Basic Cyber Forensics
Vinny Lima
Nov 24
Module 13 – Email and Social Media Investigations
Exploring the Role of Email in Investigations
• Investigators need to know how to examine and interpret the unique content of email messages
• Phishing emails contain links to a webpage that imitates a legitimate site
• The goal is to get personal information (credentials, account or card numbers) from the recipient
• Pharming takes readers to a fake website even when they type the correct address, by tampering with DNS or the local hosts file
• Spoofing occurs when header information (typically the From: field) is changed to disguise the sender
• Investigators can use the Enhanced/Extended Simple Mail Transfer Protocol (ESMTP) id recorded in the message's Received: headers to check the legitimacy of an email
• Each server assigns a unique id to every message it transmits, so the id can be matched against that server's logs; an id that does not appear in the logs points to a forged header
Exploring the Client and Server Roles in Email (1 of 2)
• A configuration in which messages are distributed from a central server to many connected client computers is called client/server architecture
• An intranet email system is specific to a company and typically uses a naming convention
• Corporate: [email protected]
• Public: [email protected]
• Tracing corporate emails is easier because accounts use standard names the administrator establishes
• Many companies are migrating their email services to the cloud
Exploring the Client and Server Roles in Email (2 of 2)
Figure: Email in a client/server architecture
Investigating Email Crimes and Violations
• Goals when investigating email crimes should include the following:
• Find out who is behind the crime
• Collect the evidence
• Present your findings to build a case
• Know the applicable privacy laws for your jurisdiction
• In the United States, the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA) apply to email
• Laws also differ by state; for example, in some states sending unsolicited commercial email is illegal
Understanding Forensic Linguistics
• Forensic linguistics is a field where language and law intersect
• The field is divided into the following four categories:
• Language and law, language in the legal process, language as evidence, and research/teaching
• Practitioners are trained to listen to voice recordings to determine who is speaking, or to read emails to determine their authenticity or authorship
• Artificial intelligence (AI) may make it more difficult for forensic linguists to correctly identify the author of some emails, because text drafted by an AI tool does not carry the writer's own habitual style
Examining Email Messages
• Access the victim's computer or mobile device to recover the evidence
• Using the victim's email client, find and copy any potential evidence
• Access protected or encrypted material and print emails
• You need a warrant for a criminal investigation
• You may need to guide the victim on the phone to open and copy an email, including its headers
Viewing Email Headers (1 of 2)
• Investigators should learn how to find email headers in each client and webmail service (usually under an option such as "Show original", "View source" or "Properties")
• After you open email headers, copy and paste them into a text document so that you can read them with a text editor
• Become familiar with as many email programs as possible
• Often more than one email program is installed
Viewing Email Headers (2 of 2)
Figure: Viewing a header in Yahoo
Examining Email Headers (1 of 2)
• Headers contain useful information
• The main piece of information you're looking for is the originating email's domain or IP address
• Other helpful information includes the following:
• Date and time the message was sent
• The file names of any attachments
• Unique message number (if it's supplied)
• Read the Received: headers from the bottom up: each relay prepends its own line, so the lowest one is the first hop, and the only part a relay actually observed is the IP address it recorded in parentheses, not the name the sender announced
Examining Email Headers (2 of 2)
Figure: An email header with line numbers added
Examining Additional Email Files
• Email messages are saved on the client computer or left on the server
• Microsoft Outlook uses .pst and .ost files
• Most email programs also include an electronic address book, calendar, task list, and memos
• In web-based email, messages are displayed as webpages and, depending on the browser's cache policy, may be saved in the browser's cache folders
• Many web-based email providers also offer instant messaging (IM) services, but those messages may not be saved
• You may have to search pagefile.sys (and hiberfil.sys) to find message fragments

Tracing an Email Message
• Determining message origin is referred to as "tracing"
• Contact the administrator responsible for the sending server
• You can use a registry site to find the point of contact:
• www.arin.net (WHOIS for IP address allocations in North America; RIPE, APNIC, LACNIC and AFRINIC cover other regions)
• www.internic.net (domain registration lookups)
• www.google.com (general search for a provider's abuse contact)
• Verify your findings by checking network email logs against email addresses
Using Network Email Logs (1 of 2)
• Router logs, where logging is enabled, record incoming and outgoing traffic
• Use these logs to determine the path a transmitted email has taken
• Firewalls filter email traffic
• Firewall logs track Internet traffic destined for other networks
• Use these logs to verify whether the email passed through the firewall (look for connections on the SMTP ports 25, 465 and 587 around the time stamps in the header)
• You can use text editors or specialized tools to view logs
Using Network Email Logs (2 of 2)
Figure: A Windows firewall log
Understanding Email Servers and Server Logs (1 of 2)
• An email server contains software that uses email protocols for its services and maintains logs you can examine and use in your investigation
• Some email servers use databases that store users' emails, and others use a flat file system
• Some servers are set up to log email transactions by default; others have to be configured to do so
• Administrators usually set email servers to continuous logging mode
Understanding Email Servers and Server Logs (2 of 2)
• Email logs generally identify the following:
• Email messages an account received
• Sending IP address
• Date and time the server received the email and when the client computer accessed the email
• Email contents and system-specific information
• After identifying the source of the email, contact the suspect's network email administrator as soon as possible (logs are usually kept up to 30 days)
• Email servers can keep backups of emails
Examining UNIX/Linux Email Server Logs (1 of 2)
• Common UNIX email servers: Postfix and Sendmail
• The configuration file for Sendmail is /etc/sendmail.cf (on most current systems /etc/mail/sendmail.cf)
• The syslog configuration (/etc/syslog.conf, or /etc/rsyslog.conf on rsyslog systems) specifies where and which mail-facility events Sendmail logs
• Postfix has two configuration files
• master.cf and main.cf (found in /etc/postfix)
Examining UNIX/Linux Email Server Logs (2 of 2)
• /var/log/maillog (on Debian-based systems /var/log/mail.log) records SMTP, POP3, and IMAP4 communications
• Contains an IP address and time stamp that you can compare with the header of the email the victim received
• Default location for storing log files is /var/log
• An administrator can change the log location
• Use the find or locate command to find them
• Check UNIX man pages for more information
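Comparing the relay's own log with the victim's header, as the slide above describes, done in code. This is an added example, not from the deck or the textbook; the Postfix log lines are constructed (queue id, addresses and IPs are invented), and the correlation call at the end assumes the header values came from a message handled by that relay.

```python
"""Follow one message through a Postfix mail log and check it against the header.

Added example (not from the original deck). The log lines are constructed;
the queue id, addresses and IP addresses are invented.
"""
import re
from collections import defaultdict

MAILLOG = """\
Nov 18 14:14:15 relay postfix/smtpd[2231]: connect from unknown[203.0.113.10]
Nov 18 14:14:15 relay postfix/smtpd[2231]: warning: hostname mail-a.bulk.invalid does not resolve to address 203.0.113.10
Nov 18 14:14:15 relay postfix/smtpd[2231]: 3Pq9Ab1C2d: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=mailer42
Nov 18 14:14:15 relay postfix/cleanup[2240]: 3Pq9Ab1C2d: message-id=<20241118141415.3Pq9Ab1C2d@relay.bulkmailer.example>
Nov 18 14:14:15 relay postfix/qmgr[1180]: 3Pq9Ab1C2d: from=<mailer42@bulkmailer.example>, size=2310, nrcpt=1 (queue active)
Nov 18 14:14:16 relay postfix/smtp[2251]: 3Pq9Ab1C2d: to=<victim@example-victim.net>, relay=mx2.example-victim.net[198.51.100.20]:25, delay=1.2, delays=0.4/0.01/0.3/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4Qx7Lk2J8y)
Nov 18 14:14:16 relay postfix/qmgr[1180]: 3Pq9Ab1C2d: removed
Nov 18 14:14:16 relay postfix/smtpd[2231]: disconnect from unknown[203.0.113.10] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<rest>.*)$")
QID_RE = re.compile(r"^(?P<qid>[0-9A-Za-z]{6,}): (?P<body>.*)$")
NOT_A_QUEUE_ID = {"warning", "error", "fatal", "panic", "NOQUEUE"}


def new_record() -> dict:
    return {"queue_id": "", "client_ip": "", "client_host": "", "sasl_user": "",
            "message_id": "", "envelope_from": "", "recipients": [],
            "first_seen": "", "last_seen": ""}


def parse_maillog(lines) -> dict:
    """Group log lines by Postfix queue id. smtpd gives the connecting client and
    SASL login, cleanup the Message-ID, qmgr the envelope sender, smtp the
    delivery result (including the next relay's queue id)."""
    records = defaultdict(new_record)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        q = QID_RE.match(m.group("rest"))
        if not q or q.group("qid") in NOT_A_QUEUE_ID:
            continue  # connect/disconnect/warning lines carry no queue id
        qid, body, prog = q.group("qid"), q.group("body"), m.group("prog")
        rec = records[qid]
        rec["queue_id"] = qid
        rec["first_seen"] = rec["first_seen"] or m.group("ts")
        rec["last_seen"] = m.group("ts")
        if prog == "smtpd":
            c = re.search(r"client=(\S+?)\[(\d{1,3}(?:\.\d{1,3}){3})\]", body)
            if c:
                rec["client_host"], rec["client_ip"] = c.group(1), c.group(2)
            u = re.search(r"sasl_username=([^,\s]+)", body)
            if u:
                rec["sasl_user"] = u.group(1)
        elif prog == "cleanup":
            mid = re.search(r"message-id=<([^>]*)>", body)
            if mid:
                rec["message_id"] = mid.group(1)
        elif prog == "qmgr":
            f = re.search(r"from=<([^>]*)>", body)
            if f:
                rec["envelope_from"] = f.group(1)
        elif prog in ("smtp", "lmtp", "local", "virtual", "pipe"):
            t = re.search(r"to=<([^>]*)>.*?relay=([^,]+),.*?status=(\w+) \((.*)\)$", body)
            if t:
                remote = re.search(r"queued as (\S+)", t.group(4))
                rec["recipients"].append({"to": t.group(1), "relay": t.group(2),
                                          "status": t.group(3), "detail": t.group(4),
                                          "remote_queue_id": remote.group(1) if remote else ""})
    return dict(records)


def correlate(records: dict, esmtp_id: str, message_id: str, connecting_ip: str) -> dict:
    """Does the relay's own log agree with what the victim's header claims about
    this hop? A missing or mismatching entry points to a forged header."""
    rec = records.get(esmtp_id)
    if rec is None:
        return {"found": False}
    return {"found": True,
            "message_id_matches": rec["message_id"] == message_id,
            "client_ip_matches": rec["client_ip"] == connecting_ip,
            "authenticated_user": rec["sasl_user"],
            "envelope_from": rec["envelope_from"],
            "next_hop_ids": [r["remote_queue_id"] for r in rec["recipients"]]}


if __name__ == "__main__":
    recs = parse_maillog(MAILLOG.splitlines())
    for qid, r in recs.items():
        print(qid, r["client_ip"], r["sasl_user"], r["envelope_from"], r["message_id"])
        for d in r["recipients"]:
            print("   ->", d["to"], d["status"], d["relay"], d["remote_queue_id"])
    print(correlate(recs, "3Pq9Ab1C2d",
                    "20241118141415.3Pq9Ab1C2d@relay.bulkmailer.example", "203.0.113.10"))
```

Two things the log gives you that the header cannot: the SASL username used to inject the message (the account to ask the provider about) and the envelope sender, which here differs from the forged From: line. Syslog time stamps carry no year and are in the server's local zone, so convert the header's date (here 09:14:15 -0500, i.e. 14:14:15 UTC) before comparing.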


Examining Microsoft Email Server Logs (1 of 3)
• Microsoft Exchange Server (generally called Exchange)
• It uses an Exchange database based on the Microsoft Extensible Storage Engine (ESE)
• In older versions of Exchange, useful files in an investigation were .edb database files and checkpoint files
• To gather statistics on the Exchange transaction logs, use the following PowerShell script from Microsoft:
• GetTransactionLogStats.ps1 -Gather
Examining Microsoft Email Server Logs (2 of 3)
• Exchange servers can also maintain a message tracking log (tracking.log in older versions) that records each message's path through the server
• If the Message Tracking feature has been enabled and the email administrator selects verbose (detailed) logging, you can see the timestamp, the IP address of the sending computer, and message details (the subject when subject logging is enabled, but not the body); on current versions the log is searched with the Get-MessageTrackingLog cmdlet
• Another log used for troubleshooting and investigating the Exchange environment is the troubleshooting log
• Use Windows Event Viewer to view this log
Examining Microsoft Email Server Logs (3 of 3)
Figure: Viewing a log in Event Viewer
Using Specialized Email Forensics Tools (1 of 3)
• Some useful email recovery tools include the following:
• DataNumen for Outlook and Outlook Express
• FINALeMAIL for Outlook Express and Eudora
• Sawmill for Novell GroupWise log analysis
• MailXaminer for multiple email formats and large data sets
• Fookes Aid4Mail and MailBag Assistant
• Paraben Email Examiner
• Exterro FTK (formerly AccessData FTK) for Outlook and Outlook Express
Using Specialized Email Forensics Tools (2 of 3)
• Forensics tools enable you to find the following:
• Email database files (look for .db files)
• Personal email files
• Offline storage files
• Log files (look for .log files)
• An advantage of using data recovery tools:
• You don't need to know the internal storage formats of email servers and clients to extract data from them
Using Specialized Email Forensics Tools (3 of 3)
• After you compare email logs with messages, you should verify the following information:
• Email account, message ID, IP address, and date and time stamp, to determine whether there's enough evidence for a warrant
• With some tools, you can scan email database files on a suspect's Windows computer, locate any emails the suspect has deleted, and restore them to their original state
Using a Hex Editor to Carve Email Messages
• Few vendors have products for analyzing email in systems other than Microsoft
• This section shows how to carve emails from Evolution
• Some applications store emails in the mbox format: flat plaintext files in which each message begins with a "From " separator line
• The messages themselves are structured with Multipurpose Internet Mail Extensions (MIME), which defines the headers, multipart boundaries and encodings (such as base64 for attachments)
• Vendor-specific containers such as Microsoft .pst or .ost files store messages as proprietary property structures rather than as plaintext, so their contents cannot simply be carved by searching for header text and need dedicated tools
Recovering Outlook Files (1 of 2)
• A forensics examiner recovering email messages from Outlook may need to reconstruct .pst files and messages
• With many advanced forensics tools, deleted .pst files can be partially or completely recovered
• The scanpst.exe recovery tool (Inbox Repair Tool) comes with Microsoft Office
• It can repair .ost files as well as .pst files
• Run it on a working copy, never on the original evidence file: it modifies the file it repairs (after making a .bak copy)
Recovering Outlook Files (2 of 2)
• Guidance Software uses the SysTools plug-in for Outlook email through version 2013
• SysTools extracts .pst files from EnCase Forensic for analysis
• DataNumen Outlook Repair is one of the better email recovery tools
• It can recover files from VMware and Virtual PC disk images
Email Case Studies
• In the Enron case, more than 10,000 emails contained the following personal information:
• 60 containing credit card numbers
• 572 containing thousands of Social Security or other identity
numbers
• 292 containing birth dates
• 532 containing information of a highly personal nature
• Such as medical or legal matters
Applying Digital Forensics Methods to Social Media Communications and Channel-Based Messaging Tools (1 of 2)
• A social media platform is an online service that provides a virtual environment where people can create and share text, pictures, and videos
• The types of information that can be found on social media include:
• Evidence of cyberbullying and witness tampering
• A company's position on an issue
• Whether intellectual property rights have been violated
• Who posted information and when
Applying Digital Forensics Methods to Social Media Communications and Channel-Based Messaging Tools (2 of 2)
• Social media can often substantiate a party's claims
• Social media sites involve multiple jurisdictions that might even cross national boundaries
• A warrant or subpoena is needed to access social media servers
• In cases involving imminent danger, law enforcement can file emergency requests for information with the provider
Social Media Forensics on Mobile Devices
• Most social media users access channels from mobile devices
• Evidence artifacts vary depending on the social media channel and the device
• Forensics analysis shows that iPhone and Android devices yielded the most information, and much of the data was stored in app-specific SQLite databases holding messages, contacts and timestamps
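What working with one of those SQLite databases looks like, as an added example (not from the deck or the textbook). The schema and rows are invented to resemble a generic messaging app; real apps use their own table layouts, timestamp units and epochs. The script builds the database twice, deletes one message each time, and shows that with SQLite's default settings the deleted text is still in the raw file, while with secure_delete on it is gone.

```python
"""Pull a message timeline out of an app's SQLite database and test whether
'deleted' rows are still recoverable from the raw file.

Added example (not from the original deck). The schema and rows are invented
to resemble a generic messaging app; real apps use their own table layouts.
"""
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# Constructed rows: (contact_id, direction, body, milliseconds since Unix epoch, UTC)
SAMPLE_MESSAGES = [
    (1, "in",  "hey are you around",         1731939255000),
    (1, "out", "yeah what's up",             1731939300000),
    (1, "in",  "meet at the warehouse at 9", 1731939360000),
    (1, "out", "ok",                         1731939420000),
]
DELETED_TEXT = "meet at the warehouse at 9"


def build_db(path: str, secure_delete: bool) -> None:
    """Create a small chat database, then delete one message the way the app
    would. secure_delete controls whether SQLite zeroes freed cell bytes."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=" + ("ON" if secure_delete else "OFF"))
    con.executescript("""
        CREATE TABLE contacts(id INTEGER PRIMARY KEY, handle TEXT, display_name TEXT);
        CREATE TABLE messages(id INTEGER PRIMARY KEY, contact_id INTEGER,
                              direction TEXT, body TEXT, ts_ms INTEGER);
    """)
    con.execute("INSERT INTO contacts VALUES (1, '+15550100', 'M')")
    con.executemany("INSERT INTO messages(contact_id, direction, body, ts_ms) VALUES (?,?,?,?)",
                    SAMPLE_MESSAGES)
    con.commit()
    con.execute("DELETE FROM messages WHERE body = ?", (DELETED_TEXT,))
    con.commit()
    con.close()


def timeline(path: str) -> list:
    """Live rows only, joined to contacts, with the app's epoch-ms timestamps
    rendered as UTC (check each app's unit and epoch before converting)."""
    con = sqlite3.connect(path)
    rows = con.execute("""SELECT m.ts_ms, c.handle, m.direction, m.body
                          FROM messages m JOIN contacts c ON c.id = m.contact_id
                          ORDER BY m.ts_ms""").fetchall()
    con.close()
    return [(datetime.fromtimestamp(ts / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
             handle, direction, body) for ts, handle, direction, body in rows]


def residue_present(path: str, needle: str) -> bool:
    """Search the raw file, not the tables: a deleted cell's bytes stay in the
    page until overwritten unless secure_delete was on (or VACUUM ran)."""
    with open(path, "rb") as f:
        return needle.encode() in f.read()


def demo() -> dict:
    results = {}
    for label, secure in (("secure_delete_off", False), ("secure_delete_on", True)):
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "chat.db")
            build_db(path, secure)
            tl = timeline(path)
            results[label] = {"live_rows": len(tl), "first": tl[0],
                              "deleted_text_in_file": residue_present(path, DELETED_TEXT)}
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

This is why a mobile extraction is imaged and examined with a tool that parses freed pages and cells rather than just queried with the app's own schema: the query above never returns the deleted row, but the bytes are still in the file. Journal and WAL files next to the database are a second place such residue survives.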
Privacy: Yours and Others'
• Most sites provide users with privacy options that allow them to make all their information public or to restrict access
• Most sites allow information to be restricted so that only friends can view it
• Some allow much more complex and fine-grained privacy settings
• Posts can be limited to specific groups of friends or even individual people
• You also have privacy protections when you visit people's profiles (on many sites the profile owner is not told who viewed it)
Basic Demographics
• The "About" page on Facebook has a lot of demographic information
• The biographical information available on Twitter is very brief
• Dating sites like OkCupid have extensive demographic information for users
Social Connections and Associates
• Most sites support the creation of explicit social connections with other people. These tend to come in two forms:
• friending (mutual agreement) and following (one-way relationship)
Figure: A friend list on Facebook (names and faces are blurred for privacy)
Location Data
• Social media platforms support geotagging, which allows people to associate GPS coordinates or other location data with their posts
Location Data
Figure: A map generated by GeoSocial Footprint, showing the locations Malcom visits most often
Posted Content
Figure: A post from the Martin County Sheriff's Office about a suspect's selfies gone wrong
Behavior Patterns
• Discovering behavior patterns can be important:
• What a person does, when, where, and with whom
Figure: The Please Rob Me website, showing people who have just left home, based on their Foursquare check-ins shared through Twitter, with locations
Case study
• https://www.takethislollipop.com/
• ... or watch the YouTube videos
What You (Probably) Won't Find
• Truly private conversations
• Email, instant messaging, and private or direct messages sent on social media cannot be read by other users; only the provider holds them, and it releases them only under legal process
• Things a user has deleted
• Social media companies often keep copies of deleted content for some time
• As a regular user, though, you simply won't be able to see or bring back these deleted posts
Forensics Tools for Social Media Investigations
• Software for social media forensics continues to be developed
• Not many tools are available now
• There are questions about how the information these tools gather can be used in court or in arbitration
• Using social media forensics software might also require getting the permission of the people whose information is being examined
• You need a warrant or subpoena to ask a social media site to produce its records
Investigating Channel-Based Messaging Tools
• Slack is a communications tool that allows groups and companies to set up private and public discussion channels
• Another popular social chat platform is Discord
• There was a recent case involving a young National Guardsman who used Discord to distribute classified documents
• Tools such as Magnet Axiom can be used by corporate investigators to perform investigations on some of these platforms
• More tools will certainly become available over time
Source material: Nelson/Phillips/Steuart/Wilson, Guide to Computer Forensics and Investigations, 7th Edition. ©2025 Cengage Learning, Inc. All Rights Reserved.