Email Forensics


Email Headers

  • standard for the Internet message format is RFC 5322 (which obsoleted RFC 2822 in 2008)
  • email headers include:
    • a record of the email’s journey through the network
      • each server that handles the message prepends its own Received line to the header
  • email message header includes:
    • required fields
      • From field
      • Date
    • recommended:
      • message-ID
      • in-reply-to field
        • used to link related messages together
  • header field names are registered under the procedures of RFC 3864; common ones include:
    • To
      • email address and name of primary recipient
    • Subject
      • brief summary of the topic of the message
    • Cc
      • carbon copy; a copy is sent to secondary recipients
    • Bcc
      • blind carbon copy; a copy is sent to addresses added to the SMTP delivery list
      • address remains invisible to other recipients
        • Bcc recipients exist only in the SMTP envelope (RCPT TO), so they show up in the sending server’s logs, not in the delivered header
    • Content-Type
      • info about how the message is to be displayed
      • typically Multipurpose Internet Mail Extensions (MIME) type
    • Precedence
      • used to indicate that automated “vacation” or “out of office” responses should not be returned for this mail
      • e.g., prevents vacation notices from being sent to all other subscribers of a mailing list
      • common values: bulk, junk, list
    • Received
      • tracking information generated by each mail server that has handled the message
      • in reverse order (last handler first): the topmost line was added by the last server, so read bottom-up to follow the path
      • only the lines added by servers you control are trustworthy; everything below them arrived with the message and can be forged by the sender
    • References
      • Message-IDs of the earlier messages in the thread (the parent and its ancestors); In-Reply-To carries only the parent’s Message-ID
    • Reply-To
      • address that should be used to reply to the message
    • Sender
      • address of the actual sender acting on behalf of the author listed in the From Field

Email Files

Local storage archives are mail stores kept on the user’s computer in a client-specific format, independent of any mail server.

  • e.g.,
    • .pst (Outlook personal folders)
    • .ost (Outlook offline storage; a cached copy of an Exchange mailbox)
    • .mbx or .dbx (Outlook Express)
    • .mbx (Eudora)
    • .eml (single-message files, common to several email clients)
  • a .pst file can hold a separate set of messages that Outlook shows only while the file is attached
    • a suspect can attach it only while committing the crime and detach it afterwards
    • viewing Outlook won’t show these messages if the file isn’t loaded
    • locate the .pst data file on the file system and open it directly, in Outlook or (preferably) in a forensic tool
  • tools can be used to convert one email format to another
    • Transend Migrator
  • email forensics tools
    • Paraben’s Email Examiner
    • EnCase
    • Forensic Toolkit (FTK)
    • OSForensics
    • libpst package (its readpst utility converts a .pst into mbox or individual .eml files)
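An added example, not code from any of the tools listed above, showing how a local archive in mbox format (the family Eudora’s .mbx and most Unix clients use) can be inventoried with Python’s standard mailbox module: it writes a constructed two-message archive to a temporary directory, records each message’s identifiers and a SHA-256 of its stored bytes, and exports every message as an .eml file. Proprietary stores such as .pst or .dbx need a dedicated parser; readpst from libpst can convert a .pst to mbox first, after which the same code applies. The file name inbox.mbx and all message contents are constructed for the example.

```python
"""Inventory an mbox archive and export its messages as .eml files.

Added example for these notes; the archive below is constructed.
"""
import hashlib
import mailbox
import os
import re
import tempfile
from email.utils import parseaddr, parsedate_to_datetime

# Constructed two-message archive. Each message starts with an envelope
# "From " line; clients escape body lines that begin with "From " as
# ">From " so they are not mistaken for a new message (see message 2).
SAMPLE_MBOX = """\
From alice@example.org Tue Mar  5 10:15:30 2019
Message-ID: <m1@example.org>
From: Alice <alice@example.org>
To: bob@example.com
Date: Tue, 05 Mar 2019 10:15:30 +0000
Subject: invoice

see attached

From carol@example.net Wed Mar  6 08:00:00 2019
Message-ID: <m2@example.net>
From: Carol <carol@example.net>
To: bob@example.com
Date: Wed, 06 Mar 2019 08:00:00 +0000
Subject: re: invoice

>From my side it is fine.
"""


def write_sample_archive(directory):
    """Write the constructed archive to disk (stand-in for a seized .mbx)."""
    path = os.path.join(directory, "inbox.mbx")
    with open(path, "w", newline="\n") as fh:
        fh.write(SAMPLE_MBOX)
    return path


def file_sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def inventory(mbox_path):
    """One row per message. The hash covers the bytes as stored in the
    archive (get_bytes), not a re-serialised copy, so it can be repeated
    against the original evidence file."""
    box = mailbox.mbox(mbox_path)
    rows = []
    try:
        for key in box.keys():
            msg = box[key]
            raw = box.get_bytes(key)
            rows.append({
                "key": key,
                "envelope_from": msg.get_from(),      # the "From " line
                "message_id": msg.get("Message-ID"),
                "from": parseaddr(msg.get("From", ""))[1],
                "date": parsedate_to_datetime(msg["Date"]).isoformat(),
                "subject": msg.get("Subject"),
                "sha256": hashlib.sha256(raw).hexdigest(),
            })
    finally:
        box.close()
    return rows


def export_eml(mbox_path, out_dir):
    """Write each message's stored bytes to <message-id>.eml."""
    box = mailbox.mbox(mbox_path)
    written = []
    try:
        for key in box.keys():
            mid = (box[key].get("Message-ID") or "key%d" % key).strip("<>")
            safe = re.sub(r"[^A-Za-z0-9._-]", "_", mid)
            path = os.path.join(out_dir, safe + ".eml")
            with open(path, "wb") as fh:
                fh.write(box.get_bytes(key))
            written.append(path)
    finally:
        box.close()
    return written


def demo():
    """Run the whole flow in a scratch directory; returns (rows, eml paths)."""
    work = tempfile.mkdtemp(prefix="mailarchive-")
    archive = write_sample_archive(work)
    return inventory(archive), export_eml(archive, work)


if __name__ == "__main__":
    for row in demo()[0]:
        print(row["key"], row["date"], row["from"], row["sha256"][:16])
```

Hashing the stored bytes rather than a re-serialised message matters for evidence: the same hash can be recomputed later on the original file, and the exported .eml files hash identically to the inventory rows.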

Tracing Emails

Email tracing involves examining the header information, chiefly the chain of Received lines, to look for clues about where a message has been.

  • may be useful to determine the ownership of the source email server, or of the IP address that handed the message to the first server you control
    • can use WHOIS databases (and reverse DNS) on that address or domain
  • can corroborate the header chain against email server logs and network usage records, which are written by the receiving side rather than supplied by the sender
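As an added example for both the Received-header description above and the tracing procedure here (not code from any tool named on the page), the following Python script parses the Received chain of a constructed message, lists the hops in chronological order, computes the delay between hops, identifies the IP that handed the message to the first server we control, and flags Sender/Reply-To domains that differ from the From domain. The hostnames, addresses and SMTP ids in the sample are assumptions for the example.

```python
"""Order an email's Received headers and trace its path hop by hop.

Added example for these notes; the message, hosts and addresses are
constructed (documentation-reserved names and ranges).
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample. Each Received line was written by the server named
# after "by"; the topmost is the newest hop. Every line below the one our
# own server wrote was supplied by the previous hops and may be forged.
RAW_MESSAGE = """\
Received: from mx-edge.example.net (mx-edge.example.net [203.0.113.10])
\tby mail.example.com with ESMTPS id abc123
\tfor <bob@example.com>; Tue, 05 Mar 2019 10:15:42 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx-edge.example.net with ESMTP id def456;
\tTue, 05 Mar 2019 10:15:40 +0000
Received: from user-pc (unknown [192.0.2.25])
\tby relay.example.org with SMTP id ghi789;
\tTue, 05 Mar 2019 10:15:38 +0000
Message-ID: <20190305101538.ghi789@relay.example.org>
From: "Alice" <alice@example.org>
Sender: mailer@relay.example.org
Reply-To: alice.refund@example.com
To: bob@example.com
Subject: test
Date: Tue, 05 Mar 2019 10:15:30 +0000

hello
"""

RECEIVED_RE = re.compile(
    r"^from\s+(?P<from_host>\S+)\s*(?:\((?P<from_info>[^)]*)\))?"
    r"\s+by\s+(?P<by_host>\S+).*?;\s*(?P<date>[^;]+)$",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """One (possibly folded) Received value -> hop dict."""
    text = " ".join(value.split())            # unfold, squeeze whitespace
    m = RECEIVED_RE.match(text)
    if not m:
        return {"raw": text, "parsed": False}
    ip = IP_RE.search(m.group("from_info") or "")
    return {
        "from_host": m.group("from_host"),
        "from_ip": ip.group(1) if ip else None,
        "by_host": m.group("by_host"),
        "time": parsedate_to_datetime(m.group("date").strip()),
        "parsed": True,
    }


def hops(raw_message):
    """Hops in chronological order (headers are stored newest first)."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def transit_delays(hop_list):
    """Seconds between consecutive hops; negative = clock skew or forgery."""
    times = [h["time"] for h in hop_list if h["parsed"]]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def first_external_ip(hop_list, trusted_hosts):
    """IP that handed the message to the first server we control.
    Only lines whose "by" host we operate are trustworthy; scanning from
    the newest hop downward means a forged "by <our host>" line planted
    further down by the sender is never reached first."""
    for h in reversed(hop_list):
        if (h["parsed"] and h["by_host"].lower() in trusted_hosts
                and h["from_host"].lower() not in trusted_hosts):
            return h["from_ip"]
    return None


def origin_mismatches(raw_message):
    """Sender / Reply-To addresses whose domain differs from the From
    domain: normal for mailing lists, a red flag in fraud cases."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    out = {}
    for field in ("Sender", "Reply-To"):
        addr = parseaddr(msg.get(field, ""))[1]
        if addr and addr.rpartition("@")[2].lower() != from_domain:
            out[field] = addr
    return out


if __name__ == "__main__":
    path = hops(RAW_MESSAGE)
    for n, h in enumerate(path, 1):
        print(n, h["from_host"], h["from_ip"], "->", h["by_host"], h["time"])
    print("delays:", transit_delays(path))
    print("first external IP:", first_external_ip(path, {"mail.example.com"}))
    print("origin mismatches:", origin_mismatches(RAW_MESSAGE))
```

The trusted-host set is the key input: with only mail.example.com trusted the best-attested origin is 203.0.113.10, and if mx-edge.example.net is also ours it moves one hop back to 198.51.100.7. Anything earlier, including the 192.0.2.25 "user-pc" line, is a claim made by the sender’s side and must be corroborated from the relay operator’s logs.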

Email Server Forensics

  • messages deleted on a mail client are often still available on the email server (or in its backups)
  • email servers often have retention policies that determine how long messages are kept
  • common email server software extensions:
    • Exchange Server mailbox database (.edb)
    • Exchange Public Folders (pub.edb)
    • Exchange Private Folders (priv.edb)
    • Streaming Data (priv.stm)
      • the pub/priv/.stm split is the Exchange 2000/2003 layout; later versions keep each mailbox database in a single .edb
    • Lotus Notes (.nsf)
    • GroupWise (.db)
    • GroupWise Post Office Database (wphost.db)
    • GroupWise User Databases (userxxx.db)
    • Linux email server logs (/var/log/mail.* on Debian-based systems, /var/log/maillog on Red Hat-based systems)
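As an added example of the server-log check (not code from any server or tool the page names), the following Python script correlates constructed Postfix log lines of the kind found in /var/log/mail.log into one record per queue ID, so a Message-ID recovered from a client can be matched to the server’s own record of the connecting client, envelope sender and delivery status; it also flags messages that claim an envelope sender in our domain but were submitted from outside our networks. The queue IDs, hosts, addresses and network ranges are assumptions for the example.

```python
"""Correlate Postfix log lines into one record per queued message.

Added example for these notes. The lines are constructed in the syslog
format Postfix writes; hosts and addresses are documentation examples.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar  5 10:15:42 mail postfix/smtpd[12345]: connect from mx-edge.example.net[203.0.113.10]
Mar  5 10:15:42 mail postfix/smtpd[12345]: 4B2C1D3E5F: client=mx-edge.example.net[203.0.113.10]
Mar  5 10:15:42 mail postfix/cleanup[12346]: 4B2C1D3E5F: message-id=<20190305101538.ghi789@relay.example.org>
Mar  5 10:15:42 mail postfix/qmgr[1234]: 4B2C1D3E5F: from=<alice@example.org>, size=1234, nrcpt=1 (queue active)
Mar  5 10:15:43 mail postfix/local[12347]: 4B2C1D3E5F: to=<bob@example.com>, relay=local, delay=0.5, delays=0.2/0.1/0/0.2, dsn=2.0.0, status=sent (delivered to maildir)
Mar  5 10:15:43 mail postfix/qmgr[1234]: 4B2C1D3E5F: removed
Mar  5 10:15:43 mail postfix/smtpd[12345]: disconnect from mx-edge.example.net[203.0.113.10]
Mar  5 11:02:07 mail postfix/smtpd[12350]: 7C9A0B1D22: client=unknown[198.51.100.99]
Mar  5 11:02:07 mail postfix/cleanup[12351]: 7C9A0B1D22: message-id=<fake@example.com>
Mar  5 11:02:07 mail postfix/qmgr[1234]: 7C9A0B1D22: from=<ceo@example.com>, size=900, nrcpt=2 (queue active)
Mar  5 11:02:08 mail postfix/local[12352]: 7C9A0B1D22: to=<bob@example.com>, relay=local, delay=0.3, delays=0.1/0.1/0/0.1, dsn=2.0.0, status=sent (delivered to maildir)
Mar  5 11:02:08 mail postfix/smtp[12353]: 7C9A0B1D22: to=<dave@example.net>, relay=mx.example.net[192.0.2.5]:25, delay=1.2, delays=0.1/0.1/0.5/0.5, dsn=5.1.1, status=bounced (host mx.example.net said: 550 5.1.1 User unknown)
Mar  5 11:02:08 mail postfix/qmgr[1234]: 7C9A0B1D22: removed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<rest>.*)$"
)
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-Za-z]{10,}): (?P<body>.*)$")
CLIENT_RE = re.compile(r"client=(?P<name>[^\[\s]+)\[(?P<ip>[\d.:a-fA-F]+)\]")
MSGID_RE = re.compile(r"message-id=(?P<mid>\S+)")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>.*\bstatus=(?P<status>\w+)")


def new_record():
    return {"client": None, "message_id": None, "sender": None,
            "recipients": [], "first_seen": None, "last_seen": None}


def correlate(log_text):
    """Group every queue-ID-tagged line under its queue ID. Postfix logs one
    message across several daemons (smtpd, cleanup, qmgr, local/smtp); the
    queue ID is the only key that ties those lines together."""
    records = defaultdict(new_record)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        q = QUEUE_RE.match(m.group("rest"))
        if not q:                     # connect/disconnect lines: no queue ID
            continue
        rec = records[q.group("qid")]
        body = q.group("body")
        rec["first_seen"] = rec["first_seen"] or m.group("ts")
        rec["last_seen"] = m.group("ts")
        client, mid = CLIENT_RE.search(body), MSGID_RE.search(body)
        sender, rcpt = FROM_RE.search(body), TO_RE.search(body)
        if client:
            rec["client"] = (client.group("name"), client.group("ip"))
        elif mid:
            rec["message_id"] = mid.group("mid")
        elif sender:
            rec["sender"] = sender.group("addr")
        elif rcpt:
            rec["recipients"].append((rcpt.group("addr"), rcpt.group("status")))
    return dict(records)


def find_by_message_id(records, message_id):
    """Queue IDs whose cleanup line logged this Message-ID: the link from a
    header found on a client to the server's own record of the message."""
    return [qid for qid, r in records.items() if r["message_id"] == message_id]


def spoofed_local_senders(records, local_domain, internal_networks):
    """Queue IDs of messages whose envelope sender claims our own domain but
    were submitted by a client outside our internal networks."""
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    hits = []
    for qid, r in records.items():
        if not r["sender"] or not r["client"]:
            continue
        if r["sender"].rpartition("@")[2].lower() != local_domain.lower():
            continue
        ip = ipaddress.ip_address(r["client"][1])
        if not any(ip in net for net in nets):
            hits.append(qid)
    return hits


if __name__ == "__main__":
    recs = correlate(SAMPLE_LOG)
    for qid, r in recs.items():
        print(qid, r["client"], r["sender"], r["recipients"])
    print("spoofed:", spoofed_local_senders(recs, "example.com", ["192.0.2.0/24"]))
```

The log record is the receiving side’s own view: the client IP in the "client=" line is what the server actually connected to, which is the value to compare against the "from" clause of the Received line that the same server added to the delivered message.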

Email and the Law

Fourth Amendment to the Constitution

  • if email resides on a sender’s or recipient’s computer,
    • then Fourth Amendment law governs the seizure and collection of the message
  • determine if the user has a reasonable expectation of privacy on that computer
  • need a search warrant
    • unless exceptions apply (e.g., consent)

The Electronic Communications Privacy Act

  • if ISP or other communications network stores an email,
    • retrieval of that evidence must be analyzed under the ECPA
  • ECPA creates statutory restrictions on government access to information from ISPs or other communications providers
  • requires different legal processes to obtain specific types of information:
    • basic subscriber information
      • this info includes
        • name
        • address
        • billing information including
          • credit card number
          • telephone toll billing records
          • subscriber’s telephone number
          • type of service
          • length of service
      • can obtain this info with a subpoena, court order, or search warrant
    • transactional information
      • includes
        • websites visited
        • email addresses of others with whom the subscriber exchanged email
        • buddy lists
      • can obtain this info with a court order or search warrant
    • content information
      • can obtain this info with a search warrant
    • real-time access
      • to intercept traffic in real-time, need a wiretap order

CAN-SPAM Act

  • meant to curtail unsolicited email
    • aka spam
  • has many loopholes
    • e.g.,
      • do not need permission before sending an email
        • thus unsolicited email is not prohibited
      • applies only to commercial emails
        • trying to sell a product or service
        • does not apply to mass emails for political, religious, or ideological purposes
  • law defines commercial email as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an internet website operated for a commercial purpose)”
  • requires sender to provide a mechanism to opt out of future emails
    • must meet guidelines:
      • visible and operable unsubscribe mechanism present in all emails
      • cannot cost money
      • opt-out requests are honored within 10 business days
      • opt-out lists cannot be sold to other vendors/senders
  • restrictions on how the sender can acquire emails and send emails
    • message cannot be sent through an open relay
    • message cannot be sent to a harvested email address
    • message cannot contain a false header

18 USC 2252B

  • prohibits the use of a misleading domain name to deceive a person into viewing obscene material (or to deceive a minor into viewing material that is harmful to minors)

The Communications Assistance for Law Enforcement Act (CALEA)

  • is a wiretapping law
  • allows law enforcement and intelligence agencies to lawfully conduct electronic surveillance
  • requires telecommunications carriers (and their equipment manufacturers) to design equipment, facilities, and services with built-in surveillance capabilities
  • in 2005 the FCC extended its reach to facilities-based broadband internet and interconnected VoIP providers, so federal agencies can monitor telephone, broadband internet, and VoIP traffic under a lawful order

Foreign Intelligence Surveillance Act

  • prescribes procedures for the physical and electronic surveillance and collection of “foreign intelligence information”

USA PATRIOT Act

  • reduced restrictions on law enforcement agencies’ gathering of intelligence within the United States
  • expanded Secretary of the Treasury’s authority to regulate financial transactions
  • broadened discretion of law enforcement and immigration authorities in detaining and/or deporting immigrants suspected of terrorism and related acts
  • expanded the definition of terrorism to include domestic terrorism