Authors: Amelia Phillips, Bill Nelson, Christopher Steuart

Guide to Computer Forensics and Investigations, Fifth Edition 11-1
Chapter 11
E-mail and Social Media Investigations
At a Glance
Instructor’s Manual Table of Contents
Overview
Objectives
Teaching Tips
Quick Quizzes
Lecture Notes
Overview
Chapter 11 explains how to trace, recover, and analyze e-mail messages by using
forensics tools designed for investigating e-mail and general-purpose tools, such as disk
editors. E-mail has become a primary means of communication, and most computer
users have e-mail programs to receive, send, and manage e-mail. These programs differ
in how and where they store and track e-mail. Some are installed separately from the
Chapter Objectives
Explain the role of e-mail in investigations
Describe client and server roles in e-mail
Describe tasks in investigating e-mail crimes and violations
Explain the use of e-mail server logs
Explain how to approach investigating social media communications
Describe some available e-mail forensics tools
Teaching Tips
Exploring the Role of E-mail in Investigations
1. Mention that with the increase in e-mail scams and fraud attempts with phishing or
2. Explain that phishing e-mails are in HTML format, which allows creating links to text
3. Point out that when pharming is used, readers might go to the correct Web site address,
4. Mention that spoofing e-mail can be used to commit fraud. Explain that a clue to
Exploring the Roles of the Client and Server in E-mail
2. Describe how a client/server architecture can be applied to an e-mail example.
3. Explain the e-mail name conventions in both corporate and public environments.
4. Mention that for computer investigators, tracking intranet e-mail is easier because
Investigating E-mail Crimes and Violations
1. Mention that investigating crimes or policy violations involving e-mail is similar to
investigating other types of computer abuse and crimes.
2. List the goals of e-mail crimes and violations investigations, including:
a. Find who is behind the crime or violation
3. Explain that what is considered a crime or policy violation involving e-mail depends on
4. Present a list with some examples of crimes involving e-mails, such as:
a. Narcotics trafficking
b. Extortion
c. Sexual harassment
e. Fraud
Teaching Tip
Find some examples of recent crimes committed in your area involving e-mails.
Examining E-mail Messages
1. Describe to your class how to acquire evidence from an e-mail during an investigation.
First describe how to use the victim’s computer for retrieving evidence. Then describe
3. Allow students to complete the activity where they will copy and print an email
Viewing E-mail Headers
1. Use Figures 11-2 through 11-3 to illustrate how to view e-mail headers using different
kinds of clients including GUI and Web-based clients such as:
a. Microsoft Outlook
b. Microsoft Outlook Express
Examining E-mail Headers
1. E-mail headers contain useful information for an investigation. Use Figure 11-4 to explain how
to analyze header content line by line. Information included in e-mail headers includes:
a. Return path
b. Recipient’s e-mail address
Teaching Tip
To search for specific files in e-mail headers, use a forensics tool, such as FTK.
Forensics tools can also search for unique header information, such as an ID
number.
Examining Additional E-mail Files
1. Depending on settings, e-mails are saved at the client’s side or left on the server.
2. Mention that another source of valuable information is the personal address book.
Tracing an E-mail Message
1. Explain how to track down a suspect using the information acquired so far from an e-mail.
Use the following sites to find the contact point of the originating domain name:
2. Using these sites, you can find the suspect’s e-mail address and contact information. Do
Using Network E-mail Logs
1. Explain how information contained on network router and firewall logs can help an
investigator track down a suspect. Use Figure 11-5 to illustrate your explanation.
Quick Quiz 1
1. A(n) ____ architecture comprises one central server and several connected client
computers.
2. The ____ of an e-mail message contains unique identifying numbers, such as the IP
address of the server that sent the message.
3. True or False: E-mail crimes and violations depend on the city, state, and sometimes
country in which the e-mail originated.
4. In Outlook, you can save sent, draft, deleted, and received e-mails in a(n) _____ file, or
you can save offline files in a(n) _____ file.
5. True or False: Network administrators maintain logs of the inbound and outbound
traffic that routers handle.
Understanding E-mail Servers
2. Describe how e-mail servers store e-mail messages using either a database or a flat file
system.
3. Explain the use of log files on a server. Some systems have logs enabled by default;
4. Describe some of the information recorded in a log, including:
a. Sending IP address
5. Mention that once the source of the e-mail has been identified, the investigator should contact
the network or e-mail administrator of the suspect’s network as soon as possible.
Examining UNIX E-mail Server Logs
1. Describe the main log files on UNIX systems and how they relate to e-mail services.
Log files include files such as:
2. Mention that UNIX systems are set to store log files in the /var/log directory.
However, an administrator can change the log location. Point out that you can use the
find or locate command to find them.
Teaching Tip
The forward slash (/) is used in UNIX/Linux file paths, and the backslash (\) is
used in Windows file paths.
Examining Microsoft E-mail Server Logs
1. Briefly explain how Microsoft Exchange Server works. Exchange is a database e-mail
server based on Microsoft Extensible Storage Engine (ESE).
2. Point out that the files most useful to an investigation are .edb database files, checkpoint
files, and temporary files.
3. Discuss the main log files used by Microsoft Exchange Server including:
a. Transaction logs
4. Use Figure 11-6 to explain how Event Viewer can be used to examine the details of an
Using Specialized E-mail Forensics Tools
1. List some of the tools that can be used for e-mail investigations, including:
a. DataNumen for Outlook and Outlook Express
b. FINALeMAIL
c. Sawmill Novell GroupWise
2. Explain how these tools enable you to find:
a. E-mail database files
3. Point out that an advantage of using these tools is that you don’t need to know how the
4. Explain that after you compare e-mail logs with messages, you should verify the e-mail
5. Mention the importance of documenting every step in the investigation process. For
Using OSForensics to Recover E-mail
2. Use Figure 11-7 to illustrate how to use OSForensics to recover e-mails.
Using a Hex Editor to Carve E-mail Messages
2. Explain that the mbox format stores e-mails in flat plaintext files. The Multipurpose
3. Use Figures 11-8 through 11-10 to illustrate how to carve e-mail messages from
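The header walk-through (return path, Received chain, message ID) and the mbox carving step above can be demonstrated together. This is an added Python example, not code from the textbook or its instructor's manual; the mbox text, addresses and IP addresses in it are constructed samples, and the "sender mismatch" check is one simple spoofing clue, not the book's method.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample mbox (not real mail): two messages in the flat plaintext
# mbox layout, each introduced by a "From " separator line.
SAMPLE_MBOX = """From alice@example.com Mon Jan  6 10:15:22 2020
Return-Path: <alice@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.10])
    by mx.example.org with ESMTP id abc123; Mon, 6 Jan 2020 10:15:22 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mail.example.com with ESMTPSA id xyz789; Mon, 6 Jan 2020 10:15:20 +0000
Message-ID: <20200106101520.12345@mail.example.com>
From: Alice <alice@example.com>
To: bob@example.org

Hi Bob, the report is attached.

From bounce@example.net Tue Jan  7 08:00:01 2020
Return-Path: <bounce@example.net>
Received: from relay.example.net (relay.example.net [203.0.113.5])
    by mx.example.org with ESMTP id def456; Tue, 7 Jan 2020 08:00:01 +0000
Message-ID: <77777@relay.example.net>
From: "IT Support" <support@example.org>
To: bob@example.org

Please reset your password today.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def carve_mbox(text):
    # Split the flat file into messages on the "From " separator lines.
    chunks = re.split(r"^From [^\n]*\n", text, flags=re.MULTILINE)
    return [message_from_string(c) for c in chunks if c.strip()]


def analyze_headers(msg):
    # Each hop prepends its own Received line, so the last one is nearest the origin.
    received = [" ".join(r.split()) for r in msg.get_all("Received", [])]
    hop_ips = [m.group(1) for m in map(IP_RE.search, received) if m]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    from_addr = parseaddr(msg.get("From", ""))[1]
    return {
        "return_path": return_path,
        "from": from_addr,
        "message_id": msg.get("Message-ID", "").strip("<>"),
        "hop_ips": hop_ips,
        "origin_ip": hop_ips[-1] if hop_ips else None,
        # Envelope sender domain differing from the From: domain is one spoofing clue.
        "sender_mismatch": return_path.rsplit("@", 1)[-1] != from_addr.rsplit("@", 1)[-1],
    }
```

Running `analyze_headers` over each carved message gives the examiner the originating hop address to look up and a flag on messages whose envelope and header senders disagree.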
Recovering Outlook Files
1. List some computer forensic tools that can be used to reconstruct PST files and
messages:
2. Explain how to use Microsoft’s scanpst.exe recovery tool to repair .ost files as
3. Describe how Encase from Guidance Software and other e-mail recovery tools
E-mail Case Studies
1. Discuss the Enron case, which required retrieving thousands of e-mails at a time when
Applying Digital Forensics to Social Media
1. Discuss online social networks (OSNs) and how they can be used to build a profile of a
prospective client, a business partner, a suspect in a murder trial, and more.
2. Describe the kind of information that can be found in social media:
Evidence of cyberbullying and witness tampering
3. Explain that OSNs involve multiple jurisdictions that might cross national boundaries.
Forensics Tools for Social Media Investigations
1. Mention that while software for social media forensics is being developed, not many
2. List a few of the helpful software packages that are available now:
Facebook Forensics
YouTube Forensics
Quick Quiz 2
1. ____ logging saves valuable server space, but you can’t recover a log file after it’s
overwritten.
2. Typically, a UNIX system has a variety of e-mail servers available, so the _____ file
specifies where to save different types of e-mail log files.
3. Some e-mail systems store messages using flat plaintext files, known as a(n) ____
format.
4. Vendor-unique e-mail file systems, such as Microsoft .pst or .ost, typically use ____
formatting.
5. _____ can contain evidence of cyberbullying and witness tampering.
Class Discussion Topics
1. Many crimes involving e-mails have e-mail accounts set up in countries less willing to
2. Ask students to discuss the advantages and disadvantages of using circular logging
Additional Projects
2. Ask students to write a report discussing the challenges of investigating a case
Additional Resources
1. Extensible Storage Engine:
Key Terms
Internet Message Access Protocol 4 (IMAP4) A protocol for retrieving e-mail
messages; it’s slowly replacing POP3. See also Post Office Protocol (POP3).
mbox A method of storing e-mail messages in a flat plaintext file.
Messaging Application Programming Interface (MAPI) The Microsoft system
that enables other e-mail applications to work with each other.
spoofing Transmitting an e-mail message with its header information altered so that
its point of origin appears to be from a different sender. Spoofed e-mails are also
referred to as forged e-mail. Spoofing is typically used in phishing and spamming to
hide the sender’s identity. See also phishing.
Stored Communications Act (SCA) Part of the Electronic Communications
