CSF Unit 3-1
Email in Investigation
Emails play a very important role in business communications and have emerged as one of
the most important applications on the internet. They are a convenient mode for sending
messages as well as documents, not only from computers but also from other electronic
gadgets such as mobile phones and tablets.
The negative side of emails is that criminals may use them to leak important information about
their company. Hence, the role of emails in digital forensics has increased in recent years. In
digital forensics, emails are considered crucial evidence, and email header analysis has
become important for collecting evidence during the forensic process.
An investigator has the following goals while performing email forensics −
To identify the main criminal
To collect necessary evidence
To present the findings
To build the case
Challenges in Email Forensics
Email forensics plays a very important role in investigation, as most communication in the
present era relies on emails. However, an email forensic investigator may face the following
challenges during the investigation −
Fake Emails
The biggest challenge in email forensics is the use of fake emails that are created by
manipulating and scripting headers. In this category criminals also use temporary email,
a service that allows a registered user to receive email at a temporary address that
expires after a certain time period.
Spoofing
Another challenge in email forensics is spoofing, in which criminals present an email as if it
came from someone else. In this case the receiving machine records both the fake and the
original IP address.
Techniques Used in Email Forensic Investigation
Email forensics is the study of the source and content of email as evidence to identify the actual
sender and recipient of a message, along with other information such as the date/time of
transmission and the intention of the sender. It involves investigating metadata, port scanning as well
as keyword searching.
Some of the common techniques which can be used for email forensic investigation are −
Header Analysis
Server investigation
Network Device Investigation
Sender Mailer Fingerprints
Software Embedded Identifiers
Email Tracking
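As an added illustration of header analysis and of the spoofing indicator described above (this is example code written for these notes, not taken from any tool named on this page), the following Python script parses a constructed sample message, reconstructs the Received chain oldest-first, reports the IP address recorded in the first hop, and flags a mismatch between the visible From domain and the envelope Return-Path domain. Every hostname, address and id in the sample is made up; the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Header analysis helper: reconstruct the relay path of an email and
check the visible sender against the envelope sender."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message for this example; every host, address and
# id is made up (IPs from the RFC 5737 documentation ranges).
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.example.org (mx.example.org [203.0.113.10])
    by inbox.example.com with ESMTP id abc123
    for <analyst@example.com>; Mon, 01 Jan 2024 10:00:03 +0000
Received: from mail-relay.example.net (unknown [198.51.100.7])
    by mx.example.org with ESMTP id def456; Mon, 01 Jan 2024 10:00:01 +0000
Received: from [192.0.2.55] (helo=director-laptop)
    by mail-relay.example.net with ESMTPA id ghi789; Mon, 01 Jan 2024 09:59:58 +0000
From: "Director" <director@example.com>
To: analyst@example.com
Subject: Invoice for January
Message-ID: <20240101095958.12345@mail-relay.example.net>
Date: Mon, 01 Jan 2024 09:59:58 +0000

Please find the invoice attached.
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_HOST_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_HOST_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def received_chain(raw_message):
    """Return the Received hops oldest-first.

    Each relay prepends its own Received line, so the header order is
    newest-first; reversing it reconstructs the path the message took.
    Each hop is a dict with the self-reported sending host ('from'), the
    IP the receiving server recorded ('ip') and the receiving host ('by').
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        from_m = FROM_HOST_RE.search(flat)
        by_m = BY_HOST_RE.search(flat)
        ip_m = IPV4_RE.search(flat)
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "ip": ip_m.group(1) if ip_m else None,
            "by": by_m.group(1) if by_m else None,
        })
    return hops


def originating_ip(raw_message):
    """IP recorded in the oldest Received hop: the header-level evidence
    of where the message was injected into the mail system."""
    hops = received_chain(raw_message)
    return hops[0]["ip"] if hops else None


def sender_mismatch(raw_message):
    """Spoofing indicator: compare the domain shown in From: with the
    domain of the envelope sender recorded in Return-Path.
    Returns (from_domain, return_path_domain, mismatch_flag)."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1]
    rp_addr = parseaddr(msg.get("Return-Path", ""))[1]
    from_dom = from_addr.rpartition("@")[2].lower()
    rp_dom = rp_addr.rpartition("@")[2].lower()
    return from_dom, rp_dom, bool(from_dom and rp_dom and from_dom != rp_dom)


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SAMPLE_MESSAGE), 1):
        print(f"hop {i}: {hop['from']} ({hop['ip']}) -> {hop['by']}")
    print("originating IP:", originating_ip(SAMPLE_MESSAGE))
    print("From / Return-Path domains:", sender_mismatch(SAMPLE_MESSAGE))
```

Only the hops written by servers you trust are reliable: the sender controls everything below the first trusted relay, including any Received lines it chose to prepend, so the chain is read from the top (your own infrastructure) downwards until the first hop your servers did not write. A From/Return-Path mismatch is also normal for mailing lists and bulk senders, so it is an indicator to correlate with the SPF, DKIM and DMARC results in the Authentication-Results header rather than proof of spoofing on its own.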
Email tracking is a method for monitoring the delivery of email messages to the intended
recipient. It means monitoring opens and clicks of emails to follow up with
leads, job applicants, and partners. In other words, email tracking is the process of tracking
sent emails and using that data to inform business decisions.
Email tracking involves using software to monitor the emails you send. Most tracking
technologies use some form of digitally time-stamped record to reveal the exact time and date
that an email was received or opened, as well as the IP address of the recipient. In fact, most
email tracking tools capture data on open rates, times, and locations, as well as click-throughs
on links and attachments. How this works is that you add a web beacon – a tiny image pixel – to
the mails that you send to the recipients. This web beacon is not visible to the end reader.
When the recipient opens the email, the beacon loads, alerting the sender to who opened the
email, when, on what device, and where. Certain actions like email opens or link clicks will
trigger notifications back to your email management system, alerting you to the fact that the
email recipient has performed certain actions on the email you sent.
Most email marketing software provides tracking features, sometimes in aggregate (e.g.,
click-through rate), and sometimes on an individual basis.
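Added example, not part of the original notes: a small Python parser that finds web beacons in an HTML email body using the characteristics described above, a remote image made invisible by 1×1 dimensions or CSS. The sample body and the host tracker.example.net are constructed for the example.

```python
"""Find web beacons (tracking pixels) in an HTML email body.

A beacon is typically an <img> whose src points to a remote host and
which is made invisible: 1x1 dimensions, zero size, or display:none.
Finding them tells an analyst that opening the message would report
back to the sender."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body; cdn.example.com and tracker.example.net are made up.
SAMPLE_HTML = """
<html><body>
<p>Hello, please find the newsletter attached.</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<img src="https://tracker.example.net/open?id=7f3a9c" width="1" height="1" alt="">
<img src="cid:inline-signature" width="1" height="1">
<img src="https://tracker.example.net/px.gif" style="display:none;width:0;height:0">
</body></html>
"""


def _px_at_most_one(value):
    """True for a width/height attribute of '0', '1', '1px' and the like."""
    value = value.strip().lower().rstrip("px")
    return value.isdigit() and int(value) <= 1


def _is_invisible(attrs):
    """True when the attributes or inline CSS make the image effectively
    invisible to the reader (<=1 pixel, zero size or display:none)."""
    if _px_at_most_one(attrs.get("width", "")) and _px_at_most_one(attrs.get("height", "")):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if "width:0" in style and "height:0" in style:
        return True
    return False


class BeaconFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.beacons = []  # remote, invisible images
        self.images = 0    # all <img> tags seen

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        self.images += 1
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        parsed = urlparse(src)
        # cid: and data: images are embedded in the message itself and
        # cannot report back; only http(s) sources can act as beacons.
        if parsed.scheme.lower() not in ("http", "https"):
            return
        if _is_invisible(a):
            self.beacons.append({"host": parsed.hostname, "src": src})


def find_beacons(html):
    """Return a list of {'host', 'src'} for every remote invisible image."""
    finder = BeaconFinder()
    finder.feed(html)
    finder.close()
    return finder.beacons


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_HTML):
        print(f"beacon -> {beacon['host']}: {beacon['src']}")
```

On the defensive side, mail clients that block remote image loading by default, or fetch remote images through a proxy, stop the beacon from reporting the recipient's IP address and open time to the sender.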
Some email applications, such as Microsoft Office Outlook and Mozilla Thunderbird, employ
a read-receipt tracking mechanism. The sender selects the receipt request option prior to
sending the message, and then upon sending, each recipient has the option of notifying the
sender that the message was received or read by the recipient. Many different
variations on this theme exist: some work like read receipts, and simply report whether or not
the recipient opened your message by displaying a small check in your inbox after the fact.
Others can tell you how many times your message has been opened and when.
Additional technical information, such as who it is from, the email software they use, the IP
addresses of the sender, and their email server is commonly available inside the Internet
headers of the read receipt. So, email tracking gives us the power to build and maintain
relationships in this exceedingly crowded, competitive inbox environment.
Of course, requesting a receipt does not guarantee that the sender will get one. Not all email
applications or services support read receipts, and users can generally disable the
functionality if they so wish. Those that do support it are not necessarily compatible with or
capable of recognizing requests from a different email service or application.
Email Recovery
Email recovery is a method of retrieving emails that were accidentally deleted or lost due to an
unforeseen system failure. Once emails are lost it becomes very difficult to recover them without
using special technology. It does not matter how the data was lost, whether by accidental deletion,
virus attack, software corruption, bad sectors on the hard disk or any other reason: specialised
recovery tools and clean-room data recovery labs can regain the emails and make them
accessible as they were.
Following are some desktop data recovery situations −
Accidental deletion of mails
Virus-infected or corrupted mail files
Media corruption where mails are stored or backed up
Header corruption of DBX, NSF, EDB, OST, PST, IMH, IMB, IMM files
Mails emptied from the "Deleted Items" folder
Improper system shutdown
Error 505 & 528 in MS Exchange
Deletion of a user profile resulting in loss of email folders or private folders after system
migration or corruption.
IP Tracking
IP stands for internet protocol, which is the set of processes that dictate how information is
shared across the web. If you’ve ever wondered how one machine knows how to connect to
another and what information to share with it, the answer is that all internet-connected devices
use the internet protocol for that.
Every time two devices connect to one another using the internet protocol, they have to
acknowledge each other. In internet parlance, this is generally described as “shaking hands.”
Your IP address needs to let the device at the other IP address know where to send the
information that’s being requested. That handshake is how IP addresses are tracked.
For example, when you’re trying to visit a website, your network sends out an information
packet that includes your IP address and port number. Then the server that hosts the website
you’re seeking accepts the packet, learns what network is asking for access, and knows where
to send back its response in the form of all the files that make up the website.
That website and the server it’s on now know your IP address has visited. And your internet
service provider (ISP) also has a record of that visit. In most cases, that’s where the tracking
stops. A random person curious about your internet history won’t be able to find out what
websites you’ve visited just based on knowing your IP address.
But ISPs keep a record of IP address activity, which means that, in rare cases, they can share
that information with others. And while your IP address only provides limited information to
the servers your network communicates with, it does give them some data about you.
Deleted Files
Deleting files is one of the easiest and most convenient ways to destroy evidence, whether by
using the “Delete” key or “Shift+Delete”. The principle of recovering deleted files is based on
the fact that Windows does not wipe the contents of a file when it is deleted. Instead, the file
system record storing the exact location of the deleted file on the disk is marked as “deleted”
and the disk space previously occupied by the file is labeled as available – but not overwritten
with zeroes or other data.
The deleted file can be retrieved by analyzing the contents of the Recycle Bin, as files
are temporarily stored there before being erased.
If the deleted files leave no trace in the Recycle Bin, as in the case of the “Shift+Delete”
command, then commercial recovery tools can be used to recover the deleted evidence.
One such commercial tool is DiskInternals Partition Recovery.
By looking for characteristic signatures of known file types, analyzing the file system
and/or scanning the entire hard drive, one can successfully recover:
Files that were deleted by the user.
Temporary copies of Office documents (including old versions and revisions
of such documents).
Temporary files saved by many applications.
Renamed files.
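The signature-based scan described above, as an added example written for these notes (not code from DiskInternals or any other tool named here): a minimal Python file carver that scans a raw image for the well-known header and footer bytes of PNG, JPEG and PDF files and recovers the bytes between them, without consulting the file system's own records. The disk image is constructed inline from stub files so the script runs offline.

```python
"""Recover files from a raw disk image by signature (header/footer)
carving, independently of the file system's deleted-file records."""
from pathlib import Path

# Well-documented magic numbers: (header bytes, footer bytes).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image, signatures=SIGNATURES, max_size=50 * 1024 * 1024):
    """Scan a bytes-like image and return (type, offset, data) tuples
    ordered by offset. data is None when a header was found but no
    footer followed within max_size bytes (truncated or partly
    overwritten file), so the analyst can still inspect the hit."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                found.append((kind, pos, None))
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((kind, pos, image[pos:end]))
            pos = image.find(header, end)  # resume after the recovered file
    return sorted(found, key=lambda f: f[1])


def save_recovered(files, out_dir):
    """Write each fully recovered file as <offset>.<type> into out_dir.
    Returns the list of paths written."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for kind, offset, data in files:
        if data is None:
            continue
        path = out / f"{offset:08x}.{kind}"
        path.write_bytes(data)
        written.append(path)
    return written


def build_sample_image():
    """Constructed 'disk image' for this example: zeroed sectors around a
    small PNG, a JPEG and a PDF. The file bodies are stubs with a valid
    header and footer and placeholder payload, not real pictures."""
    sector = b"\x00" * 512
    png = SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + b"A" * 40 + SIGNATURES["png"][1]
    jpg = SIGNATURES["jpg"][0] + b"\xe0" + b"B" * 60 + SIGNATURES["jpg"][1]
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
    return sector + png + sector + jpg + sector * 2 + pdf + sector


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        size = len(data) if data is not None else "unterminated"
        print(f"{kind} at offset {offset}: {size} bytes")
```

Carving recovers the file body without the file system's record of it, which is why it still works after Shift+Delete or a quick format. Its limits are fragmented files (header and footer separated by unrelated data) and formats with no fixed footer, where the length has to be read from the header instead of searched for.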
Information stored in deleted files can be supplemented with data collected from other
sources. For example, the “chatsync” folder in Skype stores internal data that may
contain chunks and bits of user conversations. This means that if the “chatsync” folder
exists there is a possibility to recover user chats even if the Skype database is deleted.
Many tools exist for this purpose, such as Belkasoft Evidence Center 2020.