Email Forensic


E-mail Forensics www.paraben.com

E-mail Forensics: Breaking Archives




What is a local storage archive? A local storage archive is any mail archive whose format is independent of a mail server: the client keeps the messages in its own files on the local machine. Examples of these types of archives include .PST, .MBX, .DBX, etc.



Basic Rules & Expectations for Local Archives
1. Search for the appropriate mail archives and associated data storage.



Program Storage Specifics (diagram)

An index or table of contents points to one or more mailboxes, and each mailbox holds the mail messages.

Status values stored:
• Main Status
• Unread
• Read
• Forwarded
• Redirected
• Flagged
• Deleted


Common Local Storage Archives

The Bat!                       Index: *.tbi    Messages: *.tbb
FoxMail                        Index: *.ind (E-mail Examiner doesn't use this index file)    Messages: *.box
The Bat! < v1.42               Index: *.tbx    Messages: *.msb
Outlook Express v5/6           Index+Messages: *.dbx or *.MailDB
Forte Agent                    Index: *.idx    Messages: *.dat
MS Outlook                     Index+Messages: *.pst (by default messages are stored in encrypted format)
Pegasus                        Index: *.pmi    Messages: *.pmm
Outlook Express v4.x           Index: *.idx    Messages: *.mbx
Eudora                         Index: *.toc    Messages: *.mbx
Poco                           Index: *.idx    Messages: *.mbx
Netscape v6.x and 7.x, Mozilla Index: *.msf    Messages: *. (no extension)
Netscape < v6.x                Index: *.snm (E-mail Examiner doesn't use this index file)    Messages: *. (no extension)


Email Reference Cards



Basic Rules & Expectations for Local Archives
1. Search for the appropriate mail archives and associated data storage.
2. Process all items with their complete structure (header, body, attachment) to compute verification through a hash value.



E-mail Headers Typically Contain:
• Sender e-mail address
• Receiver e-mail address
• Subject
• Time of creation
• Delivery stamps
• Message author
• CC (carbon copy)
• BCC



E-mail Headers: Text Attachments

    MIME-Version: 1.0
    From: Cpt Picard <cptpicard@paraben.com>
    To: Beverly Crusher <docbev@hotmail.com>
    Subject: Pain in my neck
    Content-Type: multipart/mixed; boundary=boundarystring

    --boundarystring
    Content-Type: text/plain

    I seem to have this reoccurring pain in my neck. Please see attachment for more details.

    Regards,
    Jean Luc
    --boundarystring
    Content-Type: text/plain
    Content-Disposition: attachment; filename="neck.txt"

    It aches in the morning when I wake up for about 20 minutes and also whenever Worf is around.
    --boundarystring--



E-mail Headers: Binary Attachments

    MIME-Version: 1.0
    From: Cpt Picard <cptpicard@paraben.com>
    To: Beverly Crusher <docbev@hotmail.com>
    Subject: Pictures of my neck in zip file
    Content-Type: multipart/mixed; boundary=boundarystring

    --boundarystring
    Content-Type: text/plain

    Attached is the file neck.zip, which has been base64 encoded.
    --boundarystring
    Content-Type: application/octet-stream; name="neck.zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="neck.zip"

    H52QLID6AJFBALJHLIHKOLNS80JOPSNLJKNLFDLSHFLSHDLFSHLKDNC8
    09SAOIHN3OFNSA80HLDBJSUF93HFSLBNCOISAY890EY0AHFLNC739HFO
    EBOASHOFHSODIY8930
    OAIHOFIDHF8920DFNSOFNDOSGU03UQAFLASNFDLIU03WQJFOSIFH03I9
    AHFDALHFNB=
    --boundarystring--



Basic Rules & Expectations for Local Archives
1. Search for the appropriate mail archives and associated data storage.
2. Process all items with their complete structure (header, body, attachment) to compute verification through a hash value.
3. Watch for virus issues.
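Steps 2 and 3 applied to the slides' own "Pictures of my neck" message, as an added Python example (not Paraben's or E-mail Examiner's code): the header block, the body text and each decoded attachment are hashed separately, and attachments are flagged for a malware scan by extension, by content type, and by a mismatch between the filename extension and the file's leading bytes. SAMPLE is constructed (with a real, empty zip as the base64 payload), and RISKY_EXTENSIONS and MAGIC are assumed lists; the same code handles the text-attachment message on the earlier slide.

```python
# Added example (not Paraben's code): process a message as the "Basic Rules" slide
# lists it, hashing header, body and each attachment separately and flagging those
# needing a virus check. SAMPLE is constructed after the slides' zip example.
import hashlib
from email import message_from_bytes, policy

SAMPLE = b"""MIME-Version: 1.0
From: Cpt Picard <cptpicard@paraben.com>
To: Beverly Crusher <docbev@hotmail.com>
Subject: Pictures of my neck in zip file
Content-Type: multipart/mixed; boundary=boundarystring

--boundarystring
Content-Type: text/plain

Attached is the file neck.zip, which has been base64 encoded.
--boundarystring
Content-Type: application/octet-stream; name="neck.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="neck.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--boundarystring--
"""
# Assumed: extensions to send to a malware scanner, and the leading bytes a file
# with that extension should start with (a mismatch is itself suspicious).
RISKY_EXTENSIONS = {".exe", ".scr", ".vbs", ".js", ".zip", ".docm", ".xlsm"}
MAGIC = {".zip": b"PK", ".exe": b"MZ", ".pdf": b"%PDF"}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def process_message(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    header_bytes = raw.split(b"\n\n", 1)[0]  # header block exactly as received
    body = msg.get_body(preferencelist=("plain",))  # skips attachment parts
    body_text = body.get_content() if body else ""
    report = {"from": str(msg["From"]), "subject": str(msg["Subject"]),
              "header_sha256": sha256_hex(header_bytes), "body_text": body_text,
              "body_sha256": sha256_hex(body_text.encode()), "attachments": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # reverses base64 / quoted-printable
        name, ctype = part.get_filename() or "", part.get_content_type()
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        report["attachments"].append({
            "filename": name, "content_type": ctype, "size": len(data),
            "sha256": sha256_hex(data),
            "needs_av_scan": ext in RISKY_EXTENSIONS or ctype == "application/octet-stream",
            "magic_mismatch": ext in MAGIC and not data.startswith(MAGIC[ext])})
    return report
```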



Outlook File Size
• Outlook pre-2003: maximum archive size is 2 GB
• Outlook 2003: maximum archive size is 20 GB
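Step 1 of the rules (finding the archives) with the file-extension table and the Outlook size limits from the slides, as an added Python example (not Paraben's or E-mail Examiner's code). It goes a little beyond the slides: a file named .pst is checked against the PST header, whose layout (magic "!BDN" at offset 0, 16-bit format version at offset 10, with 14/15 = ANSI and 23 = Unicode) is taken from Microsoft's public MS-PST specification, because the ANSI format is the pre-2003 one subject to the 2 GB ceiling. The sample tree is constructed.

```python
# Added example (not Paraben's code): find candidate local mail archives by the
# extensions the slides list, then check any .pst by its header. PST header facts
# (magic "!BDN"; 16-bit version at offset 10: 14/15 = ANSI, 23 = Unicode) come from
# Microsoft's public MS-PST spec, not the slides; the 2 GB / 20 GB caps are the slides'.
import os, struct, tempfile

# Extension -> program, per the slides' table; .idx/.mbx/.dat are also used by non-mail files.
ARCHIVE_EXTENSIONS = {
    ".tbi": "The Bat! index", ".tbb": "The Bat! messages",
    ".tbx": "The Bat! <1.42 index", ".msb": "The Bat! <1.42 messages",
    ".ind": "FoxMail index", ".box": "FoxMail messages",
    ".dbx": "Outlook Express 5/6", ".pst": "MS Outlook",
    ".pmi": "Pegasus index", ".pmm": "Pegasus messages",
    ".idx": "Forte Agent / OE 4 / Poco index", ".dat": "Forte Agent messages",
    ".toc": "Eudora index", ".mbx": "Eudora / OE 4 / Poco messages",
    ".msf": "Netscape 6/7, Mozilla index", ".snm": "Netscape <6 index",
}
PST_FORMATS = {14: ("ANSI", 2 * 1024**3), 15: ("ANSI", 2 * 1024**3),
               23: ("Unicode", 20 * 1024**3)}  # wVer -> (format, size ceiling)

def pst_format(path):  # -> (format, ceiling), or (None, 0) if not a valid PST header
    with open(path, "rb") as f:
        header = f.read(12)
    if len(header) < 12 or header[:4] != b"!BDN":
        return None, 0
    return PST_FORMATS.get(struct.unpack_from("<H", header, 10)[0], (None, 0))

def find_archives(root):  # one record per file whose extension is in the table
    found = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            ext = os.path.splitext(name)[1].lower()
            if ext in ARCHIVE_EXTENSIONS:
                path = os.path.join(dirpath, name)
                rec = {"path": path, "program": ARCHIVE_EXTENSIONS[ext],
                       "size": os.path.getsize(path)}
                if ext == ".pst":  # verify the header; a renamed non-PST yields None
                    rec["pst_format"], cap = pst_format(path)
                    rec["near_limit"] = cap > 0 and rec["size"] > 0.9 * cap  # corruption risk
                found.append(rec)
    return found

def make_sample_tree():  # constructed sample: valid ANSI PST header, renamed file, .dbx
    root = tempfile.mkdtemp()
    pst_header = b"!BDN" + bytes(4) + b"SM" + struct.pack("<H", 14) + bytes(500)
    for name, data in {"outlook.pst": pst_header, "fake.pst": b"not a pst",
                       "Inbox.dbx": bytes(64)}.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root
```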



E-mail Forensics: Server Storage Archives


What is a server storage archive? A server storage archive is any archive in which the mail of all the clients that exist on a server is stored together in one store. Examples of these types of archives include MS Exchange (.EDB), Lotus Notes (.NSF), GroupWise (.DB), etc.



MS Exchange PUB.EDB
• Public Information Store
  – Contains Public Folders
  – Public Folders contain information shared amongst the different users.

MS Exchange PRIV.EDB
• Private Information Store
  – Contains the mailboxes for the server
  – Keeps information private from other users.



MS Exchange PRIV.EDB
• Priv.edb: a rich-text database file containing message headers, message text, and standard attachments.

MS Exchange PRIV.STM
• Priv.stm: a streaming Internet content file containing audio, video and other media that are formatted as streams of Multipurpose Internet Mail Extensions (MIME) data.



Lotus Notes *.NSF
• Valuable evidence:
  – Messages
  – Attachments
  – PIM-oriented data



ENCRYPTION



Novell GroupWise Post Office

Post Office Directory Structure: composed of directories which contain:
– Post Office Database (wphost.db)
  • Admin info required to allow users to exchange messages (list of post offices and associated users)
– Message Store
  • User databases (userxxx.db)
  • Message databases (msgnn.db)
  • Attachments directory



E-mail to other devices



Case Examples



