Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 8: E-Mail and Webmail Forensics.

Similar presentations


Presentation on theme: "Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 8: E-Mail and Webmail Forensics."— Presentation transcript:

1 Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 8: and Webmail Forensics

2 © Pearson Education Computer Forensics: Principles and Practices 2 In Practice: in Senate Investigations of Finance Companies Financial institutions helped Enron manipulate its numbers and mislead investors proved that banks such as JPMorgan Chase knew very well how Enron was hiding its debt

3 © Pearson Education Computer Forensics: Principles and Practices 3 Importance of as Evidence can be pivotal evidence in a case Due to its informal nature, it does not always represent corporate policy Many cases provide examples of the use of as evidence  Knox v. State of Indiana  Harley v. McCoach  Nardinelli et al. v. Chevron  Adelyn Lee v. Oracle Corporation

4 © Pearson Education Computer Forensics: Principles and Practices 4 Working with evidence typically used to corroborate or refute other testimony or evidence Can be used by prosecutors or defense parties Two standard methods to send and receive  Client/server applications  Webmail

5 © Pearson Education Computer Forensics: Principles and Practices 5 Working with (Cont.) data flow  User has a client program such as Outlook or Eudora  Client program is configured to work with one or more servers  s sent by client reside on PC  A larger machine runs the server program that communicates with the Internet, where it exchanges data with other servers

6 © Pearson Education Computer Forensics: Principles and Practices 6 Working with (Cont.) Sending User creates on her client User issues send command Client moves to Outbox Server acknowledges client and authenticates account Client sends to the server Server sends to destination server If the client cannot connect with the server, it keeps trying

7 © Pearson Education Computer Forensics: Principles and Practices 7 Working with (Cont.) Receiving User opens client and logs on User issues receive command Client contacts server Server acknowledges, authenticates, and contacts mail box for the account Mail downloaded to local computer Messages placed in Inbox to be read POP deletes messages from server; IMAP retains copy on server

8 © Pearson Education Computer Forensics: Principles and Practices 8 Working with (Cont.) Working with resident files  Users are able to work offline with  is stored locally, a great benefit for forensic analysts because the is readily available when the computer is seized  Begin by identifying clients on system  You can also search by file extensions of common clients

9 © Pearson Education Computer Forensics: Principles and Practices 9 Working with (Cont.) ClientExtensionType of File AOL.abi.aim.arl.bag AOL6 organizer file Instant Message launch Organizer file Instant Messenger file Outlook Express.dbx.dgr. .eml OE mail database OE fax page OE mail message OE electronic mail Outlook.pab.pst.wab Personal address book Personal folder Windows address book (Continued)

10 © Pearson Education Computer Forensics: Principles and Practices 10 Working with (Cont.) ClientExtensionType of File Lotus Notes.box.ncf.nsf Notes mailbox Notes internal clipboard Notes database Novell Groupwise.mlmSaved (using WP5.1 format) Eudora.mbxEudora message base

11 © Pearson Education Computer Forensics: Principles and Practices 11 Working with (Cont.) Popular clients:  America Online (AOL)—users have a month to download or save before AOL deletes messages  Outlook Express—installed by default with Windows  Outlook—bundled with Microsoft Office  Eudora—popular free client  Lotus Notes—integrated client option for Lotus Domino server

12 © Pearson Education Computer Forensics: Principles and Practices 12 Working with Webmail Webmail data flow  User opens a browser, logs in to the webmail interface  Webmail server has already placed mail in Inbox  User uses the compose function followed by the send function to create and send mail  Web client communicates behind the scenes to the webmail server to send the message  No s are stored on the local PC; the webmail provider houses all

13 © Pearson Education Computer Forensics: Principles and Practices 13 Working with Webmail (Cont.) Working with webmail files  Entails a bit more effort to locate files  Temporary files is a good place to start  Useful keywords for webmail programs include: Yahoo! mail: ShowLetter, ShowFolder Compose, “Yahoo! Mail” Hotmail: HoTMail, hmhome, getmsg, doattach, compose Gmail: mail[#]

14 © Pearson Education Computer Forensics: Principles and Practices 14 Working with Webmail (Cont.) Type of ProtocolPOP3IMAPWebmail accessible from anywhere NoYes Remains stored on server No (unless included in a backup of server) YesYes, unless POP3 was used too Dependence on Internet ModerateVery strongStrong Special software required Yes No

15 © Pearson Education Computer Forensics: Principles and Practices 15 Examining s for Evidence Understanding headers  The header records information about the sender, receiver, and servers it passes along the way  Most clients show the header in a short form that does not reveal IP addresses  Most programs have an option to show a long form that reveals complete details

16 © Pearson Education Computer Forensics: Principles and Practices 16 Examining s for Evidence (Cont.) Most common parts of the header are logical addresses of senders and receivers Logical address is composed of two parts  The mailbox, which comes before sign  The domain or hostname that comes after sign The mailbox is generally the userid used to log in to the server The domain is the Internet location of the server that transmits the

17 © Pearson Education Computer Forensics: Principles and Practices 17 Examining s for Evidence (Cont.) Reviewing headers can offer clues to true origins of the mail and the program used to send it Common header fields include:  Bcc  Cc  Content-Type  Date  From  Message-ID  Received  Subject  To  X-Priority

18 © Pearson Education Computer Forensics: Principles and Practices 18 Examining s for Evidence (Cont.) IP address registries:  African Network Information  Asia Pacific Network Information  American Registry for Internet Number  Latin American and Caribbean Internet Addresses Registry  Réseaux IP Européens Network Coordination Centre

19 © Pearson Education Computer Forensics: Principles and Practices 19 Examining s for Evidence (Cont.) Understanding attachments  MIME standard allows for HTML and multimedia images in  Searching for base64 can find attachments in unallocated or slack space Anonymous r ers  Allow users to remove identifying IP data to maintain privacy  Stems from users citing the First Amendment and freedom of speech

20 © Pearson Education Computer Forensics: Principles and Practices 20 In Practice: Attempted Attack by Chinese Hackers In December 2005, s sent to the British embassy represented attempt to take control of embassy computers Filtering software logged addresses and identified origin of s in China A Trojan was hidden in attachments to s

21 © Pearson Education Computer Forensics: Principles and Practices 21 Working with Instant Messaging Most widely used IM applications include:  Windows Messenger  Google Talk  AIM (AOL Instant Messenger)  ICQ (“I Seek You”) Instant Messenger Newer versions of IM clients and servers allow the logging of activity Can be more incriminating than

22 © Pearson Education Computer Forensics: Principles and Practices 22 FYI: Vermont Supreme Court Affirms Conviction Based on IM Evidence Forensic investigator recovered IM conversations relating to photo shoot Expert noted that because IMs are not usually saved, storing them required a special effort


Download ppt "Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 8: E-Mail and Webmail Forensics."

Similar presentations


Ads by Google