E-Mail Forensics

E-mail Forensics
www.paraben.com
Email Forensics_Breaking Archiv

What is a local storage archive?
Local storage archives are any archive whose format is independent of a mail server. Examples of these types of archives include .PST, .MBX, .DBX, etc.

Basic Rules & Expectations for Local Archives
1. Search for the appropriate mail archives and associated data storage.

Program Storage Specifics
Index or Table of Contents -> Mailbox -> Mail Messages

The Index or Table of Contents stores the main status of each message:
•Unread
•Read
•Forwarded
•Redirected
•Flagged
•Deleted

Common Local Storage Archives
The Bat!
  Index: *.tbi
  Messages: *.tbb
The Bat! < v1.42
  Index: *.tbx
  Messages: *.msb
Forte Agent
  Index: *.idx
  Messages: *.dat
Pegasus
  Index: *.pmi
  Messages: *.pmm
FoxMail
  Index: *.ind (E-mail Examiner doesn't use this index file)
  Messages: *.box
Outlook Express v5/6
  Index+Messages: *.dbx or *.MailDB
MS Outlook
  Index+Messages: *.pst (by default messages are stored in encrypted format)

Common Local Storage Archives Cont.
Outlook Express v4.x
  Index: *.idx
  Messages: *.mbx
Eudora
  Index: *.toc
  Messages: *.mbx
Poco
  Index: *.idx
  Messages: *.mbx
Netscape v6.x and 7.x, and Mozilla
  Index: *.msf
  Messages: *. (no extension)
Netscape < v6.x
  Index: *.snm (E-mail Examiner doesn't use this index file)
  Messages: *. (no extension)

Email Reference Cards

Basic Rules & Expectations for Local Archives
1. Search for the appropriate mail archives and associated data storage.
2. Process all items with their complete structure (header, body, attachment) to compute verification through a hash value.
E-mail Headers Typically Contain:
•Sender E-mail Address
•Receiver E-mail Address
•Subject
•Time of Creation
•Delivery stamps
•Message Author
•CC - Carbon Copy
•BCC

E-mail Headers - Text Attachments

  MIME-Version: 1.0
  From: Cpt Picard <[email protected]>
  To: Beverly Crusher <[email protected]>
  Subject: Pain in my neck
  Content-Type: multipart/mixed; boundary=boundarystring

  --boundarystring
  Content-Type: text/plain

  I seem to have this reoccurring pain in my neck.
  Please see attachment for more details.
  Regards, Jean Luc
  --boundarystring
  Content-Type: text/plain
  Content-Disposition: attachment; filename="neck.txt"

  It aches in the morning when I wake up for about 20 minutes and also whenever Worf is around.
  --boundarystring--

E-mail Headers - Binary Attachments

  MIME-Version: 1.0
  From: Cpt Picard <[email protected]>
  To: Beverly Crusher <[email protected]>
  Subject: Pictures of my neck in zip file
  Content-Type: multipart/mixed; boundary=boundarystring

  --boundarystring
  Content-Type: text/plain

  Attached is the file neck.zip, which has been base64 encoded.
  --boundarystring
  Content-Type: application/octet-stream; name="neck.zip"
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment; filename="neck.zip"

  H52QLID6AJFBALJHLIHKOLNS80JOPSNLJKNLFDLSHFLSHDLFSHLKDNC8
  09SAOIHN3OFNSA80HLDBJSUF93HFSLBNCOISAY890EY0AHFLNC739HFO
  EBOASHOFHSODIY8930…
  OAIHOFIDHF8920DFNSOFNDOSGU03UQAFLASNFDLIU03WQJFOSIFH03I9
  AHFDALHFNB=
  --boundarystring--

Basic Rules & Expectations for Local Archives
1. Search for the appropriate mail archives and associated data storage.
2. Process all items with their complete structure (header, body, attachment) to compute verification through a hash value.
3. Watch for virus issues.
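Rule 2 above (hash header, body and each attachment as separate pieces) as an added Python example; this is not code from the Paraben deck. It parses a constructed message modelled on the Picard/Crusher samples (placeholder addresses, fake zip bytes, both assumptions) with the standard-library email module, reverses the base64 transfer encoding before hashing, and, in line with rule 3, handles attachments only as bytes without writing or opening them.

```python
import base64
import email
import hashlib
from email import policy

# Constructed sample modelled on the deck's Picard/Crusher messages (placeholder addresses, fake zip bytes).
ZIP_BYTES = b"PK\x03\x04constructed-not-a-real-zip"
SAMPLE_MSG = b"""\
From: Cpt Picard <picard@example.invalid>
To: Beverly Crusher <crusher@example.invalid>
Subject: Pictures of my neck in zip file
Content-Type: multipart/mixed; boundary=boundarystring

--boundarystring
Content-Type: text/plain

Please see the attachment for more details.
--boundarystring
Content-Type: application/octet-stream; name="neck.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="neck.zip"

""" + base64.b64encode(ZIP_BYTES) + b"""
--boundarystring--
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_message_parts(raw: bytes) -> dict:
    """Split one message into header, body and attachments and hash each piece (rule 2)."""
    # The header block ends at the first blank line of the raw message (CRLF or LF).
    ends = [i for i in (raw.find(b"\r\n\r\n"), raw.find(b"\n\n")) if i != -1]
    header_bytes = raw[:min(ends)] if ends else raw
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"header_sha256": sha256_hex(header_bytes), "body_sha256": None, "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue  # container part; only the leaves carry data
        data = part.get_payload(decode=True)  # reverses base64 / quoted-printable
        if part.get_content_disposition() == "attachment":
            # Attachments are hashed as raw bytes and never written out or opened (rule 3).
            result["attachments"].append({"filename": part.get_filename(),
                                          "size": len(data), "sha256": sha256_hex(data)})
        elif result["body_sha256"] is None:  # first non-attachment leaf is the body
            result["body_sha256"] = sha256_hex(data)
    return result
```

The attachment hash is computed over the decoded bytes, so it matches the hash of the original file rather than of its base64 text in the archive.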
Outlook File Size
• Outlook pre-2003 – Maximum archive size is 2 GB
• Outlook 2003 – Maximum archive size is 20 GB

E-mail Forensics: Server Storage Archives

What is a server storage archive?
Server storage archives are any archive that has mixed storage for all of the clients that exist on a server. Examples of these types of archives include MS Exchange (.EDB), Lotus Notes (.NSF), GroupWise (.DB), etc.

MS Exchange PUB.EDB
• Public Information Store
  – contains Public Folders
  – Public Folders contain information shared amongst the different users

MS Exchange PRIV.EDB
• Private Information Store
  – contains the mailboxes for the server
  – keeps information private from other users

MS Exchange PRIV.EDB
• Priv.edb: A rich-text database file containing message headers, message text, and standard attachments.

MS Exchange PRIV.STM
• Priv.stm: A streaming internet content file containing audio, video and other media that are formatted as streams of Multipurpose Internet Mail Extensions (MIME) data.

Lotus Notes *.NSF
• Valuable Evidence:
  – Messages
  – Attachments
  – PIM Oriented Data

ENCRYPTION

Novell GroupWise Post Office
Post Office Directory Structure: composed of directories which contain:
– Post Office Database (wphost.db)
  • Admin info required to allow users to exchange messages (list of post offices and associated users)
– Message Store
  • User databases (userxxx.db)
  • Message databases (msgnn.db)
  • Attachments directory

E-mail to other devices

Case Examples
