Hacking Exposed


by Aaron Philipp


  Network E-mail Examiner

  NEMX will allow you to access, search, and extract messages from an NSF. NEMX, as stated earlier, does not provide for any automation ability.

  Recovery Manager for Notes

  Quest Software’s Microsoft Exchange Email Recovery and Domino Recovery, found at http://wm.quest.com/, offer functionality that other tools on the market do not. They can read NT Backup and other tape backup formats, extracting NSF files from tape and converting them to PST.

  Domino Server

  The other option is either to automate the Lotus Domino mail server through LotusScript or to install a new Domino server and configure it as a recovery server to access the existing NSF.

  Novell GroupWise

  Novell’s GroupWise mail server has been around for quite some time. However, there has never been an easy way to recover data from its local e-mail database. GroupWise is a closed architecture that by default stores all e-mail on the GroupWise server and allows you to archive e-mail off it to a local system. However, be aware that some systems are configured to delete e-mail messages automatically after a certain number of days, so make sure to examine the GroupWise server configuration before waiting to capture data.

  Transend Migrator Forensic Edition

  One of the few tools available to convert GroupWise data is Transend Migrator Forensic Edition, available at www.transend.com. Transend Migrator will allow the conversion of GroupWise data to a number of different formats so you can access the e-mail in one of the other tools we have covered in this book, such as AccessData’s FTK. While Transend Migrator can connect to a GroupWise server to do the conversion, the GroupWise server must exist first for it to work. So in either case you are stuck installing a GroupWise server and recovering the previous mail database.

  Network E-mail Examiner

  Good news since the last edition of this book: NEMX now allows you to access, search, and extract messages from a GroupWise server. NEMX, as stated earlier, does not provide any automation or tape-extraction ability. If you keep the post office’s parent directory, which contains NGWGUARD.DB and the three directories ofmsg, ofuser, and offiles underneath it, in a place accessible to NEMX, it can find and recover the messages and deleted messages from the GroupWise data store and export them to PST.

  Sun’s iPlanet

  Sun’s iPlanet mail server is a UNIX-based mail system that shows its origins in its mail storage. The iPlanet system stores each individual message in RFC-822–compliant e-mail format within a hive-like directory structure named after the user. This makes your life much easier, as you do not have to deal with a proprietary database to access the messages.

  Searching RFC-822 and Decoding MIME

  To access e-mail and attachments in an iPlanet server, you need some tools that can search RFC-822 and decode MIME. Paraben’s E-mail Examiner and AccessData’s FTK will allow you to do this. Using any search utility, you can access the text of the e-mails. For MIME encoding, you can also combine some open-source tools such as munpack to extract the attachments for further searching.
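  As an added example, not code from the book or from any of the tools it names, the following Python script does the two things this passage describes against a small constructed per-user directory of RFC 822 messages: it searches headers and decoded text bodies for a keyword, and it extracts and hashes MIME attachments the way munpack would. The directory layout, file names and both messages are assumptions constructed for the demo, not iPlanet’s exact on-disk format. The crafted attachment filename `../forecast.bin` is there to show why the extractor must strip directory components before writing to disk.

```python
"""Search a tree of RFC 822 message files and extract MIME attachments.

Added example. The per-user directory layout and the two messages below are
constructed for the demo; they are not iPlanet's actual on-disk format.
"""
import email
import email.policy
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample store: one user's folder holding two RFC 822 messages.
# The second part of message 1 carries a path-traversal style filename on purpose.
SAMPLE_MESSAGES = {
    "jdoe/INBOX/1": (
        "From: alice@example.com\r\n"
        "To: jdoe@example.com\r\n"
        "Subject: Q3 forecast\r\n"
        "Date: Mon, 02 Mar 2009 09:15:00 -0500\r\n"
        "Message-ID: <a1@example.com>\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
        "\r\n"
        "--XYZ\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "\r\n"
        "Numbers attached. Do not forward.\r\n"
        "--XYZ\r\n"
        'Content-Type: application/octet-stream; name="forecast.bin"\r\n'
        'Content-Disposition: attachment; filename="../forecast.bin"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        "aGVsbG8gd29ybGQ=\r\n"
        "--XYZ--\r\n"
    ),
    "jdoe/INBOX/2": (
        "From: bob@example.com\r\n"
        "To: jdoe@example.com\r\n"
        "Subject: lunch\r\n"
        "Message-ID: <b2@example.com>\r\n"
        "\r\n"
        "Noon?\r\n"
    ),
}


def build_sample_store(root: Path) -> None:
    """Write the constructed messages to disk, one file per message."""
    for rel, text in SAMPLE_MESSAGES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(text.encode("ascii"))


def iter_messages(root: Path):
    """Yield (path, parsed message) for every file under root, in sorted order."""
    for path in sorted(root.rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                yield path, email.message_from_binary_file(fh, policy=email.policy.default)


def search_messages(root: Path, needle: str):
    """Return message paths (relative to root) whose headers or decoded text bodies contain needle."""
    needle = needle.lower()
    hits = []
    for path, msg in iter_messages(root):
        haystack = [f"{k}: {v}" for k, v in msg.items()]   # top-level headers
        for part in msg.walk():                             # every text/* part, decoded
            if part.get_content_maintype() == "text":
                haystack.append(part.get_content())
        if any(needle in s.lower() for s in haystack):
            hits.append(path.relative_to(root).as_posix())
    return hits


def extract_attachments(root: Path, out_dir: Path):
    """Decode every MIME attachment into out_dir; return (source, filename, size, sha256) per attachment."""
    records = []
    for path, msg in iter_messages(root):
        for part in msg.iter_attachments():
            data = part.get_payload(decode=True)          # undoes base64 / quoted-printable
            name = os.path.basename(part.get_filename() or "unnamed")  # drop any directory components
            (out_dir / f"{path.name}_{name}").write_bytes(data)
            records.append((path.relative_to(root).as_posix(), name,
                            len(data), hashlib.sha256(data).hexdigest()))
    return records


def run_demo():
    """Build the constructed store in a temp dir, search it, extract attachments, return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "store"
        out = Path(tmp) / "attachments"
        out.mkdir()
        build_sample_store(root)
        return {
            "forecast_hits": search_messages(root, "forecast"),
            "recipient_hits": search_messages(root, "jdoe@example.com"),
            "attachments": extract_attachments(root, out),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

  The attachment records carry a SHA-256 so extracted files can be tied back to the message they came from; the `os.path.basename` call is the check a practitioner wants, since a sender controls the `filename` parameter and a bare `../` in it would otherwise write outside the output directory.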

  CHAPTER 11

  E-MAIL ANALYSIS

  Today’s world functions on e-mail. E-mail is one of the fastest growing forms of communication and one of the most common means for transferring information about people, places, and activities. People will continue to use e-mail and the Internet to conduct business, legitimate or not. About 210 billion e-mails were sent each day in 2008, according to the Radicati Group (www.radicati.com/); that’s 150 billion more e-mails per day than IDC forecast for 2006, and e-mail volume continues to grow every year. Nearly half of these e-mails contain personal information.

  E-mail analysis today is one of the most common tasks in an investigation, with so much day-to-day business being conducted from e-mail and e-mail–enabled mobile devices. Personal and business information is being sent, received, and forwarded back and forth over mobile devices to traditional e-mail accounts.

  This chapter discusses tools and techniques you can use to reconstruct client and web-based e-mail activities from the perspective of the local hard drive. (Enterprise server investigations are covered in Chapter 10, and cell phone and PDA investigations are covered in Chapter 13.) Although a single chapter can’t cover every tool and technique available today, we do cover mainstream e-mail investigative techniques applicable for use in a corporate environment.

  This chapter breaks up content into client-based and web-based e-mail. Client-based e-mail refers to programs installed on the client for reading e-mail, such as Outlook Express, Outlook, and generic UNIX readers. Web-based e-mail refers to online e-mail resources such as Yahoo!, Gmail, Hotmail, AOL, and Excite that are usually accessed through a browser.

  Three key interesting components of an e-mail include the e-mail headers, text, and attachments. Additionally, other items useful to investigators can include message flags, certificates, or requested receipts for delivering or opening an e-mail.

  FINDING E-MAIL ARTIFACTS

  In the scenarios that follow, programs and techniques used to view e-mail data and extract relevant artifacts are discussed. Where available, we discuss how to use professional products such as Paraben’s E-mail Examiner, Paraben’s Network E-mail Examiner, OutIndex, Guidance Software’s EnCase, and AccessData’s Forensic Toolkit (FTK). Other methods include using the native e-mail client or various tricks to get around simple controls. Remember that multiple tools and methods are available for searching and analyzing this data. Choose the tools and methods that best fit your needs.

  Client- and web-based e-mail readers share much in common. Both can have e-mail headers, proofs of receipt, attachments, and more. Both generally follow the same rules as outlined in the RFCs (requests for comments). However, some differences are worth exploring, including the methods for viewing, location of evidence, and ease with which you can access and recover the evidence. We will get into more of this in each of the following sections.

  CONVERTING E-MAIL FORMATS

  In some instances you may need to convert e-mail from one format to another before you begin your investigation, or you may need to present e-mail results in a format that is easier for you or another party to analyze and review.

  Transend Migrator (www.transend.com/) is a great tool for performing a number of e-mail tasks. Transend will allow you to convert EML, Text, mbox, and many other e-mail formats to Outlook PST format. The Forensic version of Transend will let you convert various e-mail formats to e-discovery and Compliance document management file formats such as PDF, TIFF, and HTML.

  When dealing with OST files, you may need to repair a damaged OST or convert an Outlook OST file to PST format. Kernel for OST to PST Conversion by Nucleus Data Recovery (www.nucleustechnologies.com/exchange-ost-recovery.html) allows you to convert OST files to PST.

  Paraben’s Network E-mail Examiner may confuse you with the title being nearly identical to the Paraben E-mail Examiner, but these tools are entirely different. Network E-mail Examiner offers some rare and valuable features, such as the ability to convert mailboxes from Novell GroupWise, Lotus Notes, or EDB databases to Outlook PST, MSG, or EML. Network E-mail Examiner will also allow you to perform searches or browse the mailboxes in the NSF, DB, and EDBs.

  OBTAINING WEB-BASED E-MAIL (WEBMAIL) FROM ONLINE SOURCES

  In some scenarios, you may need to download webmail from Yahoo!, Gmail, or Hotmail. This can require multiple tools such as Outlook Express for Windows Live Mail (aka Hotmail) along with a Post Office Protocol/Internet Message Access Protocol (POP/IMAP) client such as Outlook or Thunderbird for Gmail and Yahoo!. In addition, getting the e-mail in the correct format may require some scripting experience.

  You can download Gmail with a POP client by enabling POP on your Gmail account:

  1. Click the Settings link.

  2. Click the Forwarding and POP/IMAP tab.

  3. Choose the Enable POP For All Mail option, and then click Save Changes.

  Transend Migrator Forensic can simplify this task by grabbing Yahoo! e-mail in a few steps:

  1. In Transend, select POP Server from the Convert From drop-down box and Exchange/Outlook from the Convert To drop-down box. Then click Next.

  2. Enter your username, POP server, and password. Then click Next.

  3. Enter a PST filename and password, if required, and then click Next.

  4. Select the folder you want and click Next.

  5. Click Run.
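  The scripting this section alludes to, as an added example that is not from the book, from Google or from Transend: a Python routine that pulls every message from a POP3 mailbox over TLS into an mbox file using only the standard library, recording each message’s UIDL, size and SHA-256 so the acquisition can be documented. mbox is one of the generic formats the other tools in this chapter read. The host pop.gmail.com and port 995 are Gmail’s published POP settings; the `FakePop3` class and the two messages in `SAMPLE_RAW` are constructed stand-ins so the example runs offline, and `open_pop_connection` is shown but not exercised by the demo.

```python
"""Acquire a POP3 mailbox into an mbox file, keeping the raw RFC 822 bytes.

Added example using only the Python standard library. FakePop3 and SAMPLE_RAW
are constructed stand-ins so the demo runs offline; open_pop_connection shows
the real call sequence against a server such as Gmail's pop.gmail.com:995.
"""
import hashlib
import mailbox
import poplib
import tempfile
from pathlib import Path


def open_pop_connection(host, user, password, port=995):
    """Authenticate to a POP3-over-TLS server (Gmail: pop.gmail.com, port 995)."""
    conn = poplib.POP3_SSL(host, port)
    conn.user(user)
    conn.pass_(password)
    return conn


def download_to_mbox(conn, mbox_path):
    """RETR every message, append it to an mbox, return (uidl, size, sha256) per message.

    Works with any object exposing stat/retr/uidl/quit, i.e. poplib.POP3_SSL or FakePop3.
    No DELE is issued, so the server-side copy is left in place.
    """
    count, _total_octets = conn.stat()
    box = mailbox.mbox(str(mbox_path))
    records = []
    try:
        for num in range(1, count + 1):
            _resp, lines, _size = conn.retr(num)
            raw = b"\r\n".join(lines) + b"\r\n"               # rebuild the bytes as sent on the wire
            uidl = conn.uidl(num).split()[2].decode("ascii")  # b'+OK 1 <uid>' -> '<uid>'
            box.add(mailbox.mboxMessage(raw))
            records.append((uidl, len(raw), hashlib.sha256(raw).hexdigest()))
        box.flush()
    finally:
        box.close()
        conn.quit()
    return records


# Constructed sample messages (no trailing CRLF, as RETR returns them line by line).
SAMPLE_RAW = [
    b"From: alice@example.com\r\nTo: jdoe@example.com\r\nSubject: Q3 forecast\r\n"
    b"Message-ID: <a1@example.com>\r\n\r\nNumbers attached.",
    b"From: bob@example.com\r\nTo: jdoe@example.com\r\nSubject: lunch\r\n"
    b"Message-ID: <b2@example.com>\r\n\r\nNoon?",
]


class FakePop3:
    """Offline stand-in for poplib.POP3_SSL exposing only the methods download_to_mbox uses."""

    def __init__(self, raw_messages):
        self._msgs = list(raw_messages)
        self.quit_called = False

    def stat(self):
        return len(self._msgs), sum(len(m) for m in self._msgs)

    def retr(self, which):
        raw = self._msgs[which - 1]
        return b"+OK", raw.split(b"\r\n"), len(raw)

    def uidl(self, which):
        return b"+OK %d msg-%d" % (which, which)

    def quit(self):
        self.quit_called = True
        return b"+OK"


def run_offline_demo():
    """Acquire the constructed mailbox into a temp mbox, reopen it, and report what landed there."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "jdoe.mbox"
        conn = FakePop3(SAMPLE_RAW)
        records = download_to_mbox(conn, path)
        box = mailbox.mbox(str(path))
        subjects = [msg["Subject"] for msg in box]
        box.close()
    return {"records": records, "subjects": subjects, "quit_called": conn.quit_called}


if __name__ == "__main__":
    print(run_offline_demo())
```

  Against a live account you would call `download_to_mbox(open_pop_connection("pop.gmail.com", user, password), "jdoe.mbox")` after enabling POP as described above; the UIDL and hash per message are what you keep in your notes, since the mbox itself is a re-serialization and not the wire bytes.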

  CLIENT-BASED E-MAIL

  Client-based e-mail includes programs such as Outlook and Outlook Express. Client e-mail is typically stored on the hard drive in an e-mail archive. This is important to know, as it increases the likelihood that you will find the information you need. Client-based e-mail is typically easier to work with than Internet-hosted mail in corporate environments because the e-mail exists on a company-owned asset. In the case of client-based e-mail, typically both the incoming and outgoing e-mails are recorded; this is not always the case for Internet-hosted e-mail.

  An important point for overloaded corporate investigators is ease of access to the mail server. Investigators will have access either to the e-mail on the suspect’s computer or the company-owned servers. Either way, this is much easier than demanding e-mail from an externally hosted e-mail provider. In many cases, the latter choice is not practical. (E-mail server investigations are covered in Chapter 10.)

  Microsoft Outlook PST

  Outlook, installed with the Microsoft Office suite, is the most popular e-mail client used in large corporations. It is also one of the most popular e-mail archive formats encountered in corporate investigations.

  PST (Microsoft Outlook) Examination Tools

  The most well-known tools for reading Outlook files are Paraben’s E-mail Examiner, Guidance Software’s EnCase, AccessData’s FTK, and Microsoft Outlook. For the open source advocates, a great tool is included in the libPST package.

  Paraben’s E-mail Examiner works by using a PST converter to translate the contents of the PST file into a generic UNIX mailbox format. The text file is then easily read and searched by E-mail Examiner. Paraben’s product supports a large number of e-mail formats and is very fast in converting the PSTs. You can use EnCase by Guidance Software to open and search the contents of the PST directly. EnCase lets you use the same tool for e-mail that you use for locating other artifacts on the drive.

  If you have EnCase and haven’t updated to the latest version, you should do so. The newer versions have support for Outlook Compressible Encryption in searches.

  FTK is also capable of searching through multiple mail files such as Outlook, Outlook Express, AOL, Netscape, Yahoo!, Earthlink, Eudora, Hotmail, and MSN e-mail. FTK provides an intuitive interface for reviewing large amounts of e-mail and will now identify and segregate webmail from other e-mail.

  The open-source tool readPST from the libPST package is a SourceForge project headed by Dave Smith. When you’re done using readPST, you can use UniAccess to convert UNIX mail back into PST and other formats.

  Examining Outlook Artifacts

  Table 11-1 provides a helpful list of MS Outlook data and configuration files. Some of the folders have hidden attributes. You can change the Windows Explorer view to show hidden files by choosing Tools | Folder Options | View | Show Hidden Files And Folders.

  Examining Artifacts with E-mail Examiner

  E-mail Examiner (www.paraben-forensics.com/examiner.html) simplifies the complexity of the PST mail store by converting it into a generic mailbox format. Because of this simplicity, the search capabilities are excellent. E-mail Examiner runs in a Windows environment and supports a wide variety of mail formats. Support for MS Outlook .PST files is available through Paraben’s PST Converter, which is distributed with E-mail Examiner. This is similar to the conversion process used when converting AOL files. Here’s how to do it:

  Table 11-1 Summary of Microsoft Outlook Data Configuration Files

  1. Start the PST Converter.

  2. Choose File | Import PST Files to open the PST Converter dialog box shown in Figure 11-1. If you do not see this command on the File menu, go to Program Files\Paraben Corporation\E-mail Examiner and double-click pstconv.exe.

  3. When the PST Converter dialog box opens, select the PST files to convert into a generic format by clicking Add Files.

  Figure 11-1 The PST Converter dialog box

  4. Carefully select the destination directory, and then begin the conversion process by clicking Convert. When the process is completed (it may take some time for large PST files), the files will automatically appear in E-mail Examiner.

  5. If you used the pstconv.exe utility and you need to open the e-mail later, choose File | Open Mailbox.

  6. Select Files Of Type “Generic mail [*.*]” and find the folder in which you chose to store the converted files. When this is completed, you will find the e-mail located in the E-mail Examiner window, as shown in Figure 11-2.

  If you typically have a large caseload with PST files, consider Paraben’s text searcher, which is capable of searching through unique file types such as Outlook PST, PDF, and more.

  Be aware that the searching options are robust and will require some learning to take advantage of all the features. Numerous options are available, and just about every view and feature is customizable to some degree. Ready reports are available for quickly producing statistical data based on variables such as word count and e-mail domains used. Options exist for extracting the attachments as well as extracting e-mails into EML and generic mailbox formats. Additional quick-reporting features of interest include the ability to extract all e-mail addresses and all originating servers into a single file.

  Figure 11-2 E-mail Examiner window

  Examining Artifacts with EnCase

  For the expert, EnCase’s view of a PST and its Messaging Application Programming Interface (MAPI) objects proves valuable. Add the filtering, EnScript, and searching capabilities to this mix, and you have a powerful tool.

  After collecting the evidence relevant to your case, consider using the readily available filters for locating different types of mail files. Simply select Filters in the bottom pane of the EnCase screen and double-click the filter you want to use. At this point, you can choose to mount and view the files within EnCase, or you can export them for use in other programs you prefer.

  Remember that a PST is a binary file structure that EnCase does not interpret correctly unless you mount the file inside EnCase. Do this by right-clicking the PST of interest and choosing View File Structure. Then you can use the regular searching features inside EnCase.

  In addition, EnCase lets you identify Outlook Compressible Encryption (OCE) files in unallocated space using CodePages. To identify OCE files in your search, you will need to configure the CodePage for OCE by each keyword you intend to include in your search. Here’s how to do this:

  1. Choose New Keyword.

  2. Select Unicode.

  3. Go to the CodePage tab.

  4. Enable Outlook Compressible Encryption in the list; make sure that you select Unallocated Clusters in the directory tree for your evidence item before initiating the search.

  Figure 11-3 illustrates the selection for viewing the file structure and the filters available for quickly accessing PST files in your evidence. More features are available in the newer versions of EnCase, which continues to improve the experience with PST files.

  Examining Artifacts with FTK

  FTK is an excellent all-around tool for investigating e-mail files. Principal among its strongest features is its ability to create a full text index of large files. While this is time-consuming up front, you will save an enormous amount of time in large investigations in the long run. A good rule of thumb is that if you are going to search a file only one time, you don’t necessarily have to index the file. If you are going to search the file more than five times, you need to consider the value of indexing the files. If you are going to search the file more than ten times, we would hope that you have indexed it already.

  Figure 11-3 Viewing file structures and filters in EnCase

  An advantage to using FTK is its ability to read PST and OST archives directly by accessing internal structures. The result is that e-mails are automatically indexed during the import process, making them easy to search quickly, especially across multiple mail stores. Keep in mind that FTK can also take EnCase images directly and create a full text index of the entire file. Figure 11-4 shows an example of the interface. Because there is no need to break down the PST, the e-mail is readily accessible right after you get the evidence imported.

  Examining Artifacts with Outlook

  If no other tools are available, you can use Microsoft Outlook to import and view PSTs. Here’s how to do this:

  1. Install and start Microsoft Outlook. When the prompt to create another mailbox appears, click No, and then click Continue.

  Figure 11-4 FTK in action viewing PST files

  2. When Outlook opens, choose File | Data File Management | Add.

  3. Select the correct file type and follow the prompts, as shown in Figure 11-5.

 
