Email Forensics & Malware Forensics Vocabulary

Email Forensics

  • Email Forensics is used to investigate email crimes and violations.
  • Malware Forensics is used to analyze and identify malicious software.

Objectives:

  • Explain the role of e-mail in investigations.
  • Describe client and server roles in e-mail.
  • Describe tasks in investigating e-mail crimes and violations.
  • Explain the use of e-mail server logs.
  • Describe some specialized e-mail forensics tools.
  • Explain how to apply digital forensics methods to investigating social media communications.
  • Describe the importance of Malware Forensics.
  • Explain Static and Run-Time Analysis in Malware Forensics.

Role of Email in Investigations:

  • Increase in e-mail scams and fraud attempts with phishing or spoofing.
  • Investigators need to know how to examine and interpret the unique content of e-mail messages.
  • Phishing e-mails contain links to text on a Web page, attempting to get personal information from the reader.
  • Pharming: DNS poisoning takes user to a fake site.
  • A noteworthy e-mail scam was 419, or the Nigerian Scam.
  • Spoofing e-mail can be used to commit fraud.

Spam Act 2003

  • Prohibits sending unsolicited commercial electronic messages (spam) with an Australian link.
  • A message has an Australian link if it originates from or is commissioned in Australia, or originates overseas but is sent to an address accessed in Australia.

Roles of Client and Server in E-mail

  • E-mail can be sent and received in two environments:
    • Internet
    • Intranet (an internal network)
  • Client/server architecture:
    • Server OS and e-mail software differ from those on the client side.
    • Protected accounts require usernames and passwords.
      • E.g. Corporate: john.smith@somecompany.com
      • E.g. Public: whatever@gmail.com
  • Email clients run programs such as Microsoft Outlook and Evolution.
  • Email servers run programs such as Exchange Server and Sendmail.

Acquire Archives

  • Local Archive
  • Process all items with complete structure:
    • header
    • body
    • encoding
    • attachment
  • Compute verification through hash value

Header

  • It is the envelope of the email containing information such as sender and receiver address, subject, time of creation, delivery stamps, message author, CC, and BCC.
  • Not all of the above-mentioned data can be found in every email message.

Body

  • It is the primary content or letter of the message.

Encoding

  • Acts as a universal translator for the email, allowing different email programs to pass data to one another
  • Types of encoding include:
    • MIME (Multipurpose Internet Mail Extensions): Protocol that allows non-ASCII files (video, graphics, and audio) to be embedded in the email message
    • UUENCODE: UNIX format for attachment encoding
    • BINHEX: Mac format for attachment encoding

Attachment

  • It is an extra item that comes as a supplement to the body

Detailed Email Transfer Process

  • The detailed email transfer process involves multiple steps and servers:

    • Sending Client (Alice) composes email for bob@b.org and sends it to the sending server smtp.a.org.
    • DNS server dns.a.org is queried for the MX record of b.org.
    • DNS server responds with the MX record of b.org.
    • Sending server sends email to mx.b.org via SMTP.
    • Receiving server mx.b.org stores the email in Bob's mailbox.
    • Receiving Client (Bob) downloads the email to his local mailbox via POP3.
  • Potential attackers:

    • Co-located attacker on client or recipient machine.
    • Snooping attacker intercepting communications and changing contents.
    • Unscrupulous server administrators.

Default Port Numbers in Email

  • 25: SMTP - core Internet protocol used to transfer from client to server (MUA to MTA) and server to server (MTA to MTA)
  • 110: POP3 - Post Office Protocol allows clients (MUA's) to retrieve stored e-mail
  • 143: IMAP - Internet Message Access Protocol provides a means of managing e-mail messages on a remote server and retrieving stored e-mail
  • 465: SMTPS - SMTP via SSL encrypted connection (Unofficial)
  • 993: IMAPS - IMAP via SSL encrypted connection
  • 995: POP3S (SPOP) - POP via SSL encrypted connection
  • 587: Outgoing Mail (Submission) - MSA
  • 80: HTTP - Webmail
  • 443: HTTPS - Secure Webmail

Sender Policy Framework (SPF)

  • Defined in IETF publication RFC 7208.

Investigating E-mail Crimes and Violations

  • Similar to other types of investigations:
    • Find who is behind the crime.
    • Collect the evidence.
    • Present your findings.
    • Build a case.
  • Know the applicable privacy laws for your jurisdiction:
    • Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA) apply to e-mail.

Examining E-mail Messages

  • Access victim’s computer or mobile device to recover the evidence.
    • Using the victim’s e-mail client, find and copy any potential evidence, access protected or encrypted material, and print e-mails.
    • Guide victim on the phone to open and copy e-mail, including headers.
  • You may have to recover deleted e-mails.

Investigation Process

  • Obtain Search Warrant
  • Create image
  • Examine header information
  • Trace origin
  • Acquire archived or deleted email

Warrant

  • Search warrant application should include proper language to perform an onsite examination of client and server.
  • Forensic testing may only be permitted with permission!
  • Seize computer and accounts suspected to be involved.
  • For webmail, seizing may simply involve changing the password.

Viewing Email Headers

  • Investigators should learn how to find e-mail headers in GUI clients and web-based clients.
  • Copy and paste headers into a text document for reading with a text editor.
  • Become familiar with as many e-mail programs as possible.

Examining Email Headers

  • Know how to find the headers in various clients, and from within mail archives.

  • Extract these and copy them into a text document to work on.

  • Headers contain significant information about the message sender, recipient and intermediary servers.

  • The message header must include at least the following fields:

    • From: Email address/Name of author
    • Date: The local time and date
    • Message-ID: Auto generated unique field
    • In-Reply-To: Message-ID of the message that this is a reply to.
    • To: The recipient email address(es)
    • Subject: A brief summary of the topic
    • CC/BCC: (Blind) carbon copy; addresses added to the SMTP delivery list
    • Content-Type: Display type/MIME Information about how the message is to be displayed, usually a MIME type.
    • Reply-To: Address that should be used to reply to the message.
  • According to RFCs 822 and 2822, every email should have a Message-ID field that "provides a unique message identifier that refers to a particular version of a particular message. The uniqueness of the message identifier is guaranteed by the host that generates it….This message identifier is intended to be machine readable and not necessarily meaningful to humans. A message identifier pertains to exactly one instantiation of a particular message; subsequent revisions to the message each receive new message identifiers."
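The header work described above, as an added example that is not part of the lecture notes: it parses a constructed message with Python's standard email module, lists the header fields named here, and reverses the Received: chain to recover the delivery path and the origin IP. All hosts, addresses, IPs and IDs are made up for the example.

```python
import email
import email.utils
import re

# Constructed sample message; hosts, addresses, IPs and IDs are made up.
RAW_MESSAGE = b"""\
Received: from mx.b.org (mx.b.org [192.0.2.20])
\tby mailstore.b.org with ESMTP id 77AbC; Tue, 5 Mar 2024 10:02:11 +0000
Received: from smtp.a.org (smtp.a.org [198.51.100.5])
\tby mx.b.org with ESMTP id 3k9Qz; Tue, 5 Mar 2024 10:02:09 +0000
Received: from client-pc (unknown [203.0.113.77])
\tby smtp.a.org with ESMTPSA id 1aB2c; Tue, 5 Mar 2024 10:02:05 +0000
From: Alice <alice@a.org>
To: Bob <bob@b.org>
Subject: Invoice attached
Date: Tue, 5 Mar 2024 10:02:04 +0000
Message-ID: <20240305100204.1aB2c@smtp.a.org>
Reply-To: accounts@example.invalid
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
"""

# "from <host> (<helo> [<ip>]) by <relay> ... ; <date>" as most MTAs write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<sender_host>\S+)\s+\((?:[^\s\[\]]+\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<relay>\S+).*?;\s*(?P<date>.+)$"
)

def parse_message(raw):
    """Parse raw message bytes; headers are kept exactly as received."""
    return email.message_from_bytes(raw)

def header_fields(msg):
    """The fields listed in the notes; None marks a field the message lacks."""
    names = ["From", "Date", "Message-ID", "In-Reply-To", "To", "Subject",
             "CC", "BCC", "Content-Type", "Reply-To"]
    return {name: msg.get(name) for name in names}

def delivery_path(msg):
    """Each MTA prepends its Received: line, so the top one is the last hop;
    reverse them to get the path in chronological order (origin first)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            hops.append({"raw": flat})   # keep unparsed hops; never drop evidence
            continue
        hop = m.groupdict()
        hop["time"] = email.utils.parsedate_to_datetime(hop.pop("date"))
        hops.append(hop)
    return hops

def origin_ip(msg):
    """IP recorded by the first relay, i.e. the host closest to the sender."""
    return next((h["ip"] for h in delivery_path(msg) if "ip" in h), None)

def timestamps_ascending(hops):
    """A hop stamped earlier than the previous one suggests a forged header."""
    times = [h["time"] for h in hops if "time" in h]
    return all(a <= b for a, b in zip(times, times[1:]))

def reply_to_mismatch(msg):
    """True when replies would go to a different domain than the From: address."""
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    reply = email.utils.parseaddr(msg.get("Reply-To", ""))[1]
    if not reply:
        return False
    return sender.rsplit("@", 1)[-1].lower() != reply.rsplit("@", 1)[-1].lower()
```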

Examining Additional Email Files

  • E-mail messages are saved on the client side or left at the server.
    • Microsoft Outlook uses .pst and .ost files.
      • %AppData%\Local\Microsoft\Outlook (OST)
      • %UserRoot%\Documents\Outlook Files (PST)
    • Most e-mail programs also include an electronic address book, calendar, task list, and memos
    • In Web-based e-mail, messages are displayed and saved as Web pages in the browser’s cache folders.
    • Many Web-based e-mail providers also offer instant messaging (IM) services

Tracing an Email Message

  • Determining message origin is referred to as “tracing.”
  • Contact the administrator responsible for the sending server.
  • Use a registry site to find point of contact:
    • American Registry for Internet Numbers (ARIN) www.arin.net
    • find a domain’s IP address and point of contact www.internic.com
    • more information on www.google.com
  • Verify your findings by checking network e-mail logs against e-mail addresses
    • E.g. via PowerShell cmdlets that are available only in on-premises Exchange.
  • A court order may be required to obtain the log files from the originating server.

Using Network Email Logs

  • Router logs record all incoming and outgoing traffic and apply rules to allow or disallow traffic; from them you can resolve the path a transmitted e-mail has taken.
  • Firewall logs record filtered e-mail traffic; use them to verify whether the e-mail passed through. Any text editor or specialized tools can be used to read them.

Understanding Email Servers

  • An e-mail server is loaded with software that uses e-mail protocols for its services and maintains logs you can examine and use in your investigation.
  • Servers can recover deleted e-mails.
  • E-mail storage:
    • Database
    • Flat file system
    • Logs
  • Some servers are set up to log e-mail transactions by default; others have to be configured to do so.
  • Contact suspect’s network e-mail administrator as soon as possible.

Examining UNIX Email Server Logs

  • Common UNIX e-mail servers include Postfix and Sendmail.
    • /etc/sendmail.cf: Configuration file for Sendmail
    • /etc/syslog.conf: Specifies how and which events Sendmail logs
    • Postfix has two configuration files: master.cf and main.cf (found in /etc/postfix)
    • /var/log/maillog: the mail log (the exact location varies by distribution)
    • Use the find or locate command to locate configuration and log files
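Reading the mail log against a message, as an added example that is not part of the notes: it groups a constructed Postfix maillog excerpt by queue ID so that the account, Message-ID, client IP, recipients and timestamps of one message sit together, then checks those values against what header analysis produced. The log format follows Postfix's usual layout; hosts, IPs and IDs are made up.

```python
import re

# Constructed Postfix maillog excerpt; hosts, IPs and queue IDs are made up.
MAILLOG = """\
Mar  5 10:02:05 smtp postfix/smtpd[2231]: connect from unknown[203.0.113.77]
Mar  5 10:02:05 smtp postfix/smtpd[2231]: 1AB2C3D4E5: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=alice@a.org
Mar  5 10:02:05 smtp postfix/cleanup[2240]: 1AB2C3D4E5: message-id=<20240305100204.1aB2c@smtp.a.org>
Mar  5 10:02:05 smtp postfix/qmgr[1180]: 1AB2C3D4E5: from=<alice@a.org>, size=2048, nrcpt=1 (queue active)
Mar  5 10:02:09 smtp postfix/smtp[2251]: 1AB2C3D4E5: to=<bob@b.org>, relay=mx.b.org[192.0.2.20]:25, delay=4.1, delays=0.5/0.01/1.2/2.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3k9Qz)
Mar  5 10:02:09 smtp postfix/qmgr[1180]: 1AB2C3D4E5: removed
Mar  5 10:02:10 smtp postfix/smtpd[2231]: disconnect from unknown[203.0.113.77]
Mar  5 11:15:40 smtp postfix/smtpd[2302]: F00DBA5E11: client=unknown[198.51.100.9]
Mar  5 11:15:40 smtp postfix/cleanup[2310]: F00DBA5E11: message-id=<deadbeef@mailer.example.invalid>
Mar  5 11:15:40 smtp postfix/qmgr[1180]: F00DBA5E11: from=<ceo@a.org>, size=912, nrcpt=1 (queue active)
Mar  5 11:15:41 smtp postfix/smtp[2320]: F00DBA5E11: to=<finance@b.org>, relay=mx.b.org[192.0.2.20]:25, delay=0.8, delays=0.2/0.01/0.3/0.3, dsn=5.1.1, status=bounced (host mx.b.org[192.0.2.20] said: 550 5.1.1 User unknown)
Mar  5 11:15:41 smtp postfix/qmgr[1180]: F00DBA5E11: removed
"""

# syslog prefix: timestamp, host, "postfix/<daemon>[pid]: " then the payload
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"postfix/(?P<proc>\w+)\[\d+\]: (?P<rest>.*)$")
# every line about a queued message starts with its hexadecimal queue ID
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-F]{8,}): (?P<body>.*)$")

def parse_maillog(text):
    """Group every queue-ID-tagged line into one record per message."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        q = QUEUE_RE.match(m["rest"])
        if not q:
            continue  # connect/disconnect lines carry no queue ID
        rec = records.setdefault(q["qid"], {"first_seen": m["ts"], "recipients": []})
        rec["last_seen"] = m["ts"]
        body = q["body"]
        if c := re.search(r"client=(\S+?)\[([^\]]+)\]", body):
            rec["client_host"], rec["client_ip"] = c.group(1), c.group(2)
        if s := re.search(r"sasl_username=(\S+)", body):
            rec["sasl_username"] = s.group(1).rstrip(",")   # authenticated account
        if i := re.search(r"message-id=(<[^>]*>)", body):
            rec["message_id"] = i.group(1)
        if f := re.search(r"from=<([^>]*)>", body):
            rec["sender"] = f.group(1)                     # envelope sender
        if t := re.search(r"to=<([^>]*)>.*?relay=(\S+?),.*?status=(\w+)", body):
            rec["recipients"].append({"to": t.group(1), "relay": t.group(2),
                                      "status": t.group(3)})
    return records

def find_queue_id(records, message_id):
    """Locate the log record for a Message-ID taken from the message header."""
    return next((qid for qid, r in records.items()
                 if r.get("message_id") == message_id), None)

def corroborate(record, expected):
    """Fields where the server log disagrees with the header analysis, or is silent:
    returns (field, value in log, value expected) for each mismatch."""
    return [(k, record.get(k), v) for k, v in expected.items() if record.get(k) != v]
```

An empty list from corroborate means account, Message-ID and client IP in the log agree with the headers; a missing sasl_username on a message claiming an internal sender is worth noting.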

Examining Microsoft Email Server Logs

  • Microsoft Exchange Server (Exchange) uses a database based on the Microsoft Extensible Storage Engine (ESE).
    • Most useful files in an investigation: .edb database files, Streaming Media (STM) files, checkpoint files, and temporary files.
    • Information Store files: Database files (*.edb) are responsible for MAPI information.
    • Transaction logs
    • Checkpoints (RESx.logs)
    • Temporary files (.tmp)
  • To retrieve log files created by Exchange, use the Windows PowerShell script Get-TransactionLogStats.ps1 - Gather

Using Magnet AXIOM to Recover Email

  • Magnet AXIOM has two modules: Process and Examine.

Using a Hex Editor to Carve Email Messages

  • Few vendors have products for analyzing e-mail in systems other than Microsoft.

Recovering Outlook Files

  • A forensics examiner recovering e-mail messages from Outlook may need to reconstruct .pst files and messages.
  • With many advanced forensics tools, deleted .pst files can be partially or completely recovered.
  • Scanpst.exe recovery tool comes with Microsoft Office and can repair .ost files as well as .pst files.
  • Guidance Software EnCase uses the SysTools plug-in
  • DataNumen OutlookRepair

Recover Deleted Emails

  • Recovery depends on the kind of mail client used, but the process is generally similar…

Message Tracking Logs in Exchange

  • Message Tracking is an Exchange feature that records log files of e-mail traffic as messages travel between mailboxes within the organization.
  • Runs on Mailbox servers; it is enabled by default
  • Shows that the e-mail was sent, but the message body is not recorded

eDiscovery in Office 365

  • Multi-mailbox search or item recovery; these features need to be enabled and the data has to be within the retention period.
  • Checking the victim's mailbox, both versions of the message can be found.

Email Log Review and Retention

  • Reviewing audit logs is time consuming
  • Audit logs show the events that have occurred, such as network traffic or attacks
  • Check the Mail Server Logs:
    • Long-term and
    • In-depth analysis
  • Check all details on the Web based email, such as
    • Favourites
    • Cookies
    • History
    • Cache Files

Email Forensics Obstacles

  • Obscured web e-mail headers
  • Open relays
  • Forged Received: headers (which defeat backward tracking)
  • Open proxies
  • SSH tunnels (login data)

Using Specialized Email Forensics Tools

  • Tools include:
    • DataNumen for Outlook and Outlook Express
    • FINALeMAIL for Outlook Express and Eudora
    • Sawmill-Novell GroupWise for log analysis
    • MailXaminer for multiple e-mail formats and large data sets
    • Fookes Aid4Mail and MailBag Assistant
    • Paraben E-Mail Examiner
    • AccessData FTK for Outlook and Outlook Express
    • Ontrack Easy Recovery EmailRepair
    • R-Tools R-Mail
    • OfficeRecovery’s MailRecovery
    • MXToolBox for decoding e-mail headers
    • FreeViewer with free tools for various servers
  • Tools allow you to find: E-mail database files, Personal e-mail files, Offline storage files, Log files
  • Data recovery tools advantage: You don’t need to know how e-mail servers and clients work
  • After you compare e-mail logs with messages, verify the e-mail account, message ID, IP address, and date and time stamp to determine whether there’s enough evidence for a warrant
  • With some tools you can scan e-mail database files on a suspect’s Windows computer, locate any e-mails the suspect has deleted and restore them to their original state

Introduction to Malware Forensics

  • Malware is the major source of many cyber attacks
  • “Malware (short for 'malicious software') is software that cybercriminals use to harm your computer system or network. Cybercriminals can use malware to gain access to your computer without you knowing, in targeted or broad-based attacks” which could be done through
    • Search engines
    • Software bugs
    • Fake or corrupted programs
    • Removable media
    • Malicious emails
    • Malicious files, games, etc
    • NetBIOS/ File sharing
    • Instant messenger applications and IRC
  • Examples of Malware components include
    • Malicious code, injector, crypter, downloader, obfuscator, payload, etc
  • Attackers use malware such as
    • Virus, worms, spyware, trojan and ransomware to commit a crime
  • Attackers may use some techniques, such as
    • Spear Phishing sites, Compromised websites, Malvertising, Domain shadowing, Drive-by downloads, and Social engineering, …
  • The objective of Malware Forensics is to identify the collected malicious code and examine its behaviour in a secure and preserved environment
    • This can be done in static analysis and run-time/dynamic analysis
    • There could be many challenges, e.g. amount of data, dynamic nature of malware, accuracy of the analysis, anti-forensics techniques, etc

Malware Forensics Examination

  • Once the suspicious activity is reported or detected, the investigator needs to examine important areas of the workstation
    • Installed programs
    • Suspicious executable files
    • Services and modules
    • Scheduled jobs & Startup programs
  • The important information to be collected could include
    • Logs, accounts and user login activities, registries, application traces, file systems
  • The analysis can be either Static or Run-time
    • Through a dedicated laboratory system using virtualization tools, e.g. VirtualBox
  • Examples of the tools for investigation
    • Balbuzard
    • Cryptam Malware Document Detection Suite
  • Identifying and analyzing malware artifacts in forensic investigations is essential. Artifacts are the pieces of data that show malicious activity. Some common malware forensic artifacts in the system include:
    • File system artifacts
    • Email artifacts
    • Cryptographic artifacts
    • Network traffic indicators
    • Registry artifacts
    • Log file anomalies
    • Authentication records
    • Memory and processes artifacts
  • It is important to look for indicators of malware, such as abnormal network traffic, suspicious processes, consumption of storage space, unbounded emails, irrelevant alerts/ads/popups, …

Preparing Testbed

  • Steps:
    • Allocate a physical system
    • Install a virtual machine
    • Install guest OSs
    • Isolate the system
    • Simulate the Internet services
    • Disable shared folders and guest isolation
    • Install malware analysis tools
    • Generate hash values
    • Collect detected malware

Malware Analysis tools

  • Virtual Machines, e.g. Virtual Box
  • Screen capturer and recorder, e.g. Camtasia, Snagit
  • Network simulation tools, e.g. ns-3 and NetSim
  • Backup and imaging tools, e.g. R-Drive Image, Genie Backup Manager Pro

Important rules

  • Capture important data and try different tools to analyse malware

Documentation

  • Details of the process and how to handle the malware should be pre-prepared
  • System baselining: take a snapshot of the baseline state of the forensic workstation before executing the malware
    • Run the malware on the workstation for a certain period
    • Run WhatChanged Portable and select the option to take a snapshot
    • The snapshot captures the current state of the machine, files and registry
    • Take the second snapshot
    • Compare the second snapshot with the baseline to detect the changes
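The baseline-and-compare cycle above, as an added example that is not part of the notes and not WhatChanged's own code: it snapshots a directory tree to SHA-256 digests and diffs two snapshots into added, removed and modified entries. Registry snapshotting is out of scope here, but diff_snapshots accepts any key-to-value map (for instance an exported registry listing); the demo function stands in for the malware run by writing files itself.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 and size."""
    root = Path(root)
    state = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        state[path.relative_to(root).as_posix()] = (digest, path.stat().st_size)
    return state

def diff_snapshots(before, after):
    """Compare two snapshots; works for any key -> value map, not only files."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }

def demo():
    """Baseline, simulated run, second snapshot, compare; all inside a temp dir.
    The 'malware activity' is simulated by this function writing files itself."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system.cfg").write_text("original")
        (root / "notes.txt").write_text("keep me")
        baseline = snapshot(root)                   # snapshot before execution
        # simulated activity: a dropped payload, an edited config, a deleted file
        (root / "dropped").mkdir()
        (root / "dropped" / "payload.bin").write_bytes(b"\x00\x01\x02")
        (root / "system.cfg").write_text("original\nrun=payload.bin")
        (root / "notes.txt").unlink()
        second = snapshot(root)                     # second snapshot
        return diff_snapshots(baseline, second)     # compare with the baseline
```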

Malware Forensics (Static Analysis)

  • Static analysis, a.k.a. code analysis, involves examining the executable binary code without executing it
    • This can be done with IDA Pro to disassemble the binary file
  • Examples of malware analysis techniques are
    • File fingerprinting, e.g. HashMyFiles
    • Online malware scanning, e.g. VirusTotal, Online Scanner, Hybrid Analysis
    • Strings search, e.g. Bintext, FLOSS, Strings, Free EXE DLL, Hex Workshop
    • Identifying file dependencies, e.g. Dependency Walker, Snyk, Dependency-Check
    • Malware disassembly
    • Identifying packaging/obfuscation methods, e.g. PEiD, Detect It Easy (DIE), ps2-packer, UPX
    • Finding the Portable Executables (PE), e.g. PE Explorer, pestudio, Resource Hacker
    • Firstly, compute the hash value of the binary code
      • E.g. HashTab, HashCalc, md5sum, HashMyFiles, etc
    • Scan the binary code using up-to-date antivirus software or upload it to scan engines such as VirusTotal
    • Analyse the strings embedded in the program’s executable file
      • E.g. ResourcesExtract, Hex Workshop
    • Use tools such as PEiD to detect common packers, cryptors, and compilers for PE executable files
    • Finding the Portable Executables (PE) Information
      • Examines the metadata of a PE file, e.g. Pestudio
      • Indicators window presents a list of suspicious elements
      • Strings window
      • Blacklisted strings need to be checked; try other tools
      • E.g. Dependency Walker, OllyDbg, IDA Pro
      • The readelf tool can display ELF executable files (linux.die.net)
    • Examine the dynamically linked libraries in the malware executable file
      • Finding the library functions shows what the malware program can do
      • Dependency Walker lists all dependent modules within the executable file
  • The investigator should know various DLLs used to run and load programs
    • kernel32.dll, Wininet.dll, Advapi32.dll, User32.dll, WSock32.dll, Ntdll.dll
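The first static-analysis steps above (fingerprinting, string extraction and noting which DLLs the sample names), as an added example that is not part of the notes and not the code of any tool listed here. It runs on a constructed byte blob, not real malware; the host name uses the reserved .invalid domain and the DLL-to-capability mapping is the author's summary, not a lookup table from the notes.

```python
import hashlib
import re

# Constructed sample "binary": a PE-like stub with embedded ASCII and UTF-16LE
# strings. Not real malware; the URL host is a reserved .invalid name.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 32
    + b"kernel32.dll\x00CreateProcessA\x00"
    + b"WSock32.dll\x00connect\x00send\x00"
    + b"Advapi32.dll\x00RegSetValueExA\x00"
    + b"http://c2.example.invalid/beacon\x00\x00"
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00\xde\xad\xbe\xef"
)

# DLLs named in the notes, mapped to the capability their presence usually implies.
DLL_CAPABILITIES = {
    "kernel32.dll": "core OS: process, file and memory management",
    "wininet.dll": "network: HTTP/FTP client functions",
    "advapi32.dll": "registry, services and security APIs",
    "user32.dll": "user interface, windows and input hooks",
    "wsock32.dll": "network: Winsock sockets",
    "ntdll.dll": "native NT API, often used for low-level calls",
}

ASCII_RE = re.compile(rb"[\x20-\x7e]{5,}")            # like `strings`
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")    # like `strings -el`
URL_RE = re.compile(r"(?:https?|ftp)://\S+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def file_hashes(data):
    """Fingerprint the sample: the first static-analysis step in the notes."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def extract_strings(data, min_len=5):
    """Printable ASCII and UTF-16LE strings of at least min_len characters."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return [s for s in found if len(s) >= min_len]

def flag_indicators(strings):
    """Map extracted strings to capabilities and indicators an analyst would record."""
    report = {"dlls": {}, "urls": [], "ips": [], "registry": []}
    for s in strings:
        low = s.lower()
        if low in DLL_CAPABILITIES:
            report["dlls"][low] = DLL_CAPABILITIES[low]
        report["urls"] += URL_RE.findall(s)
        report["ips"] += IPV4_RE.findall(s)
        if low.startswith("software\\") or "\\currentversion\\run" in low:
            report["registry"].append(s)   # autostart location referenced by name
    return report

def triage(data):
    """One-shot static triage: hashes, strings and indicators for a sample."""
    strings = extract_strings(data)
    return {"hashes": file_hashes(data), "strings": strings,
            "indicators": flag_indicators(strings)}
```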

Malware Forensics (Run-Time Analysis)

  • Run-time or dynamic analysis, a.k.a. behavioral analysis, involves executing the malware code in a simulated environment
    • Requires virtual machines and sandboxes
    • Examples of debuggers are OllyDbg, WinDbg, etc
    • Monitoring network activities:
      • Check IP addresses, open ports and DNS entries
      • Wireshark to monitor IP addresses and look for any suspicious activities
      • Netstat to monitor all active ports and their status, e.g. netstat -an
      • TCPView & CurrPorts to check TCP/IP and UDP endpoints
      • ipconfig /displaydns to view all cached DNS records
      • DNSQuerySniffer shows the DNS queries sent from the system and identifies the DNS servers the malware tries to connect to

Registry Artifacts Analysis

  • Malware manipulates the registry to run automatically

  • Check Windows AutoStart registry locations, using tools such as RegRipper to examine NTUSER.dat

System Behavior Analysis

  • Malware uses PEs (portable executables) to inject itself into processes

  • Use process monitoring, e.g. Process Monitor, to scan for suspicious processes

  • Check registry artifacts: look for Windows AutoStart registry locations using monitoring tools such as Regshot, Registry Viewer, RegScanner

  • Malware uses Windows services to remotely control the victim machine

  • Check Service Manager to identify suspicious services that run automatically or manually (refer to http://tools.sysprogs.org)

  • Use process-monitoring tools, e.g. Process Monitor, Process Explorer, Monit, SrvMan, Autoruns for Windows

  • Malware can change system settings, specifically startup menu

  • Check startup program entries in the registry

  • Check C:\Windows\System32\drivers, boot.ini or bcd entries

  • Check startup folders

  • Use Autoruns for Windows to detect suspicious startup entries

  • Malware execution may leave traces in the Windows event logs

  • Check C:\Windows\System32\winevt\Logs

  • Use Event Viewer to monitor events based on specific details, e.g. name

  • Key event IDs: 4688, 5156, 7040, 4663, 4660, 4657, 7045 (refer to https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor)

  • Malicious programs use Windows APIs to access OS information

  • Use API Monitor to intercept API calls made by the malware

  • Check HTML and SCR files

  • Use API Monitor, APImetrics, AlertSite, Runscope, Datadog, Postman

  • Check device drivers to find any untrusted download sources

  • E.g. DriverView, Driver Booster, Driver Reviver, Driver Easy

  • Check installations to find traces of application data on the system

  • E.g. Mirekusoft Installer Monitor, Advanced Uninstaller PRO, Comodo Programs Manager

  • Check system calls (syscalls) to reveal the type of damage done to the system by the malware

  • E.g. strace

  • Check for Scheduled Tasks to find malware such as logic bombs

  • E.g. schtasks, ADAudit, CronitorCLI

  • Check suspicious files and folders

  • E.g. Sigverif, PA File Sight, Tripwire File Integrity Monitoring, Netwrix Auditor

  • Malware can be installed along with device drivers

  • Check for suspicious drivers and check whether they are genuine

  • Run -> “msinfo32” -> Software Environment -> System Drivers

  • DriverView tool displays a list of all device drivers and all relevant details

  • Check file and folder integrity for any malware

  • Use SIGVERIF to check the integrity

  • Use FCIV (File Checksum Integrity Verifier) to compute hash values

  • Use TRIPWIRE Enterprise to scan the system files

  • PA File Sight tool can be used for file monitoring

  • Use integrity tools such as FastSum or WinMD5

Summary

  • E-mail fraudsters use phishing, pharming, and spoofing scam techniques
  • In both Internet and intranet e-mail environments, e-mail messages are distributed from one central server to connected client computers
  • E-mail investigations are similar to other kinds of investigations
  • Forensic linguistics is a field where language and the law intersect to determine the author of e-mails, text messages, and other online communications
  • Access victim’s computer to recover evidence
  • Copy and print the e-mail message involved in the crime or policy violation
  • Use the e-mail program that created the message to find the e-mail header, which provides supporting evidence and can help you track the suspect to the originating location
  • Investigating e-mail abuse
  • Be familiar with e-mail servers and clients’ operations
  • For many e-mail investigations you can rely on e-mail message files, headers, and server log files
  • For e-mail applications that use the mbox format, a hexadecimal editor can be used to carve messages manually
  • Social media, or OSNs can provide evidence in criminal and civil cases
  • Software for collecting OSN information is being developed
  • The majority of people engaging in social media communications are mobile users
  • Social media forensics tools have evolved with the technology, and many forensics suites have built-in social media tools

Malware Forensics

  • Malware forensics deals with identifying and capturing malicious code on an infected system
  • Malware forensics can be divided into two main areas of Static/code-based and dynamic/behavioural, a.k.a, run-time analysis
  • Static analysis involves going through the executable binary code without actually executing the program
  • Run-Time/behavioural analysis involves executing the malware code on a simulated system to collect its real functions