
System Forensics, Investigation, and Response
Lesson 7: E-mail Forensics

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company


www.jblearning.com
All rights reserved.
Learning Objective

 Summarize various types of digital forensics.

Key Concepts

 E-mail clients and servers
 E-mail headers
 E-mail tracing
 E-mail server forensic examination
 Laws related to e-mail investigations

Devices that Store E-mails
 Desktop PC, laptop, netbook
 Server
 USB drive, external hard drive
 Cell phone

How E-mail Works
 Sender uses a mail client to send a message
 Message travels through one or more mail servers
• Each mail server relays the message closer to its destination
 Destination mail server stores the message
 Receiver uses a mail client to retrieve the message from the mail server

What an E-mail Review Can Reveal
 Sender and recipient information
 Information about those copied on the e-mail
 Content of the communications
 Internet Protocol (IP) addresses
 Date and time information
 User information

What an E-mail Review Can Reveal (cont.)
 Attachments
 Passwords
 Application logs that show evidence of spoofing

E-mail Protocols
 Simple Mail Transfer Protocol (SMTP)
• Used to send e-mail from a client to a mail server (submission) and to relay it between servers
• Port 25 for server-to-server relay; port 587 for authenticated client submission (RFC 6409); port 465 is also used for submission over implicit TLS (RFC 8314)

E-mail Protocols (cont.)
 Post Office Protocol version 3 (POP3)
• Used to receive e-mail
• Operates on port 110 (or 995 over TLS)
• Designed to download the mail to the client and then delete it from the server, so the client may hold the only copy
 Internet Message Access Protocol (IMAP)
• Used to receive e-mail
• Operates on port 143 (or 993 over TLS)
• User views e-mail on the server and decides whether to download it; the e-mail is retained on the server, so both a server copy and a client copy may exist

E-mail Protocol Process
 Outbound e-mail: user's client -> (SMTP) -> mail server -> (SMTP) -> Internet
 Inbound e-mail: Internet -> (SMTP) -> mail server -> (POP3/IMAP) -> user's client

Faking E-mails
 Spoofing
 Anonymous remailing
 "Valid" e-mails

Spoofing
 Making an e-mail message appear to come from someone or someplace other than the real sender or location, typically by forging the From: line (and often the envelope sender as well)
 The first mail server to accept the spoofed message records, in a Received: header, the IP address of the machine that actually connected to it
 The header therefore contains both the forged sender information and the real originating IP address; only the Received: lines added by servers you trust are reliable, because the sender can insert fake ones beneath them

Anonymous Remailing
 Suspect sends an e-mail message to an anonymizer
• The anonymizer is an e-mail server that strips identifying information (sender address, originating Received: lines) from the message before forwarding it, so the recipient sees only the remailer's own IP address
 To find out who sent a remailed e-mail, the investigator must obtain the logs maintained by the remailer or anonymizer operator, if any are kept

"Valid" E-mails
 Appears as though the mail is from a trusted source
 Message content is suspicious
 Content may contain a URL that points to a malicious site
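The following script is an added example for this slide, not material from the original lesson. It pulls every link out of a message's HTML part and flags the ones whose visible text points somewhere other than the real destination, which is how a "valid"-looking mail usually hides its malicious URL. The message, the domains and the IP address in it are all constructed for illustration.

```python
"""Extract every link from a message's HTML part and flag the ones whose
visible text points somewhere other than the real destination.

Added example for the '"Valid" E-mails' slide. The message is constructed for
illustration and every domain and address in it is fictitious."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the sender looks internal, the first link shows a
# plausible URL but goes to a bare IP, the third uses a look-alike domain.
RAW_MESSAGE = """\
From: "IT Helpdesk" <helpdesk@victim.example>
To: staff@victim.example
Subject: Password expires today
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Your password expires today. Reset it at
<a href="http://203.0.113.77/reset">https://portal.victim.example/reset</a></p>
<p>Questions? See <a href="https://helpdesk.victim.example/faq">our FAQ</a>.</p>
<p>Or sign in at <a href="https://victim-example.login-secure.example.net/">victim.example login</a>.</p>
</body></html>
"""

# A hostname (optionally with scheme) appearing in the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def html_body(msg):
    """First text/html part, decoded with its declared charset; '' if none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, "replace")
    return ""


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_site(host, domain):
    return host == domain or host.endswith("." + domain)


def suspicious_links(raw):
    """Return [{'href', 'text', 'reasons'}] for every link that deserves a second look."""
    msg = message_from_string(raw)
    sender_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    collector = LinkCollector()
    collector.feed(html_body(msg))

    flagged = []
    for href, text in collector.links:
        reasons = []
        dest = (urlsplit(href).hostname or "").lower()
        if is_ip(dest):
            reasons.append("destination is a bare IP address")
        shown = DOMAIN_IN_TEXT.search(text)
        shown_host = shown.group(1).lower() if shown else None
        if shown_host and not same_site(dest, shown_host):
            reasons.append(f"text shows {shown_host} but link goes to {dest}")
        if shown_host and same_site(shown_host, sender_dom) and not same_site(dest, sender_dom):
            reasons.append(f"link impersonates the sender's domain {sender_dom}")
        if reasons:
            flagged.append({"href": href, "text": text, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for link in suspicious_links(RAW_MESSAGE):
        print(link["href"], "<-", link["text"])
        for reason in link["reasons"]:
            print("   ", reason)
```

Run against the constructed message it flags the first and third links and passes the plain "our FAQ" link, whose text carries no competing hostname. The same function can be pointed at a real `.eml` file by reading it into `raw`.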

How to Fake an E-mail
 Send e-mail through an anonymous e-mail account
 Spoof IP address and MAC address
 Use free public Wi-Fi

E-mail Message Components
 Header
• Addressing information
• Source and destination, plus the Received: lines added in transit
 Body
• Contents of the message
 Attachments
• Files that travel with the message, carried inside the body as MIME parts (usually Base64-encoded)

E-mail Headers
 RFC 2822 (obsoleted by RFC 5322 in 2008, which keeps the same format)
• Standard for the e-mail message format, including headers
 All e-mail programs use the same message format, regardless of operating system
• E-mail from Outlook on a Windows 8 PC can be read by a recipient using Hotmail on an Android phone

E-mail Headers (cont.)
 The header keeps a record of the message's journey through networks and mail servers
 Each server that handles the message adds a Received: line to the top of the header
 Each network device has an Internet Protocol (IP) address
• Identifies the device on the network at that moment
• Can be resolved to the organization that owns the address block (WHOIS) and to an approximate geographic location (geolocation databases); it is not a street address, and dynamic or shared addresses need the ISP's logs to tie them to a subscriber
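The following script is an added example for the Spoofing and E-mail Headers slides; it is not part of the original lesson. It walks a message's Received: chain from the oldest hop to the newest, extracts each relay's IP address and timestamp, normalizes every time to UTC so the hops can be placed on one timeline, and flags the usual tells of a forged From: line (a Return-Path in a different domain, an originating host with no reverse DNS, no relay belonging to the claimed sender's domain, and clocks that run backwards between hops). The message, hosts and addresses are constructed; the IPs come from the RFC 5737 documentation ranges.

```python
"""Walk a message's Received: chain oldest-hop-first, pull out each relay's IP
and timestamp (normalized to UTC), and flag common signs of a forged From:.

Added example for the Spoofing and E-mail Headers slides. The message below is
constructed: hosts are fictitious, IPs are RFC 5737 documentation addresses."""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample. From: claims example.com, but the first server that
# stamped a Received: line saw the connection come from 198.51.100.23, a
# host with no reverse DNS and no relationship to example.com.
RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.10])
\tby mail.victim.example (Postfix) with ESMTPS id 4F3A1B
\tfor <ceo@victim.example>; Mon, 02 Mar 2015 09:15:07 -0500
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mx2.example.net (Postfix) with ESMTP id 9C0D2E
\tfor <ceo@victim.example>; Mon, 02 Mar 2015 14:14:59 +0000
Return-Path: <bounce@mailer.example.org>
From: "Accounts Payable" <ap@example.com>
To: ceo@victim.example
Subject: Urgent wire transfer
Date: Mon, 02 Mar 2015 09:14:30 -0500
Message-ID: <20150302141430.9C0D2E@mx2.example.net>
Content-Type: text/plain; charset=us-ascii

Please approve the attached invoice today.
"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <receiving server>". The part in
# parentheses is what the receiving server itself observed, so it is the
# trustworthy half of the line; the HELO name is whatever the client claimed.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^()\s\[]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_received(value):
    """One Received: header -> dict(helo, rdns, ip, by, time) with time in UTC."""
    flat = " ".join(value.split())                      # unfold the header
    match = RECEIVED_RE.search(flat)
    hop = {k: (match.group(k) if match else None) for k in ("helo", "rdns", "ip", "by")}
    stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
    hop["time"] = parsedate_to_datetime(stamp).astimezone(timezone.utc) if stamp else None
    return hop


def in_domain(host, domain):
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def analyse(raw):
    """Return (hops oldest-first, list of human-readable findings)."""
    msg = message_from_string(raw)
    # Servers prepend Received: lines, so header order is newest-first.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    findings = []

    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    if hops:
        origin = hops[0]
        if origin["rdns"] in (None, "unknown"):
            findings.append(f"originating host {origin['ip']} has no reverse DNS (HELO {origin['helo']})")
        if not any(in_domain(h["by"], from_dom) or in_domain(h["rdns"], from_dom) for h in hops):
            findings.append(f"no relay in the chain belongs to the From domain {from_dom}")
        sent = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc) if msg["Date"] else None
        if sent and origin["time"] and sent > origin["time"]:
            findings.append("Date header is later than the first Received stamp")

    # Each hop should be stamped no earlier than the hop before it.
    for earlier, later in zip(hops, hops[1:]):
        if earlier["time"] and later["time"] and later["time"] < earlier["time"]:
            findings.append(f"clock runs backwards between {earlier['by']} and {later['by']}")
    return hops, findings


def origin_ip(raw):
    """IP recorded by the first relay: the best lead for tracing the sender."""
    hops, _ = analyse(raw)
    return hops[0]["ip"] if hops else None


if __name__ == "__main__":
    hops, findings = analyse(RAW_MESSAGE)
    for n, hop in enumerate(hops, 1):
        print(f"hop {n}: {hop['ip']} ({hop['rdns']}) -> {hop['by']} at {hop['time']:%Y-%m-%d %H:%M:%S %Z}")
    for finding in findings:
        print("FINDING:", finding)
```

On the constructed message the script reports the origin as 198.51.100.23 and raises three findings (mismatched Return-Path, no reverse DNS on the origin, no relay in example.com). The timestamp check is the one that catches Received: lines a sender inserted below the real ones: those are stamped before the sender's machine connected to the first real relay, so the chain has to be read from the trusted server downward, not from the top.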

RFC 2822 Specifications for E-mail Headers

Message header must include:
 From field: the e-mail address and, optionally, the name of the sender
 Date field: the local time and date when the message was written, with its UTC offset (normalize to UTC before building a timeline)

RFC 2822 Specifications for E-mail Headers (cont.)

Message header should include:
 Message-ID field: an automatically generated, globally unique identifier for the message, normally assigned by the sending client or the first server
 In-Reply-To field: the Message-ID of the message that this one is a reply to

E-mail Header Fields (registry per RFC 3864)
 To, Cc/Bcc, Subject
 Received (one line per relay that handled the message)
 Content-Type (MIME)
 Precedence (non-standard; set by mailing-list and bulk senders)
 References
 Reply-To, Sender
Find Microsoft Outlook 2010 Headers (screenshot, step 1)
View Outlook 2010 Headers (screenshot, step 2)
Microsoft Outlook 2010 Headers (screenshot)
Find Yahoo! Headers (screenshot)
View Yahoo! Headers (screenshot)
Find Gmail Headers (screenshot)
View Gmail Headers (screenshot)
View Hotmail E-mail Headers
1. Select Inbox from the menu on the left.
2. Right-click the message for which you want to view headers and select View Message Source.
The full headers will appear in a new window.

View Apple Mail E-mail Headers
1. Open Apple Mail.
2. Click on the message for which you want to view headers.
3. Go to the View menu.
4. Select Message, then Long Headers.
The full headers will appear in the message pane below your Inbox.
Opening a .pst File in Outlook (screenshot)
Creating a Paraben Case (screenshot)
Adding the Investigator (screenshot)
Selecting an E-mail Database (screenshot)
Role of Investigator in Tracing E-mail and Examining Mail Servers
 Tracing e-mail
• Looking at each point through which an e-mail passed (each Received: line and the matching server log entry) and working step by step back to the originating computer
 Examining e-mail servers
• Searching through deleted e-mails retained by the server, together with its logs of connections and deliveries

E-mail Laws
 The Fourth Amendment to the U.S. Constitution
 The Electronic Communications Privacy Act (ECPA)
 CAN-SPAM Act
 18 U.S.C. § 2252B (misleading domain names on the Internet)
 Communications Assistance for Law Enforcement Act (CALEA)
 Foreign Intelligence Surveillance Act (FISA)
 The USA PATRIOT Act

Summary
 E-mail clients and servers
 E-mail headers
 E-mail tracing
 E-mail server forensic examination
 Laws related to e-mail investigations

Virtual Lab
 Automating E-mail Evidence Discovery Using P2 Commander

OPTIONAL SLIDES

Challenges of Investigating E-mail
 Tracing e-mail depends on mail server log files
 Not all mail servers keep complete log information
 Some mail server owners will not release log information without a court order
 Collecting information from multiple sources may take a large effort
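The following script is an added example for the tracing slide and for this one; it is not part of the original lesson. Tracing one hop back means turning a Message-ID into the server's own queue ID, then reading every log line for that queue ID: the connecting client IP (the only evidence of where the message really came from), the envelope sender, the relay it was handed to, and the queue ID the next server assigned, which is what you ask that server's administrator (or the court order) for. The log lines are constructed in Postfix syslog style for illustration; hosts, addresses and queue IDs are fictitious. The script also shows the natural pivot once an origin IP is known: every other message the same server accepted from that IP.

```python
"""Follow one message through a mail server's log by Message-ID -> queue ID,
recover the connecting IP, envelope sender, delivery and next-hop queue ID,
and pivot to other messages from the same client IP.

Added example for the tracing and "Challenges" slides. The log below is
constructed in Postfix syslog style; hosts, addresses and IDs are fictitious."""
import re

# Constructed sample log. Queue ID 9C0D2E is the message of interest; the
# other IDs are unrelated traffic, one of them from the same client IP.
LOG_LINES = """\
Mar  2 14:14:59 mx2 postfix/smtpd[2210]: 9C0D2E: client=unknown[198.51.100.23]
Mar  2 14:14:59 mx2 postfix/cleanup[2213]: 9C0D2E: message-id=<20150302141430.9C0D2E@mx2.example.net>
Mar  2 14:14:59 mx2 postfix/qmgr[1107]: 9C0D2E: from=<bounce@mailer.example.org>, size=1842, nrcpt=1 (queue active)
Mar  2 14:15:02 mx2 postfix/smtpd[2210]: 7A11F0: client=mail.partner.example[203.0.113.90]
Mar  2 14:15:02 mx2 postfix/cleanup[2213]: 7A11F0: message-id=<a1b2c3@partner.example>
Mar  2 14:15:07 mx2 postfix/smtp[2220]: 9C0D2E: to=<ceo@victim.example>, relay=mail.victim.example[203.0.113.44]:25, delay=8, delays=0.3/0/4/3.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4F3A1B)
Mar  2 14:15:07 mx2 postfix/qmgr[1107]: 9C0D2E: removed
Mar  2 14:20:41 mx2 postfix/smtpd[2231]: B77E19: client=unknown[198.51.100.23]
Mar  2 14:20:41 mx2 postfix/cleanup[2213]: B77E19: message-id=<20150302142041.B77E19@mx2.example.net>
Mar  2 14:20:42 mx2 postfix/smtp[2240]: B77E19: to=<cfo@victim.example>, relay=mail.victim.example[203.0.113.44]:25, delay=1, delays=0.2/0/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5D0C77)
""".splitlines()

# syslog prefix, then "<queue id>: <rest>"; short-format Postfix queue IDs are
# upper-case hex, which also keeps lines such as "statistics: ..." out.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<proc>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]{5,}): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"client=(?P<name>[^\[]+)\[(?P<ip>[^\]]+)\]")
MSGID_RE = re.compile(r"message-id=<(?P<id>[^>]+)>")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]+)>.*?relay=(?P<relay>[^,]+).*?status=(?P<status>\w+)"
                   r"(?: \((?P<detail>[^)]*)\))?")
NEXT_ID_RE = re.compile(r"queued as (?P<qid>[0-9A-Z]+)")


def parse(lines):
    """Yield (timestamp, queue id, process, rest) for every line carrying a queue ID."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("qid"), m.group("proc"), m.group("rest")


def find_queue_id(entries, message_id):
    for _, qid, _, rest in entries:
        m = MSGID_RE.search(rest)
        if m and m.group("id") == message_id:
            return qid
    return None


def trace(lines, message_id):
    """Reconstruct one message's passage through this server, or None if the
    Message-ID never appears (the server may simply not have kept the log)."""
    entries = list(parse(lines))
    qid = find_queue_id(entries, message_id)
    if qid is None:
        return None
    record = {"queue_id": qid, "message_id": message_id, "client_ip": None,
              "client_name": None, "envelope_from": None, "deliveries": [],
              "first_seen": None, "last_seen": None}
    for ts, q, proc, rest in entries:
        if q != qid:
            continue
        record["first_seen"] = record["first_seen"] or ts
        record["last_seen"] = ts
        if m := CLIENT_RE.search(rest):          # who actually connected
            record["client_name"], record["client_ip"] = m.group("name"), m.group("ip")
        elif m := FROM_RE.search(rest):          # envelope sender (MAIL FROM)
            record["envelope_from"] = m.group("addr")
        elif m := TO_RE.search(rest):            # where it went next
            nxt = NEXT_ID_RE.search(m.group("detail") or "")
            record["deliveries"].append({
                "to": m.group("addr"), "relay": m.group("relay"), "status": m.group("status"),
                "next_hop_queue_id": nxt.group("qid") if nxt else None})
    return record


def other_messages_from(lines, client_ip, exclude=None):
    """Queue IDs of every other message this server accepted from the same IP."""
    found = set()
    for _, qid, _, rest in parse(lines):
        m = CLIENT_RE.search(rest)
        if m and m.group("ip") == client_ip and qid != exclude:
            found.add(qid)
    return sorted(found)


if __name__ == "__main__":
    rec = trace(LOG_LINES, "20150302141430.9C0D2E@mx2.example.net")
    print(rec)
    print("also from", rec["client_ip"], "->", other_messages_from(LOG_LINES, rec["client_ip"], rec["queue_id"]))
```

A `None` result is itself a finding worth recording: either the message never passed through this server or the log no longer covers the period, which is exactly the gap the slide warns about. The `next_hop_queue_id` value (4F3A1B in the sample) is the key to continue the trace on mail.victim.example, whose log will identify the message under that ID rather than under 9C0D2E.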
