There are many ways of attacking through email, so investigating email is important.
Email protocols: POP3 and IMAP. Deleted email may still be found on the email server. The email header may include the sender's IP address; compare it against the server logs to check for spoofing.
Workshop
Module 9 – Email and Internet Forensics
Background:
This tutorial activity will make use of Autopsy and OSForensics to search and examine email messages. Ron Torvald is a possible suspect in a case involving computer crime. Your task is to search for possible evidence. By conducting an email investigation utilising multiple investigative software packages you are adhering to the process of triangulation to validate results.
Task:
1. Start OSForensics and create a new case. Click the “Add Device” button, choose Image File and select the MS E-mail Files.E01 file downloaded from Blackboard.
2. Click the Create Index button in the left pane and select the Use Pre-defined File Types, and check all the boxes. Select Whole Finalise the process by selecting the Start Indexing option in step 3.
3. Click the Search Index button in the left pane and perform a search for the word Ron. Any emails discovered will be listed under the Emails tab. If the image we were investigating contained any additional data, then this would be accessible via the alternative tabs.
4. Select the first email message, Right-click and select the View with Email Viewer option. From here on you should use your intuition to manually browse through and investigate the email messages contained within MS E-mail Files.E01 file.
a. How many emails were deleted from Ron Torvald’s Outlook mailbox?
- 3
b. How many emails received contained attachments?
- 13
c. Deleted emails with attachments cannot be viewed. True or false?
- False
d. How many emails were recovered by using “Ron” as a research keyword?
- 32
e. How many zipped files are attached to emails in total?
- 2
f. What type of activity was suggested for the weekend?
- 12
g. What type of malicious software was being referred to amongst the communication?
- Troygen, backdoor
h. How many email attachments contain the file signature header “38 42 50 53”?
- 4
i. All email communication occurred internally within one organisation. True or False?
- True
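The two checks the notes above describe (the sender IP recorded in the email header, compared against what the receiving server logged) and the attachment questions in step 4 (which messages carry attachments, how many are zipped, which start with the "38 42 50 53" signature) can be automated over a mailbox. The script below is an added example and is not part of the workshop, OSForensics or Autopsy; the messages, addresses, Message-IDs, IP addresses and the server log are all constructed, and example.com is a placeholder for the organisation's domain.

```python
import ipaddress
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# File signatures (magic bytes). "38 42 50 53" is ASCII "8BPS", the Photoshop PSD header.
SIGNATURES = {
    bytes.fromhex("38425053"): "psd",
    b"PK\x03\x04": "zip",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    bytes.fromhex("d0cf11e0a1b11ae1"): "ole2 (legacy .doc/.xls)",
}

def identify_signature(data: bytes) -> str:
    """Classify an attachment by its leading bytes, not by its file name."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(msg) -> list:
    """IPv4 addresses from Received: headers, newest hop first (MTAs prepend Received lines)."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for m in _IP_RE.finditer(str(hdr)):
            try:
                ips.append(str(ipaddress.ip_address(m.group(1))))
            except ValueError:
                pass
    return ips

def analyse(raw: bytes, server_log: dict) -> dict:
    """Parse one message and cross-check its claimed origin against the receiving server's log."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = received_ips(msg)
    origin = hops[-1] if hops else None           # oldest Received line = claimed sending host
    logged = server_log.get(str(msg["Message-ID"]))
    atts = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        atts.append({"name": part.get_filename(), "kind": identify_signature(data), "size": len(data)})
    return {
        "message_id": str(msg["Message-ID"]),
        "from": str(msg["From"]),
        "hops": hops,
        "origin_ip": origin,
        "logged_ip": logged,
        # Header names one host but the server that accepted the connection recorded another
        "spoof_suspect": logged is not None and logged != origin,
        "attachments": atts,
    }

def summarise(raw_messages, server_log) -> dict:
    """Answer the step-4 style counting questions for a set of raw messages."""
    reports = [analyse(r, server_log) for r in raw_messages]
    kinds = [a["kind"] for r in reports for a in r["attachments"]]
    return {
        "total": len(reports),
        "with_attachments": sum(1 for r in reports if r["attachments"]),
        "zip_attachments": kinds.count("zip"),
        "psd_attachments": kinds.count("psd"),
        "spoof_suspects": [r["message_id"] for r in reports if r["spoof_suspect"]],
    }

# --- Constructed sample data (not taken from the workshop image) -------------------
def _build(sender, subject, received, attachments=(), mid="<x@example.com>"):
    m = EmailMessage()
    m["From"], m["To"], m["Subject"], m["Message-ID"] = sender, "ron@example.com", subject, mid
    for r in received:                 # supplied newest-first, as they appear in a real header
        m["Received"] = r
    m.set_content("Sample body.")
    for name, data in attachments:
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()

PSD = bytes.fromhex("38425053") + b"\x00\x01" + b"\x00" * 20   # constructed PSD-like header
ZIP = b"PK\x03\x04" + b"\x00" * 26                                # constructed ZIP-like header

SAMPLE_MESSAGES = [
    _build("alice@example.com", "new interfaces",
           ["from wks12.example.com ([192.0.2.12]) by mx.example.com; Mon, 1 Oct 2018 09:00:00 +0000"],
           [("mockup.psd", PSD)], mid="<m1@example.com>"),
    _build("bob@example.com", "weekend plans",
           ["from mx.example.com ([192.0.2.1]) by mail.example.com; Mon, 1 Oct 2018 10:00:00 +0000",
            "from wks07.example.com ([192.0.2.7]) by mx.example.com; Mon, 1 Oct 2018 09:59:00 +0000"],
           [("tools.zip", ZIP), ("notes.txt", b"plain text")], mid="<m2@example.com>"),
    # Claims to come from an internal workstation, but the server log below disagrees
    _build("ceo@example.com", "urgent wire transfer",
           ["from wks03.example.com ([192.0.2.3]) by mx.example.com; Mon, 1 Oct 2018 11:00:00 +0000"],
           mid="<m3@example.com>"),
]

# Constructed MTA log: Message-ID -> IP of the peer that actually delivered it to mx.example.com
SERVER_LOG = {"<m1@example.com>": "192.0.2.12", "<m2@example.com>": "192.0.2.7",
              "<m3@example.com>": "198.51.100.7"}

if __name__ == "__main__":
    for r in (analyse(m, SERVER_LOG) for m in SAMPLE_MESSAGES):
        flag = "SPOOF?" if r["spoof_suspect"] else "ok"
        print(r["from"], r["origin_ip"], r["logged_ip"], flag, r["attachments"])
    print(summarise(SAMPLE_MESSAGES, SERVER_LOG))
```

Only the Received lines added by servers you control are trustworthy, which is why the comparison is made against the accepting server's own log rather than between header lines; and attachments are typed by their leading bytes because a file name can be renamed freely.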
5. In the first part of this tutorial activity, you used OSForensics to analyse a series of email addresses. In the following section, you will use Autopsy to find additional evidence and to validate preceding results.
6. Create a new case in Autopsy and load the MS E-mail Files.E01 file downloaded from Blackboard. Once the file is processed, click the Keyword Lists button in the top right corner, check the Phone Numbers, IP Addresses, Email Addresses and URLs boxes, and click Search.
7. Click the Keyword Search button in the top right corner and type in Ron Torvald, and click Search.
8. Click the Sent Items.dbx folder to view the emails that Ron Torvald sent.
9. Click mail.pst folder to view the emails Ron Torvald received.
10. Using the left pane, under the option of Email Messages, click through the tree to discover the options and features of the Autopsy program with regards to email.
a. Autopsy discovered the same quantity of emails. True or False?
- False, Autopsy got 41
b. How many graphic files were recovered?
- 6
c. No video files are attached to emails in the MS E-mail Files.E01 file. True or False?
- True
d. What is the name of the Microsoft Word document that was recovered?
- new interfaces.doc
11. The last component of this tutorial is to investigate the presence of Hotmail-related activity and attempt to answer questions such as: was Hotmail used, and if so, how? Answers to the Hotmail-related questions will not be provided. This is an advanced task for you to pursue in your own time to further enhance your digital forensic skills.
- No; they used the company email domain PenguinDevelopers.com
12. The next activity will focus on investigating the precious.001 file supplied on Blackboard. In the following activity, you will attempt to locate email and Google related evidence. Close all previous activities and commence the following investigation by creating a new Autopsy case.
13. Once the precious.001 file has been successfully loaded into Autopsy, proceed with clicking the Keyword Lists button and checking Phone Numbers, IP Addresses, Email Addresses and URLs, followed by clicking the Search button.
14. Click the Keyword Search button and perform a search for Frodo Baggins. Scroll through the results as you should find multiple mailboxes containing the preceding search term.
- Sent Items.dbx
15. In the left pane, expand Email Messages > Default. Click the Default folder and then locate and click on the Out.mbx.001 mailbox. Explore the header and content information of each mailbox.
16. Next, click on Web Search within the left pane under Extracted Content to view and analyse the Google Search results.
a. How many email messages, including duplicates were present?
- 64
b. How many Google searches for the term “computer forensics” were made?
- 3
c. Frodo Baggins did not have an AOL email account. True or False?
- False
d. Frodo Baggins is suspected of using multiple email accounts (aliases) for communication purposes. As an advanced activity, see if you can formulate a method using Keyword Lists and/or Keyword Searches to quantify the total number of email addresses. A definitive answer to this problem will not be provided.
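Autopsy's Web Search view in step 16 is built from browser-history URLs: it recognises the search engine by host name, pulls the query parameter out of the URL and decodes it, so that "computer+forensics" and "computer%20forensics" count as the same search. The following is an added example of that extraction, not Autopsy's own code; the engine-to-parameter table is deliberately short and the history URLs are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Which query-string parameter carries the search term on each engine
# (constructed, non-exhaustive table; extend it for the engines seen in a real history)
SEARCH_PARAMS = {
    "www.google.com": "q",
    "google.com": "q",
    "www.bing.com": "q",
    "search.yahoo.com": "p",
    "duckduckgo.com": "q",
}

def search_terms(urls):
    """Return (engine host, normalised search term) for every URL that is a search query."""
    found = []
    for url in urls:
        parts = urlsplit(url)
        host = parts.netloc.lower()
        param = SEARCH_PARAMS.get(host)
        if not param:
            continue                              # not a known search engine host
        # parse_qs percent-decodes and turns '+' into spaces; blank terms are dropped
        for term in parse_qs(parts.query).get(param, []):
            found.append((host, " ".join(term.split()).lower()))
    return found

def count_term(urls, term):
    """Number of searches whose whole query equals `term` (case-insensitive)."""
    wanted = " ".join(term.split()).lower()
    return sum(1 for _, t in search_terms(urls) if t == wanted)

HISTORY = [  # constructed browser-history URLs, not from the precious.001 image
    "https://www.google.com/search?q=computer+forensics&ie=UTF-8",
    "https://www.google.com/search?q=computer%20forensics&start=10",
    "https://www.google.com/search?hl=en&q=Computer+Forensics+tools",
    "https://www.google.com/search?q=computer+forensics",
    "https://www.bing.com/search?q=autopsy+sleuth+kit",
    "https://www.google.com/maps/place/Somewhere",   # Google, but not a search query
    "https://mail.google.com/mail/u/0/",             # host not in the engine table
]

if __name__ == "__main__":
    for host, term in search_terms(HISTORY):
        print(f"{host}: {term}")
    print("searches for 'computer forensics':", count_term(HISTORY, "computer forensics"))
```

Note that `count_term` matches the whole query, so "computer forensics tools" is not counted as a search for "computer forensics"; whether partial matches should count is a decision to record in the case notes.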
17. Download and install a trial version of the software Aid4Mail.
18. Individually load the pst files from Blackboard into Aid4Mail by selecting the Office Outlook PST file option.
19. Carefully read through and proceed with the options for appropriately configuring Aid4Mail.
20. When asked to choose a “Target Format” you are going to experiment with two different outcomes (you will need to restart Aid4Mail):
a. First, convert the file into “Office Outlook MSG files”, and
b. Secondly, convert the file into “Convert emails to CSV (opens in Excel)”.
21. Create a new Autopsy case on your forensic workstation.
22. Click “Add Data Source”, select “Logical Files” as your source type and load the three pst files into Autopsy.
23. Manually experiment by assessing the strengths, weaknesses and capabilities of the results produced by either product.
a. As part of your assessment you should attempt to perform keyword searches, analyse the email headers, look for messages that might contain personal information or be related to the Enron scandal.
b. Assess the simplicity by which the data of interest can be viewed and interpreted.
c. Given the complexity of the Enron case, how might viewing of the data be made easier? What factors inhibit a timely and successful investigation of numerous email accounts in a corporation?
24.
Solutions:
10a: True
10b: 16
10d: True
10e: new interfaces.doc
16a: 64
16b: 16
16c: True