
Chapter 11: E-mail and Social Media Investigations

11.1: Exploring the Role of E-mail in Investigations

  • Phishing: A message tries to obtain personal information (credentials, account or card numbers) by luring readers with false promises or urgent requests, usually toward a link the attacker controls.

  • Pharming: The reader types the correct Web site address, but DNS poisoning (a tampered resolver or hosts file) sends the request to a fake site, so the address bar looks right while the content is the attacker's.

  • E-mail Spoofing: Forging the sender address (the From: header and often the SMTP envelope MAIL FROM as well) so a message appears to come from someone the recipient trusts; it is the mechanism behind most phishing and business e-mail compromise attacks on companies.

  • In the textbook's example case, the clue that the e-mail was fake was the Enhanced/Extended SMTP (ESMTP) ID in the message's Received: header. A transmitting server assigns this ID uniquely to each message it handles and records it in its own log, so an ID that does not match the server's logs or its ID format shows the header line was forged.


11.2: Exploring the Roles of the Client and Server in E-mail

  • Client/Server Architecture: A configuration where messages are distributed from a central server to many connected client computers.

  • The server runs an e-mail server program, such as Microsoft Exchange Server, to provide e-mail services.

  • Client computers use e-mail programs, such as Microsoft Outlook, to contact the e-mail server and send and retrieve e-mail messages.

  • Regardless of the OS or e-mail program, users access their e-mail based on permissions the e-mail server administrator grants. These permissions prevent users from accessing each other’s e-mail.

  • An Intranet E-mail System is for the private use of network users, and Internet e-mail systems are for public users.


11.3: Investigating E-mail Crimes and Violations

Understanding Forensic Linguistics

  • Forensic Linguistics: involves the application of scientific knowledge to language in the context of criminal and civil law.

  • The International Association of Forensic Linguists divides this field into four categories:

    • language and law;

    • language in the legal process;

    • language as evidence; and

    • research/teaching.

  • Forensic linguistics encompasses civil cases, criminal cases, cyberterrorism cases, and other legal proceedings.

Examining E-mail Messages

Copying an E-mail Message

  • If Outlook or Outlook Express is installed on your computer, follow these steps:

    1. Insert a USB drive into a USB port.

    2. Open File Explorer, navigate to the USB drive, and leave this window open.

    3. Start Outlook by going to the Start screen, typing Outlook, and pressing Enter.

    4. In the Mail Folders pane, click the folder containing the message you want to copy.

    5. Resize the Outlook window so that you can see the message you want to copy and the USB drive icon in File Explorer.

    6. Drag the message from the Outlook window to the USB drive icon in File Explorer. Outlook saves it as a .msg file (Outlook Express saves an .eml file); compute and record the copy's hash so the file can be tied to your report.

    7. Click the File tab, and then click Print to open the Print pane. After printing the e-mail so that you have a copy to include in your final report, exit Outlook.

Examining E-mail Headers

  • The main pieces of information you're looking for are the originating domain and IP address. Each mail server that handles the message prepends its own Received: line, so the header reads newest hop at the top and origin at the bottom; only the lines added by servers you control are trustworthy, because everything below them could have been written by the sender.

  • To open and examine an e-mail header, follow these steps:

    1. Open File Explorer and navigate to your work folder.

    2. Double-click a .txt file containing message header text, such as Outlook header.txt. The message header opens in Notepad.

Examining Additional E-mail Files

  • E-mail programs save messages on the client's computer or leave them on the server.

  • How e-mails are stored depends on the settings on the client and server.

  • On the client's computer, you could save all your e-mail in a separate folder for record-keeping purposes.

  • Most e-mail programs also include an address book of contacts, and many offer calendars, task lists, and memos.

  • A suspect’s address book, calendar, task list, and memos can contain valuable information that links e-mail crimes or abuse to other parties and reveals the suspect’s physical address and even involvement in other crimes.

  • In Web-based e-mail, messages are displayed and saved as Web pages in the browser’s cache folders.

  • Many Web-based e-mail providers offer instant messaging (IM) services that can save message contents in proprietary and nonproprietary file formats.

  • Some IM programs are configured to not save chat content unless users change the default setting, so you might need to search the suspect’s Pagefile.sys file to find message fragments.

Tracing an E-mail Message

  • As part of the investigation, you need to determine an e-mail’s origin by further examining the header with one of many free Internet tools.

  • Tracing: Way of determining message origin.

  • If the point of contact isn't listed on the domain's Web site, or the domain has no Web site, use a registry site such as the following to determine the point of contact:

    • www.arin.net — Use the American Registry for Internet Numbers (ARIN) to map an IP address to the organization it is allocated to and find that organization's abuse and technical points of contact. ARIN covers North America; a lookup for an address managed by another regional registry (RIPE NCC, APNIC, LACNIC, AFRINIC) refers you there.

    • www.internic.com — Use this site to look up a domain's registration (WHOIS) record, including its name servers and registered point of contact.

    • www.google.com — Use this search engine and others to look for more information and additional postings on discussion boards.
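The following Python script is an added example, not code from the textbook, covering both Examining E-mail Headers and Tracing an E-mail Message above: it parses a saved header, walks the Received: chain from origin to recipient, and separates the connecting IP that your own server verified from the origin that the lower, forgeable lines claim. The header, hostnames and IPs are constructed documentation values, and the trusted domain victim.example is an assumption.

```python
"""Walk an e-mail's Received: chain to separate verified hops from claimed ones.

Added example, not code from the textbook. The header below is constructed
for illustration; every hostname and IP is a documentation value (RFC 2606
names, RFC 5737 addresses), not a real system. Read it from a saved .eml or
header .txt file in practice.
"""
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample: a message claiming to come from the CEO of victim.example
# that actually entered through two outside relays.
SAMPLE_HEADER = """\
Received: from mx2.example.com (mx2.example.com [192.0.2.20])
\tby mail.victim.example (Postfix) with ESMTPS id 4F3A2B1C0D
\tfor <victim@victim.example>; Tue, 03 Mar 2020 10:15:01 -0500
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx2.example.com with ESMTP id q7s2kL9m
\tfor <victim@victim.example>; Tue, 03 Mar 2020 10:14:58 -0500
Received: from [10.0.0.55] (unknown [203.0.113.5])
\tby relay.example.net with ESMTPA id abc123;
\tTue, 03 Mar 2020 10:14:55 -0500
Message-ID: <20200303151455.abc123@relay.example.net>
From: "Payroll" <ceo@victim.example>
To: victim@victim.example
Subject: Urgent wire transfer

"""

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Ranges that never identify a remote origin. Listed explicitly rather than
# using ipaddress.is_global, because the RFC 5737 documentation ranges in the
# sample are also non-global and would otherwise be discarded.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _in_domains(host: str, suffixes: tuple) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_received_chain(raw_header: str) -> list:
    """Return one dict per hop, oldest (closest to the sender) first."""
    msg = email.message_from_string(raw_header)
    hops = []
    # Each relay prepends its Received: line, so the top of the header is the
    # newest hop; reverse to read the path in transmission order.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())          # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        m_id = re.search(r"\bid\s+([^\s;]+)", text)
        hops.append({
            "from": m_from.group(1) if m_from else "",
            "by": m_by.group(1) if m_by else "",
            "id": m_id.group(1) if m_id else "",
            "ips": IPV4_RE.findall(text),
        })
    return hops


def trace_origin(raw_header: str, trusted_suffixes: tuple) -> dict:
    """Only Received: lines written by servers you control (the "by" host is in
    trusted_suffixes) are reliable; the connecting IP they record is the
    furthest point you can verify. Everything older may have been forged."""
    hops = parse_received_chain(raw_header)
    verified_ip, connecting_host, trusted = None, "", 0
    for hop in reversed(hops):                  # newest first
        if not _in_domains(hop["by"], trusted_suffixes):
            break
        trusted += 1
        external = [ip for ip in hop["ips"] if not is_internal(ip)]
        if external:
            verified_ip, connecting_host = external[-1], hop["from"]
    claimed = [ip for ip in hops[0]["ips"] if not is_internal(ip)] if hops else []
    msg = email.message_from_string(raw_header)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # An internal-looking sender that arrived through a foreign relay is the
    # classic spoofing pattern. Check it alongside the SPF/DKIM/DMARC verdicts
    # in any Authentication-Results: header your own server added.
    spoof_indicator = (_in_domains(from_domain, trusted_suffixes)
                       and verified_ip is not None
                       and not _in_domains(connecting_host, trusted_suffixes))
    return {
        "hops": len(hops),
        "verified_ip": verified_ip,             # what your own server saw connect
        "claimed_origin_ip": claimed[-1] if claimed else None,
        "unverified_hops": len(hops) - trusted,
        "from_domain": from_domain,
        "spoof_indicator": spoof_indicator,
        "message_id": msg.get("Message-ID", "").strip(),
    }


if __name__ == "__main__":
    for hop in parse_received_chain(SAMPLE_HEADER):
        print(f"{hop['from']:<20} -> {hop['by']:<20} id={hop['id']} ips={hop['ips']}")
    print(trace_origin(SAMPLE_HEADER, ("victim.example",)))
```

Point trace_origin() at the text of a saved header (the same kind of file opened in Notepad above) with your organization's mail domains as trusted_suffixes. The claimed_origin_ip is what you look up at ARIN or another registry; verified_ip is the address you can actually stand behind in a report, and the id in the top Received: line is the key into that server's own log.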

Using Network E-mail Logs

  • Network administrators maintain logs of the inbound and outbound traffic their routers handle.

  • Routers have rules to allow or deny traffic based on source or destination IP address.

    • Routers can be set up to record all traffic flowing through their ports, typically as flow records or access-list hits rather than message contents.

    • Using these logs, you can determine the path a transmitted e-mail has taken.

  • The network administrator who manages the routers can supply the log files you need.

  • Review the router logs for the connection that delivered the victim’s (recipient’s) e-mail, matching the timestamp and source IP against the unique ID the e-mail server logged for that message.

  • Network administrators also maintain logs for firewalls that filter Internet traffic; these logs can help verify whether an e-mail message passed through the firewall.

  • Firewalls maintain log files that track the Internet traffic destined for other networks or the network the firewalls are protecting.


11.4: Understanding E-mail Servers

  • An e-mail server is loaded with software that uses e-mail protocols for its services and maintains logs you can examine and use in your investigation.

  • Your focus is not to learn how a particular e-mail server works but how to retrieve information about e-mails for an investigation.

  • To investigate e-mail abuse, you should know how an e-mail server records and handles the e-mail it receives. Some e-mail servers use databases that store users’ e-mails, and others use a flat file system.

  • All e-mail servers can maintain a log of e-mails that are processed. Some e-mail servers are set up to log e-mail transactions by default; others must be configured to do so.

  • Most e-mail administrators log system operations and message traffic for the following reasons:

    • Recover e-mails in case of a disaster.

    • Make sure the firewall and e-mail filters are working correctly.

    • Enforce company policy.

  • E-mail logs generally identify:

    • the e-mail messages an account received,

    • the IP address from which they were sent,

    • the time and date the e-mail server received them,

    • the time and date the client computer accessed the e-mail,

    • the e-mail contents, system-specific information, and

    • any other information the e-mail administrator wants to track.

  • Administrators usually set e-mail servers to continuous logging mode.

  • After you have identified the source of the e-mail, contact the network or e-mail administrator of the suspect’s network as soon as possible.

  • In addition to logging e-mail traffic, e-mail servers can retain copies of clients’ e-mails even after users have deleted messages from their inboxes, depending on the server’s retention settings and backups; confirm what the administrator’s configuration actually keeps before relying on this.

Examining UNIX E-mail Server Logs

  • Log files and configuration files can provide helpful information.

  • The configuration file for Sendmail is /etc/mail/sendmail.cf; its LogLevel option sets how much Sendmail logs, and together with the syslog configuration it tells you where the log entries end up.

    • Sendmail refers to the sendmail.cf file to find out what to do with an e-mail after it’s received.

  • The /etc/syslog.conf file includes e-mail logging instructions, so you can determine how Sendmail is set up to log e-mail events and which events are logged. On current Linux distributions the same rules live in /etc/rsyslog.conf and /etc/rsyslog.d/*.conf, and on systemd hosts the entries may be in the journal (journalctl -u postfix or -u sendmail) rather than in a file.

  • Each rule in syslog.conf carries three pieces of information that tell you what happened to an e-mail event when it was logged: the facility (the event source, mail for e-mail daemons), the priority level of concern (info, warning, err, and so on), and the action taken, normally the file the entry is written to.

  • Delivered e-mail files (mbox spools) are typically found at /var/mail, with /var/spool/mail commonly a symbolic link to the same directory; sites using Maildir keep delivered mail under each user’s home directory instead.

  • Postfix: Its configuration files, master.cf and main.cf, are in the /etc/postfix directory. /var/spool/postfix is the queue directory, holding messages still in transit (incoming, active, deferred), not users’ delivered mail; the home_mailbox and mail_spool_directory settings in main.cf tell you where delivered messages go.

  • Because a UNIX system has a variety of e-mail servers available, the syslog.conf file simply specifies where to save different types of e-mail log files.

  • The first log file UNIX configures is /var/log/maillog (named /var/log/mail.log on Debian and Ubuntu), which usually contains a record of Simple Mail Transfer Protocol (SMTP) communication between servers.

  • The IP address and the timestamp in the maillog file are important information in an e-mail investigation.

  • The maillog file also contains information about Post Office Protocol version 3 (POP3) and Internet Message Access Protocol 4 (IMAP4) events.

  • UNIX systems are set to store log files in the /var/log directory.

  • If you’re examining a UNIX computer and don’t find the e-mail logs in /var/log, you can use the find or locate command to find them.

  • Many UNIX e-mail clients create a mail directory such as /home/username/mail (or a Maildir) on the client computer the first time a user runs the program; the exact name and layout depend on the client.

  • If the server has been configured to deliver e-mail to client machines but not store copies of e-mails on the server, the only copy of the e-mail is on the client computer in the user’s mail folder.
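An added Python example, not code from the textbook, for reading the maillog described above. Postfix writes the queue ID it logs into the Received: line it adds to the message, so that ID is the key from a header into the server's log. The script groups every log line by queue ID; records the connecting client IP, message ID, sender, recipients and delivery status; notes locally submitted messages and the uid that submitted them; and lists connections the server rejected before queueing. The log lines are constructed, and the host and addresses in them are documentation values.

```python
"""Correlate Postfix maillog entries by queue ID.

Added example, not code from the textbook. The log lines below are
constructed to look like /var/log/maillog on a Postfix host named "mail";
hostnames, addresses and IDs are documentation values, not real systems.
"""
import re

SAMPLE_MAILLOG = """\
Mar  3 10:15:01 mail postfix/smtpd[2412]: connect from mx2.example.com[192.0.2.20]
Mar  3 10:15:01 mail postfix/smtpd[2412]: 4F3A2B1C0D: client=mx2.example.com[192.0.2.20]
Mar  3 10:15:01 mail postfix/cleanup[2415]: 4F3A2B1C0D: message-id=<20200303151455.abc123@relay.example.net>
Mar  3 10:15:01 mail postfix/qmgr[1984]: 4F3A2B1C0D: from=<ceo@victim.example>, size=2048, nrcpt=1 (queue active)
Mar  3 10:15:02 mail postfix/local[2420]: 4F3A2B1C0D: to=<victim@victim.example>, relay=local, delay=0.42, delays=0.3/0.01/0/0.11, dsn=2.0.0, status=sent (delivered to maildir)
Mar  3 10:15:02 mail postfix/qmgr[1984]: 4F3A2B1C0D: removed
Mar  3 10:15:02 mail postfix/smtpd[2412]: disconnect from mx2.example.com[192.0.2.20]
Mar  3 10:16:40 mail postfix/smtpd[2412]: connect from unknown[203.0.113.9]
Mar  3 10:16:40 mail postfix/smtpd[2412]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <victim@victim.example>: Relay access denied; from=<spam@bad.example> to=<victim@victim.example> proto=ESMTP helo=<bad>
Mar  3 10:16:40 mail postfix/smtpd[2412]: disconnect from unknown[203.0.113.9]
Mar  3 10:20:05 mail postfix/pickup[1980]: 7B8C9D0E1F: uid=1001 from=<alice@victim.example>
Mar  3 10:20:05 mail postfix/cleanup[2415]: 7B8C9D0E1F: message-id=<20200303152005.1234@mail.victim.example>
Mar  3 10:20:05 mail postfix/qmgr[1984]: 7B8C9D0E1F: from=<alice@victim.example>, size=900, nrcpt=1 (queue active)
Mar  3 10:20:06 mail postfix/smtp[2430]: 7B8C9D0E1F: to=<bob@example.net>, relay=mx.example.net[198.51.100.25]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9AB12)
Mar  3 10:20:06 mail postfix/qmgr[1984]: 7B8C9D0E1F: removed
"""

# syslog prefix: timestamp, host, program[pid]: rest. The traditional format
# has no year and no time zone; take both from the file's mtime and the host's
# configured zone, and say so in the report.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>[\w-]+)\[\d+\]: (?P<rest>.*)$")
# Every entry for one message starts with its queue ID; connections rejected
# before a queue file existed are tagged NOQUEUE.
QID_RE = re.compile(r"^(?P<qid>NOQUEUE|[0-9A-F]{8,}): (?P<detail>.*)$")


def _angle(key: str, text: str):
    """Value of key=<...> in a Postfix log line, or None."""
    m = re.search(r"\b%s=<([^>]*)>" % key, text)
    return m.group(1) if m else None


def _new_record(qid: str, ts: str) -> dict:
    return {"queue_id": qid, "first_seen": ts, "last_seen": ts,
            "client_host": None, "client_ip": None, "local_uid": None,
            "message_id": None, "sender": None, "recipients": [], "removed": False}


def index_maillog(lines) -> tuple:
    """Return ({queue_id: record}, [rejects]) built from maillog lines."""
    records, rejects = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        q = QID_RE.match(m["rest"])
        if not q:
            continue                          # connect/disconnect lines etc.
        detail = q["detail"]
        if q["qid"] == "NOQUEUE":
            client = re.search(r"from (\S+?)\[([\d.]+)\]", detail)
            reason = re.search(r"\]: (.*?);", detail)
            rejects.append({
                "time": m["ts"],
                "client_ip": client.group(2) if client else None,
                "sender": _angle("from", detail),
                "recipient": _angle("to", detail),
                "reason": reason.group(1) if reason else detail,
            })
            continue
        rec = records.setdefault(q["qid"], _new_record(q["qid"], m["ts"]))
        rec["last_seen"] = m["ts"]
        client = re.search(r"client=(\S+?)\[([^\]]+)\]", detail)
        if client:                            # smtpd: who connected
            rec["client_host"], rec["client_ip"] = client.group(1), client.group(2)
        if m["proc"] == "pickup":             # submitted locally via sendmail(1)
            uid = re.search(r"uid=(\d+)", detail)
            rec["local_uid"] = uid.group(1) if uid else None
        mid = re.search(r"message-id=(<[^>]*>)", detail)
        if mid:
            rec["message_id"] = mid.group(1)
        if _angle("from", detail) is not None:
            rec["sender"] = _angle("from", detail)
        rcpt = re.search(r"\bto=<([^>]*)>.*?\bstatus=(\w+)", detail)
        if rcpt:                              # one line per recipient delivery attempt
            relay = re.search(r"\brelay=(\S+?),", detail)
            rec["recipients"].append({"address": rcpt.group(1), "status": rcpt.group(2),
                                      "relay": relay.group(1) if relay else None})
        if detail == "removed":
            rec["removed"] = True
    return records, rejects


def find_by_message_id(records: dict, message_id: str) -> list:
    return [r for r in records.values() if r["message_id"] == message_id]


def find_by_client_ip(records: dict, ip: str) -> list:
    return [r for r in records.values() if r["client_ip"] == ip]


if __name__ == "__main__":
    recs, rejs = index_maillog(SAMPLE_MAILLOG.splitlines())
    for r in recs.values():
        print(r["queue_id"], r["client_ip"] or f"local uid {r['local_uid']}",
              r["sender"], "->", [x["address"] for x in r["recipients"]])
    for rej in rejs:
        print("REJECT", rej["client_ip"], rej["sender"], rej["reason"])
```

Feed in rotated logs as well (maillog.1, maillog-YYYYMMDD, and their .gz copies) and, on systemd hosts, the output of journalctl -u postfix; a message that was queued on one day and delivered the next will otherwise show up half-indexed.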

Examining Microsoft E-mail Server Logs

  • Exchange Server: The Microsoft e-mail server software.

    • It uses an Exchange database and is based on the Microsoft Extensible Storage Engine (ESE), which uses several files in different combinations to provide e-mail service.

  • The .edb file is the ESE database that holds the mailboxes; in Exchange 2003 and earlier, MAPI-formatted items were stored in the .edb file and Internet-format (MIME) content in a companion .stm streaming file, which later versions dropped.

  • Messaging Application Programming Interface (MAPI): A Microsoft system that enables different e-mail applications to work together.

  • Exchange logs transactions in ESE transaction logs before committing them to the database: a current log (E00.log for the first storage group or database), numbered generations (E00 followed by a hexadecimal sequence number, with a .log extension), and a checkpoint file (E00.chk) that records which entries have already been written to the .edb file. Logs not yet committed can contain messages that never reached, or were later deleted from, the database.

  • Exchange also creates .tmp (temporary) files to prevent loss when it’s busy converting binary data to readable text.

  • The server also keeps message tracking logs (historically Tracking.log; on current versions, MSGTRK*.LOG files under the transport role’s Logs\MessageTracking folder, searchable with the Get-MessageTrackingLog PowerShell cmdlet) that record each message’s sender, recipients, message ID, and the events applied to it.

11.5: Using Specialized E-mail Forensics Tools

Other Tools to Investigate and Recover E-mail Files

  • DataNumen for Outlook and Outlook Express

  • FINALeMAIL for Outlook Express and Eudora

  • Sawmill-Novell GroupWise for log analysis

  • MailXaminer for multiple e-mail formats and large data sets

  • Fookes Aid4Mail and MailBag Assistant for Outlook, Thunderbird, and Eudora

  • Paraben E-Mail Examiner, configured to recover several e-mail formats

  • AccessData FTK for Outlook and Outlook Express

  • Ontrack EasyRecovery EmailRepair for Outlook and Outlook Express

  • R-Tools R-Mail for Outlook and Outlook Express

  • OfficeRecovery’s MailRecovery for Outlook, Outlook Express, Exchange, Exchange Server, and IBM Notes

  • MXToolBox for decoding e-mail headers

  • FreeViewer with free tools for Outlook, Windows Live Mail, Thunderbird, and other servers


  • Magnet AXIOM: It is designed to combine evidence retrieval from PCs, mobile devices, and the cloud.

  • Multipurpose Internet Mail Extensions (MIME): An extension of the original Internet e-mail message format (RFC 822, now RFC 5322), which allowed only 7-bit ASCII text. MIME (RFC 2045 through 2049) lets users exchange different kinds of data, including audio, video, images and application programs, over SMTP by describing each part with Content-Type and Content-Transfer-Encoding headers and encoding binary content, usually as base64. For an investigator, the MIME structure is where attachments live and where a declared type or file name can disagree with the actual bytes.
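An added Python example, not the textbook's code, showing what the MIME structure looks like to an investigator. It builds a constructed two-attachment message with the standard library, then walks the parts, hashes each attachment, and compares the declared file name and Content-Type against the leading bytes. It goes beyond the PDF case in the text by also recognising PE, zip/OOXML, OLE2 and ELF signatures. The sample lure's "invoice.pdf" is really a PE executable header, which the check flags; names and addresses are documentation values.

```python
"""Inventory MIME attachments and check declared type against actual bytes.

Added example, not code from the textbook. The message is constructed with
the standard library so the example runs offline; in practice pass the bytes
of a saved .eml file to inventory_attachments().
"""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed payloads: a PE executable header posing as a PDF, and a real PDF header.
FAKE_PDF = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n"
REAL_PDF = b"%PDF-1.4\n%real document\n"

# Leading bytes ("magic numbers") of formats that matter in e-mail investigations.
MAGIC = [(b"%PDF", "pdf"), (b"MZ", "pe"), (b"PK\x03\x04", "zip"),
         (b"\xd0\xcf\x11\xe0", "ole2"), (b"\x7fELF", "elf")]
# What each extension should sniff as; OOXML documents are zip containers.
EXPECTED = {"pdf": {"pdf"}, "exe": {"pe"}, "dll": {"pe"}, "scr": {"pe"},
            "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"},
            "doc": {"ole2"}, "xls": {"ole2"}, "msg": {"ole2"}}


def sniff(data: bytes) -> str:
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def build_sample() -> bytes:
    """Constructed sample message (assumption: a phishing lure with two attachments)."""
    msg = EmailMessage()
    msg["From"] = '"Payroll" <ceo@victim.example>'
    msg["To"] = "victim@victim.example"
    msg["Subject"] = "Urgent wire transfer"
    msg.set_content("Please review the attached invoice and wire the funds today.")
    msg.add_attachment(FAKE_PDF, maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(REAL_PDF, maintype="application", subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


def inventory_attachments(raw: bytes) -> list:
    """One dict per attachment: name, declared type, size, SHA-256, sniffed type, mismatch flag."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):             # text attachments come back decoded
            data = data.encode(part.get_content_charset() or "utf-8")
        name = part.get_filename() or "(unnamed)"
        ext = name.rpartition(".")[2].lower() if "." in name else ""
        sniffed = sniff(data)
        found.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),   # record this in the report
            "sniffed": sniffed,
            # Flag only when the bytes are recognised and contradict the extension.
            "mismatch": ext in EXPECTED and sniffed != "unknown" and sniffed not in EXPECTED[ext],
        })
    return found


def flag_mismatches(inventory: list) -> list:
    return [a["filename"] for a in inventory if a["mismatch"]]


if __name__ == "__main__":
    inv = inventory_attachments(build_sample())
    for a in inv:
        print(f"{a['filename']:<14} {a['content_type']:<16} {a['size']:>6}B "
              f"sniffed={a['sniffed']:<8} sha256={a['sha256'][:16]}... mismatch={a['mismatch']}")
    print("suspicious:", flag_mismatches(inv))
```

Hash every attachment before anything else touches it, and keep the mismatch list with the message ID from the header so the finding can be matched to the server log entry for the same message.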


11.6: Applying Digital Forensics Methods to Social Media Communications

  • Online Social Networks (OSNs): These are not just used for communication but also used to conduct business, brag about criminal activities, raise money, and have class discussions.

  • You can also use OSNs to build a profile of a prospective client, a business partner, a suspect in a murder trial, and more.

  • Social media can contain a lot of information, including the following:

    • Evidence of cyberbullying and witness tampering.

    • A company’s position on an issue.

    • Whether intellectual property rights have been violated.

    • Who posted information and when.

Forensics Tools for Social Media Investigations

  • As with any investigation, you need a warrant or subpoena to ask an OSN to produce its records.

  • There are other approaches you can take, however. If people are cooperating with your investigation, they might give you the usernames and passwords to their social media accounts.

  • If not, you can access only their public profile or become friends with one of their friends, which might give you limited information. For this approach, there are a few steps you need to take:

    1. Begin with a workstation that doesn’t contain any of your personal information, or create a virtual machine with a bridged network.

    2. Many people link their cell phone numbers to their Facebook accounts, so try looking up the suspect’s cell phone number in Facebook, which shows you the person’s username, too. (Facebook removed public search by phone number in 2018, so this step may no longer work; other platforms’ contact-discovery features come and go in the same way.)

      1. People often use the same username in all platforms, including Twitter, Instagram, LinkedIn, and so forth.

    3. Next, you should do a Google search on this username, making sure to use your investigation workstation.

      1. Disable Google’s Safe Search feature and “instant results,” which Google uses to guess what you’re searching for.

      2. Turn off location-based searches so that Google doesn’t use your location to filter results.

    4. Collect as much information as possible on Google, and use it to find friends of the suspect and then attempt to friend these people.

      1. With some social media tools, you need to create a decoy account.

      2. Remember that it’s against the law to use someone else’s likeness as your own for a social media account, and operating within the law is crucial in any investigation.
