
Page 1: Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology

Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
[email protected]

Web Forensics & E-mail Tracing

8/24/06

Learning by Doing: Theory and Practice

Page 2: Objectives

• Understand the flow of electronic mail across a network
• Explain the difference between resident e-mail client programs and webmail
• Understand the difference between typical desktop data storage and server data storage
• Identify the components of e-mail headers
• Understand the flow of instant messaging across the network

Page 3: Importance of E-Mail as Evidence

• E-mail can be pivotal evidence in a case
• Due to its informal nature, it does not always represent corporate policy
• Many cases provide examples of the use of e-mail as evidence:
  – Enron
  – Microsoft (Bill Gates)
  – Knox vs. State of Indiana
  – Harley vs. McCoach
  – Nardinelli et al. vs. Chevron
  – Adelyn Lee vs. Oracle Corporation

Page 4: Working with E-Mail

• E-mail evidence is typically used to corroborate or refute other testimony or evidence
• Can be used by prosecutors or defense parties
• Two standard methods to send and receive e-mail:
  – Client/server applications
  – Webmail

Page 5: E-mail Data Flow

• User has a client program such as Outlook or Eudora
• Client program is configured to work with one or more servers
• E-mails sent and received by the client reside on the PC (local message stores)
• A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers

Page 6: Sending E-Mail

1. User creates e-mail on her client
2. User issues the send command
3. Client moves the e-mail to the Outbox
4. Client contacts the server; server acknowledges the client and authenticates the e-mail account
5. Client sends the e-mail to the server
6. Server sends the e-mail to the destination e-mail server

If the client cannot connect with the server, it keeps trying.
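The client/server steps above are an SMTP dialogue. What matters forensically is step 4 to 6: the accepting server records, in a Received: line it prepends to the message, the name the client claimed and the IP address it actually connected from. The following is an added example (not code from the slides): a toy SMTP server state machine driven by a scripted client session. Host names, the peer address 203.0.113.7, the timestamp and the message are constructed sample values, and the server is a simulation, not a real MTA.

```python
"""Toy SMTP exchange: a scripted client session fed through a minimal server
state machine that stamps the Received: header a real MTA would add.
Added example for this page (not the slide deck's own code). The server is a
simulation, not an MTA; host names, the peer IP and the message are constructed."""
import re
from datetime import datetime, timezone
from email.utils import format_datetime

class ToySmtpServer:
    """One session: EHLO -> MAIL FROM -> RCPT TO -> DATA ... . -> QUIT."""

    def __init__(self, hostname, peer_ip, now):
        self.hostname, self.peer_ip, self.now = hostname, peer_ip, now
        self.helo = self.sender = None
        self.rcpts, self.data_lines, self.delivered = [], [], []
        self.in_data = False

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line):
        """Return the reply for one client line (None while a body is being received)."""
        if self.in_data:
            if line == ".":                       # end of message body
                self.in_data = False
                self.delivered.append(self._stamp("\r\n".join(self.data_lines)))
                self.data_lines = []
                return "250 2.0.0 Ok: queued"
            # dot-stuffing: the client doubles a leading "." so it cannot end the body
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.helo = arg.strip()
            return f"250 {self.hostname} Hello {self.helo} [{self.peer_ip}]"
        if verb == "MAIL":
            m = re.match(r"FROM:<([^>]*)>", arg, re.I)
            if not m or self.helo is None:
                return "503 5.5.1 Bad sequence of commands"
            self.sender = m.group(1)
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            m = re.match(r"TO:<([^>]+)>", arg, re.I)
            if not m or self.sender is None:
                return "503 5.5.1 Bad sequence of commands"
            self.rcpts.append(m.group(1))
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "554 5.5.1 No valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"

    def _stamp(self, body):
        """Prepend the trace header: the name the client claimed in EHLO, the IP
        the server actually saw on the socket, and the server's own clock."""
        received = (f"Received: from {self.helo} ([{self.peer_ip}])\r\n"
                    f"\tby {self.hostname} with ESMTP; {format_datetime(self.now)}")
        return received + "\r\n" + body

def run_exchange(client_lines, peer_ip="203.0.113.7", hostname="mail.example.net"):
    """Run a scripted session; return (transcript with C:/S: prefixes, accepted messages)."""
    srv = ToySmtpServer(hostname, peer_ip,
                        now=datetime(2006, 8, 24, 14, 5, 0, tzinfo=timezone.utc))
    transcript = ["S: " + srv.greeting()]
    for line in client_lines:
        transcript.append("C: " + line)
        reply = srv.handle(line)
        if reply is not None:
            transcript.append("S: " + reply)
    return transcript, srv.delivered

# Constructed session: the client claims to be pc.example.org; the server records
# that claim next to the peer address it really saw, which is what a tracer relies on.
SAMPLE_SESSION = [
    "EHLO pc.example.org",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.net>",
    "DATA",
    "From: Alice <alice@example.org>",
    "To: Bob <bob@example.net>",
    "Subject: Q3 numbers",
    "",
    "..leading dot survives dot-stuffing",
    "Please see attached.",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    transcript, msgs = run_exchange(SAMPLE_SESSION)
    print("\n".join(transcript))
    print("--- message as stored by the server ---")
    print(msgs[0])
```

Note that the EHLO name and the From: header are both supplied by the client and can say anything; only the bracketed peer address and the timestamp in the Received: line come from the server, which is why a trace starts from those fields rather than from the From: line.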

Page 7: Receiving E-Mail

1. User opens the client and logs on
2. User issues the receive command
3. Client contacts the server
4. Server acknowledges, authenticates, and contacts the mailbox for the account
5. Mail is downloaded to the local computer
6. Messages are placed in the Inbox to be read

POP3 normally downloads and then deletes messages from the server (unless the client is set to leave a copy on the server); IMAP retains the copy on the server and synchronizes folders with it.

Page 8: Working with Resident e-mail Files

• Users are able to work offline with e-mail
• E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized
• Begin by identifying e-mail clients on the system
• You can also search by file extensions of common e-mail clients

Page 9: Working with E-Mail

E-Mail Client     Extension   Type of File
AOL               .abi        AOL6 organizer file
                  .aim        Instant Message launch
                  .arl        Organizer file
                  .bag        Instant Messenger file
Outlook Express   .dbx        OE mail database
                  .dgr        OE fax page
                  .email      OE mail message
                  .eml        OE electronic mail
Outlook           .pab        Personal address book
                  .pst        Personal folder
                  .wab        Windows address book

(Continued)

Page 10: Working with E-Mail

E-Mail Client     Extension   Type of File
Lotus Notes       .box        Notes mailbox
                  .ncf        Notes internal clipboard
                  .nsf        Notes database
Novell GroupWise  .mlm        Saved e-mail (using WP5.1 format)
Eudora            .mbx        Eudora message base
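An extension search is a quick first pass, but an extension is just a name: a user can rename outlook.pst to song.mp3, or drop a zip archive into a file called mail.pst. The following added example (not code from the slides) walks a directory tree against the extension table on pages 9 and 10 and, for the formats with a fixed signature, confirms the content: PST files begin with the bytes "!BDN", Outlook Express DBX files with CF AD 12 FE, and Eudora .mbx stores are mbox-style text beginning with "From ". The evidence tree is constructed in a temporary directory; the host names and file names in it are sample values.

```python
"""Locate resident e-mail client files by extension and, where a file
signature is known, confirm the content matches.
Added example for this page (not the slide deck's own code). The directory
tree is constructed in a temporary folder with sample contents."""
import os
import tempfile

# Extension table from the slides, mapped to the client that produced the file
EXTENSIONS = {
    ".abi": "AOL", ".aim": "AOL", ".arl": "AOL", ".bag": "AOL",
    ".dbx": "Outlook Express", ".dgr": "Outlook Express",
    ".email": "Outlook Express", ".eml": "Outlook Express",
    ".pab": "Outlook", ".pst": "Outlook", ".wab": "Outlook",
    ".box": "Lotus Notes", ".ncf": "Lotus Notes", ".nsf": "Lotus Notes",
    ".mlm": "Novell GroupWise", ".mbx": "Eudora",
}

# Leading bytes for formats with a fixed signature; extensions not listed
# here are reported as 'unverified' (extension match only)
SIGNATURES = {
    ".pst": b"!BDN",
    ".dbx": b"\xcf\xad\x12\xfe",
    ".mbx": b"From ",      # Eudora keeps mail in mbox layout
}

def classify(path):
    """Return (client, status) with status 'match', 'mismatch' or 'unverified',
    or None when the extension is not an e-mail client extension."""
    ext = os.path.splitext(path)[1].lower()
    client = EXTENSIONS.get(ext)
    if client is None:
        return None
    sig = SIGNATURES.get(ext)
    if sig is None:
        return client, "unverified"
    with open(path, "rb") as fh:
        head = fh.read(len(sig))
    return client, ("match" if head == sig else "mismatch")

def scan(root):
    """Walk root; return {relative_path: (client, status)} for every candidate.
    Files whose extension is not in the table are still sniffed for a binary
    signature, so a renamed .pst is reported as 'renamed .pst'. The "From "
    signature is text and too common to sniff on its own, so it is skipped here."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hit = classify(full)
            if hit is None:
                with open(full, "rb") as fh:
                    head = fh.read(8)
                for ext, sig in SIGNATURES.items():
                    if sig != b"From " and head.startswith(sig):
                        hit = (EXTENSIONS[ext], f"renamed {ext}")
                        break
            if hit:
                found[rel] = hit
    return found

def build_sample_tree():
    """Constructed evidence tree for demonstration; returns its root path."""
    root = tempfile.mkdtemp(prefix="mailscan_")
    files = {
        "Outlook/outlook.pst": b"!BDN" + b"\x00" * 32,
        "OE/Inbox.dbx": b"\xcf\xad\x12\xfe" + b"\x00" * 16,
        "Eudora/In.mbx": b"From alice@example.org Thu Aug 24 14:05:00 2006\r\n",
        "Docs/notes.nsf": b"\x1a\x00\x00\x00",
        "Docs/fake.pst": b"PK\x03\x04",            # zip data renamed to look like a PST
        "Music/song.mp3": b"!BDN" + b"\x00" * 8,   # a PST hidden under a media extension
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, (client, status) in sorted(scan(build_sample_tree()).items()):
        print(f"{rel:22} {client:18} {status}")
```

On a real image, run the scan against the mounted read-only volume (or a logical export from your forensic tool) rather than the live system, and treat 'mismatch' and 'renamed' results as leads to examine by hand.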

Page 11: Popular e-mail Clients

• America Online (AOL): users have a month to download or save before AOL deletes messages
• Outlook Express: installed by default with Windows
• Outlook: bundled with Microsoft Office
• Eudora: popular free client
• Lotus Notes: integrated client option for Lotus Domino server

Page 12: Webmail Data Flow

• User opens a browser and logs in to the webmail interface
• Webmail server has already placed mail in the Inbox
• User uses the compose function followed by the send function to create and send mail
• Web client communicates behind the scenes with the webmail server to send the message
• No e-mails are stored on the local PC by design; the webmail provider houses all e-mail (fragments of viewed pages may still survive in the browser cache)

Page 13: Working with Webmail

• Entails a bit more effort to locate files
• Temporary files are a good place to start
• Useful keywords for webmail programs include:
  – Yahoo! Mail: ShowLetter, ShowFolder, Compose, "Yahoo! Mail"
  – Hotmail: HoTMail, hmhome, getmsg, doattach, compose
  – Gmail: mail[#]

Page 14: E-Mail Protocol

                                 POP3                                         IMAP          Webmail
E-mail accessible from anywhere  No                                           Yes           Yes
Remains stored on server         No (unless included in a backup of server)   Yes           Yes, unless POP3 was used too
Dependence on Internet           Moderate                                     Very strong   Strong
Special software required        Yes                                          Yes           No

Page 15: Working with Mail Servers

• Some initial things to consider:
  – How many users are serviced?
  – E-mail retention policies of the company
  – Accessibility of the e-mail server

Page 16: Working with Mail Servers

• Redundant array of independent disks (RAID)
  – RAID 0: Basic disk striping (no redundancy)
  – RAID 1: Disk mirroring
  – RAID 3: Striping with a dedicated parity disk
  – RAID 5: Striping with distributed parity
  – RAID 0+1 and 10 (1+0): Mirror of stripes and striped mirroring

Page 17: Working with Mail Servers

• Harvesting data from RAID servers
  – Easiest way to obtain the data is over the network
  – Considerations:
    • Time to obtain the data
    • Physical configuration and space
    • Production server downtime

Page 18: Examining E-Mails for Evidence

• Understanding e-mail headers
  – The header records information about the sender, the receiver, and the servers the message passes through along the way
  – Most e-mail clients show the header in a short form that does not reveal IP addresses
  – Most programs have an option to show a long form that reveals the complete details

Page 19: Examining E-Mails for Evidence

• The most common parts of the e-mail header are the logical addresses of senders and receivers
• A logical address is composed of two parts:
  – The mailbox, which comes before the @ sign
  – The domain or hostname, which comes after the @ sign
• The mailbox is generally the user ID used to log in to the e-mail server
• The domain names the mail system that accepts e-mail for that mailbox (found on the Internet through its DNS MX records)

Page 20: Examining E-Mails for Evidence

• Reviewing e-mail headers can offer clues to the true origin of the mail and the program used to send it
• Common e-mail header fields include:
  – Bcc
  – Cc
  – Content-Type
  – Date
  – From
  – Message-ID
  – Received
  – Subject
  – To
  – X-Priority
• From, To, Date and Subject are written by the sender's software and can say anything; each Received line is added by a server as the message passes through it, and the newest one is on top, so read the chain from the bottom up

Page 21: IP Address Registries

• African Network Information Centre (AfriNIC)
• Asia Pacific Network Information Centre (APNIC)
• American Registry for Internet Numbers (ARIN)
• Latin American and Caribbean Internet Addresses Registry (LACNIC)
• Réseaux IP Européens Network Coordination Centre (RIPE NCC)

Page 22: Examining E-Mails for Evidence

• Understanding e-mail attachments
  – The MIME standard allows for HTML and multimedia images in e-mail
  – Searching for base64 can find attachments in unallocated or slack space
• Anonymous remailers
  – Allow users to remove identifying IP data to maintain privacy
  – Stems from users citing the First Amendment and freedom of speech
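Base64 attachments are easy to recognise in raw disk data: long runs of the 64-character alphabet broken into 76-character lines, ending in "=" padding. The following added example (not code from the slides) carves such runs out of a byte buffer, decodes them, and identifies the result by its leading bytes. The buffer is constructed inline (a PNG header and a ZIP header, base64-encoded and wrapped the way a MIME encoder does it, surrounded by junk); the magic-byte table covers only a handful of common types.

```python
"""Carve base64-encoded MIME attachments out of a raw byte buffer (for
example a slice of unallocated or slack space) and identify what they decode to.
Added example for this page (not the slide deck's own code). The buffer is
constructed inline for demonstration."""
import base64
import binascii
import re

# Leading bytes for a few common attachment types
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip/office",
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"!BDN": "pst",
}

# Zero or more full base64 lines (MIME wraps at 76 columns) followed by a final
# line with optional '=' padding. The lookahead requires the run to stop at a
# line end, a NUL or the end of the buffer, so text glued to the run is rejected.
B64_RUN = re.compile(
    rb"(?:[A-Za-z0-9+/]{4,76}\r?\n)*[A-Za-z0-9+/]{4,76}={0,2}(?=\r?\n|\x00|\Z)")

def identify(data):
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"

def carve(buf, min_bytes=32):
    """Return [(offset, kind, decoded_bytes)] for every decodable base64 run of
    at least min_bytes. Short runs (ordinary words happen to be valid base64) are
    dropped by the size threshold rather than by the pattern."""
    hits = []
    for m in B64_RUN.finditer(buf):
        raw = re.sub(rb"\s+", b"", m.group(0))
        raw = raw[: len(raw) - len(raw) % 4]      # drop a trailing partial quantum
        try:
            decoded = base64.b64decode(raw, validate=True)
        except binascii.Error:
            continue
        if len(decoded) >= min_bytes:
            hits.append((m.start(), identify(decoded), decoded))
    return hits

def mime_wrap(data):
    """Encode like a MIME base64 transfer encoding: 76-column lines, CRLF ends."""
    enc = base64.b64encode(data)
    return b"\r\n".join(enc[i:i + 76] for i in range(0, len(enc), 76)) + b"\r\n"

def build_sample_buffer():
    """Constructed slack-space sample: junk, a MIME part, binary noise, a second part."""
    png = b"\x89PNG\r\n\x1a\n" + bytes(range(120))   # 128-byte pseudo PNG
    zipf = b"PK\x03\x04" + b"\x00" * 60                # 64-byte pseudo ZIP
    return (b"\x00" * 40 + b"junk text before the attachment\r\n"
            + b"Content-Transfer-Encoding: base64\r\n\r\n" + mime_wrap(png)
            + b"\x00\xff" * 30 + mime_wrap(zipf) + b"--boundary--\r\n")

if __name__ == "__main__":
    for off, kind, data in carve(build_sample_buffer()):
        print(f"offset {off:6d}  {kind:12} {len(data)} bytes")
```

On a real image the interesting hits are the ones whose decoded bytes identify as a document or archive type; "unknown" hits are often text parts or fragments whose start was overwritten, and are worth a second look with a longer magic table.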

Page 23: Private IP Address Classifications

IP Address Range                 Classification         Use
10.0.0.0 to 10.255.255.255       Class A (10/8)         Local network use; not routed on the Internet
172.16.0.0 to 172.31.255.255     Class B (172.16/12)    Local network use; not routed on the Internet
192.168.0.0 to 192.168.255.255   Class C (192.168/16)   Local network use; not routed on the Internet

These are the RFC 1918 private ranges. A Received line showing one of them identifies only a host inside that organization's network; the first public address further along the chain is the one to look up in a registry.

Page 24: Working with Instant Messaging

• The most widely used IM applications include:
  – Windows Messenger
  – Google Talk
  – AIM (AOL Instant Messenger)
  – ICQ ("I Seek You") Instant Messenger
• Newer versions of IM clients and servers allow the logging of activity
• Can be more incriminating than e-mail

Page 25: Taking the Initial Report

• GET THE HEADERS!!!
• Get as accurate a timeline as possible
• Time zones are important!! Each Received line and the Date header carry their own UTC offset; normalize them before comparing
  http://tycho.usno.navy.mil/tzonemap.html
• Be sure the original e-mail is not deleted
• Simply forwarding an e-mail does not preserve the headers; obtain the full headers from the original message
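The following added example (not code from the slides) ties together the header fields of pages 18 to 20, the private-range table of page 23 and the time-zone warning above. It parses a full header, walks the Received chain from the bottom up, classifies each relay address against the RFC 1918 ranges, picks the first public address as the one to look up, and converts the Date header and every hop timestamp to UTC so that hops stamped in different zones fall on one timeline; a hop stamped earlier than the previous one is flagged. The header is constructed: host names, addresses (RFC 5737 documentation ranges stand in for public addresses) and times are sample values.

```python
"""Walk the Received: chain of an e-mail header, classify relay IPs against
RFC 1918, and normalise all timestamps to UTC for a single timeline.
Added example for this page (not the slide deck's own code). The header is
constructed; 198.51.100.x and 203.0.113.x are documentation addresses standing
in for public ones."""
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample header. Each MTA prepends its own Received: line, so the
# top entry is the last hop and the bottom entry is the first (closest to sender).
# The top hop's clock is deliberately a little behind the hop before it.
SAMPLE = """\
Received: from mx2.example.edu (mx2.example.edu [198.51.100.25])
\tby mail.example.edu with ESMTP id k7OE5Xq1; Thu, 24 Aug 2006 10:04:50 -0400
Received: from smtp.example.net (smtp.example.net [203.0.113.9])
\tby mx2.example.edu with ESMTP; Thu, 24 Aug 2006 09:05:12 -0500
Received: from desktop-17 (unknown [192.168.1.17])
\tby smtp.example.net with ESMTPA; Thu, 24 Aug 2006 16:04:58 +0200
Message-ID: <20060824140458.A1B2C3@smtp.example.net>
Date: Thu, 24 Aug 2006 07:04:00 -0700
From: "A. Sender" <sender@example.net>
To: victim@example.edu
Subject: Re: contract

body
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
DATE_RE = re.compile(r";\s*(.+)$")

def classify_ip(ip):
    """'private' for the RFC 1918 ranges (page 23 table), otherwise 'public'."""
    addr = ipaddress.ip_address(ip)
    return "private" if any(addr in net for net in RFC1918) else "public"

def parse_hops(raw):
    """Return hops in transmission order (first relay first): the 'from' name the
    client claimed, the IP the receiving server logged, that server, and the
    hop timestamp converted to UTC."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())                 # unfold continuation lines
        m_from = re.search(r"from (\S+)", flat)
        m_by = re.search(r"\bby (\S+)", flat)
        m_ip = IP_RE.search(flat)
        m_date = DATE_RE.search(flat)
        ts = parsedate_to_datetime(m_date.group(1)).astimezone(timezone.utc) if m_date else None
        hops.append({"from": m_from.group(1) if m_from else None,
                     "ip": m_ip.group(1) if m_ip else None,
                     "by": m_by.group(1) if m_by else None,
                     "utc": ts})
    return hops

def originating_ip(hops):
    """First public IP walking from the sender's end. A private address before it
    only says the mail was submitted from inside that provider's own network."""
    for h in hops:
        if h["ip"] and classify_ip(h["ip"]) == "public":
            return h["ip"]
    return None

def timeline(raw):
    """Rows of (label, utc_time, flag): the sender-supplied Date header first,
    then every hop; flag is set when a hop is stamped earlier than the previous
    one, which points at clock skew or at an inserted header."""
    msg = message_from_string(raw)
    rows = [("Date header", parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc), "")]
    prev = None
    for h in parse_hops(raw):
        flag = "out of order" if prev and h["utc"] and h["utc"] < prev else ""
        rows.append((f"{h['from']} -> {h['by']}", h["utc"], flag))
        prev = h["utc"] or prev
    return rows

if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    for h in hops:
        print(f"{h['ip']:15} {classify_ip(h['ip']):8} {h['from']} -> {h['by']}")
    print("originating IP:", originating_ip(hops))
    for label, ts, flag in timeline(SAMPLE):
        print(f"{ts:%Y-%m-%d %H:%M:%S}Z  {label}  {flag}")
```

Only the Received lines added by servers you trust are reliable; anything below the first trusted hop, including the Date header and the bottom-most Received lines, could have been typed by the sender, so treat the public address this script returns as the starting point for a registry lookup, not as proof.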

Pages 26-49: image-only slides (no recoverable text)

Tools for E-mail TracingTools for E-mail Tracing

• Nslookup – DOS Command Prompt– www.infobear.com/nslookup.shtml

• www.traceroute.org

• http://www.whois.net/

• American Registry. http://www.arin.net/index.shtml

• Sam Spade: www.samspade.org