Investigating E-mail Crimes Flashcards

1
Q

Port 25

A

SMTP

2
Q

Port 110

A

POP3 (Store and Forward)

3
Q

Port 143

A

IMAP4 (File Server)

4
Q

Email Message Parts

A

Header
Body
Signature

5
Q

What is MUA?

A

Mail User Agent

6
Q

What is MTA?

A

Mail Transfer Agent

7
Q

User E-mail Clients?

A

Standalone - Microsoft Outlook and Thunderbird

Web-based - Gmail and Yahoo

8
Q

What are the three components of an e-mail server?

A

POP3
IMAP
SMTP

9
Q

Where are e-mails stored with POP3?

A

On the local computer. The user is unable to access them from a remote computer or the web.

10
Q

Where are e-mails stored with IMAP?

A

The mail server.

11
Q

What are the two ways you can categorize e-mail crime?

A

Crimes committed by sending e-mails

Crimes supported by e-mails

12
Q

What are crimes committed by sending e-mails?

A

Spamming
Phishing
Mail Bombing
Mail Storms

13
Q

What are crimes supported by e-mails?

A

Identity Fraud
Cyber-stalking
Child Pornography
Child Abduction

14
Q

SPAM E-mail

A

Spam is unsolicited commercial email (UCE) or junk mail. Spam mail involves sending the same content to a huge number of addresses at the same time. Spamming or junk mail fills mailboxes and prevents users from accessing their regular emails. These regular emails start bouncing because the server exceeds its capacity limit. Spammers hide their identities by forging the email header. To avoid getting responses from annoyed receivers, spammers provide misleading information in the FROM and REPLY-TO fields and post them to a mailing list or newsgroup.

15
Q

Phishing

A

Phishing has emerged as an effective method used to steal personal and confidential data of users. It is an Internet scam that tricks users into divulging their personal and confidential information by making interesting statements and offers. Phishers can attack users by mass mailings to millions of email addresses across the world.

16
Q

Mail Bombing

A

Email bombing refers to the process of repeatedly sending an email message to a particular address at a specific victim’s site. In many instances, the messages will be large and constructed from meaningless data in an effort to consume additional system and network resources. Multiple accounts at the target site may be abused, increasing the denial of service impact.
Mail bombing is an intentional act of sending multiple copies of identical content to the same recipient. The primary objective behind mail bombing is to overload the email server and degrade the communication system by making it unserviceable.

17
Q

RFC 5322

A

defines the Internet email message format

18
Q

RFC 2045 through RFC 2049

A

define multimedia content attachments, together called Multipurpose Internet Mail Extensions or MIME

19
Q

Max and Min size of e-mails

A

The maximum size for email body with attachments is 10-25 MB. The minimum size allowed for both email header lines and body is 64 KB.

20
Q

X-Headers

A

X-headers is the generic term for headers starting with a capital X and a hyphen.

X-headers are nonstandard and are provided for information only.

21
Q

Steps involved in investigating e-mail crimes and violations:

A
  1. Obtain a Search Warrant
  2. Examine e-mail messages
  3. Copy and print the e-mail messages
  4. View the e-mail headers
  5. Analyze the e-mail headers
  6. Trace the e-mail
  7. Acquire e-mail archives
  8. Examine e-mail logs
22
Q

.pst

A

Personal e-mail file

23
Q

.ost

A

offline email file

24
Q

E-mail Dossier

A

is a part of the CentralOps.net suite of online network utilities. It is a scanning tool that the investigator can use to check the validity of an e-mail address. It provides information about the e-mail address, including the mail exchange records. This tool initiates SMTP sessions to check address acceptance, but it never actually sends e-mail.

25
Q

Email Address Verifier

A

This email address verification technology connects to mailboxes to check whether an email address exists or not.

26
Q

Email Checker

A

Email Checker is a simple tool for verifying an email address. It’s free and quite easy to use. Just enter the email address and hit the check button. Then it tells you whether the email address is real or not. It extracts the MX records from the email address and connects to the mail server (over SMTP, and also simulates sending a message) to make sure the mailbox really exists for that user/address.

27
Q

G-Lock Software Email Verifier

A

G-Lock Software E-mail Verifier will check every email address from a database or a mailing list and determine if the e-mails are still valid.

28
Q

Trace Email Analyzer Tool

A

Tool used to examine the originating IP address

29
Q

The investigators may use the following registry sites to determine the Email origin

A

www.arin.net: It employs the American Registry for Internet Numbers (ARIN) to match the domain name for an IP address. It also provides the point of contact for the domain name.
www.internic.com: It provides the identical information given by www.arin.net.
www.freeality.com: This site provides various options for searching, such as email address, phone numbers, and names. One can do a reverse email search, which could reveal the subject’s real name. This site can do other searches such as reverse phone number searches and address searches.

30
Q

Local Archive

A

Any archive that has an archive format independent of a mail server.
Ex: Microsoft Outlook (Index + Messages: *.pst), FoxMail (Index + Messages: *.box), etc.

31
Q

Server Storage Archive

A

Any archive that has mixed storage for all the clients that exist on a server.
Ex: MS Exchange (.STM, .EDB), IBM Notes (.NSF, .ID), GroupWise (.DB), etc.

32
Q

Types of encoding in e-mails

A
MIME
Uuencode
BinHex
Attachment
33
Q

MIME

A

MIME extends the email format to support the following:

  1. Text in non-ASCII character sets
  2. Attachments like application programs, images, audio, video, other than text
  3. Multiple part message bodies
  4. Non-ASCII character set header information
34
Q

Uuencode

A

Uuencode, also known as UNIX-to-UNIX encoding or Uuencode/Uudecode, is a utility for encoding and decoding files shared between users or systems using the UNIX operating systems. It is also available for all other operating systems, and many e-mail applications offer it as an encoding alternative, especially for e-mail attachments.

35
Q

BinHex

A

BinHex is the short form for “binary-to-hexadecimal.” It is a binary-to-text encoding system used in the Mac OS to send binary files via e-mails. This system is similar to Uuencode, but BinHex combines both “forks” of the Mac file system including extended file information.

36
Q

Server Storage Archives

A

Microsoft Exchange
IBM Notes
Novell GroupWise

37
Q

IBM Notes

A

is an enterprise email client that integrates messaging, business applications, and social collaboration. It allows users to archive sent and received messages, calendar, contacts, etc. in an encrypted format. Uses a .nsf extension.

38
Q

Novell GroupWise

A

Using the Novell GroupWise archiving process, users and investigators can store the email contents from the main GroupWise server to a local or networked drive. The process assigns a networked drive in the AS server to each account.

39
Q

MS Exchange

A

The investigators should not access an active Exchange server. The best way is to create a backup of the server, which will remain available for users to connect to the Exchange server. Investigators must collect all the data files associated with the server, as there is more than one file associated with Exchange email. The archive file consists of the PRIV.EDB file, PUB.EDB file, and PRIV.STM file. The files available will vary according to the Exchange server you are dealing with.

40
Q

PRIV.EDB

A

It is a rich-text database file that contains message headers, message text, and a standard attachment

41
Q

PUB.EDB

A

It is a database file to store public folder hierarchies and contents.

42
Q

PRIV.STM

A

It is a streaming Internet content file containing video, audio, and other media stored as MIME streams.

43
Q

Thunderbird deleted e-mails

A

Messages deleted from the mailbox are tagged for deletion and are no longer visible in the mailbox. However, these deleted messages reside in the trash folder until the trash folder is cleared.

44
Q

Outlook PST deleted e-mails

A

Data is taken from the active part of the archive to a recycle bin. If the recycle bin is emptied, it goes to the unallocated space of the email archive, where it resides for a specific period. Recovery of this data varies depending on the size of the archive.

45
Q

Examining Linux E-mail Server Logs

A

Sendmail is the command used to send e-mails via a Linux or Unix system. Both Linux and Unix use Syslog to maintain logs. The config file /etc/syslog.conf determines the location of syslog service logs.

The syslog.conf provides the location of the log file for e-mail, which is usually
/var/log/maillog

The /var/log/maillog file contains source and destination IP addresses, date and time stamps, and other information necessary to validate the data within an e-mail header.

46
Q

Examining Microsoft Exchange E-mail Server Logs

A

Microsoft Exchange uses the Microsoft Extensible Storage Engine (ESE).
While investigating an e-mail sent via a Microsoft Exchange server, you should primarily focus on the following files:
  • .edb database files (responsible for MAPI information)
  • .stm database files (responsible for non-MAPI information)
  • checkpoint files
  • temporary files

Checkpoint files help to find out if any data loss occurred after the last backup, allowing you to recover lost or deleted messages.

Temporary files store the information received by the server when it was too busy to process it immediately.

The transaction log preserves and processes modifications done in the database file, so it can be used to determine if the email has been sent or received by the server.

47
Q

U.S. laws against E-mail related crimes:

A
  1. CAN-SPAM Act - (Controlling the Assault of Non-Solicited Pornography and Marketing Act)
  2. 18 U.S.C. § 2252A - Transmission of Child Pornography
  3. 18 U.S.C. § 2252B - Manipulation of domain names or other means to provide access to Child Pornography
  4. Residents of Washington D.C. are governed by RCW 19.190.020
48
Q

E-mail Forensic Tools

A

Recover My Email - Recover deleted emails from PST/OST

MailXaminer - e-mail searching, reporting, and exporting tool used by law enforcement agencies.

Stellar Phoenix Deleted Email Recovery - Recover deleted emails from PST or DBX files.

Forensic Toolkit (FTK) - A court-cited digital investigations platform

Paraben’s Email Examiner - forensically examines email formats. Allows you to analyze message headers, bodies, and attachments.

Kernel for PST Recovery - to repair corrupted PST file and recover all email items from them. It successfully fixes errors resulted due to damaged or corrupted PST file, virus attacks, deleted emails, broken

MxToolBox Email Header Analyzer - This tool will make email headers humanly readable by parsing them according to RFC 822.

Wise Data Recovery - a data recovery program to get back deleted photos, documents, videos, emails etc. from your local or removable drives for free.

EaseUS Email Recovery Wizard - an email recovery software to recover deleted or lost emails, folders, calendars, appointments, meeting requests, contacts, tasks, task requests, journals, notes and attachments from corrupted .pst file. It is a safe and read-only utility which reads the lost/deleted mail items without modifying the existing content and restores the lost data into a new file.

DiskInternals Mail Recovery - can automatically locate, recover and fix broken Outlook Express, Vista Mail, Microsoft Outlook, Server Storage Archive and The Bat email databases on severely corrupted and damaged disks in one action.

Aid4Mail Email Forensic software - is used to quickly and reliably migrate email accounts, easily transfer messages between email apps and web-based services.

Paraben’s Network E-mail Examiner - Network E-mail Examiner makes it easy to analyze and filter messages and output the results into PST files.

Nuix Investigator Lab - is for organizations looking to set up a dedicated facility that can rapidly ingest and process terabytes of digital evidence per day and make it available for timely analysis. It enables multiple investigators and subject matter experts simultaneously to review and collaborate on an investigation with secure remote access, and produce comprehensive reports on your findings.

emailTrackerPro - not only offers the ability to trace an email using the email header but it also comes with a spam filter (advanced edition), which scans each email as it arrives and warns the user if it is suspected spam. Stops spam email before it reaches its intended recipient.

EnCase Forensic - It empowers examiners with efficiency and results in forensic investigations.

OSForensics - It helps discover relevant forensic data faster with high performance file searches and indexing as well as restores deleted files. It identifies suspicious files and activity with hash matching, drive signature comparisons and looks into e-mails, memory and binary data. It also manages digital investigation, organizes information and creates reports about collected forensic data.

Exchange Deleted Email Recovery - This product features MS Exchange Server email data EDB file recovery from any extent of file corruption, protection, and deletion, thus eliminating server downtime.

Kernel Email Recovery Software - Kernel data recovery group presents a wide range of email recovery products which recover the lost and deleted emails, email attachments, images, files and email properties. This recovery software is developed to restore and repair files of MS Outlook (OST and PST), Outlook Express (DBX), IncrediMail (.IMM, .IMH, .IMB) which might get corrupt due to accidental deletion of emails, virus attacks, emails corrupted in the transit and even when the emails are emptied from the ‘Deleted Items’ folder of the email clients.

Intella TEAM - enables multiple individuals to review evidence independently. It is an email investigation and eDiscovery software tool for an agency, law firm or investigative team that needs to coordinate the search and analysis of ESI and files that exceed 250 gigabytes. Investigators can quickly and easily process, search, review and analyze email and ESI as well as process and search multiple email sources, file types and metadata. It allows viewing results in a visual layout of choice and exporting the documents of interest in a wide variety of file formats.

EMail Detective - Forensic Software Tool - This application is used to extract any MBOX or AOL email that has been cached or saved on a user’s disk. Additionally, a comprehensive report is produced that contains all the emails for a user. This report can then be instantly viewed and searched for any specific words or phrases by the investigator.

Lotus Notes Forensics Tool - It recovers and extracts evidence from NSF Files

Stellar Phoenix Mailbox Exchange Recovery - repairs corrupt Exchange Database (EDB) files. It is capable of handling any level of corruption in EDB and restoring mailbox contents like emails, attachments, contacts, calendars, tasks, etc.

PST Outlook Repair - Outlook PST stores the Outlook files and maintains the Outlook data until the space is consumed or MS Outlook itself encounters some technical glitches.

Forensic Email Recovery Tools Kit - This kit looks into a suspect’s mailbox even if he/she has corrupted or deleted the relevant emails from his/her email database of the Outlook application, Exchange email system, or Mac Outlook email program.

Repair PST - Outlook PST Recovery - Repair PST is an Outlook PST Recovery Software to recover emails from corrupt PST files of Microsoft Outlook. It successfully recovers emails from Outlook PST with tasks, contacts, calendar, journal, notes and attachments.

Kroll Ontrack Email Recovery - It is an email management tool that helps IT administrators granularly search and restore mailboxes, messages, attachments and other Microsoft® Office Outlook items without restoring the entire database.

Unistal Email Recovery Software - This software tool helps recover and restore MS Outlook Files, Lotus Notes email files, Incredimail as well as MS Exchange email files.

InFixi® Email Recovery Tools - InFixi Software group offers a great range of software products for “Email Recovery”, “Email Conversion”, “File Repair”, “File Recovery” and “Password Recovery”.

DataNumen Outlook Repair - scans the corrupt Outlook personal folders (.pst) files and recovers mail messages, folders, posts, calendars, appointments, meeting requests, contacts, distribution lists, tasks, task requests, journals, notes, etc. in them, thereby minimizing the loss in file corruption.

Stellar Phoenix Outlook PST Repair Software - Stellar Phoenix® Outlook PST Repair is a reliable solution to repair and recover Outlook personal storage file ‘.PST’. After repair, the contents are restored to a new importable PST file. The application also facilitates the recovery of folders.

Recovery Toolbox for Outlook - helps to restore emails, attachments, contacts and other from damaged .PST or .OST file. PST repair software helps to fix errors detected in Outlook.

MS Outlook PST Recovery Tool - It is a reliable solution to repair corrupted PST files, recover shift deleted emails, contacts, tasks, and save data in the different formats like; PST, MSG, or EML.

49
Q

CAN-SPAM Act

A

Controlling the Assault of Non-Solicited Pornography and Marketing Act

50
Q

CAN-SPAM’s main requirements meant for senders:

A

Do not use false or misleading header information

Do not use deceptive subject lines

The commercial e-mail must be identified as an ad

The email must have your valid physical postal address

The email must contain the necessary information regarding how to stop receiving e-mails from the sender in future

Honor recipients’ opt-out request within 10 business days

Both the company whose product is promoted in the message and the e-mailer hired on contract to send messages must comply with the law

51
Q

As per the CAN-SPAM Act, there are certain specified violations that may involve additional fines. Criminal penalties and imprisonment may be imposed for:

A
  • Accessing someone else’s computer to send spam mails without permission
  • Using false information to register for multiple email accounts or domain names
  • Relaying or retransmitting multiple spam messages through a computer to mislead others, about the origin of the message
  • Harvesting email addresses or generating them through a dictionary attack (the practice of sending e-mails to addresses made up of random letters and numbers in the hope of reaching valid ones)
  • Taking advantage of open relays or open proxies without permission