UNIX MAILBOXES

Although most Unix mail resides in a single text file when seized, an investigator can manipulate the data for easier browsing and analysis. This section will use the tools resident on most installations of Linux and FreeBSD to reconstruct a suspect's e-mail file and analyze its contents.

Implementation

A Unix e-mail file is typically located at /var/spool/mail/username on Linux and /var/mail/username on FreeBSD. Other flavors of Unix have a similar directory and file-naming structure. This file contains all the e-mail for the particular user named username, and every message is concatenated into this file. The file can be viewed with a standard text viewer because the format of the file is not proprietary.

If the e-mail file contains a lot of file attachments or if the suspect has saved thousands of messages, reading through the text file with a general-purpose editor (see Chapter 25) may be inefficient and even impractical. Additionally, without using specialized decoders for file attachments, an analyst reading the full text file with a general-purpose editor initially may not be able to view any files attached. Therefore, the analyst must be able to manipulate the e-mail with a mail program to analyze the contents fully and increase efficiency.

The e-mail can be reconstructed by using the following steps:

  1. Copy the mailbox file to the mail directory, and rename the file to the username who will be accessing it. The following output demonstrates this:

     forensic# ls -al Mailbox
     -rw-r--r-- 1 kjones 1000 15745 Mar 5 15:16 Mailbox
     forensic# cp Mailbox /var/mail/kjones

  2. Switch users, by using the system's su command, to the user to whom the mailbox was copied. In this case, the user is kjones.

  3. Use any general-purpose mailing program to read the contents of the e-mail.

Note 

Although the mail program is installed on nearly every Unix system, the authors also like to use the mutt and pine programs because they let you easily save or view file attachments. Furthermore, they provide much greater searching capabilities.
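As an added illustration that is not code from the book, the following Python script does with the standard library what the mail readers above do for an analyst: it walks a copied mailbox file, splits it on the "From " separator lines that delimit each message, and decodes every message's headers, body and attachments, hashing each attachment so it can be inventoried without being opened. The two-message mailbox is constructed inline, and the temporary file path stands in for the copied /var/mail/kjones file.

```python
import email, hashlib, mailbox, os, tempfile
from email.policy import default
# Constructed two-message mailbox standing in for a copied /var/mail/<username> file.
SAMPLE_MBOX = b"""From alice@example.com Tue Mar  5 15:16:00 2002
From: alice@example.com
Subject: meeting

See you at noon.
>From the lobby, take the elevator.

From bob@example.com Tue Mar  5 16:00:00 2002
From: bob@example.com
Subject: report
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Attached.
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="notes.txt"
Content-Transfer-Encoding: base64

aGVsbG8gd29ybGQK
--XX--
"""

def write_sample_mailbox():
    """Write the constructed mailbox to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    os.write(fd, SAMPLE_MBOX)
    os.close(fd)
    return path

def summarize_mbox(path):
    """One record per message: envelope line, headers, plain-text body, attachment hashes."""
    records = []
    box = mailbox.mbox(path, create=False)  # opens the file rb+, so only ever point it at a copy
    for key in box.iterkeys():
        # Messages start at lines beginning "From "; the ">From " body line in message 1 is not one.
        msg = email.message_from_bytes(box.get_bytes(key), policy=default)
        attachments = [(p.get_filename(), hashlib.sha256(p.get_payload(decode=True)).hexdigest())
                       for p in msg.iter_attachments()]  # decoded from base64, hashed unopened
        records.append({"envelope": box.get_message(key).get_from(),
                        "from": msg["From"], "subject": msg["Subject"],
                        "body": msg.get_body(("plain",)).get_content(),
                        "attachments": attachments})
    return records
```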

Mutt, pine, and mail are text-based programs that can be used to view Unix mailboxes. With Netscape/Mozilla 4.x and 5.x versions, you can actually use the built-in Messenger or Mail & Newsgroups GUI programs to view messages and attachments in Unix mailboxes. Netscape/Mozilla accomplishes this using a built-in tool called movemail. Movemail does just what it says: it moves the mail from the Unix mailbox (that is, /var/mail/kjones, in our example) into the configured Netscape/Mozilla mail account. With 4.x versions, you can configure Netscape to use the built-in movemail option in the GUI under Options | Mail And News | Servers Preferences. In the transition from Netscape 4.x to Mozilla 5.x on UNIX, movemail support was dropped from the GUI, even though the functionality is still there.

To create a movemail-enabled mailbox in Mozilla 5.x, choose Edit | Mail & Newsgroups Account Settings. Click the Add Account button to create a POP e-mail account with the same username as the Unix mailbox name (kjones in our example) and "localhost" for the POP3 server. When finished, exit Mozilla and edit your prefs.js file (which can be found in $HOME/.mozilla/<profilename>/<unique filename>.slt/prefs.js). Look for a line similar to the following:

 user_pref("mail.server.server1.hostname", "localhost");
 user_pref("mail.server.server1.type", "pop3");
 user_pref("mail.server.server1.userName", "kjones");

Change the "pop3" line (the second line above) to:

 user_pref("mail.server.server1.type", "movemail");

You should also look for the following line:

 user_pref("mail.use_movemail", "false"); 

If you see this line, you should change the word "false" to "true" and save the file. Assuming the $MAIL environment variable points to your user's mail spool (such as /var/mail/kjones), Mozilla should be configured to "import" the Unix mailbox at that location the next time you retrieve messages for that mailbox.

Tip 

To make sure that it isn't writing to the Unix mailbox at the same time the system's mail transfer agent (MTA) is writing to it, movemail needs to write a lock file to the mail spool directory (/var/mail in our example). This means that for movemail to work properly, it will need write access to that mail spool directory. You'll have to lessen the security on your workstation, either by running the Netscape/Mozilla mail viewer as root or by setting the sticky bit on the mail spool directory (chmod 1777 /var/mail). This should not be done on a production system, however.



Anti-Hacker Tool Kit
Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175