Web Forensics Lecture 8

The document discusses email and web forensics, emphasizing the importance of detailed forensic analysis in cyber-crime investigations. It covers the structure of email systems, the differences between client/server and web-based email, and the methods for extracting and analyzing email data. Additionally, it highlights web forensics techniques for investigating web attacks and the role of temporary files, internet history, and instant messaging in forensic examinations.


Lecture 8 Email & Web Forensics Digital Forensics 2018-2019

8- Email & Web Forensics.

8-1 Introduction
The Internet is a very easy way to reach any system. If confidential data is
not properly protected, it becomes open to unauthorized access and misuse.
Cyber-crime by hackers can cause varying degrees of damage, so detailed
forensic analysis is required to reach a conclusion about an incident and to
prove or disprove someone's guilt.

Some criminal activities like child pornography, hacking, and identity theft
can be traced and the criminals can be punished if proper evidence is found
against them.

8-2 Email Forensics

8-2-1 Email Structure


E-mail works much the same way as U.S. Postal Service mail. The central
post office corresponds to the e-mail server, and the computers connected
to it are the clients. Two types of e-mail systems are client/server and
Web-based. Here’s how a client/server setup works:

Client: The computer that’s receiving or sending the e-mail. Think of the
client as your home mail box.
Server: The computer that stores e-mail it receives until the destination
client retrieves it. Think of the server as your local post office, where mail
is sent and received.


According to the Cyberindian web site, Web-based e-mail accounts are
usually free e-mail accounts that are operated from a website, unlike
Outlook Express, which is installed on your hard drive. They are World Wide
Web interfaces that allow users to read and write e-mail using a Web
browser. Webmail is commonly offered as a service by Internet companies.

They usually offer some email services such as signature, vacation reply
and filters and usually provide less disk space to store messages.

Because they are Web based, they are slower, are used through a browser, and
require an Internet connection to read and compose messages, but they are
useful when you need additional e-mail accounts on a long- or short-term basis.
Web-based e-mail accounts are used extensively by spammers. A clear
disadvantage of Web-based e-mail accounts is that you cannot read old e-mail
or prepare new e-mail offline. You need to be connected to the Internet to
retrieve, read, and send your e-mail messages.

General webmail service features:

• Multiple folders
• Trash folder
• Address book / contact list
• Filtering of incoming e-mail to dispatch it to the related folder
• Spam detection and blocking measures (reject/bounce e-mail to the sender with a note)


• Ability to send e-mails with suspicious attachments back to the sender
• POP3 mail retrieval
• Antivirus for mail attachments
• Dictionary and thesaurus for composed messages
• Online spell checker (Gmail has the best)

Advantages of webmail services

• E-mail can be read and composed anywhere a person has access to a web browser.
• Messages do not have to be downloaded.
• Many services allow anonymous sign-ups.

Disadvantages of webmail services

• The user must stay online to read and write e-mail.
• Commercial webmail services often offer only limited e-mail storage space and deliver advertisements.
• Heavy use of webmail over a slow network connection can be tedious.

Ref: Web based mail, https://www.cyberindian.com/web-hosting/article.php?article_id=91, accessed on 5/5/2019


8-2-2 E-mail addressing


The structure of the e-mail address, as originally designed by Ray
Tomlinson, consists of these two parts, separated by the familiar @
symbol:
_ Mailbox: The part on the left, often referred to as the username.
_ Domain (or host): The part on the right; the name of the domain
server.

Under this two-part structure, e-mail servers can find an e-mail's
destination quickly by looking up the IP address of the domain in a
domain name server (DNS).

8-2-3 Seeing the E-Mail Forensics Perspective


From a forensic point of view, client/server e-mail systems are best for
finding information because messages are downloaded to the user’s
or local computer’s hard drive. You usually have access to the server too,
from which you can access e-mail messages and logs of e-mail activity.
E-mail servers are hard to shut down for investigation because
companies can't afford to be cut off from their e-mail systems. Your
first step should be to look at backups of the e-mail system, and only if
all else fails take down the live e-mail server.

8-2-4 The Message Details


This list describes the two parts of an e-mail message, as shown in Figure
9-3:


_ Header: Like the outside of an envelope, contains the source and
destination addresses. You use header information to track an e-mail
back to its source or sender.
_ Body: Contains the actual message and often has the "smoking gun"
information.
When you’re looking at an e-mail message, you see only these two parts and
not the packets that were used to deliver the message because you’re
looking at it after delivery. Anyone who wants to capture packets of e-
mail en route from source to destination can do so by using packet
sniffer software. Unless it has been encrypted, e-mail is sent in plain
text and is readable like a post card.

8-2-4 Expanding headers


Most e-mail clients display by default only regular header information. Here
are the basic four fields of information in the header:
_ From: The sender’s address. Be careful about relying on this information.
This field can be spoofed (disguised) to make it look as though another
person sent the e-mail while hiding the IP address of the real sender.
_ To: The recipient’s address, which can also be faked or spoofed.
_ Subject: Sometimes left blank or contains misleading information.
_ Date: Recorded from the sending computer, but may not be accurate if
the sender’s computer clock was set incorrectly.
Clearly, you cannot trust the basic header information, and you may not be
able to verify it from these fields alone. To confirm the information, you
need to expand the header.


The expanded mail header has quite a bit more information that’s
needed by routers to deliver the e-mail to its destination. For the most
part, e-mail client software doesn’t show you full headers unless you
specifically ask, and even then you may have to look at the raw e-mail to find
all the headers you’re after.

The piece of information most useful to you is the originating IP
address (source IP address) or domain. You can use this address to try
to track down the person who sent the e-mail, unless it has been spoofed
or faked.
A unique ID is assigned to the message by the first e-mail server that
the e-mail passes through. Using this ID, you can find the e-mail's
footprints on the servers it has passed through. If you can catch the e-mail
server logs before they're overwritten, you can track the true
date and time of the e-mail as it passes through the network.
In most full headers, the path of the e-mail starts at the bottom and
works its way up. For example, in Figure 9-4, by following the date-and-time
stamps, you see that the e-mail traveled through two e-mail servers to
arrive at its destination.
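The header walk described in 8-2-2 and 8-2-4 can be automated. The following script is an added example written for this lecture, not code from the lecture or from any tool it mentions. It parses a constructed raw message whose host names, IP addresses and IDs are made up, reads the Received: headers from the bottom (first hop) to the top (last hop), takes the originating IP from the first hop, checks that the hop timestamps are in order, reads the Message-ID assigned by the first server, splits the From: address into mailbox and domain, and records whether that claimed domain matches the server that first accepted the message, since the From: field itself can be spoofed.

```python
"""Walk the expanded headers of an e-mail from the first hop to the last.

Added example, not part of the lecture. All hosts, addresses and IDs below
are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample message: the sender's PC, one relay (mx1.example.net),
# and the destination server (mail.example.org).
RAW_MESSAGE = b"""\
Received: from mx1.example.net (mx1.example.net [198.51.100.10])
\tby mail.example.org with ESMTP id 7BqX9L;
\tSun, 5 May 2019 10:15:30 +0000
Received: from userpc (unknown [203.0.113.45])
\tby mx1.example.net with ESMTPA id 9ZtR1W;
\tSun, 5 May 2019 10:15:20 +0000
Message-ID: <20190505101520.9ZtR1W@mx1.example.net>
From: Alice Sender <alice@example.net>
To: Bob Receiver <bob@example.org>
Subject: quarterly numbers
Date: Sun, 5 May 2019 10:15:19 +0000

Bob, the numbers are attached.
"""

RECEIVED_RE = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def split_address(addr):
    """Split 'mailbox@domain' into its two parts (the structure in 8-2-2)."""
    mailbox, sep, domain = addr.rpartition("@")
    if not sep or not mailbox or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    return mailbox, domain


def parse_received(value):
    """One Received: header -> sending host, receiving host, IP, timestamp."""
    flat = " ".join(str(value).split())          # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if m is None:
        raise ValueError(f"unparseable Received header: {flat!r}")
    ip = IP_RE.search(flat)
    stamp = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
    return {"from": m.group("from"), "by": m.group("by"),
            "ip": ip.group(1) if ip else None, "time": stamp}


def trace_path(raw):
    """Reconstruct the delivery path, first hop first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()                               # bottom header = first hop
    monotonic = all(a["time"] <= b["time"] for a, b in zip(hops, hops[1:]))
    claimed = msg["From"].addresses[0].addr_spec
    _, claimed_domain = split_address(claimed)
    first_by = hops[0]["by"] if hops else ""
    return {
        "message_id": str(msg["Message-ID"]),
        "origin_ip": hops[0]["ip"] if hops else None,
        "servers": [h["by"] for h in hops],
        "timestamps_in_order": monotonic,
        "from_domain_matches_first_server": first_by.endswith(claimed_domain),
    }


if __name__ == "__main__":
    for key, val in trace_path(RAW_MESSAGE).items():
        print(f"{key}: {val}")
```

The Received: headers are the only part of the header that the sender did not write, and even those can be forged below the first honest server, so the originating IP reported here is a lead to be confirmed against the first relay's own logs, not proof on its own.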

8-2-5 Extracting e-mail from clients


Most e-mail systems use SMTP, POP, or IMAP. The use of these protocols
makes e-mail transport fairly standard. Your challenge is to extract e-mail
from different e-mail client software. Here’s a description of the two most
common e-mail client systems:
_ Outlook: Can act as a data assistant with features such as a calendar, a
task list, and contact management. When you investigate cases where
Outlook has been used to manage the day-to-day affairs of a suspect, you
find an enormous amount of detailed information. Unlike Outlook Express,
Outlook saves all its data for a single identity in a file with a .pst
extension. You need a viewer or forensic software to view the contents of
this file. FTK and EnCase offer the most complete method for extracting
Outlook files.
_ Outlook Express: Also from Microsoft, stores data in files with a .dbx
extension and requires you to have a viewer to read them.
In Outlook Express, Outlook, AOL, Eudora, and Thunderbird, e-mail is stored
on the local client computer, which helps your investigation a lot.

8-2-6 Investigating Web-Based Mail


Users often rely on Web-based e-mail for personal communication. The
major providers of Web mail are Yahoo!, Hotmail, and Google, which provide
their basic services for free. Web mail can be used without e-mail client
software.
The only software that's needed is the free Web browser already installed on
most computers. In reality, Web mail is a client/server system.
Figure 9-6 summarizes the basic e-mail interactions on a Web mail server.

The easiest way to view the contents of a person's Web mail account
is to get permission from that person, but that is unlikely to happen.
Instead, you can find data by using forensic methods on the local machine.
Extracting every Web page that a suspect has ever visited would leave you
viewing those pages well into the next decade.


8-3 Web Forensics


The victims of Web attacks are clients and Web servers, so both client-side
and server-side protection is necessary. Attacks can be carried out using
false URLs and redirects to malicious sites. The media of attack on the
Internet are the Web browser, database servers, and application servers.
On the client side, forensic analysis is done to find out whether a user has
been involved in, or has been a victim of, the crime. Potential evidence can
be found in the browser history, registry entries, temporary files,
index.dat, cookies, favorites, HTML pages in unallocated space, e-mails sent
and received by the user, the cache, and so on.
On the server side, forensic analysis can be done by examining access
logs, error logs, FTP log files, and network traffic. The intermediate
site logs, such as antivirus server logs, Web filter logs, spam filter logs,
and firewall logs, also help in tracking an incident.

Web forensic analysis brings out details such as when, and in what
sequence, somebody accessed a Web page.

8-3-1 Temporary Files. (client side)


Temporary files (created by applications sending and receiving data over a
network) are stored temporarily by the operating system. The files are first
held in RAM. When RAM becomes full, or the operating system pushes that data
down the priority list of data to be retrieved by applications, the files
are written to the storage device.
There is no single area for temporary files on modern-day computers,
because some applications create temporary files in addition to the
operating system. For example, Internet Explorer handles temporary files
downloaded from the Internet through settings in the software. In those
settings you find not only the location of the temporary files, but also
the number of days Internet Explorer keeps the history of the Web sites you
visited.

If the application doesn’t have the ability to temporarily store files for use
later, it often lets the operating system handle this function via the swap file
or virtual memory.
The swap file is an operating system function that acts like RAM, but
uses the hard drive or storage device instead of memory microchips.
Because the swap file is written and then deleted, the information is still
physically on the storage device and retrievable by you.

8-3-2 Internet History (client side)


Internet Explorer has the ability to keep track of where the Web browser
has visited. The user has quite a bit of control and can adjust the
number of days the browser hangs onto the list of Web sites (the
Internet history).
Most users think that deleting the history deletes the files forever! The
part most users cannot control is the index.dat file. Internet Explorer
uses the index.dat file to create a database of Web sites visited,
cookies, and assorted other details pertaining to the use of the Web
browser.
You can extract data from the index.dat file and re-create the tracks of
where you have been, often going back to the first day you ever surfed the
Internet on that particular computer. Other Web browsers, such as Mozilla
and Opera, also have the ability to keep these types of files.
Because most Web browsers keep histories, computer forensic
software is designed to open these types of files and extract the data
quite easily. In the case of EnCase and FTK, the process is automated to
the point where the software looks not only for active database files, but
also for deleted files in unallocated space that contain web surfing
histories.

8-3-3 Looking through Instant Messages (client side)


Instant messaging (IM) has exploded in the dynamic communication arena.
Whereas e-mail acts like an inbox, IM acts like a text-based phone call.
Texting on mobile devices is the preferred mode of communication for some
people.
IM is important to forensic examiners because companies use this form
of communication for real-time customer service and internal business
communication.
On the personal side, people use IM to chat about everything. IM
software works basically the same way as the software used by e-mail
systems; it's just done in real time.
In any real-time environment, your best chance of finding any data is
to log the data as it is being typed. Some IM software logs conversations
for you, but most people don’t activate the logs. If you rely on the caching
system to save IM chats, you may get pieces of the conversation or
nothing, depending on how the cache archived the data on the hard
drive.


IM is migrating to mobile devices, where the technology is somewhat
different from desktop computers. The main problem that mobile devices
have now is that they don't have the resources or power of conventional
desktop computers, and they therefore use memory differently. Because
mobile devices tend not to cache or archive data in the same way that
desktop devices do, retrieving chats is that much more difficult unless
you're recording them as they occur. You may be able to catch some
logging information from the mobile clients or even the IM server, but
finding a complete conversation in memory is almost impossible
unless logging has been turned on.
(The following paragraph is for background reading.)
A relatively new area of computer forensics is Web-based forensics. This
area deals with the use of software to log and track suspects such as child
predators in chat rooms while the investigator uses the Internet to pose as
a 14-year-old child. Until recently, real-time forensic tracking of live
data was problematic because the Internet is a real-time environment.
Computer forensic software such as WebCase by VereSoft
(www.veresoftware.com) is solving this problem by allowing investigators to
forensically record IP addresses, chat sessions, and other communication
across an Internet connection.

8-3-4 Web Forensics Mechanism (important)


Port 80 is the standard port for Web sites and is exposed to a lot of
security issues. This is the port that listens for requests from a Web
client, and potential attacks enter the system through it. Web forensics is
carried out on both the client side and the server side. Server-side and
client-side forensic evidence alone are sometimes insufficient for
ascertaining (verifying) the occurrence of an activity.

Sources for web forensics:

1- Router: explained in detail in the previous lecture.
2- Application server: intermediate logging locations such as application
server logs play a crucial role in proving someone's guilt.

8-3-5 Server Side Forensics.


Some of the information is found in the Web server logs and application
server logs, but most of these do not give access to HTTP details such as
headers and request bodies. To know whether the attack was carried out
through an application, the following information is needed:
(i) Date; (ii) Time; (iii) IP address of the client; (iv) HTTP method used;
(v) URL; (vi) HTTP query used to retrieve the information from the server;
(vii) the full set of HTTP headers; (viii) the full body of the request.
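To show what an ordinary access log does and does not give you from the list above, here is an added example (not from the lecture and not tied to any particular server product). It parses constructed Apache/nginx "combined" format lines into date, time, client IP, HTTP method, URL path and query string (items i to vi), reports that the header set and request body (items vii and viii) are simply not present in such a log, and builds a per-client timeline so that "when and in what sequence" a page was accessed can be answered. The log lines, IP addresses and paths are made up.

```python
"""Extract the 8-3-5 request fields from Web server access logs.

Added example, not part of the lecture. Sample log lines are constructed.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache "combined" format (also the nginx default).
SAMPLE_LOG = """\
203.0.113.45 - - [05/May/2019:10:20:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [05/May/2019:10:20:07 +0000] "GET /search.php?q=report&page=2 HTTP/1.1" 200 2210 "http://www.example.org/index.html" "Mozilla/5.0"
198.51.100.77 - - [05/May/2019:10:21:44 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "curl/7.64.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# What the access log itself can supply, against what 8-3-5 says is needed.
ACCESS_LOG_FIELDS = {"date", "time", "client_ip", "method", "url", "query"}
REQUIRED_FIELDS = ACCESS_LOG_FIELDS | {"headers", "body"}


def parse_line(line):
    """One combined-format line -> the fields the lecture lists."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m.group("target"))
    return {
        "date": ts.date().isoformat(),
        "time": ts.time().isoformat(),
        "client_ip": m.group("ip"),
        "method": m.group("method"),
        "url": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m.group("status")),
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def missing_fields():
    """Items from the 8-3-5 list that an access log cannot provide."""
    return sorted(REQUIRED_FIELDS - ACCESS_LOG_FIELDS)


def requests_from(entries, client_ip):
    """Timeline of one client's requests, in log order."""
    return [(e["date"], e["time"], e["method"], e["url"])
            for e in entries if e["client_ip"] == client_ip]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for row in requests_from(entries, "203.0.113.45"):
        print(row)
    print("not in access log:", missing_fields())
```

The POST body and the full header set only exist in an application-level log, a reverse proxy configured to record them, or a network capture, which is the point the lecture makes about Web server logs being insufficient on their own.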

8-3-6 Methodology for Web Forensic investigation:


(1) Protect the system during forensic investigation from possible data
corruption/alteration.
(2) Discover all files needed for the forensic investigation
a. Web server and application server logs.
b. Server side scripts.
c. Configuration files of Application server and Web server.
d. Third party installed software logs and important files.
e. OS logs and registry entries.


8-3-8 Obtaining Information from the Registry (important)


The Windows registry is a central hierarchical database used to store
information that is necessary to configure the system for one or more
users. The registry holds information such as profiles for each user; the
applications installed on the computer and the types of documents that each
can create; and the hardware existing on the system and the ports in use. A
registry hive is a group of keys, subkeys, and values in the registry that
has a set of supporting files containing backups of its data.
[Microsoft 2010] Microsoft Support, "Windows registry information for
advanced users," http://support.Microsoft.com/kb/256986
Examining the Windows registry reveals the operations done by the user. The
Windows registry has keys, which are similar to folders, and values, which
are name/data pairs. One such entry to be examined is the
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
key, which holds all of the URLs that were typed into Internet Explorer by
the current user while surfing Web sites [Skoudias 2008].
The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
key holds the history of every USB device that was ever plugged into the
user's system.
The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
key holds not only the current IP address but all recently used IP
configurations.
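On a live system these keys are read with regedit, reg.exe or PowerShell; in an examination the registry is more often worked on from an exported or acquired copy. The script below is an added example (not from the lecture) that parses a constructed .reg export in the text format that regedit and "reg export" write, then lists the TypedURLs entries in order (url1 is the most recently typed) and the vendor, product and serial of each device recorded under USBSTOR. The key paths are the ones the lecture names; the device names, serials and URLs are invented.

```python
"""Offline reading of the TypedURLs and USBSTOR keys from a .reg export.

Added example, not part of the lecture. The export below is constructed;
real exports are UTF-16 text with a BOM and must be decoded before parsing.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.example.org/"
"url2"="http://intranet.example.net/reports"
"url3"="http://www.example.com/"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0019E0ABCD12&0]
"FriendlyName"="Kingston DataTraveler USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\4C530001234567&0]
"FriendlyName"="SanDisk Cruzer USB Device"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
TYPED_URLS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs"
USBSTOR_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in an export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            # .reg files escape quotes and backslashes inside string data
            data = vm.group("data").replace('\\"', '"').replace("\\\\", "\\")
            keys[current][vm.group("name")] = data
    return keys


def typed_urls(keys):
    """URLs typed into the IE address bar, url1 (most recent) first."""
    values = keys.get(TYPED_URLS_KEY, {})
    names = sorted((n for n in values if n.startswith("url")),
                   key=lambda n: int(n[3:]))
    return [values[n] for n in names]


def usb_devices(keys):
    """(vendor, product, serial) for every storage device recorded in USBSTOR."""
    found = []
    for key in keys:
        if not key.startswith(USBSTOR_PREFIX):
            continue
        device, _, instance = key[len(USBSTOR_PREFIX):].partition("\\")
        # device id looks like Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>
        fields = dict(p.split("_", 1) for p in device.split("&") if "_" in p)
        found.append((fields.get("Ven"), fields.get("Prod"), instance.split("&")[0]))
    return found


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    print("typed URLs:", typed_urls(reg))
    print("USB devices:", usb_devices(reg))
```

The instance-ID part of a USBSTOR subkey is the device serial only when the device reports one; Windows otherwise generates an ID containing an "&" in its second character, which the parser above does not distinguish.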


In Internet Explorer, the history of visited sites is maintained in a file
called index.dat, which is referenced in the Windows Registry database.
That is the reason why one can see the history contents in the
TypedURLs key.
Firefox keeps limited information in the registry. It stores its history in
ASCII format in a history.dat file located at C:\Documents and
Settings\<user>\Application Data\Mozilla\Firefox\Profiles\x.default\ in
Windows XP and at C:\Documents and
Settings\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\clfzo15s.default.

Web Server -
The server on which your website is hosted. This server has Web server
software such as IIS, Apache, etc. installed.

Application Server -
The server on which the applications you created run; these applications
use your database, web services, etc. The application server hosts the
business layer (wrapped with web services), scheduled jobs, Windows
services, etc.

Database Server -
The database server hosts one or more of your databases, such as Oracle,
SQL Server, MySQL, etc.
