Chapter 13: Email Investigations

Overview

The contents of email messages have incriminated many individuals (and led to some embarrassing disclosures). When an email is created, the sense of permanence associated with penning a letter is not always at the front of the mind. As such, individuals convey things in emails that they would never put to paper and ink. The medium is treated more like a telephone conversation. Unfortunately for the individuals who treat it as such, this is not the case, and email communications differ greatly from phone communications. Emails are rarely transient. They are stored on the sender's and recipients' machines as well as on any mail servers used, at least until viewed and securely erased. Emails are visible in transit unless explicitly encrypted. They can be routed accidentally to the wrong persons, and they can be forwarded beyond the intended, original recipients.

Email is a store-and-forward protocol. Copies of messages are, in most cases, actually stored to disk on every mail relay between the sender's SMTP server or internal mail server (for example, Exchange) and the recipient's POP3, IMAP, or internal mail server.

Email investigations cover the gamut of computer crimes and policy violations. Inappropriate material may be transmitted through email; it can also be used as a harassment tool, an impersonation tool (for example, phishing scams), or a communications tool for other activities. Forensic analysis of email can be as simple as performing a pen-register analysis (who sent a message to whom and when) or as complex as analyzing and reconstructing message chains from numerous mail files.
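The pen-register step described above, as an added example in Python (this is not code from the book; the message, hosts and addresses are constructed): it parses one message, lists sender and recipients, and walks the Received chain from the bottom up, which is the chronological order because every relay prepends its own line. It also flags hops whose timestamps run backwards or whose "from" host does not match the previous hop's "by" host. Only the Received lines added by servers the investigator controls can be trusted; everything below them was written while the message was still in the sender's hands, so a clean chain is corroboration, not proof.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the book): the sender's host, an ISP
# relay, the recipient organisation's inbound MX and its internal mail server.
# Each relay prepends its own Received line, so the topmost line is the last hop.
SAMPLE_EML = b"""Received: from mx-in.corp.example (mx-in.corp.example [192.0.2.20])
\tby mail.corp.example (Postfix) with ESMTP id 4F2C1A3
\tfor <dan.recipient@corp.example>; Tue, 14 Mar 2006 09:21:47 -0500
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx-in.corp.example with ESMTP id h2E14jK9; Tue, 14 Mar 2006 09:21:40 -0500
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.isp.example with SMTP id q4r7Tz; Tue, 14 Mar 2006 09:21:33 -0500
From: "Sam Sender" <sam.sender@isp.example>
To: Dan Recipient <dan.recipient@corp.example>
Cc: other.user@corp.example
Date: Tue, 14 Mar 2006 09:21:30 -0500
Message-ID: <constructed-0001@isp.example>
Subject: Check this out

Body text.
"""


def parse_received(value):
    """Pull the 'from' host, 'by' host and timestamp out of one Received line.
    The timestamp is whatever follows the last ';'."""
    head, _, stamp = value.rpartition(';')
    tokens = head.split()
    hop = {'from': None, 'by': None}
    for i, tok in enumerate(tokens[:-1]):
        key = tok.lower()
        if key in hop and hop[key] is None:
            hop[key] = tokens[i + 1]
    hop['time'] = parsedate_to_datetime(stamp.strip())
    return hop


def addresses(msg, field):
    """Bare addr-specs from an address header, or [] if the header is absent."""
    hdr = msg[field]
    return [a.addr_spec for a in hdr.addresses] if hdr is not None else []


def pen_register(raw):
    """Return who sent the message to whom, when, and the relay path in
    chronological order, plus anomalies that suggest a forged or skewed hop."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # Reverse so hops[0] is the first relay that touched the message.
    hops = [parse_received(str(v)) for v in reversed(msg.get_all('Received', []))]
    anomalies = []
    for prev, cur in zip(hops, hops[1:]):
        if cur['time'] < prev['time']:
            anomalies.append(f"clock goes backwards between {prev['by']} and {cur['by']}")
        if cur['from'] != prev['by']:
            anomalies.append(f"{cur['by']} claims receipt from {cur['from']}, "
                             f"but the previous hop was handled by {prev['by']}")
    return {
        'sender': addresses(msg, 'From'),
        'recipients': addresses(msg, 'To') + addresses(msg, 'Cc'),
        'message_id': str(msg['Message-ID']),
        'dated': msg['Date'].datetime,
        'hops': hops,
        'transit_seconds': (hops[-1]['time'] - hops[0]['time']).total_seconds() if hops else None,
        'anomalies': anomalies,
    }


if __name__ == '__main__':
    record = pen_register(SAMPLE_EML)
    print(record['sender'], '->', record['recipients'], record['dated'])
    for hop in record['hops']:
        print(f"  {hop['time']:%H:%M:%S}  {hop['from']}  ->  {hop['by']}")
    print('transit:', record['transit_seconds'], 's; anomalies:', record['anomalies'])
```

The hop check is deliberately strict: a relay that names itself differently in its own "by" field than the next relay names it in "from" will show up as an anomaly, which is usually a naming inconsistency rather than forgery and is worth noting either way.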

Three primary email products exist in the corporate setting: Outlook, Outlook Express, and Lotus Notes. Web-based mail clients are also encountered frequently (for example, Hotmail, Yahoo! Mail, Gmail), but these do not have a client-side component to analyze unless POP3 or IMAP has been enabled, and other clients on Windows platforms are either less prevalent than before (for example, the excellent Eudora email client) or just burgeoning (for example, the equally excellent Thunderbird from Mozilla). In this chapter, I will cover investigations into the big three and include a brief overview of the Microsoft Exchange Server.

CASE STUDY: INAPPROPRIATE EMAIL USAGE

Policy violations based on the inappropriate usage of IT resources are one of the most common investigation areas plaguing large organizations. With increased controls in place to block web-based inappropriate content, email is becoming a more popular mechanism for distribution of banned material. As one unlucky company found out, investigations into email usage violations can be far reaching and costly.

While working on IT investigations, I received a report from a human resources manager that an employee had seen a co-worker viewing inappropriate material. When questioned about the viewing, the employee reporting the issue noted that a co-worker had "hardcore, pornographic images" on her screen when he walked by her cubicle. The second time he came by, his co-worker immediately turned off her monitor until he passed. He promptly reported the incident as a violation of respectful workplace policies to HR, who recognized it as requiring an IT-led investigation.

After questioning the complainant, it became apparent that several aspects of the suspect's behavior were suspicious, in addition to the actual viewing of inappropriate material. These included:

  • Turning off her monitor when others walked by.

  • Moving her monitor to face away from the common area, despite the ergonomic gymnastics necessary to work with it in that location.

  • Refusing to let others use her computer, even though sharing was common in that location, as not all employees were issued machines.

  • Requesting an anti-glare filter hours after the initial incident, despite being in a low-glare area. Such a filter prevents side-angle viewing of the monitor.

Given the probable cause for investigation noted previously, the protocol for inappropriate usage investigations was enacted. This particular company's protocol called for the viewing of web usage history through proxy log files, the examination of the user's shared drive and local drive for inappropriate images, and the analysis of the employee's mail file.

Analyzing the employee's logfiles and shared drive returned no results. She did not use the network-based shared drive for storage, and her web history returned only work-related and appropriate personal browsing. The first sign of trouble came with her local disk. A covert duplication was performed after she left in the evening, and the material was analyzed in the company's forensic lab offline the following day. The analysis was performed using AccessData's Forensic Toolkit and revealed multiple images which were inappropriate for a business environment, mostly deleted files. Further review of the MRU list for Windows Media Player revealed several additional file names of a dubious nature containing words like Hardcore XXX and Young Naked that triggered further suspicion, although the files noted were no longer present. No inappropriate browsing was found, no network-based file sharing mechanisms (peer-to-peer, IM, IRC, and NNTP) were present, and there was no evidence that external devices with inappropriate material had been attached.

Based on the inappropriate file names found in the MRU listing, a bitwise text search for those names was done on the entire image. Although the files themselves were still not found, references to the file names were found in slack-space fragments surrounded by what appeared to be email headers. The only email client on the machine was Lotus Notes, and the server name of her corporate mail server was obtained from the Notes Addressbook. Read-only access was provided to the forensic account (called Disaster Backup Replicator to reduce the suspicions of anyone reviewing their user logs), and a replication was done to the forensic analysis machine. The replica was unusually large for a mail file, around 10GB in size, and was backed up to tape immediately after a checksum for the replica was generated and recorded.
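The keyword search over the image described above, as an added example in Python (not code from the book, and not the tool the author used): it builds a constructed stand-in for a disk image, records a SHA-256 of it before anything else is done, then searches for each file name in both ASCII and UTF-16LE (Windows MRU entries and many other Windows artifacts store names as UTF-16LE, so an ASCII-only search misses them) and reports, for every hit, the byte offset and any mail-header lines found in the surrounding window. The file name and header values are made up.

```python
import hashlib
import re

# Header lines to look for in the bytes around a keyword hit. A match may
# start at the buffer start or after CR, LF or a NUL byte, because a fragment
# in slack space is rarely preceded by a clean line break.
HEADER_RE = re.compile(
    rb'(?:^|[\r\n\x00])((?:From|To|Cc|Subject|Date|Received|Message-ID): [^\r\n]*)',
    re.IGNORECASE)


def build_sample_image():
    """Constructed stand-in for a disk image: zero filler with one mail-header
    fragment, one UTF-16LE file name (as Windows MRU data stores it) and one
    bare ASCII file name. None of this is data from the book's case."""
    img = bytearray(b'\x00' * 65536)
    fragment = (b'From: hub.user@corp.example\r\n'
                b'To: spoke.user@corp.example\r\n'
                b'Subject: Check this out\r\n'
                b'Date: Tue, 14 Mar 2006 09:21:30 -0500\r\n'
                b'\r\n'
                b'Attached: clip_0412.wmv\r\n')
    wide = 'clip_0412.wmv'.encode('utf-16-le')
    bare = b'clip_0412.wmv'
    img[12000:12000 + len(fragment)] = fragment
    img[30000:30000 + len(wide)] = wide
    img[50000:50000 + len(bare)] = bare
    return bytes(img)


def image_digest(image):
    """SHA-256 of the whole image, recorded before analysis so the working
    copy can be verified against it later."""
    return hashlib.sha256(image).hexdigest()


def keyword_hits(image, keywords, window=256):
    """Find every occurrence of each keyword in ASCII and UTF-16LE form and
    report its offset plus any mail-header lines within `window` bytes."""
    hits = []
    for kw in keywords:
        for enc in ('ascii', 'utf-16-le'):
            needle = kw.encode(enc)
            start = 0
            while True:
                off = image.find(needle, start)
                if off < 0:
                    break
                lo = max(0, off - window)
                hi = min(len(image), off + len(needle) + window)
                ctx = image[lo:hi]
                headers = [m.group(1).decode('latin-1') for m in HEADER_RE.finditer(ctx)]
                hits.append({'keyword': kw, 'encoding': enc, 'offset': off, 'headers': headers})
                start = off + 1
    return sorted(hits, key=lambda h: h['offset'])


if __name__ == '__main__':
    img = build_sample_image()
    print('image sha256:', image_digest(img))
    for h in keyword_hits(img, ['clip_0412.wmv']):
        print(f"{h['offset']:#010x} {h['encoding']:9} {h['keyword']}  headers: {h['headers']}")
```

A hit with no header lines nearby (the bare ASCII and UTF-16LE occurrences here) is still worth recording with its offset; it may sit in registry, MRU or index data rather than in a message fragment, and that tells you where to look next.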

A working copy of the file was placed on a clean Notes analysis machine, and the All Documents view was opened for review. Sorting the files by size (with the largest first) showed numerous large entries with subjects of "Check this out," "Never seen this before," and my favorite, "Don't open when your boss is around." All of the messages were opened individually, and hundreds of movies, images, PowerPoint presentations, Word documents, and even Excel spreadsheets containing XXX-level images were found. We made a list of both senders and recipients of the inappropriate messages, and each message was individually cataloged and stored as evidence. Unfortunately, 20 of the individuals who sent messages were other employees, and over 40 internal recipients of the material were implicated in the messages.

Fortunately, this was not the first inappropriate email investigation the company had performed, and a scorched-earth SOP was in place to limit the effort required for these investigations. The SOP had two relevant clauses:

  1. After 20 individual items of inappropriate material are cataloged for a single individual, the remainder can be viewed for illegal content and stored in a forensically sound manner for later cataloging as necessary.

  2. Receipt of inappropriate material was a minor violation of policy (not reporting the violation) but not probable cause to analyze an individual's mail file, thus reducing the potential targets for further analysis in the preceding investigation from more than 60 to 20.

With the SOP already in place, the mail files of the 20 who had been confirmed as sending inappropriate material were acquired and analyzed. (At this point there was no reason to suspect non-mail-related inappropriate use, and resource constraints limited the investigative scope.) Their drives were imaged in order to provide a forensically sound copy for later analysis if needed. An additional five senders and several dozen recipients were identified from these, and once again the five senders were investigated. In total, 26 individuals were fully investigated and several dozen identified as being recipients of inappropriate material.

Analyzing the email distribution patterns revealed a multiple hub-and-spoke topology. Several individuals acted as hubs and received inappropriate messages from others outside of the organization. They would then distribute the messages to small distribution lists of internal and external friends, who were the spokes. Occasionally, a hub would copy an individual who was also a hub, further propagating the inappropriate material.

The 26 individuals who sent inappropriate material were dismissed from the organization for actively violating the company's Acceptable Use of IT Resources policy. The several dozen recipients were sent a written warning, told to clean up their mail files, and re-enrolled in Acceptable Usage training. Finally, a targeted education effort was made at the two sites where the incident had occurred, focusing on the appropriate and inappropriate use of email.

Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
Year: 2006
Pages: 71
Authors: Chad Steel
