Investigating E-mail Crimes Flashcards
Port 25
SMTP
Port 110
POP3 (Store and Forward)
Port 143
IMAP4 (File Server)
Email Message Parts
Header
Body
Signature
What is MUA?
Mail User Agent
What is MTA?
Mail Transfer Agent
User E-mail Clients?
Standalone - Microsoft Outlook and Thunderbird
Web-based - Gmail and Yahoo
What are the three components of an e-mail server?
POP3
IMAP
SMTP
Where are e-mails stored with POP3?
Local computer. User is unable to access from a remote computer or the web.
Where are e-mails stored with IMAP?
The mail server.
What are the two ways you can categorize e-mail crime?
Crimes committed by sending e-mails
Crimes supported by e-mails
What are crimes committed by sending e-mails?
Spamming
Phishing
Mail Bombing
Mail Storms
What are crimes supported by e-mails?
Identity Fraud
Cyber-stalking
Child Pornography
Child Abduction
SPAM E-mail
Spam is unsolicited commercial email (UCE) or junk mail. Spam mail involves sending the same content to a huge number of addresses at the same time. Spamming or junk mail fills mailboxes and prevents users from accessing their regular emails. These regular emails start bouncing because the server exceeds its capacity limit. Spammers hide their identities by forging the email header. To avoid getting responses from annoyed receivers, spammers provide misleading information in the FROM and REPLY-TO fields and post them to a mailing list or newsgroup.
Phishing
Phishing has emerged as an effective method used to steal personal and confidential data of users. It is an Internet scam that tricks users into divulging their personal and confidential information by making interesting statements and offers. Phishers can attack users by mass mailings to millions of email addresses across the world.
Mail Bombing
Email bombing refers to the process of repeatedly sending an email message to a particular address at a specific victim’s site. In many instances, the messages will be large and constructed from meaningless data in an effort to consume additional system and network resources. Multiple accounts at the target site may be abused, increasing the denial of service impact.
Mail bombing is an intentional act of sending multiple copies of identical content to the same recipient. The primary objective behind mail bombing is to overload the email server and degrade the communication system by making it unserviceable.
RFC 5322
defines the Internet email message format
RFC 2045 through RFC 2049
define multimedia content attachments, together called Multipurpose Internet Mail Extensions or MIME
Max and Min size of e-mails
The maximum size for an email body with attachments is 10-25 MB. The minimum size allowed for both email header lines and body is 64 KB.
X-Headers
X-Headers is the generic term for headers starting with a capital X and a hyphen.
X-headers are nonstandard and are provided for information only.
Steps involved in investigating e-mail crimes and violations:
- Obtain a Search Warrant
- Examine e-mail messages
- Copy and print the e-mail messages
- View the e-mail headers
- Analyze the e-mail headers
- Trace the e-mail
- Acquire e-mail archives
- Examine e-mail logs
.pst
Personal e-mail file
.ost
offline email file
E-mail Dossier
is a part of the CentralOps.net suite of online network utilities. It is a scanning tool that the investigator can use to check the validity of an e-mail address. It provides information about the e-mail address, including the mail exchange records. This tool initiates SMTP sessions to check address acceptance, but it never actually sends e-mail.
Email Address Verifier
This email address verification technology connects to mailboxes to check whether an email address exists or not.
Email Checker
Email Checker is a simple tool for verifying an email address. It’s free and quite easy to use. Just enter the email address and hit the check button. Then it tells you whether the email address is real or not. It extracts the MX records from the email address and connects to the mail server (over SMTP, also simulating sending a message) to make sure the mailbox really exists for that user/address.
G-Lock Software Email Verifier
G-Lock Software E-mail Verifier will check every email address from a database or a mailing list and determine if the e-mails are still valid.
Trace Email Analyzer Tool
Tool used to examine the originating IP address
The investigators may use the following registry sites to determine the Email origin
www.arin.net: It employs the American Registry for Internet Numbers (ARIN) to match the domain name for an IP address. It also provides the point of contact for the domain name.
www.internic.com: It provides the identical information given by www.arin.net.
www.freeality.com: This site provides various options for searching, such as email address, phone numbers, and names. One can do a reverse email search, which could reveal the subject’s real name. This site can do other searches such as reverse phone number searches and address searches.
Local Archive
Any archive that has an archive format independent of a mail server
Ex: Microsoft Outlook (Index + Messages: *.pst), FoxMail (Index + Messages: *.box), etc.
Server Storage Archive
Any archive that has mixed storage for all the clients that exist on a server
Ex: MS Exchange (.STM, .EDB), IBM Notes (.NSF, .ID), GroupWise (.DB), etc.
Types of encoding in e-mails
- MIME
- Uuencode
- BinHex
- Attachment
MIME
MIME extends the email format to support the following:
- Text in non-ASCII character sets
- Attachments like application programs, images, audio, video, other than text
- Multiple part message bodies
- Non-ASCII character set header information
Uuencode
Uuencode, also known as UNIX-to-UNIX encoding or Uuencode/Uudecode, is a utility for encoding and decoding files shared between users or systems using the UNIX operating systems. It is also available for all other operating systems, and many e-mail applications offer it as an encoding alternative, especially for e-mail attachments.
BinHex
BinHex is the short form for “binary-to-hexadecimal.” It is a binary-to-text encoding system used in the Mac OS to send binary files via e-mails. This system is similar to Uuencode, but BinHex combines both “forks” of the Mac file system including extended file information.
Server Storage Archives
Microsoft Exchange
IBM Notes
Novell GroupWise
IBM Notes
is an enterprise email client that integrates messaging, business applications, and social collaboration. It allows the users to archive the messages sent and received, calendar, contacts, etc. in an encrypted format. Uses a .nsf extension.
Novell GroupWise
Using the Novell GroupWise archiving process, the users and investigators can store the email contents from the main GroupWise server to a local or networked drive. The process assigns a networked drive in the AS server to each account.
MS Exchange
The investigators should not access an active Exchange server. The best way is to create a backup of the server, which will remain available for users to connect to. Investigators must collect all the data files associated with the server, as there is more than one file associated with Exchange email. The archive consists of the PRIV.EDB file, PUB.EDB file, and PRIV.STM file. The files available will vary according to the Exchange server you are dealing with.
PRIV.EDB
It is a rich-text database file that contains message headers, message text, and a standard attachment
PUB.EDB
It is a database file to store public folder hierarchies and contents.
PRIV.STM
It is a streaming Internet content file containing video, audio, and other media that are streams of MIMEs.
Thunderbird deleted e-mails
Messages deleted from the mailbox are tagged for deletion and are no longer visible in the mailbox. However, these deleted messages reside in the trash folder until the trash folder is cleared.
Outlook PST deleted e-mails
Data is moved from the active part of the archive to a recycle bin. If the recycle bin is emptied, it goes to the unallocated space of the email archive, where it resides for a specific period. Recovery of this data varies depending on the size of the archive.
Examining Linux E-mail Server Logs
Sendmail is the command used to send e-mails via a Linux or Unix system. Both Linux and Unix use Syslog to maintain logs. The config file /etc/syslog.conf determines the location of the syslog service logs.
The syslog.conf provides the location of the log file for e-mail, which is usually
/var/log/maillog
The /var/log/maillog file contains source and destination IP addresses, date and time stamps, and other information necessary to validate the data within an e-mail header.
Examining Microsoft Exchange E-mail Server Logs
Microsoft Exchange uses the Microsoft Extensible Storage Engine (ESE)
While investigating an e-mail sent via Microsoft Exchange server, you should primarily focus on the following files:
.edb database files (responsible for MAPI information)
.stm database files (responsible for non-MAPI information)
checkpoint files
temporary files
Checkpoint files help to find out if any data loss occurred after the last backup, allowing you to recover lost or deleted messages.
Temporary files store the information received by the server when it was too busy to process it immediately.
The transaction log preserves and processes modifications made to the database file, so it can be used to determine if an email has been sent or received by the server.
U.S. laws against E-mail related crimes:
- CAN-SPAM Act - (Controlling the Assault of Non-Solicited Pornography and Marketing Act)
- 18 U.S.C. § 2252A - Transmission of Child Pornography
- 18 U.S.C. § 2252B - Manipulation of domain names or other means to provide access to Child Pornography
- Residents of Washington D.C. are governed by RCW 19.190.020
E-mail Forensic Tools
Recover My Email - Recover deleted emails from PST/OST
MailXaminer - e-mail searching, reporting, and exporting tool used by law enforcement agencies.
Stellar Phoenix Deleted Email Recovery - Recover deleted emails from PST or DBX files.
Forensic Toolkit (FTK) - A court-cited digital investigations platform
Paraben’s Email Examiner - forensically examines email formats. Allows you to analyze message headers, bodies, and attachments.
Kernel for PST Recovery - to repair corrupted PST files and recover all email items from them. It successfully fixes errors resulting from damaged or corrupted PST files, virus attacks, deleted emails, broken
MxToolBox Email Header Analyzer - This tool will make email headers humanly readable by parsing them according to RFC 822.
Wise Data Recovery - a data recovery program to get back deleted photos, documents, videos, emails etc. from your local or removable drives for free.
EaseUS Email Recovery Wizard - an email recovery software to recover deleted or lost emails, folders, calendars, appointments, meeting requests, contacts, tasks, task requests, journals, notes and attachments from corrupted .pst file. It is a safe and read-only utility which reads the lost/deleted mail items without modifying the existing content and restores the lost data into a new file.
DiskInternals Mail Recovery - can automatically locate, recover and fix broken Outlook Express, Vista Mail, Microsoft Outlook, Server Storage Archive and The Bat email databases on severely corrupted and damaged disks in one action.
Aid4Mail Email Forensic software - is used to quickly and reliably migrate email accounts, easily transfer messages between email apps and web-based services.
Paraben’s Network E-mail Examiner - Network E-mail Examiner makes it easy to analyze and filter messages and output the results into PST files.
Nuix Investigator Lab - is for organizations looking to set up a dedicated facility that can rapidly ingest and process terabytes of digital evidence per day and make it available for timely analysis. It enables multiple investigators and subject matter experts simultaneously to review and collaborate on an investigation with secure remote access, and produce comprehensive reports on your findings.
emailTrackerPro - not only offers the ability to trace an email using the email header but it also comes with a spam filter (advanced edition), which scans each email as it arrives and warns the user if it is suspected spam. Stops spam email before it reaches its intended recipient.
EnCase Forensic - It empowers examiners with efficiency and results in forensic investigations.
OSForensics - It helps discover relevant forensic data faster with high performance file searches and indexing as well as restores deleted files. It identifies suspicious files and activity with hash matching, drive signature comparisons and looks into e-mails, memory and binary data. It also manages digital investigation, organizes information and creates reports about collected forensic data.
Exchange Deleted Email Recovery - This product features MS Exchange Server email data EDB file recovery from any extent of file corruption, protection and deletion, thus eliminating server downtime.
Kernel Email Recovery Software - Kernel data recovery group presents a wide range of email recovery products which recover the lost and deleted emails, email attachments, images, files and email properties. This recovery software is developed to restore and repair files of MS Outlook (OST and PST), Outlook Express (DBX), IncrediMail (.IMM, .IMH, .IMB) which might get corrupt due to accidental deletion of emails, virus attacks, emails corrupted in the transit and even when the emails are emptied from the ‘Deleted Items’ folder of the email clients.
Intella TEAM - enables multiple individuals to review evidence independently. It is an email investigation and eDiscovery software tool for an agency, law firm or investigative team that needs to coordinate the search and analysis of ESI and files that exceed 250 gigabytes. Investigators can quickly and easily process, search, review and analyze email and ESI as well as process and search multiple email sources, file types and metadata. It allows viewing results in a visual layout of choice and exporting the documents of interest in a wide variety of file formats.
EMail Detective - Forensic Software Tool - This application is used to extract any MBOX or AOL email that has been cached or saved on a user’s disk. Additionally, a comprehensive report is produced that contains all the emails for a user. This report can then be instantly viewed and searched for any specific words or phrases by the investigator.
Lotus Notes Forensics Tool - It recovers and extracts evidence from NSF Files
Stellar Phoenix Mailbox Exchange Recovery - repairs corrupt Exchange Database (EDB) files. It is capable of handling any level of corruption in EDB and restoring mailbox contents like emails, attachments, contacts, calendars, tasks, etc.
PST Outlook Repair - Outlook PST stores the Outlook files and maintains the Outlook data until the storage space is consumed or MS Outlook itself encounters some technical glitch.
Forensic Email Recovery Tools Kit - This kit looks into a suspect’s mailbox even if the suspect has corrupted or deleted the relevant emails from the email database of the Outlook application, Exchange email system or Mac Outlook email program.
Repair PST - Outlook PST Recovery - Repair PST is an Outlook PST Recovery software to recover emails from corrupt PST files of Microsoft Outlook. It successfully recovers emails from Outlook PST with tasks, contacts, calendar, journal, notes and attachments.
Kroll Ontrack Email Recovery - It is an email management tool that helps IT administrators granularly search and restore mailboxes, messages, attachments and other Microsoft® Office Outlook items without restoring the entire database.
Unistal Email Recovery Software - This software tool helps recover and restore MS Outlook Files, Lotus Notes email files, Incredimail as well as MS Exchange email files.
InFixi® Email Recovery Tools - InFixi Software group offers a great range of software product for “Email Recovery”, “Email Conversion”, “File Repair”, “File Recovery” and “Password Recovery”.
DataNumen Outlook Repair - scans the corrupt Outlook personal folders (.pst) files and recovers mail messages, folders, posts, calendars, appointments, meeting requests, contacts, distribution lists, tasks, task requests, journals, notes, etc. in them, thereby minimizing the loss in file corruption.
Stellar Phoenix Outlook PST Repair Software - Stellar Phoenix® Outlook PST Repair is a reliable solution to repair and recover Outlook personal storage file ‘.PST’. After repair, the contents are restored to a new importable PST file. The application also facilitates the recovery of folders.
Recovery Toolbox for Outlook - helps to restore emails, attachments, contacts and other from damaged .PST or .OST file. PST repair software helps to fix errors detected in Outlook.
MS Outlook PST Recovery Tool - It is a reliable solution to repair corrupted PST files, recover shift deleted emails, contacts, tasks, and save data in the different formats like; PST, MSG, or EML.
CAN-SPAM Act
Controlling the Assault of Non-Solicited Pornography and Marketing Act
CAN-SPAM’s main requirements meant for senders:
Do not use false or misleading header information
Do not use deceptive subject lines
The commercial e-mail must be identified as an ad
The email must have your valid physical postal address
The email must contain the necessary information regarding how to stop receiving e-mails from the sender in future
Honor recipients’ opt-out request within 10 business days
Both the company whose product is promoted in the message and the e-mailer hired on contract to send messages must comply with the law
As per the CAN-SPAM Act, there are certain specified violations that may involve additional fines. Criminal penalties and imprisonment may be imposed for:
- Accessing someone else’s computer to send spam mails without permission
- Using false information to register for multiple email accounts or domain names
- Relaying or retransmitting multiple spam messages through a computer to mislead others about the origin of the message
- Harvesting email addresses or generating them through a dictionary attack (the practice of sending e-mails to addresses made up of random letters and numbers in the hope of reaching valid ones)
- Taking advantage of open relays or open proxies without permission