Chapter 8: Emails

Question 1

where can you find digital evidence relating to an email investigation

Answer 1

local machine

Question 2

what will the local machine tell you about an email

Answer 2

• destination
• email server(s)
• device that was used to access the email
• logs from the internet service provider

Question 3

what is an emaill protocol

Answer 3

a standard that is used to allow 2 computer hosts to exchange email communication

Question 4

what does SMTP stand for

Answer 4

simple mail transfer protocol

Question 5

what does RFC stand for and what is it

Answer 5

• request for comments
• used on internet/communications technology to create standards

Question 6

what do mail servers use SMTP for

Answer 6

to send and receive email messages from all points of the internet

Question 7

what is the SMTP pathway

Answer 7

Question 8

describe POP3

Answer 8

• standardized protocol
• allows users to access their inbox and download emails
• cannot send emails (only receive)

Question 9

what does POP3 stand for

Answer 9

post office protocol

Question 10

what does IMAP stand for

Answer 10

internet message access protocol

Question 11

describe IMAP

Answer 11

• standard protocol
• used by clients to access emails on an email server
• complete inbox management w multiple clients

Question 12

what is the main difference between IMAP and POP

Answer 12

• POP retrieves contents of the mailbox
• IMAP was designed as a remote access mailbox protocol

Question 13

what are some examples of standard webmail providers

Answer 13

• gmail
• yahoo
• outlook

Question 14

what happens to user deleted emails on web-based email servers

Answer 14

remain on the server until the system deletes them

Question 15

what is a characteristc feature of web-based emails

Answer 15

when a user deletes an email, it goes into “trash/deleted” folder for a period of time before actually being deleted

Question 16

what allows a DFI to serve judicially approved subpoenas/search warrants on emails

Answer 16

• mailbox and domain name
• message ID

Question 17

what info does the email header contain

Answer 17

• source
• transmission
• destination
• (of a specific email)

Question 18

what is Message-Id field

Answer 18

• unique identification for every email that has been sent
• it is globally unique

Question 19

what does it mean if 2 emails have the same message ID

Answer 19

• the email server is not compliant w the standard
• OR
• a user has altered the email

Question 20

what does Return-Path mean

Answer 20

it is the address where undeliverable messages will be sent

Question 21

what are the different types of IPv4 addresses

Answer 21

• public
• private

Question 22

what happens when you see a private IP address in emails

Answer 22

you cannot identify the provider

Question 23

what does MIME stand for

Answer 23

multipurpose internet mail extensions

Question 24

what is MIME

Answer 24

internet standard for allowing emails to accept text

Question 25

what unique thing does the system do when email attachments are present

Answer 25

- the system separates the body of the email based upon the data type for each segment - each segment will start w a MIME header including *_PART_*

Question 26

what clients are prevalent in the consumer market and why

Answer 26

- microsoft outlook/ outlook express - cause its preinstalled on the system

Question 27

in what file type does outlook store info

Answer 27

- various - including pst, .mdb or .ost

Question 28

what is an OST file

Answer 28

an offline file that may be stored on the user's hard drive

Question 29

where do you find a MDB file

Answer 29

on the server

Question 30

where do clients store windows emails

Answer 30

as an .eml file under the windows live mail folder

Question 31

what is Mozilla Thunderbird

Answer 31

a free + open source email client

Question 32

how does thunderbird store emails

Answer 32

- within a .MBOX file

Question 33

what does MSF stand for

Answer 33

Mail summary files

Question 34

how can users access emails without a client

Answer 34

webmail

Question 35

can users use a client to access web-based emails

Answer 35

yes, but nobody really does

Question 36

if a DFI wants to access content on a web-based email, what will they need

Answer 36

A search warrant

Question 37

what can be found in the temporary internet files/cache

Answer 37

- images - text - any component of the web page the user has viewed in their browser

Question 38

what did Gmail do differently regarding images and files

Answer 38

- no longer saved to the users local storage device - instead **they used Asynchronous JavaScript and XML files**

Question 39

what do we look at before accessing the cache

Answer 39

the internet history