Monday, February 8, 2016

Webmail Forensics: Collecting & Analyzing Artifacts

Almost everyone uses at least one web-based email account to communicate with others. The growth in webmail use has brought a corresponding rise in cybercrime cases that require forensic analysis of a webmail account. The virtual forms of communication that the internet provides have made life easier and less complicated by raising effectiveness, productivity and connectivity to a new level.

We use the World Wide Web for many purposes: sending email, exchanging documents, retrieving information, and contacting friends and family through voice chat or video calling. Although it has brought many benefits to everyone's life, it also has a weak point, because it exposes people to cybercrime. Since most cybercrime cases involve a web-based email client, webmail forensics is a field that deserves attention.

What is Webmail Mailbox Analysis?

It is the process of collecting evidence that can later be presented in a court of law by examining the source and content of messages in a web-based email account. Commonly used webmail clients are Google's Gmail, Microsoft's webmail service and Yahoo Mail. Many criminals use web-based clients to carry out their crimes. Because information is exchanged from one account to another, the message carries information about the criminal, which the investigation team analyses to collect evidence against them.

How Webmail Forensics Analysis helps Investigators?

The main aim of the investigation team is to extract as much information as possible from the messages sent or received, regardless of which web-based email client was used. The forensic procedure consists of the stages collection, preservation, analysis and reporting. The first stage of an investigation is collecting information from the email message. Every message carries an email header, written to by each system that handles it, and that header can be analysed to extract information. Let us discuss how the header details can be used for forensic purposes.

Extracting information using Email Header

The email header can be analysed by extracting the header of the suspicious message and going through every field. The steps to obtain the header are as follows:

 Extract the header data and save it in a separate file

i)                   Log in to the web-based email account concerned.
ii)                Open the suspicious mail whose header details are required.
iii)              Once the mail is open, use the menu at the right-hand side of the message to find the option.
iv)              The option to view the header has a different name in each webmail client:
For Gmail, choose 'Show Original' to view the full message source and save it to a text file.
For Yahoo Mail, choose 'View Full Header' to view the header and save it to a text file.
For Microsoft's webmail, choose 'View Message Source' and save it to a text file.
v)          Save the complete source, headers and body, rather than the headers alone; record the date and time of the export and compute a hash (for example SHA-256) of the saved file, so that the evidence copy can later be shown to be unaltered.

vi)          Finally, during the webmail forensics analysis, examine the entire header from the saved file.

Detailed examination of all the header information

The screenshot below shows the header of a message received through a web-based email client. Its fields are discussed in turn:

  • Delivered-To: the mailbox address the message was actually delivered to. It is added by the receiving system, so it is more reliable than the To header, which the sender controls.
  • Received (topmost): every server that handles the message prepends its own Received line, so the topmost entry is the last hop, normally the recipient's own mail server, and records the time the message arrived there.
  • X-Received: a non-standard header that Gmail adds as the message passes through Google's internal infrastructure; it records an internal relay and a timestamp rather than the original sender.
  • Return-Path: the envelope sender (SMTP MAIL FROM) address, to which bounces are sent. It is often different from the From header, and a mismatch between the two domains is one of the first things to check.
  • Received (bottommost): the earliest hop, normally the server that accepted the message from the sender's client or outgoing server, with that sender's IP address and the time of the handoff. Only the Received lines added by servers you trust can be relied on; a sender can insert forged Received lines below them.
  • Received-SPF: the result of the Sender Policy Framework check (pass, fail, softfail, neutral, none or an error) performed by the receiving server, together with the client IP and the domain that was checked. SPF authorises the sending IP for the Return-Path domain only, so a pass says nothing about the From header, which can still be forged.
  • DKIM-Signature: DomainKeys Identified Mail, a cryptographic signature over selected headers and the body, made with the private key of the signing domain (the d= tag). A valid signature shows that the domain signed the message and that the signed content was not altered in transit; compare the d= domain with the From domain.
  • Message-ID: a unique identifier assigned when the message is created, usually in the form local-part@domain of the originating client or server. It is useful for correlating copies of the same message across mailboxes and server logs.
  • MIME-Version: declares that the message uses Multipurpose Internet Mail Extensions, the standard that extends the email message format to carry attachments and non-ASCII content. It is almost always 1.0 and carries little evidential value on its own; the structure of interest is in the Content-Type headers.
  • Content-Type: the format of the message or of each part, such as text/plain, text/html, or multipart/mixed for a message with attachments.
  • From: the sender's display name and address. It is not reliable on its own, because it is set by the sending client and can easily be forged.
  • To: the recipient's name and address as written by the sender.
  • Subject: the subject line of the message.
Collecting information for forensics

We collect the data retrieved from the headers of the messages in the suspect's account and compile it into one record per message. The combined data is the starting point for the forensic analysis of the webmail account; each message selected from the suspect's account is analysed in the same way from its saved header file. From that file we can extract the sender and recipient addresses, the relaying IP addresses, the timestamp of each hop, the Message-ID, the SPF result, the DKIM signing domain and the Date header.

The individual details must be correlated with one another, and with the receiving server's logs where they are available, to establish what actually happened. The analysis stage begins once the evidence has been collected and preserved.
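The script below is an added example, not code from the original post. It parses a saved 'Show Original' export with Python's standard email module, hashes the file for preservation, walks the Received chain from the originating hop to the mailbox, and flags the Return-Path/From and DKIM/From mismatches described in the header section above. The message it parses is a constructed sample (example.com, bank.example, attacker.example and 203.0.113.7 are documentation values, not a real message), and the regular expressions are heuristics for the common Received formats rather than a full RFC 5322 parser.

```python
import email
import hashlib
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample of a "Show Original" export; hosts, addresses and IPs are documentation values.
RAW_MESSAGE = b"""Delivered-To: victim@example.com
Received: by 10.0.0.1 with SMTP id abc123; Mon, 8 Feb 2016 10:15:02 -0800 (PST)
X-Received: by 10.0.0.2 with SMTP id def456; Mon, 08 Feb 2016 10:15:01 -0800 (PST)
Return-Path: <bounce@attacker.example>
Received: from mail.attacker.example (mail.attacker.example. [203.0.113.7])
 by mx.example.com with ESMTPS id ghi789; Mon, 08 Feb 2016 10:15:00 -0800 (PST)
Received-SPF: pass (example.com: domain of bounce@attacker.example designates 203.0.113.7 as permitted sender) client-ip=203.0.113.7;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=attacker.example; s=sel1; h=from:to:subject; bh=abc=; b=def=
Message-ID: <20160208181500.12345@mail.attacker.example>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
From: "Bank Support" <support@bank.example>
To: victim@example.com
Subject: Urgent account verification
Date: Mon, 08 Feb 2016 10:14:58 -0800

Please log in at the link below.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
SPF_RE = re.compile(r"^\s*(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I)


def sha256_hex(raw: bytes) -> str:
    """Hash the saved export so the evidence file can be verified later."""
    return hashlib.sha256(raw).hexdigest()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_received(value: str) -> dict:
    """Pull relaying host, literal IP and timestamp out of one Received: header."""
    value = " ".join(value.split())  # unfold continuation lines
    frm, ip, by = FROM_RE.search(value), IP_RE.search(value), BY_RE.search(value)
    stamp = value.rsplit(";", 1)[1].strip() if ";" in value else ""
    return {
        "from": frm.group(1) if frm else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "time": parsedate_to_datetime(stamp) if stamp else None,
    }


def analyze(raw: bytes) -> dict:
    """Summarise the headers and flag the mismatches an investigator checks first."""
    msg = email.message_from_bytes(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]

    # Each hop prepends its Received: header, so the stored order is newest first;
    # reverse it to follow the message from origin to mailbox. Only hops added by
    # servers you trust are reliable: a sender can forge any line below them.
    hops = [parse_received(h) for h in reversed(msg.get_all("Received", []))]

    spf = SPF_RE.match(msg.get("Received-SPF", ""))
    spf_result = spf.group(1).lower() if spf else None

    # DKIM-Signature is a tag=value list; d= names the domain that signed.
    dkim_tags = dict(t.strip().split("=", 1) for t in msg.get("DKIM-Signature", "").split(";") if "=" in t)
    dkim_domain = dkim_tags.get("d", "").strip().lower() or None

    findings = []
    from_domain = domain_of(from_addr)
    if return_path and domain_of(return_path) != from_domain:
        findings.append(f"Return-Path domain {domain_of(return_path)} differs from From domain {from_domain}")
    if dkim_domain and dkim_domain != from_domain:
        findings.append(f"DKIM d={dkim_domain} does not match From domain {from_domain}")
    if spf_result and spf_result != "pass":
        findings.append(f"SPF result is {spf_result}")

    return {
        "sha256": sha256_hex(raw),
        "message_id": msg.get("Message-ID"),
        "delivered_to": msg.get("Delivered-To"),
        "from": from_addr,
        "return_path": return_path,
        "spf": spf_result,
        "dkim_domain": dkim_domain,
        "hops": hops,
        "origin_ip": next((h["ip"] for h in hops if h["ip"]), None),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, val in analyze(RAW_MESSAGE).items():
        print(f"{key}: {val}")
```

On the sample the SPF check passes, yet the report still raises two findings: the Return-Path and the DKIM d= tag both name attacker.example while the From header claims bank.example. That is the case the header section warns about, where SPF and DKIM are valid for the domain that really sent the message but say nothing about the forged From line. The origin_ip value is the literal address in the earliest Received line, which is only trustworthy if that line was written by a server you control.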

Webmail forensics plays an important role in digital forensics whenever the email in a suspect's account has to be investigated. Although several methods exist for examining webmail and its components, some of them do not work on spoofed messages or on messages that have been deleted. The forensic tool used must meet the standards of the investigation, extracting the evidence from the webmail in a way that keeps it usable against the suspect.
