Chapter 11: E-mail and Social Media Investigations


50 Terms

1
New cards

For digital investigators, tracking intranet e-mail is easier because accounts use standard names the administrator establishes.

True

2
New cards

Investigating crimes or policy violations involving e-mail is different than investigating other types of computer abuse and crimes.

False

3
New cards

E-mail programs either save e-mail messages on the client computer or leave them on the server.

True

4
New cards

All e-mail servers use databases that store multiple users' e-mails.

False

5
New cards

Like UNIX e-mail servers, Exchange maintains logs to track e-mail communication.

True

6
New cards

E-mail messages are distributed from a central server to many connected client computers, a configuration called ____.

client/server architecture

7
New cards

In an e-mail address, everything after the ____ symbol represents the domain name.

@

8
New cards

With many ____ e-mail programs, you can copy an e-mail message by dragging the message to a storage medium, such as a folder or drive.

GUI

9
New cards

After you open e-mail headers, copy and paste them into a text document so that you can read them with a text editor, such as Windows ____.

Notepad+

10
New cards

To retrieve e-mail headers in Microsoft Outlook, double-click the e-mail message, and then click File, ____. The "Internet headers" text box at the bottom of the dialog box contains the message header.

Properties

11
New cards

Some popular Web-based e-mail service providers are Gmail, ____, Outlook Online, and Yahoo!

Zoho

12
New cards

____ trains people to listen to voice recordings to determine who's speaking or read e-mail and other writings known to be by a certain person and determine whether that person wrote the e-mail or letter in question.

Forensic linguistics

13
New cards

To view Gmail Web e-mail headers open the e-mail, click the down arrow next to the Reply circular arrow, and click ____.

Show original

14
New cards

To view e-mail headers on Yahoo! click the ____ list arrow, and click View Raw Message.

More

15
New cards

In Microsoft Outlook, you can save sent, drafted, deleted, and received e-mails in a file with a file extension of ____.

.pst

16
New cards

____ is a way to verify the names of domains a message is flowing through.

www.dkim.org

17
New cards

____ allocates space for a log file on the server, and then starts overwriting from the beginning when logging reaches the end of the time frame or the specified log size.

Circular logging

18
New cards

The files that provide helpful information to an e-mail investigation are log files and ____ files.

configuration

19
New cards

____ contains configuration information for Sendmail, helping the investigator to determine where the log files reside.

/etc/sendmail.cf

20
New cards

Typically, UNIX installations are set to store logs in the ____ directory.

/var/log

21
New cards

Exchange logs information about changes to its data in a(n) ____ log.

transaction

22
New cards

In Exchange, to prevent loss of data from the last backup, a ____ file or marker is inserted in the transaction log to mark the last point at which the database was written to disk.

checkpoint

23
New cards

In Microsoft Exchange, a(n) ____ file is responsible for messages formatted with MAPI.

.edb

24
New cards

Some e-mail systems store messages in flat plaintext files, known as a(n) ____ format.

mbox

25
New cards

In Facebook the ____ info simply tells you the last time a person logged on.

basic subscriber

26
New cards

Describe how e-mail account names are created on an intranet environment.

In most cases, an intranet e-mail system is specific to a company, used only by its employees, and regulated by its business practices, which usually include strict security and acceptable use policies. For example, network users can't create their own e-mail accounts, and usernames tend to follow some type of naming convention that the e-mail administrator determines. So for John Smith at Some Company, jsmith is the username, followed by the company's domain name, somecompany.com, to create the e-mail address jsmith@somecompany.com.

27
New cards

Describe the process of examining e-mail messages when you have access to the victim's computer and when this access is not possible.

After you have determined that a crime has been committed involving e-mail, access the victim's computer or mobile device to recover the evidence on it. Using the victim's e-mail client, find and copy any potential evidence. It might be necessary to log on to the e-mail service and access any protected or encrypted files or folders. If you can't actually sit down at the victim's computer, you might have to guide the victim on the phone to open and print a copy of an offending message, including the header. The header contains unique identifying numbers, such as the IP address of the server that sent the message. This information helps you trace the e-mail to the suspect.

28
New cards

What are the steps for copying an e-mail message in Outlook or Outlook Express?

1. Insert a USB drive into a USB port.
2. Open File Explorer and navigate to the USB drive.
3. Start Outlook.
4. Click the folder containing the message you want to copy.
5. Resize the Outlook window.
6. Drag the message from the Outlook window to the USB drive icon in File Explorer.
7. Click the File tab, and then click Print to open the Print pane. After printing the e-mail so that you have a copy to include in your final report, exit Outlook.

29
New cards

What is forensic linguistics?

Forensic linguistics - training people to listen to voice recordings to determine who's speaking or read e-mail and other writings known to be by a certain person and determine whether that person wrote the e-mail or letter

30
New cards

What kind of information can you find in an e-mail header?

The sender/receiver, date and time, the subject line, information about the route the e-mail took through e-mail servers, and IP addresses.

31
New cards

Explain how to handle attachments during an e-mail investigation.

An attachment can be any type of file, from a program to a picture. If a message includes an attachment, investigate it as a supporting piece of evidence. If you're working with the victim, the attachment is usually still attached to the e-mail. If you're investigating a suspect's computer, remember to work with the copied version. On a suspect's computer or forensic image, search for the attached file with a forensics tool or the OS's Search or Find feature to determine whether the file was saved and still exists on the drive. If you're investigating an e-mail attachment with an unfamiliar file extension, such as .mdf, you can search the Internet to find out what program creates a file of this type.

32
New cards

Why are network router logs important during an e-mail investigation?

Network administrators maintain logs of the inbound and outbound traffic routers handle. Routers have rules to allow or deny traffic based on source or destination IP address. In most cases, a router is set up to track all traffic flowing through its ports. Using these logs, you can determine the path a transmitted e-mail has taken. The network administrator who manages routers can supply the log files you need. Review the router logs to find the victim's (recipient's) e-mail, and look for the unique ID number.

33
New cards

What kind of information is normally included in e-mail logs?

E-mail logs generally identify the e-mail messages an account received, the IP address from which they were sent, the time and date the e-mail server received them, the time and date the client computer accessed the e-mail, the e-mail contents, system-specific information, and any other information the e-mail administrator wants to track.

34
New cards

Provide a brief description of Microsoft Exchange Server.

Microsoft e-mail server software. Exchange uses an Exchange database and is based on the Microsoft Extensible Storage Engine (ESE), which uses several files in different combinations to provide e-mail service. The files most useful to an investigation are .edb database files, checkpoint files, and temporary files.

35
New cards

Briefly explain forensic tools for social media investigations.

Software for social media forensics is being developed, but not many tools are available. A number of social media tools that were free or inexpensive have now been incorporated into forensics suites, such as FTK Social Analyzer, or offer only 14-day to 30-day trials. In addition, there are many questions about how the information these tools gather can be used in court or in arbitration. Investigators often run into the problem of finding information unrelated to a case, and sometimes they must stop to get another warrant or subpoena, such as investigating a claim of fraud and finding evidence of corporate espionage. Using social media forensics software might also require getting the permission of people whose information is being examined.

36
New cards

A privacy law in the United States

Electronic Communications Privacy Act (ECPA)

37
New cards

Text editor for macOS

TextEdit

38
New cards

Text editor used with Windows

Notepad+

39
New cards

Unique to each message an e-mail server transmits

ESMTP number

40
New cards

Facebook extended subscriber info profile

Neoprint

41
New cards

Used to conduct business, brag about criminal activities, raise money, and have class discussions

OSNs

42
New cards

Where language and the law intersect

Forensics linguistic

43
New cards

A registry Web site

www.arin.net

44
New cards

Attempt to get personal information by luring readers with false promises

Phishing e-mails

45
New cards

A Microsoft system that enables different e-mail applications to work together

Messaging Application Programming Interface (MAPI)

46
New cards

Forensic linguistics encompasses civil cases, criminal cases, cyberterrorism cases, and other legal proceedings.

True

47
New cards

E-mail crimes and violations rarely depend on the city, state, and country in which the e-mail originated.

False

48
New cards

Evidence artifacts vary depending on the social media channel and the device.

True

49
New cards

A challenge with using social media data in court is authenticating the author and the information.

True

50
New cards

You can send and receive e-mail in two environments: via the Internet or an intranet (an internal network).

True