Email Forensic by Richard Rivas

E-mail Forensics www.paraben.com

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

What is a local storage archive? Local storage archives are any archive that has independent archive format from a mail server. Examples of these types of archives include: .PST, .MBX, .DBX, etc.

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Basic Rules & Expectations for Local Archives 1. Search for the appropriate mail archives and associated data storage.

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Program Storage Specifics Index or Table of Contents Mailbox Mailbox Mail Messages

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Program Storage Specifics Index or Table of Contents

Mailbox Mailbox

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Stores: â€˘Main Status â€˘Unread â€˘Read â€˘Forwarded â€˘Redirected â€˘Flagged â€˘Deleted

Common Local Storage Archives The Bat! Index: *.tbi Messages: *.tbb

FoxMail Index: *.ind (E-mail Examiner doesn't use this index file) Messages: *.box

The Bat! < v1.42 Index: *.tbx Messages: *.msb

Outlook Express v5/6 Index+Messages: *.dbx or *.MailDB

Forte Agent Index: *.idx Messages: *.dat

MS Outlook Index+Messages: *.pst (by default messages are stored in encrypted format)

Pegasus Index: *.pmi Messages: *.pmm

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Common Local Storage Archives Cont.

Outlook Express v4.x Index: *.idx Messages: *.mbx Eudora Index: *.toc Messages: *.mbx Poco Index: *.idx Messages: *.mbx Netscape v6.x and 7.x, and Mozilla Index: *.msf Messages: *. Netscape < v6.x Index: *.snm (E-mail Examiner doesn't use this index file) Messages: *. (no extension)

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Email Reference Cards

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Basic Rules & Expectations for Local Archives 1. Search for the appropriate mail archives and associated data storage. 2. Process all items with complete structure of: -Header -Body -Attachment to compute verification through hash value

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

E-mail Headers Typically Contain: â€˘Sender E-mail Address â€˘Receiver E-mail Address â€˘Subject â€˘Time of Creation â€˘Delivery stamps â€˘Message Author â€˘CC-Carbon Copy â€˘BCC

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

E-mail Headers-Text Attachments MIME-Version: 1.0 From: Cpt Picard <cptpicard@paraben.com> To: Beverly Crusher <docbev@hotmail.com> Subject:: Pain in my neck Content-Type: multipart/mixed; boundary=boundarystringâ€” boundarystring Content-Type: text/plain I seem to have this reoccurring pain in my neck. Please see attachment for more details. Regards, Jean Luc Content-Type: text/plain Content-Disposition: attachment; filename=â€œneck.txtâ€? It aches in the morning when I wake up for about 20 minutes and also whenever Worf is around. --boundarystring--

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

E-mail Headers-Binary Attachments MIME-Version: 1.0 From: Cpt Picard <cptpicard@paraben.com> To: Beverly Crusher <docbev@hotmail.com> Subject:: Pictures of my neck in zip file Content-Type: multipart/mixed; boundary=boundarystring --boundarystring Content-Type: text/plain Attached is the file neck.zip, which has been base64 encoded. --boundarystring Content-Type: application/octet-stream; name=â€œneck.zipâ€? Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=â€œneck.zipâ€? H52QLID6AJFBALJHLIHKOLNS80JOPSNLJKNLFDLSHFLSHDLFSHLKDNC8 09SAOIHN3OFNSA80HLDBJSUF93HFSLBNCOISAY890EY0AHFLNC739HFO EBOASHOFHSODIY8930â€Ś OAIHOFIDHF8920DFNSOFNDOSGU03UQAFLASNFDLIU03WQJFOSIFH03I9 AHFDALHFNB= --boundarystring--

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Outlook File Size â€˘ Outlook Pre 2003 â€“ Maximum archive size is 2 GB

â€˘ Outlook 2003 â€“ Maximum archive Size is 20 GB

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

E-mail Forensics Server Storage Archives &NBJM'PSFOTJDT@#SFBLJOH"SDIJW

What is a server storage archive? Server storage archives are any archive that has mixed storage for all of the clients that exist on a server. Examples of these types of archives include: MS Exchange (.EDB), Lotus Notes (.NSF), GroupWise (.DB), etc.

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

MS Exchange PUB.EDB â€˘ Public Information Store â€“ contains Public Folders â€“ Public Folders contain information shared amongst the different users.

MS Exchange PRIV.EDB â€˘ Private Information Store â€“ contains the mailboxes for the server â€“ keeps information private from other users.

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

MS Exchange PRIV.EDB â€˘ Priv.edb: A rich-text database file containing message headers, message text, and standard attachments.

MS Exchange PRIV.STM â€˘ Priv.stm: A streaming internet content file containing audio, video and other media that are formatted as streams of Multipurpose Internet Mail Extensions (MIME) data.

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Lotus Notes *.NSF â€˘ Valuable Evidence: â€“ Messages â€“ Attachments â€“ PIM Oriented Data

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

ENCRYPTION

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Novell GroupWise Post Office Post Office Directory Structure Composed of directories which contain: â€“ Post Office Database (wphost.db) â€˘ Admin info required to allow users to exchange messages (list of post offices and associated users) â€“ Message Store â€˘ User databases (userxxx.db) â€˘ Message databases (msgnn.db) â€˘ Attachments directory

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

E-mail to other devices

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Case Examples &NBJM'PSFOTJDT@#SFBLJOH"SDIJW

&NBJM'PSFOTJDT@#SFBLJOH"SDIJW

Email Forensic

Published on Jul 4, 2012

Descripcion de analisis forense en correos electronicos

richardrivas

Similar to

Popular now

Just for you

Go explore