Investigating E Mail Part 4 - Paiet/Mobile-Forensics GitHub Wiki

Steps involved in investigating e-mail crimes and violations:

1. Obtain a search warrant
2. Examine e-mail messages
3. Copy and print the e-mail messages
4. View the e-mail headers
5. Analyze the e-mail headers
6. Trace the e-mail
7. Acquire e-mail archives
8. Examine e-mail logs

Checking validity of an e-mail sender:

http://centralops.net

Types of encoding in emails

MIME extends the email format to support the following:

- Text in non-ASCII character sets
- Attachments other than text, such as application programs, images, audio and video
- Multiple-part message bodies
- Non-ASCII character set header information

Uuencode, also known as UNIX-to-UNIX encoding or Uuencode/Uudecode, is a utility for encoding and decoding files shared between users or systems running the UNIX operating system. It is also available for all other operating systems, and many e-mail applications offer it as an encoding alternative, especially for e-mail attachments.

BinHex is the short form for "binary-to-hexadecimal." It is a binary-to-text encoding system used in the Mac OS to send binary files via e-mails. This system is similar to Uuencode, but BinHex combines both "forks" of the Mac file system including extended file information.

Examining Linux E-mail Server Logs

Sendmail is the command used to send e-mail from a Linux or Unix system.

Linux and Unix use Syslog to maintain logs of what has happened on the system.

The configuration file /etc/syslog.conf determines where the syslog service writes its logs.

The syslog configuration file contains information on the logging priority, where logs are sent, and what other actions may be taken.

The syslog.conf file provides the location of the e-mail log file, which is usually /var/log/maillog.

The /var/log/maillog file contains source and destination IP addresses, date and time stamps, and other information necessary to validate the data within an e-mail header.
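As an added example (not part of the original wiki page), the following Python script ties header analysis and log examination together: it parses the Received chain of a message and checks each hop handled by a given server against that server's sendmail-style maillog, confirming that the queue id and the sending IP recorded in the header agree with what the server itself logged. The message, log lines, hostnames and IP addresses are constructed sample data.

```python
import re
from email import message_from_string

# Constructed two-hop message (sample data, not from the original page).
RAW_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.5])
\tby mail.example.org (8.15.2/8.15.2) with ESMTP id 2A3F1C0001
\tfor <bob@example.org>; Tue, 03 Mar 2020 10:15:02 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx1.example.net (8.15.2/8.15.2) with ESMTP id 123A5F0001234;
\tTue, 03 Mar 2020 10:14:58 +0000
Message-ID: <abc123@example.com>
From: alice@example.com
To: bob@example.org

"""
# Constructed sendmail-style maillog lines from mx1.example.net (sample data).
MAILLOG = """\
Mar  3 10:14:58 mx1 sendmail[1234]: 123A5F0001234: from=<alice@example.com>, size=512, msgid=<abc123@example.com>, relay=relay.example.com [198.51.100.7]
Mar  3 10:14:59 mx1 sendmail[1235]: 123A5F0001234: to=<bob@example.org>, relay=mail.example.org. [203.0.113.9], stat=Sent
"""
# One Received hop: "from <host> ... [<ip>] by <host> ... id <queue-id>"
HOP_RE = re.compile(r"from\s+(?P<frm>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
                    r".*?by\s+(?P<by>\S+).*?\bid\s+(?P<qid>\w+)", re.S)
# sendmail "from=" log line: queue id plus the relay that handed the message in
LOG_RE = re.compile(r": (?P<qid>\w+): from=<[^>]*>.*?relay=\S+ \[(?P<ip>[\d.]+)\]")

def parse_hops(raw):
    """Return Received hops oldest-first (each MTA prepends its own header)."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(hdr)
        if m:
            hops.append(m.groupdict())
    return hops[::-1]

def validate_hops(raw, maillog, log_host):
    """For hops handled 'by' log_host, check queue id and sending IP against its maillog."""
    logged = {}
    for line in maillog.splitlines():
        m = LOG_RE.search(line)
        if m:
            logged.setdefault(m["qid"], set()).add(m["ip"])
    return [(h["qid"], h["ip"], h["ip"] in logged.get(h["qid"], set()))
            for h in parse_hops(raw) if h["by"] == log_host]

if __name__ == "__main__":
    for qid, ip, ok in validate_hops(RAW_MESSAGE, MAILLOG, "mx1.example.net"):
        print(f"queue id {qid} from {ip}: {'matches log' if ok else 'NOT in log'}")
```

A hop whose queue id or sending IP is absent from the server's own log is the point at which the header chain stops being trustworthy and the investigator needs the next server's log.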

Examining Microsoft Exchange E-mail Server Logs

Microsoft Exchange uses the Microsoft Extensible Storage Engine (ESE)

While investigating an e-mail sent via Microsoft Exchange server, you should primarily focus on the following files:

- .edb database files (responsible for MAPI information)
- .stm database files (responsible for non-MAPI information)
- checkpoint files
- temporary files

Checkpoint files help to find out whether any data loss occurred after the last backup, allowing you to recover lost or deleted messages.

Temporary files store the information received by the server when it was too busy to process it immediately.

The transaction log preserves and processes modifications made to the database file, so it can be used to determine whether an e-mail has been sent or received by the server.

U.S. laws against e-mail related crimes:

  1. CAN-SPAM Act - (Controlling the Assault of Non-Solicited Pornography and Marketing Act)
  2. 18 U.S.C. § 2252A - Transmission of Child Pornography
  3. 18 U.S.C. § 2252B - Manipulation of domain names or other means to provide access to Child Pornography
  4. Residents of Washington D.C. are governed by RCW 19.190.020