Module 2 - E-mail

Question 1

E-mail threats (3)

Answer 1

• inbound email allowed by design
• can be spoofed (if not digitally signed)
• two paths (corporate system, personal/web-based)

Question 2

Spam Characteristics

Answer 2

• unsolicited commercial e-mail
• no valid reply address
• no affiliation with recipient
• no ability to opt-out
• sale of goods or services

Question 3

Phishing Attack

Answer 3

email tailored to an org or group of individuals

- malicious payload (exe, office with macros, PDFs with Javascript, hyperlinks)

Question 4

Spear Phishing Attack

Answer 4

• Target individuals (executives, senior mgmt, executive assistants, IT Staff)

Question 5

Whaling attacks

Answer 5

form of spear phishing

Targets executives, senior mgmt

Question 6

Email artifacts for threats

Answer 6

• within e-mail
• browser or app that establishes outbound connection
• firewall/server logs

Question 7

Email Analysis (within)

Answer 7

email header (proof of delivery, sender and return-path, servers/IP addresses)
body
attachments

Question 8

Email Header correlations

Answer 8

Return-Path and From
X-Mailer with user and IP
Delivered-To and To (could be OK if BCC)

Question 9

Email locations (5)

Answer 9

Mail server
Journaling (if SOX compliant)
Local containers within profiles
temporary internet files
temp directories contain attachments

Question 10

Public IP and Emails

Answer 10

Yahoo appends public IP of sender to e-mails

Google does not.

Question 11

Outlook Personal Folders (location)

Answer 11

C:\users\%username%\Local\Application Data\Microsoft\Outlook\

Question 12

Thunderbird Mail (location)

Answer 12

%USERPROFILE%\Application Data\Thunderbird\Profiles\XXXXXXXX.default\Mail\

Question 13

Windows.edb

Answer 13

C:\ProgramData\Microsoft\Search\Data\Application\Windows

-Windows indexer for searching