G sends an email to User A, User D and User H.
• User A, User D and User H log into their email.
• User A and User D are configured to use POP; their messages would be found on their respective computers.
• User G and User H are configured to use IMAP; their messages would be found on the email server.


ACCESSDATA FTK

• FTK
  • Can index data on a disk image or an entire drive for faster data retrieval
  • Filters and finds files specific to e-mail clients and servers
    • To recover e-mail from Outlook and Outlook Express
  • AccessData integrated dtSearch
    • dtSearch builds a b-tree index of all text data in a drive, an image file, or a group of files


WEBMAIL FORENSICS

• Email messages stored on ISP servers
• In addition to storing email messages, ISP may also maintain user’s IP addresses and subscriber information
• Important to establish email accounts and how the user has been accessing those accounts.
• Artifacts “can be” recovered from Internet browser cache folders.
  • Usually stored as compressed archives.
  • Forensic tools must identify the file type and mount the compressed files in order for search strings to be effective.
• Gmail uses a “no cache” option
  • Another important reason to process RAM captures and the pagefile.