Chapter 10 Email Forensics

Email is Often the Best Evidence
- Contents can demonstrate intent
- Header data can demonstrate the source
- Timestamps can show intent to mislead
- Shows up as evidence in the vast majority of cases

Email Structure
- Plain text emails don't support graphics
- HTML structured emails support graphics and embedded content
- Attachments accompany the message as separate MIME parts, encoded (usually base64) inside the same message rather than sent as a separate file

Email Technology
- Mail user agent (MUA) is the software interface that represents the end user
- Mail transfer agent (MTA) moves messages from point A to point B
- Mail client is the application that provides end-user support (in practice, the MUA)
- Mail server handles addressing and transport

Email Addresses
- Each user ID must be unique within a particular domain
- The same user ID on a different domain may or may not represent the same user
- User IDs (and the display name in From:) are easily spoofed with the right software

Email Protocols
- Mailbox (retrieval) protocols
  - Post Office Protocol, version 3 (POP3)
  - Internet Message Access Protocol (IMAP)
- Transport protocol
  - Simple Mail Transfer Protocol (SMTP)

Email Clients
- Perform some basic functions
  - Send messages
  - Receive messages
  - Manage content (including attachments)
- Are operating system specific
- Determine how information is archived on the system
- May be a local client or web-based

Information Stores
- Act as a cabinet for the information stored by the client
  - Sent/received messages
  - Address books
  - Calendars
- Each client has a specific format for storing data

Email Servers
- Act as relay agents for moving messages across the Internet
- SMTP servers handle transport: outgoing messages submitted by clients and server-to-server delivery of incoming messages
- IMAP or POP3 servers let clients retrieve messages from the mailbox once they have been delivered
- Server applications such as Microsoft Exchange combine SMTP transport with mailbox access

Standard Header Information
- To:
- From:
- Subject:
- Date:
- All of these are written by the sender's software and are easily spoofed

MIME Header Information
- Most of these fields are transport headers added by relay servers rather than MIME headers proper; MIME-Version: and Content-Type: describe the body structure
- Information stored in the header includes:
  - Time/date stamps for each hop along the way (one Received: line per relay)
  - Server information for relay servers along the way
  - A Message-ID: unique to this message across the Internet (generated by the sending system, so it can also be forged)
  - Versions of software used along the way (for example an X-Mailer: header, or the MTA named in a Received: line)
  - IDs of blind carbon copy recipients, which are normally stripped before transmission, so a Bcc: header survives only in the sender's stored copy, if at all
  - A Return-Path: (the envelope sender, recorded by the final receiving server)

Tracing the Origin of a Message
- Each server that relays the message prepends a Received: line recording the IP address it received the message from, its own name, and a timestamp
- Each relay server keeps logs for a certain period of time that record the IP address of the sender as well as the intended recipient
- While the Date: header, and any Received: lines the sender writes, can be manipulated at the origin, the ones added along the way by servers the sender does not control are likely real
- Read the Received: lines from the top (your own server) downward and trust each hop only as far as the server that wrote it; everything below the first untrusted hop may be fabricated

Some Email Search Tools
- Clearwell
- Paraben
- GREP

Search Results
- False positives: look right but aren't relevant
- False negatives: relevant messages that the search did not return
- A measure of accuracy is "precision": the fraction of returned messages that are actually relevant, true positives divided by (true positives + false positives)
- A measure of effectiveness is "recall": the percentage of relevant emails that were found, true positives divided by (true positives + false negatives)

Advanced Search Methods
- Stationary User Profiles: a method of determining if a user makes use of multiple accounts
- Similar Users: a way of determining if what appears to be a single user is actually multiple users
- Attachment Statistics: a user's typical be.
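The following is an added example illustrating the "Email Structure", "MIME Header Information" and "Tracing the Origin of a Message" material above; it is not code from the original chapter. It parses a constructed message (all hosts and addresses are reserved documentation values chosen for illustration), lists the Received: chain oldest-first, extracts the originating IP, checks the sender-controlled Date: against the first relay's timestamp, compares the From: domain with the envelope sender in Return-Path:, hashes attachments, and flags a Received: line that a sender fabricated by spotting its backwards timestamp.

```python
"""Added example (not from the original chapter): MIME walk and Received: chain
tracing over a constructed message.  Hosts, addresses and IPs are reserved
documentation values (example TLDs, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24)."""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: a spoofed "CEO" message with a PDF attachment that passed
# through one external relay and two servers inside the receiving organisation.
RAW_MESSAGE = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mx2.corp.example (mx2.corp.example [198.51.100.7])
 by mailstore.corp.example with ESMTP id A1; Tue, 5 Mar 2024 14:03:12 -0500
Received: from relay.mailer.example.net (relay.mailer.example.net [203.0.113.25])
 by mx2.corp.example with ESMTPS id B2; Tue, 5 Mar 2024 14:03:10 -0500
Received: from [192.0.2.44] (unknown [192.0.2.44])
 by relay.mailer.example.net with ESMTPA id C3; Tue, 5 Mar 2024 14:02:58 -0500
Message-ID: <20240305190258.C3@relay.mailer.example.net>
Date: Mon, 4 Mar 2024 09:00:00 -0500
From: "CEO" <ceo@corp.example>
To: cfo@corp.example
Subject: Wire request
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please process the attached wire.
--b1
Content-Type: application/pdf; name="wire.pdf"
Content-Disposition: attachment; filename="wire.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Same message with a Received: line the sender fabricated before submission.
# It sits below the genuine hops and claims the mail came from the victim's own
# gateway; only its timestamp (later than the next real hop) gives it away.
FORGED_MESSAGE = RAW_MESSAGE.replace(
    b"Message-ID:",
    b"Received: from gateway.corp.example (gateway.corp.example [198.51.100.2])\n"
    b" by sender-pc.example.org with ESMTP id Z9; Tue, 5 Mar 2024 14:05:00 -0500\n"
    b"Message-ID:", 1)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_message(raw=RAW_MESSAGE):
    return email.message_from_bytes(raw, policy=policy.default)


def trace_hops(msg):
    """Relay chain oldest-first.  Each MTA prepends its Received: line, so the
    header order in the message is newest-first and is reversed here."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())            # unfold continuation lines
        ip = IP_RE.search(text)                      # bracketed IP the MTA saw
        by = re.search(r"\bby\s+(\S+)", text)        # the MTA that wrote the line
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        hops.append({"from_ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None,
                     "time": parsedate_to_datetime(stamp) if stamp else None})
    return hops


def origin_ip(hops):
    """IP of the host that handed the message to the first (bottom) relay."""
    return hops[0]["from_ip"] if hops else None


def clock_anomalies(hops):
    """Consecutive hops whose timestamps run backwards.  A message cannot leave
    a relay before it arrived, so a reversal is clock skew or a forged line."""
    return [(a["by"], b["by"]) for a, b in zip(hops, hops[1:])
            if a["time"] and b["time"] and b["time"] < a["time"]]


def sender_mismatch(msg):
    """True when the envelope sender (Return-Path) and From: use different
    domains; common for bulk mail, but also the signature of a spoofed From:."""
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    envelope_domain = parseaddr(str(msg["Return-Path"]))[1].rpartition("@")[2].lower()
    return from_domain != envelope_domain


def date_lag(msg, hops):
    """Seconds between the sender-controlled Date: header and the first relay's
    timestamp; a large gap suggests back-dating or a wrong sender clock."""
    declared = parsedate_to_datetime(str(msg["Date"]))
    return (hops[0]["time"] - declared).total_seconds()


def attachments(msg):
    """(filename, content type, size, sha256) for every attachment part."""
    found = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True)
            found.append((part.get_filename(), part.get_content_type(),
                          len(data), hashlib.sha256(data).hexdigest()))
    return found


if __name__ == "__main__":
    msg = parse_message()
    hops = trace_hops(msg)
    for hop in hops:
        print(f"{hop['time']}  {str(hop['from_ip']):>15} -> {hop['by']}")
    print("origin:", origin_ip(hops), " message-id:", msg["Message-ID"])
    print("From/Return-Path domain mismatch:", sender_mismatch(msg))
    print("Date: header precedes first hop by", date_lag(msg, hops), "seconds")
    print("attachments:", attachments(msg))
    print("anomalies in forged copy:",
          clock_anomalies(trace_hops(parse_message(FORGED_MESSAGE))))
```

Note that on the forged copy `origin_ip` happily returns the fabricated 198.51.100.2: the bottom line is only as trustworthy as the server that wrote it, which is why the chain is read from the top (your own server) down and stops being trusted at the first hop you cannot vouch for.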
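As an added example for the "Search Results" material above (not code from the original chapter), the block below runs GREP-style regular-expression searches over a small constructed mailbox with a known-relevant set, classifies each hit as a true positive, false positive or false negative, and computes precision and recall. The mailbox contents and the "investigation" (a fraudulent wire transfer) are invented for illustration.

```python
"""Added example (not from the original chapter): keyword search over a
constructed mailbox scored for precision and recall against ground truth."""
import re

# Constructed sample: (message id, body text, relevant to the investigation?)
MAILBOX = [
    ("m1", "Please wire $40,000 to the vendor account today.", True),
    ("m2", "Wire the funds as discussed, same account as last quarter.", True),
    ("m3", "Can you send the payment before Friday?", True),
    ("m4", "The new wire shelving for the storeroom arrived.", False),
    ("m5", "Quarterly newsletter: tips for the office kitchen.", False),
    ("m6", "Lunch at noon?", False),
]


def search(pattern, mailbox=MAILBOX):
    """Ids of messages whose body matches the regular expression (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return {mid for mid, body, _ in mailbox if rx.search(body)}


def score(hits, mailbox=MAILBOX):
    """Classify a result set against ground truth.
    precision = TP / (TP + FP): how much of what came back is relevant
    recall    = TP / (TP + FN): how much of what is relevant came back"""
    relevant = {mid for mid, _, rel in mailbox if rel}
    tp, fp, fn = hits & relevant, hits - relevant, relevant - hits
    return {
        "tp": sorted(tp), "fp": sorted(fp), "fn": sorted(fn),
        "precision": len(tp) / len(hits) if hits else 0.0,
        "recall": len(tp) / len(relevant) if relevant else 0.0,
    }


if __name__ == "__main__":
    # A bare keyword, a broadened term list, and a narrowed co-occurrence pattern:
    # widening the search raises recall at the cost of precision, and vice versa.
    for pattern in (r"\bwire\b",
                    r"\b(wire|payment|funds)\b",
                    r"\bwire\b.*\b(account|funds)\b"):
        s = score(search(pattern))
        print(f"{pattern:36} precision={s['precision']:.2f} "
              f"recall={s['recall']:.2f} fp={s['fp']} fn={s['fn']}")
```

The "wire shelving" message is the classic false positive (it looks right but isn't), and the "payment" message is the false negative a single-keyword search misses; the scores only mean something when a reviewed, known-relevant set exists to compare against.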