This lab focuses on email forensics using a Kali Linux virtual machine and specific tools to extract and analyze emails from a provided disk image. Participants are required to identify the email client used by a suspect, list their emails, and potentially recover deleted messages. A full-screen image of the completed lab must be submitted via email to the instructor with specific formatting instructions.
Lab 12: Email forensics

What You Need for this lab

• Install VirtualBox: https://www.virtualbox.org/wiki/Downloads
• Install Kali 2021.4: https://old.kali.org/kali-images/kali-2021.4/
• Note: configure the Kali VM disk size as 80G, because each data leakage case image is 30G+
• Image "cfreds_2015_data_leakage_pc.dd" from Lab 5

Goals

• Email forensics (Application Layer)
Step 1
What application was used for e-mail communication?

List of email clients

• https://en.wikipedia.org/wiki/Comparison_of_email_clients

What was the e-mail account used by the suspect?

fls -rF -o 206848 cfreds_2015_data_leakage_pc.dd | grep -P "\.ost$"
fls -rF -o 206848 cfreds_2015_data_leakage_pc.dd | grep -E "\.ost$"

Step 2
List all e-mails of the suspect. If possible, identify deleted e-mails
• Install email extracting tool: libpff
• Copy .ost file from a DD image
• Extract email via libpff
• Install pffexport tool

• Verify installation

• Copy email to current directory

• Extract emails via pffexport

• Verify the default output directory

• Access a message in suspect's Mailbox

ls -l iaman.informant\@nist.gov.ost.export/Root\ -\ Mailbox/

• Access a message in suspect's IPM_SUBTREE

ls -l iaman.informant\@nist.gov.ost.export/Root\ -\ Mailbox/IPM_SUBTREE/Inbox/

cat iaman.informant\@nist.gov.ost.export/Root\ -\ Mailbox/IPM_SUBTREE/Inbox/Message00001/OutlookHeaders.txt | grep -Ei "time|subject|name"
grep -E 'strings' Message*
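As an added example (not part of the lab), the following Python script does the Step 2 listing over a pffexport-style output tree: it parses each OutlookHeaders.txt, prints time, sender, subject and folder, and flags messages found under the `.recovered` tree, which is where pffexport places items it reconstructs from deleted slots. The directory names, header field names and message contents below are a constructed sample, and the "Key:<tab>Value" header layout is an assumption about pffexport's output.

```python
import tempfile
from pathlib import Path

# Constructed sample of a pffexport output tree (layout follows the lab's
# "Root - Mailbox/IPM_SUBTREE/<Folder>/MessageNNNNN/OutlookHeaders.txt" paths).
SAMPLE = {
    "suspect.ost.export/Root - Mailbox/IPM_SUBTREE/Inbox/Message00001/OutlookHeaders.txt":
        "Client submit time:\tMar 20, 2015 10:15:02 UTC\nSubject:\tProject status\nSender name:\tAlice\n",
    "suspect.ost.export/Root - Mailbox/IPM_SUBTREE/Sent Items/Message00001/OutlookHeaders.txt":
        "Client submit time:\tMar 21, 2015 09:00:00 UTC\nSubject:\tRe: Project status\nSender name:\tSuspect\n",
    "suspect.ost.recovered/Root - Mailbox/IPM_SUBTREE/Inbox/Message00002/OutlookHeaders.txt":
        "Client submit time:\tMar 22, 2015 17:45:10 UTC\nSubject:\tDocuments attached\nSender name:\tBob\n",
}

def parse_headers(text):
    """Turn 'Key:<whitespace>Value' lines into a dict; lines without ':' are ignored."""
    headers = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # first colon only; times contain colons
        if sep:
            headers[key.strip()] = value.strip()
    return headers

def list_messages(root):
    """Walk every exported message under root.  Items under a *.recovered tree
    were reconstructed by pffexport from deleted slots, so flag them."""
    rows = []
    for hdr in sorted(Path(root).rglob("OutlookHeaders.txt")):
        rel = hdr.relative_to(root)   # <tree>/Root - Mailbox/.../MessageNNNNN/OutlookHeaders.txt
        h = parse_headers(hdr.read_text())
        rows.append({
            "folder": "/".join(rel.parts[1:-2]),
            "message": rel.parts[-2],
            "time": h.get("Client submit time", ""),
            "subject": h.get("Subject", ""),
            "sender": h.get("Sender name", ""),
            "recovered": rel.parts[0].endswith(".recovered"),
        })
    return rows

def build_sample_tree():
    root = Path(tempfile.mkdtemp())   # write the constructed sample to disk
    for rel, body in SAMPLE.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root

if __name__ == "__main__":
    for r in list_messages(build_sample_tree()):
        print(r["time"], r["sender"], r["subject"], r["folder"], "RECOVERED" if r["recovered"] else "")
```

To run it against a real export, replace `build_sample_tree()` with the directory that holds the `.export` and `.recovered` trees written by pffexport.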

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!
Save the document with the filename "YOUR NAME Lab 12.pdf", replacing "YOUR
NAME" with your real name.
Email the image to the instructor as an attachment to an e-mail message. Send it
to: [email protected] with a subject line of "Lab 12 From YOUR NAME", replacing "YOUR
NAME" with your real name.
