
Chapter 7

E-mail Investigations
TCF2043
Digital Investigation

Exploring the Role of E-mail in Investigations
E-mail evidence has become an
important part of many computing
investigations.
Computer forensics investigators must
know how e-mail is processed to collect
this essential evidence.
With the increase in e-mail scams and
fraud attempts, investigators need to
know how to examine and interpret the
unique content of e-mail messages.

Exploring the Roles of the Client and Server in E-mail
You can send and receive e-mail in two environments:
the Internet
an intranet (an internal network).

In both e-mail environments, messages are distributed
from a central server to many connected client
computers, a configuration called a client/server
architecture.
The server runs an e-mail server program to provide e-mail services, such as
Microsoft Exchange Server.
Novell GroupWise.
UNIX Sendmail.

Client computers use e-mail programs (also called e-mail
clients), such as Novell Evolution or Microsoft Outlook, to
contact the e-mail server and send and retrieve e-mail
messages (see Figure 1).


Figure 1: E-mail in a client/server architecture

Regardless of the OS or e-mail program, users access
their e-mail based on permissions the e-mail server
administrator grants.
These permissions prevent users from accessing each
other's e-mail.
To retrieve messages from the e-mail server, users
identify themselves to the server, as when logging on to
the network.
Then e-mails are delivered to their computers.
E-mail services on both the Internet and an intranet use a
client/server architecture, but they differ in
how client accounts are assigned, used, and managed, and
in how users access their e-mail.

Overall, an intranet e-mail system is for the private use of
network users, and Internet e-mail systems are for public
use.
On an intranet, the e-mail server is generally part of the
local network, and an administrator manages the server
and its services.
In most cases, an intranet e-mail system is specific to a
company, used only by its employees, and regulated by
its business practices, which usually include strict
security and acceptable use policies.
For example, network users can't create their own e-mail
accounts, and usernames tend to follow a naming
convention that the e-mail administrator determines. For
example, for John Smith at Some Company, jsmith is the
username, and it's followed by the company's domain
name, somecompany.com, to create the e-mail address
jsmith@somecompany.com.

NOTE: In an e-mail address, everything after the @
symbol represents the domain name. You need to know
the domain information when you investigate e-mail to
identify the point of contact at the domain.
In contrast, a company that provides public e-mail
services, such as Google, Hotmail, or Yahoo!, owns the
e-mail server and accepts everyone who signs up for the
service by providing a username and password.
E-mail companies also provide their own servers and
administrators.
After users sign up, they can access their e-mail from
any computer connected to the Internet.
In most cases, Internet e-mail users aren't required to
follow a standardized naming convention for usernames.
They can choose their own usernames (but not the
domain name), as long as they aren't already in use.

For computer investigators, tracking intranet e-mail is easier because accounts use standard
names the administrator establishes.
For example, jane.smith@mycompany.com is
easily recognized as the e-mail address for an
employee named Jane Smith.
Tracking Internet e-mail users is more difficult
because these user accounts don't always use
standard naming schemes, and e-mail
administrators aren't familiar with all the user
accounts on their servers.
Identifying the owner of an e-mail account with an
address such as itty_bitty@hotmail.com, for
example, isn't easy.

Investigating E-mail Crimes and Violations
Investigating crimes or policy violations involving e-mail is
similar to investigating other types of computer abuse
and crimes.
Your goal is to find out who's behind the crime or policy
violation, collect the evidence, and present your findings
to build a case for prosecution or arbitration.
E-mail crimes and violations depend on the city, state,
and sometimes country in which the e-mail originated.
For example, in Washington State, sending unsolicited e-mail is illegal.
However, in other states, it isn't considered a crime.
Committing crimes with e-mail is becoming
commonplace, and more investigators are finding
communications that link suspects to a crime or policy
violation through e-mail.

Examining E-mail Messages
After you have determined that a crime has been
committed involving e-mail, first access the victim's
computer to recover the evidence.
Using the victim's e-mail client, find and copy any
potential evidence.
It might be necessary to log on to the e-mail service and
access any protected or encrypted files or folders.
If you can't actually sit down at the victim's computer, you
have to guide the victim on the phone to open and print a
copy of an offending message, including the header.
The header contains unique identifying numbers, such as
the IP address of the server that sent the message.
This information helps you trace the e-mail to the
suspect.

Copying an E-mail Message
Before you start an e-mail investigation, you need to copy
and print the e-mail involved in the crime or policy
violation.
You might also want to forward the message as an
attachment to another e-mail address, depending on your
organization's guidelines.
The following activity shows you how to use Outlook
2007, included with Microsoft Office, to copy an e-mail
message to a USB drive. Follow these steps:
Insert a USB drive into a USB port.
Open Windows Explorer or the Computer window,
navigate to the USB drive, and leave this window
open.
Start the Outlook software.

In the Mail Folders pane (see Figure 2), click the
folder containing the message you want to copy. For
example, click the Inbox folder. A list of messages in
that folder is displayed in the pane in the middle. Click
the message you want to copy.
Resize the Outlook window so that you can see the
message you want to copy and the USB drive icon in
Windows Explorer or the Computer window.
Drag the message from the Outlook window to the
USB drive icon in Windows Explorer or the Computer
window.
Click File, Print from the Outlook menu to open the
Print dialog box. After printing the e-mail so that you
have a copy to include in your final report, exit
Outlook.


Figure 2: Selecting an e-mail to copy

Viewing E-mail Headers
After you copy and print a message, use the e-mail
program that created it to find the e-mail header.
After you open e-mail headers, copy and paste them into
a text document so that you can read them with a text
editor, such as Windows Notepad.
To retrieve an Outlook e-mail header, follow these steps:
Start Outlook, and then select the original of the message
you copied in the previous section.
Right-click the message and click Message Options to open
the Message Options dialog box. The Internet headers text
box at the bottom contains the message header, as shown
in Figure 3.
Select all the header text, and copy it to the Clipboard.
Start Notepad, and then paste the message header text
into a new document window.

Save the document as Outlook Header.txt in your work
folder. Then close the document and exit Outlook.

Figure 3: An Outlook e-mail header

Examining E-mail Headers

The next step is examining the e-mail header you
saved to gather information about the e-mail and track
the suspect to the e-mail's originating location.
The primary piece of information you're looking for is
the originating e-mail's domain address or an IP
address.
Other helpful information includes the date and time
the message was sent, filenames of any attachments,
and the unique message number, if it's supplied.
To open and examine an e-mail header, double-click a
.txt file containing message header text, such as
Outlook Header.txt. The message header opens in
Notepad.
See Figure 4.


Figure 4: An e-mail header with line numbers added

The e-mail header in Figure 4 provides a lot of
information.
Lines 1 to 5 show the e-mail servers through which the
message travelled.
Line 1 shows the return path, which is the address an e-mail program uses for sending a reply, usually indicated
as the Reply to field in an e-mail. Do not rely on the
return path to reveal the e-mail's source account,
however. Spoofing (faking) an e-mail address in the
Return-Path line is easy to do.
Line 2 identifies the recipient's e-mail address. When
you're investigating e-mail, you should verify this address
by confirming it with the e-mail service provider. Request
a bill or log to make sure the account name in Line 2 is
the one the victim uses.

Line 3 indicates the type of e-mail service that sent the e-mail, such as qmail (UNIX e-mail), and includes an ID
number, such as 12780 in Figure 4. With these ID
numbers, you can examine logs from the transmitting e-mail server to determine whether the message was
actually sent from it. If the transmitting e-mail server
doesn't list this unique ID number, there's a good chance
the message was spoofed.
Line 4 lists the IP address of the e-mail server that sent
the message: 192.152.64.20, in this example. It also
identifies the name of the server sending the message: in
this case, smtp.superiorbicycles.biz.
Line 5 contains the name of the e-mail server (or list of e-mail servers) that sent or passed the message to the
victim's e-mail server.

Lines 6 and 7 provide information important for e-mail
investigators. Line 6 shows a unique ID number that the
sending e-mail server assigned to the message.
In Figure 4, it's 20101212082330.40429. You can use
this number to track the message on the originating e-mail server in e-mail logs.
Line 7 shows the IP address of the server sending the e-mail and lists the date and time the e-mail was sent.
For example, 10.187.241.199 is the IP address of the
sending server web4009.mail0.myway.com, and Sun 12
Dec 2010 00:23:30 PST is the date the message was
sent. Line 7 might also identify the e-mail as being sent
through an HTTP client, as it does in Figure 4.
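The header walk-through above (Return-Path, recipient, qmail ID, sending server, relay, Message-ID, originating client) is easy to do by hand once, but an investigator usually has to repeat it for many messages. The following Python script, added here as an example and not part of the original slides or of any product, parses a header and records those seven pieces of information. The header it parses is constructed: the hostnames, IP addresses, qmail ID and Message-ID stem are the values quoted in the slides for Figure 4, while the mailbox addresses and the relay name mail.example.org are made up for the example.

```python
"""Extract the fields an investigator records from a raw e-mail header:
Return-Path, recipient, qmail ID, the sending server's IP and name, the
Message-ID, and the originating client's IP, send time and method."""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed header modelled on the seven header lines discussed in the
# slides. Addresses and the relay mail.example.org are invented; the rest
# reuses the values the slides quote for Figure 4.
SAMPLE_HEADER = """\
Return-Path: <sender@example.com>
Delivered-To: victim@example.org
Received: (qmail 12780 invoked from network); 12 Dec 2010 08:23:31 -0000
Received: from smtp.superiorbicycles.biz (192.152.64.20)
  by mail.example.org with SMTP; 12 Dec 2010 08:23:31 -0000
Received: from web4009.mail0.myway.com
  by smtp.superiorbicycles.biz with ESMTP; Sun, 12 Dec 2010 00:23:30 -0800
Message-ID: <20101212082330.40429@web4009.mail0.myway.com>
Received: from [10.187.241.199] by web4009.mail0.myway.com via HTTP;
  Sun, 12 Dec 2010 00:23:30 PST
Subject: constructed sample

(body omitted)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
QMAIL_ID = re.compile(r"\(qmail (\d+) invoked")
FROM_HOST = re.compile(r"^from (\S+)")


def parse_hop(line):
    """One Received line -> who handed the message over, and any IPs in it."""
    line = " ".join(line.split())  # unfold continuation lines
    hop = {"from_host": None, "ips": IPV4.findall(line),
           "via_http": "via HTTP" in line, "qmail_id": None, "raw": line}
    q = QMAIL_ID.search(line)
    if q:  # local delivery record written by qmail; no peer host in it
        hop["qmail_id"] = q.group(1)
        return hop
    m = FROM_HOST.match(line)
    if m:
        hop["from_host"] = m.group(1).strip("[]")
    return hop


def parse_header(raw):
    msg = message_from_string(raw)
    # Each server prepends its own Received line, so the first hop is the one
    # nearest the victim's server and the last hop is nearest the sender.
    hops = [parse_hop(h) for h in msg.get_all("Received", [])]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    msg_id = msg.get("Message-ID", "").strip().strip("<>")
    id_local, _, id_host = msg_id.partition("@")
    sending = next((h for h in hops if h["ips"]), None)  # first hop with an IP
    origin = hops[-1] if hops else None
    sent = parsedate_to_datetime(origin["raw"].rsplit(";", 1)[1]) if origin else None
    return {
        "return_path": return_path,
        # everything after the @ is the domain whose point of contact to ask
        "return_path_domain": return_path.partition("@")[2],
        "recipient": msg.get("Delivered-To", "").strip(),
        "qmail_id": next((h["qmail_id"] for h in hops if h["qmail_id"]), None),
        "sending_server": (sending["from_host"], sending["ips"][0]) if sending else None,
        "message_id_local": id_local,
        "message_id_host": id_host,
        "origin_ip": origin["ips"][0] if origin and origin["ips"] else None,
        "origin_via_http": bool(origin and origin["via_http"]),
        "sent": sent.isoformat() if sent else None,
        "sent_utc": sent.astimezone(timezone.utc).isoformat() if sent else None,
        "hops": hops,
    }


if __name__ == "__main__":
    for key, value in parse_header(SAMPLE_HEADER).items():
        print(f"{key}: {value}")
```

The `sent_utc` value is the one to carry into server logs, since log timestamps are rarely written in the sender's local zone; `sending_server` and `qmail_id` are what you quote to the transmitting server's administrator when asking whether the message really passed through it.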

Understanding E-mail Servers
An e-mail server is loaded with software that uses e-mail
protocols for its services and maintains logs you can
examine and use in your investigation.
As a computer forensics investigator, you can't know
everything about e-mail servers.
Your focus is not to learn how a particular e-mail server
works but how to retrieve information about e-mails for an
investigation.
Usually, you must work closely with the network
administrator or e-mail administrator, who is often willing
to help you find the data or files you need and might even
suggest new ways to find this information.
If you can't work with an administrator, conduct research
on the Internet or use the forensics tools to investigate
the e-mail server software and OS.

To investigate e-mail abuse, you should know how an e-mail server records and handles the e-mail it receives.
Some e-mail servers use databases that store users' e-mails, and others use a flat file system. All e-mail servers
can maintain a log of e-mails that are processed.
Some e-mail servers are set up to log e-mail transactions
by default; others must be configured to do so.
Most e-mail administrators log system operations and
message traffic to recover e-mails in case of a disaster,
to make sure the firewall and e-mail filters are working
correctly, and to enforce company policy.
However, the e-mail administrator can disable logging or
use circular logging, which overwrites the log file when it
reaches a specified size or at the end of a specified time
frame.

Circular logging saves valuable server space,
but you can't recover a log after it's overwritten.
For example, on Monday the e-mail server
records traffic in the Mon.log file. For the next
six days, the e-mail server uses a log for each
day, such as Tues.log, Wed.log, and so forth.
On Sunday at midnight, the e-mail server starts
recording e-mail traffic in Mon.log, overwriting
the information logged the previous Monday.
The only way to access the log file information
is from a backup file, which many e-mail
administrators create before a log file is
overwritten.

As shown in Figure 5, e-mail logs generally identify the e-mail messages an account received, the IP address from
which they were sent, the time and date the e-mail server
received them, the time and date the client computer
accessed the e-mail, the e-mail contents, system-specific
information, and any other information the e-mail
administrator wants to track.
These e-mail logs are formatted in plain text and can be
read with a basic text editor, such as Notepad.

Figure 5: An e-mail server log file

Administrators usually set e-mail servers to continuous
logging mode.
They can also log all e-mail information in the same file,
or use one log file to record, for example, date and time
information, the size of the e-mail, and the IP address.
These separate log files are extremely useful when you
have an e-mail header with a date and time stamp and
an IP address, and you want to filter or sort the log files to
narrow your search.
After you have identified the source of the e-mail, contact
the network or e-mail administrator of the suspect's
network as soon as possible.
Some e-mail providers, especially Internet e-mail
providers, don't keep logs for a long time, and their logs
might contain key information for your investigation.
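Two of the points above lend themselves to a small worked example: filtering a server log by the IP address and timestamp taken from a header, and the week-long circular logging scheme (Mon.log through Sun.log) under which a log entry disappears one week after it was written. The Python below is an added example, not part of the slides or of any e-mail server's own tooling. Its log lines are constructed in an invented format (UTC receive time, event, key=value fields), and the peer IP and send time it matches against are the values quoted in the slides, with the send time converted from PST to UTC.

```python
"""Correlate a header's sending IP and send time with e-mail server log
lines, and check whether a 7-day circular log still covers that date."""
import re
from datetime import datetime, timedelta, timezone

# Constructed log excerpt in an invented format: receive time (UTC), event,
# then key=value fields such as the peer IP, the server's queue ID, the
# mailbox and the client that later read the message.
SAMPLE_LOG = """\
2010-12-12 08:21:04 +0000 RECV from=203.0.113.9 id=12771 to=victim@example.org size=1802
2010-12-12 08:23:31 +0000 RECV from=192.152.64.20 id=12780 to=victim@example.org size=2310
2010-12-12 08:23:32 +0000 DELIVERED id=12780 mailbox=victim@example.org
2010-12-12 09:02:17 +0000 READ id=12780 client=198.51.100.7
2010-12-12 11:40:55 +0000 RECV from=192.152.64.20 id=12834 to=other@example.org size=912
"""

# Taken from the header: sending server IP from the slides' example, and
# Sun 12 Dec 2010 00:23:30 PST expressed in UTC.
HEADER_SENDER_IP = "192.152.64.20"
HEADER_SENT_UTC = datetime(2010, 12, 12, 8, 23, 30, tzinfo=timezone.utc)

LINE = re.compile(r"^(\S+ \S+ [+-]\d{4}) (\w+) (.*)$")
DAY_LOGS = ["Mon.log", "Tue.log", "Wed.log", "Thu.log", "Fri.log", "Sat.log", "Sun.log"]


def parse_log(text):
    """Each line -> {'ts': aware datetime, 'event': str, <key>: <value>...}."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip blank or malformed lines instead of aborting
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z")
        entry = {"ts": ts, "event": m.group(2)}
        entry.update(re.findall(r"(\w+)=(\S+)", m.group(3)))
        entries.append(entry)
    return entries


def correlate(entries, sender_ip, sent_utc, window=timedelta(minutes=10)):
    """Find RECV events from sender_ip within `window` of the header time,
    then return every event that shares those queue IDs (delivery, reads)."""
    ids = {e["id"] for e in entries
           if e["event"] == "RECV" and e.get("from") == sender_ip
           and abs(e["ts"] - sent_utc) <= window}
    return sorted(ids), [e for e in entries if e.get("id") in ids]


def log_file_for(when):
    """Circular scheme from the slides: one file per weekday, reused weekly."""
    return DAY_LOGS[when.weekday()]


def overwritten_at(when):
    """The file written on `when` is overwritten at the start of the same
    weekday one week later (assumes rotation runs on the server's clock)."""
    day_start = when.replace(hour=0, minute=0, second=0, microsecond=0)
    return day_start + timedelta(days=7)


def log_still_available(when, now):
    return now < overwritten_at(when)


def run_example():
    entries = parse_log(SAMPLE_LOG)
    ids, related = correlate(entries, HEADER_SENDER_IP, HEADER_SENT_UTC)
    return {
        "matched_ids": ids,
        "related_events": [e["event"] for e in related],
        "log_file": log_file_for(HEADER_SENT_UTC),
        "available_3_days_later": log_still_available(
            HEADER_SENT_UTC, HEADER_SENT_UTC + timedelta(days=3)),
        "available_7_days_later": log_still_available(
            HEADER_SENT_UTC, HEADER_SENT_UTC + timedelta(days=7)),
    }


if __name__ == "__main__":
    print(run_example())
```

The ten-minute window absorbs the clock skew between the sending server and the receiving server; the later RECV line from the same IP falls outside it and is not attributed to this message. The availability check is the reason the slides say to contact the administrator quickly: once `log_still_available` turns false, only a backup made before the overwrite can still answer the question.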

E-mail servers maintain copies of clients' e-mail, even if the
users have deleted messages from their inboxes.
Some e-mail servers don't completely delete messages until the
system is backed up.
Even if the suspect deletes the e-mail, sometimes the e-mail
administrator can recover the e-mail without restoring the entire
e-mail system.
With other systems, however, the e-mail administrator must
recover the entire e-mail server to retrieve one deleted
message.
This process is similar to deleting files on a hard drive; the file is
marked for deletion, but it's not truly deleted until another piece
of data is written in the same place.
E-mail servers wait to overwrite disk space until the server has
been backed up.
If you have a date and time stamp for an e-mail, the e-mail
administrator should be able to recover it from backup media if
the message is no longer on the e-mail server.

Using Specialized E-mail Forensics Tools
For many e-mail investigations, you can rely on
e-mail message files, e-mail headers, and e-mail server log files.
However, if you can't find an e-mail
administrator willing to help with the
investigation, or you encounter a highly
customized e-mail environment, you can use
data recovery tools and forensics tools
designed to recover e-mail files.
General data recovery tools, such as ProDiscover
Basic and AccessData FTK, can also be used to
investigate and recover e-mail files.

Other tools, such as the ones in the following list, are
specifically created for e-mail recovery, including
recovering deleted attachments from a hard drive:
DataNumen for Outlook and Outlook Express
FINALeMAIL for Outlook Express and Eudora
Sawmill-GroupWise for log analysis
DBXtract for Outlook Express
Paraben E-Mail Examiner, configured to recover several e-mail formats
AccessData FTK for Outlook and Outlook Express
Ontrack Easy Recovery EmailRepair for Outlook and
Outlook Express
R-Tools R-Mail for Outlook and Outlook Express
OfficeRecovery's MailRecovery for Outlook, Outlook
Express, Exchange, Exchange

THE END
