There are many tools which may assist in the study of source and content of e-mail message so
that an attack or the malicious intent of the intrusions may be investigated. These tools while
providing easy to use browser format, automated reports, and other features, help to identify the origin and destination of the message, trace the path traversed by the message; identify spam and phishing networks, etc. This section introduces some of these tools.
2.1. eMailTrackerPro
eMailTrackerPro analyses the headers of an e-mail to detect the IP address of the machine that sent the message so that the sender can be tracked down. It can trace multiple e-mails at the same time and easily keep track of them. The geographical location of an IP address is key information for determining the threat level or validity of an e-mail message. This tool can pin point the city that the e-mail most likely came from. It identifies the network provider (or ISP) of the sender and provide contact information for further investigation. The actual path to the sender's IP address is reported in a routing table, providing additional location information to
help determine the sender's true location. The abuse reporting feature in it can be used to make further investigation easier. It checks the mail against DNS blacklists such as Spamcop to further safeguard against spam and malicious emails. It supports Japanese, Russian and Chinese
language spam filters besides English language. A major feature of this tool is abuse reporting that can create a report that can be sent to the ISP of sender. The ISP can then takes steps to prosecuting the account holder and help put a stop to spam.
2.2. EmailTracer
EmailTracer is an Indian effort in cyber forensics by the Resource Centre for Cyber Forensics (RCCF) which is a premier centre for cyber forensics in India. It develops cyber forensic tools based on the requirements of law enforcement agencies. Among several other digital forensic tools, it has developed an e-mail tracer tool named EmailTracer. This tool traces the originating IP address and other details from e-mail header, generates detailed HTML report of email header analysis, finds the city level details of the sender, plots route traced by the mail and display the originating geographic location of the e-mail. Besides these, it has keyword searching facility on e-mail content including attachment for its classification.
2.3. Adcomplain
Adcomplain [10] is a tool for reporting inappropriate commercial e-mail and usenet postings, as well as chain letters and "make money fast" postings. Itautomatically analyses the message, composes an abuse report, and mails the report to the offender's internet service provider by
performing a valid header analysis. The report is displayed for approval prior to mailing to U.S. Federal Trade Commission. Adcomplain can be invoked from the command line or automatically from many news and mail readers.
2.4. Aid4Mail Forensic
Aid4Mail Forensic is e-mail investigation software for forensic analysis, e-discovery, and litigation support. It is an e-mail migration and conversion tool,which supports various mail
formats including Outlook (PST, MSG files), Windows Live Mail,Thunderbird, Eudora, and mbox. It can search mail by date, header content, and by message body content. Mail folders and files can be processed even when disconnected (unmounted) from their email client including those stored on CD, DVD, and USB drives. Aid4Mail Forensic can search PST files and all supported mail formats, by date range and by keywords in the message body or in the headers. Special Boolean operations are supported. It is able to process unpurged (deleted) e-mail from mbox files and can restore unpurged e-mail during exportation.
2.5. AbusePipe
AbusePipe analyses abuse complaint e-mails and determines which of ESP’s customers is sending spam based on the information in e-mailed complaints. It automatically generates reports reporting customers violating ESP’s acceptable user policy so that action to shut them down can be taken immediately. AbusePipe can be configured to automatically reply to people reporting abuse. It can assist in meeting legal obligations such as reporting on the customers connected to a given IP address at a given date and time.
2.6. AccessData’s FTK
AccessData’s FTK [13] is standard court-validated digital investigations platform computer forensics software delivering computer forensic analysis, decryption and password cracking within an intuitive and customizable interface. It hasspeed, analytics and enterprise-class scalability. It is known for its intuitive interface, e-mail analysis, customizable data views and stability. It supports popular encryption technologies, such as Credant, SafeBoot, Utimaco, EFS, PGP, Guardian Edge, Sophos Enterprise and S/MIME. Its current supported e-mail types are: Lotus Notes NSF, Outlook PST/OST, Exchange EDB, Outlook Express DBX, Eudora, EML (Microsoft Internet Mail, Earthlink, Thunderbird, Quickmail, etc.), Netscape, AOL and RFC 833.
2.7. EnCase Forensic
EnCase Forensic is computer forensic application that provides investigators the ability to image a drive and preserve it in a forensic manner using the EnCase evidence file format (LEF or E01), a digital evidence container vetted by courts worldwide. It contains a full suite of analysis, bookmarking and reporting features. Guidance Software and third party vendors provide support for expanded capabilities to ensure that forensic examiners have the most comprehensive set of utilities. Including many other network forensics investigations, it also supports Internet and e-mail investigation. It included Instant Messenger toolkit for Microsoft Internet Explorer, Mozilla Firefox, Opera and Apple Safari. The e-mail support includes for Outlook PSTs/OSTs, Outlook Express DBXs, Microsoft Exchange EDBParser, Lotus Notes, AOL, Yahoo, Hotmail, Netscape Mail and MBOX archives.
2.8. FINALeMAIL
FINALeMAIL can recover the e-mail database file and locates lost e-mails that do not have data location information associated with them. FINALeMAIL has the capability of restoring lost e-mails to their original state, recover full e-mail database files even when such files are attacked by viruses or damaged by accidental formatting. It can recover E- mail messages and attachments emptied from the ‘Deleted Items folder’ in Microsoft Outlook Express, Netscape Mail, and Eudora.
2.9. Sawmill-GroupWise
Sawmill-GroupWise is a GroupWise Post Office Agent log analyser which can process log files in GroupWise Post Office Agent format, and generate dynamic statistics from them, analysing and reporting events. It can parse these logs, import them into a MySQL, Microsoft SQL Server, or Oracle database (or its own built-in database), aggregate them, and generate dynamically filtered reports, through a web interface. It supports Window, Linux, FreeBSD, OpenBSD, Mac OS, Solaris, other UNIX, and several other platforms.
2.10. Forensics Investigation Toolkit (FIT)
Forensics Investigation Toolkit (FIT) is content forensics toolkit to read and analyse the content of the Internet raw data in Packet CAPture (PCAP) format.FIT provides security administrative officers, auditors, fraud and forensics investigators well as lawful enforcement officers the power to perform content analysis and reconstruction on pre-captured Internet raw data from wired or wireless networks. All protocols and services analysed and reconstructed are displayed in readable format to the users. The other uniqueness of the FIT is that the imported raw data files can be immediately parsed and reconstructed. It supports case management functions, detailed information including Date-Time, Source IP,Destination IP, Source MAC, etc., WhoIS and Google Map integration functions. Analysing and reconstruction of various Internet traffic types which includes e-mail (POP3, SMTP, IMAP),Webmail (Read and Sent), IM or Chat (MSN, ICQ, Yahoo, QQ, Skype Voice Call Log, UT ChatRoom, Gtalk, IRC Chat Room), File Transfer (FTP, P2P), Telnet, HTTP (Content, Upload/Download, Video Streaming,
Request) and Others (SSL) can be performed using this toolkit.
2.11. Paraben (Network) E-mail Examiner Paraben (Network) E-mail Examiner has comprehensive analysis features, easy bookmarking and reporting, advanced Boolean searching, searching within attachments, and full UNICODE language support. It supports America On-line (AOL),Microsoft Outlook (PST,OST), Thunderbird, Outlook Express, Eudora, E-mail file (EML),Windows mail databases and more than 750 MIME Types and related file extensions. It can recover deleted e-mails fromOutlook (PST), Thunderbird, etc. Network E-mail Examiner [http://www.paraben.com/network-email-examiner.html], can thoroughly examine Microsoft Exchange (EDB), Lotus Notes (NSF), and GroupWise e-mail stores. It works with E-mailExaminer and all output is compatible and can easily be loaded for more complex tasks.
According to Simson L. Garfinkel current forensic tools are designed to help examiners in finding specific pieces of evidence and are not assisting in investigations. Further, these tools were created for solving crimes committed against people where the evidence resides on a computer; they were not created to assist in solving typical crimes committed with computers oragainst computers. Current tools must be re-imagined to facilitate investigation and exploration.This is especially important when the tools are used outside of the law enforcement context for activities such as cyber-defense and intelligence. Construction of a modular forensic processing framework for digital forensics that implements the “Visibility, Filter and Report” model would be the first logical step in this direction
