E-mail forensics refers to the study of source and content of e-mail as evidence to identify the
actual sender and recipient of a message, data/time of transmission, detailed record of e-mail transaction, intent of the sender, etc. This study involves investigation of metadata, keyword searching, port scanning, etc. for authorship attribution and identification of e-mail scams.
Various approaches that are used for e-mail forensic are described and are briefly defined below:
1.1. Header Analysis
Meta data in the e-mail message in the form of control information i.e. envelope and headers
including headers in the message body contain information about the sender and/or the path along which the message has traversed. Some of these may be spoofed to conceal the identity of the sender. A detailed analysis of these headers and their correlation is performed in header analysis.
1.2. Bait Tactics In bait tactic investigation an e-mail with http: “<img src>” tag having image source at some computer monitored by the investigators is send to the sender of e-mail under investigation containing real (genuine) e-mail address. When the e-mail is opened, a log entry containing the IP address of the recipient (sender of the e-mail under investigation) is recorded on the http server hosting the image and thus sender is tracked. However, if the recipient (sender of the e-mail under investigation) is using a proxy server then IP address of the proxy server is recorded. The log on proxy server can be used to track the sender of the e-mail under investigation. If the proxy server’s log is unavailable due to some reason, the n investigators may send the tactic e-mail containing a) Embedded Java Applet that runs on receiver’s computer or b) HTML page with Active X Object. Both aiming to extract IP address of the receiver’s computer and e-mail it to the investigators.
1.3. Server Investigation
In this investigation, copies of delivered e-mails and server logs are investigated to identify source of an e-mail message. E-mails purged from the clients(senders or receivers) whose recovery is impossible may be requested from servers (Proxy or ISP)as most of them store a copy of all e-mails after their deliveries. Further, logs maintained by servers can be studied to trace the address of the computer responsible for making the e-mail transaction. However, servers store the copies of e-mail and server logs only for some limited periods and some may not co-operate with the investigators. Further, SMTP servers whichstore data like credit card number and other data pertaining to owner of a mailbox can be usedto identify person behind an e-mail address.
1.4. Network Device Investigation
In this form of e-mail investigation, logs maintained by the network devices such as routers,
firewalls and switches are used to investigate the source of an e-mail message. This form of investigation is complex and is used only when the logs of servers (Proxy or ISP) are unavailable due to some reason, e.g. when ISP or proxy does not maintain a log or lack of co-operation by ISP’s or failure to maintain chain of evidence.
1.5. Software Embedded Identifiers
Some information about the creator of e-mail, attached files or documents may be included with
the message by the e-mail software used by the sender for composing e-mail. This information may be included in the form of custom headers or in the form of MIME content as a Transport Neutral Encapsulation Format (TNEF). Investigating the e-mail for these details may reveal some vital information about the senders e-mail preferences and options that could help client side evidence gathering. The investigation can reveal PST filenames, Windows logon username, MAC address, etc. of the client computer used to send e-mail message.
1.6. Sender Mailer Fingerprints
Identification of software handling e-mail at server can be revealed from the Received header field and identification of software handling e-mail at client can be ascertained by using different set of headers like “X-Mailer” or equivalent. These headers describe applications and their versions used at the clients to send e-mail. This information about the client computer of the sender can be used to help investigators devise an effective plan and thus prove to be very useful.
2. E-MAIL FORENSIC TOOLS
There are many tools which may assist in the study of source and content of e-mail message so
that an attack or the malicious intent of the intrusions may be investigated. These tools while
providing easy to use browser format, automated reports, and other features, help to identify the origin and destination of the message, trace the path traversed by the message; identify spam and phishing networks, etc. This section introduces some of these tools.
2.1. eMailTrackerPro
eMailTrackerPro analyses the headers of an e-mail to detect the IP address of the machine that sent the message so that the sender can be tracked down. It can trace multiple e-mails at the same time and easily keep track of them. The geographical location of an IP address is key information for determining the threat level or validity of an e-mail message. This tool can pin point the city that the e-mail most likely came from. It identifies the network provider (or ISP) of the sender and provide contact information for further investigation. The actual path to the sender's IP address is reported in a routing table, providing additional location information to
help determine the sender's true location. The abuse reporting feature in it can be used to make further investigation easier. It checks the mail against DNS blacklists such as Spamcop to further safeguard against spam and malicious emails. It supports Japanese, Russian and Chinese
language spam filters besides English language. A major feature of this tool is abuse reporting that can create a report that can be sent to the ISP of sender. The ISP can then takes steps to prosecuting the account holder and help put a stop to spam.
2.2. EmailTracer
EmailTracer is an Indian effort in cyber forensics by the Resource Centre for Cyber Forensics (RCCF) which is a premier centre for cyber forensics in India. It develops cyber forensic tools based on the requirements of law enforcement agencies. Among several other digital forensic tools, it has developed an e-mail tracer tool named EmailTracer. This tool traces the originating IP address and other details from e-mail header, generates detailed HTML report of email header analysis, finds the city level details of the sender, plots route traced by the mail and display the originating geographic location of the e-mail. Besides these, it has keyword searching facility on e-mail content including attachment for its classification.
2.3. Adcomplain
Adcomplain [10] is a tool for reporting inappropriate commercial e-mail and usenet postings, as well as chain letters and "make money fast" postings. Itautomatically analyses the message, composes an abuse report, and mails the report to the offender's internet service provider by
performing a valid header analysis. The report is displayed for approval prior to mailing to U.S. Federal Trade Commission. Adcomplain can be invoked from the command line or automatically from many news and mail readers.
2.4. Aid4Mail Forensic
Aid4Mail Forensic is e-mail investigation software for forensic analysis, e-discovery, and litigation support. It is an e-mail migration and conversion tool,which supports various mail
formats including Outlook (PST, MSG files), Windows Live Mail,Thunderbird, Eudora, and mbox. It can search mail by date, header content, and by message body content. Mail folders and files can be processed even when disconnected (unmounted) from their email client including those stored on CD, DVD, and USB drives. Aid4Mail Forensic can search PST files and all supported mail formats, by date range and by keywords in the message body or in the headers. Special Boolean operations are supported. It is able to process unpurged (deleted) e-mail from mbox files and can restore unpurged e-mail during exportation.
2.5. AbusePipe
AbusePipe analyses abuse complaint e-mails and determines which of ESP’s customers is sending spam based on the information in e-mailed complaints. It automatically generates reports reporting customers violating ESP’s acceptable user policy so that action to shut them down can be taken immediately. AbusePipe can be configured to automatically reply to people reporting abuse. It can assist in meeting legal obligations such as reporting on the customers connected to a given IP address at a given date and time.
2.6. AccessData’s FTK
AccessData’s FTK [13] is standard court-validated digital investigations platform computer forensics software delivering computer forensic analysis, decryption and password cracking within an intuitive and customizable interface. It hasspeed, analytics and enterprise-class scalability. It is known for its intuitive interface, e-mail analysis, customizable data views and stability. It supports popular encryption technologies, such as Credant, SafeBoot, Utimaco, EFS, PGP, Guardian Edge, Sophos Enterprise and S/MIME. Its current supported e-mail types are: Lotus Notes NSF, Outlook PST/OST, Exchange EDB, Outlook Express DBX, Eudora, EML (Microsoft Internet Mail, Earthlink, Thunderbird, Quickmail, etc.), Netscape, AOL and RFC 833.
2.7. EnCase Forensic
EnCase Forensic is computer forensic application that provides investigators the ability to image a drive and preserve it in a forensic manner using the EnCase evidence file format (LEF or E01), a digital evidence container vetted by courts worldwide. It contains a full suite of analysis, bookmarking and reporting features. Guidance Software and third party vendors provide support for expanded capabilities to ensure that forensic examiners have the most comprehensive set of utilities. Including many other network forensics investigations, it also supports Internet and e-mail investigation. It included Instant Messenger toolkit for Microsoft Internet Explorer, Mozilla Firefox, Opera and Apple Safari. The e-mail support includes for Outlook PSTs/OSTs, Outlook Express DBXs, Microsoft Exchange EDBParser, Lotus Notes, AOL, Yahoo, Hotmail, Netscape Mail and MBOX archives.
2.8. FINALeMAIL
FINALeMAIL can recover the e-mail database file and locates lost e-mails that do not have data location information associated with them. FINALeMAIL has the capability of restoring lost e-mails to their original state, recover full e-mail database files even when such files are attacked by viruses or damaged by accidental formatting. It can recover E- mail messages and attachments emptied from the ‘Deleted Items folder’ in Microsoft Outlook Express, Netscape Mail, and Eudora.
2.9. Sawmill-GroupWise
Sawmill-GroupWise is a GroupWise Post Office Agent log analyser which can process log files in GroupWise Post Office Agent format, and generate dynamic statistics from them, analysing and reporting events. It can parse these logs, import them into a MySQL, Microsoft SQL Server, or Oracle database (or its own built-in database), aggregate them, and generate dynamically filtered reports, through a web interface. It supports Window, Linux, FreeBSD, OpenBSD, Mac OS, Solaris, other UNIX, and several other platforms.
2.10. Forensics Investigation Toolkit (FIT)
Forensics Investigation Toolkit (FIT) is content forensics toolkit to read and analyse the content of the Internet raw data in Packet CAPture (PCAP) format.FIT provides security administrative officers, auditors, fraud and forensics investigators well as lawful enforcement officers the power to perform content analysis and reconstruction on pre-captured Internet raw data from wired or wireless networks. All protocols and services analysed and reconstructed are displayed in readable format to the users. The other uniqueness of the FIT is that the imported raw data files can be immediately parsed and reconstructed. It supports case management functions, detailed information including Date-Time, Source IP,Destination IP, Source MAC, etc., WhoIS and Google Map integration functions. Analysing and reconstruction of various Internet traffic types which includes e-mail (POP3, SMTP, IMAP),Webmail (Read and Sent), IM or Chat (MSN, ICQ, Yahoo, QQ, Skype Voice Call Log, UT ChatRoom, Gtalk, IRC Chat Room), File Transfer (FTP, P2P), Telnet, HTTP (Content, Upload/Download, Video Streaming,
Request) and Others (SSL) can be performed using this toolkit.
2.11. Paraben (Network) E-mail Examiner Paraben (Network) E-mail Examiner has comprehensive analysis features, easy bookmarking and reporting, advanced Boolean searching, searching within attachments, and full UNICODE language support. It supports America On-line (AOL),Microsoft Outlook (PST,OST), Thunderbird, Outlook Express, Eudora, E-mail file (EML),Windows mail databases and more than 750 MIME Types and related file extensions. It can recover deleted e-mails fromOutlook (PST), Thunderbird, etc. Network E-mail Examiner [http://www.paraben.com/network-email-examiner.html], can thoroughly examine Microsoft Exchange (EDB), Lotus Notes (NSF), and GroupWise e-mail stores. It works with E-mailExaminer and all output is compatible and can easily be loaded for more complex tasks.
According to Simson L. Garfinkel current forensic tools are designed to help examiners in finding specific pieces of evidence and are not assisting in investigations. Further, these tools were created for solving crimes committed against people where the evidence resides on a computer; they were not created to assist in solving typical crimes committed with computers oragainst computers. Current tools must be re-imagined to facilitate investigation and exploration.This is especially important when the tools are used outside of the law enforcement context for activities such as cyber-defense and intelligence. Construction of a modular forensic processing framework for digital forensics that implements the “Visibility, Filter and Report” model would be the first logical step in this direction
No comments:
Post a Comment