3.5 Email Investigations                                          AU : May-17, May-18, Dec.-17
• Email is used in criminal acts, but also in inappropriate actions such as threats and frauds
  (phishing). While in principle email is hard to connect to an individual, in practice email
  can be traced and connected to the perpetrator.
• Over a period of years, e-mail protocols have been secured through several security
  extensions and procedures; however, cybercriminals continue to misuse e-mail for illegitimate
  purposes by sending spam and phishing e-mails, distributing child pornography and hate
  e-mail, and propagating viruses, worms, hoaxes and trojan horses.
• E-mail forensic analysis is used to study the source and content of an e-mail message as
  evidence: identifying the actual sender, the recipient, the date and time it was sent, etc., in
  order to collect credible evidence to bring criminals to justice.
Cyber Forensics                                                             Analysis and Validation
• For networks, a port is an endpoint of a logical connection. The port number identifies
  what type of port it is (which application or service is offered). The commonly used default
  port numbers in e-mail are shown below. HTTP and HTTPS appear because webmail initiates
  messages over them rather than over SMTP.

                               Protocol                  Port number
                               SMTP                      25
                               HTTP                      80
                               POP3                      110
                               IMAP                      143
                               HTTPS                     443
                               SMTPS                     465
                               MSA (submission)          587
                               IMAPS                     993
                               POP3S (SPOP)              995
• Identities used in e-mail are globally unique and are: mailbox, domain name, message-ID
  and ENVID. Mailboxes are conceptual entities identified by an e-mail address and receive
  mail.
• E-mail forensics refers to the study of the source and content of e-mail as evidence, to identify
  the actual sender and recipient of a message, the date/time of transmission, a detailed record of
  the e-mail transaction, the intent of the sender, etc.
• A forensic investigation of e-mail can examine both the email header and the body. An
  investigation should have the following steps:
   1. Examining the sender's e-mail address
   2. Examining the message initiation protocol (HTTP, SMTP)
   3. Examining the message ID
   4. Examining the sender's IP address
   Email headers
• When investigating email, we usually start with the piece of email itself and analyze the
  headers of the email, since each SMTP server that handles a message adds lines on top of
  the header.
• Metadata in the e-mail message in the form of control information, i.e. the envelope and
  headers (including headers in the message body), contains information about the sender and/or
  the path along which the message has traversed.
• Inconsistencies between the data that subsequent SMTP servers supposedly created can
  prove that the email in question is faked. Another investigation is that of the contents
  itself.
• If a message does not carry these server-added lines, then it is faked. If possible, one can obtain
  other messages that supposedly followed the same path as the email under investigation and see
  whether the idiosyncratic lines have changed. While it is possible that the administrator of a
  node changed the behaviour or even the routing, these changes tend to be far ...
• In email server investigation, copies of delivered e-mails and server logs are investigated to
  identify the source of an e-mail message. E-mails purged from the clients (senders or receivers),
  whose recovery is impossible, may be requested from servers (proxy or ISP), as most of
  them store a copy of all e-mails after their delivery.
• Some other aspects that control the forensic steps include the following properties:
  1. Storage format of email : Server-side storage formats include maildir and mbox
     format; a server may also store email in SQL Server databases. Different formats can be
     read for forensic analysis with a plain text editor and regular expression-based searches.
     At the client side, email is commonly stored in mbox format. Clients may also store emails
     as .PST (MS Outlook) and .NSF (Lotus Notes) files.
  2. Availability of a backup copy of email : When mail is fetched from the server with POP3, the
     copies are transferred to the client, so the client computer must be seized. For webmail
     (and IMAP), copies are kept at the server side.
  3. Protocol used to transport email : Email can be initiated and transported based on
     SMTP or HTTP depending on the email server applications.
    E-mail forensic tools :
    1. eMailTrackerPro analyses the headers of an e-mail to detect the IP address of the
       machine that sent the message so that the sender can be tracked down. It can trace
       multiple e-mails at the same time and easily keep track of them.
    2. EmailTracer is an Indian effort in cyber forensics by the Resource Centre for Cyber
       Forensics (RCCF), which is a premier centre for cyber forensics in India. It develops
       cyber forensic tools based on the requirements of law enforcement agencies.
    3. Adcomplain is a tool for reporting inappropriate commercial e-mail and Usenet
       postings, as well as chain letters and "make money fast" postings.
     3.5.1 Checking UNIX E-mail Server Logs
• Log files provide useful information for an investigation. After a mail is sent, the server
  creates a number of files to track and maintain the email service.
• "/etc/sendmail.cf" is the configuration file for sendmail. The "/etc/syslog.conf" file specifies
  how and where sendmail logs events.
• Records of SMTP (and POP3) sessions are kept in the /var/log/maillog file, which also records
  the IP address and time stamp of each transaction.
• Email evidence is in the email itself (header), and email evidence is left behind as the email
  travels from sender to recipient.
• Reviewing e-mail headers can offer clues to the true origin of the message and the program used
  to send it.
• Received is the most essential field of the email header : it forms a list of all the email
  servers through which the message traveled in order to reach the receiver.
• The best way to read the Received fields is from bottom to top.
   1. The bottom "Received" shows the IP address of the sender's mail server.
   2. The top "Received" shows the IP address of the receiver's mail server.
   3. The middle "Received" lines show the IP addresses of the mail servers through which the
      email passes from sender to receiver.
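The four examination steps (sender's address, message ID, sender's IP) and the bottom-to-top reading of the Received fields described above can be automated. The following is an added example written for this page; it is not code from the original text or from any tool the text names, and it uses only Python's standard `email` library. Both messages, with their host names, addresses and IDs, are constructed for the example. The two consistency rules it applies (each hop's "by" host should reappear as the next hop's "from" host, and the timestamps should not run backwards) are heuristics: a hit is a lead to confirm against the server logs, not proof of forgery on its own, since an administrator can legitimately change a node's behaviour. Note that the bottom line's IP is only the sender's IP when the chain is consistent; in the forged sample the bottom line was supplied by the sender.

```python
"""Walk the Received: chain oldest hop first, extract origin IP, flag inconsistencies."""
import email
import re
from dataclasses import dataclass
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample (not a real e-mail): three hops, documentation hosts/addresses.
# The last Received: line was written first, by the server nearest the sender.
CLEAN_MESSAGE = b"""Received: from mx2.example.net (mx2.example.net [198.51.100.20])
\tby mail.example.net (Postfix) with ESMTP id 8F1C2A3B4
\tfor <bob@example.net>; Thu, 17 May 2018 10:12:40 +0000 (UTC)
Received: from mail.example.org (mail.example.org [203.0.113.10])
\tby mx2.example.net (Postfix) with ESMTPS id 7A2B3C4D5
\tfor <bob@example.net>; Thu, 17 May 2018 10:12:36 +0000 (UTC)
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby mail.example.org (Postfix) with ESMTPSA id 6B3C4D5E6
\tfor <bob@example.net>; Thu, 17 May 2018 10:12:33 +0000 (UTC)
Message-ID: <20180517101233.GA1234@example.org>
From: Alice <alice@example.org>

see attached
"""

# Constructed sample: the sender at 192.0.2.55 supplied a fake bottom Received: line
# claiming the message started inside bigbank.example; the real server's line sits above it.
FORGED_MESSAGE = b"""Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby mail.example.org (Postfix) with ESMTPSA id 6B3C4D5E6
\tfor <bob@example.net>; Thu, 17 May 2018 10:12:33 +0000 (UTC)
Received: from smtp.bigbank.example (smtp.bigbank.example [198.51.100.99])
\tby relay.bigbank.example with ESMTP id FAKE0001
\tfor <bob@example.net>; Thu, 17 May 2018 10:20:00 +0000 (UTC)
Message-ID: <a1b2c3@bigbank.example>
From: "CEO" <ceo@bigbank.example>

wire the funds today
"""

FROM_RE = re.compile(r"^from\s+(?P<src>\S+)(?:\s+\((?P<info>[^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    src: "str | None"       # host the sending side announced in HELO/EHLO
    src_ip: "str | None"    # IP the receiving server recorded in [brackets]
    by: str                 # server that wrote this Received: line
    when: "object | None"   # datetime stamped by that server, None if unparsable


def received_chain(raw):
    """Parse Received: headers and return hops in chronological (bottom-up) order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())           # unfold and squeeze whitespace
        clause, _, stamp = text.rpartition(";") if ";" in text else (text, "", "")
        by = BY_RE.search(clause)
        if not by:
            continue                                  # no "by" clause: nothing to chain
        frm = FROM_RE.match(clause)
        src = frm["src"] if frm else None
        ip = IP_RE.search(frm["info"] or "") if frm else None
        ip = ip or IP_RE.search(src or "")
        when = None
        stamp = re.sub(r"\s*\([^)]*\)\s*$", "", stamp.strip())   # drop "(UTC)" comment
        try:
            when = parsedate_to_datetime(stamp) if stamp else None
        except (TypeError, ValueError):
            pass
        hops.append(Hop(src, ip.group(1) if ip else None, by["by"], when))
    hops.reverse()                                    # bottom line was written first
    return hops


def check_chain(hops):
    """Anomalies between consecutive hops; a non-empty list is a lead, not proof of forgery."""
    findings = []
    for i in range(len(hops) - 1):
        cur, nxt = hops[i], hops[i + 1]
        # The server that received hop i is the one that must hand the message on in hop i+1.
        if nxt.src and cur.by.lower() != nxt.src.lower():
            findings.append(f"hop {i + 1} received by {cur.by}, but hop {i + 2} claims from {nxt.src}")
        # Later servers stamp later; a jump backwards means a line was not written in sequence.
        if cur.when and nxt.when and nxt.when < cur.when:
            findings.append(f"hop {i + 2} stamped {nxt.when:%H:%M:%S}, before hop {i + 1} ({cur.when:%H:%M:%S})")
    return findings


def summarize(raw):
    """What an examiner records first: Message-ID, origin IP, hop count, anomalies."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = received_chain(raw)
    return {"message_id": str(msg.get("Message-ID", "")).strip(),
            "origin_ip": hops[0].src_ip if hops else None,
            "hops": len(hops), "anomalies": check_chain(hops)}


if __name__ == "__main__":
    print(summarize(CLEAN_MESSAGE))
    print(summarize(FORGED_MESSAGE))
```

For the clean message the chain reads 192.0.2.55 -> mail.example.org -> mx2.example.net -> mail.example.net with no findings; for the forged one the bottom line's "by relay.bigbank.example" never reappears as the next hop's "from", and its timestamp is later than the hop above it, which is exactly the kind of inconsistency between supposedly successive servers the text describes.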
• The syslog.conf file simply specifies where to save different types of e-mail log files. The
  first log file it configures is /var/log/maillog, which usually contains a record of Simple Mail
  Transfer Protocol communication between servers.
• UNIX systems are set to store log files in the /var/log directory.
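As an added example of the server-side check described above (not code from the original page), the following groups /var/log/maillog lines by sendmail queue ID and looks up the relay IP that the server itself recorded for a given Message-ID, which is the value to compare against whatever the message header claims. The log lines are constructed in the layout sendmail writes through syslog; the queue IDs, hosts and addresses are invented for the example, and the parsing assumes sendmail's ", "-separated key=value fields and one queue ID per delivered message (rejections share the NOQUEUE label, so they are keyed by process ID instead).

```python
"""Group sendmail maillog entries by queue ID and map a Message-ID back to its relay IP."""
import re
from collections import defaultdict

# Constructed lines in the format sendmail writes to /var/log/maillog via syslog (not a
# real log). The first two lines are one delivery (same queue ID), the next two a second
# delivery whose header From: claims bigbank.example, the last a rejected relay attempt.
MAILLOG = """\
May 17 10:12:33 mx1 sendmail[12345]: w4HACXab012345: from=<alice@example.org>, size=1234, class=0, nrcpts=1, msgid=<20180517101233.GA1234@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [203.0.113.10]
May 17 10:12:34 mx1 sendmail[12346]: w4HACXab012345: to=<bob@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=31234, dsn=2.0.0, stat=Sent
May 17 10:15:02 mx1 sendmail[12350]: w4HAF2cd012350: from=<ceo@bigbank.example>, size=2048, class=0, nrcpts=1, msgid=<a1b2c3@bigbank.example>, proto=SMTP, daemon=MTA, relay=[192.0.2.55]
May 17 10:15:03 mx1 sendmail[12351]: w4HAF2cd012350: to=<bob@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=32048, dsn=2.0.0, stat=Sent
May 17 10:16:00 mx1 sendmail[12352]: NOQUEUE: ruleset=check_relay, arg1=[192.0.2.99], relay=[192.0.2.99], reject=550 5.7.1 Relaying denied
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"sendmail\[(?P<pid>\d+)\]:\s+(?P<qid>\w+):\s+(?P<rest>.*)$"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_maillog(text):
    """Return {queue_id: fields}. All lines with the same queue ID are merged; 'to' and
    'stat' are lists because one message can be delivered to several recipients."""
    records = defaultdict(lambda: {"to": [], "stat": [], "timestamps": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                  # not a sendmail line (other daemons log here too)
        qid = m["qid"] if m["qid"] != "NOQUEUE" else f"NOQUEUE/{m['pid']}"
        rec = records[qid]
        rec["timestamps"].append(m["ts"])
        for field in m["rest"].split(", "):           # sendmail separates fields with ", "
            key, _, value = field.partition("=")
            if key in ("to", "stat"):
                rec[key].append(value)
            else:
                rec[key] = value
    return dict(records)


def relay_ip(rec):
    """The connecting client's IP as the server saw it, independent of any header claim."""
    m = IP_RE.search(rec.get("relay", ""))
    return m.group(1) if m else None


def find_by_msgid(records, msgid):
    """Tie a Message-ID taken from a suspect header back to the server-side record."""
    for qid, rec in records.items():
        if rec.get("msgid") == msgid:
            return qid, rec
    return None, None


if __name__ == "__main__":
    recs = parse_maillog(MAILLOG)
    qid, rec = find_by_msgid(recs, "<a1b2c3@bigbank.example>")
    print(qid, rec["from"], relay_ip(rec), rec["to"], rec["stat"])
```

The second delivery is the interesting one: the envelope sender claims bigbank.example, but the server logged the connection as coming from 192.0.2.55 with no reverse name, which is the fact an investigator would take from the server rather than from the header.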
     3.5.2 Microsoft E-mail Server Logs
• Microsoft's e-mail server software is Exchange Server. It uses a database based on the
  Microsoft Extensible Storage Engine.
• The Microsoft Extensible Storage Engine (ESE) uses different files in various combinations for
  providing the e-mail service. For an investigation two database files are helpful: the ".edb"
  and ".stm" files.
• Checkpoint and temporary files are also helpful for an investigation. The .edb file contains many
  tables that hold metadata for all e-mail messages and other items in the Exchange store.
• The .stm file stores native Internet content. Because Internet content is written in native
  format, there is no need to convert messages and other items to Exchange format.
• An .edb file is responsible for messages formatted with Messaging Application
  Programming Interface (MAPI), a Microsoft system that enables different e-mail
  applications to work together.
• The .edb and .stm files function as a pair, and the database signature is stored as a header in
  both files. The internal schema for the .stm pages is stored in the .edb file. (The .stm file
  exists only in Exchange 2000 and 2003; from Exchange 2007 onward all content is held in
  the .edb file.)
     3.5.3 E-mail Forensic Tools : MailXaminer
• MailXaminer is a tool-kit with multiple functionalities, of which its powerful search
  mechanism is the best feature. With this email search software, users can scan, view, search,
  investigate, analyze, review and generate a report of emails in a short amount of time.
   1) Input file on disk required : This indicates whether the email file must be present on the
      local disk. MailXaminer requires the input file to be present on the disk.
   2) Search option : This feature indicates how a search for interesting words in the content of
      an email is performed. MailXaminer can perform plain text-based search.
   3) Information provided : This feature indicates the information extracted and shown as
      part of the forensic analysis. MailXaminer shows the message, date and time details of an
      email.
   4) Recovery capability : A forensic tool should be able to recover corrupted or deleted
      email to be useful for an investigation. MailXaminer can recover corrupted email. It can
      also import corrupted contacts and calendars.
   5) Email formats supported : This feature indicates the file types supported by a tool.
      MailXaminer supports Gmail, Yahoo, Hotmail, IMAP, Mozilla Thunderbird, Lotus Notes,
      Outlook, Exchange and Mac Outlook email formats.
   6) Visualization formats supported : A forensic tool should offer the investigator different
      ways of displaying the extracted information to enable more intelligence gathering.
      MailXaminer supports different view options.
   7) OS supported : Ideally, a forensic tool should support different operating systems so that
      it is useful for email applications running on different platforms. MailXaminer runs on
      Windows.
   8) Export format : A forensic tool should save examination results in a format that is
      compatible with other forensic tools for further analysis.
   9) Extended device support : This feature indicates whether a tool can act on plug-in devices
      such as an added hard disk or USB memory stick, etc.
University Questions
     1. Examine and list the procedure to analyze the UNIX and Microsoft e-mail server logs.
                                                                          AU : May-17, Marks 16
     2. Explain the process of investigating e-mail crimes and violations.  AU : May-18, Marks 16
     3. Describe in detail specialized e-mail forensic tools.               AU : Dec.-17, Marks 8
     4. Elaborate about mobile device forensics.                            AU : Dec.-17, Marks 8
     5. List out the steps involved in examining Microsoft e-mail server logs.
                                                                          AU : Dec.-17, Marks 8
     3.6 Cell Phone and Mobile Device Forensics                               AU : Dec.-16, May-18
• Mobile devices are an evolving form of computing, used widely for personal and
  organizational purposes. These compact devices are useful in managing information such
  as contact details and appointments, corresponding electronically, and conveying electronic
  documents.
• Over time, they accumulate a sizeable amount of information about the owner. When
  involved in crimes or other incidents, proper tools and techniques are needed to recover
  evidence from such devices and their associated media.
• Mobile device forensics is the science of recovering digital evidence from a mobile device
  under forensically sound conditions using accepted methods. Mobile device forensics is an
  evolving specialty in the field of digital forensics.
• Different mobile devices have different technical and physical characteristics
  (e.g., size, weight, processor speed, memory capacity). Mobile devices may also use
  different types of expansion capabilities to provide additional functionality. Furthermore,
  mobile device capabilities sometimes include those of other devices such as handheld
  Global Positioning Systems (GPS), cameras (still and video) or personal computers.
• People store a lot of information on cell phones, but they do not think about securing
  their cell phones. Data stored on mobile phones include the following :
   1. Incoming, outgoing and missed calls               2.   SMS
   3. E-mail                                            4.   Instant-messaging logs