Topic_8 Email & Web Forensics

This document covers Email and Web Forensics, emphasizing the importance of detailed forensic analysis in cyber-crime investigations. It explains the structure of email, the significance of email headers, and methods for extracting email data from various clients, as well as the techniques used in web forensics to track user activity and investigate incidents. Additionally, it discusses the role of temporary files, Internet history, and the Windows registry in forensic investigations.

Lecture 8 Email & Web Forensics Digital Forensics 2018-2019

8- Email & Web Forensics.

8-1 Introduction
The Internet makes any connected system easy to reach. If confidential data is not
properly protected, it becomes open to unauthorized access and misuse, and cyber-
crime by attackers can cause damage ranging from minor to severe. Detailed forensic
analysis is therefore required to reach a conclusion about an incident and to prove or
disprove someone's guilt.

Criminal activities such as child pornography, hacking, and identity theft can be
traced, and the criminals punished, if proper evidence is found against them.

8-2 Email Forensics


8-2-1 Email Structure
E-mail works much the same way as U.S. Postal Service mail. The central post office
corresponds to the e-mail server, and the computers connected to it are the clients.
Two types of e-mail systems are client/server and Web-based. Here’s how a
client/server setup works:

Client: The computer that’s receiving or sending the e-mail. Think of the
client as your home mail box.
Server: The computer that stores the e-mail it receives until the destination client
retrieves it. Think of the server as your local post office, where mail is sent and
received.


8-2-2 E-mail addressing


The structure of the e-mail address, as originally designed by Ray Tomlinson,
consists of these two parts, separated by the familiar @ symbol:
_ Mailbox: The part on the left, often referred to as the username.
_ Domain (or host): The part on the right; the domain whose mail server accepts the
message.

Under this two-part structure, a sending e-mail server can find the destination
quickly by looking up the domain's mail exchanger (MX) record in the Domain Name
System (DNS), which names the host that accepts mail for that domain.

8-2-3 Seeing the E-Mail Forensics Perspective


From a forensic point of view, client/server e-mail systems are the most productive
for finding information because messages are downloaded to the user's local hard
drive, and you usually also have access to the server, where you can examine stored
messages and logs of e-mail activity.
E-mail servers are hard to shut down for investigation because companies cannot
afford to be cut off from their e-mail systems. Your first step should be to work from
backups of the e-mail system; take the live e-mail server down only if everything else
fails.

8-2-4 The Message Details


This list describes the two parts of an e-mail message, as shown in Figure 9-3:
_ Header: Like the outside of an envelope, contains the source and destination
addresses. You use header information to track an e-mail back to its source or
sender.
_ Body: Contains the actual message and often has the “smoking gun”
information.


When you’re looking at an e-mail message, you see only these two parts and not the
packets that were used to deliver the message because you’re looking at it after
delivery. Anyone who wants to capture packets of e-mail en route from source
to destination can do so by using packet sniffer software. Unless it has been
encrypted, e-mail is sent in plain text and is readable like a post card.

8-2-4 Expanding headers


Most e-mail clients display by default only the regular header fields. The four
basic fields in the header are:
_ From: The sender's address. Be careful about relying on this information.
This field can be spoofed (disguised) to make it look as though another person sent
the e-mail while hiding the identity of the real sender.
_ To: The recipient's address, which can also be faked or spoofed.
_ Subject: Sometimes left blank, or containing misleading information.
_ Date: Recorded from the sending computer, and inaccurate if the sender's
computer clock was set incorrectly.
Obviously, the basic header fields cannot be trusted on their own, and you may not be
able to verify them directly. To check them, you need to expand the header.
The expanded header contains the Received: lines and other fields that each mail
server (mail transfer agent) adds as it relays the message toward its destination;
these are added by mail servers, not by network routers. For the most part, e-mail
client software doesn't show you full headers unless you specifically ask, and even
then you may have to look at the raw message source to find all the headers you're after.


The most useful piece of information is the originating IP address (source
IP address) or domain, recorded in the earliest Received: line. You can use this
address to try to track down the person who sent the e-mail, unless it has been
spoofed or faked.
A unique Message-ID is assigned to the message by the sending client or by the first
e-mail server the message passes through. You can find the e-mail's footprints on
the servers it passed through by searching their logs for this ID. If you can catch
the e-mail server logs before they're overwritten, you can track the true date/time
of the e-mail at each hop as it passed through the network.
In a full header, each relaying server prepends its own Received: line above the
earlier ones, so the path of the e-mail starts at the bottom (closest to the sender)
and works its way up to the final delivery. For example, in Figure 9-4, by following
the date-and-time stamps, you see that the e-mail traveled through two e-mail
servers to arrive at its destination.
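The bottom-up reading of the Received: chain described above, worked in Python as an added example that is not part of the lecture notes. The raw message below is constructed for the example: every host name, address and IP in it is made up, and the claimed sender domain is deliberately different from the first relay so that the mismatch check has something to report. The date-skew value compares the sender's own Date: header with the first server's timestamp, which is one way to spot a wrong clock on the sending machine.

```python
"""Recover the delivery path of an e-mail from its Received: headers.

Added example (not from the lecture). Each relaying mail server prepends its
own Received: line, so the line nearest the body is the oldest hop, the one
closest to the real sender. Reading the list in reverse gives chronological
order. All hosts, addresses and IPs below are constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: three relays, the sender claims to be a bank.
SAMPLE_RAW = """\
Received: from mx2.example.org (mx2.example.org [203.0.113.20])
  by inbox.example.org with ESMTP id ABC123
  for <victim@example.org>; Tue, 12 Mar 2019 10:05:10 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
  by mx2.example.org with ESMTP id XYZ789; Tue, 12 Mar 2019 10:05:04 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
  by relay.example.net with ESMTPA id q1w2e3; Tue, 12 Mar 2019 10:04:58 +0000
Message-ID: <20190312100458.q1w2e3@relay.example.net>
From: "Accounts" <billing@bank.example.com>
To: victim@example.org
Subject: Invoice overdue
Date: Tue, 12 Mar 2019 10:04:50 +0000

Please see the attached invoice.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def parse_received(value):
    """Split one Received: value into the sending host/IP, receiving host and time.

    The timestamp follows the last ';' in the header (RFC 5321 syntax).
    """
    clause, _, date_part = value.rpartition(";")
    clause = " ".join(clause.split())  # join folded continuation lines
    m_from, m_by, m_ip = FROM_RE.search(clause), BY_RE.search(clause), IP_RE.search(clause)
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
        "time": parsedate_to_datetime(date_part.strip()) if date_part.strip() else None,
    }


def delivery_path(raw):
    """Return the hops in chronological order plus the fields worth checking."""
    msg = message_from_string(raw)
    # get_all preserves header order: first in file = last hop, so reverse it.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    sent = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    first_time = hops[0]["time"] if hops else None
    return {
        "message_id": msg["Message-ID"],
        "claimed_from": msg["From"],
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else None,
        # seconds between the sender's clock and the first relay's clock
        "date_skew_s": (first_time - sent).total_seconds() if sent and first_time else None,
    }


def suspicious_origin(path):
    """True when the From: domain does not appear in the first relay's host names.

    A crude spoofing indicator: a real bank would normally inject mail through
    its own servers. Returns None when there is not enough data to decide.
    """
    m = re.search(r"@([\w.-]+)", path["claimed_from"] or "")
    domain = m.group(1).lower() if m else ""
    first = path["hops"][0] if path["hops"] else None
    if not first or not domain:
        return None
    names = " ".join(filter(None, [first["from"], first["by"]])).lower()
    return domain not in names


if __name__ == "__main__":
    result = delivery_path(SAMPLE_RAW)
    for i, hop in enumerate(result["hops"], 1):
        print(f"hop {i}: {hop['from']} ({hop['ip']}) -> {hop['by']} at {hop['time']}")
    print("origin IP:", result["origin_ip"], "| suspicious:", suspicious_origin(result))
```

Run it against a message saved as raw source ("View source" or "Show original" in the client); the usual caveat applies that only the Received: lines added by servers you trust can be relied on, since a sender can forge Received: lines below its own.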

8-2-5 Extracting e-mail from clients


Most e-mail systems use SMTP, POP, or IMAP, which makes e-mail transport fairly
standard. Your challenge is to extract e-mail from different e-mail client software.
Here's a description of the two most common e-mail clients:
_ Outlook: It can act as a personal data assistant with features such as a calendar,
a task list, and contact management. When you investigate cases where Outlook has
been used to manage a suspect's day-to-day affairs, you find enormously detailed
information. Unlike Outlook Express, Outlook saves all the data for an identity in a
single file with a .pst extension. You need a viewer or forensic software to read the
contents of this file; FTK and EnCase offer the most complete methods for extracting
Outlook data.
_ Outlook Express: From Microsoft, stores data in files with a .dbx extension
and also requires a viewer to read them.
In Outlook Express, Outlook, AOL, Eudora, and Thunderbird, e-mail is stored on
the local client computer, which helps your investigation a lot.

8-2-6 Investigating Web-Based Mail


Users often rely on Web-based e-mail for personal communication. The major
Web mail providers are Yahoo!, Hotmail, and Google, which offer their basic
services for free. Web mail can be used without e-mail client software: the only
software needed is the Web browser already installed on most computers. In
reality, Web mail is still a client/server system.

Figure 9-6 summarizes the basic e-mail interactions on a Web mail server.

The easiest way to view the contents of a person's Web mail account is to get
permission from that person, but that is unlikely to happen. Instead, you can find
data by using forensic methods on the local machine, where the browser cache and
history retain traces of the Web mail session.
Extracting every Web page that a suspect has ever visited would produce far more
pages than you could review in a decade, so target the Web mail pages specifically.


8-3 Web Forensics


The victims of Web attacks are both clients and Web servers, so both client-side and
server-side protection is necessary. Attacks can be delivered through false URLs and
redirects to malicious sites, and the usual mediums of attack on the Internet are the
Web browser, database servers, and application servers. On the client side, forensic
analysis is done to find out whether a user has been involved in, or been a victim of,
a crime. Potential evidence can be found in the browser history, registry entries,
temporary files, index.dat, cookies, favorites, HTML pages in unallocated space,
e-mails sent and received by the user, the cache, and so on.
On the server side, forensic analysis examines access logs, error logs, FTP log
files, and network traffic. Intermediate logs such as antivirus server logs, Web
filter logs, spam filter logs, and firewall logs also help in tracking an incident.

Web forensic analysis brings out details such as when, and in what sequence,
somebody accessed a Web page.

8-3-1 Temporary Files. (client side)


Temporary files (created by applications sending and receiving data over a
network) are held temporarily by the operating system. The data is first kept in
RAM; when RAM becomes full, or the operating system pushes that data down the
priority list of data to be retrieved by applications, it is written to the storage
device.
There is no single area for temporary files on modern computers, because
applications create temporary files in addition to the operating system. For
example, Internet Explorer handles temporary files downloaded from the Internet
through settings in the software. In those settings you find not only the location
of the temporary files but also the number of days Internet Explorer keeps the
history of the Web sites you visited.

If an application cannot temporarily store files for later use itself, it often
lets the operating system handle this function via the swap file (virtual
memory).
The swap file is an operating system function that acts like RAM but uses the
hard drive or storage device instead of memory chips. Because the swap file's
contents are written and later only marked as deleted, the information remains
physically on the storage device and is retrievable by you.

8-3-2 Internet History (client side)


Internet Explorer keeps track of where the Web browser has visited. The user has
quite a bit of control and can adjust the number of days the browser hangs onto
the list of Web sites (the Internet history).
Most users think that deleting the history deletes the files forever. The part
most users cannot control is the index.dat file, which Internet Explorer uses as a
database of Web sites visited, cookies, and assorted other details pertaining to
use of the Web browser.
You can extract data from the index.dat file and re-create the tracks of where
the user has been, often going back to the first day anyone surfed the Internet on
that particular computer. Other Web browsers, such as Mozilla and Opera, keep
equivalent files.
Because most Web browsers keep histories, computer forensic software is
designed to open these files and extract the data quite easily. In the case
of EnCase and FTK, the process is automated to the point where the software not
only looks for active database files but also for deleted files in unallocated
space that contain Web surfing histories.

8-3-3 Looking through Instant Messages (client side)


Instant messaging (IM) has exploded in the dynamic communication arena.
Whereas e-mail acts like an inbox, IM acts like a text-based phone call, and
texting on mobile devices is the preferred mode of communication for some people.
IM is important to forensic examiners because companies use this form of
communication for real-time customer service and internal business
communication, and on the personal side people use IM to chat about everything.
IM software works basically the same way as e-mail software; it is just done in
real time.
In any real-time environment, your best chance of finding any data is to log the
data as it is being typed. Some IM software logs conversations for you, but most
people don’t activate the logs. If you rely on the caching system to save IM chats,
you may get pieces of the conversation or nothing, depending on how the cache
archived the data on the hard drive.
IM is migrating to mobile devices, where the technology is somewhat different
from desktop computers. The main problem that mobile devices have now is that
they don’t have the resources or power of conventional desktop computers and they
therefore use memory differently. Because mobile devices tend to not cache or
archive data in the same way that desktop devices do, retrieving chats is that
much more difficult, unless you’re recording them as they occur. You may be
able to catch some logging information from the mobile clients or even the IM
server. But finding a complete conversation in memory is almost impossible
unless logging has been turned on.

The following paragraph is for reference only.


A relatively new area of computer forensics is Web-based forensics: the use of
software to log and track suspects, such as child predators in chat rooms, while
the investigator uses the Internet to pose as a 14-year-old child. Until recently,
forensic tracking of live data was problematic because the Internet is a real-time
environment. Computer forensic software such as WebCase by VereSoft
(www.veresoftware.com) addresses this problem by allowing investigators to
forensically record IP addresses, chat sessions, and other communication across an
Internet connection.

8-3-4 Web Forensics Mechanism (important)


Port 80 is the standard port for Web sites: it is the port on which the Web server
listens for requests from a Web client, and it is therefore exposed to many security
issues, because potential attacks enter the system through it. Web forensics is
carried out on both the client side and the server side. Server-side and client-side
forensic evidence are each sometimes insufficient on their own for ascertaining
(verifying) that an activity occurred, so the two must be correlated.

Sources for web forensics:

1- Router: explained in details in previous lecture.


2- Application server: Intermediate logging locations like application server logs
play a crucial role in proving someone’s guilt.

8-3-5 Server Side Forensics.


Some of the information is found in the Web server logs and application server
logs, but most of these do not record the full HTTP information, such as headers
and request bodies. To determine whether an attack was carried out against an
application, the following information is needed:
(i) Date; (ii) Time; (iii) IP address of the client; (iv) HTTP method used;
(v) URL; (vi) HTTP query used to retrieve the information from the server;
(vii) the complete set of HTTP headers; (viii) the full body of the request.
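Items (i) to (vi) above are exactly what a Web server access log in the common "combined" format records, and the last two are what it lacks. The Python below is an added example, not part of the lecture: it parses a handful of constructed log lines (IPs, paths and user agents are made up), rebuilds the per-client sequence of requests, and flags requests whose URL or query carries SQL-injection or path-traversal indicators. The indicator patterns are deliberately simple and are an assumption of the example, not a complete rule set.

```python
"""Parse combined-format Web server access logs and flag attack indicators.

Added example (not from the lecture). The sample lines are constructed;
they follow the Apache/NGINX "combined" log format:
  client - - [time] "METHOD target PROTO" status size "referer" "user-agent"
"""
import re
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Constructed sample: one normal visitor and one client probing products.php.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2019:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2019:10:12:07 +0000] "GET /products.php?id=3 HTTP/1.1" 200 2210 "http://www.example.com/" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2019:10:12:09 +0000] "GET /products.php?id=3%27%20OR%201=1-- HTTP/1.1" 500 0 "-" "sqlmap/1.3"
198.51.100.9 - - [12/Mar/2019:10:12:15 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 403 0 "-" "curl/7.64"
203.0.113.5 - - [12/Mar/2019:10:13:40 +0000] "POST /login HTTP/1.1" 302 - "http://www.example.com/login" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Simple indicator patterns (assumed for the example; real rule sets are larger).
INDICATORS = [
    ("sql_injection", re.compile(r"('|%27).*(or|union|select)|--\s*$|union\s+select", re.I)),
    ("path_traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.I)),
]


def parse_line(line):
    """Return one log record as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec.pop("target"))
    rec["url"] = parts.path
    rec["query"] = unquote(parts.query)  # decode %27 etc. so patterns see the payload
    return rec


def flag(rec):
    """Names of the indicators that match this request's path or query."""
    haystack = rec["url"] + "?" + rec["query"]
    return [name for name, rx in INDICATORS if rx.search(haystack)]


def analyse(log_text):
    """Parse every line; return (all records, flagged records as tuples)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    findings = [
        (r["ip"], r["time"], r["method"], r["url"], r["query"], flag(r))
        for r in records if flag(r)
    ]
    return records, findings


def timeline(records, ip):
    """The sequence of requests made by one client, oldest first."""
    ordered = sorted(records, key=lambda r: r["time"])
    return [(r["time"], r["method"], r["url"]) for r in ordered if r["ip"] == ip]


if __name__ == "__main__":
    recs, hits = analyse(SAMPLE_LOG)
    for ip, t, method, url, query, names in hits:
        print(f"{t} {ip} {method} {url}?{query} -> {', '.join(names)}")
    for t, method, url in timeline(recs, "198.51.100.9"):
        print(f"  {t} {method} {url}")
```

The flagged lines give date, time, client IP, method, URL and query (items i to vi); to get the full header set and request body (vii and viii) the application itself, a reverse proxy or a Web application firewall has to be configured to log them, since the access log never has them.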

8-3-6 Methodology for Web Forensic investigation:


(1) Protect the system during forensic investigation from possible data
corruption/alteration.
(2) Discover all files needed for the forensic investigation
a. Web server and application server logs.
b. Server side scripts.
c. Configuration files of Application server and Web server.
d. Third party installed software logs and important files.
e. OS logs and registry entries.

8-3-8 Obtaining Information from the Registry (important)


The Windows registry is a central hierarchical database used to store information
that is necessary to configure the system for one or more users. The registry holds
information such as the profile of each user, the applications installed on the
computer and the types of documents each can create, the hardware present on the
system, and the ports in use. A registry hive is a group of keys, subkeys, and
values in the registry that has a set of supporting files containing backups of its
data.
[Microsoft 2010] Microsoft Support, "Windows registry information for advanced
users," http://support.Microsoft.com/kb/256986
Examining the Windows registry reveals operations done by the user. The
Windows registry has keys, which are similar to folders, and values, which are
name/data pairs. One entry to examine is the
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs key,
which holds the URLs that the current user typed into the Internet Explorer address
bar while surfing [Skoudias 2008].
The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR key holds a
record of every USB storage device that was ever plugged into the user's system.
The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces key
holds not only the current IP address but also recently used IP configurations.
In Internet Explorer, the history of visited sites is maintained in the index.dat
file, whose location is referenced in the Windows registry. TypedURLs is not a copy
of that history: it records only the addresses typed into the address bar, so it
complements index.dat rather than replacing it.
Firefox keeps limited information in the registry. Older versions (Firefox 2 and
earlier) store history in a text-based history.dat file located at C:\Documents and
Settings\<user>\Application Data\Mozilla\Firefox\Profiles\x.default\ on Windows
XP and at C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\clfzo15s.default
on Windows Vista and later; Firefox 3 and later replace it with the places.sqlite
database in the same profile folder.
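Added example, not from the lecture notes: reading browser history from a Firefox profile. The notes describe history.dat; Firefox 3 and later keep history in places.sqlite, whose moz_places and moz_historyvisits tables the Python below queries. Because a real profile cannot ship with the page, the code builds a small in-memory database with the same (reduced) schema and constructed visits, then runs the query an examiner would run against a copied places.sqlite. The typed_urls function recovers the Firefox counterpart of the TypedURLs registry key discussed above. Table layout and the visit_type codes follow Firefox's schema; the sample URLs and times are made up.

```python
"""Query Firefox browsing history from places.sqlite (Firefox 3 and later).

Added example (not from the lecture). Timestamps in places.sqlite are PRTime:
microseconds since the Unix epoch, UTC. Visit types: 1 = followed link,
2 = typed into the address bar (other codes exist but are not used here).
"""
import sqlite3
from datetime import datetime, timezone

# Reduced copy of the two tables an examiner needs; real profiles have more columns.
SCHEMA = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY, url TEXT, title TEXT,
    visit_count INTEGER DEFAULT 0, typed INTEGER DEFAULT 0, last_visit_date INTEGER);
CREATE TABLE moz_historyvisits (
    id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
    visit_date INTEGER, visit_type INTEGER);
"""


def prtime(dt):
    """Convert a naive UTC datetime to Firefox's PRTime (microseconds since epoch)."""
    return int(dt.replace(tzinfo=timezone.utc).timestamp() * 1_000_000)


def open_profile(path):
    """Open a copied places.sqlite read-only; never open the live file in the profile."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db():
    """Constructed stand-in for a seized profile: three pages, four visits."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    t0 = datetime(2019, 3, 12, 10, 0, 0)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?,?)", [
        (1, "http://www.example.com/", "Example", 2, 1, None),
        (2, "http://www.example.com/login", "Login", 1, 0, None),
        (3, "http://mail.example.net/inbox", "Inbox", 1, 1, None),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 1, prtime(t0), 2),                     # typed the site address
        (2, 1, 2, prtime(t0.replace(minute=1)), 1),   # followed a link from visit 1
        (3, 0, 3, prtime(t0.replace(minute=5)), 2),   # typed the Web mail address
        (4, 0, 1, prtime(t0.replace(minute=9)), 2),
    ])
    return conn


def history(conn):
    """Every visit in chronological order, with the page it was reached from."""
    rows = conn.execute("""
        SELECT v.visit_date, p.url, p.title, v.visit_type, v.from_visit
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date
    """).fetchall()
    return [
        {
            "time": datetime.fromtimestamp(vd / 1_000_000, tz=timezone.utc),
            "url": url, "title": title, "visit_type": vtype,
            "from_visit": from_visit,  # 0 means no referring visit
        }
        for vd, url, title, vtype, from_visit in rows
    ]


def typed_urls(conn):
    """Distinct URLs the user typed into the address bar (visit_type 2)."""
    rows = conn.execute("""
        SELECT DISTINCT p.url FROM moz_historyvisits v
        JOIN moz_places p ON p.id = v.place_id
        WHERE v.visit_type = 2 ORDER BY p.url
    """).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_sample_db()  # replace with open_profile("copy-of-places.sqlite")
    for entry in history(db):
        print(entry["time"], entry["url"], "from visit", entry["from_visit"])
    print("typed:", typed_urls(db))
```

Copy places.sqlite (and its places.sqlite-wal companion if present) out of the profile before querying it, so that the examination does not modify the original and so that the read-only URI open above succeeds.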
