Chapter 10. Investigating and Scrutinizing E-mail

E-MAIL IS THE ELECTRONIC EQUIVALENT of a letter or a memo. Computers and servers retain these electronic messages in digital format. An e-mail may include attachments or enclosures. Organizations and individuals use e-mail for communicating sensitive, protected, or confidential information. E-mail is also a very common method for distributing intellectual property, such as client lists or copyrighted material. You can send e-mail from desktop and laptop computers and from other portable devices, such as mobile phones and personal digital assistants (PDAs).

E-mail creates a security vulnerability. It is a virtual door that leads directly into a network and indirectly into every desktop. In its natural form, e-mail is as secure as a postcard: Anyone can easily see its contents as it passes through the networks. Hackers can use e-mail to sneak into a network. Staff can use it to send secrets out of a company. Attackers can also use e-mail as a portal for data destruction.

Investigating, recovering, and analyzing e-mail is one of the most common system forensics activities. E-mail is a starting point or key element in forensic investigations. A forensic investigator can examine e-mail and identify what messages have been sent, when, and to whom. An investigator can also use information contained in e-mail to show a pattern of behavior. An e-mail investigation may involve corporate e-mail or Web-based mail, such as Gmail or Hotmail. The evidence from an e-mail investigation can be enough to show that other systems, possibly in a third party's control, may need investigating. In addition, an investigation may lead you to research a piece of received e-mail as a way of tracking down its source or author. This chapter discusses some of the issues related to investigating and scrutinizing e-mail.

The Roles of Mail Servers and E-mail Clients

Different types of devices and methods generate e-mails. Most commonly, a user composes a message on his or her computer and then sends it to his or her mail server. At this point, the user's computer is finished with the job, but the mail server still has to deliver the message. A mail server is like an electronic post office: It sends and receives electronic mail. Most of the time, the mail server is separate from the computer where the mail was composed, as shown in Figure 10-1.

Note

Microsoft Exchange Server and Sendmail are examples of mail servers.

Figure 10-1. Generating e-mail.

Figure 10-2. Delivering e-mail.

The sender's mail server forwards the message through the organization's network or the Internet to the recipient's mail server (see Figure 10-2). The message then resides on that second mail server and is available to the recipient. The software program used to compose and read e-mail messages is the e-mail client.

Note

Some of the most commonly used e-mail clients are Microsoft Outlook, Yahoo! Mail, Hotmail, Windows Live Mail, Apple Mail, Gmail, and AOL.

Depending on how the recipient's e-mail client is configured, copies of the message may exist in a number of places. The recipient's computer, another electronic device such as a smartphone or a PDA, and the mail server or its backups may all hold copies of the message. In addition, the sender's computer may still hold a copy of the message in the Sent box or trash folder, and the sender's mail server or its backups may also have a copy. Any of the servers that relay the message from the sender to the recipient may also retain a copy of the e-mail message. The number of relay "hops" may be only one if the sender and recipient are on the same network. Transmitting a message to a remotely located recipient might require many hops.

Tip

Regardless of the type of e-mail client used, a message can be stored in multiple locations. Consider obtaining a message from as many sources as possible.

A forensic investigation of e-mail might reveal information such as the following:

  • E-mail messages related to the investigation

  • E-mail addresses related to the investigation

  • Sender and recipient information

  • Content of the communications

  • Internet Protocol (IP) addresses

  • Date and time information

  • User information

  • Attachments

  • Passwords

  • Application logs that show evidence of spoofing

The following sections describe how an investigator can find such information.

Understanding E-mail Headers

You can use various methods to create and send an e-mail message. An e-mail message's appearance depends on the device or software program you use. However, a message typically has several common parts:

  • Header—The e-mail header contains addressing information and the route that an e-mail takes from sender to receiver.

  • Body—The e-mail body contains the communication's content.

  • Attachments—E-mail attachments may be any type of file, such as pictures, documents, sound, and video.

Make sure that any e-mail you offer as evidence includes the message, any attachments, and the full e-mail header.

The header keeps a record of the message's journey as it travels through the communications network. As the message is routed through one or more mail servers, each server adds its own information to the message header. Each device in a network has a numeric label called an Internet Protocol (IP) address that identifies the device and provides a location address. The IP address is the virtual equivalent of a street address for a computer on a network. A forensic investigator may be able to identify IP addresses from a message header and use this information to determine who sent the message.

Tip

Internet Protocol (IP) is the protocol that networks use to communicate data to other networks. IP is the primary protocol in the Internet layer of the Internet Protocol suite. Its job is to deliver data packets from the source host to the destination host, based on their IP addresses.

Most e-mail programs normally display only a small portion of the e-mail header along with a message. This usually is information that the sender puts in the message, as shown in Figure 10-3. You can view and examine the full header record by using tools available in the e-mail client.

An e-mail investigation begins with a review of an e-mail message followed by a detailed examination of the message header information. The e-mail message shown in Figure 10-3 shows the limited header display generally provided. Look at the header in more detail to find additional information associated with the e-mail message. The message header provides an audit trail of every machine through which the e-mail has passed.

Note

Every machine identified in the e-mail header could have accessed, retained a copy of, or altered the e-mail message.

Figure 10-3. Components of an e-mail message.

Viewing an E-mail Header

How you look at the entire header depends on the e-mail client. For example, follow these steps to view the header information in Microsoft Outlook 2007:

  1. Open the message whose header you want to examine.

  2. On the Message tab, click the arrow to the right of Options. A new dialog appears, with the header in the bottom section.

To see the header information in Windows Live Mail, follow these steps:

  1. Open the message whose header you want to examine.

  2. Select File, Properties.

  3. In the dialog that appears, select the Details tab. The window in this tab shows the complete header information.

  4. To see the entire message, including the complete header, click Message Source. A dialog appears, showing this information.

As another example, these steps will let you view the header information in Gmail:

  1. Open the message whose header you want to examine.

  2. In the message's top-right corner, click the downward-pointing arrow and select Show Original. A new browser tab opens, showing the complete message, including the entire header.

To see the header information in Yahoo! Mail, use these steps:

  1. Open the message whose header you want to examine.

  2. Select Actions, View Full Header. A dialog appears, showing the complete header information.

Note

Copies of a message on the sender's system don't show a message's routing path. The routing path is available only on the recipient system. Further, a typical e-mail client provides no assurance that the recipient has received and read an e-mail message. In some cases, a sender requests a message receipt. However, the recipient can choose not to provide a receipt.

Every e-mail message has a header, no matter what client and Internet service provider (ISP) an organization or individual uses. Finding the header information generally requires a few simple steps that are easy to figure out by poking around in the client.

Interpreting an E-mail Header

Reconstruct an e-mail's journey by reading the e-mail header from bottom to top. The "From:" line shows the e-mail's source. As the message passes through mail servers, each mail server adds its information above the previous information in the header in a "Received:" line. The "Received:" lines list every point the e-mail passed through on its journey, along with the date and time.

One of the most important pieces of information for you to obtain from the detailed header is the originating IP address. In the example shown in Figure 10-4, the originating IP address is 165.247.94.223.

Note

E-mail clients allow senders to defer and manually initiate or schedule the time they send an e-mail. Also, some servers send e-mails at a certain prescheduled time. Either of these situations could allow an individual to be at another location at the time an e-mail message is actually sent. Therefore, the times shown in the header may not be able to verify the sender or receiver location at any point in time.

The information in an e-mail header does not always tell a simple story. For example, anything up to the topmost "Received:" line in a message header can be faked, or spoofed. (Spoofing is discussed later in this chapter.) If a message header contains inconsistent information, the e-mail message may have been spoofed.

Times shown in e-mail headers do not always appear to be consistent. Different servers in different parts of the world and in different time zones may have added timestamps. In addition, clocks built into computer systems may not always be accurate. Scrutinize timestamps in headers, look for apparent inconsistencies, and identify clues that validate the message authenticity.

Figure 10-4. An e-mail header.

E-mail Tracing

E-mail tracing involves examining e-mail header information to look for clues about where a message has been. This will be one of your more frequent responsibilities as a forensic investigator. You will often use audits or paper trails of e-mail traffic as evidence in court.

After a suspect comes to the authorities' attention, your organization may ask you to monitor that person's traffic. For example, administrators might order security checks on an employee who appears to be disgruntled or who has access to sensitive information. This employee's e-mail logs and network usage may, for example, show him or her sending innocent family photos to a Hotmail account but no traffic coming back from that Hotmail account. These seemingly innocent photos might carry a stego message, and so provide evidence of the employee's part in corporate espionage. As discussed in Chapter 8, "Understanding Information-Hiding Techniques," steganography is a process in which someone buries the 1s and 0s of digital text or images inside the pixels of ordinary-looking photographs. Your job may be to determine whether the employee possesses a steganography program.

Forensic e-mail tracing is similar to traditional gumshoe detective work. It involves looking at each point through which an e-mail passed. Work step-by-step back to the originating computer and, eventually, the perpetrator.

An e-mail message may travel through machines outside a company's network. In these cases, try sleuthing tools such as Whois (available at many sites, such as http://www.whois.com) or BetterWhois (http://www.betterwhois.com) to do further tracking. These services search databases that record online users and their IP addresses. For example, running a Whois search on a domain name such as XYZ.com will identify the name and address of the domain name's holder, administrative and technical points of contact, and the domain name servers responsible for the domain. In some cases, you may need a more sophisticated tracing tool such as Webtracer (http://www.webtracer.com).

If an address isn't fake, determine who used the machine at the time the suspect message was sent. For example, say that an attacker used a school or library computer to send a bomb threat through a commercial e-mail account. In this case, the logon times in the school's or library's sign-on logs might be helpful.

Faking E-mail

Sophisticated suspects may fake their e-mail messages. Some of them use e-mail programs that strip the message header from the message before delivering it to the recipient. Or they may bury the message header within the e-mail program. In other cases, the "From:" line in a message header is fake. Offenders may "steal" someone else's e-mail account or set up a temporary, bogus account. The following sections look at some common methods of faking e-mails: spoofing, anonymous remailing, using mail relays, spamming, stealing, and using bogus accounts.

Spoofing

Spoofing involves making an e-mail message appear to come from someone or someplace other than the real sender or location (see Figure 10-5). The e-mail sender uses a software tool that is readily available on the Internet to cut out his or her IP address and replace it with someone else's address. However, the first machine to receive the spoofed message records the sending machine's real IP address. Thus, the header contains both the faked ID and the real IP address.

Anonymous Remailing

Anonymous remailing is another attempt to throw tracing or tracking off the trail. A suspect who uses anonymous remailing sends an e-mail message to an anonymizer. An anonymizer is an e-mail server that strips identifying information from an e-mail message before forwarding it with the mailing computer's IP address.

To find out who sent remailed e-mail, try to look at any logs maintained by these remailer or anonymizer companies. However, these services frequently do not maintain logs. In addition, you can closely analyze the message for embedded information that might give clues to the user or system that sent the message.

Using Mail Relays

Using mail relays involves hiding an e-mail's origin and having someone else's mail server send the message. Local networks typically use mail relays—servers that transmit e-mail messages among local users. A college campus, for example, might use a mail relay to transmit all the student and faculty e-mail. In e-mail aliasing, multiple e-mail addresses are used to send mail to a single account. A mail relay forwards all these messages to the specified single e-mail address. A properly configured mail server processes mail only from within its system and doesn't relay mail from IP addresses originating from outside its network. But if the mail server is not configured properly, it becomes vulnerable to a wide variety of remote access programs.

Note

Internet access is available in many public locations, such as libraries, schools, airports, hotels, and Internet cafes. If an attacker sends an e-mail message from such a location, determining the actual sender may be difficult.

Figure 10-5. A spoofed e-mail.

Spamming

Spamming occurs when a perpetrator sends an e-mail message to a large number of recipients, usually routed through an unsuspecting company's mail server. The e-mailer uses that mail server as a relay point, and the server's owner may never be aware that the e-mail sender has been there. The sender then disappears before anyone gets suspicious. This is not only a theft of services but potentially a denial of services as well, if the volume of e-mail sent through the server causes it to crash.

The problem of spam offers no easy solutions. The following are some methods to reduce spam:

  • Keyword filters—On the server end, an administrator can try using keyword filters. The keyword approach must be creative enough to keep up with all the ways a spammer can spell "VI@Gra," for example.

  • IP database block lists—Attempting to blacklist, or block, spam by specific IP addresses may not work as well as blocking a whole IP address block. A spammer can spoof an address but can't hide the IP domain he or she is using for a relay. The drawback of this method is that it blocks innocent relay points and mail servers even though they don't know they're being used to send spam.

  • Whitelists—A server administrator can try whitelists, which allow e-mail only from known and trusted senders. However, this is a drastic solution that defies the purpose of e-mail in the first place.

  • Graylists—Graylisting is a method of protecting users from spam e-mails by temporarily rejecting senders the server system does not recognize. When an e-mailer gets a message saying a message didn't go through but the system is "trying again in about 24 hours," multiple e-mail servers are communicating with one another to require messages to be re-sent or re-transmitted later. Because spam originates from places that don't usually recognize a request to re-send or re-transmit later, this method eliminates much spam.

Congress has been trying to crack down on spam. However, the problem will probably not go away, no matter how much legislation Capitol Hill passes. Until changes are made in e-mail and related protocols, spam will likely always be around. Also, one person's spam may be another person's business advertising.

Stealing

Stealing can be broadly defined as unauthorized use of someone else's password and e-mail account. One common way in which stealing occurs is shoulder-surfing—watching over someone's shoulder as he or she enters a password and ID. Another method is sniffing a network—watching all the network traffic and intercepting user IDs and passwords.

Using Bogus Accounts

Bogus free e-mail accounts are quite common among both valid users and spammers. Anybody can give a false identity and address when opening a Hotmail account, for example. It is difficult to catch someone who has done this because the e-mail company doesn't know who opened the false account. Like disposable mobile phones, these accounts are quickly used and discarded. Pornographers often use bogus accounts.

E-mail Tracing in Forensic Investigations

E-mail tracing in forensic investigations relies on computer logs. An e-mail log is a record of each e-mail message that passes through a computer in a network. For evidence purposes, you may need to prove that a certain e-mail originating address traveled through a machine. Do this by verifying the message ID on a log of e-mail transactions, together with the date and time the address was recorded. This is not always easy to do. Legal limits and jurisdictional issues create tough challenges.

Many ISPs do not log e-mail. Some keep only partial data, such as information on logons and File Transfer Protocol (FTP) transfers. ISPs vary in their willingness to assist with forensic investigations. Some readily produce computer logs to help. Others refuse to give up logs without a court order or subpoena. They are legitimately concerned about violating users' privacy rights.

If an official public law enforcement officer notifies an ISP that a certain user is being investigated, the ISP is obligated by law to preserve any information it would have normally logged or collected. This gives investigators time to seek the legal authority to seize the relevant information. The law doesn't require ISPs to escalate their monitoring activities in this situation, however. If they were not keeping a log to begin with, they are under no obligation to start doing so.

Note

Foreign jurisdictions are notoriously uncooperative in forensic investigations, even when an investigation has the backing of the U.S. State Department.

In a forensic investigation, use e-mail tracing to determine the physical location of the device a perpetrator used to send e-mail. If possible, confiscate the device and make exact copies of its hard drive. As discussed in other chapters, to avoid tainting the original evidence, analyze an image copy of the device or media rather than the original. In your analysis, look for file fragments or portions of any e-mails that contain specific references to the offending message. For example, if the suspect were using Hotmail, you could check the browser's Internet cache, which shows where the user has been online. The cache contains copies of any e-mails created, sent, or received via Hotmail. Even if the attacker has emptied the cache, you can undelete and recover this information by using forensic software. Examples of this software include Network E-mail Examiner and E-mail Examiner (http://www.paraben.com), F-Response (http://www.f-response.com), and EnCase Enterprise (http://www.guidancesoftware.com).

Note

If a message is Web based and stored by a service provider such as Yahoo! or Hotmail, time is of the essence. Many of these companies have a policy of purging information after a certain period of time. In most cases, you must send a preservation letter to the provider to prevent purging of data.

Several worrisome trends suggest that e-mail tracing will become more difficult in the future:

  • Organizations routinely require encryption of all e-mail messages.

  • Products currently available automatically strip e-mail headers, encrypt the message, and then destroy the message after a period of time.

  • Thorough e-mail deletion utilities are commonly available.

Smart programmers are always looking for ways to get around the audit trail, and investigators always seem to be playing catch-up when tracing e-mail. Nevertheless, e-mail tracing will likely remain an essential part of computer forensics.

An E-mail Tracing Example

This section provides an example of e-mail tracing. The example is from the "Tracing Email" Web page at USUS.org. The following e-mail header is part of a faked e-mail. As described earlier in this chapter, perpetrators have a number of ways to fake e-mail messages. The following example is a rather unsophisticated spoofed e-mail:

  • Received: from SpoolDir by IFKW-2 (Mercury 1.31); 13 May 09 15:51:47 GMT +01

  • Return-path: <>

  • Received: from bang.jmk.su.se by ifkw-2.ifkw.uni-muenchen.de (Mercury 1.31) with ESMTP; 13 May 09 15:51:44 GMT +01

  • Received: from [130.237.155.60] (Lilla_Red_10 [130.237.155.60]) by bang.jmk.su.se (8.7.6/8.6.6) with ESMTP id PAA17265 for <>; Wed, 13 May 2009 15:49:09 +0200 (MET DST)

  • X-Sender: [email protected]

  • Message-Id: <v03020902b17f551e91dd@[130.237.155.60]>

  • Mime-Version: 1.0

  • Content-Type: text/plain; charset="us-ascii"

  • Date: Wed, 13 May 2009 15:49:06 +0200

  • To:

  • From: Kuno Seltsam <>

  • Subject: Important Information

  • X-PMFLAGS: 34078848 0

The following lines show who claims to have sent the mail, to whom it was sent, and when:

The next line is a number that the receiver's e-mail program adds to the mail to keep track of it on the local hard drive:

  • X-PMFLAGS: 34078848 0

The next lines indicate that the message contains plaintext with no accented or other fancy characters:

  • Mime-Version: 1.0

  • Content-Type: text/plain; charset="us-ascii"

If you think that the message didn't really come from someone at seltsam.com, use the following line to figure out where the message really came from. The next line contains the Message-Id, which is a tracking number that the originating host assigned to the message:

  • Message-Id: <v03020902b17f551e91dd@[130.237.155.60]>

The Message-Id is unique for each message, and it contains the IP address of the originating host. You can use a number of sites and programs to translate IP addresses into domain names. For example, if you apply TJPing (http://www.topjimmy.net/tjs/) with the IP address in this Message-Id, you get the following information:

  • Starting lookup on 130.237.155.60 - May 14, 2009 22:01:25

  • Official Name: L-Red-10.jmk.su.se

  • IP address: 130.237.155.60

This result shows the originating computer from which the perpetrator sent the message, not the mail server. Because this address is at a university, where many students share computers, it's not very helpful. However, if this were a company computer, it would be useful because employees tend to have their own computers. You can fairly easily use this information to determine what company is involved at this point. You just eliminate the first set of digits from the "Official Name:" line (L-Red-10.), add www, and type the URL into a browser. In this case, you see that www.jmk.su.se is the journalism department of the University of Stockholm. If you have tracked down this much information from the header, you could call the university's system administrator and ask who uses node 60.

The following line tells you who was logged on to the mail server when the message was sent:

Not all e-mail programs add this line. But if you see this line, you know the name of the user who sent the mail—in this case, o-pabjen. The IP address shown here is the address of the mail server used. If you check with TJPing, you learn that it's called bang.jmk.su.se. Now you could actually reply to the message by sending mail to or .

Here's the rest of the header:

  • Received: from [130.237.155.60] (Lilla_Red_10 [130.237.155.60]) by bang.jmk.su.se (8.7.6/8.6.6) with ESMTP id PAA17265 for <>; Wed, 13 May 2009 15:49:09 +0200 (MET DST)

These lines name the computer from which the mail server received the message. They also tell when the message was sent and that the recipient was supposed to be .

Similarly, the next lines tell you what mail server—ifkw-2.ifkw.uni-muenchen.de—sent the message to the recipient's mail server:

  • Received: from bang.jmk.su.se by ifkw-2.ifkw.uni-muenchen.de (Mercury 1.31) with ESMTP; 13 May 09 15:51:44 GMT +01

You know that this must be the recipient's mail server because it is the last server that received anything. It follows this fake return path:

The mail server generates the following internal message about where and how it distributed the message within its system:

  • Received: from SpoolDir by IFKW-2 (Mercury 1.31); 13 May 09 15:51:47 GMT +01

You know that SpoolDir cannot be the recipient's mail server because it lacks an Internet address.
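The bottom-to-top reading walked through above can be scripted. The following is an added example, not part of the original chapter: it uses the Received and Message-Id lines quoted in this section, with placeholder From/To addresses because the chapter's copy has them stripped, and the function names (parse_hop, analyze) are hypothetical.

```python
import email
import ipaddress
import re

# Constructed sample: Received/Message-Id lines are the ones quoted in this
# chapter; the To/From addresses are placeholders (stripped in the source).
RAW = """\
Received: from SpoolDir by IFKW-2 (Mercury 1.31);
 13 May 09 15:51:47 GMT +01
Return-path: <>
Received: from bang.jmk.su.se by ifkw-2.ifkw.uni-muenchen.de (Mercury 1.31) with ESMTP;
 13 May 09 15:51:44 GMT +01
Received: from [130.237.155.60] (Lilla_Red_10 [130.237.155.60])
 by bang.jmk.su.se (8.7.6/8.6.6) with ESMTP id PAA17265 for <>;
 Wed, 13 May 2009 15:49:09 +0200 (MET DST)
Message-Id: <v03020902b17f551e91dd@[130.237.155.60]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 13 May 2009 15:49:06 +0200
To: recipient@example.org
From: Kuno Seltsam <sender@example.com>
Subject: Important Information

body
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(value):
    """Split one Received: value into sender, receiver, literal IPs, timestamp."""
    text = " ".join(value.split())            # unfold continuation lines
    clause, sep, stamp = text.rpartition(";")  # the timestamp follows the last ';'
    if not sep:
        clause, stamp = text, ""
    src = FROM_RE.search(clause)
    dst = BY_RE.search(clause)
    return {
        "from": src.group(1).strip("[]") if src else None,
        "by": dst.group(1) if dst else None,
        "ips": IP_RE.findall(clause),
        "stamp": stamp.strip(),
    }


def is_public(ip):
    """True only for a syntactically valid, globally routable address."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def analyze(raw):
    """Rebuild the journey (oldest hop first) and list header inconsistencies."""
    msg = email.message_from_string(raw)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    hops.reverse()  # servers prepend, so the bottom line is the first hop
    flags = []

    origin = hops[0]["ips"][0] if hops and hops[0]["ips"] else None
    if origin and not is_public(origin):
        flags.append(f"first hop address {origin} is not publicly routable")

    mid = IP_RE.search(msg.get("Message-Id", ""))
    mid_ip = mid.group(1) if mid else None
    if origin and mid_ip and origin != mid_ip:
        flags.append(f"Message-Id names {mid_ip} but first Received hop names {origin}")

    # Each server that accepted the message should be the sender of the next hop.
    # A sender name without a dot (such as SpoolDir) is treated as internal delivery.
    for earlier, later in zip(hops, hops[1:]):
        src, dst = later["from"] or "", earlier["by"] or ""
        if src.lower() != dst.lower() and "." in src:
            flags.append(f"gap: {dst} accepted the message, next hop received from {src}")

    return {
        "origin_ip": origin,
        "message_id_ip": mid_ip,
        "path": [f'{h["from"]} -> {h["by"]}' for h in hops],
        "flags": flags,
    }


if __name__ == "__main__":
    report = analyze(RAW)
    for step in report["path"]:
        print(step)
    print("origin:", report["origin_ip"], "flags:", report["flags"])
```

An empty flags list means only that the header is internally consistent; as noted earlier in the chapter, header lines can be faked, so the result is a lead to confirm against server logs.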

Legal Considerations in Investigating E-mail

In all investigations involving computer evidence, you must follow specific legal requirements and reliable forensic procedures. Otherwise, the evidence you obtain may not be admissible. The following sections discuss some of the legal considerations in investigating e-mail. Chapter 14, "Trends and Future Directions," provides more information on legal considerations in system forensics.

Note

In addition to these sources for legal information, state laws often apply to e-mail investigations.

The Fourth Amendment to the U.S. Constitution

If an e-mail message resides on a sender's or recipient's computer or other device, the Fourth Amendment to the U.S. Constitution and state requirements govern the seizure and collection of the message. Determine whether the person on whose computer the evidence resides has a reasonable expectation of privacy on that computer. The Fourth Amendment requires a search warrant or one of the recognized exceptions to the search warrant requirements, such as consent from the device owner. Chapter 6, "Controlling a Forensic Investigation," discussed the Fourth Amendment in more detail.

The Electronic Communications Privacy Act

If an ISP or any other communications network stores an e-mail, retrieval of that evidence must be analyzed under the Electronic Communications Privacy Act (ECPA). The ECPA creates statutory restrictions on government access to such evidence from ISPs or other electronic communications service providers.

The ECPA requires different legal processes to obtain specific types of information:

  • Basic subscriber information—This information includes name, address, billing information including a credit card number, telephone toll billing records, subscriber's telephone number, type of service, and length of service. An investigator can obtain this type of information with a subpoena, court order, or search warrant.

  • Transactional information—This information includes Web sites visited, e-mail addresses of others with whom the subscriber exchanged e-mail, and buddy lists. An investigator can obtain this type of information with a court order or search warrant.

  • Content information—An investigator who has a search warrant can obtain content information from retrieved e-mail messages and also acquire unretrieved stored e-mails.

  • Real-time access—To intercept traffic as it is sent or received, get a wiretap order.

CHAPTER SUMMARY

E-mail has quickly become one of the most common formats for communication. However, it is a security vulnerability because attackers can use it for a variety of nefarious purposes. Information obtained from an e-mail message can provide valuable evidence.

To probe an e-mail crime, you need a basic understanding of how e-mail works, as well as the roles mail servers and e-mail clients play in sending and receiving e-mail messages. In addition, know how to read the information contained in an e-mail header. In your investigations, you will often execute e-mail tracing to research and scrutinize e-mail. Always keep federal and state legal considerations in mind when investigating e-mail.

KEY CONCEPTS AND TERMS

  • Anonymizer

  • Anonymous remailing

  • Electronic Communications Privacy Act (ECPA)

  • E-mail attachment

  • E-mail body

  • E-mail client

  • E-mail header

  • E-mail log

  • E-mail tracing

  • Hypertext Transfer Protocol (HTTP)

  • Internet Message Access Protocol (IMAP)

  • Internet Protocol (IP)

  • Internet Protocol (IP) address

  • Mail relay

  • Mail server

  • Post Office Protocol (POP)

  • Simple Mail Transfer Protocol (SMTP)

  • Sniffing

  • Spamming

  • Spoofing

  • Transmission Control Protocol/Internet Protocol (TCP/IP)

CHAPTER 10 ASSESSMENT

  1. The _________ is like an electronic post office: It sends and receives electronic mail.

  2. A software program used to compose and read e-mail messages is referred to as ________.

  3. A forensic investigator can find copies of e-mail messages in a number of places. Which of the following are some of them? (Select three.)

    1. The recipient's computer

    2. The sender's computer

    3. The Whois database

    4. The e-mail header

    5. The sender's mail server

  4. Microsoft Outlook, Windows Mail, Gmail, Yahoo! Mail, Hotmail, and AOL are examples of mail servers.

    1. True

    2. False

  5. What is the name of the numeric label that identifies each device on a network and provides a location address?

    1. E-mail header

    2. Mail server

    3. IP address

    4. Sniffer

  6. As an e-mail message is routed through one or more mail servers, each server adds its own information to the message header.

    1. True

    2. False

  7. It is possible to reconstruct the journey of an e-mail message by reading the e-mail header from top to bottom.

    1. True

    2. False

  8. The _________ lines list every point an e-mail passed through on its journey, along with the date and time.

  9. Which of the following are common methods of faking e-mails? (Select three.)

    1. Spoofing

    2. Routing

    3. Anonymous remailing

    4. Spamming

    5. Adding an attachment

  10. Which of the following is the name for making an e-mail message appear to come from someone or someplace other than the real sender or location?

    1. Spoofing

    2. Routing

    3. Anonymous remailing

    4. Spamming

    5. Adding an attachment

  11. Keyword filters, IP database block lists, whitelists, and graylists are examples of methods used to prevent or reduce ________.

  12. Which of the following is not a legal consideration in investigating e-mail?

    1. ECPA

    2. Fourth Amendment

    3. Fifth Amendment

    4. State laws
