CIS 225 Chapter Seven
Email Server Forensics
Even if the sender and the recipient have deleted the relevant emails, there is a good chance a copy is still on the email server. Many servers have a retention policy, which may be governed by law in certain industries. There are a variety of email server programs that could be in use. Microsoft Exchange is a very common server. Lotus Notes and Novell GroupWise are also popular email server products.
GroupWise
.db
Exchange Server
.edb
Lotus Notes
.nsf
"valid" emails
Appears as though the mail is from a trusted source. Message content is suspicious. Content may contain a URL that points to a malicious site.
What an email review can reveal
Email messages related to the investigation; email addresses related to the investigation; sender and recipient information; information about those copied on the email; content of the communications; Internet Protocol (IP) addresses; date and time information; user information; attachments; passwords; application logs that show evidence of spoofing.
Paraben's Email Examiner
Exclusively for email forensics. Works like the more complete forensic suites (Forensic Toolkit and EnCase) in that evidence is grouped by case.
How to fake an email
Find a free public Wi-Fi in an area at least one hour from your home. Spoof both your IP address and MAC address. Send the email through an anonymous email account set up for that purpose. It is, however, very common for criminals to actually send emails from their own computers without even bothering to spoof their IP address or MAC address. Even computer-savvy criminals, who think to spoof their IP addresses, might not think to spoof the MAC address.
Getting Headers for Yahoo Email
First open the message. On the lower right, there is a link named Full Headers. Clicking on that link allows you to see the headers for that email.
Email Message Components
Header: addressing information (source and destination). Body: contents of the message. Attachments: external data that travels along with each message.
Electronic Communications Privacy Act (ECPA)
If an Internet service provider (ISP) or any other communications network stores an email, retrieval of that evidence must be analyzed under the Electronic Communications Privacy Act (ECPA). The ECPA creates statutory restrictions on government access to such evidence from ISPs or other electronic communications service providers. It requires different legal processes to obtain specific types of information: Basic subscriber information—This information includes name, address, billing information, telephone number, etc. An investigator can obtain this type of information with a subpoena, court order, or search warrant. Transactional information—This information includes websites visited, email addresses of others with whom the subscriber exchanged email, and buddy lists. An investigator can obtain this type of information with a court order or search warrant. Content information—An investigator who has a search warrant can obtain content information from retrieved email messages and also acquire unretrieved stored emails. Real-time access—To intercept traffic as it is sent or received, an investigator needs to obtain a wiretap order.
Getting Header in Outlook
It is relatively easy to view the headers using Outlook. With a specific message open, select File and then Info. Then select Properties and you will be able to view the headers. Older versions of Outlook have a different method to get to headers. With Outlook 2000/2003/2007, there are two methods: Method #1—Right-click the message in the folder view, and then choose Options. Method #2—In an open message, choose View and then Options. With either method, you will see the Internet headers portion of the Message Options dialog box.
spoofing
Making an email message appear to come from someone or someplace other than the real sender or location. The first machine to receive the spoofed message records the sending machine's real IP address. The header contains both the faked IP and the real IP address unless, of course, the perpetrator is clever enough to have also spoofed his or her actual IP address.
RFC 2822 Specifications for Email Headers
Message header must include: From field (the email address and optionally the name of the sender); Date field (the local time and date when the message was written). Message header should include (not required): Message-ID field (an automatically generated field); In-Reply-To field (the Message-ID of the message that this is a reply to, which is used to link related messages together).
Getting Header in Apple Mail
Open Apple Mail. Click on the message for which you want to view headers. Go to the View menu. Select Message, then Long Headers. The full headers will appear in the window below your Inbox.
Getting Header in Hotmail
Select Inbox from the menu on the left. Right-click the message for which you want to view headers, and select View Message Source. The full headers will appear in a new window.
How Email Works
Sender uses a mail client to send a message. Message travels to multiple mail servers. Each mail server sends the message closer to its destination. Destination mail server stores the message. Receiver uses a mail client to retrieve the message from the mail server.
Email headers contain:
The sender, the application, and any servers it passed through. The header keeps a record of the message's journey across networks and mail servers; each server adds information to the header. Each network device has an Internet Protocol (IP) address, which identifies the device and can be resolved to a location address.
email client
The software program used to compose and read email messages
Foreign Intelligence Surveillance Act (FISA)
This U.S. law prescribes procedures for the physical and electronic surveillance and collection of "foreign intelligence information" between foreign powers and agents of foreign powers, which may include American citizens and permanent residents suspected of espionage or terrorism. The law does not apply outside the United States but may be encountered by a forensic investigator in researching intelligence even if it does not specifically regard espionage or terrorism. The law is an important part of many agencies' approaches to information gathering. It has been amended frequently, so it is important to stay current on the latest revisions and court cases.
18 U.S.C. 2252B
This law is about perpetrators who attempt to hide the pornographic nature of their website, often to make it more accessible to minors. This is a very serious concern, and one that sometimes arises in child predator cases.
Email Protocols: Post Office Protocol version 3 (POP3)
Used to receive email. Operates on port 110, or 995 (secure). Designed to delete email on the server as soon as the user downloads it.
Email Protocols: Internet Message Access Protocol (IMAP)
Used to receive email. Operates on port 143. The user views email on the server and decides whether to download it; email is retained on the server. Allows the client to view only headers so the user can decide which messages to download.
Email Protocols: Simple Mail Transfer Protocol (SMTP)
Used to send email from a client to a mail server, and between servers. Typically operates on port 25. SMTPS (secure) operates on port 465.
Getting Header for Gmail
Viewing email headers in Gmail is fairly simple. Follow these steps: 1. Log on to Gmail. 2. Open the message for which you want to view headers. 3. Click the down arrow next to Reply, at the top of the message pane. 4. Select Show Original. The headers appear in a separate window.
Using Paraben
When you first start Paraben, you select New and then create a new case. Paraben will associate information about the investigator along with the case information. Next, select the type of email database you are going to be working with. The major email clients are all represented. At this point, you select the database you want to work with, and it is added to the case. From within Paraben, you can sort, search, scan, and otherwise work with the email data.
anonymous remailing
An attempt to throw tracing or tracking attempts off the trail. The suspect sends an email message to an anonymizer. To find out who sent a remailed email, the investigator must examine logs maintained by remailer or anonymizer companies; however, most of these services do not maintain logs. The investigator can also closely analyze the message for embedded information that might give clues to the user or system that sent the message. Often the remailing servers are outside the jurisdiction of U.S. law enforcement and may even be on another continent.
Email files: .eml
Common to several email clients
RFC 3864
describes message header field names. Common header fields for email include: • To—The email address and, optionally, name of the message's primary recipient(s) • Subject—A brief summary of the topic of the message • Cc—Carbon copy; a copy is sent to secondary recipients • Bcc—Blind carbon copy; a copy is sent to addresses added to the SMTP delivery list while the Bcc address remains invisible to other recipients • Content-Type—Information about how the message is to be displayed, usually a Multipurpose Internet Mail Extensions (MIME) type • Precedence—Commonly with values "bulk," "junk," or "list"; used to indicate that automated "vacation" or "out of office" responses should not be returned for this mail, for example, to prevent vacation notices from being sent to all other subscribers of a mailing list • Received—Tracking information generated by mail servers that have previously handled a message, in reverse order (last handler first) • References—Message-ID of the message to which this is a reply • Reply-To—Address that should be used to reply to the message • Sender—Address of the actual sender acting on behalf of the author listed in the From field
secure emails
Each email protocol has a secured version, which is encrypted with Transport Layer Security (TLS).
Anonymizer
An email server that strips identifying information from a message before forwarding it with the anonymous mailing computer's IP address.
Email files: .mbx
Eudora
Communication Assistance for Law Enforcement Act (CALEA)
is a U.S. wiretapping law. Its purpose is to allow law enforcement and intelligence agencies to lawfully conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband Internet, and VoIP traffic in real time.
tracing email
is similar to traditional detective work. Tracing email involves looking at each point through which an email passed and working step by step back to the originating computer and, eventually, the perpetrator. Email header information is typically examined to look for clues about where a message has been. Investigators often use audits or paper trails of email traffic as evidence in court. Many investigators recommend use of the tracert command. However, because of the dynamic nature of the Internet, tracert does not provide reliable, consistent, or accurate routing information for an email. It may also be useful to determine the ownership of the source email server for a message. A number of whois databases are available on the Web that an investigator can use to find out to whom a given IP address is registered.
Linux Email Server logs
/var/log/mail.*
Email files: .ost
Offline Outlook storage
Email files: .pst
Outlook
Email files: .mbx or .dbx
Outlook Express
Exchange Private folder
priv.edb
Streaming Data
priv.stm
Exchange Public Folders
pub.edb
Three ways to fake emails
Spoofing; anonymous remailing; "valid" emails
CAN-SPAM Act (2003)
The first law meant to curtail unsolicited email, referred to as spam. However, the law has loopholes. You do not need permission before sending email. This means that unsolicited email is not prohibited. It applies only to commercial emails—emails that are trying to sell some product or service. Therefore, mass emailings for political, religious, or ideological purposes are not covered by the Act. The only requirement of CAN-SPAM is that the sender must provide some mechanism whereby the receiver can opt out of future emails, and that method cannot require the receiver to pay in order to opt out. The Act also places restrictions on how the sender can acquire the recipient's email address and how the sender can actually transmit the email: A message cannot be sent through an open relay. A message cannot be sent to a harvested email address. A message cannot contain a false header. These methods are often used by people who send spam email. Tracking down the original sender of the email is the first step in investigating spam. Unfortunately, the email is sometimes sent from offshore sites or relayed through an innocent third party's servers. This makes prosecuting spam very difficult and enforcing a judgment almost impossible in most cases.
RFC 2822
The standard for email format, including headers. It replaced RFC 822, which was originally designed for text messages over ARPANET, the precursor to the Internet. It allows users to read emails using a variety of programs and operating systems.
Email Laws: Fourth Amendment to U.S. Constitution
This, as well as state requirements, governs the seizure and collection of any email messages that reside on a sender's or recipient's computer or other device. Does the person on whose computer the evidence resides have a reasonable expectation of privacy on that computer? If so, a search warrant is required, or one of the recognized exceptions to the search warrant requirement, such as consent from the device owner.
GroupWise User Databases
userxxx.db
USA Patriot Act (2001)
Was passed into law as a response to the terrorist attacks of September 11, 2001. The Act: reduced restrictions on law enforcement agencies' intelligence gathering within the United States; expanded the Secretary of the Treasury's authority to regulate financial transactions; broadened the discretion of law enforcement and immigration authorities in detaining and/or deporting immigrants suspected of terrorism and related acts; expanded the definition of terrorism to include domestic terrorism, thus enlarging the number of activities to which the PATRIOT Act's extended law enforcement powers can be applied. In May of 2011, President Barack Obama signed a four-year extension of three key provisions in the USA PATRIOT Act: roving wiretaps, searches of business records, and conducting surveillance of individuals suspected of terrorist-related activities not linked to terrorist groups. The Act gives law enforcement dramatically enhanced powers for information gathering and should be a part of the knowledge base for any forensic investigator.
GroupWise Post Office Database
wphost.db