Forensics Analysis of E-Mail


E-mail Basics

Several communicating entities called e-mail nodes, which are essentially software units working at the application layer of the TCP/IP model, are involved in the process of e-mail delivery. E-mail is a highly distributed service involving several actors that play different roles to accomplish end-to-end mail exchange. These actors fall into the “User Actors”, “Message Handling Service (MHS) Actors” and “Administrative Management Domain (ADMD) Actors” groups.

User Actors are people, organizations or processes that serve as sources or sinks of messages. They can generate, modify or look at the whole message. User Actors are of the following four types.

  • Author – Responsible for creating the message, its contents, and its list of Recipient addresses. The MHS transfers the message from the Author and delivers it to the Recipients. The MHS has an Originator role that correlates with the Author role.
  • Recipient – The Recipient is a consumer of the delivered message. The MHS has a Receiver role that correlates with the Recipient role. A Recipient can close the user-communication loop by creating and submitting a new message that replies to the Author; an automated form of reply is the Message Disposition Notification (MDN).
  • Return Handler – A special form of Recipient that provides notifications (failures or completions) generated by the MHS as it transfers or delivers the message. It is also called the Bounce Handler.

All types of Mediator user actors (the fourth type of User Actor: Alias, ReSender, Mailing List processor and Gateway) set the HELO/EHLO, ENVID, RcptTo and Received fields. Alias actors also typically change the To/CC/BCC and MailFrom fields. Identities relevant to a ReSender are the From, Reply-To, Sender, To/CC/BCC, Resent-From, Resent-Sender, Resent-To/CC/BCC and MailFrom fields. Identities relevant to a Mailing List processor are the List-Id, List-*, From, Reply-To, Sender, To/CC and MailFrom fields. Identities relevant to Gateways are the From, Reply-To, Sender, To/CC/BCC and MailFrom fields.

Message Handling Service (MHS) Actors are responsible for the end-to-end transfer of messages. These Actors can generate, modify or look at only the transfer data in the message. MHS Actors are of the following four types.

  • Originator – Ensures that a message is valid for posting and then submits it to a Relay. It is responsible for the functions of the Mail Submission Agent. It also performs any post-submission functions that pertain to sending error and delivery notices. The Author creates the message, but the Originator handles any transmission issues with it.
  • Relay – Performs MHS-level transfer-service routing and the store-and-forward function by transmitting or retransmitting the message to its Recipients. It adds trace information but does not modify the envelope information or the semantics of the message content. It can modify the message content representation, such as changing the transfer encoding from binary to text, but only (as required) to meet the capabilities of the next hop in the MHS. When a Relay stops attempting to transfer a message, it becomes an Author because it sends an error message to the Return Address.
  • Gateway – Connects heterogeneous mail services despite differences in their syntax and semantics. It can send a useful message to a Recipient on the other side without requiring changes to any components in the Author’s or Recipient’s mail services.
  • Receiver – Performs final delivery or sends the message to an alternate address. It can also perform filtering and other policy enforcement immediately before or after delivery.

A mail message from Author to Receiver that traverses aMUA, aMSA, hMSA, MTA (outbound), MTA (inbound), hMDA, rMDA, rMailServ and rMUA is considered good mail by the Sender Policy Forum (SPF). Mail following other paths is either fully or partially non-SMTP based or uses non-standard transfer modes, and is often suspected of carrying viruses and spam. Delivery Status Notification (DSN) messages are generated by some components of the MHS (MSA, MTA or MDA); they provide information about transfer errors or successful deliveries and are sent to the MailFrom address. Message Disposition Notification (MDN) messages are generated by the rMUA; they provide information about post-delivery processing and are sent to the Disposition-Notification-To address. Out Of Office (OOO) messages are sent by the rMDA to the return address.

Email Forensics

E-mail forensics refers to the study of the source and content of e-mail as evidence to identify the actual sender and recipient of a message, the date/time of transmission, a detailed record of the e-mail transaction, the intent of the sender, etc. This study involves investigation of metadata, keyword searching, port scanning, etc. for authorship attribution and identification of e-mail scams.

Various approaches used for e-mail forensics are:

  • Header Analysis – Metadata in the e-mail message in the form of control information, i.e. the envelope and headers (including headers in the message body), contains information about the sender and/or the path along which the message has traversed. Some of these may be spoofed to conceal the identity of the sender. Header analysis consists of a detailed analysis of these headers and their correlation.
  • Bait Tactics – In a bait-tactic investigation, an e-mail with an HTTP “<img src>” tag whose image source is on a computer monitored by the investigators is sent to the sender of the e-mail under investigation, using their real (genuine) e-mail address. When the e-mail is opened, a log entry containing the IP address of the recipient (the sender of the e-mail under investigation) is recorded on the HTTP server hosting the image, and thus the sender is tracked. However, if the recipient (the sender of the e-mail under investigation) is using a proxy server, then the IP address of the proxy server is recorded. The log on the proxy server can be used to track the sender of the e-mail under investigation. If the proxy server’s log is unavailable for some reason, then investigators may send a bait e-mail containing a) an embedded Java applet that runs on the receiver’s computer or b) an HTML page with an ActiveX object, both aiming to extract the IP address of the receiver’s computer and e-mail it to the investigators.
  • Server Investigation – In this investigation, copies of delivered e-mails and server logs are examined to identify the source of an e-mail message. E-mails purged from the clients (senders or receivers), whose recovery is otherwise impossible, may be requested from servers (proxy or ISP), as most of them store a copy of all e-mails after delivery. Further, logs maintained by servers can be studied to trace the address of the computer responsible for making the e-mail transaction. However, servers store copies of e-mail and server logs only for limited periods, and some may not co-operate with investigators. Further, SMTP servers that store data such as credit card numbers and other data pertaining to the owner of a mailbox can be used to identify the person behind an e-mail address.
  • Network Device Investigation – In this form of e-mail investigation, logs maintained by network devices such as routers, firewalls and switches are used to investigate the source of an e-mail message. This form of investigation is complex and is used only when the logs of servers (proxy or ISP) are unavailable for some reason, e.g. when the ISP or proxy does not maintain a log, the ISP does not co-operate, or the chain of evidence was not maintained.
  • Software Embedded Identifiers – Some information about the creator of the e-mail, attached files or documents may be included with the message by the e-mail software used by the sender to compose the e-mail. This information may be included in the form of custom headers or as MIME content in Transport Neutral Encapsulation Format (TNEF). Investigating the e-mail for these details may reveal vital information about the sender’s e-mail preferences and options that could help client-side evidence gathering. The investigation can reveal PST file names, the Windows logon username, the MAC address, etc. of the client computer used to send the e-mail message.
  • Sender Mailer Fingerprints – The software handling e-mail at the server can be identified from the Received header field, and the software handling e-mail at the client can be ascertained from a different set of headers such as “X-Mailer” or equivalent. These headers describe the applications and their versions used at the client to send e-mail. This information about the sender’s client computer helps investigators devise an effective plan and thus proves very useful.
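As an added example (not code from the original tutorial), the following Python script performs the Received-header correlation described under Header Analysis and the client fingerprinting described under Sender Mailer Fingerprints. It walks the Received chain in chronological order (the last Received header in a message is the first hop), extracts the IP the receiving MTA recorded for each hop, checks that each hop's receiving host is the host the next hop claims to have received from, flags timestamps that go backwards, and collects X-Mailer and similar client headers. The message it parses is a constructed sample using documentation host names and address ranges (an assumption for illustration, not a real capture); it deliberately contains one backwards timestamp so the anomaly check has something to report. Only the standard library is used.

```python
"""Walk the Received: chain of an e-mail and collect client fingerprints."""
import re
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture). The relay's timestamp is
# deliberately later than the next hop's to show how a skewed or forged
# Received line stands out when the chain is correlated.
SAMPLE_MESSAGE = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.example.org with ESMTP id abc123;\n"
    "\tTue, 12 Mar 2019 10:05:00 +0000\n"
    "Received: from relay.example.com (relay.example.com [198.51.100.5])\n"
    "\tby mx.example.net with ESMTPS id def456;\n"
    "\tTue, 12 Mar 2019 10:04:30 +0000\n"
    "Received: from [203.0.113.7] (unknown [203.0.113.7])\n"
    "\tby relay.example.com with ESMTPA id ghi789;\n"
    "\tTue, 12 Mar 2019 10:06:00 +0000\n"
    "From: Alice <alice@example.com>\n"
    "To: Bob <bob@example.org>\n"
    "Subject: test\n"
    "Date: Tue, 12 Mar 2019 10:03:55 +0000\n"
    "Message-ID: <1234@example.com>\n"
    "X-Mailer: ExampleMailer 1.2\n"
    "\n"
    "hello\n"
)

# One Received: line, RFC 5321 style: "from <helo> (<what the MTA saw>) by <mta>
# with <protocol> id <id>; <date>". Everything after 'by' is written by the
# receiving MTA, so the helo name is the only part the sender controls directly.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                 # name announced in HELO/EHLO
    r"(?:\s+\((?P<verified>[^)]*)\))?"      # reverse DNS / IP recorded by the MTA
    r".*?\bby\s+(?P<by>\S+)"                # receiving MTA
    r"(?:.*?\bwith\s+(?P<with>\S+))?"       # protocol, e.g. ESMTPA = authenticated
    r".*?;\s*(?P<date>.+)$",
    re.DOTALL,
)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Parse one Received: value into a hop dict, or None if it does not fit."""
    text = " ".join(str(value).split())   # undo header folding and tabs
    m = HOP_RE.search(text)
    if not m:
        return None
    verified = m.group("verified") or ""
    # Prefer the address the MTA recorded over the name the client announced.
    ip = IPV4_RE.search(verified) or IPV4_RE.search(m.group("helo"))
    try:
        when = parsedate_to_datetime(m.group("date").strip())
    except (TypeError, ValueError):
        when = None
    return {"helo": m.group("helo"), "verified": verified,
            "from_ip": ip.group(1) if ip else None,
            "by": m.group("by"), "with": m.group("with"), "time": when}


def delivery_chain(raw_message):
    """Return hops oldest first: each MTA prepends its Received: line, so the
    last header in the message is the hop closest to the sender."""
    msg = message_from_string(raw_message, policy=policy.default)
    hops = [parse_received(h) for h in reversed(msg.get_all("Received", []))]
    return [h for h in hops if h is not None]


def chain_anomalies(hops):
    """Flag breaks in the chain: a hop whose 'from' host is not the host that
    handled the previous hop, or a timestamp earlier than the previous hop's."""
    findings = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        if cur["helo"] != prev["by"] and prev["by"] not in cur["verified"]:
            findings.append(f"hop {i}: received from {cur['helo']} but the "
                            f"previous hop was handled by {prev['by']}")
        if prev["time"] and cur["time"] and cur["time"] < prev["time"]:
            findings.append(f"hop {i}: {cur['by']} stamped {cur['time'].isoformat()} "
                            f"before {prev['by']} stamped {prev['time'].isoformat()}")
    return findings


def client_fingerprints(raw_message):
    """Collect headers that identify the sending software and the first hop."""
    msg = message_from_string(raw_message, policy=policy.default)
    wanted = ("X-Mailer", "User-Agent", "X-Originating-IP", "Message-ID")
    found = {n: str(msg[n]).strip() for n in wanted if msg[n] is not None}
    hops = delivery_chain(raw_message)
    if hops:   # the first hop is where the client handed the message to the MHS
        found["first_hop_ip"] = hops[0]["from_ip"]
        found["first_hop_protocol"] = hops[0]["with"]
    return found


if __name__ == "__main__":
    chain = delivery_chain(SAMPLE_MESSAGE)
    for n, hop in enumerate(chain):
        print(f"hop {n}: {hop['from_ip']} ({hop['helo']}) -> {hop['by']} "
              f"via {hop['with']} at {hop['time']}")
    for finding in chain_anomalies(chain):
        print("ANOMALY:", finding)
    print(client_fingerprints(SAMPLE_MESSAGE))
```

Note that the hop list is only as trustworthy as the MTAs that wrote it: a sender can prepend fake Received lines of their own, which is why the chain is read from the receiving end (the lines added by your own servers) downwards, and why the host-to-host and timestamp checks above matter more than any single line.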

Email Forensics Tools

Erasing or deleting an e-mail does not necessarily mean that it is gone forever; e-mails can often be forensically extracted even after deletion. Forensic tracing of e-mail is similar to traditional detective work, and the tools below are used for retrieving information from mailbox files.

  • MiTec Mail Viewer – This is a viewer for Outlook Express, Windows Mail/Windows Live Mail and Mozilla Thunderbird message databases, and for single EML files. It displays a list of the contained messages with all needed properties, like an ordinary e-mail client. Messages can be viewed in a detailed view, including attachments and an HTML preview. It has powerful searching and filtering capability and also allows extracting the e-mail addresses from all e-mails in the opened folder into a list with one click. Selected messages can be saved to EML files with or without their attachments. Attachments can be extracted from selected messages with one command.
  • OST and PST Viewer – Nucleus Technologies’ OST and PST viewer tools help you view OST and PST files easily without connecting to an MS Exchange server. These tools allow the user to scan OST and PST files and display the data saved in them, including e-mail messages, contacts, calendars, notes, etc., in a proper folder structure.
  • eMailTrackerPro – eMailTrackerPro analyses the headers of an e-mail to detect the IP address of the machine that sent the message so that the sender can be tracked down. It can trace multiple e-mails at the same time and easily keep track of them. The geographical location of an IP address is key information for determining the threat level or validity of an e-mail message.
  • EmailTracer – EmailTracer is an Indian effort in cyber forensics by the Resource Centre for Cyber Forensics (RCCF) which is a premier centre for cyber forensics in India. It develops cyber forensic tools based on the requirements of law enforcement agencies.

Exchange Analysis

Every Exchange forensic analysis should start on the Exchange system itself. If the required information is not available on Exchange, then a deeper analysis at the client side is typically performed.

To preserve e-mail from a live Microsoft Exchange server, forensic investigators typically take one of several different approaches, depending on the characteristics of the misuse being investigated. Those approaches might include:

  • Exporting a copy of a mailbox from the server using the Microsoft Outlook e-mail client, the Exchange Management Shell or a specialized 3rd-party tool;
  • Obtaining a backup copy of the entire Exchange Server database from a properly created full backup of the server;
  • Temporarily bringing the Exchange database(s) offline to create a copy;
  • Using specialised software such as F-Response or EnCase Enterprise to access a live Exchange server over the network and copy either individual mailboxes or an entire Exchange database file.

One of the most complete collections from an Exchange server is to collect a copy of the mailbox database files. The main advantage in this case is that the process preserves and collects all e-mail in the store for all users with accounts on the server. If during the course of the investigation it becomes apparent that new users should be added to the investigation, then those users’ mailboxes have already been preserved and collected.

Traditionally, the collection of these files from live servers would require shutting down e-mail server services for a period of time because files that are open for access by Exchange cannot typically be copied from the server. This temporary shutdown can have a negative impact on the company and the productivity of its employees. In some cases, a process like this is scheduled to be done out of hours or over a weekend to further minimize impact on the company.

Some 3rd-party software utilities can also be used to access the live Exchange server over the network and to preserve copies of the files comprising the information store.

Another approach to collecting mailbox database files is to collect a recent full backup of Exchange, if there is one. Once these files are preserved and collected, there are a number of 3rd-party utilities on the market today that can extract mailboxes from them, such as Kernel Exchange EDB Viewer or Kernel EDB to PST.

A different approach that is becoming more and more important is to use features of Exchange to perform the investigation. Exchange has a number of features, such as audit logs or In-Place Hold, that help (amongst other purposes) the investigation of misuse by keeping data intact and keeping a detailed log of actions performed in the messaging system.

Auditing Mailbox Access

In every organization, there are always mailboxes with sensitive information. These might be the mailboxes of the CEO, directors, users from the HR or Payroll departments, or simply mailboxes for which administrators have to perform discovery actions to demonstrate compliance with regulatory or legal requirements. Although normally administrators are not concerned with the content of users’ mailboxes, there might be someone less honest who attempts to access someone’s mailbox in order to obtain information of value for their own benefit.

Versions of Exchange prior to Exchange 2010 did not provide a full range of compliance capabilities. Managed Folders or Journaling simply were not enough to perform basic audits or to be fully compliant with legislation such as the Sarbanes-Oxley Act in the United States. Exchange 2010 Service Pack 1 introduced a new feature known as Auditing Mailbox Access, which allows administrators to record operations on a mailbox such as the deletion or copying of e-mails. After enabling auditing for one or more mailboxes and configuring the level of detail to capture, audit entries are recorded in the Audit subfolder of the Recoverable Items folder and can be interrogated using the Exchange Management Shell or the GUI (either the Exchange Control Panel or the Exchange Admin Center).

Outlook Analysis

Although nowadays a great part of an investigation is done at the Exchange server level, there might be situations where a forensics investigator needs to analyze e-mail clients in order to collect evidence.

E-mail clients, such as Microsoft Outlook and Outlook Express, enable users to send and receive e-mails, manage newsgroups and organize helpful information in contacts and calendars. Outlook is probably the most common e-mail client in any organization. It is part of the Microsoft Office suite and provides a platform for e-mail management. The primary data file types associated with Outlook are the personal data file (.PST) and the offline data file (.OST). These PST and OST files contain a user’s e-mail, calendar, contacts and other data that allows Outlook to function effectively for the user. There is a wide variety of ways for an investigator to get to the data within a PST or OST file. Perhaps the easiest is to add the PST file to Outlook on a forensic workstation. Once the PST file is opened, the investigator can access and view the user’s mail and other Outlook items as if they were the user. If the PST is password protected, this is obviously more of a challenge, but there are numerous tools available for cracking PST passwords. Other than Outlook itself, virtually any forensic suite processes Outlook data files for viewing and searching by the investigator.

Furthermore, the advantage of using a forensic suite to parse e-mail is that many of them can recover deleted items from the unallocated space within the PST or OST file. Outlook data files have their own structures, similar to their own file systems, complete with unallocated space in which investigators can find snippets of deleted conversations and even entire messages.

It is also very important to understand two different methods of operation in Outlook: online and cached mode. When Outlook is configured to use Cached Exchange Mode, Outlook works from a local copy of a user’s Exchange mailbox that is stored in an OST file on the user’s computer. The cached mailbox is updated periodically from Exchange. Cached Exchange Mode was introduced in Outlook 2003 to provide users a better online and offline experience as cached mode lets users move between connected and disconnected environments without interrupting their experience in Outlook. Also, it protects users from network latency and connectivity issues while they are using Outlook.

In contrast, Online Mode works by using information directly from the Exchange server. When new information is required in Outlook, a request is made to the server and the information is displayed. Mailbox data is only cached in memory and never written to disk. Therefore, if the user experiences any network issues that prevent the connection to Exchange, it becomes impossible to access any mailbox data.
