
profilekumar9
Chapter10.pptx

Chapter 10

Email Forensics


Email is Often the Best Evidence

Contents can demonstrate intent

Header data can demonstrate the source

Timestamps can show intent to mislead

Email shows up as evidence in the vast majority of cases

Email Structure

Plain text emails don’t support graphics

HTML structured emails support graphics and embedded content

Attachments can accompany the message as a separate file

Email Technology

Mail user agent is a software interface that represents the end user

Mail transport agent moves messages from point A to point B

Mail client is the application that provides end user support

Mail server handles addressing and transport

Email Addresses

Each user ID must be unique to a particular domain

The same user ID on a different domain may or may not represent the same user

User IDs are easily spoofed with the right software

Email Protocols

Mailbox protocols

Post Office Protocol, ver. 3 (POP3)

Internet Message Access Protocol (IMAP)

Transport protocols

Simple Mail Transfer Protocol (SMTP)

Email Clients

Perform some basic functions

Send messages

Receive messages

Manage content (including attachments)

Are operating system specific

Determine how information is archived on the system

May be a local client or web-based

Information Stores

Acts as a cabinet for the information stored by the client

Sent/Received messages

Address books

Calendars

Each client has a specific format for storing data

Email Servers

Act as relay agents for moving messages across the Internet

SMTP servers handle all outgoing messages

IMAP or POP3 servers handle all incoming messages

Server applications such as Microsoft Exchange combine SMTP with POP/IMAP

Standard Header Information

TO:

FROM:

SUBJECT:

DATE:

All of these are easily spoofed

MIME Header Information

Information stored in the header that includes:

Time/Date stamps for various actions along the way

Server information for relay servers along the way

A message ID unique to this message across the Internet

Versions of software used along the way

IDs of blind carbon copy recipients

A return path

Tracing the Origin of a Message

Each server that relays the message adds its IP address

Each relay server keeps logs for a certain period of time that record the IP address of the sender as well as the intended recipient

While the time stamp can be manipulated at the origin, the ones added along the way are likely real
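The two points above (the easily spoofed standard headers, and the relay-added Received: chain that is harder to fake) can be checked mechanically. The following is an added example, not part of the slides: it walks the Received: headers of a constructed message oldest-hop-first, measures how far the sender-supplied Date: lags the first relay's timestamp, and flags a From:/Return-Path: domain mismatch. All hosts, addresses and IDs in the sample are made up.

```python
import email
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture); hosts and addresses are invented.
RAW_MESSAGE = b"""\
Return-Path: <bounce@relay-b.example.net>
Received: from relay-b.example.net (relay-b.example.net [203.0.113.20])
\tby mx.example.org with ESMTP id abc123;
\tMon, 4 Mar 2019 10:05:12 +0000
Received: from relay-a.example.net (relay-a.example.net [198.51.100.7])
\tby relay-b.example.net with ESMTP id def456;
\tMon, 4 Mar 2019 10:05:01 +0000
Received: from client-pc (unknown [192.0.2.55])
\tby relay-a.example.net with ESMTPA id ghi789;
\tMon, 4 Mar 2019 10:04:58 +0000
Message-ID: <20190304100458.ghi789@relay-a.example.net>
Date: Mon, 4 Mar 2019 08:00:00 +0000
From: ceo@example.org
To: finance@example.org
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace_hops(raw):
    """Return hops oldest-first as (sending IP, receiving host, hop timestamp)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    # Each relay prepends its Received: line, so the last header is the first hop.
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())          # unfold and normalise whitespace
        ip = IP_RE.search(text)
        by = re.search(r"\bby (\S+)", text)
        when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None, when))
    return hops

def timestamp_skew_seconds(raw):
    """Seconds between the sender-controlled Date: and the first relay's stamp."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    first_hop_time = trace_hops(raw)[0][2]
    return (first_hop_time - parsedate_to_datetime(str(msg["Date"]))).total_seconds()

def header_mismatch(raw):
    """True when From: and Return-Path: name different domains (a spoofing signal)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = str(msg["From"]).rsplit("@", 1)[1].strip(">")
    rp_dom = str(msg["Return-Path"]).rsplit("@", 1)[1].strip(">")
    return from_dom != rp_dom
```

On the sample, the oldest hop is the 192.0.2.55 client handing off to relay-a, the Date: header is about two hours behind that first relay stamp, and the From: domain does not match the Return-Path: domain.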

Some Email Search Tools

Clearwell

Paraben

GREP

Search Results

False positives – looks right but isn’t

False negatives – doesn’t look right, but is

A measure of accuracy is “precision”

Ratio of false positives to false negatives

A measure of effectiveness is “recall”

Percentage of relevant emails that were found

Advanced Search Methods

Stationary User Profiles – a method of determining if a user makes use of multiple accounts

Similar Users – a way of determining if what appears to be a single user is actually multiple users

Attachment Statistics – a user’s typical behavior regarding attachments is analyzed

Recipient Frequency – what types of messages a specific user usually receives