Computer Crime & Intellectual Property Section
Email Investigations: An Introduction
Al Rees, Trial Attorney
Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, U.S. Department of Justice
August 2009
CCIPS, USDOJ
Understanding email basics
Collecting email and associated data
Finding information in email messages
Understanding email basics
Requirements for Email
Email application: a computer-based application or web-based email (webmail); generates an email address
Internet connection: relies on an Internet Protocol (IP) address
Service provider: an Internet service provider (ISP) or a webmail service provider
IP Address
149.101.1.120
E-Mail Basics
E-mail travels from the sender to the recipient's host, where it resides on a MAIL SERVER until the recipient retrieves it.
(Diagram labels: SENDER'S ISP, INTERNET, RECIPIENT'S ISP)
Collecting email and associated data
Evidence of Past Activity – Content
Copies of a previously sent e-mail message may be stored on:
the sender's system
the recipient's mail server (even after the addressee has read it)
the recipient's own machine
(Diagram labels: SENDER'S ISP, INTERNET, RECIPIENT'S ISP)
Evidence of Past Activity – Traffic Data
A record of the e-mail transmission (date, time, source, destination) usually resides in the MAIL LOGS of:
the sender's system
the recipient's mail server
(Diagram labels: SENDER'S ISP, INTERNET, RECIPIENT'S ISP)
Gathering Evidence of Past Activity
Evidence on a computer or network: search and seizure; imaging and analyzing
Evidence with a service provider: data preservation or retention; ability to provide evidence; legal procedures; international considerations
(Diagram label: Legal Process)
Prospective Evidence – Content
Interception ("wiretap"): creates a "cloned" account
(Diagram labels: Wiretap Order, SUBJECT'S COMPUTER, SUBJECT'S ISP, INTERNET, LAW ENFORCEMENT COMPUTER)
Prospective Evidence – Traffic Data
Install a pen/trap at the user's ISP to discover who corresponds with the user
(Diagram labels: Pen/Trap Order, SUBJECT'S COMPUTER, SUBJECT'S ISP, INTERNET, LAW ENFORCEMENT)
Finding information in email messages
Finding Information in Email
Content: subject, body, attachments, links
Traffic data: sender and recipient, routing information, date and time
Content
Subject line
Body
Attachments
Hyperlinks
Email Headers
Traffic Data
When created
How created
When sent
When received
Who sent and received
Routing
Email Analysis: A Starting Point
Iterative process
Generates leads
Direct evidence
Timeline analysis
Timeline of Events
Issues
Spoofing
Phishing
Spamming
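The Traffic Data, Timeline of Events and Issues slides above name what an investigator pulls from a message (who sent and received it, when, and the routing) but the deck leaves the mechanics to the reader. The script below is an added example, not material from the CCIPS deck: it uses Python's standard-library email module to parse a constructed sample message, extracts the sender, recipients, dates and Received routing hops, orders them into a UTC timeline, pulls the subject and hyperlinks out of the content, and applies three header-only heuristics (From/Return-Path domain mismatch, no hop in the From domain, a broken or out-of-order Received chain) as spoofing indicators. The message, the host names and IP addresses, and the heuristics are all my own constructions; the IP ranges used are documentation ranges.

```python
"""Traffic-data extraction, timeline and spoofing indicators for one raw email.

Added example (not from the original CCIPS deck). The sample message, hosts,
addresses and heuristics below are constructed for illustration.
"""
import re
from datetime import timezone
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed sample message. Received headers appear newest-first because each
# mail server prepends its own line above the ones it received.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from relay.example.org (relay.example.org [203.0.113.7])
\tby mx.recipient.example (Postfix) with ESMTP id ABC123;
\tTue, 18 Aug 2009 14:05:31 -0400
Received: from outbound.mailer.example.net (outbound.mailer.example.net [198.51.100.22])
\tby relay.example.org with ESMTP id XYZ789;
\tTue, 18 Aug 2009 18:03:12 +0000
Received: from user-pc (unknown [192.0.2.45])
\tby outbound.mailer.example.net with ESMTPA id Q1;
\tTue, 18 Aug 2009 18:02:58 +0000
Message-ID: <20090818180258.1234@user-pc>
Date: Tue, 18 Aug 2009 14:02:40 -0400
From: "Accounts Team" <accounts@bank.example.com>
To: victim@recipient.example
Subject: Please verify your account
Content-Type: text/plain

Click http://bank.example.com.login.example/verify within 24 hours.
"""

RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_received(value):
    """One Received header -> {from, from_ip, by, time}. The timestamp is the text
    after the last ';' (RFC 5322 layout), so free-form comments do not disturb it."""
    clause, _, date_part = value.rpartition(";")
    m = RECEIVED_RE.search(clause)
    ip = IP_RE.search(clause)
    return {
        "from": m.group("from") if m else None,
        "from_ip": ip.group(1) if ip else None,
        "by": m.group("by") if m else None,
        "time": parsedate_to_datetime(date_part.strip()),
    }


def extract_traffic_data(raw):
    """Collect the items the deck calls traffic data plus subject and body links."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()  # oldest first: origin hop first, final delivery last
    body = msg.get_payload() if not msg.is_multipart() else ""
    return {
        "from": parseaddr(msg.get("From", ""))[1],
        "to": [addr for _, addr in getaddresses(msg.get_all("To", []))],
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "message_id": msg.get("Message-ID"),
        "date": parsedate_to_datetime(msg["Date"]) if msg["Date"] else None,
        "subject": msg.get("Subject", ""),
        "links": URL_RE.findall(body),
        "hops": hops,
    }


def build_timeline(info):
    """Chronological (utc_time, description) events; every stamp is normalised to
    UTC because each hop records its own local zone."""
    events = []
    if info["date"] is not None:
        events.append((info["date"].astimezone(timezone.utc),
                       "Date: header, send time claimed by the sending client"))
    for hop in info["hops"]:
        events.append((hop["time"].astimezone(timezone.utc),
                       f"received by {hop['by']} from {hop['from']} [{hop['from_ip']}]"))
    events.sort(key=lambda e: e[0])
    return events


def chain_is_consistent(hops):
    """True when each hop's 'by' host is the next hop's 'from' host and timestamps
    never run backwards; a break suggests an inserted or forged Received line."""
    for earlier, later in zip(hops, hops[1:]):
        if earlier["by"] != later["from"] or later["time"] < earlier["time"]:
            return False
    return True


def in_domain(host, domain):
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)


def spoofing_indicators(info):
    """Header-only heuristics (no network lookups) that suggest a spoofed sender."""
    flags = []
    from_domain = info["from"].rpartition("@")[2].lower()
    rp_domain = info["return_path"].rpartition("@")[2].lower()
    if from_domain and rp_domain and from_domain != rp_domain:
        flags.append(f"From: domain {from_domain} differs from Return-Path domain {rp_domain}")
    if from_domain and not any(in_domain(h["from"], from_domain) or in_domain(h["by"], from_domain)
                               for h in info["hops"]):
        flags.append(f"no Received hop belongs to the From: domain {from_domain}")
    if not chain_is_consistent(info["hops"]):
        flags.append("Received chain is broken or out of order")
    return flags


if __name__ == "__main__":
    info = extract_traffic_data(SAMPLE_MESSAGE)
    print("From:", info["from"], "To:", info["to"], "Subject:", info["subject"])
    for when, what in build_timeline(info):
        print(when.isoformat(), what)
    for flag in spoofing_indicators(info):
        print("INDICATOR:", flag)
```

Reading the hops oldest-first mirrors how an investigator walks the chain: the origin hop carries the IP address that a service-provider request would resolve to a subscriber, and each later hop's timestamp can be checked against that server's mail logs. The indicators are leads, not proof; legitimate bulk mailers also send with a Return-Path in their own domain.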
In Closing…
Understanding email basics
Collecting email and associated data
Finding information in email messages
…any questions?