Chapter 11: E-mail and Social Media Investigations
Phishing: Here a message attempts to get personal information by luring readers with false promises.
Pharming: Here the readers might go to the correct Web site address, but DNS poisoning takes them to a fake site.
Email Spoofing: A type of cyberattack, commonly aimed at businesses, that uses e-mails with forged sender addresses (the From: header and/or the SMTP envelope sender) so a message appears to come from someone the recipient trusts.
The clue to the e-mail being a fake was the Enhanced/Extended Simple Mail Transfer Protocol (ESMTP) number in the message's header: the identifier a receiving server writes into its own Received: line (after "with ESMTP id") is unique to each message that server transmits, so it can be checked against that server's log. Only the Received: lines added by servers you control or trust can be relied on; a sender can insert forged lines below them.
Client/Server Architecture: A configuration where messages are distributed from a central server to many connected client computers.
The server runs an e-mail server program, such as Microsoft Exchange Server, to provide e-mail services.
Client computers use e-mail programs, such as Microsoft Outlook, to contact the e-mail server and send and retrieve e-mail messages.
Regardless of the OS or e-mail program, users access their e-mail based on permissions the e-mail server administrator grants. These permissions prevent users from accessing each other's e-mail.
An Intranet E-mail System is for the private use of network users, and Internet e-mail systems are for public users.
Forensic Linguistics: involves the application of scientific knowledge to language in the context of criminal and civil law.
The International Association of Forensic Linguists divides this field into four categories:
language and law;
language in the legal process;
language as evidence; and
research/teaching.
Forensic linguistics encompasses civil cases, criminal cases, cyberterrorism cases, and other legal proceedings.
If Outlook or Outlook Express is installed on your computer, follow these steps:
Insert a USB drive into a USB port.
Open File Explorer, navigate to the USB drive, and leave this window open.
Start Outlook by going to the Start screen, typing Outlook, and pressing Enter.
In the Mail Folders pane, click the folder containing the message you want to copy.
Resize the Outlook window so that you can see the message you want to copy and the USB drive icon in File Explorer.
Drag the message from the Outlook window to the USB drive icon in File Explorer. Outlook saves the dragged message as an Outlook .msg file.
Click the File tab, and then click Print to open the Print pane. After printing the e-mail so that you have a copy to include in your final report, exit Outlook.
The main pieces of information you're looking for are the originating e-mail's domain name and IP address, which appear in the Received: lines of the header.
To open and examine an e-mail header, follow these steps:
Open File Explorer and navigate to your work folder.
Double-click a .txt file containing message header text, such as Outlook header.txt. The message header opens in Notepad.
E-mail programs save messages on the client's computer or leave them on the server.
How e-mails are stored depends on the settings on the client and server.
On the client's computer, you could save all your e-mail in a separate folder for record-keeping purposes.
Most e-mail programs also include an address book of contacts, and many offer calendars, task lists, and memos.
A suspect's address book, calendar, task list, and memos can contain valuable information that links e-mail crimes or abuse to other parties and reveal the suspect's physical address and even involvement in other crimes.
In Web-based e-mail, messages are displayed and saved as Web pages in the browser's cache folders.
Many Web-based e-mail providers offer instant messaging (IM) services that can save message contents in proprietary and nonproprietary file formats.
Some IM programs are configured to not save chat content unless users change the default setting, so you might need to search the suspect's Pagefile.sys file to find message fragments.
As part of the investigation, you need to determine an e-mail's origin by further examining the header with one of many free Internet tools.
Tracing: Determining a message's origin by following the header's Received: lines back from your own server toward the sending host, then identifying who is responsible for the last address you can trust.
If the point of contact isn't listed on the Web site or the domain doesn't have a Web site, you need to use a registry site, such as those in the following list, to determine the point of contact:
www.arin.net - Use the American Registry for Internet Numbers (ARIN) WHOIS to map an IP address to the organization that holds it and find that network's point of contact (addresses outside North America are handled by RIPE NCC, APNIC, LACNIC, or AFRINIC).
www.internic.net - Use the InterNIC WHOIS lookup to find a domain's registrar and its registrant point of contact.
www.google.com - Use this search engine and others to look for more information and additional postings on discussion boards.
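An added example, not from the chapter, that automates the header walk described above in Python and makes the tracing caveat explicit: the only Received: line you can vouch for is the one your own server wrote, and its ESMTP id is what you match against that server's log. The header block it parses is constructed for the example (hosts, addresses and IDs are assumed, using documentation address ranges); parse_received, trace and relay_domain_mismatch are the example's own names.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample header block for a phishing message (no real hosts or addresses).
# Receiving servers prepend their Received: line, so the top one was added last,
# by the victim's own MX; the bottom one claims to describe the origin.
SAMPLE_HEADER = """\
Received: from mail.example-isp.net (mail.example-isp.net [203.0.113.7])
\tby mx1.victim.example (Postfix) with ESMTP id 4F2A1C3D9E
\tfor <victim@victim.example>; Tue, 03 Mar 2020 10:15:02 -0500
Received: from [198.51.100.23] (helo=pc-home)
\tby mail.example-isp.net with esmtpa (Exim 4.92) id 1j9Abc-0003Xy-Qw;
\tTue, 03 Mar 2020 10:14:58 -0500
From: "Bank Support" <support@bank.example>
To: victim@victim.example
Subject: Urgent: verify your account
Message-ID: <20200303151458.GA1234@pc-home>
Date: Tue, 03 Mar 2020 10:14:55 -0500

(body omitted)
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_HOST = re.compile(r"\bfrom\s+(\S+)")
BY_HOST = re.compile(r"\bby\s+(\S+)")
ESMTP_ID = re.compile(r"\bid\s+([^\s;]+)")


def parse_received(value):
    """Pull the tracing fields out of one Received: header value."""
    text = " ".join(value.split())  # unfold the header and collapse whitespace
    ip, frm, by, esmtp = (p.search(text) for p in (IPV4, FROM_HOST, BY_HOST, ESMTP_ID))
    return {
        "from_host": frm.group(1) if frm else None,
        "from_ip": ip.group(1) if ip else None,        # bracketed address the receiving server saw
        "by_host": by.group(1) if by else None,
        "esmtp_id": esmtp.group(1) if esmtp else None,  # match this against that server's log
        "date": text.rsplit(";", 1)[1].strip() if ";" in text else None,
    }


def trace(raw_message):
    """Walk the Received: chain and separate what we can vouch for from what the sender claims."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(r) for r in (msg.get_all("Received") or [])]
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "message_id": (msg.get("Message-ID") or "").strip(),
        "from_domain": from_domain,
        "hops": hops,  # hops[0] is the newest line (our server), hops[-1] the oldest
        "trusted_from_ip": hops[0]["from_ip"] if hops else None,
        "claimed_origin_ip": hops[-1]["from_ip"] if hops else None,
    }


def relay_domain_mismatch(result):
    """True when the host that handed the mail to our server is not in the From: domain.
    Not proof of spoofing by itself (legitimate mail often crosses third-party relays),
    but a prompt to check SPF/DKIM results and the relay's point of contact."""
    host = (result["hops"][0]["from_host"] or "") if result["hops"] else ""
    return bool(result["from_domain"]) and not host.lower().endswith(result["from_domain"])


if __name__ == "__main__":
    result = trace(SAMPLE_HEADER)
    for n, hop in enumerate(result["hops"]):
        tag = "TRUSTED (added by our MX)" if n == 0 else "as claimed by an upstream server"
        print(f"hop {n}: {hop['from_host']} [{hop['from_ip']}] -> {hop['by_host']} "
              f"id={hop['esmtp_id']} at {hop['date']}  {tag}")
    print("Message-ID:", result["message_id"])
    print("look up at ARIN/WHOIS:", result["trusted_from_ip"])
    print("From: domain differs from relay:", relay_domain_mismatch(result))
```

The address to take to ARIN or a regional registry is trusted_from_ip, the relay that connected to your own server; claimed_origin_ip comes from a line another party wrote and is only as reliable as that party's server.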
Network administrators maintain logs of the inbound and outbound traffic routers handle.
Routers have rules to allow or deny traffic based on source or destination IP address.
Routers are set up to track all traffic flowing through their ports.
Using these logs, you can determine the path a transmitted e-mail has taken.
The network administrator who manages routers can supply the log files you need.
Review the router logs to find the victim's (recipient's) e-mail, and look for the unique ID number taken from the header, together with the source IP address and timestamp, so that log entries can be matched to the specific message.
Network administrators also maintain logs for firewalls that filter Internet traffic; these logs can help verify whether an e-mail message passed through the firewall.
Firewalls maintain log files that track the Internet traffic destined for other networks or the network the firewalls are protecting.
An e-mail server is loaded with software that uses e-mail protocols for its services and maintains logs you can examine and use in your investigation.
Your focus is not to learn how a particular e-mail server works but how to retrieve information about e-mails for an investigation.
To investigate e-mail abuse, you should know how an e-mail server records and handles the e-mail it receives. Some e-mail servers use databases that store usersâ e-mails, and others use a flat file system.
All e-mail servers can maintain a log of e-mails that are processed. Some e-mail servers are set up to log e-mail transactions by default; others must be configured to do so.
Most e-mail administrators log system operations and message traffic for the following reasons:
Recover e-mails in case of a disaster.
Make sure the firewall and e-mail filters are working correctly.
Enforce company policy.
E-mail logs generally identify:
the e-mail messages an account received,
the IP address from which they were sent,
the time and date the e-mail server received them,
the time and date the client computer accessed the e-mail,
the e-mail contents, system-specific information, and
any other information the e-mail administrator wants to track.
Administrators usually set e-mail servers to continuous logging mode.
After you have identified the source of the e-mail, contact the network or e-mail administrator of the suspect's network as soon as possible.
In addition to logging e-mail traffic, e-mail servers often retain copies of clients' e-mails, even after the users have deleted messages from their inboxes; how long depends on the server's retention and backup settings.
Log files and configuration files can provide helpful information.
The configuration file for Sendmail is /etc/mail/sendmail.cf; Sendmail refers to this file to find out what to do with an e-mail after it's received, and it can help you determine where log files are stored. The /etc/syslog.conf file includes e-mail logging instructions, so you can determine how Sendmail is set up to log e-mail events and which events are logged. Each selector line in /etc/syslog.conf contains three pieces of information that tell you what happened to an e-mail event when it was logged: the facility (the event source; the mail server logs under mail), the priority level of concern, and the action taken (usually the file the entry was written to). On current Linux systems the same selector syntax lives in /etc/rsyslog.conf and /etc/rsyslog.d/, and hosts running systemd may keep mail events in the journal as well. Delivered e-mail files are typically found at /var/mail.
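Added example, not from the chapter: a small Python reader for syslog.conf selector lines that answers the question the passage raises, which file a mail event of a given priority ends up in. The configuration text is constructed for the example; destinations and selector_matches are its own names, and it handles the common selector forms (facility lists, *, none, =prio, !prio) but not rsyslog's extended syntax.

```python
import re

# Constructed sample selector lines in /etc/syslog.conf style (rsyslog accepts the
# same syntax); not copied from any real host.
SAMPLE_SYSLOG_CONF = """\
# log anything of priority info or higher, except mail, authpriv and cron
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
authpriv.*                                      /var/log/secure
# every mail event; the leading '-' means the file is written without fsync
mail.*                                          -/var/log/maillog
mail.err                                        /var/log/mail.err
*.emerg                                         :omusrmsg:*
"""

# syslog priorities from most to least severe; a plain selector such as mail.err
# matches that priority and everything more severe
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}


def level(name):
    return PRIORITIES.index(ALIASES.get(name, name))


def selector_matches(selector, facility, priority):
    """True/False if this selector decides the message; None if it does not mention the facility."""
    facs, _, prio = selector.rpartition(".")
    if facs != "*" and facility not in facs.split(","):
        return None
    if prio == "none":
        return False
    if prio == "*":
        return True
    if prio.startswith("="):          # exactly this priority
        return level(priority) == level(prio[1:])
    if prio.startswith("!"):          # everything less severe than this priority
        return level(priority) > level(prio[1:])
    return level(priority) <= level(prio)


def destinations(conf_text, facility, priority):
    """List the actions (files, pipes, users) that receive facility.priority under this configuration."""
    actions = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.rsplit(None, 1)
        if len(parts) != 2:
            continue
        selectors, action = parts
        verdict = None
        # selectors are evaluated left to right; a later one (e.g. mail.none) overrides an earlier match
        for sel in selectors.split(";"):
            result = selector_matches(sel.strip(), facility, priority)
            if result is not None:
                verdict = result
        if verdict:
            actions.append(action.lstrip("-"))
    return actions


if __name__ == "__main__":
    for prio in ("info", "err"):
        print(f"mail.{prio} ->", destinations(SAMPLE_SYSLOG_CONF, "mail", prio))
```

Run against the real /etc/syslog.conf or the rsyslog files, this tells you every file to collect for mail events before you start reading logs; an event of priority err, for example, is written to two places in the sample configuration.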
Postfix: Its configuration files, master.cf and main.cf, are in the /etc/postfix directory. Messages in transit are held in the queue under /var/spool/postfix; delivered mail goes to the mailbox location main.cf specifies (by default an mbox file under /var/mail, or a Maildir in the user's home directory if home_mailbox is set).
Because a UNIX system may run any of several e-mail servers, the syslog.conf file simply specifies where to save the different types of e-mail log files.
The first log file to look for is /var/log/maillog (on Red Hat-derived systems; Debian and Ubuntu use /var/log/mail.log), which usually contains a record of Simple Mail Transfer Protocol (SMTP) communication between servers.
The IP address of the connecting host and the timestamp in the maillog file are key pieces of information in an e-mail investigation, as is the queue ID that ties every log line for one message together.
The maillog file also contains Post Office Protocol version 3 (POP3) and Internet Message Access Protocol 4 (IMAP4) events when the POP/IMAP server (Dovecot, for example) logs to the mail facility.
UNIX systems are set to store log files in the /var/log directory.
If you're examining a UNIX computer and don't find the e-mail logs in /var/log, you can use the find or locate command to find them; also check for rotated copies (maillog-YYYYMMDD or mail.log.1.gz), because the live file holds only the current rotation period.
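An added example (not part of the chapter) that reads a Postfix-style mail log in Python and ties the server's record back to the header: the queue ID Postfix logs is the ESMTP id it wrote into the Received: line, and the cleanup line carries the Message-ID, so either value from the header finds the transaction. It also covers the "time and date the client computer accessed the e-mail" item in the list above, via a Dovecot IMAP login line. The log lines are constructed for the example, and parse_line, index_transactions, find_transaction and mailbox_logins are its own names.

```python
import re
from collections import defaultdict

# Constructed sample mail log in Postfix/Dovecot syslog format (no real hosts or users).
# Postfix tags every line of one delivery with the same queue ID, which is also the
# "ESMTP id" it wrote into the message's Received: header.
SAMPLE_MAILLOG = """\
Mar  3 10:15:01 mx1 postfix/smtpd[2231]: connect from mail.example-isp.net[203.0.113.7]
Mar  3 10:15:02 mx1 postfix/smtpd[2231]: 4F2A1C3D9E: client=mail.example-isp.net[203.0.113.7]
Mar  3 10:15:02 mx1 postfix/cleanup[2235]: 4F2A1C3D9E: message-id=<20200303151458.GA1234@pc-home>
Mar  3 10:15:02 mx1 postfix/qmgr[1190]: 4F2A1C3D9E: from=<support@bank.example>, size=2310, nrcpt=1 (queue active)
Mar  3 10:15:02 mx1 postfix/local[2240]: 4F2A1C3D9E: to=<victim@victim.example>, relay=local, delay=0.4, delays=0.3/0/0/0.1, dsn=2.0.0, status=sent (delivered to maildir)
Mar  3 10:15:02 mx1 postfix/qmgr[1190]: 4F2A1C3D9E: removed
Mar  3 10:15:03 mx1 postfix/smtpd[2231]: disconnect from mail.example-isp.net[203.0.113.7]
Mar  3 10:16:40 mx1 postfix/smtpd[2231]: 7B0C2D4E1F: client=unknown[192.0.2.55]
Mar  3 10:16:40 mx1 postfix/cleanup[2235]: 7B0C2D4E1F: message-id=<newsletter-9@unrelated.example>
Mar  3 10:16:41 mx1 postfix/qmgr[1190]: 7B0C2D4E1F: from=<news@unrelated.example>, size=8800, nrcpt=1 (queue active)
Mar  3 10:16:41 mx1 postfix/local[2240]: 7B0C2D4E1F: to=<victim@victim.example>, relay=local, delay=0.6, delays=0.5/0/0/0.1, dsn=2.0.0, status=sent (delivered to maildir)
Mar  3 10:17:05 mx1 dovecot: imap-login: Login: user=<victim>, method=PLAIN, rip=10.0.0.42, lip=10.0.0.5, mpid=2301, TLS
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$"
)
QUEUE_PREFIX = re.compile(r"^(?P<qid>[0-9A-F]{6,}):\s+(?P<rest>.*)$")
KV = re.compile(r"([\w-]+)=(<[^>]*>|[^,\s]+)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_line(line):
    """Split one syslog line into timestamp, host, program, optional queue ID and key=value fields."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qid"] = None
    q = QUEUE_PREFIX.match(rec["msg"])
    if q and rec["prog"].startswith("postfix/"):
        rec["qid"], rec["msg"] = q.group("qid"), q.group("rest")
    rec["fields"] = dict(KV.findall(rec["msg"]))
    return rec


def index_transactions(log_text):
    """Group Postfix lines by queue ID so one delivery can be read as a unit, in log order."""
    by_qid = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qid"]:
            by_qid[rec["qid"]].append(rec)
    return by_qid


def find_transaction(log_text, message_id):
    """Find the delivery whose cleanup line carries the Message-ID taken from the header."""
    for qid, recs in index_transactions(log_text).items():
        if not any(r["fields"].get("message-id") == message_id for r in recs):
            continue
        summary = {"queue_id": qid, "received": recs[0]["ts"]}
        for r in recs:
            f = r["fields"]
            if "client" in f:  # connecting host as the server saw it: the address to trace
                summary["client"] = f["client"]
                ip = IPV4.search(f["client"])
                summary["client_ip"] = ip.group(1) if ip else None
            if "from" in f:
                summary["envelope_sender"] = f["from"].strip("<>")
            if "to" in f:
                summary["recipient"] = f["to"].strip("<>")
                summary["status"] = f.get("status")
                summary["delivered"] = r["ts"]
        return summary
    return None


def mailbox_logins(log_text, user):
    """Dovecot login lines show when, and from which address, the mailbox was read."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["prog"] == "dovecot" and rec["fields"].get("user") == f"<{user}>":
            hits.append({"ts": rec["ts"], "protocol": rec["msg"].split(":", 1)[0],
                         "remote_ip": rec["fields"].get("rip")})
    return hits


if __name__ == "__main__":
    print(find_transaction(SAMPLE_MAILLOG, "<20200303151458.GA1234@pc-home>"))
    print(mailbox_logins(SAMPLE_MAILLOG, "victim"))
```

The envelope sender in the qmgr line is what the sending server actually presented in MAIL FROM; when it differs from the From: header in the message, that difference is itself evidence worth recording. Note that the syslog timestamp format used here carries no year, so take the year from the file's rotation date or from the log's own metadata.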
A new directory, /home/username/mail, is created on the client computer when a user logs on for the first time and runs the e-mail program (the exact location depends on the client; Maildir-based setups use ~/Maildir, for example).
If the server has been configured to deliver e-mail to client machines but not store copies of e-mails on the server, the only copy of the e-mail is on the client computer in the userâs mail folder.
Exchange Server: The Microsoft e-mail server software.
It uses an Exchange database and is based on the Microsoft Extensible Storage Engine (ESE), which uses several files in different combinations to provide e-mail service.
An .edb file is responsible for messages formatted with MAPI.
Messaging Application Programming Interface (MAPI): A Microsoft system that enables different e-mail applications to work together.
Exchange logs transactions in a transaction log.
Exchange also creates .tmp (temporary) files to prevent loss when it's busy converting binary data to readable text.
The server also maintains a log called Tracking.log that tracks messages.
DataNumen for Outlook and Outlook Express
FINALeMAIL for Outlook Express and Eudora
Sawmill-Novell GroupWise for log analysis
MailXaminer for multiple e-mail formats and large data sets
Fookes Aid4Mail and MailBag Assistant for Outlook, Thunderbird, and Eudora
Paraben E-Mail Examiner, configured to recover several e-mail formats
AccessData FTK for Outlook and Outlook Express
Ontrack EasyRecovery EmailRepair for Outlook and Outlook Express
R-Tools R-Mail for Outlook and Outlook Express
OfficeRecovery's MailRecovery for Outlook, Outlook Express, Exchange, Exchange Server, and IBM Notes
MXToolBox for decoding e-mail headers
FreeViewer with free tools for Outlook, Windows Live Mail, Thunderbird, and other servers
Magnet AXIOM: It is designed to combine evidence retrieval from PCs, mobile devices, and the cloud.
Multipurpose Internet Mail Extensions (MIME): It is an extension of the original SMTP email protocol. It lets users exchange different kinds of data files, including audio, video, images and application programs, over email.
Online Social Networks (OSNs): These are not just used for communication but also used to conduct business, brag about criminal activities, raise money, and have class discussions.
You can also use OSNs to build a profile of a prospective client, a business partner, a suspect in a murder trial, and more.
Social media can contain a lot of information, including the following:
Evidence of cyberbullying and witness tampering.
A company's position on an issue.
Whether intellectual property rights have been violated.
Who posted information and when.
As with any investigation, you need a warrant or subpoena to ask an OSN to produce its records.
There are other approaches you can take, however. If people are cooperating with your investigation, they might give you the usernames and passwords to their social media accounts.
If not, you can access only their public profile or become friends with one of their friends, which might give you limited information. For this approach, there are a few steps you need to take:
Begin with a workstation that doesn't contain any of your personal information, or create a virtual machine with a bridged network.
Many people link their cell phone numbers to their Facebook accounts, so try looking up the suspect's cell phone number in Facebook, which shows you the person's username, too.
People often use the same username in all platforms, including Twitter, Instagram, LinkedIn, and so forth.
Next, you should do a Google search on this username, making sure to use your investigation workstation.
Disable Google's Safe Search feature and "instant results," which Google uses to guess what you're searching for.
Turn off location-based searches so that Google doesnât use your location to filter results.
Collect as much information as possible on Google, and use it to find friends of the suspect and then attempt to friend these people.
With some social media tools, you need to create a decoy account.
Remember that it's against the law to use someone else's likeness as your own for a social media account, and operating within the law is crucial in any investigation.