JTA 2018 294-74 be present as the greatest enemy of forensic Scien analysing them we can decode the message being sent. After decoding all IP addresses are analysed The main idea of this experiment is that the at and their location is traced. A timeline of all event tacker uses an ARP spoofing mechanism to convince is made in universal standard time) and is checked the legitimate user that they are a legitimate partici- further for suspicious behaviour Server logs are pant, device gateway (4. After the response of a le checked at the same time to ensure that all the ac gitimate user, the attacker immediately confirms to tivities are mentioned in the timeline se formed. I the gateway that they are a legitimate user. Both the any suspicious activity is found the mails are reco legitimate user and the gateway will think they have cred and can be used as evidence against the send established a relationship with each other, and in et Email is extracted from the client server which fact they have both established a relationship with keeps a copy of sent mails until a specific number the attacker. This means that the gateway and le First case study pitimate user traffic is directed towards an attacker First, we will describe a well-known case in court who can then intercept the communication between practice Lea case study involving the use of Manual the two sides. For the purpose of this experiment Method for Email Analysis (4 using a whaling attack the attacker is only interested in the traffic of a le which is a spear phishing attack directed specifi- gitimate user suspected of being searched for IM cally at high-profile targets like-C-level executives, PORTANT online content politicians and celebrities An email attached to a $20 million dollarlow suit purported to be from the CEO of tech. EXAMINING E-MAIL FORENSIC TOOLS: CASE STUDIES Con to a venture Capital broker. The message Email analysis, as we already mention, is the outlined guaranteed warrants on the next task performed in the network forensies Email round of finding for the broke analysis is the process which involves analysis of . "tech.com" filled counter claim and claimed emails sent and received at different ends. In cur the email was forgery. Their law firm engageda rent era, there are very less ways to analyse emails. team to determine the validity of the message Most widely accepted method is the Manual Meth- The team imaged all of the CEO's computers at od of Email Analysis (4.5). Although there have his office and his home Email server backup been many attempts into securing e-mail systems, tapes were recalled from the client servers most are still inadequately secured. Installing an All hard drivers and email servers were tiviruses, filters, firewalls and scanners is simply searched for questioned message. There not enough to secure e-mail communication. Some were no traces of any such mail on any of the common examples of illegitimate uses of emails are hard drive or mail spool spam, phishing cyber bullying, botnets, disclosure . When the timestamps and messages were of confidential information, child pornography and compared with the server logs then it was sexual harassment. The anonymity factor of e-mail found that the questioned message have not has made it difficult for digital forensic investiga one through either tech.com webmailor tors to identify the authorship of an email, and to mail server at the time indicated by the date/ aggravate this problem further, there is no stan- timestamp on the message dardised procedure to follow. Based on the analysis the defendants filed mo Therefore, a forensic investigator needs efficient tion to image and examine broker's computers tools and techniques to perform the analysis with a Federal judge issued subpoena and the team high degree of accuracy and in a timely fashion. It is arrived at the broker's business, he refused to evident that an email forensic tool may only assist the allow his system to image investigator during a specific stage of analysis (4.5) Broker's lawyer went into the state court, on a While preforming manual method for email anal companion case, and get the judge to issue an ysis, we try to spot spoofed messages which are sent order for a new court appointed examiner through SMTP (Simple Mail Transfer Protocol). By . The examination revealed direct proof of the 70 Journal of Information Technology and Application www.a-aw.com L-M. Tore ATFOD JITA 2018 2:4-74 alteration of a valid message's header to create thot and careful scrutiny should be practiced anves a questioned email tigating every part of the e-mail header However, this is quite a bit long and tiring proce The allegedly received email dure which would involve too many mails to be an The header of a problematic e-mail is presented lysed, which would be excessively time-consuming as follows. Time being the most expensive entity, we need to Peter-Path to Good Daytech.com y the time as much as This time While preforming manual method for email anal ysis, we try to spot spoofed messages which are sent through SMTP (Simple Mail Transfer Protocol). By companion case, and got the judge to issue an order er for a new court appointed esaminer The mamination revealed direct proof of the 70 Journal of Information Technology and Application www.t-ou.com EMTA TFF OG SITA 2018 2.64-74 alteration of a valid message's header to create tion and careful scrutiny should be practiced in inves a questioned email tigating every part of the e-mail header However, this is quite a bit long and tiring proce The allegedly received email dure which would involve too many mails to be an The header of a problematic e-mail is presented lysed, which would be excessively time-consuming as follows Time being the most expensive entity, we need to Math Codytech. save the time as much as we can. To Save this time 21.10.2015 certain tools are present which helps to reduce the fundon.co... work burden. So, we need a software tools, such as 725922 The > A1000 151451-0400 eMail Tracker Pro (http://www.emaltrackerpro Herved from west.tech.com mail. com/ and Aid Mall Forensic (http://www.ald 110.27.3.1901 byt.tech.co.mail.com/) that are discussed in the next section It-3,0.1) FE0363) the In this case investigator should look at ESMTP 2008 44-500 id which is a unique identification assigned by each contracte 110.27.10.1001 intermediate relay or gateway server. This id is usu by W. 1...... with ally in a hexadecimal string that is reset each day. Ash Aug 2000 1400131 Resulting in an id that can be resolved to a time win contentcontent-class dow on a particular server. The investigator should subject Warrants in also compare the header information against server Tags: webmaltech.com Analysis of the web Verant 1.6 Cyperat/thef mail server logs revealed several issues regarding . the validity of the suspect message contentTransfer coing by Matching trace header timestamps and Es Mesaje-11 154783. DERE.CO MTP ids revealed that RA1318 was issued --- at 17:41:31 to the authentic message Comparing the 14:41:31 timestamp of the The Top Maine RACY suspect message with the log revealed the server was assigning ESMTP ids beginning Pro to Good dytech.com with "OM" "RRA" as represented in the tech.com header TOI_duyuyun.com Analysis of the mail server logs confirmed that Information contained in the header can aldives the suspect message was not authentic tigators in trading the sender of the e-mail A thorough Matching trace header timestamps and ES. investigation of e-mail headers should include exami MTP ids revealed that the authentic Message nation of the sender's e-mail address and IP address ID was logged at 17:41:32 and assigned ES examination of the message ID as well as the messa MTP d e73M/W903943 then it was sent to ing initiation protocol (HTTP or SMTP). To determine the hedgefondetund.com server and it the source of the e- mail investigators must first exum was assigned a new ESMTP ide73M12331592 in the received section at the bottom of the header and Comparing the 14:41:32 timestamp of the work their way up in a bottom to top approach. suspect message with the log revealed there It is also important that e-mail cases examine the were no messages for over an hour during logs of all servers in the received chain as soon as pos that time frame sible. Time is very important in e-mail cases as HTTP and SMTP logs are archived frequently, especially by Second case study Large ISPs. If a log is archived, it could take time and This section describes the court case of cyber effort to retrieve and decompress the log files needed crime so called "Identity theft in Internet communi to trace e-mails. Some e-mails have fake/forged head cation by electronic mail by two business entities" ers in order to deceive investigators, to extreme cats. Based on the analysis of the method of communica December 2012 Juma of information Technology and Application 71 Read carefully the first and the second case studies in E-Mail Forensics: Techniques and Tools for Forensic Investigation of One Court Case paper and answer the questions 2. First case study (page 70) 1. Give a short description of the first case study? 2. Why analysing the email header is important for investigators? 3. The examination of all server logs should be achieved as soon as possible. Identify the reasons. 4. Analysing email headers for too many emails is time consuming. What are the software tools investigators can use to reduce efforts and time in analysing the email? 5. What are the results investigators can get related to the validity of suspect message from analysing web-mail server logs? 6. How the analysis of mail server logs confirmed that the suspect message was not authentic? b. Second case study (page 71) 1. Give a short description of the second case study? 2. What is the software tool used for the email examination process? 3. What are the results of examining the hopes through which the hacker's mail passed? 4. What is the finding after analysing the suspicious e-mail and email server on the victim's side? 5. Briefly analysed and compare between eMailTrackerPro and Aid4Mail Forensic tools used in this case study? JTA 2018 294-74 be present as the greatest enemy of forensic Scien analysing them we can decode the message being sent. After decoding all IP addresses are analysed The main idea of this experiment is that the at and their location is traced. A timeline of all event tacker uses an ARP spoofing mechanism to convince is made in universal standard time) and is checked the legitimate user that they are a legitimate partici- further for suspicious behaviour Server logs are pant, device gateway (4. After the response of a le checked at the same time to ensure that all the ac gitimate user, the attacker immediately confirms to tivities are mentioned in the timeline se formed. I the gateway that they are a legitimate user. Both the any suspicious activity is found the mails are reco legitimate user and the gateway will think they have cred and can be used as evidence against the send established a relationship with each other, and in et Email is extracted from the client server which fact they have both established a relationship with keeps a copy of sent mails until a specific number the attacker. This means that the gateway and le First case study pitimate user traffic is directed towards an attacker First, we will describe a well-known case in court who can then intercept the communication between practice Lea case study involving the use of Manual the two sides. For the purpose of this experiment Method for Email Analysis (4 using a whaling attack the attacker is only interested in the traffic of a le which is a spear phishing attack directed specifi- gitimate user suspected of being searched for IM cally at high-profile targets like-C-level executives, PORTANT online content politicians and celebrities An email attached to a $20 million dollarlow suit purported to be from the CEO of tech. EXAMINING E-MAIL FORENSIC TOOLS: CASE STUDIES Con to a venture Capital broker. The message Email analysis, as we already mention, is the outlined guaranteed warrants on the next task performed in the network forensies Email round of finding for the broke analysis is the process which involves analysis of . "tech.com" filled counter claim and claimed emails sent and received at different ends. In cur the email was forgery. Their law firm engageda rent era, there are very less ways to analyse emails. team to determine the validity of the message Most widely accepted method is the Manual Meth- The team imaged all of the CEO's computers at od of Email Analysis (4.5). Although there have his office and his home Email server backup been many attempts into securing e-mail systems, tapes were recalled from the client servers most are still inadequately secured. Installing an All hard drivers and email servers were tiviruses, filters, firewalls and scanners is simply searched for questioned message. There not enough to secure e-mail communication. Some were no traces of any such mail on any of the common examples of illegitimate uses of emails are hard drive or mail spool spam, phishing cyber bullying, botnets, disclosure . When the timestamps and messages were of confidential information, child pornography and compared with the server logs then it was sexual harassment. The anonymity factor of e-mail found that the questioned message have not has made it difficult for digital forensic investiga one through either tech.com webmailor tors to identify the authorship of an email, and to mail server at the time indicated by the date/ aggravate this problem further, there is no stan- timestamp on the message dardised procedure to follow. Based on the analysis the defendants filed mo Therefore, a forensic investigator needs efficient tion to image and examine broker's computers tools and techniques to perform the analysis with a Federal judge issued subpoena and the team high degree of accuracy and in a timely fashion. It is arrived at the broker's business, he refused to evident that an email forensic tool may only assist the allow his system to image investigator during a specific stage of analysis (4.5) Broker's lawyer went into the state court, on a While preforming manual method for email anal companion case, and get the judge to issue an ysis, we try to spot spoofed messages which are sent order for a new court appointed examiner through SMTP (Simple Mail Transfer Protocol). By . The examination revealed direct proof of the 70 Journal of Information Technology and Application www.a-aw.com L-M. Tore ATFOD JITA 2018 2:4-74 alteration of a valid message's header to create thot and careful scrutiny should be practiced anves a questioned email tigating every part of the e-mail header However, this is quite a bit long and tiring proce The allegedly received email dure which would involve too many mails to be an The header of a problematic e-mail is presented lysed, which would be excessively time-consuming as follows. Time being the most expensive entity, we need to Peter-Path to Good Daytech.com y the time as much as This time While preforming manual method for email anal ysis, we try to spot spoofed messages which are sent through SMTP (Simple Mail Transfer Protocol). By companion case, and got the judge to issue an order er for a new court appointed esaminer The mamination revealed direct proof of the 70 Journal of Information Technology and Application www.t-ou.com EMTA TFF OG SITA 2018 2.64-74 alteration of a valid message's header to create tion and careful scrutiny should be practiced in inves a questioned email tigating every part of the e-mail header However, this is quite a bit long and tiring proce The allegedly received email dure which would involve too many mails to be an The header of a problematic e-mail is presented lysed, which would be excessively time-consuming as follows Time being the most expensive entity, we need to Math Codytech. save the time as much as we can. To Save this time 21.10.2015 certain tools are present which helps to reduce the fundon.co... work burden. So, we need a software tools, such as 725922 The > A1000 151451-0400 eMail Tracker Pro (http://www.emaltrackerpro Herved from west.tech.com mail. com/ and Aid Mall Forensic (http://www.ald 110.27.3.1901 byt.tech.co.mail.com/) that are discussed in the next section It-3,0.1) FE0363) the In this case investigator should look at ESMTP 2008 44-500 id which is a unique identification assigned by each contracte 110.27.10.1001 intermediate relay or gateway server. This id is usu by W. 1...... with ally in a hexadecimal string that is reset each day. Ash Aug 2000 1400131 Resulting in an id that can be resolved to a time win contentcontent-class dow on a particular server. The investigator should subject Warrants in also compare the header information against server Tags: webmaltech.com Analysis of the web Verant 1.6 Cyperat/thef mail server logs revealed several issues regarding . the validity of the suspect message contentTransfer coing by Matching trace header timestamps and Es Mesaje-11 154783. DERE.CO MTP ids revealed that RA1318 was issued --- at 17:41:31 to the authentic message Comparing the 14:41:31 timestamp of the The Top Maine RACY suspect message with the log revealed the server was assigning ESMTP ids beginning Pro to Good dytech.com with "OM" "RRA" as represented in the tech.com header TOI_duyuyun.com Analysis of the mail server logs confirmed that Information contained in the header can aldives the suspect message was not authentic tigators in trading the sender of the e-mail A thorough Matching trace header timestamps and ES. investigation of e-mail headers should include exami MTP ids revealed that the authentic Message nation of the sender's e-mail address and IP address ID was logged at 17:41:32 and assigned ES examination of the message ID as well as the messa MTP d e73M/W903943 then it was sent to ing initiation protocol (HTTP or SMTP). To determine the hedgefondetund.com server and it the source of the e- mail investigators must first exum was assigned a new ESMTP ide73M12331592 in the received section at the bottom of the header and Comparing the 14:41:32 timestamp of the work their way up in a bottom to top approach. suspect message with the log revealed there It is also important that e-mail cases examine the were no messages for over an hour during logs of all servers in the received chain as soon as pos that time frame sible. Time is very important in e-mail cases as HTTP and SMTP logs are archived frequently, especially by Second case study Large ISPs. If a log is archived, it could take time and This section describes the court case of cyber effort to retrieve and decompress the log files needed crime so called "Identity theft in Internet communi to trace e-mails. Some e-mails have fake/forged head cation by electronic mail by two business entities" ers in order to deceive investigators, to extreme cats. Based on the analysis of the method of communica December 2012 Juma of information Technology and Application 71 Read carefully the first and the second case studies in E-Mail Forensics: Techniques and Tools for Forensic Investigation of One Court Case paper and answer the questions 2. First case study (page 70) 1. Give a short description of the first case study? 2. Why analysing the email header is important for investigators? 3. The examination of all server logs should be achieved as soon as possible. Identify the reasons. 4. Analysing email headers for too many emails is time consuming. What are the software tools investigators can use to reduce efforts and time in analysing the email? 5. What are the results investigators can get related to the validity of suspect message from analysing web-mail server logs? 6. How the analysis of mail server logs confirmed that the suspect message was not authentic? b. Second case study (page 71) 1. Give a short description of the second case study? 2. What is the software tool used for the email examination process? 3. What are the results of examining the hopes through which the hacker's mail passed? 4. What is the finding after analysing the suspicious e-mail and email server on the victim's side? 5. Briefly analysed and compare between eMailTrackerPro and Aid4Mail Forensic tools used in this case study