Email Forensics
E-mail is one of the most common and important internet applications. It is used to send messages, documents and transaction records across the internet. Because billions of users rely on email to communicate and share files, criminals use the same tool for their own ends. Forensic examiners therefore need to understand how the email system works, the protocols involved and its weak points, in order to extract evidence that will hold up for prosecutors. The email system consists of hardware and software components that work together to carry a message from one end to the other (Paglierani, Mabey & Ahn, 2013).
The Email Structure
The system is set up so that only the sending and receiving mail servers need to be connected to the internet at the same time for delivery to succeed. The end users, especially the recipient, can connect whenever they choose and read the mail that the provider's server has stored for them. The sender composes the message on a personal computer or smartphone and enters the recipient's address. The sending server then looks up the recipient's domain in the Domain Name System, which returns the mail exchanger (MX) records naming the servers that accept mail for that domain (Chhabra & Bajwa, 2015). The sending server opens a connection to the receiving server using the Simple Mail Transfer Protocol and transfers the message. The receiving server stores the message in the recipient's mailbox, from which the recipient downloads it (typically over POP3 or IMAP) when they next log in.
Common threats in Email Communication
Email is the primary mode of formal communication in the 21st century. Alongside the advantages it brings, such as near-instant delivery, global reach and easy worldwide document sharing, it carries a number of vulnerabilities. These arise from the ease with which an email can be forged, and from the fact that it travels across an untrusted medium, the internet, where it can be intercepted. As a result, email has been abused to aid crime, including the sending of threatening messages.
A number of crimes are committed through email, including phishing, espionage and fraud. In phishing, a user is lured into clicking a link that leads to a replica of a legitimate site. Having followed the link, the user hands credentials or card and bank details to the attacker, who then uses them against the victim.
Spoofing is the sending of an email whose headers have been altered so that its true origin is hard to establish from the information the recipient can see. The forged email is then used to solicit sensitive information from an unsuspecting user. Spoofing also facilitates spamming, the flooding of a mailbox with large numbers of unsolicited messages, which crowds out legitimate mail and degrades the service. By hiding the sender's identity and making messages look legitimate, spoofing helps spam get through (Haggerty et al., 2011).
Header Investigation
Email headers are a rich source of information that can help an examiner reconstruct what happened. They hold details about the sender, the recipient and the path the message followed (Chhabra & Bajwa, 2015), although some of this information can be altered by the sender. The headers include the email addresses of the sender and receiver and the IP addresses of the hosts involved at each hop of the communication link (Haggerty, Karran, Lamb & Taylor, 2011).
The key piece of information in the header is the originating host and its IP address. Headers are plain text and can be viewed in any editor, from Notepad upwards. The originating address can be extracted from the header of the received email or from the firewall log (Guo, Jin & Qian, 2013). A number of online lookup services help trace an IP address; common ones are the regional registry lookup at www.arin.net and the WHOIS service at www.whois.net. These return the organisation to which the address block is allocated and its contact details, and geolocation databases add an approximate location; they do not reveal the sending machine or its operating system. Router and firewall logs can be used to track the flow of traffic to and from mail servers.
In Microsoft Outlook, emails are typically stored in .pst and .ost files. Multipurpose Internet Mail Extensions (MIME) is the standard format for message bodies; it specifies how non-text content such as graphics, audio and video is encoded so that it can be carried as text across the internet. The Simple Mail Transfer Protocol is the primary standard defining how emails are transmitted between servers. SMTP was extended with the Extended SMTP (ESMTP) service extensions, and its current specification, RFC 5321, was published in 2008. Each message also carries a Message-ID header, a globally unique identifier assigned when the message is created, which can be used to match a particular email across mailboxes and server logs (Haggerty et al., 2011).
The header records the MIME version used to format the email. It does not, however, include the addresses of recipients who were blind-copied (Bcc), nor the message body itself. Email servers can also be examined for useful data about the communication: they keep log files recording events and who triggered them (Guo et al., 2013). If a server's logs lack usable date information in their timestamps, the logs can be re-established by restoring the server from available backups. Email is accessed in a client/server fashion: the end user is a client requesting services that the provider's server fulfils. An examiner does not need to understand the server's internal operation to analyse the evidence in an email, but server data is what corroborates what the message itself claims.
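As an added worked example, not code from the original page or from any of the cited sources, the following Python script does on a constructed sample message what this section describes: it walks the Received chain in delivery order to find the originating IP, checks that hop timestamps advance (a hop stamped earlier than the one before it points to clock skew or a forged header), compares the displayed From domain with the envelope Return-Path, records the Message-ID for later matching against server logs, and inventories MIME attachments with SHA-256 hashes. The sample message, its hostnames, IP addresses (from the RFC 5737 documentation ranges) and the tiny attachment are all constructed for the example.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parsedate_to_datetime, parseaddr

# Constructed sample message (example data, not real evidence). The middle hop's
# timestamp is deliberately later than the final hop's to show what an anomaly looks like.
SAMPLE_RAW = b"""Return-Path: <bounce@mailer.example.net>
Received: from mx1.corp.example (mx1.corp.example [192.0.2.10])
\tby mail.corp.example with ESMTP id abc123
\tfor <victim@corp.example>; Mon, 02 Mar 2015 10:05:12 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx1.corp.example with ESMTP id r17
\tfor <victim@corp.example>; Mon, 02 Mar 2015 10:06:40 +0000
Received: from [203.0.113.44] (unknown [203.0.113.44])
\tby relay.example.net with SMTP id q55
\tfor <victim@corp.example>; Mon, 02 Mar 2015 10:04:01 +0000
From: "Bank Support" <support@bank.example>
To: victim@corp.example
Subject: Verify your account
Date: Mon, 02 Mar 2015 10:03:50 +0000
Message-ID: <20150302100350.q55@relay.example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

Please open the attached form.
--B1
Content-Type: application/octet-stream; name="form.exe"
Content-Disposition: attachment; filename="form.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAA=
--B1--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # first bracketed IPv4 literal
BY_RE = re.compile(r"\bby\s+(\S+)")                     # host that added the header


def received_chain(msg):
    """Return Received hops oldest first: relays prepend, so the bottom header is hop 1."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", str(raw)).strip()     # unfold the header
        ip, by = IP_RE.search(text), BY_RE.search(text)
        ts_text = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        try:
            when = parsedate_to_datetime(ts_text) if ts_text else None
        except (TypeError, ValueError):
            when = None
        hops.append({"from_ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None, "time": when, "raw": text})
    return hops


def timestamp_anomalies(hops):
    """Flag a hop whose timestamp precedes the previous hop's: clock skew or a forged line."""
    findings = []
    for prev, cur in zip(hops, hops[1:]):
        if prev["time"] and cur["time"] and cur["time"] < prev["time"]:
            delta = (prev["time"] - cur["time"]).total_seconds()
            findings.append(f"{cur['by']} stamped {delta:.0f}s before {prev['by']}")
    return findings


def sender_mismatch(msg):
    """Compare the displayed From domain with the envelope sender (Return-Path) domain."""
    from_addr = parseaddr(str(msg["From"]))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    return {"from": from_addr, "return_path": return_path,
            "mismatch": from_addr.rpartition("@")[2].lower()
                        != return_path.rpartition("@")[2].lower()}


def attachments(msg):
    """Inventory every leaf part that carries a filename, hashed for later lookup."""
    out = []
    for part in msg.walk():
        if part.is_multipart() or not part.get_filename():
            continue
        data = part.get_payload(decode=True) or b""
        out.append({"filename": part.get_filename(), "content_type": part.get_content_type(),
                    "size": len(data), "sha256": hashlib.sha256(data).hexdigest()})
    return out


def analyze(raw):
    """Run all checks over one raw RFC 5322 message and return a findings dict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = received_chain(msg)
    return {"message_id": str(msg["Message-ID"]),
            "origin_ip": hops[0]["from_ip"] if hops else None,
            "hops": hops, "timestamp_anomalies": timestamp_anomalies(hops),
            "sender": sender_mismatch(msg), "attachments": attachments(msg)}


if __name__ == "__main__":
    report = analyze(SAMPLE_RAW)
    for key in ("message_id", "origin_ip", "timestamp_anomalies", "sender", "attachments"):
        print(f"{key}: {report[key]}")
```

Only the Received lines added by servers you control (here the top two) can be trusted; everything below the first hop your own infrastructure stamped, including the "origin" IP, could have been written by the sender. The Message-ID and the trusted hop's queue identifier are the values to carry into the server and network log checks described in the next section.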
Network and Server Investigation
Investigation of emails does not end with the messages and their headers, because most of the details at that level can be altered. It is considerably harder for criminals to alter data held on servers and network devices (Meghanathan, Allam & Moore, 2010). As a result, both hold critical data for establishing the facts of a case. A further advantage is that servers and network devices fall under the control of system and network administrators, so unless those administrators are complicit, the records should be unaltered.
A mail server stores emails and its own time-stamped logs. If an analyst cannot access an email crucial to the investigation, it can be requested from the system administrator, who has privileged access to the mail store. Many ISP and provider servers retain copies of emails after delivering them to the recipients' devices (Tariq Banday, 2011). Logs stored by the servers can be analysed to identify the device from which a threatening email originated. The downside of this method is that servers usually retain these details for only a short period. SMTP servers hold the account details of each mailbox owner, which can be used to establish the identity behind an email address. Where retention or backup copies exist, the server may still hold a message after the user has deleted it from their mailbox, allowing deleted emails to be recovered.
Network devices such as routers, firewalls and switches log their activity. These logs, obtained through the network administrator, can provide the information an investigator needs. Timestamps recorded by network devices can be reconciled with those in the mail headers, which is particularly useful when a header has been altered. Obtaining network device logs is usually cumbersome and is normally a last resort when ISP log files cannot be obtained (Tariq Banday, 2011).
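As an added example, not from the original page, the following Python script reconciles what a message header claims with what the mail server actually logged, using constructed Postfix-style log lines: it locates the queue ID that the server's cleanup stage logged for the message's Message-ID, collects the client IP, envelope sender, recipient and delivery status recorded under that queue ID, and flags disagreements with the origin IP and timestamp taken from the header. The log lines, hostnames, queue IDs and IP addresses are constructed; the year (syslog lines carry none) and the UTC time zone of the server clock are assumptions.

```python
import re
from datetime import datetime, timezone

# Assumptions: syslog lines carry no year, so one is supplied; the server clock is UTC.
LOG_YEAR = 2015

# Constructed Postfix-style log excerpt (example data, not a real server log).
SAMPLE_LOG = """\
Mar  2 10:03:58 relay postfix/smtpd[1201]: 7F3A1: client=unknown[203.0.113.44]
Mar  2 10:03:59 relay postfix/cleanup[1207]: 7F3A1: message-id=<20150302100350.q55@relay.example.net>
Mar  2 10:03:59 relay postfix/qmgr[1100]: 7F3A1: from=<bounce@mailer.example.net>, size=1842, nrcpt=1 (queue active)
Mar  2 10:04:03 relay postfix/smtp[1210]: 7F3A1: to=<victim@corp.example>, relay=mx1.corp.example[192.0.2.10]:25, delay=4, status=sent (250 2.0.0 Ok: queued as r17)
Mar  2 10:04:03 relay postfix/qmgr[1100]: 7F3A1: removed
Mar  2 10:05:10 relay postfix/smtpd[1201]: 8C002: client=mail.partner.example[198.51.100.9]
Mar  2 10:05:10 relay postfix/cleanup[1207]: 8C002: message-id=<other@partner.example>
"""

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
KV_RE = re.compile(r"([\w-]+)=(<[^>]*>|[^,\s]+)")          # key=<value> or key=value
CLIENT_RE = re.compile(r"client=(?P<name>[^\[\s]+)\[(?P<ip>[\d.]+)\]")


def utc_time(iso_text):
    """Helper for callers: '2015-03-02T10:04:01' -> aware UTC datetime."""
    return datetime.fromisoformat(iso_text).replace(tzinfo=timezone.utc)


def parse_line(line):
    """Split one syslog/Postfix line into timestamp, queue ID and key=value fields."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                             "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    fields = dict(KV_RE.findall(m["rest"]))
    client = CLIENT_RE.search(m["rest"])
    if client:
        fields["client_name"], fields["client_ip"] = client["name"], client["ip"]
    return {"time": when, "host": m["host"], "prog": m["prog"], "qid": m["qid"], "fields": fields}


def reconstruct(log_text, message_id):
    """Find the queue ID logged for message_id, then merge every line for that queue ID."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    qids = {e["qid"] for e in entries if e["fields"].get("message-id") == message_id}
    if not qids:
        return None
    qid = qids.pop()
    rec = {"queue_id": qid, "recipients": [], "first_seen": None, "last_seen": None}
    for e in entries:
        if e["qid"] != qid:
            continue
        rec["first_seen"] = rec["first_seen"] or e["time"]
        rec["last_seen"] = e["time"]
        for key in ("client_ip", "client_name", "from", "relay", "status"):
            if key in e["fields"]:
                rec[key] = e["fields"][key].strip("<>")
        if "to" in e["fields"]:
            rec["recipients"].append(e["fields"]["to"].strip("<>"))
    return rec


def compare_with_header(rec, claimed_ip, claimed_time, tolerance_s=300):
    """Flag disagreements between what the header claims and what the server logged."""
    findings = []
    if rec.get("client_ip") != claimed_ip:
        findings.append(f"origin IP: header says {claimed_ip}, log says {rec.get('client_ip')}")
    skew = abs((claimed_time - rec["first_seen"]).total_seconds())
    if skew > tolerance_s:
        findings.append(f"timestamp: header and log differ by {skew:.0f}s")
    return findings


if __name__ == "__main__":
    record = reconstruct(SAMPLE_LOG, "<20150302100350.q55@relay.example.net>")
    print(record)
    print(compare_with_header(record, "203.0.113.44", utc_time("2015-03-02T10:04:01")))
```

The queue ID is the pivot: Postfix logs the Message-ID and the connecting client under the same queue ID but on different lines, so a single grep for either value misses half the picture. The same approach applies to firewall or router logs, where the pivot is instead the client IP and the SMTP connection time within the tolerance window.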
E-mail Forensics Tools
Email systems are based on client/server technology: a message is sent from the client to a central server, which forwards it to its destination. Many tools are available to aid email forensics, varying in user-friendliness, capabilities and output. Some run in a web browser, some produce automatically generated reports, and others help identify the source and recipient of a message. Some trace the path a message followed, while others warn users of spam and phishing sites (Devebdran, Shahriar & Clincy, 2015). The tools are listed and described below.
MailXaminer is a tool for the analysis of email messages. It can examine both web-based email and mail from desktop email applications. MailXaminer begins by loading the emails selected by the user into its own storage, where the messages and their contents can be examined easily. The messages are then arranged hierarchically to simplify evidence analysis. The tool is designed for ease of use, so it can be operated even by first-time users with little experience in digital forensics (Devebdran et al., 2015).
EMailTrackerPro – This tool can provide the geographic location and network provider of a sender. It keeps a record of known spam sources, which it compares against incoming mail to shield the user from malicious email, cross-checking received messages against DNS blacklists. Besides English, it supports Japanese, Russian and Chinese spam filters.
AccessData FTK – This tool is used for email analysis. It supports Outlook, Outlook Express, AOL, Netscape, Yahoo, EarthLink, Hotmail and MSN mail formats. From experience in the lab exercises for this course, the tool can recover deleted emails. It can search, print and export email messages and attachments, and it generates reports that help investigators with the case (Meghanathan et al., 2010).
EmailTrace – This tool helps identify the IP addresses of an email's sender and receiver. It is accessed at https://www.ip-adress.com/trace-email-address. The user pastes the message header into the window provided; the tool then parses it and extracts the sender details. It is user-friendly and requires no familiarisation to obtain results (Devebdran et al., 2015).
DBXtract – This stand-alone tool is designed to extract emails from an Outlook Express database that has become corrupted. It converts each extracted email into a single file in .eml format. Outlook Express stores its mail in database files known as DBX (Charalambou, Bratskas, Karkas & Anastasiades, 2016). In many investigations these files are found corrupted, for a variety of reasons, leaving the emails inaccessible. DBXtract lets the examiner extract the emails and read them individually.
FINALeMail scans email database files and recovers deleted emails. It also searches the computer for any other files associated with email. Examiners often face cases in which the relevant emails have been deleted; a tool of this kind could have been used by the CIA and FBI in the widely reported Hillary Clinton email investigation (Charalambou et al., 2016).
Email has grown into one of the most used and vital internet applications for communication. Our heavy reliance on it means criminals can target and exploit its vulnerabilities to our disadvantage. Hence the absolute need for email forensics to analyse and extract relevant evidence from both the structured and the unstructured parts of an email to help investigators unravel a crime. A number of forensic tools assist in collecting evidence and even in revealing the identities of the criminals behind the emails. Analysis of email headers, server logs and network device logs provides the information needed for evidence collection. The tools are effective but not sufficient on their own; it is therefore imperative to adopt proactive measures that make our systems ready for attack.
