Email Forensic by Richard Rivas

E-mail Forensics www.paraben.com

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

What is a local storage archive? Local storage archives are any archive that has independent archive format from a mail server. Examples of these types of archives include: .PST, .MBX, .DBX, etc.

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Basic Rules & Expectations for Local Archives 1. Search for the appropriate mail archives and associated data storage.

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Program Storage Specifics Index or Table of Contents Mailbox Mailbox Mail Messages

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Program Storage Specifics Index or Table of Contents

Mailbox Mailbox

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Stores: â€˘Main Status â€˘Unread â€˘Read â€˘Forwarded â€˘Redirected â€˘Flagged â€˘Deleted

Common Local Storage Archives The Bat! Index: *.tbi Messages: *.tbb

FoxMail Index: *.ind (E-mail Examiner doesn't use this index file) Messages: *.box

The Bat! < v1.42 Index: *.tbx Messages: *.msb

Outlook Express v5/6 Index+Messages: *.dbx or *.MailDB

Forte Agent Index: *.idx Messages: *.dat

MS Outlook Index+Messages: *.pst (by default messages are stored in encrypted format)

Pegasus Index: *.pmi Messages: *.pmm

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Common Local Storage Archives Cont.

Outlook Express v4.x Index: *.idx Messages: *.mbx Eudora Index: *.toc Messages: *.mbx Poco Index: *.idx Messages: *.mbx Netscape v6.x and 7.x, and Mozilla Index: *.msf Messages: *. Netscape < v6.x Index: *.snm (E-mail Examiner doesn't use this index file) Messages: *. (no extension)

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Email Reference Cards

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Basic Rules & Expectations for Local Archives 1. Search for the appropriate mail archives and associated data storage. 2. Process all items with complete structure of: -Header -Body -Attachment to compute verification through hash value

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

E-mail Headers Typically Contain: â€˘Sender E-mail Address â€˘Receiver E-mail Address â€˘Subject â€˘Time of Creation â€˘Delivery stamps â€˘Message Author â€˘CC-Carbon Copy â€˘BCC

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

E-mail Headers-Text Attachments MIME-Version: 1.0 From: Cpt Picard <cptpicard@paraben.com> To: Beverly Crusher <docbev@hotmail.com> Subject:: Pain in my neck Content-Type: multipart/mixed; boundary=boundarystringâ€” boundarystring Content-Type: text/plain I seem to have this reoccurring pain in my neck. Please see attachment for more details. Regards, Jean Luc Content-Type: text/plain Content-Disposition: attachment; filename=â€œneck.txtâ€? It aches in the morning when I wake up for about 20 minutes and also whenever Worf is around. --boundarystring--

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

E-mail Headers-Binary Attachments MIME-Version: 1.0 From: Cpt Picard <cptpicard@paraben.com> To: Beverly Crusher <docbev@hotmail.com> Subject:: Pictures of my neck in zip file Content-Type: multipart/mixed; boundary=boundarystring --boundarystring Content-Type: text/plain Attached is the file neck.zip, which has been base64 encoded. --boundarystring Content-Type: application/octet-stream; name=â€œneck.zipâ€? Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=â€œneck.zipâ€? H52QLID6AJFBALJHLIHKOLNS80JOPSNLJKNLFDLSHFLSHDLFSHLKDNC8 09SAOIHN3OFNSA80HLDBJSUF93HFSLBNCOISAY890EY0AHFLNC739HFO EBOASHOFHSODIY8930â€Ś OAIHOFIDHF8920DFNSOFNDOSGU03UQAFLASNFDLIU03WQJFOSIFH03I9 AHFDALHFNB= --boundarystring--

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Outlook File Size â€˘ Outlook Pre 2003 â€“ Maximum archive size is 2 GB

â€˘ Outlook 2003 â€“ Maximum archive Size is 20 GB

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

E-mail Forensics Server Storage Archives &NBJM'PSFOTJDT@#SFBLJOH"SDIJW

What is a server storage archive? Server storage archives are any archive that has mixed storage for all of the clients that exist on a server. Examples of these types of archives include: MS Exchange (.EDB), Lotus Notes (.NSF), GroupWise (.DB), etc.

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

MS Exchange PUB.EDB â€˘ Public Information Store â€“ contains Public Folders â€“ Public Folders contain information shared amongst the different users.

MS Exchange PRIV.EDB â€˘ Private Information Store â€“ contains the mailboxes for the server â€“ keeps information private from other users.

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

MS Exchange PRIV.EDB â€˘ Priv.edb: A rich-text database file containing message headers, message text, and standard attachments.

MS Exchange PRIV.STM â€˘ Priv.stm: A streaming internet content file containing audio, video and other media that are formatted as streams of Multipurpose Internet Mail Extensions (MIME) data.

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Lotus Notes *.NSF â€˘ Valuable Evidence: â€“ Messages â€“ Attachments â€“ PIM Oriented Data

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

ENCRYPTION

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Novell GroupWise Post Office Post Office Directory Structure Composed of directories which contain: â€“ Post Office Database (wphost.db) â€˘ Admin info required to allow users to exchange messages (list of post offices and associated users) â€“ Message Store â€˘ User databases (userxxx.db) â€˘ Message databases (msgnn.db) â€˘ Attachments directory

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

E-mail to other devices

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Case Examples &NBJM'PSFOTJDT@#SFBLJOH"SDIJW

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Richard Rivas

Published on Jul 4, 2012

Email Forensic

Descripcion de analisis forense en correos electronicos

Email Forensic

Published on Jul 4, 2012

Descripcion de analisis forense en correos electronicos

richardrivas

Go explore