Email Evidences

Learning Objectives
By the end of this lecture you will be able to:
• Identify the basic evidence sources for email activity.
01 Understanding web-based email

3 27-Feb-23
Understanding web-based email
• Web-based email is a service the user accesses with a web browser. Standard webmail
providers are Gmail, Yahoo Mail, and Outlook/Hotmail.

• Some internet service providers also provide an email account that the user can access
with a web browser.

02 Decoding email

• An email has many unique identifiers for a digital forensic investigator to identify and
track down.

• The mailbox and domain name, along with the message ID, will allow a digital forensic
investigator to serve judicially approved subpoenas/search warrants on the vendor to
follow any investigative leads.

Understanding the email message format


• The vast majority of email users are only familiar with basic email information, such as
this:

Subject: background checks
Date: 07/19/2008 23:39:57 +0
Sender: [email protected]
Recipients: [email protected]

-----HEADERS-----
Return-Path: [email protected]
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from smarty.dreamhost.com (sd-green-bigip-81.dreamhost.com [208.97.132.81])
    by spunkymail-mx8.g.dreamhost.com (Postfix) with ESMTP id E32634D80F
    for <[email protected]>; Sat, 19 Jul 2008 16:39:57 -0700 (PDT)
Received: from xy.dreamhostps.com (apache2-xy.xy.dreamhostps.com [208.97.188.9])
    by smarty.dreamhost.com (Postfix) with ESMTP id 6E408EE23D
    for <[email protected]>; Sat, 19 Jul 2008 16:39:57 -0700 (PDT)
Received: by xy.dreamhostps.com (Postfix, from userid 558838)
    id 64C683B1DAE; Sat, 19 Jul 2008 16:39:57 -0700 (PDT)
To: [email protected]
From: [email protected]
subject: background checks
Message-Id: [email protected]
Date: Sat, 19 Jul 2008 16:39:57 -0700 (PDT)

• The email header shows where the email originated and which servers it passed through. Reading from the bottom up, the first field we meet is the Message-Id:

Message-Id: <[email protected]>

The following two Received lines identify the subsequent servers on the path to the destination. Each relay prepends its own Received line, so the lower of the two is the earlier hop:

Received: from smarty.dreamhost.com (sd-green-bigip-81.dreamhost.com [208.97.132.81])
    by spunkymail-mx8.g.dreamhost.com (Postfix) with ESMTP id E32634D80F
    for <[email protected]>; Sat, 19 Jul 2008 16:39:57 -0700 (PDT)
Received: from xy.dreamhostps.com (apache2-xy.xy.dreamhostps.com [208.97.188.9])
    by smarty.dreamhost.com (Postfix) with ESMTP id 6E408EE23D
    for <[email protected]>; Sat, 19 Jul 2008 16:39:57 -0700 (PDT)

There are optional fields that you may come across in your investigations. These fields typically start with X-, for example:

X-Priority: 3
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
Message-Id: [email protected]
X-Report-Abuse: Please forward a copy of this message, including all headers, to [email protected]
X-Report-Abuse: You can also report abuse here: http://mandrillapp.com/contact/abuse?id=30514476.1925a088d66f450cb25a4034f3ec6942
X-Mandrill-User: md_30514476

• A note about IP addresses: there are two different types of IPv4 addresses, public and private, and you may see both in an email header. Addresses in the following ranges are private (or loopback), so they identify an internal hop only and cannot be traced to an external party:

• 10.X.X.X
• 127.X.X.X
• 172.16.X.X
• 192.168.X.X
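Worked example, added here and not part of the lecture: parsing a header block like the one above with Python's standard library to recover the identifiers and walk the Received chain in transit order, flagging any hop whose observed IP is private or loopback. The header text is constructed from the hop chain on the slides; the addresses, the Message-Id and the third hop with a 10.x address are placeholders.

```python
import ipaddress
import re
from datetime import timezone
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the hop chain in the slides; the addresses, the
# Message-Id and the third hop with a private address are placeholders for this example.
RAW_HEADERS = b"""Return-Path: <sender@example.org>
Received: from smarty.dreamhost.com (sd-green-bigip-81.dreamhost.com [208.97.132.81])
\tby spunkymail-mx8.g.dreamhost.com (Postfix) with ESMTP id E32634D80F
\tfor <recipient@example.org>; Sat, 19 Jul 2008 16:39:57 -0700 (PDT)
Received: from xy.dreamhostps.com (apache2-xy.xy.dreamhostps.com [208.97.188.9])
\tby smarty.dreamhost.com (Postfix) with ESMTP id 6E408EE23D
\tfor <recipient@example.org>; Sat, 19 Jul 2008 16:39:57 -0700 (PDT)
Received: from webapp.internal (unknown [10.0.0.25])
\tby xy.dreamhostps.com (Postfix) with ESMTP id 64C683B1DAE; Sat, 19 Jul 2008 16:39:57 -0700 (PDT)
From: <sender@example.org>
To: <recipient@example.org>
Subject: background checks
Message-Id: <CONSTRUCTED.64C683B1DAE@xy.dreamhostps.com>
Date: Sat, 19 Jul 2008 16:39:57 -0700 (PDT)

"""

# "from <claimed> (<rdns> [<ip>]) ... by <server>": the claimed name is whatever the
# sending host announced and is easily forged; the bracketed IP is what the receiving
# server actually observed, so that is the value worth tracing.
HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]]+)\s*)?\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)")

def decode_headers(raw: bytes) -> dict:
    """Identifiers plus the relay path in transit order (origin first, final MX last)."""
    msg = BytesParser().parsebytes(raw)  # default compat32 policy keeps raw header strings
    hops = []
    # Each MTA prepends its own Received line, so the header order is newest-first.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(re.sub(r"\s+", " ", value))  # unfold continuation lines
        if m:
            ip = m.group("ip")
            hops.append({"claimed": m.group("claimed"), "rdns": m.group("rdns"), "ip": ip,
                         "by": m.group("by"),
                         # a private/loopback hop is internal and cannot be attributed externally
                         "private": ipaddress.ip_address(ip).is_private if ip else None})
    date = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    return {"message_id": msg["Message-Id"], "return_path": msg["Return-Path"],
            "date_utc": date.isoformat(), "hops": hops}
```

The UTC date returned matches the "basic information" view on the earlier slide (23:39:57 +0), which is the local -0700 header time normalised.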

Email attachments
• MIME is the acronym for Multipurpose Internet Mail Extensions.
• It is the Internet standard that lets email carry text other than ASCII, binary attachments, multi-part message bodies, and non-ASCII header information.
• A MIME message is indicated by the following header:

MIME-Version: 1.0

Email Analysis (I)
• Frequently the contents of emails are encoded, mainly to allow special characters to be used in email messages. Standard email only allows 7-bit characters, so if foreign or special characters or non-text attachments (i.e. audio, video, images, programs etc.) are required in an email, the email must be encoded.
• The MIME (Multipurpose Internet Mail Extensions) standard defines how this encoding is to be done.
• The encoding method is listed in the email header:

MIME-Version: 1.0
Content-type: text/plain

• This states that the email is encoded to the MIME 1.0 standard and that the Internet Media Type (also known as the MIME type) is ‘text/plain’.

Email Analysis (II)
• The default Internet media type is text/plain: a text-only email.
• Other Internet media types exist, e.g.:
  • text/html - HTML-formatted email,
  • multipart/mixed - text plus attachments.
• The Content-Transfer-Encoding header is also defined:
  • It governs the actual encoding scheme used for the content.
  • The most common encodings are:
    • 7bit - ASCII only (i.e. 7-bit only),
    • quoted-printable - encodes non-ASCII bytes as ‘=hh’, where h is a hex digit,
    • base64 - typically used for non-ASCII data such as programs; looks like random characters and is 4/3 larger than the original.

Email Analysis (III)
• 7bit and quoted-printable formats will display at least some of their content in human-readable form.
• Base64 is a way of representing binary data in an ASCII string.
• base64 is not human readable, but it can be converted/decoded (either using a forensic tool or by other standalone or online decoders), e.g.

https://www.opinionatedgeek.com/codecs/base64encoder

Email Analysis – Base64 Decoding
• Example
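Added example, not from the lecture: a constructed two-part MIME message with a quoted-printable text part and a base64 attachment (the ten bytes 0x00..0x09), decoded with Python's standard email package so that the Content-Type, Content-Transfer-Encoding and size expansion described on the previous slides can be checked directly. Addresses and the Message-Id are placeholders.

```python
import email
from email import policy

# Constructed two-part message exercising the transfer encodings listed above: a
# quoted-printable text part and a base64 attachment holding the ten bytes 0x00..0x09.
# Addresses and the Message-Id are placeholders.
RAW_MESSAGE = b"""MIME-Version: 1.0
From: <sender@example.org>
To: <recipient@example.org>
Subject: background checks
Message-Id: <constructed-0001@example.org>
Content-Type: multipart/mixed; boundary="frontier"

--frontier
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Fee is =E2=82=AC250, see attached r=C3=A9sum=C3=A9.
--frontier
Content-Type: application/octet-stream; name="report.bin"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.bin"

AAECAwQFBgcICQ==
--frontier--
"""

def decode_parts(raw: bytes) -> list[dict]:
    """Walk every leaf MIME part and undo its Content-Transfer-Encoding."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():  # containers carry no payload of their own
            continue
        encoded = part.get_payload().strip()   # the part as it sits on the wire
        data = part.get_payload(decode=True)   # CTE removed: quopri, base64 or 7bit
        info = {
            "content_type": part.get_content_type(),
            "transfer_encoding": str(part.get("Content-Transfer-Encoding", "7bit")).lower(),
            "filename": part.get_filename(),
            # base64 emits 4 chars per 3 bytes (plus padding), so encoded_size tends to 4/3 decoded_size
            "encoded_size": len(encoded),
            "decoded_size": len(data),
            "data": data,
        }
        if part.get_content_maintype() == "text":
            # the CTE only restores bytes; the charset parameter says how to read them as text
            info["text"] = data.decode(part.get_content_charset() or "us-ascii")
        parts.append(info)
    return parts
```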
03 Understanding client-based email analysis

Understanding client-based email analysis


• A user has access to many email clients to retrieve, read, and send emails.

• Depending on whether you’re in the consumer or commercial environment, you may encounter different email clients.

• In the consumer market, you will find that Microsoft Outlook/Outlook Express prevails because it is preinstalled on the system.

Exploring Microsoft Outlook/Outlook Express


• Outlook stores email information in several file types, such as .pst, .mdb, and .ost. We will find the PST file on the user's hard disk at the following path:

\Users\$USER$\AppData\Local\Microsoft\Outlook

Exploring Microsoft Windows Live Mail


• Starting with Windows Vista and Windows 7, Windows Live became the default email
client shipping with the Windows operating system.

• The client stores email messages in the following path:

\Users\$USER$\AppData\Local\Microsoft\Windows Live Mail

Mozilla Thunderbird
• Thunderbird is a free, open-source email client provided by Mozilla.

• Thunderbird stores emails in an MBOX file.

• MBOX is a generic term for a family of file formats used to store emails. It keeps all the emails from a folder in a single file. By default, the examiner can find the MBOX files in the following path:

$USERNAME$\AppData\Roaming\Thunderbird\Profiles

When we look in the folder, we will see the following files:

Archive.msf
Archives.msf
Bulk Mail.msf
Draft.msf
Drafts.msf
INBOX
INBOX.msf
msgFilterRules.dat
Sent-1.msf
Sent.msf
Templates.msf
Trash.msf
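Added example, not from the lecture: how a store such as the INBOX file above is laid out as mbox and how an examiner can index it. The .msf files next to it are Thunderbird's summary/index files and hold no message bodies. The two-message mbox below is constructed, with placeholder addresses and Message-Ids, and exercises the ">From " quoting that keeps a body line from being mistaken for a message separator.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed two-message mbox: each message begins with a "From <sender> <ctime>" line; a body
# line starting with "From " is stored as ">From " (mboxo quoting). Addresses/ids are placeholders.
SAMPLE_MBOX = """From sender@example.org Sat Jul 19 23:39:57 2008
From: <sender@example.org>
To: <recipient@example.org>
Subject: background checks
Message-Id: <constructed-0001@example.org>
Date: Sat, 19 Jul 2008 16:39:57 -0700 (PDT)

Please see attached.

From sender@example.org Sun Jul 20 01:02:03 2008
From: <sender@example.org>
To: <recipient@example.org>
Subject: Re: background checks
Message-Id: <constructed-0002@example.org>
Date: Sun, 20 Jul 2008 01:02:03 +0000

>From the earlier thread: approved.
"""

# Separator: "From " at line start followed by the envelope sender and a date ("From:" does not match).
SEPARATOR = re.compile(r"^From \S+ .+$", re.M)

def split_mbox(text: str) -> list[str]:
    """Cut the store into raw RFC 822 messages, dropping the separator lines."""
    seps = list(SEPARATOR.finditer(text))
    out = []
    for i, m in enumerate(seps):
        end = seps[i + 1].start() if i + 1 < len(seps) else len(text)
        out.append(text[m.end() + 1:end].rstrip("\n") + "\n")
    return out

def index_mbox(text: str) -> list[dict]:
    """Per-message index: identifiers, date normalised to UTC, and the body text."""
    entries = []
    for raw in split_mbox(text):
        msg = message_from_string(raw)
        # undo the ">From " quoting so the body reads as it was sent
        body = re.sub(r"^>From ", "From ", msg.get_payload(), flags=re.M)
        date = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
        entries.append({"message_id": msg["Message-Id"], "subject": msg["Subject"],
                        "date_utc": date.isoformat(), "body": body.strip()})
    return entries
```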

04 Understanding WebMail analysis

Understanding WebMail analysis


• Web-based email has become increasingly popular as we transitioned from the twentieth to the twenty-first century.

• It’s easy to access, requires little to no configuration from the user, and is available from any computer.

• WebMail is just another internet artifact for conducting browser analysis.


• Suppose the digital forensic investigator wants to investigate the user's use of web-based email. In that case, they will have to analyze the temporary internet files or the internet cache on the user's system.

• The temporary internet files/cache contain images, text, or any other web page component the user has viewed in their browser.


• Before looking into the cache, look into the internet history of the installed browser to see if the user has accessed web-based email.

• For the Chrome browser, you will find the history stored in a SQLite database named
History at the following path:

$USER$\AppData\Local\Google\Chrome\User Data\Default
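Added example, not from the lecture: querying a Chrome History database for webmail visits. The in-memory table mirrors the column layout of Chrome's urls table and the provider hostnames are assumptions made for this example; the rows are constructed. The point a practitioner most often gets wrong is the timestamp, which Chrome stores as microseconds since 1601-01-01 UTC rather than Unix time.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Chrome records timestamps as microseconds since 1601-01-01 UTC (WebKit time),
# not Unix time; treating them as Unix seconds puts every visit centuries off.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(value: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=value)

def utc_to_webkit(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)  # integer division stays exact

# Front-end hostnames for the providers the slides name (assumed for this example).
WEBMAIL_HOSTS = {"mail.google.com", "mail.yahoo.com", "outlook.live.com", "outlook.office.com"}

def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the 'urls' table of Chrome's History file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR,
                    title LONGVARCHAR, visit_count INTEGER DEFAULT 0,
                    typed_count INTEGER DEFAULT 0, last_visit_time INTEGER NOT NULL,
                    hidden INTEGER DEFAULT 0)""")
    rows = [  # (url, title, visit_count, last visit as an aware UTC datetime)
        ("https://mail.google.com/mail/u/0/#inbox", "Inbox (3) - Gmail", 14,
         datetime(2023, 2, 27, 9, 15, 0, tzinfo=timezone.utc)),
        ("https://www.example.com/news", "Example News", 2,
         datetime(2023, 2, 27, 9, 20, 0, tzinfo=timezone.utc)),
        ("https://outlook.live.com/mail/0/inbox", "Mail - Outlook", 5,
         datetime(2023, 2, 26, 18, 0, 0, tzinfo=timezone.utc)),
    ]
    conn.executemany("INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
                     [(u, t, c, utc_to_webkit(d)) for u, t, c, d in rows])
    return conn

def webmail_visits(conn: sqlite3.Connection) -> list[dict]:
    """History rows whose host is a known webmail front end, newest visit first."""
    hits = []
    query = "SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY last_visit_time DESC"
    for url, title, count, ts in conn.execute(query):
        # match on the parsed hostname, not a LIKE pattern, so look-alike hosts are excluded
        if urlsplit(url).hostname in WEBMAIL_HOSTS:
            hits.append({"host": urlsplit(url).hostname, "title": title, "visits": count,
                         "last_visit_utc": webkit_to_utc(ts).isoformat()})
    return hits
```

Against a real History file, open a copy of the database (the live file is locked while Chrome runs) and replace build_sample_history() with sqlite3.connect() on that copy.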

• The examiner can find the cache and history for the Firefox browser at the following
location:

$USERS$\AppData\Local\Mozilla\Firefox\Profiles\<profile>\cache2

Summary
• Email and Internet evidence is often vitally important to a case.
• Emails sent and received and sites visited give valuable clues to a user’s motives and modus operandi.
• You are strongly advised to try out as many analysis techniques as you can; practice is the only way to get familiar with the material.
• Browser forensics is a valuable tool in a forensicator’s arsenal.

Thanks