Module 11 E-mail and Social Media Investigations
E-mail headers contain which of the following information?
- An ESMTP number or reference number
- The sender and receiver e-mail addresses
- The e-mail servers the message traveled through to reach its destination
Which of the following types of files can provide useful information when you're examining an e-mail server?
.log files
In Microsoft Outlook, e-mails are typically stored in which of the following?
.pst and .ost files
To trace an IP address in an e-mail header, what type of lookup service can you use?
A domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net
forensic linguistics
A field where language and the law intersect to determine the author of e-mails, text messages, and other online communications. The International Association of Forensic Linguists divides this field into four categories: language and law, language in the legal process, language as evidence, and research/teaching. Digital forensics focuses on language as evidence.
Electronic Communications Privacy Act (ECPA)
A law enacted in 1986 to extend the Wiretap Act to cover e-mail and other data transmitted via the Internet.
mbox
A method of storing e-mail messages in a flat plaintext file.
client/server architecture
A network architecture in which each computer or process on the network is a client or server. Clients request services from a server, and a server processes requests from clients.
Post Office Protocol version 3 (POP3)
A protocol for retrieving e-mail messages from an e-mail server.
Internet Message Access Protocol 4 (IMAP4)
A protocol for retrieving e-mail messages; it's slowly replacing POP3. See also Post Office Protocol 3 (POP3).
Simple Mail Transfer Protocol (SMTP)
A protocol for sending e-mail messages between servers.
Multipurpose Internet Mail Extensions (MIME)
A specification for formatting non-ASCII messages, such as graphics, audio, and video, for transmission over the Internet.
online social networks (OSNs)
A term researchers use for social media.
pharming
A type of e-mail scam that uses DNS poisoning to redirect readers to a fake Web site.
phishing
A type of e-mail scam that's typically sent as spam soliciting personal identity information that fraudsters can use for identity theft.
Which of the following tools can be used to examine the contents of a .pst file?
Aid4Mail
Enhanced/Extended Simple Mail Transfer Protocol (ESMTP)
An enhancement of SMTP for sending and receiving e-mail messages. ESMTP generates a unique, nonrepeatable number that's added to a transmitted e-mail. No two messages transmitted from an e-mail server have the same ESMTP value. See also Simple Mail Transfer Protocol (SMTP).
What information is not in an e-mail header?
Blind copy (bcc) addresses
When you access your e-mail, what type of computer architecture are you using?
Client/server
What social media forensics tool was used in this chapter?
Facebook Forensics
A forensic linguist can determine an author's gender by analyzing chat logs and social media communications.
False
You can view e-mail headers in Notepad with all popular e-mail clients.
False
In a typical e-mail, where can you expect to find the IP address of the sender?
Header
Phishing does which of the following?
Lures users with false promises
Which of the following is a current formatting standard for e-mail?
MIME
What's the main piece of information you look for in an e-mail message you're investigating?
Originating e-mail domain or IP address
Stored Communications Act (SCA)
Part of the Electronic Communications Privacy Act that extends to the privacy of stored communications, such as e-mail.
What type of e-mail typically lures users to sites or asks for sensitive information?
Phishing
When confronted with an e-mail server that no longer contains a log with the date information you need for your investigation, and the client has deleted the e-mail, what should you do?
Restore the e-mail server from a backup.
Once you find the originating e-mail address, you can track the message to a suspect by doing what?
Reverse lookups
Messaging Application Programming Interface (MAPI)
The Microsoft system that enables other e-mail applications to work with each other.
Router logs can be used to verify what types of e-mail data?
Tracking flows through e-mail server ports
spoofing
Transmitting an e-mail message with its header information altered so that its point of origin appears to be from a different sender; typically used in phishing and spamming to hide the sender's identity. See also phishing.
After examining e-mail headers to find an e-mail's originating address, investigators use forward lookups to track an e-mail to a suspect.
True
E-mail accessed with a Web browser leaves files in temporary folders.
True
To analyze e-mail evidence, an investigator must be knowledgeable about an e-mail server's internal operations.
True
When searching a victim's computer for a crime committed with a specific e-mail, which of the following provides information for determining the e-mail's originator?
- a: E-mail header
- c: Firewall log
Logging options on e-mail servers can be which of the following?
c: Configured to a specified size before being overwritten
Sendmail uses which file for instructions on processing an e-mail message?
sendmail.cf
On a UNIX-like system, which file specifies where to save different types of e-mail log files?
syslog.conf