SlideShare a Scribd company logo

Email investigation

Download as PPTX, PDF
Animesh Shaw
Animesh Shaw

Presentation on Investigating Emails to detect their spam free nature. Emails are a way to harm others or a social engineering way to fulfill wrong motives by some people. Awareness about the Forensics behind Email will give people an edge to protect themselves from fraud crimes.

1 of 72
Email Investigation Presented By Animesh Shaw (Psycho_Coder) Digital Evidence Analyst Trainee
Discussion Objectives • Working Process of Email • Explain the role of e-mail in investigations • Describe client and server roles in e-mail • Describe tasks in investigating e-mail crimes and violations • Explain the use of e-mail server logs • Describe some available e-mail computer forensics tools
HOW EMAIL WORKS
HOW EMAIL WORKS 1. Stand- alone 2. Web based To send and receive emails, we need an email client. There are primarily two types of email clients:
A client has 4 things : • 1) Messages in mailbox. • 2) Contents can be seen by selecting the header. • 3) Messages can be created and sent. • 4) Attachments can be added. HOW EMAIL WORKS
HOW EMAIL WORKS KEY PROTOCOLS
HOW EMAIL WORKS PROCEDURE OF EMAIL TRANSMISSION
HOW EMAIL WORKS BASIC TERMS
Exploring the Role of E-mail in Investigations • With the increase in e-mail scams and fraud attempts with phishing or spoofing – Investigators need to know how to examine and interpret the unique content of e-mail messages • Phishing e-mails are in HTML format – Which allows creating links to text on a Web page • One of the most noteworthy e-mail scams was 419, or the Nigerian Scam • Spoofing e-mail can be used to commit fraud
Exploring the Roles of the Client and Server in E-mail • Send and receive e-mail in two environments – Internet – Controlled LAN, MAN, or WAN • Client/server architecture – Server OS and e-mail software differs from those on the client side • Protected accounts – Require usernames and passwords
Exploring the Roles of the Client and Server in E-mail (continued)
12 Exploring the Roles of the Client and Server in E-mail (continued) • Name conventions – Corporate: john.smith@somecompany.com – Public: whatever@hotmail.com – Everything after @ belongs to the domain name • Tracing corporate e-mails is easier – Because accounts use standard names the administrator establishes
Investigating E-mail Crimes and Violations • Similar to other types of investigations • Goals – Find who is behind the crime – Collect the evidence – Present your findings – Build a case
Investigating E-mail Crimes and Violations (continued) • Depend on the city, state, or country – Example: spam – Always consult with an attorney • Becoming commonplace • Examples of crimes involving e-mails – Narcotics trafficking – Extortion – Sexual harassment – Child abductions and pornography
Examining E-mail Messages • Access victim’s computer to recover the evidence • Using the victim’s e-mail client – Find and copy evidence in the e-mail – Access protected or encrypted material – Print e-mails • Guide victim on the phone – Open and copy e-mail including headers • Sometimes you will deal with deleted e-mails
Examining E-mail Messages (continued) • Copying an e-mail message – Before you start an e-mail investigation • You need to copy and print the e-mail involved in the crime or policy violation – You might also want to forward the message as an attachment to another e-mail address • With many GUI e-mail programs, you can copy an e-mail by dragging it to a storage medium – Or by saving it in a different location
Examining E-mail Messages (continued)
Viewing E-mail Headers • Learn how to find e-mail headers – GUI clients – Command-line clients – Web-based clients • After you open e-mail headers, copy and paste them into a text document – So that you can read them with a text editor • Headers contain useful information – Unique identifying numbers, IP address of sending server, and sending time
Viewing E-mail Headers (continued) • Yahoo (Client) – Click Mail Options – Click General Preferences and Show All headers on incoming messages – Copy and paste headers
Yahoo Mail Header 20
Yahoo Full Header View
Viewing E-mail Headers (continued) • Outlook – Open the Message Options dialog box – Copy headers – Paste them to any text editor • Outlook Express – Open the message Properties dialog box – Select Message Source – Copy and paste the headers to any text editor
Viewing E-mail Headers (continued)
Viewing E-mail Headers (continued)
Viewing E-mail Headers (continued) • Novell Evolution – Click View, All Message Headers – Copy and paste the e-mail header • Pine and ELM – Check enable-full-headers • AOL headers – Click Action, View Message Source – Copy and paste headers
Viewing E-mail Headers (continued)
Viewing E-mail Headers (continued)
Viewing E-mail Headers (continued)
Viewing E-mail Headers (continued)
Viewing E-mail Headers (continued) • Hotmail – Click Options, and then click the Mail Display Settings – Click the Advanced option button under Message Headers – Copy and paste headers • Apple Mail – Click View from the menu, point to Message, and then click Long Header – Copy and paste headers
Viewing E-mail Headers (continued)
Viewing E-mail Headers (continued)
Examining E-mail Headers • Gather supporting evidence and track suspect – Return path – Recipient’s e-mail address – Type of sending e-mail service – IP address of sending server – Name of the e-mail server – Unique message number – Date and time e-mail was sent – Attachment files information
35 Examining E-mail Headers (continued)
36 Examining Additional E-mail Files • E-mail messages are saved on the client side or left at the server • Microsoft Outlook uses .pst and .ost files • Most e-mail programs also include an electronic address book • In Web-based e-mail – Messages are displayed and saved as Web pages in the browser’s cache folders – Many Web-based e-mail providers also offer instant messaging (IM) services
Validating Email Address • We can use an online Tool Email Dossier to get details about the validity of an email address. 37
Tracing an E-mail Message • Contact the administrator responsible for the sending server • Finding domain name’s point of contact – www.arin.net – www.internic.com – www.freeality.com – www.google.com • Find suspect’s contact information • Verify your findings by checking network e-mail logs against e-mail addresses
Online Email Tracer • We can use Online Email Tracer to make our work easier. Such a tool can be found here http://www.cyberforensics.in/OnlineEmailTracer/index.aspx Demo Trace : 39
Using Network E-mail Logs • Router logs – Record all incoming and outgoing traffic – Have rules to allow or disallow traffic – You can resolve the path a transmitted e-mail has taken • Firewall logs – Filter e-mail traffic – Verify whether the e-mail passed through • You can use any text editor or specialized tools
Using Network E-mail Logs (continued)
Understanding E-mail Servers • Computer loaded with software that uses e-mail protocols for its services – And maintains logs you can examine and use in your investigation • E-mail storage – Database – Flat file • Logs – Default or manual – Continuous and circular
Understanding E-mail Servers (continued) • Log information – E-mail content – Sending IP address – Receiving and reading date and time – System-specific information • Contact suspect’s network e-mail administrator as soon as possible • Servers can recover deleted e-mails – Similar to deletion of files on a hard drive
44 Understanding E-mail Servers (continued)
45 Examining UNIX E-mail Server Logs • /etc/sendmail.cf – Configuration information for Sendmail • /etc/syslog.conf – Specifies how and which events Sendmail logs • /var/log/maillog – SMTP and POP3 communications • IP address and time stamp • Check UNIX man pages for more information
46 Examining UNIX E-mail Server Logs (continued)
47 Examining UNIX E-mail Server Logs (continued)
48 Examining Microsoft E-mail Server Logs • Microsoft Exchange Server (Exchange) – Uses a database – Based on Microsoft Extensible Storage Engine • Information Store files – Database files *.edb • Responsible for MAPI information – Database files *.stm • Responsible for non-MAPI information
49 Examining Microsoft E-mail Server Logs (continued) • Transaction logs – Keep track of e-mail databases • Checkpoints – Keep track of transaction logs • Temporary files • E-mail communication logs – res#.log • Tracking.log – Tracks messages
50 Examining Microsoft E-mail Server Logs (continued)
Examining Microsoft E-mail Server Logs (continued) • Troubleshooting or diagnostic log – Logs events – Use Windows Event Viewer – Open the Event Properties dialog box for more details about an event
Examining Microsoft E-mail Server Logs (continued)
Examining Microsoft E-mail Server Logs (continued)
Using Specialized E-mail Forensics Tools • Tools include: – AccessData’s Forensic Toolkit (FTK) – ProDiscover Basic – FINALeMAIL – Sawmill-GroupWise – DBXtract – Fookes Aid4Mail and MailBag Assistant – Paraben E-Mail Examiner – Ontrack Easy Recovery EmailRepair – R-Tools R-Mail
55 Using Specialized E-mail Forensics Tools (continued) • Tools allow you to find: – E-mail database files – Personal e-mail files – Offline storage files – Log files • Advantage – Do not need to know how e-mail servers and clients work
Using Specialized E-mail Forensics Tools (continued) • FINALeMAIL – Scans e-mail database files – Recovers deleted e-mails – Searches computer for other files associated with e- mail
57 Using Specialized E-mail Forensics Tools (continued)
Using Specialized E-mail Forensics Tools (continued)
Using AccessData FTK to Recover E-mail • FTK – Can index data on a disk image or an entire drive for faster data retrieval – Filters and finds files specific to e-mail clients and servers • To recover e-mail from Outlook and Outlook Express – AccessData integrated dtSearch • dtSearch builds a b-tree index of all text data in a drive, an image file, or a group of files
60 Using AccessData FTK to Recover E-mail (continued)
Using AccessData FTK to Recover E-mail (continued)
Using AccessData FTK to Recover E-mail (continued)
Using a Hexadecimal Editor to Carve E-mail Messages • Very few vendors have products for analyzing e- mail in systems other than Microsoft • mbox format – Stores e-mails in flat plaintext files • Multipurpose Internet Mail Extensions (MIME) format – Used by vendor-unique e-mail file systems, such as Microsoft .pst or .ost • Example: carve e-mail messages from Evolution
65
Using a Hexadecimal Editor to Carve E-mail Messages (continued)
67 Using a Hexadecimal Editor to Carve E-mail Messages (continued)
Summary • E-mail fraudsters use phishing and spoofing scam techniques • Send and receive e-mail via Internet or a LAN – Both environments use client/server architecture • E-mail investigations are similar to other kinds of investigations • Access victim’s computer to recover evidence – Copy and print the e-mail message involved in the crime or policy violation • Find e-mail headers
Summary (continued) • Investigating e-mail abuse – Be familiar with e-mail servers and clients’ operations • Check – E-mail message files, headers, and server log files • Currently, only a few forensics tools can recover deleted Outlook and Outlook Express messages • For e-mail applications that use the mbox format, a hexadecimal editor can be used to carve messages manually
Summary (continued) • Advanced tools are available for recovering deleted Outlook files
QUESTIONS ? DOUBTS ?
THANK YOU

Recommended

E-mail Investigation
E-mail InvestigationE-mail Investigation
E-mail Investigation
edwardbel
 
E mail Investigation
E mail InvestigationE mail Investigation
E mail Investigation
Dr Raghu Khimani
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
primeteacher32
 
E mail forensics
E mail forensicsE mail forensics
E mail forensics
saddamhusain hadimani
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics Overview
Yansi Keim
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber Forensics
Kathirvel Ayyaswamy
 
Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu Khimani
Dr Raghu Khimani
 
computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software tools
N.Jagadish Kumar
 

Recommended

E-mail Investigation
E-mail InvestigationE-mail Investigation
E-mail Investigation
edwardbel
 
E mail Investigation
E mail InvestigationE mail Investigation
E mail Investigation
Dr Raghu Khimani
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
primeteacher32
 
E mail forensics
E mail forensicsE mail forensics
E mail forensics
saddamhusain hadimani
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics Overview
Yansi Keim
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber Forensics
Kathirvel Ayyaswamy
 
Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu Khimani
Dr Raghu Khimani
 
computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software tools
N.Jagadish Kumar
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensics
Gol D Roger
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools
Jyothishmathi Institute of Technology and Science Karimnagar
 
Network forensic
Network forensicNetwork forensic
Network forensic
Manjushree Mashal
 
Email Headers – Expert Forensic Analysis
Email Headers – Expert Forensic AnalysisEmail Headers – Expert Forensic Analysis
Email Headers – Expert Forensic Analysis
forensicEmailAnalysis
 
cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic toolsSonu Sunaliya
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenes
primeteacher32
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logs
anilinvns
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics
abdullah roomi
 
Forensics Analysis and Validation
Forensics Analysis and Validation Forensics Analysis and Validation
Forensics Analysis and Validation
Jyothishmathi Institute of Technology and Science Karimnagar
 
Tracking Emails
Tracking EmailsTracking Emails
Tracking Emails
prashant3535
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
Parsons Corporation
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital ForensicsNicholas Davis
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic Duplication
Sam Bowne
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptx
Ambuj Kumar
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensics
primeteacher32
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
primeteacher32
 
Cloud Forensics
Cloud ForensicsCloud Forensics
Cloud Forensicssdavis532
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - NotesKranthi
 
Incident response methodology
Incident response methodologyIncident response methodology
Incident response methodology
Piyush Jain
 
Browser forensics
Browser forensicsBrowser forensics
Browser forensics
Prince Boonlia
 
ch12.ppt which is very good forensics of email
ch12.ppt which is very good forensics of emailch12.ppt which is very good forensics of email
ch12.ppt which is very good forensics of email
gadisagemechu1
 
Ch 11 E-mail and Social Media Investigations.ppt
Ch 11 E-mail and Social Media Investigations.pptCh 11 E-mail and Social Media Investigations.ppt
Ch 11 E-mail and Social Media Investigations.ppt
whbwi21Basri
 

More Related Content

What's hot

Email Forensics
Email ForensicsEmail Forensics
Email Forensics
Gol D Roger
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools
Jyothishmathi Institute of Technology and Science Karimnagar
 
Network forensic
Network forensicNetwork forensic
Network forensic
Manjushree Mashal
 
Email Headers – Expert Forensic Analysis
Email Headers – Expert Forensic AnalysisEmail Headers – Expert Forensic Analysis
Email Headers – Expert Forensic Analysis
forensicEmailAnalysis
 
cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic toolsSonu Sunaliya
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenes
primeteacher32
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logs
anilinvns
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics
abdullah roomi
 
Forensics Analysis and Validation
Forensics Analysis and Validation Forensics Analysis and Validation
Forensics Analysis and Validation
Jyothishmathi Institute of Technology and Science Karimnagar
 
Tracking Emails
Tracking EmailsTracking Emails
Tracking Emails
prashant3535
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
Parsons Corporation
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic Duplication
Sam Bowne
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptx
Ambuj Kumar
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensics
primeteacher32
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
primeteacher32
 
Cloud Forensics
Cloud ForensicsCloud Forensics
Cloud Forensicssdavis532
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - NotesKranthi
 
Incident response methodology
Incident response methodologyIncident response methodology
Incident response methodology
Piyush Jain
 
Browser forensics
Browser forensicsBrowser forensics
Browser forensics
Prince Boonlia
 

What's hot (20)

Email Forensics
Email ForensicsEmail Forensics
Email Forensics
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools
 
Network forensic
Network forensicNetwork forensic
Network forensic
 
Email Headers – Expert Forensic Analysis
Email Headers – Expert Forensic AnalysisEmail Headers – Expert Forensic Analysis
Email Headers – Expert Forensic Analysis
 
cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic tools
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenes
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logs
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics
 
Forensics Analysis and Validation
Forensics Analysis and Validation Forensics Analysis and Validation
Forensics Analysis and Validation
 
Tracking Emails
Tracking EmailsTracking Emails
Tracking Emails
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic Duplication
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptx
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensics
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
Cloud Forensics
Cloud ForensicsCloud Forensics
Cloud Forensics
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes
 
Incident response methodology
Incident response methodologyIncident response methodology
Incident response methodology
 
Browser forensics
Browser forensicsBrowser forensics
Browser forensics
 

Similar to Email investigation

ch12.ppt which is very good forensics of email
ch12.ppt which is very good forensics of emailch12.ppt which is very good forensics of email
ch12.ppt which is very good forensics of email
gadisagemechu1
 
Ch 11 E-mail and Social Media Investigations.ppt
Ch 11 E-mail and Social Media Investigations.pptCh 11 E-mail and Social Media Investigations.ppt
Ch 11 E-mail and Social Media Investigations.ppt
whbwi21Basri
 
The Internet
The InternetThe Internet
The Internet
Amir Villas
 
Computer networks unit v
Computer networks unit vComputer networks unit v
Computer networks unit v
JAIGANESH SEKAR
 
Email as a datasource for applications
Email as a datasource for applicationsEmail as a datasource for applications
Email as a datasource for applications
Context.IO
 
Email transfer part 1
Email transfer part 1Email transfer part 1
Email transfer part 1myrajendra
 
Improving email reliability
Improving email reliabilityImproving email reliability
Improving email reliability
Antti Siiskonen
 
8.1.Phishing Analysis.ppt
8.1.Phishing Analysis.ppt8.1.Phishing Analysis.ppt
8.1.Phishing Analysis.ppt
RoheetBhatnagar3
 
Electronic mail
Electronic mailElectronic mail
Electronic mail
Ahmad Zahid
 
Email Capture at the Radical Archives of Philadelphia
Email Capture at the Radical Archives of PhiladelphiaEmail Capture at the Radical Archives of Philadelphia
Email Capture at the Radical Archives of Philadelphia
archivistsbeingawesome
 
Email Address Harvesting
Email Address HarvestingEmail Address Harvesting
Email Address Harvesting
Michael Lamont
 
INTERNT.ppt
INTERNT.pptINTERNT.ppt
INTERNT.ppt
AdilRehman54
 
Digital Literacy - Basic Technical Concepts (Session 1)
Digital Literacy - Basic Technical Concepts (Session 1)Digital Literacy - Basic Technical Concepts (Session 1)
Digital Literacy - Basic Technical Concepts (Session 1)
Bill Condo
 
Internet and Email 101 v1
Internet and Email 101 v1Internet and Email 101 v1
Internet and Email 101 v1Adam Ripsam
 
Application layer
Application layerApplication layer
Application layer
Mukesh Chinta
 
Automatically Retrieving and Loading Data into Siebel CTMS from Multiple CRO ...
Automatically Retrieving and Loading Data into Siebel CTMS from Multiple CRO ...Automatically Retrieving and Loading Data into Siebel CTMS from Multiple CRO ...
Automatically Retrieving and Loading Data into Siebel CTMS from Multiple CRO ...
Perficient, Inc.
 
First step to internet
First step to internet First step to internet
First step to internet
Disani Neranjala
 

Similar to Email investigation (20)

ch12.ppt which is very good forensics of email
ch12.ppt which is very good forensics of emailch12.ppt which is very good forensics of email
ch12.ppt which is very good forensics of email
 
Ch 11 E-mail and Social Media Investigations.ppt
Ch 11 E-mail and Social Media Investigations.pptCh 11 E-mail and Social Media Investigations.ppt
Ch 11 E-mail and Social Media Investigations.ppt
 
The Internet
The InternetThe Internet
The Internet
 
Internet
InternetInternet
Internet
 
Computer networks unit v
Computer networks unit vComputer networks unit v
Computer networks unit v
 
Email as a datasource for applications
Email as a datasource for applicationsEmail as a datasource for applications
Email as a datasource for applications
 
Email transfer part 1
Email transfer part 1Email transfer part 1
Email transfer part 1
 
Improving email reliability
Improving email reliabilityImproving email reliability
Improving email reliability
 
8.1.Phishing Analysis.ppt
8.1.Phishing Analysis.ppt8.1.Phishing Analysis.ppt
8.1.Phishing Analysis.ppt
 
Ch22 system administration
Ch22 system administration Ch22 system administration
Ch22 system administration
 
Electronic mail
Electronic mailElectronic mail
Electronic mail
 
Email Capture at the Radical Archives of Philadelphia
Email Capture at the Radical Archives of PhiladelphiaEmail Capture at the Radical Archives of Philadelphia
Email Capture at the Radical Archives of Philadelphia
 
Email Address Harvesting
Email Address HarvestingEmail Address Harvesting
Email Address Harvesting
 
Intro to email for seniors
Intro to email for seniorsIntro to email for seniors
Intro to email for seniors
 
INTERNT.ppt
INTERNT.pptINTERNT.ppt
INTERNT.ppt
 
Digital Literacy - Basic Technical Concepts (Session 1)
Digital Literacy - Basic Technical Concepts (Session 1)Digital Literacy - Basic Technical Concepts (Session 1)
Digital Literacy - Basic Technical Concepts (Session 1)
 
Internet and Email 101 v1
Internet and Email 101 v1Internet and Email 101 v1
Internet and Email 101 v1
 
Application layer
Application layerApplication layer
Application layer
 
Automatically Retrieving and Loading Data into Siebel CTMS from Multiple CRO ...
Automatically Retrieving and Loading Data into Siebel CTMS from Multiple CRO ...Automatically Retrieving and Loading Data into Siebel CTMS from Multiple CRO ...
Automatically Retrieving and Loading Data into Siebel CTMS from Multiple CRO ...
 
First step to internet
First step to internet First step to internet
First step to internet
 

More from Animesh Shaw

Factoid based natural language question generation system
Factoid based natural language question generation systemFactoid based natural language question generation system
Factoid based natural language question generation system
Animesh Shaw
 
WhatsApp Forensic
WhatsApp ForensicWhatsApp Forensic
WhatsApp Forensic
Animesh Shaw
 
Investigating server logs
Investigating server logsInvestigating server logs
Investigating server logs
Animesh Shaw
 
Flash drives
Flash drivesFlash drives
Flash drives
Animesh Shaw
 
Financial Crimes
Financial CrimesFinancial Crimes
Financial Crimes
Animesh Shaw
 
Cyber Crime
Cyber CrimeCyber Crime
Cyber Crime
Animesh Shaw
 
Cryptography & Steganography
Cryptography & SteganographyCryptography & Steganography
Cryptography & Steganography
Animesh Shaw
 

More from Animesh Shaw (7)

Factoid based natural language question generation system
Factoid based natural language question generation systemFactoid based natural language question generation system
Factoid based natural language question generation system
 
WhatsApp Forensic
WhatsApp ForensicWhatsApp Forensic
WhatsApp Forensic
 
Investigating server logs
Investigating server logsInvestigating server logs
Investigating server logs
 
Flash drives
Flash drivesFlash drives
Flash drives
 
Financial Crimes
Financial CrimesFinancial Crimes
Financial Crimes
 
Cyber Crime
Cyber CrimeCyber Crime
Cyber Crime
 
Cryptography & Steganography
Cryptography & SteganographyCryptography & Steganography
Cryptography & Steganography
 

Recently uploaded

Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptx
Jheel Barad
 
Digital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and ResearchDigital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and Research
Vikramjit Singh
 
The Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve ThomasonThe Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve Thomason
Steve Thomason
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
siemaillard
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdf
Thiyagu K
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
EugeneSaldivar
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345
beazzy04
 
GIÁO ÁN DẠY THÊM (KẾ HOẠCH BÀI BUỔI 2) - TIẾNG ANH 8 GLOBAL SUCCESS (2 CỘT) N...
GIÁO ÁN DẠY THÊM (KẾ HOẠCH BÀI BUỔI 2) - TIẾNG ANH 8 GLOBAL SUCCESS (2 CỘT) N...GIÁO ÁN DẠY THÊM (KẾ HOẠCH BÀI BUỔI 2) - TIẾNG ANH 8 GLOBAL SUCCESS (2 CỘT) N...
GIÁO ÁN DẠY THÊM (KẾ HOẠCH BÀI BUỔI 2) - TIẾNG ANH 8 GLOBAL SUCCESS (2 CỘT) N...
Nguyen Thanh Tu Collection
 
Basic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumersBasic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumers
PedroFerreira53928
 
Template Jadual Bertugas Kelas (Boleh Edit)
Template Jadual Bertugas Kelas (Boleh Edit)Template Jadual Bertugas Kelas (Boleh Edit)
Template Jadual Bertugas Kelas (Boleh Edit)
rosedainty
 
The Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdfThe Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdf
kaushalkr1407
 
Fish and Chips - have they had their chips
Fish and Chips - have they had their chipsFish and Chips - have they had their chips
Fish and Chips - have they had their chips
GeoBlogs
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
TechSoup
 
Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
Mohd Adib Abd Muin, Senior Lecturer at Universiti Utara Malaysia
 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
Sandy Millin
 
PART A. Introduction to Costumer Service
PART A. Introduction to Costumer ServicePART A. Introduction to Costumer Service
PART A. Introduction to Costumer Service
PedroFerreira53928
 
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCECLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
BhavyaRajput3
 
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptxMARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
bennyroshan06
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
Jisc
 
Model Attribute Check Company Auto Property
Model Attribute Check Company Auto PropertyModel Attribute Check Company Auto Property
Model Attribute Check Company Auto Property
Celine George
 

Recently uploaded (20)

Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptx
 
Digital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and ResearchDigital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and Research
 
The Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve ThomasonThe Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve Thomason
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdf
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345
 
GIÁO ÁN DẠY THÊM (KẾ HOẠCH BÀI BUỔI 2) - TIẾNG ANH 8 GLOBAL SUCCESS (2 CỘT) N...
GIÁO ÁN DẠY THÊM (KẾ HOẠCH BÀI BUỔI 2) - TIẾNG ANH 8 GLOBAL SUCCESS (2 CỘT) N...GIÁO ÁN DẠY THÊM (KẾ HOẠCH BÀI BUỔI 2) - TIẾNG ANH 8 GLOBAL SUCCESS (2 CỘT) N...
GIÁO ÁN DẠY THÊM (KẾ HOẠCH BÀI BUỔI 2) - TIẾNG ANH 8 GLOBAL SUCCESS (2 CỘT) N...
 
Basic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumersBasic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumers
 
Template Jadual Bertugas Kelas (Boleh Edit)
Template Jadual Bertugas Kelas (Boleh Edit)Template Jadual Bertugas Kelas (Boleh Edit)
Template Jadual Bertugas Kelas (Boleh Edit)
 
The Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdfThe Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdf
 
Fish and Chips - have they had their chips
Fish and Chips - have they had their chipsFish and Chips - have they had their chips
Fish and Chips - have they had their chips
 
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfWelcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf
 
Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
 
PART A. Introduction to Costumer Service
PART A. Introduction to Costumer ServicePART A. Introduction to Costumer Service
PART A. Introduction to Costumer Service
 
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCECLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
 
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptxMARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
 
Model Attribute Check Company Auto Property
Model Attribute Check Company Auto PropertyModel Attribute Check Company Auto Property
Model Attribute Check Company Auto Property
 

Email investigation

  • 1. Email Investigation Presented By Animesh Shaw (Psycho_Coder) Digital Evidence Analyst Trainee
  • 2. Discussion Objectives • Working Process of Email • Explain the role of e-mail in investigations • Describe client and server roles in e-mail • Describe tasks in investigating e-mail crimes and violations • Explain the use of e-mail server logs • Describe some available e-mail computer forensics tools
  • 4. HOW EMAIL WORKS 1. Stand- alone 2. Web based To send and receive emails, we need an email client. There are primarily two types of email clients:
  • 5. A client has 4 things : • 1) Messages in mailbox. • 2) Contents can be seen by selecting the header. • 3) Messages can be created and sent. • 4) Attachments can be added. HOW EMAIL WORKS
  • 7. HOW EMAIL WORKS PROCEDURE OF EMAIL TRANSMISSION
  • 9. Exploring the Role of E-mail in Investigations • With the increase in e-mail scams and fraud attempts with phishing or spoofing – Investigators need to know how to examine and interpret the unique content of e-mail messages • Phishing e-mails are in HTML format – Which allows creating links to text on a Web page • One of the most noteworthy e-mail scams was 419, or the Nigerian Scam • Spoofing e-mail can be used to commit fraud
  • 10. Exploring the Roles of the Client and Server in E-mail • Send and receive e-mail in two environments – Internet – Controlled LAN, MAN, or WAN • Client/server architecture – Server OS and e-mail software differs from those on the client side • Protected accounts – Require usernames and passwords
  • 11. Exploring the Roles of the Client and Server in E-mail (continued)
  • 12. 12 Exploring the Roles of the Client and Server in E-mail (continued) • Name conventions – Corporate: john.smith@somecompany.com – Public: whatever@hotmail.com – Everything after @ belongs to the domain name • Tracing corporate e-mails is easier – Because accounts use standard names the administrator establishes
  • 13. Investigating E-mail Crimes and Violations • Similar to other types of investigations • Goals – Find who is behind the crime – Collect the evidence – Present your findings – Build a case
  • 14. Investigating E-mail Crimes and Violations (continued) • Depend on the city, state, or country – Example: spam – Always consult with an attorney • Becoming commonplace • Examples of crimes involving e-mails – Narcotics trafficking – Extortion – Sexual harassment – Child abductions and pornography
  • 15. Examining E-mail Messages • Access victim’s computer to recover the evidence • Using the victim’s e-mail client – Find and copy evidence in the e-mail – Access protected or encrypted material – Print e-mails • Guide victim on the phone – Open and copy e-mail including headers • Sometimes you will deal with deleted e-mails
  • 16. Examining E-mail Messages (continued) • Copying an e-mail message – Before you start an e-mail investigation • You need to copy and print the e-mail involved in the crime or policy violation – You might also want to forward the message as an attachment to another e-mail address • With many GUI e-mail programs, you can copy an e-mail by dragging it to a storage medium – Or by saving it in a different location
  • 18. Viewing E-mail Headers • Learn how to find e-mail headers – GUI clients – Command-line clients – Web-based clients • After you open e-mail headers, copy and paste them into a text document – So that you can read them with a text editor • Headers contain useful information – Unique identifying numbers, IP address of sending server, and sending time
  • 19. Viewing E-mail Headers (continued) • Yahoo (Client) – Click Mail Options – Click General Preferences and Show All headers on incoming messages – Copy and paste headers
  • 22. Viewing E-mail Headers (continued) • Outlook – Open the Message Options dialog box – Copy headers – Paste them to any text editor • Outlook Express – Open the message Properties dialog box – Select Message Source – Copy and paste the headers to any text editor
  • 23. Viewing E-mail Headers (continued)
  • 24. Viewing E-mail Headers (continued)
  • 25.
  • 26. Viewing E-mail Headers (continued) • Novell Evolution – Click View, All Message Headers – Copy and paste the e-mail header • Pine and ELM – Check enable-full-headers • AOL headers – Click Action, View Message Source – Copy and paste headers
  • 27. Viewing E-mail Headers (continued)
  • 28. Viewing E-mail Headers (continued)
  • 29. Viewing E-mail Headers (continued)
  • 30. Viewing E-mail Headers (continued)
  • 31. Viewing E-mail Headers (continued) • Hotmail – Click Options, and then click the Mail Display Settings – Click the Advanced option button under Message Headers – Copy and paste headers • Apple Mail – Click View from the menu, point to Message, and then click Long Header – Copy and paste headers
  • 32. Viewing E-mail Headers (continued)
  • 33. Viewing E-mail Headers (continued)
  • 34. Examining E-mail Headers • Gather supporting evidence and track suspect – Return path – Recipient’s e-mail address – Type of sending e-mail service – IP address of sending server – Name of the e-mail server – Unique message number – Date and time e-mail was sent – Attachment files information
  • 36. 36 Examining Additional E-mail Files • E-mail messages are saved on the client side or left at the server • Microsoft Outlook uses .pst and .ost files • Most e-mail programs also include an electronic address book • In Web-based e-mail – Messages are displayed and saved as Web pages in the browser’s cache folders – Many Web-based e-mail providers also offer instant messaging (IM) services
  • 37. Validating Email Address • We can use an online Tool Email Dossier to get details about the validity of an email address. 37
  • 38. Tracing an E-mail Message • Contact the administrator responsible for the sending server • Finding domain name’s point of contact – www.arin.net – www.internic.com – www.freeality.com – www.google.com • Find suspect’s contact information • Verify your findings by checking network e-mail logs against e-mail addresses
  • 39. Online Email Tracer • We can use Online Email Tracer to make our work easier. Such a tool can be found here http://www.cyberforensics.in/OnlineEmailTracer/index.aspx Demo Trace : 39
  • 40. Using Network E-mail Logs • Router logs – Record all incoming and outgoing traffic – Have rules to allow or disallow traffic – You can resolve the path a transmitted e-mail has taken • Firewall logs – Filter e-mail traffic – Verify whether the e-mail passed through • You can use any text editor or specialized tools
  • 41. Using Network E-mail Logs (continued)
  • 42. Understanding E-mail Servers • Computer loaded with software that uses e-mail protocols for its services – And maintains logs you can examine and use in your investigation • E-mail storage – Database – Flat file • Logs – Default or manual – Continuous and circular
  • 43. Understanding E-mail Servers (continued) • Log information – E-mail content – Sending IP address – Receiving and reading date and time – System-specific information • Contact suspect’s network e-mail administrator as soon as possible • Servers can recover deleted e-mails – Similar to deletion of files on a hard drive
  • 45. 45 Examining UNIX E-mail Server Logs • /etc/sendmail.cf – Configuration information for Sendmail • /etc/syslog.conf – Specifies how and which events Sendmail logs • /var/log/maillog – SMTP and POP3 communications • IP address and time stamp • Check UNIX man pages for more information
  • 46. 46 Examining UNIX E-mail Server Logs (continued)
  • 47. 47 Examining UNIX E-mail Server Logs (continued)
  • 48. 48 Examining Microsoft E-mail Server Logs • Microsoft Exchange Server (Exchange) – Uses a database – Based on Microsoft Extensible Storage Engine • Information Store files – Database files *.edb • Responsible for MAPI information – Database files *.stm • Responsible for non-MAPI information
  • 49. 49 Examining Microsoft E-mail Server Logs (continued) • Transaction logs – Keep track of e-mail databases • Checkpoints – Keep track of transaction logs • Temporary files • E-mail communication logs – res#.log • Tracking.log – Tracks messages
  • 50. 50 Examining Microsoft E-mail Server Logs (continued)
  • 51. Examining Microsoft E-mail Server Logs (continued) • Troubleshooting or diagnostic log – Logs events – Use Windows Event Viewer – Open the Event Properties dialog box for more details about an event
  • 52. Examining Microsoft E-mail Server Logs (continued)
  • 53. Examining Microsoft E-mail Server Logs (continued)
  • 54. Using Specialized E-mail Forensics Tools • Tools include: – AccessData’s Forensic Toolkit (FTK) – ProDiscover Basic – FINALeMAIL – Sawmill-GroupWise – DBXtract – Fookes Aid4Mail and MailBag Assistant – Paraben E-Mail Examiner – Ontrack Easy Recovery EmailRepair – R-Tools R-Mail
  • 55. 55 Using Specialized E-mail Forensics Tools (continued) • Tools allow you to find: – E-mail database files – Personal e-mail files – Offline storage files – Log files • Advantage – Do not need to know how e-mail servers and clients work
  • 56. Using Specialized E-mail Forensics Tools (continued) • FINALeMAIL – Scans e-mail database files – Recovers deleted e-mails – Searches computer for other files associated with e- mail
  • 57. 57 Using Specialized E-mail Forensics Tools (continued)
  • 58. Using Specialized E-mail Forensics Tools (continued)
  • 59. Using AccessData FTK to Recover E-mail • FTK – Can index data on a disk image or an entire drive for faster data retrieval – Filters and finds files specific to e-mail clients and servers • To recover e-mail from Outlook and Outlook Express – AccessData integrated dtSearch • dtSearch builds a b-tree index of all text data in a drive, an image file, or a group of files
  • 60. 60 Using AccessData FTK to Recover E-mail (continued)
  • 61. Using AccessData FTK to Recover E-mail (continued)
  • 62. Using AccessData FTK to Recover E-mail (continued)
  • 63. Using a Hexadecimal Editor to Carve E-mail Messages • Very few vendors have products for analyzing e- mail in systems other than Microsoft • mbox format – Stores e-mails in flat plaintext files • Multipurpose Internet Mail Extensions (MIME) format – Used by vendor-unique e-mail file systems, such as Microsoft .pst or .ost • Example: carve e-mail messages from Evolution
  • 64.
  • 65. 65
  • 66. Using a Hexadecimal Editor to Carve E-mail Messages (continued)
  • 67. 67 Using a Hexadecimal Editor to Carve E-mail Messages (continued)
  • 68. Summary • E-mail fraudsters use phishing and spoofing scam techniques • Send and receive e-mail via Internet or a LAN – Both environments use client/server architecture • E-mail investigations are similar to other kinds of investigations • Access victim’s computer to recover evidence – Copy and print the e-mail message involved in the crime or policy violation • Find e-mail headers
  • 69. Summary (continued) • Investigating e-mail abuse – Be familiar with e-mail servers and clients’ operations • Check – E-mail message files, headers, and server log files • Currently, only a few forensics tools can recover deleted Outlook and Outlook Express messages • For e-mail applications that use the mbox format, a hexadecimal editor can be used to carve messages manually
  • 70. Summary (continued) • Advanced tools are available for recovering deleted Outlook files