CF Lecture 10 - Email Forensics

- Email has been widely used by organizations for internal and external communication. However, risks are associated with corporate email use, such as employees sending sensitive data to competitors without leaving records.
- Email investigations aim to examine email messages as evidence, identify senders and recipients, and gather information about wrongdoing or to build legal cases against individuals. However, this can be challenging when users access external webmail services which don't leave records of activities on corporate servers.

Uploaded by Faisal Shahzad

Dr. Zunera Jalil
Email: [email protected]
Emails

• Email has been around for ages, and almost every corporation uses it in one way or another to conduct day-to-day business and to communicate both internally and outside the company.
• Organizations offer e-mail as a service to their employees, and employees typically connect to a corporate mail server via a client such as Microsoft Outlook.
Email Investigations

• Risks are associated with corporate mail, and far greater risks are associated with Web mail.
• In corporate mail environments, a user who intends to sneak data out of the company can attach a file to an outgoing message and send it to any number of people, including competitors, ex-coworkers, or even foreign nationals.
• Such activity can be tracked via the corporate mail server.
Email Investigations

• Typically, when an employee is being investigated:
 All of their past e-mail is examined
 to determine any wrongdoing or to build a case against them.
• The difficulty arises when users begin to access Web mail services such as Gmail, Hotmail, Yahoo Mail, etc. These sites allow users to connect from within an organization, attach the same file and mail it to the same people, but without leaving any record on the corporate mail server of what they have done.
• When an investigation is then underway, the analyst or legal team cannot go back to the mail server and pull up records of that person's activities.
Email Investigations…

• E-mail investigation is a digital forensics process of finding evidence in a suspect e-mail; it allows investigators to examine, preserve, and reveal digital evidence.
• Analysis is carried out to study the source and content of an e-mail message as evidence, identifying the actual sender, the recipient, and the date and time it was sent, so that credible evidence is available to take action.
Email Offenses

• E-mail crime is growing due to the ease with which it may be committed.
• Offenses committed using e-mail may be classified into crimes directly related to the sending of an e-mail (including phishing, spam, and mail bombs).
• Many traditional crimes such as threats and harassment, blackmail, fraud, and criminal defamation have not changed in essence, but the ease of e-mail has made them more prevalent.
Email Clients and Servers

• An e-mail message is composed of two parts:
 a header that contains information about the e-mail's origins, such as the address it came from, how it reached its destination, and who sent it, and
 a body, which contains the e-mail message and/or file attachments.
• The client connects to an e-mail server to send and receive messages.
• Software such as Outlook, Pine, or Eudora serves as an e-mail client.
Email Clients

• E-mail clients show a list of all the messages in the mailbox by displaying the message headers, along with the time and date of each message, who sent it, its subject, and its size.
• E-mail clients let the user select a message header and read the body of that message.
• An e-mail client creates new messages, sends them with attachments, and saves the attachments from received messages.
Email Server

• E-mail servers have lists of accounts, one account for each person, with a text file for each account in the list.
• A person clicks a "send" button in the e-mail client to pass the e-mail server the name(s) of the recipient(s), the name of the sender, and the body of the message.
• The server formats the information and appends it to the bottom of the recipient's .txt file.
• When you want to look at e-mail, many e-mail clients connect to the server machine by sending the request via port 25 (SMTP).
Email Spamming

• Spamming can be defined as sending unsolicited commercial e-mail (UCE) messages. The more common term for spam is junk mail.
• Spammers obtain e-mail addresses by harvesting them from Usenet, bots, postings, DNS listings, and/or Web pages.
• Spammers use their brains and well-crafted tools to make money and remain anonymous.
• Spam is generally sent to a large number of e-mail addresses simultaneously.
• The sending address in the e-mail is generally forged, allowing spammers to hide their identities.
• The From and Reply-To fields in an Internet e-mail header allow the spammer to provide false or otherwise misleading information designed to entice the recipient into opening the e-mail.
Anti Spamming Tools

• “SPAM Punisher” is an anti-spam tool that makes it easy to determine the address of a spammer's ISP and to generate and send complaints. If the ISP receives a complaint generated by SPAM Punisher, the ISP usually closes Internet access to the spammer.
• “SpamArrest” (www.SpamArrest.com) protects an account from spam by using a challenge/response technology that blocks automated spam.
• “Red Condor” (www.redcondor.com) is a fully managed spam blocker with automated lists, heuristics, and live individuals who look for spam 24/7.
Mail Bombing

• Mail bombing is a simple attack that has been around for a long time. It involves the intentional sending of multiple copies of an e-mail to a recipient.
• The objective is simply to overload the e-mail server.
 This is achieved either by filling the user's inbox so that he or she cannot access any more mail, or by flooding the server connections.
 Flooding server connections is aimed at the general infrastructure, whereas flooding an inbox is aimed at an individual.
• Mail bombing is malicious and abusive, even when aimed at an individual, as it may prevent other users from accessing the mail server.
Mail Storm

• A mail storm is a condition that occurs when computers start communicating autonomously.
 This process results in a large volume of junk mail.
 It may happen innocently via the auto-forwarding of e-mail messages when configured to a large number of mailing lists, by using automated responses, and by using multiple e-mail addresses.
• Additionally, malicious software, including the “Melissa” and “I Love You” viruses, can result in mail storms.
• Mail storms interfere with the usual communication of an e-mail system.
Harassment

• Harassment may occur through all forms of media, and the Internet is no exception.
• Junk e-mail messages and threats delivered through online means (including both e-mail and instant messaging) are all forms of harassment.
 This type of harassment is a criminal action. The inappropriate accessing of explicit, racist, or otherwise offensive material at the workplace is another form of harassment.
 This includes the sending of unwelcome messages that may contain offensive material to a coworker.
Identity Fraud

• “Identity theft” is becoming more widespread due to its ease and profitability.
• This action involves the stealing of someone's identity for fraudulent financial gain.
• The sending of e-mail messages with offers that are too good to be true, fake Web sites, and other forms of phishing are all used to capture an identity.
• Many groups specialize in the capture of information and make financial gains by selling this information to groups who will make illegitimate purchases or financial transactions.
Chain Letter

• “Chain letters” are another form of abuse that has seamlessly migrated from the physical world to cyberspace.
• A chain letter is an e-mail that is sent progressively from e-mail user to e-mail user.
 It will generally instruct the recipient to circulate further copies of the e-mail, usually to multiple recipients.
 These chain letters often promise rewards or spiritual gain if the e-mail is forwarded, and may also threaten loss or harm if the recipient does not forward it.
• The authenticity of a chain letter often cannot be verified because the header information from the original sender has been lost in retransmission.
Fake Email

• Fake e-mail is any e-mail that has been falsely created or altered in some manner.
 It is often used as a method to hide the source address in spamming. E-mail spoofing is the technique used to produce forged or fake mail.
 Fake mail can be sent by entering someone else's e-mail address in the <From> or <Reply-To> fields. These fields may also contain information about the origin of the message.
 Fake mail may be created as simply as connecting to TCP port 25 using any telnet client.
 Doing so connects the machine directly to the SMTP (Simple Mail Transfer Protocol) daemon running on that host. SMTP commands may then be written to the SMTP daemon, allowing the sending of fake mail.
Investigation of Email Crimes

• Examine the e-mail message, copy it, print it, view and examine the e-mail headers, examine any attachments, and trace the e-mail.
• Steps in the investigation process include:
 Examining the e-mail message
 Copying the e-mail message
 Printing the e-mail message
 Examining the e-mail headers
 Examining any attachments
 Tracing the e-mail
Exploring Role of Email in Investigations

• Spoofed e-mail can be used to commit fraud.
• Investigators can use the Enhanced/Extended Simple Mail Transfer Protocol (ESMTP) number in the message's header to check the legitimacy of an e-mail.
Exploring the Roles of the Client and Server in E-mail

• E-mail can be sent and received in two environments:
 Internet
 Intranet (an internal network)
• Client/server architecture
 Server OS and e-mail software differ from those on the client side
• Protected accounts
 Require usernames and passwords
Exploring the Roles of the Client and Server in E-mail

• Name conventions
 Corporate: [email protected]
 Public: [email protected]
 Everything after @ belongs to the domain name
• Tracing corporate e-mails is easier
 Because accounts use standard names the administrator establishes
• Many companies are migrating their e-mail services to the cloud
Investigating E-mail Crimes and Violations

• The goal of investigating e-mail crimes, identical to other investigations, is to find who is behind the crime
• Collect the evidence
• Present your findings
• Build a case
• Know the applicable privacy laws for your jurisdiction
Investigating E-mail Crimes and Violations

• Whether an e-mail act is a crime depends on the city, state, or country
 Example: spam may not be a crime in some states
• Always consult with an attorney
• Examples of crimes involving e-mails:
 Narcotics trafficking
 Blackmailing
 Harassment and stalking
 Fraud
 Child kidnapping
 Terrorism
Examining Email Messages

• Access the victim's PC or mobile device to recover the evidence
• Using the victim's e-mail client:
 Find and copy evidence in the e-mail
 Access protected or encrypted material
 Print e-mails
• You may need to guide the victim over the phone
• Open and copy the e-mail, including headers
• You may have to recover deleted e-mails
Examining Email Messages

• Copying an e-mail message
 Before you start an e-mail investigation, you need to copy and print the e-mail involved in the crime or policy violation
 You might also want to forward the message as an attachment to another e-mail address
• With many GUI e-mail programs, you can copy an e-mail by dragging it to a storage medium
 Or by saving it in a different location
Email Architecture

• When a user sends an e-mail to a recipient, the e-mail does not travel directly to the recipient's mail server. Instead, it passes through several servers.
• The MUA (mail user agent) is the e-mail program used to compose and read e-mail messages at the client end.
• There are multiple MUAs available, such as Outlook Express, Gmail, and Lotus Notes.
Email Architecture

• The MTA (message transfer agent) is the server that receives the message sent from the MUA.
• Once the MTA receives a message, it decodes the header information to determine where the message is going and delivers the message to the corresponding MTA on the receiving machine.
• Every time an MTA receives the message, it modifies the header by adding data.
Email Architecture

• When the last MTA receives the message, it decodes it and sends it to the receiver's MUA, so the message can then be seen by the recipient.
• An e-mail header has multiple pieces of server information, including IP addresses.
• The receiving MTA which delivers the mail to the recipient is called the MDA (message delivery agent).
Email Header

Email is made up of three components: the envelope, the header and the body of the message:
• The envelope is something an e-mail user never sees, as it belongs to the internal process of routing e-mail.
• The body is the part that we see, as it is the actual content of the message.
• The header identifies routing information for the message, including sender, recipient, date and subject.
• Some headers (FROM, TO, DATE) are mandatory and some are optional (SUBJECT and CC).
• Other headers include sending and receiving time stamps,
Examining Email Headers

• The primary evidence in e-mail investigations is the e-mail header.
• E-mail header analysis should proceed from bottom to top, because the bottom-most information is from the sender and the top-most information is about the receiver.
• E-mail travels through multiple MTAs. The details of each hop can be found in the e-mail header.
Examining Email Headers

• Headers contain useful information:
 The IP address the e-mail came from
 Date and time the message was sent and received
 Filenames of any attachments
 Unique message number (if supplied)
Examining Additional E-mail Files

• E-mail messages are saved on the client side or left on the server
 Microsoft Outlook uses .pst and .ost files
• Most e-mail programs also include an electronic address book, calendar, task list and memos
 Valuable for investigators
• In Web-based e-mail:
 Messages are displayed and saved as Web pages in the browser's cache folder
 Many Web-based e-mail providers also offer instant messaging services
Tracing an Email message

• An IP address search will give only general details about what is at the end of that IP address:
 The ISP and organization's name
 The IP's host name
 The country it's in
 The region/state
 The city
 The latitude and longitude of the location (a best guess)
 The area code for that region
 Any known services running on that IP
Tracing an Email message

• Determining a message's origin is referred to as “tracing”
• Contact the administrator responsible for the sending server
• Use a registry site to find the point of contact:
 www.arin.net
 www.internic.com
 www.google.com
• Verify your findings by checking network e-mail logs against e-mail addresses
Using Network Email Logs

• Router logs
 Record all incoming and outgoing traffic
 Have rules to allow or disallow traffic
 You can resolve the path a transmitted e-mail has taken
• Firewall logs
 Filter e-mail traffic
 Verify whether the e-mail passed through
• You can use any text editor or specialized tools to read them
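As an added example (not part of the lecture), the Python below walks a constructed message's Received chain from the bottom up, as the Examining Email Headers slides describe, and then checks the originating hop against constructed firewall log lines, the verification step from the Using Network Email Logs slide. The message, the log format, and every host and address in it are made up for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture); each MTA prepends its own Received line.
RAW_MESSAGE = """\
Received: from mx2.example.org (mx2.example.org [198.51.100.25])
    by mailstore.example.org with ESMTP id 7Qz2k8; Tue, 05 Mar 2024 10:02:17 +0000
Received: from relay.example.net (relay.example.net [203.0.113.9])
    by mx2.example.org with ESMTPS id AbC123; Tue, 05 Mar 2024 10:02:15 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
    by relay.example.net with ESMTPA id xyz987; Tue, 05 Mar 2024 10:02:11 +0000
Message-ID: <[email protected]>
From: "Payroll" <[email protected]>
To: [email protected]
Subject: Updated bank details
Date: Tue, 05 Mar 2024 10:02:09 +0000

Please update the account on file.
"""

# Constructed firewall log lines (hypothetical format) from the perimeter in front of relay.example.net.
FIREWALL_LOG = [
    "2024-03-05T10:02:10Z ACCEPT TCP 192.0.2.77:51234 -> 203.0.113.9:587",
    "2024-03-05T10:02:40Z DENY TCP 198.51.100.200:4444 -> 203.0.113.9:25",
]

HOP_RE = re.compile(
    r"from\s+(?P<frm>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r".*?by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$"
)


def received_hops(raw):
    """Return the Received chain in sender-to-recipient order (bottom of the header up)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(re.sub(r"\s+", " ", value))  # undo header folding first
        if m:  # hops without an IP literal are skipped rather than guessed
            hops.append({"from": m["frm"], "ip": m["ip"], "by": m["by"],
                         "time": parsedate_to_datetime(m["date"])})
    return hops


def find_firewall_match(hop, log_lines, window=timedelta(seconds=60)):
    """Return the first log entry from the hop's IP within `window` of the hop time, else None."""
    for line in log_lines:
        ts, action, _proto, src, _arrow, dst = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if src.rsplit(":", 1)[0] == hop["ip"] and abs(when - hop["time"]) <= window:
            return {"action": action, "dst": dst, "time": when}
    return None


if __name__ == "__main__":
    chain = received_hops(RAW_MESSAGE)
    for hop in chain:  # printed bottom-up: the first line is the originating hop
        print(f"{hop['time']:%H:%M:%S}  {hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("originating hop in firewall log:", find_firewall_match(chain[0], FIREWALL_LOG))
```

Any hop whose timestamp runs backwards, or whose originating IP has no matching perimeter log entry, is the point at which the chain should be treated as unverified.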
Email Investigations Techniques

• Header Analysis
 Analyzing the metadata in the e-mail header.
 Helps to identify the majority of e-mail-related crimes, such as e-mail spoofing, phishing, spam, scams and even internal data leakage.
• Server Investigation
 Involves investigating copies of delivered e-mails and server logs.
 Some organizations provide separate mailboxes for their employees on internal mail servers.
 The entire mailbox related to the case and the server logs are extracted.
• Network Device Investigation
 In some investigations, the investigator requires the logs maintained by network devices such as routers, firewalls and switches to investigate the source of an e-mail message.
• Software Embedded Analysis
 Some information about the sender of the e-mail, attached files or documents may be included with the message by the e-mail software the sender used to compose the e-mail.
 This information may be included in the form of custom headers or in the form of MIME content.
Email Investigations Techniques

• Sender Mail Fingerprints
 The “Received” field includes tracking information generated by the mail servers that have previously handled a message, in reverse order. The “X-Mailer” or “User-Agent” field helps to identify the e-mail software. Analyzing these fields helps to understand the software, and the version, used by the sender.
• Use of Email Trackers
 In some situations, attackers use different techniques and locations to generate e-mails. In such situations it is important to find out the geographical location of the attacker. To get the exact location of the attacker, investigators often use e-mail tracking software embedded in the body of an e-mail.
 When a recipient opens a message that has an e-mail tracker attached, the investigator is notified with the IP address and geographical location of the recipient.
• Volatile Memory Analysis
 A recent research area is analyzing spoofed mails from volatile memory. Since everything passes through volatile memory, it is possible to extract e-mail-related evidence (header information) from volatile memory.
• Attachment Analysis
 Most viruses and malware are sent through e-mail attachments.
 For the analysis of suspicious attachments, investigators can upload documents into an online sandbox such as VirusTotal or Cuckoo to check whether the file is malware or not.
Email Forensics Tools

• DataNumen for Outlook and Outlook Express
• FINALeMAIL for Outlook Express and Eudora
• Sawmill for Novell GroupWise
• DBXtract for Outlook Express
• Fookes Aid4Mail and MailBag Assistant
• Paraben E-Mail Examiner
• AccessData FTK for Outlook and Outlook Express
• Ontrack Easy Recovery EmailRepair
• R-Tools R-Mail & OfficeRecovery’s MailRecovery
Assignment 2

• Identify challenges in e-mail forensic investigations
References

• https://www.stellarinfo.com/blog/email-forensics-investigation-guide-for-security-experts/
• https://www.forensicfocus.com/articles/email-forensics-investigation-techniques/
• https://youtu.be/nK5QpGSBR8c
• Techniques and Tools for Forensic Investigation of E-mail (M. Tariq Banday), uploaded on GCR
ANY QUESTIONS
