Published by Solomon Darsey
Modified over 2 years ago
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 8: E-Mail and Webmail Forensics
© Pearson Education Computer Forensics: Principles and Practices

In Practice: E-Mail in Senate Investigations of Finance Companies
- Financial institutions helped Enron manipulate its numbers and mislead investors
- E-mail proved that banks such as JPMorgan Chase knew very well how Enron was hiding its debt

Importance of E-Mail as Evidence
- E-mail can be pivotal evidence in a case
- Due to its informal nature, it does not always represent corporate policy
- Many cases provide examples of the use of e-mail as evidence
  - Knox v. State of Indiana
  - Harley v. McCoach
  - Nardinelli et al. v. Chevron
  - Adelyn Lee v. Oracle Corporation

Working with E-Mail
- E-mail evidence is typically used to corroborate or refute other testimony or evidence
- Can be used by prosecutors or defense parties
- Two standard methods to send and receive e-mail:
  - Client/server applications
  - Webmail

Working with E-Mail (Cont.)
- E-mail data flow
  - User has a client program such as Outlook or Eudora
  - Client program is configured to work with one or more servers
  - E-mails sent by client reside on PC
  - A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers

Working with E-Mail (Cont.)
- Sending E-Mail
  - User creates e-mail on her client
  - User issues send command
  - Client moves e-mail to Outbox
  - Server acknowledges client and authenticates e-mail account
  - Client sends e-mail to the server
  - Server sends e-mail to destination e-mail server
  - If the client cannot connect with the server, it keeps trying

Working with E-Mail (Cont.)
- Receiving E-Mail
  - User opens client and logs on
  - User issues receive command
  - Client contacts server
  - Server acknowledges, authenticates, and contacts mail box for the account
  - Mail downloaded to local computer
  - Messages placed in Inbox to be read
  - POP deletes messages from server; IMAP retains copy on server

Working with E-Mail (Cont.)
- Working with resident e-mail files
  - Users are able to work offline with e-mail
  - E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized
  - Begin by identifying e-mail clients on system
  - You can also search by file extensions of common e-mail clients

Working with E-Mail (Cont.)

| E-Mail Client | Extension | Type of File |
|---|---|---|
| AOL | .abi | AOL6 organizer file |
| AOL | .aim | Instant Message launch |
| AOL | .arl | Organizer file |
| AOL | .bag | Instant Messenger file |
| Outlook Express | .dbx | OE mail database |
| Outlook Express | .dgr | OE fax page |
| Outlook Express | .email | OE mail message |
| Outlook Express | .eml | OE electronic mail |
| Outlook | .pab | Personal address book |
| Outlook | .pst | Personal folder |
| Outlook | .wab | Windows address book |

(Continued)

Working with E-Mail (Cont.)

| E-Mail Client | Extension | Type of File |
|---|---|---|
| Lotus Notes | .box | Notes mailbox |
| Lotus Notes | .ncf | Notes internal clipboard |
| Lotus Notes | .nsf | Notes database |
| Novell Groupwise | .mlm | Saved e-mail (using WP5.1 format) |
| Eudora | .mbx | Eudora message base |

Working with E-Mail (Cont.)
- Popular e-mail clients:
  - America Online (AOL): users have a month to download or save before AOL deletes messages
  - Outlook Express: installed by default with Windows
  - Outlook: bundled with Microsoft Office
  - Eudora: popular free client
  - Lotus Notes: integrated client option for Lotus Domino server

Working with Webmail
- Webmail data flow
  - User opens a browser, logs in to the webmail interface
  - Webmail server has already placed mail in Inbox
  - User uses the compose function followed by the send function to create and send mail
  - Web client communicates behind the scenes to the webmail server to send the message
  - No e-mails are stored on the local PC; the webmail provider houses all e-mail

Working with Webmail (Cont.)
- Working with webmail files
  - Entails a bit more effort to locate files
  - Temporary files are a good place to start
  - Useful keywords for webmail programs include:
    - Yahoo! mail: ShowLetter, ShowFolder, Compose, “Yahoo! Mail”
    - Hotmail: HoTMail, hmhome, getmsg, doattach, compose
    - Gmail: mail[#]

Working with Webmail (Cont.)
- Type of E-Mail Protocol (columns): POP3; IMAP; Webmail
  - E-mail accessible from anywhere: No; Yes
  - Remains stored on server: No (unless included in a backup of server); Yes; Yes, unless POP3 was used too
  - Dependence on Internet: Moderate; Very strong; Strong
  - Special software required: Yes; No

Examining E-Mails for Evidence
- Understanding e-mail headers
  - The header records information about the sender, receiver, and servers it passes along the way
  - Most e-mail clients show the header in a short form that does not reveal IP addresses
  - Most programs have an option to show a long form that reveals complete details

Examining E-Mails for Evidence (Cont.)
- Most common parts of the e-mail header are logical addresses of senders and receivers
- Logical address is composed of two parts
  - The mailbox, which comes before the @ sign
  - The domain or hostname that comes after the @ sign
- The mailbox is generally the userid used to log in to the e-mail server
- The domain is the Internet location of the server that transmits the e-mail

Examining E-Mails for Evidence (Cont.)
- Reviewing e-mail headers can offer clues to true origins of the mail and the program used to send it
- Common e-mail header fields include:
  - Bcc
  - Cc
  - Content-Type
  - Date
  - From
  - Message-ID
  - Received
  - Subject
  - To
  - X-Priority

Examining E-Mails for Evidence (Cont.)
- IP address registries:
  - African Network Information Centre
  - Asia Pacific Network Information Centre
  - American Registry for Internet Numbers
  - Latin American and Caribbean Internet Addresses Registry
  - Réseaux IP Européens Network Coordination Centre
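
The header-review steps on the slides above, worked through in Python as an added example (not part of the original presentation): it splits the From logical address at the @ sign, walks the Received chain of a long-form header oldest-first, and picks out the routable IP addresses an examiner would look up in a registry. The message, the example.* hostnames, the documentation-range IPs and all function names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: example.* domains and documentation-range IP addresses.
RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP id A1; Tue, 06 Dec 2005 10:15:09 +0000
Received: from relay.example.com (relay.example.com [203.0.113.25])
\tby mx.example.net with ESMTP id B2; Tue, 06 Dec 2005 10:15:04 +0000
Received: from [192.168.1.44] (unknown [192.0.2.99])
\tby relay.example.com with ESMTP id C3; Tue, 06 Dec 2005 10:15:01 +0000
From: "Accounts" <accounts@example.com>
To: clerk@example.org
Subject: Invoice
Message-ID: <20051206101500.1@example.com>
Date: Tue, 06 Dec 2005 10:15:00 +0000

See attached.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def sender_parts(raw):
    """Split the From logical address into (mailbox, domain) at the @ sign."""
    mailbox, _, domain = parseaddr(message_from_string(raw)["From"])[1].rpartition("@")
    return mailbox, domain

def received_hops(raw):
    """Hops oldest-first: every server prepends its own Received line,
    so the last Received header in the message is the first hop."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())                 # unfold continuation lines
        when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        hops.append((when, IPV4.findall(flat)))
    return hops

def origin_candidates(hops):
    """Routable IPs recorded at the first hop: the ones to look up in a registry."""
    return [ip for ip in hops[0][1]
            if not any(ipaddress.ip_address(ip) in net for net in RFC1918)]

def out_of_order(hops):
    """Indexes of hops stamped earlier than the hop before them: a sign of
    clock skew or of an inserted (forged) Received line."""
    return [i for i in range(1, len(hops)) if hops[i][0] < hops[i - 1][0]]
```

The private 192.168.1.44 address is what the sending client claimed about itself; the bracketed address recorded by the first server is the one worth a registry lookup.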

Examining E-Mails for Evidence (Cont.)
- Understanding e-mail attachments
  - MIME standard allows for HTML and multimedia images in e-mail
  - Searching for base64 can find attachments in unallocated or slack space
- Anonymous remailers
  - Allow users to remove identifying IP data to maintain privacy
  - Stems from users citing the First Amendment and freedom of speech
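
The base64 search mentioned on the slide above, as an added Python example (not part of the original presentation): it scans a raw byte buffer for the MIME `Content-Transfer-Encoding: base64` marker, decodes the encoded body that follows even when the fragment is cut off, and guesses the file type from its leading bytes. The buffer, payloads and function names are constructed for illustration; a real run would read the unallocated-space export from a forensic image.

```python
import base64
import re

MARKER = re.compile(rb"Content-Transfer-Encoding:\s*base64", re.I)
BLANK = re.compile(rb"\r?\n\r?\n")
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]+")
MAGIC = [(b"%PDF", "pdf"), (b"PK\x03\x04", "zip"), (b"MZ", "pe"),
         (b"\xff\xd8\xff", "jpeg"), (b"\x89PNG", "png")]

def decode_fragment(text):
    """Decode base64 that may be cut off mid-quantum, as slack-space data often is."""
    core = re.sub(rb"[\r\n]", b"", text).split(b"=", 1)[0]
    if len(core) % 4 == 1:            # a lone trailing char carries no whole byte
        core = core[:-1]
    return base64.b64decode(core + b"=" * (-len(core) % 4))

def carve_base64(blob):
    """Return (offset, guessed_type, decoded_bytes) for each base64 body found."""
    hits = []
    for m in MARKER.finditer(blob):
        blank = BLANK.search(blob, m.end())   # blank line ends the MIME part headers
        run = B64_RUN.match(blob, blank.end()) if blank else None
        if not run:
            continue
        data = decode_fragment(run.group())
        if data:
            kind = next((n for sig, n in MAGIC if data.startswith(sig)), "unknown")
            hits.append((blank.end(), kind, data))
    return hits

# Constructed sample: a raw buffer standing in for unallocated space.
PDF = b"%PDF-1.4 constructed sample attachment\n" * 4
ZIP = b"PK\x03\x04" + bytes(range(40))
BLOB = (b"\x00\x13\x37" * 20
        + b'Content-Type: application/pdf; name="a.pdf"\r\n'
        + b"Content-Transfer-Encoding: base64\r\n\r\n"
        + base64.encodebytes(PDF) + b"--b1--\r\n" + b"\x00" * 16
        + b"Content-Transfer-Encoding: base64\r\n\r\n"
        + base64.b64encode(ZIP)[:30] + b"\x00\xff\x00")   # truncated mid-stream

if __name__ == "__main__":
    for off, kind, data in carve_base64(BLOB):
        print(f"offset {off}: {kind}, {len(data)} bytes recovered")
```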

In Practice: Attempted Attack by Chinese Hackers
- In December 2005, e-mails sent to the British embassy represented an attempt to take control of embassy computers
- Filtering software logged addresses and identified origin of e-mails in China
- A Trojan was hidden in attachments to e-mails

Working with Instant Messaging
- Most widely used IM applications include:
  - Windows Messenger
  - Google Talk
  - AIM (AOL Instant Messenger)
  - ICQ (“I Seek You”) Instant Messenger
- Newer versions of IM clients and servers allow the logging of activity
- Can be more incriminating than e-mail

FYI: Vermont Supreme Court Affirms Conviction Based on IM Evidence
- Forensic investigator recovered IM conversations relating to photo shoot
- Expert noted that because IMs are not usually saved, storing them required a special effort