4. When you’re done, you can use the familiar Outlook interface to search the PST as you would normally search any mail through Outlook.
Examining Artifacts with ReadPST (libPST Package)
ReadPST is a program made available as part of the libPST package, which is available from SourceForge at http://sourceforge.net/projects/ol2mbox/. Downloading the libPST package and extracting it will place the contents of the package in the libpst directory on your hard drive. Enter that directory and execute the make command.
Figure 11-5 Follow the prompts.
You can then execute the readPST program with the following options:
ReadPST v0.3.4 implementing LibPST v0.3.4
Usage: ./readpst [OPTIONS] {PST FILENAME}
OPTIONS:
ReadPST will then convert the PST into RFC-compliant UNIX mail. You can access the extracted mail and attachments with any standard UNIX mail client. For example, to convert a PST into KDE mail format, you would execute this command:
./readpst -k mypst.pst
Microsoft Outlook Express
Outlook Express is a common e-mail and Internet news client. It is installed by default on a Windows-based operating system with Internet Explorer. Because it is readily available, some users choose to use it as their default e-mail client. Therefore, the forensic investigator must be prepared to reconstruct the e-mail generated from this program. Outlook Express stores e-mail in a database type file using a .DBX file extension that is similar to a PST file found in Outlook. Table 11-2 shows common data file locations.
DBX (Outlook Express) Examination Tools
A number of tools are capable of reading the Outlook Express DBX files, including the tools listed previously. The steps for importing and examining the data are nearly identical to those used with PST files in the “PST (Microsoft Outlook) Examination Tools” section with a few noted differences, which are outlined here.
Examining Artifacts with E-mail Examiner
E-mail Examiner reads Outlook Express files directly, so the conversion step used for PSTs is not needed for DBX files. You can import DBX files directly into E-mail Examiner, as shown in Figure 11-6.
Table 11-2 Summary of Mail Locations for Outlook Express
Figure 11-6 Using Paraben’s E-mail Examiner to examine Outlook Express e-mail
Examining Artifacts with EnCase
EnCase requires that you right-click the files and choose the View File Structure command. Then filters and other search tools become available to help you with the investigation. Figure 11-7 shows a suspect’s deleted e-mail folder. Notice that the e-mail is broken out under Deleted Items.dbx and listed as individual files named by e-mail subject. The file contents can be viewed by clicking the file.
Examining Artifacts with FTK
FTK’s operational look and feel is the same for DBX files as it is for PST files. The index and search features are helpful across multiple and large e-mail data containers. Figure 11-8 illustrates how FTK handles Outlook Express e-mail.
Figure 11-7 Viewing Outlook Express e-mail with Guidance Software’s EnCase
Examining Artifacts Using Outlook Express
The process for importing files into Outlook Express is similar to that for importing data files into Microsoft Outlook. We assume that you understand how to perform this task on your own.
Using readDBX
Like its sister program libPST, libDBX contains a program called readDBX. This program, like readPST, allows an examiner to extract the contents of a DBX file into a RFC-compliant UNIX mail format. LibDBX can be found at http://sourceforge.net/projects/ol2mbox/. Downloading the libDBX package and extracting it will place the contents of the package in the libDBX directory. Enter that directory and execute the make command.
Figure 11-8 Viewing Outlook Express e-mail with Forensic Toolkit
You can then execute the readDBX program with the following options:
readdbx - Extract e-mails from MS Outlook Express 5.0 DBX files into mbox format.
File is taken from stdin unless -f is specified.
Output e-mails are written to stdout unless -o is specified
Usage: readdbx [OPTIONS]
Options:
ReadDBX will convert the DBX file into RFC-compliant UNIX mail (mbox format). You can access the extracted mail and attachments with any standard UNIX mail client. For example, to convert a DBX file into UNIX mail format, you would execute this command:
./readdbx -f mydbx.dbx -o mydbx
UNIX E-mail
UNIX mail is commonly used in many organizations, especially among engineering-oriented groups that are accustomed to using Linux and UNIX. With the increasing popularity and ease of use of the Linux desktop, the likelihood of encountering UNIX e-mail is growing.
UNIX Examination Tools
UNIX e-mail, unlike most Windows formats, does not normally contain binary information. Instead, the UNIX e-mail format follows and extends the RFCs and writes out its data as plain ASCII text. Attachments in UNIX mail, however, are MIME encoded, typically as BASE64. This means that while you can search through the text of any e-mail with any standard search tool, you cannot search through the attachments without first decoding the MIME parts. Several mail clients, such as KMail, VM, and Rmail, keep their own variations of the UNIX mailbox format, but they all share these common characteristics.
Examining Artifacts with E-mail Examiner
E-mail Examiner reads UNIX mail files directly. You can import UNIX mail files directly into E-mail Examiner by choosing File | Open Mailbox and selecting the e-mail store. Another method of importing UNIX e-mail is to drag-and-drop it on the program window. The net result and view are the same as in the previous examples using Outlook and Outlook Express.
Examining Artifacts with EnCase
EnCase allows you to search through the text of any e-mail, but you cannot search through the attachments without decoding all of the MIME information.
Examining Artifacts with FTK
FTK’s operational look and feel is the same for UNIX mail files as it is for other types of mail files. The indexing and searching features are still advantageous across multiple and large e-mail data containers.
Examining Artifacts with Grep
One of the beauties of UNIX e-mail is how easy it is to search the mail store with grep and regular expressions, because it's a simple text file. Grep and regular-expression search techniques are covered in the Appendix of this book.
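The limitation noted above, that grep sees the headers and body of a UNIX mail store but not the contents of a BASE64 attachment until the MIME parts are decoded, can be shown with a short script. This is an added example, not code from the book; it uses Python's standard e-mail parsing modules on a constructed two-message mbox store embedded inline, and every address, subject and attachment line in it is invented. The same approach applies unchanged to the Netscape and Mozilla stores covered later, since they are variations of the same mbox format.

```python
"""Search a UNIX mbox store, including inside MIME-encoded attachments.

Added example (not the book's code). The two-message mbox below is
constructed; every address, subject and attachment line is invented.
"""
import base64
import email
from email import policy

# Text of the attachment in message 2. It never appears in clear in the
# mbox file, only as base64, so grep over the store cannot find it.
ATTACHMENT_TEXT = b"Wire the funds to the offshore account on Friday.\n"

# Constructed mbox store: each message starts with an envelope "From " line.
SAMPLE_MBOX = (
    "From alice@example.com Mon Jan  2 10:00:00 2006\n"
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Subject: lunch\n"
    "Content-Type: text/plain\n"
    "\n"
    "Are we still on for lunch?\n"
    "\n"
    "From bob@example.com Mon Jan  2 11:00:00 2006\n"
    "From: bob@example.com\n"
    "To: alice@example.com\n"
    "Subject: the plan\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\n'
    "\n"
    "--XYZ\n"
    "Content-Type: text/plain\n"
    "\n"
    "See attached.\n"
    "--XYZ\n"
    'Content-Type: text/plain; name="notes.txt"\n'
    'Content-Disposition: attachment; filename="notes.txt"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(ATTACHMENT_TEXT).decode("ascii") + "\n"
    "--XYZ--\n"
)


def iter_mbox_messages(mbox_text):
    """Yield each message in an mbox as an EmailMessage.

    Messages are delimited by envelope lines starting with "From " (note
    the space: header lines read "From:"). The envelope line itself is
    not part of the RFC 2822 message, so it is dropped.
    """
    current = []
    for line in mbox_text.splitlines(keepends=True):
        if line.startswith("From "):
            if current:
                yield email.message_from_string("".join(current), policy=policy.default)
                current = []
            continue
        current.append(line)
    if current:
        yield email.message_from_string("".join(current), policy=policy.default)


def raw_search(mbox_text, needle):
    """What grep sees: the store as it sits on disk, attachments still encoded."""
    return [line for line in mbox_text.splitlines() if needle in line]


def decoded_search(mbox_text, needle):
    """Decode every MIME part (base64, quoted-printable) before searching.

    Returns (subject, part name) for each part whose decoded bytes contain
    the needle; "body" marks an unnamed text part.
    """
    hits = []
    for msg in iter_mbox_messages(mbox_text):
        for part in msg.walk():
            if part.is_multipart():
                continue  # containers carry no payload of their own
            payload = part.get_payload(decode=True) or b""
            if needle.encode("utf-8") in payload:
                hits.append((str(msg["Subject"]), part.get_filename() or "body"))
    return hits


if __name__ == "__main__":
    print("grep-style hits for 'offshore':", raw_search(SAMPLE_MBOX, "offshore"))
    print("decoded hits for 'offshore':   ", decoded_search(SAMPLE_MBOX, "offshore"))
```

Run against a real store, `raw_search` is what a grep over the mbox would return, and `decoded_search` is the pass you need before you can say an attachment does not contain a string of interest. Keep the decoded output rather than re-decoding on every search when the store is large.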
Netscape Navigator and Mozilla
The Netscape Navigator and Mozilla mail clients are installed by default with their associated browser suites. These clients are not as popular as MS Outlook or UNIX mail, but they do exist in a number of organizations.
Netscape Navigator and Mozilla Examination Tools
Netscape Navigator and Mozilla have their own extensions of UNIX mail. Similar to UNIX mail, the Netscape and Mozilla files that constitute the e-mail folders are stored in a directory. All of the tools applicable to UNIX mail are applicable in the same way to Netscape Navigator and Mozilla. If you are dealing with these types of mail stores, review the section, “UNIX Examination Tools.”
AOL
AOL is not typically used in corporate environments, but it is popular enough to cover here. If AOL is discovered, the impact can be quite high, because people are more likely to use this for their personal e-mail and let their guard down. Employees are more cautious with their work e-mail than with their play e-mail. It’s also quite possible that workers will take their laptops home and check their AOL home accounts using their work machines.
It is important in this section to differentiate among AOL mail that remains on the AOL server, AOL mail archived on the local machine, and AOL mail that is accessed through a browser. In the following cases, we discuss the investigation of AOL’s client storage archive.
AOL Examination Tools
AOL uses a proprietary format, and only a few tools can read AOL's PFC files. Three tools discussed briefly here are E-mail Examiner, EnCase, and FTK. Another tool that we do not discuss is Hot Pepper Technology's E-mail Detective (www.hotpepperinc.com/emd.html).
Examining Artifacts Using E-mail Examiner
Similar to the process it uses for PST files, E-mail Examiner first converts AOL mail files into a generic mailbox format. Then do the following:
1. Begin the conversion process by starting the AOL Converter, shown in Figure 11-9.
Figure 11-9 The AOL Converter
2. In E-mail Examiner, choose File | Import AOL Files to open the AOL Converter dialog box. If you do not see this command under the File menu, go to Program Files\Paraben Corporation\E-mail Examiner and double-click AOLConverter.exe.
3. In the AOL Converter dialog box, select the AOL files and click Add Files to convert into a generic format.
4. Finally, carefully select the destination directory, and then begin the conversion process by clicking Convert.
5. When the process is completed (it may take some time for large AOL formats), you can view the e-mails in E-mail Examiner. Choose File | Open All E-mails.
6. Select Mailbox type Generic Mail (UNIX/mbox) and find the folder where you chose to output the files when you converted them. When this is completed, you will find the e-mail located in the E-mail Examiner window, as shown in Figure 11-10.
As with dealing with any other format using Paraben’s tool, numerous options and ready reports are available. You can also extract e-mails into EML and generic mailbox formats.
Figure 11-10 E-mail located in E-mail Examiner window
Examining Artifacts Using EnCase
You can use EnCase to find the AOL e-mail archives in their default locations with the provided Initialize Case EnScript. However, EnCase does not currently have the ability to decode the archive. If you are not using the scripts now, you can take advantage of a lot of additional functionality inside EnCase by choosing View | Scripts.
You should be aware of several limitations here. First, the initialize script searches only for the files in specific locations. Second, you need to export the files and use a third-party tool for analysis.
Rather than using EnCase, we recommend that you use E-mail Examiner or FTK.
Examining Artifacts Using FTK
FTK's operational look and feel (Figure 11-11) is the same for AOL mail archives as it is for other types of mail archives. FTK is an easy-to-use tool that decodes the mail archive seamlessly, retrieving e-mail and other items of interest, such as the user's marked favorites.
Figure 11-11 FTK’s main window
Often, multiple mail types appear on a corporate user’s computer. The ability of FTK to search, locate, and import multiple mail formats seamlessly is an asset. If you have a user with an Outlook PST and an AOL account, FTK does an excellent job of retrieving data across the different formats.
WEB-BASED E-MAIL
Web-based e-mail such as Yahoo! and Hotmail challenges investigators to find the e-mail on the computer, reconstruct activity, and identify users in ways that are different from client-based e-mail. Depending on the web mail service, where the e-mail is stored, how it is stored, and other factors, you may find nothing, the entire e-mail, or an e-mail remnant. And if that wasn’t enough, all the major webmail providers now offer 5 or more gigabytes of storage, adding to the volume of e-mail that can be exchanged and stored with webmail providers.
E-mail remnants are fragments of e-mail found on the media during analysis. Examples include previously deleted e-mails, cached web-based e-mail, and partially overwritten e-mails.
For example, web-based e-mail allows users to choose their own e-mail addresses. This makes it more difficult to identify users than with typical corporate e-mail systems. An address that doesn’t definitely identify a user, such as [email protected], makes it difficult to identify a suspect. [email protected] pretty much nails a user’s identity.
Internet-Hosted Mail
Web-hosted e-mail is popular because a number of companies provide free e-mail services from the Internet. The impact to an investigation is high because the content of Internet mail is personal and reveals a lot about the user. Additionally, Internet mail requires credentials, providing further evidence that the user was at the computer during the time the e-mail was read—assuming you can somehow tie the user ID to the suspect. Even so, most users still believe that Internet mail is private and cannot be recovered.
In one recent case involving financial fraud, web-based e-mail was used to identify a single user from more than 200 workers who had shared access to a computer. The user was logging into his e-mail account to delete possible evidence. Using EnCase and a few scripts, we culled the webmail into a readable format. The result was a quick confession and subsequent dismissal.
It takes time and energy to get e-mail logs, attachments, and e-mails from hosted e-mail service providers. In some cases, this effort is definitely warranted. In others, or when you are searching for leads in a case, you will find additional methods useful for recovering cached e-mail. This isn’t a perfect world, and at times these methods will not work. For example, if the suspect is using a privacy-friendly browser, you may have to resort to other evidence or consult the web e-mail hosting company to gather the necessary evidence.
Today’s browsers are increasingly more secure than their predecessors. Users are demanding privacy features and paying a premium for the luxury. Unfortunately, this creates a challenge for the investigator. For example, one browser encrypts the cache with Blowfish Encryption, does not use the registry, and does not use index.dat files. If that’s not bad enough, all of the session data is securely wiped during and after the session is completed. When this occurs, you have moved from a technical problem to a people problem. You must now either confront your suspect to recover encryption keys or request subpoenas against the e-mail provider to allow you to view the suspect’s e-mail logs.
Yahoo! E-mail
We know that end users are more likely to use web-hosted e-mail for personal business because they feel it’s safer. Because of Yahoo!’s popularity and host of services, its webmail is common among end users as a way to handle personal business. The interface is simple, and with Yahoo!’s 100MB free space, there is plenty of room to store information.
Yahoo! Examination Tools
These techniques target recovering e-mails from the Internet cache. You can apply the same techniques to other Yahoo! services to recover information from Yahoo! Groups and other locales by re-creating the suspected event and studying the output.
Some key filenames of interest for Yahoo!-related mail include those beginning with ShowFolder, ShowLetter, Compose, and Attachments. They include the rendered HTML that was on the screen. It is possible to add the .HTM extension to these files and view them in your browser as the user would have seen them. However, in some cases you may have to remove the script that redirects you to the login page. The script exists to determine whether the session is still active. If this is the case, you can remove the script by editing the file in your chosen text editor.
ShowFolder The ShowFolder file lists all of the suspect’s folders on the left side of the screen when viewed in a web page. The body of the page contains e-mail subject lines with the alias of the person who sent the messages, message dates, and the sizes of the e-mails. This is a quick way to view the type of e-mail the user typically receives.
ShowLetter The ShowLetter files contain the opened e-mail as seen by the user. Remember that the files are not binary or encoded files, and you can search them for strings using any tool you want.
Compose The Compose files contain the e-mail to which the user is replying before any modification is done by the user. Additionally, another Compose file is present when the e-mail is sent as a confirmation that the e-mail was sent. This file contains the username and the name(s) of the intended recipient(s). Look for the information immediately following the hidden values:
<input type=hidden name=
This is true for TO, CC, BCC, Subject, and 40 to 60 other fields, depending on the message. What’s amazing, however, is that the entire text of the message is held as a hidden field. Look for the following text:
<input type=hidden name=Body value=
In this particular sample, it looks something like this:
<DIV>
<DIV>You're nuts! There's no way we can get away with
this! I'm not going to join you in selling weapons
Attachments The Attachments file contains the name of any attachments and the person or group of people for whom the e-mail was intended. This file also contains the same hidden fields as the Compose file.
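One way to pull the addressing and body text out of a cached Compose page, as an added example that is not code from the book: the script strips the session-check script, walks each hidden input field in the page, and flattens the HTML held in the Body field to plain text. The sample page is constructed to mirror the layout described above; its addresses, subject, message text, login URL and the extra .crumb field are all invented, and a real cached page carries the 40 to 60 additional hidden fields the text mentions. Stripping every script block is coarser than the book's advice to remove only the redirect script, and the code says so.

```python
"""Recover addressing and body text from a cached Yahoo! Mail Compose page.

Added example, not the book's code. SAMPLE_COMPOSE is a constructed page
modelled on the layout the text describes: a script that checks the
session, then the form's hidden <input> fields. Addresses, subject, body,
the login URL and the .crumb field are invented.
"""
import re
from html import unescape

SAMPLE_COMPOSE = """<html><head><title>Yahoo! Mail - Compose</title>
<script type="text/javascript">
if (top.location != self.location) { top.location = "https://login.example.com/"; }
</script>
</head><body>
<form method=post action="Compose">
<input type=hidden name=Subject value="Friday delivery">
<input type=hidden name=TO value="bob@example.com">
<input type=hidden name=CC value="">
<input type=hidden name=BCC value="carol@example.com">
<input type=hidden name=Body value="<DIV>
<DIV>Meet at the usual place at 9.</DIV>
<DIV>Bring the documents &amp; the cash.</DIV></DIV>">
<input type=hidden name=.crumb value="AbCdEf">
<input type=submit name=Send value="Send">
</form></body></html>"""

SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)
INPUT_RE = re.compile(r"<input\b", re.I)
# attribute name, then an optional ="double" | 'single' | bare value
ATTR_RE = re.compile(r"""([\w:.-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?""")
TAG_RE = re.compile(r"<[^>]+>")


def strip_redirect_scripts(html):
    """Remove every <script> block. The text removes only the script that
    bounces the viewer to the login page; dropping all of them is coarser
    but safe for a page that is about to be opened offline in a browser."""
    return SCRIPT_RE.sub("", html)


def _parse_tag_attrs(html, pos):
    """Parse attributes from pos (just past "<input") up to the tag's ">".

    A hand-rolled scanner rather than a whole-tag regex because the Body
    value is HTML: quoted values legitimately contain "<" and ">".
    Returns (attrs, position of the closing ">" or "/").
    """
    attrs = {}
    while pos < len(html):
        if html[pos].isspace():
            pos += 1
            continue
        if html[pos] in ">/":
            break
        m = ATTR_RE.match(html, pos)
        if not m:
            break  # malformed tag: stop rather than guess
        value = next((v for v in m.group(2, 3, 4) if v is not None), "")
        attrs[m.group(1).lower()] = unescape(value)  # attribute-level entity decode
        pos = m.end()
    return attrs, pos


def hidden_fields(html):
    """Map name -> value for every <input type=hidden>, in document order."""
    fields = {}
    pos = 0
    while True:
        m = INPUT_RE.search(html, pos)
        if m is None:
            return fields
        attrs, pos = _parse_tag_attrs(html, m.end())
        if attrs.get("type", "").lower() == "hidden" and "name" in attrs:
            fields[attrs["name"]] = attrs.get("value", "")


def html_to_text(fragment):
    """Flatten the HTML held in the Body field to one line of plain text."""
    return re.sub(r"\s+", " ", unescape(TAG_RE.sub(" ", fragment))).strip()


def compose_summary(html):
    """The fields an examiner wants first from a cached Compose page."""
    fields = hidden_fields(strip_redirect_scripts(html))
    return {
        "to": fields.get("TO", ""),
        "cc": fields.get("CC", ""),
        "bcc": fields.get("BCC", ""),
        "subject": fields.get("Subject", ""),
        "body": html_to_text(fields.get("Body", "")),
    }


if __name__ == "__main__":
    for key, value in compose_summary(SAMPLE_COMPOSE).items():
        print(f"{key:>8}: {value}")
```

`hidden_fields` returns every hidden field, not just the five summarized, so the same pass covers the Attachments file and whatever other fields a given message carries; `strip_redirect_scripts` gives you a copy you can rename to .HTM and open in a browser without being bounced to the login page.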
Examining Yahoo! E-mail Artifacts Using EnCase
EnCase does an excellent job of locating specific strings and ordering files. The search capabilities allow you to find files and e-mail remnants, but it will take time on large volumes. To find Yahoo! files, use the following grep expression for your search. You can export your findings or use an external viewer if you have one.