
Email and Internet Evidence

This document discusses the significance of email and internet evidence in forensic investigations, focusing on Web 1.0 technologies. Key insights include the differentiation between client-based and web-based applications, standards for data processing, and the importance of reconstructing internet history. Effective e-forensic investigations require knowledge of how data is stored and accessed in various applications, including popular email clients like Outlook and browsers like Firefox. Understanding these crucial elements allows forensic experts to document digital footprints effectively.


Presentation Transcript


  1. Email and Internet Evidence
     Mark Pollitt
     Associate Professor, Engineering Technology

  2. Web 1.0 Technologies
     • Technologies
       • Email
       • Web
       • Skype
       • IM
     • Web 1.0 because:
       • Static content
       • Application standards
       • Client based

  3. Forensics on Web 1.0 Technologies
     • Focus on two elements:
       • The application
       • The data
     • Looking for:
       • The content
       • The connections

  4. Applications
     • Developers need to build three things into communications applications:
       • User interface
       • Data processing/storage
       • Communications protocols
     • Multiple applications can share a common protocol
       • Outlook, Thunderbird, Zimbra
       • Hotmail, Yahoo, Gmail

  5. Web Browsers
     • All share HTML
     • Some support other technologies:
       • ActiveX, Flash, XML, etc.
     • All store a cache of recent files and a history
     • Most store those differently
     • Usually, it takes a specific tool to look at browser histories
     • Documenting Internet history and reconstructing web pages both provide important evidence

  6. Doing Browser Forensics
     • Know how the browser stores data
     • Know the location of the data
     • Have a tool that can read that data
     • Great resources:
       http://www.symantec.com/connect/articles/web-browser-forensics-part-1
       http://www.symantec.com/connect/articles/web-browser-forensics-part-2

  7. Email
     • Very simple in concept:
       • Client/Server
       • SMTP protocol
     • Two basic interfaces:
       • Web mail (Hotmail, Yahoo, Gmail)
       • Client based (POP, IMAP, SMTP)
       • Some support both
     • Features vary by client

  8. Email Clients
     • Like browsers, they share some features:
       • Communications protocols (POP, IMAP, SMTP, etc.)
       • User interface
       • Storage – usually some form of database

  9. Internet History Browsers
     • NirSoft – IEHistoryView / MozillaCacheView
     • SecurityXploded – Browser History Spy*
     • SQLite viewer – Firefox

  10. Email Investigations
      • Client Software
        • Outlook
        • Thunderbird
        • Zimbra
      • Forensic Suites
        • EnCase
        • FTK
      • Webmail
        • Use browser forensics

  11. Thank You for your Attention!
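
Slides 6 and 9 come down to knowing the storage format and having a tool that reads it; for Firefox that format is the SQLite database places.sqlite. The following is an added example, not part of the original presentation: it builds a constructed, reduced stand-in for the moz_places and moz_historyvisits tables and reconstructs a visit timeline with the referring page for each visit. All URLs and timestamps are constructed sample values.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Firefox transition codes for the two visit types used in the sample data.
VISIT_TYPES = {1: "link", 2: "typed"}

def prtime_to_utc(microseconds):
    """Firefox stores visit_date as PRTime: microseconds since the Unix epoch."""
    return EPOCH + timedelta(microseconds=microseconds)

def build_sample_db():
    """Constructed in-memory stand-in for places.sqlite (columns reduced).
    For a real case, query a working copy of the evidence file opened read-only:
    sqlite3.connect("file:places.sqlite?mode=ro&immutable=1", uri=True)"""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES
            (1, 'https://search.example/?q=webmail', 'Search'),
            (2, 'https://mail.example/login', 'Webmail login'),
            (3, 'https://mail.example/inbox', 'Inbox');
        INSERT INTO moz_historyvisits VALUES
            (1, 0, 1, 1700000000000000, 2),
            (2, 1, 2, 1700000030500000, 1),
            (3, 2, 3, 1700000042000000, 1);
    """)
    return db

def history_timeline(db):
    """Visits in time order; from_visit is followed back to the referring URL,
    which is the 'connection' between pages. from_visit = 0 means no referrer."""
    rows = db.execute("""
        SELECT v.visit_date, p.url, p.title, v.visit_type, rp.url
        FROM moz_historyvisits v
        JOIN moz_places p ON p.id = v.place_id
        LEFT JOIN moz_historyvisits rv ON rv.id = v.from_visit
        LEFT JOIN moz_places rp ON rp.id = rv.place_id
        ORDER BY v.visit_date
    """).fetchall()
    return [{"when": prtime_to_utc(ts).isoformat(), "url": url, "title": title,
             "how": VISIT_TYPES.get(vt, str(vt)), "referrer": ref}
            for ts, url, title, vt, ref in rows]

if __name__ == "__main__":
    for rec in history_timeline(build_sample_db()):
        print(rec["when"], rec["how"], rec["url"], "<-", rec["referrer"])
```
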
