window.open("http://mail.yahoo.com", "_top"
One of the strengths of EnCase is the ease of ordering every file in the system by date, regardless of where the file resides in the hierarchical folder structure. We have used this feature to tie other computer-related events into a cohesive timeline rather quickly.
Examining Yahoo! E-mail Artifacts Using FTK
FTK is by far the fastest tool for searching through e-mail files. After acquiring and adding your evidence to FTK, select the Overview tab and then click the Documents button under File Category, as shown in Figure 11-12. FTK is smart enough to recognize these documents as HTML files and will render them as the suspect saw them on his or her computer. In the bottom pane, you can browse through documents until you find something of interest.
Remember, however, that much of the text does not show up here, but is actually in the source of the message as a hidden field. Right-click documents and use the viewer of your choice to see whether more information is contained in the source of the file.
Also remember the powerful indexed searching. If you are looking for something specific enough, you should start with those search terms and try to find corresponding e-mail messages.
Figure 11-12 The Overview tab contents
Examining Yahoo! E-mail Artifacts Using Open Source Tools
Essentially, once you have the suspect’s hard drive, you can find the location of the temporary Internet files. From there, carve out and manipulate the files of interest with the tools you’re most comfortable using. This works because the files are not encoded. You can use any tool you want on the files, such as grep or strings.
Hotmail E-mail
As the popularity of this hosted service has grown, so has the use of Hotmail on corporate assets. Again, because of the usually personal nature of web-hosted e-mail, the impact and subsequent risk rating is high.
Hotmail Examination Tools
The tools and methods are the same as those of other types of e-mail, but the files are different for Hotmail. The files of interest are those beginning with Hotmail, doaddress, getmsg, compose, and calendar. When you’re viewing the files in FTK, they will render as obviously Hotmail files and will have the e-mail data in the viewing window.
Here is a search expression to find Hotmail files:
/cgi-bin/dasp/E?N?/?hotmail_+#+.css
Hushmail E-mail
Although it is still used less often than Yahoo! or Hotmail, Hushmail is growing in popularity. People value their privacy. Employees using Hushmail for personal communications may believe no one can gather any information about their e-mail activities. These employees tend to risk more in their communications.
Hushmail Examination Tools
What employees usually don’t know is that Hushmail never promises client-side security, only security in transit and storage. Depending on how you want to approach the case, you can search for the individual files or use a low-level search for the specific strings. The files are titled beginning with showMessagePane. If you try to view the files as HTML files, you will miss most of the information that is buried in the message source.
To dig into the files or search for e-mail remnants, search for the e-mail field you want to find in this format:
hushAppletFrame.message.
Figure 11-13 is a screenshot of EnCase being used to find the message inside the file by searching for hushAppletFrame.message and looking for the large splash of highlighted files. This allowed us to clue into the message body and other details rather quickly.
The following is from the source of an e-mail using Hushmail and helps illustrate the fields. Notice that the message body is located in the source, but if you render this in a browser, you will miss this information.
hushAppletFrame.message.from = "George Henderson
hushAppletFrame.message.replyto = "George Henderson
hushAppletFrame.message.to = "Dan Wilkins
[email protected]";
hushAppletFrame.message.cc = "";
hushAppletFrame.message.bcc = "";
hushAppletFrame.message.date = "Sun, 27 Jun 2004 18:34:59 -0700";
hushAppletFrame.message.subject = "RE: What to take on the trip";
hushAppletFrame.message.hushEncryption = "";
hushAppletFrame.message.hushKeyblock = "";
hushAppletFrame.message.body = "Yes - do that.\r\n\r\nDan Wilkins wrote:Yeah, I agree. This too much money and too easy.
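Because the message fields are JavaScript assignments rather than rendered HTML, the practical way to recover them from a carved showMessagePane file is to parse the assignments directly instead of viewing the file in a browser. The script below is an added example, not code from the book: it extracts every hushAppletFrame.message.* field into a dictionary, tolerates the assignment being split across lines (as in the listing above), and decodes the JavaScript escapes so the \r\n sequences in the body become real line breaks. The sample source embedded in it is constructed for the example; the e-mail addresses in it are placeholders.

```python
import re

# Constructed sample, patterned on the page source shown in the text.
# Addresses use a reserved .invalid domain; they are not real mailboxes.
SAMPLE_SOURCE = r'''
<html><body><script>
hushAppletFrame.message.from = "George Henderson <george@example.invalid>";
hushAppletFrame.message.replyto
  = "George Henderson <george@example.invalid>";
hushAppletFrame.message.to = "Dan Wilkins <dan@example.invalid>";
hushAppletFrame.message.cc = "";
hushAppletFrame.message.bcc = "";
hushAppletFrame.message.date = "Sun, 27 Jun 2004 18:34:59 -0700";
hushAppletFrame.message.subject
  = "RE: What to take on the trip";
hushAppletFrame.message.hushEncryption = "";
hushAppletFrame.message.hushKeyblock = "";
hushAppletFrame.message.body =
  "Yes - do that.\r\n\r\nDan Wilkins wrote:Yeah, I agree. This too much money and too easy.";
</script></body></html>
'''

# One assignment: field name, then a double-quoted JS string literal, then ';'.
# re.S lets the whitespace around '=' span a line break.
FIELD_RE = re.compile(
    r'hushAppletFrame\.message\.(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;',
    re.S,
)

_JS_ESCAPES = {'r': '\r', 'n': '\n', 't': '\t', '"': '"', '\\': '\\', '/': '/'}


def js_unescape(s):
    """Decode the backslash escapes a JS string literal may contain."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append(_JS_ESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def parse_hushmail_source(text):
    """Map of field name -> decoded value for every message field found."""
    return {name: js_unescape(value) for name, value in FIELD_RE.findall(text)}


def body_lines(fields):
    """Split the body on CRLF so quoted reply text reads as separate lines."""
    return fields.get('body', '').split('\r\n')


if __name__ == '__main__':
    msg = parse_hushmail_source(SAMPLE_SOURCE)
    for key in ('from', 'to', 'cc', 'bcc', 'date', 'subject'):
        print(f'{key:8s} {msg.get(key, "")!r}')
    print('body:')
    for line in body_lines(msg):
        print('  ' + line)
```

Run it against the raw bytes of a carved file decoded as text; empty fields such as cc and bcc come back as empty strings rather than being dropped, which matters when documenting exactly what the source recorded.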
Figure 11-13 EnCase finding a message inside a file
INVESTIGATING E-MAIL HEADERS
E-mail headers contain general information including the e-mail addresses of who apparently authored the e-mail and the recipient of the e-mail. E-mail headers also contain routing information from the point of origin to the final destination. The servers assemble this information en route to the final destination and attach it to the top of the e-mail. Sometimes, depending on the client used and the e-mail servers, the information contained in the headers helps the examiner trace the origin of the e-mail back to the sender’s computer or Internet connection. Other information found in headers includes the type of e-mail client used, the e-mail gateway used, and the names of e-mail attachments. This information is helpful to investigators because it helps tell the full story of what happened or points to other areas to investigate. The headers are constructed more or less uniformly across web-hosted and client-based e-mail.
E-mail Headers
The popularity and simplicity values of e-mail headers are high because e-mail programs automatically generate e-mail headers as part of RFC-822. Despite the ability to spoof e-mail headers, they are typically accurate in civil cases where it matters (spam aside). The impact to an investigation depends on the nature of the investigation. If e-mail is part of the crime, you must verify header information during your fact-finding routine. E-mail headers have influenced investigations by identifying the originating source of information, the type of computer the suspect may be using, and the completeness of a seizure, among other things.
In one recent example, federal authorities investigated a young man for creating an automatic key generator for a well-known piece of software. The expensive software suite normally sold for hundreds of thousands of US dollars, but the suspect advertised a key generator on his Web site for only $10. As part of the seizure, the authorities took the user’s work computer and his home computers. The suspect verified that the authorities had seized all of the home computers.
Further investigation suggested the suspect withheld evidence from the legal seizure of his computers because of information contained in e-mail headers. The examiner discovered e-mails on the work asset sent from the user’s home network. The e-mail headers contained information about an e-mail client program that was not on any of the computers seized from his home. The net result? The suspect must have used another computer from his home network to send e-mail, and this meant the suspect may have lied about the completeness of the seizure.
When the authorities confronted the suspect because of this find, he caved in and quickly confessed that he had one more computer in the house. This computer had the hard evidence that nailed him.
Examine E-mail Headers
E-mail headers reveal key information about the suspect’s computer, the client used, and sometimes the approximate geographic location of the originating e-mail. When you find the e-mail headers, copy and paste them into your logs or text document of choice for easy viewing. This isn’t to say that e-mail headers are completely trustworthy, because they can be spoofed. The only authoritative information included in a header is what is inserted by the routing servers. Now let’s take a look at some e-mail headers.
E-mail Header Components
A typical e-mail header might look something like this:
From root Mon Jan 6 04:02:16 2003
Return-Path:
Received: (from root@localhost)
by fw (8.11.6/8.11.6) id h06A2FZ01645
for root; Mon, 6 Jan 2003 04:02:15 -0600
Date: Mon, 6 Jan 2003 04:02:15 -0600
From: root
Message-Id: <200301061002.h06A2FZ01645@fw>
To: root@fw
Subject: LogWatch for fw
X-IMAPbase: 1010645096 1016
Status: RO
X-Status:
X-Keywords:
X-UID: 819.
From: The From: line, with a colon, identifies the sender of the message. Unfortunately, this is the easiest component to forge and hence the most unreliable.
From The From line, without a colon, is distinctly different from the From: line in the mail user interface and is not actually part of the e-mail header. This line is often inserted by mail servers upon receiving the mail. This is especially common for UNIX mailers, which use this line to separate messages in a mail folder. This line can also be forged, though not in every case.
Reply-To: or Return-Path: This line contains the e-mail address for sending replies. This is an easy component to forge and is often not in the headers. In the world of spam, this line is helpful. This field is usually legitimate because spammers want to make money off their e-mail orders.
Sender: or X-Sender The way this is supposed to work is that mail software inserts this line if the user modifies the From: line. However, most of the mailers ignore this rule, so this line is rarely present.
Message-ID: This is a unique string assigned by the mail system when the mail is created. This is more difficult to forge than the From line, but not impossible.
Received: These are the most reliable lines in the header and can be quite useful in identifying date/time approximations and geographic locations. They form a list of all sites through which the message traveled en route to the recipient. They are forgeable up to the point the message is inserted into the Internet on its way to the recipient. After this, they are authoritative and accurate.
Received: lines are added to the top of the headers as they pass through the mail servers. Therefore, they are read from bottom to top beginning with the server that first handled the e-mail and ending with the server that delivered it to the final recipient. The last (bottom) nonforged Received: line shows the likely starting point for the e-mail.
One easy way to identify fake Received: lines includes using nslookup to identify the purported sender. In the following example, mail.yahoo-store.com does not match the given IP address of 64.70.43.79, and instead reveals the message came from mx1.real-coupons.com. Some mail servers will do the reverse lookup for you, as illustrated here:
Received: from mail.yahoo-store.com (HELO mx1.real-coupons.com) (64.70.43.79)
by mta291.mail.scd.yahoo.com with SMTP; Tue, 25 May 2004 17:24:13 -0700
Other obvious things to check are the time stamps and IP addresses. If the time stamps between successive servers show a negative elapsed time, one of them is likely forged. The headers are also likely forged if the IP address contains a number greater than 255 or is an internal address such as 10.x.x.x, 192.168.x.x, 172.16.x.x, or 127.x.x.x.
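The checks just described (reading Received: lines from the bottom up, looking for a negative time step between hops, spotting octets above 255 or internal addresses, and comparing the claimed host name with the HELO name the receiving server recorded) can be scripted over pasted headers. The following is an added example and not part of the book; it uses only the Python standard library. The sample header block is constructed: the first Received: line is the one quoted above, and the two beneath it were made up so that each check has something to flag. reverse_dns is the nslookup step and is the only function that touches the network.

```python
import re
import ipaddress
import socket
from email.utils import parsedate_to_datetime

# Constructed sample. Top line is the Received: line quoted in the text; the
# two below it are made up (private source address, impossible octet,
# and a time stamp that goes backwards between hops).
SAMPLE_HEADERS = """\
Received: from mail.yahoo-store.com (HELO mx1.real-coupons.com) (64.70.43.79)
  by mta291.mail.scd.yahoo.com with SMTP; Tue, 25 May 2004 17:24:13 -0700
Received: from [192.168.1.5] (helo=bogus.example) by mail.yahoo-store.com
  with ESMTP; Tue, 25 May 2004 17:30:00 -0700
Received: from 300.12.1.1 by relay.example with SMTP; Tue, 25 May 2004 17:20:00 -0700
From: "Sales" <sales@example.invalid>
Subject: constructed sample
"""

IPV4_RE = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b')
HELO_RE = re.compile(r'from\s+(\S+)\s+\(HELO\s+(\S+)\)', re.I)


def unfold_headers(text):
    """Return (name, value) pairs; RFC 822 continuation lines are joined."""
    fields = []
    for line in text.splitlines():
        if line[:1] in (' ', '\t') and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + ' ' + line.strip())
        elif ':' in line:
            name, value = line.split(':', 1)
            fields.append((name.strip(), value.strip()))
    return fields


def received_hops(text):
    """Received: values in transit order: earliest hop (bottom line) first."""
    return [v for n, v in unfold_headers(text) if n.lower() == 'received'][::-1]


def ip_issues(ip):
    """Reasons an address cannot be a real Internet-facing sender."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:                      # e.g. an octet above 255
        return ['octet out of range']
    if addr.is_loopback:
        return ['loopback']
    if addr.is_private:                     # 10/8, 172.16/12, 192.168/16, ...
        return ['private/non-routable']
    return []


def hop_time(value):
    """Time stamp the receiving server wrote after the last ';'."""
    return parsedate_to_datetime(value.rsplit(';', 1)[-1].strip())


def time_anomalies(hops):
    """(hop index, delta seconds) for hops stamped earlier than the hop before."""
    times = [hop_time(h) for h in hops]
    out = []
    for i in range(1, len(times)):
        delta = (times[i] - times[i - 1]).total_seconds()
        if delta < 0:
            out.append((i, delta))
    return out


def helo_mismatch(value):
    """(claimed name, HELO name) when the server recorded both and they differ."""
    m = HELO_RE.search(value)
    if m and m.group(1).lower() != m.group(2).lower():
        return m.group(1), m.group(2)
    return None


def reverse_dns(ip):
    """PTR lookup, the nslookup step; None when offline or no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def analyse(text):
    """One list of findings per hop, earliest hop first."""
    hops = received_hops(text)
    negatives = dict(time_anomalies(hops))
    report = []
    for i, hop in enumerate(hops):
        findings = []
        for ip in IPV4_RE.findall(hop):
            findings += [f'{ip}: {x}' for x in ip_issues(ip)]
        mm = helo_mismatch(hop)
        if mm:
            findings.append(f'claims {mm[0]} but said HELO {mm[1]}')
        if i in negatives:
            findings.append(f'stamped {abs(negatives[i]):.0f}s before previous hop')
        report.append(findings)
    return report


if __name__ == '__main__':
    for i, findings in enumerate(analyse(SAMPLE_HEADERS)):
        print(f'hop {i}:', findings or 'no anomalies')
```

The report is ordered the way the text says to read the headers, so the first entry is the hop closest to the purported origin; a clean bottom hop followed by anomalies higher up usually means the lower lines were inserted by the sender.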
E-mail Header Locations
E-mail header locations for popular mail programs are provided in Table 11-3. If you are working with another mainstream product or an esoteric mail reader, take a look at www.spamcop.net for information on how to find the e-mail headers.
Table 11-3 Header Locations for Popular Mail Programs
CHAPTER 12
TRACKING USER ACTIVITY
During a forensics investigation, you’ll spend most of your time reconstructing and tracing the actions that a suspect has taken. This can include web pages the suspect visited, documents he created, and other data he may have modified. Finding this evidence is only the first step in the process, however. You must be able to tie that evidence back to the suspect. What good is an incriminating Word document if you can’t prove who wrote it?
Especially in the field of digital forensics, proving who was sitting at the keyboard and where documents originated is not a trivial task. Think back to the news reports of e-mail viruses running rampant. Most of these viruses took advantage of the Office macro language to spread automatically across the Internet. When the writers were caught, it was usually because authorities found some distinctive fingerprint in the code that pointed them to a suspect. For Office files, as will be discussed later in the chapter, this could be a Media Access Control (MAC) address, a unique identifier, or a timeline reconstructed from metadata. For web browsers, this involves investigating the history and using the cache files and cookies to reconstruct where a suspect went on the Internet and what he did while visiting those sites. The purpose of this chapter is to show you how to perform this digital sleuthing in a way that will stand up in court.
MICROSOFT OFFICE FORENSICS
Office has become ubiquitous in today’s modern business world. As such, investigators frequently have to investigate incidents that involve Word documents. This can be trickier than it initially sounds. How do you prove that the suspect wrote the content in the document? How can you tie that document to a specific computer? What methods exist to subvert the Word user-tracking facilities and how can you tell when someone has tried to subvert tracking? With a bit of sound investigation and a couple of tricks, you can pull a surprising amount of information from Word documents, Excel spreadsheets, and other Office applications that can give you a clear picture of the timeline of events.
Since the release of Office 97, Microsoft Office has been notorious for storing a wealth of sensitive information about who authored the document. For example, if you are lucky enough to be working with a document that was modified with Track Changes turned on, you can pull a lot of data out of the document. The file stores who made modifications and all the content that was ever included in the document, even if it was deleted, plus information about the filenames and to whom the document was e-mailed. This can be incredibly useful in the process of re-creating a timeline.
Microsoft has released a utility called rdhtool.exe for Office 2003 that strips Office documents of all of this metadata. If you stumble onto a document that has no metadata at all, this tool may have been used to cover someone’s tracks or as a matter of practice. Take this information in context and make note of the omission in your report.
E-mail Review
This first appeared in Office 2002 and can be incredibly useful in tying a specific user to a document. When you e-mail a document for review, you may see a dialog box like this when you open the document again:
The sequence of events that causes this dialog to appear can provide some very important forensic data. Let’s examine this process in detail. When you send an Office document for review in Outlook, several custom properties tags are placed into the metadata of the file. We show the five most important of these tags in the following table.
To view this data in any Office application, choose File | Properties, and then click the Custom tab. You will see a Properties dialog similar to that shown in Figure 12-1. As the figure shows, the information contained in custom tags is incredibly useful for tying a user to a document.
Let’s turn our attention for a second to the tag _ReviewCycleID. As you can see from Figure 12-1, this is a number that appears to be some kind of identifier. In fact, it’s the number that Office uses to determine whether it needs to merge changes back into an original document. So the next natural question is, Where does Office store the ID number outside the document for comparison? Actually, an old .ini-style file is placed in the user’s Application Data folder, which stores all this information. The file is placed in
view.rcd created for our file:
[DocSlots]
NextDoc=29
Doc22=3839962597
Doc24=1518299362
Doc26=1030839747
Doc28=4246392232
…
[4246392232]
Path=C:\Documents and Settings\Aaron Philipp\Desktop\Forensics Exposed\Chapter 12 data\figure 2.doc
Slot=Doc28
Url=file:///C:/Documents%20and%20Settings/Aaron%20Philipp/Desktop/Forensics%20Exposed/Chapter%2012%20data/figure%202.doc
Figure 12-1 The custom tags that Outlook adds to an Office document
Recall from Figure 12-1 that the _ReviewCycleID property value for our document was 4246392232. As you can see in the snippet from Review.rcd, an entry for this document shows that it was in fact e-mailed from this machine by username Aaron Philipp. Not only that, but the e-mail address (property value _AuthorEmail) from which it was sent and the subject of the e-mail (property value _EmailSubject) are also displayed, so you should be able to go back through the Exchange server and dig up the message itself.
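The correlation described above, from the _ReviewCycleID read out of the document's custom properties to the matching section of Review.rcd, is mechanical enough to script, and scripting it also lets you sanity-check the file itself. The code below is an added example, not part of the book: it parses the .ini-style file with the standard library, returns the section recorded for a given review cycle ID, verifies that the section's Url decodes to the same path as its Path line, and lists slot entries whose section is absent or whose Slot value disagrees. The embedded Review.rcd is constructed from the snippet above; the second section in it is invented for the example.

```python
import configparser
from urllib.parse import unquote, urlparse

# Constructed Review.rcd. The [DocSlots] entries and the 4246392232 section
# follow the snippet in the text; the 1030839747 section is made up.
SAMPLE_RCD = """\
[DocSlots]
NextDoc=29
Doc22=3839962597
Doc24=1518299362
Doc26=1030839747
Doc28=4246392232

[4246392232]
Path=C:\\Documents and Settings\\Aaron Philipp\\Desktop\\Forensics Exposed\\Chapter 12 data\\figure 2.doc
Slot=Doc28
Url=file:///C:/Documents%20and%20Settings/Aaron%20Philipp/Desktop/Forensics%20Exposed/Chapter%2012%20data/figure%202.doc

[1030839747]
Path=C:\\Documents and Settings\\Aaron Philipp\\My Documents\\notes.doc
Slot=Doc26
Url=file:///C:/Documents%20and%20Settings/Aaron%20Philipp/My%20Documents/notes.doc
"""


def load_rcd(text):
    """Parse Review.rcd; interpolation is off so '%20' in Url= is left alone."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str          # keep Doc28 / Path / Url case as stored
    cfg.read_string(text)
    return cfg


def slot_table(cfg):
    """slot name -> review cycle ID from [DocSlots]; NextDoc is just a counter."""
    return {k: v for k, v in cfg['DocSlots'].items() if k != 'NextDoc'}


def lookup_review_cycle(cfg, review_cycle_id):
    """Section recorded for the _ReviewCycleID read from the document, or None."""
    sid = str(review_cycle_id)
    return dict(cfg[sid]) if cfg.has_section(sid) else None


def url_matches_path(entry):
    """True when the file: URL decodes to the same Windows path as Path=."""
    url_path = unquote(urlparse(entry['Url']).path).lstrip('/')
    return url_path.replace('/', '\\') == entry['Path']


def inconsistencies(cfg):
    """Slot entries with no section, or a section whose Slot= disagrees."""
    out = []
    for slot, cid in slot_table(cfg).items():
        if not cfg.has_section(cid):
            out.append(f'{slot} -> {cid}: no section')
        elif cfg[cid].get('Slot') != slot:
            out.append(f'{slot} -> {cid}: section says Slot={cfg[cid].get("Slot")}')
    return out


if __name__ == '__main__':
    cfg = load_rcd(SAMPLE_RCD)
    entry = lookup_review_cycle(cfg, 4246392232)   # value from the document
    print('Path:', entry['Path'])
    print('URL agrees with Path:', url_matches_path(entry))
    for line in inconsistencies(cfg):
        print('note:', line)
```

Missing sections are expected when the snippet is elided or the user has since reviewed other documents, so treat them as context rather than proof of tampering; a section whose Slot disagrees with [DocSlots] or whose Url and Path do not describe the same file is the finding worth writing up.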
Recovering Undo Information
If a Word document is saved with Quick Save turned on, you can extract the undo information from the document. Look at the document shown in Figure 12-2. It seems to contain only one sentence.
Hacking Exposed Page 26