Presentation is loading. Please wait.

Presentation is loading. Please wait.

Guide to Computer Forensics and Investigations Fourth Edition Chapter 12 E-mail Investigations.

Similar presentations


Presentation on theme: "Guide to Computer Forensics and Investigations Fourth Edition Chapter 12 E-mail Investigations."— Presentation transcript:

1 Guide to Computer Forensics and Investigations Fourth Edition Chapter 12 Investigations

2 Guide to Computer Forensics and Investigations2 Objectives Explain the role of in investigations Describe client and server roles in Describe tasks in investigating crimes and violations Explain the use of server logs Describe some available computer forensics tools

3 Guide to Computer Forensics and Investigations3 Exploring the Role of in Investigations With the increase in scams and fraud attempts with phishing or spoofing –Investigators need to know how to examine and interpret the unique content of messages Phishing s are in HTML format –Which allows creating links to text on a Web page One of the most noteworthy scams was 419, or the Nigerian Scam Spoofing can be used to commit fraud

4 Guide to Computer Forensics and Investigations4 Exploring the Roles of the Client and Server in Send and receive in two environments –Internet –Controlled LAN, MAN, or WAN Client/server architecture –Server OS and software differs from those on the client side Protected accounts –Require usernames and passwords

5 Guide to Computer Forensics and Investigations5 Exploring the Roles of the Client and Server in (continued)

6 Guide to Computer Forensics and Investigations6 Exploring the Roles of the Client and Server in (continued) Name conventions –Corporate: –Public: –Everything belongs to the domain name Tracing corporate s is easier –Because accounts use standard names the administrator establishes

7 Guide to Computer Forensics and Investigations7 Investigating Crimes and Violations Similar to other types of investigations Goals –Find who is behind the crime –Collect the evidence –Present your findings –Build a case

8 Guide to Computer Forensics and Investigations8 Investigating Crimes and Violations (continued) Depend on the city, state, or country –Example: spam –Always consult with an attorney Becoming commonplace Examples of crimes involving s –Narcotics trafficking –Extortion –Sexual harassment –Child abductions and pornography

9 Guide to Computer Forensics and Investigations9 Examining Messages Access victim’s computer to recover the evidence Using the victim’s client –Find and copy evidence in the –Access protected or encrypted material –Print s Guide victim on the phone –Open and copy including headers Sometimes you will deal with deleted s

10 Guide to Computer Forensics and Investigations10 Examining Messages (continued) Copying an message –Before you start an investigation You need to copy and print the involved in the crime or policy violation –You might also want to forward the message as an attachment to another address With many GUI programs, you can copy an by dragging it to a storage medium –Or by saving it in a different location

11 Guide to Computer Forensics and Investigations11 Examining Messages (continued)

12 Guide to Computer Forensics and Investigations12 Viewing Headers Learn how to find headers –GUI clients –Command-line clients –Web-based clients After you open headers, copy and paste them into a text document –So that you can read them with a text editor Headers contain useful information –Unique identifying numbers, IP address of sending server, and sending time

13 Guide to Computer Forensics and Investigations13 Viewing Headers (continued) Outlook –Open the Message Options dialog box –Copy headers –Paste them to any text editor Outlook Express –Open the message Properties dialog box –Select Message Source –Copy and paste the headers to any text editor

14 Guide to Computer Forensics and Investigations14 Viewing Headers (continued)

15 Guide to Computer Forensics and Investigations15 Viewing Headers (continued)

16 Guide to Computer Forensics and Investigations16

17 Guide to Computer Forensics and Investigations17 Viewing Headers (continued) Novell Evolution –Click View, All Message Headers –Copy and paste the header Pine and ELM –Check enable-full-headers AOL headers –Click Action, View Message Source –Copy and paste headers

18 Guide to Computer Forensics and Investigations18 Viewing Headers (continued)

19 Guide to Computer Forensics and Investigations19 Viewing Headers (continued)

20 Guide to Computer Forensics and Investigations20 Viewing Headers (continued)

21 Guide to Computer Forensics and Investigations21 Viewing Headers (continued)

22 Guide to Computer Forensics and Investigations22 Viewing Headers (continued) Hotmail –Click Options, and then click the Mail Display Settings –Click the Advanced option button under Message Headers –Copy and paste headers Apple Mail –Click View from the menu, point to Message, and then click Long Header –Copy and paste headers

23 Guide to Computer Forensics and Investigations23 Viewing Headers (continued)

24 Guide to Computer Forensics and Investigations24 Viewing Headers (continued) Yahoo –Click Mail Options –Click General Preferences and Show All headers on incoming messages –Copy and paste headers

25 Viewing Headers (continued)

26 Guide to Computer Forensics and Investigations26 Examining Headers Gather supporting evidence and track suspect –Return path –Recipient’s address –Type of sending service –IP address of sending server –Name of the server –Unique message number –Date and time was sent –Attachment files information

27 Guide to Computer Forensics and Investigations27 Examining Headers (continued)

28 Guide to Computer Forensics and Investigations28 Examining Additional Files messages are saved on the client side or left at the server Microsoft Outlook uses.pst and.ost files Most programs also include an electronic address book In Web-based –Messages are displayed and saved as Web pages in the browser’s cache folders –Many Web-based providers also offer instant messaging (IM) services

29 Guide to Computer Forensics and Investigations29 Tracing an Message Contact the administrator responsible for the sending server Finding domain name’s point of contact –www.arin.net –www.internic.com –www.freeality.com –www.google.com Find suspect’s contact information Verify your findings by checking network logs against addresses

30 Guide to Computer Forensics and Investigations30 Using Network Logs Router logs –Record all incoming and outgoing traffic –Have rules to allow or disallow traffic –You can resolve the path a transmitted has taken Firewall logs –Filter traffic –Verify whether the passed through You can use any text editor or specialized tools

31 Guide to Computer Forensics and Investigations31 Using Network Logs (continued)

32 Guide to Computer Forensics and Investigations32 Understanding Servers Computer loaded with software that uses protocols for its services –And maintains logs you can examine and use in your investigation storage –Database –Flat file Logs –Default or manual –Continuous and circular

33 Guide to Computer Forensics and Investigations33 Understanding Servers (continued) Log information – content –Sending IP address –Receiving and reading date and time –System-specific information Contact suspect’s network administrator as soon as possible Servers can recover deleted s –Similar to deletion of files on a hard drive

34 Guide to Computer Forensics and Investigations34 Understanding Servers (continued)

35 Guide to Computer Forensics and Investigations35 Examining UNIX Server Logs /etc/sendmail.cf –Configuration information for Sendmail /etc/syslog.conf –Specifies how and which events Sendmail logs /var/log/maillog –SMTP and POP3 communications IP address and time stamp Check UNIX man pages for more information

36 Guide to Computer Forensics and Investigations36 Examining UNIX Server Logs (continued)

37 Guide to Computer Forensics and Investigations37 Examining UNIX Server Logs (continued)

38 Guide to Computer Forensics and Investigations38 Examining Microsoft Server Logs Microsoft Exchange Server (Exchange) –Uses a database –Based on Microsoft Extensible Storage Engine Information Store files –Database files *.edb Responsible for MAPI information –Database files *.stm Responsible for non-MAPI information

39 Guide to Computer Forensics and Investigations39 Examining Microsoft Server Logs (continued) Transaction logs –Keep track of databases Checkpoints –Keep track of transaction logs Temporary files communication logs –res#.log Tracking.log –Tracks messages

40 Guide to Computer Forensics and Investigations40 Examining Microsoft Server Logs (continued)

41 Guide to Computer Forensics and Investigations41 Examining Microsoft Server Logs (continued) Troubleshooting or diagnostic log –Logs events –Use Windows Event Viewer –Open the Event Properties dialog box for more details about an event

42 Guide to Computer Forensics and Investigations42 Examining Microsoft Server Logs (continued)

43 Guide to Computer Forensics and Investigations43 Examining Microsoft Server Logs (continued)

44 Guide to Computer Forensics and Investigations44 Examining Novell GroupWise Logs Up to 25 databases for users –Stored on the Ofuser directory object –Referenced by a username, an unique identifier, and.db extension Shares resources with server databases Mailboxes organizations –Permanent index files –QuickFinder

45 Guide to Computer Forensics and Investigations45 Examining Novell GroupWise Logs (continued) Folder and file structure can be complex –It uses Novell directory structure Guardian –Directory of every database –Tracks changes in the GroupWise environment –Considered a single point of failure Log files –GroupWise generates log files (.log extension) maintained in a standard log format in GroupWise folders

46 Guide to Computer Forensics and Investigations46 Using Specialized Forensics Tools Tools include: –AccessData’s Forensic Toolkit (FTK) –ProDiscover Basic –FINAL –Sawmill-GroupWise –DBXtract –Fookes Aid4Mail and MailBag Assistant –Paraben Examiner –Ontrack Easy Recovery Repair –R-Tools R-Mail

47 Guide to Computer Forensics and Investigations47 Using Specialized Forensics Tools (continued) Tools allow you to find: – database files –Personal files –Offline storage files –Log files Advantage –Do not need to know how servers and clients work

48 Guide to Computer Forensics and Investigations48 Using Specialized Forensics Tools (continued) FINAL –Scans database files –Recovers deleted s –Searches computer for other files associated with e- mail

49 Guide to Computer Forensics and Investigations49 Using Specialized Forensics Tools (continued)

50

51 Guide to Computer Forensics and Investigations51 Using AccessData FTK to Recover FTK –Can index data on a disk image or an entire drive for faster data retrieval –Filters and finds files specific to clients and servers To recover from Outlook and Outlook Express –AccessData integrated dtSearch dtSearch builds a b-tree index of all text data in a drive, an image file, or a group of files

52 Guide to Computer Forensics and Investigations52 Using AccessData FTK to Recover (continued)

53

54 Guide to Computer Forensics and Investigations54 Using AccessData FTK to Recover (continued)

55 Guide to Computer Forensics and Investigations55 Using a Hexadecimal Editor to Carve Messages Very few vendors have products for analyzing e- mail in systems other than Microsoft mbox format –Stores s in flat plaintext files Multipurpose Internet Mail Extensions (MIME) format –Used by vendor-unique file systems, such as Microsoft.pst or.ost Example: carve messages from Evolution

56 Guide to Computer Forensics and Investigations56

57 Guide to Computer Forensics and Investigations57

58 Guide to Computer Forensics and Investigations58 Using a Hexadecimal Editor to Carve Messages (continued)

59 Guide to Computer Forensics and Investigations59 Using a Hexadecimal Editor to Carve Messages (continued)

60 Guide to Computer Forensics and Investigations60 Summary fraudsters use phishing and spoofing scam techniques Send and receive via Internet or a LAN –Both environments use client/server architecture investigations are similar to other kinds of investigations Access victim’s computer to recover evidence –Copy and print the message involved in the crime or policy violation Find headers

61 Guide to Computer Forensics and Investigations61 Summary (continued) Investigating abuse –Be familiar with servers and clients’ operations Check – message files, headers, and server log files Currently, only a few forensics tools can recover deleted Outlook and Outlook Express messages For applications that use the mbox format, a hexadecimal editor can be used to carve messages manually

62 Summary (continued) Advanced tools are available for recovering deleted Outlook files


Download ppt "Guide to Computer Forensics and Investigations Fourth Edition Chapter 12 E-mail Investigations."

Similar presentations


Ads by Google