collecting of webmail

10 Posts
6 Users
0 Reactions
1,239 Views
jpickens
(@jpickens)
Estimable Member
Joined: 18 years ago
Posts: 130
Topic starter  

I've been looking around for any articles or documentation regarding the reasons why you would and would not collect data from a web-based mail service like HOTMAIL, GMAIL, AOL, etc…

I know it's best to subpoena the service for the user's mail, but I've been requested lately by some to say they would rather me just pull it down from the web service via POP3 or some other means to present to the client. Is this really forensically sound? Why and why not?

Can anyone link me to some articles or discussion that clears this up any? I'd like to have cited proof so I can use it for next time this comes my way.

Thanks.

(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

Hi Jason,

I would think that it would be forensically sound as the PST (if you would use Outlook for example) would have the headers and any other pertinent information. Because of each provider's retention policy and the hurdles to go through with a preservation request, it might just be more efficient and offer a greater chance of getting the information via a desktop email client.

In the past I have done both: fire out a preservation request and then pull data down via POP/IMAP (but keep data on servers). This way I cover any situation. Of course documentation is key to your reasons and methods.

CdtDelta
(@cdtdelta)
Estimable Member
Joined: 17 years ago
Posts: 134
 

The times I've had to do this, it really comes down to a heavily documented process. I just document each step that I take in the process, since depending on the webmail service, I use a different tool to "retrieve" the email. I agree the headers within the email do not change, but depending on how you retrieve the data, you may have individual files on your machine that have different MAC times.

Typically what I will do is fire up a clean XP VM that has been virus scanned and prepped for what I need to retrieve (Zimbra for Yahoo, Outlook for MSN, etc). Then once I download the mail, I'll usually hash it on the VM, then hash it again once I move it to my examination machine. That way there's at least a due diligence on my part in what I did (and it's all documented).

(that's a high level view of what I do, there are more steps than that).

Tom

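Worked example of the two-stage hashing Tom describes (hash in the collection VM, hash again after the move to the examination machine, compare). This is an added illustration, not code posted in the thread: the file names, directory layout and the two sample messages are constructed here, and the "transfer" is a local copy standing in for moving files between machines. Content hashes are compared; MAC times are recorded separately because, as noted above, they are expected to differ depending on the retrieval tool and the move.

```python
"""Two-stage hash verification for collected mail files (added example).

Stage 1 hashes each message file where the mail client wrote it (the
collection VM); stage 2 hashes the same files after transfer to the
examination machine. Both manifests are kept, so the comparison is part of
the documented process rather than a claim made after the fact.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed sample messages standing in for files a mail client wrote out.
SAMPLE_MESSAGES = {
    "msg-0001.eml": (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
                     b"Message-ID: <1@example.com>\r\nSubject: one\r\n\r\nbody 1\r\n"),
    "msg-0002.eml": (b"From: carol@example.com\r\nTo: bob@example.com\r\n"
                     b"Message-ID: <2@example.com>\r\nSubject: two\r\n\r\nbody 2\r\n"),
}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large mailboxes do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory: Path) -> dict:
    """Hash every regular file in `directory`.

    mtime is recorded for the record only: the comparison below deliberately
    ignores it, because MAC times change when files are copied between systems
    while the message content must not.
    """
    manifest = {}
    for p in sorted(directory.iterdir()):
        if p.is_file():
            st = p.stat()
            manifest[p.name] = {"sha256": sha256_file(p), "size": st.st_size, "mtime": st.st_mtime}
    return manifest


def compare_manifests(before: dict, after: dict) -> dict:
    """Report content changes and files that appeared or vanished in transit."""
    return {
        "changed": sorted(n for n in before if n in after and before[n]["sha256"] != after[n]["sha256"]),
        "missing_after": sorted(set(before) - set(after)),
        "unexpected_after": sorted(set(after) - set(before)),
    }


def run_two_stage_verification(tamper: bool = False) -> dict:
    """Simulate collect -> hash -> transfer -> hash -> compare on constructed data.

    `tamper=True` corrupts one file after the transfer to show what the
    comparison reports when stage 2 does not match stage 1.
    """
    with tempfile.TemporaryDirectory() as tmp:
        vm_dir = Path(tmp, "collection_vm")
        exam_dir = Path(tmp, "exam_machine")
        vm_dir.mkdir()
        for name, data in SAMPLE_MESSAGES.items():
            (vm_dir / name).write_bytes(data)

        stage1 = build_manifest(vm_dir)            # hashed on the collection VM
        shutil.copytree(vm_dir, exam_dir)          # stand-in for the move between machines
        if tamper:
            (exam_dir / "msg-0002.eml").write_bytes(b"altered in transit")
        stage2 = build_manifest(exam_dir)          # hashed again on the examination machine

        # Keep both manifests with the evidence; written after stage 2 so it is not hashed itself.
        (exam_dir / "manifest.json").write_text(json.dumps({"stage1": stage1, "stage2": stage2}, indent=2))
        return compare_manifests(stage1, stage2)


if __name__ == "__main__":
    print("clean transfer:", run_two_stage_verification())
    print("tampered transfer:", run_two_stage_verification(tamper=True))
```

A clean transfer yields three empty lists; the tampered run names `msg-0002.eml` under `changed`. In a real collection the stage-1 manifest would be generated inside the VM and carried with the files, and the stage-2 check run on the examination machine against it.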
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

I've been looking around for any articles or documentation regarding the reasons why you would and would not collect data from a web-based mail service like HOTMAIL, GMAIL, AOL, etc…

I know it's best to subpoena the service for the user's mail,

Under the terms of the Electronic Communications Privacy Act, mail hosting sites are virtually immune from civil subpoena without either

the consent of the originator
the consent of one of the intended recipients
evidence of criminal activity

but I've been requested lately by some to say they would rather me just pull it down from the web service via POP3 or some other means to present to the client. Is this really forensically sound? Why and why not?

POP3 would not be a good choice because, as the name (Post Office Protocol) suggests, once the message has been delivered, it is usually removed from the server. The fact that it is on the server could be evidence that the message was never read.

Which brings me to the second point, namely, that many mail services mark it when mail is read. Sometimes you have the option to mark the mail as having been unread but, in either event, if it is important that you document whether the mail had been read, previously, you should keep this in mind.

For purity's sake, I'd much prefer to have the intact message store or, if that is not possible, a PST, MBOX or maildir image (the latter two should be done so as to preserve the MAC times). This can be a little tricky depending upon the message store architecture, but it is doable.

Again, if there is an issue as to whether or not the mail had been read, you may need to do more.

(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

POP3 would not be a good choice because, as the name (Post Office Protocol) suggests, once the message has been delivered, it is usually removed from the server. The fact that it is on the server could be evidence that the message was never read.

Not quite true. POP3 does allow you to retrieve messages whilst leaving them on the server. It's just that most POP3 clients use a default setting for downloading and deleting from the server.

You can generally change this setting in a mail client, and as a practical measure, I've been doing this on every mail client I've used since '96. All my clients are set to delete messages from the POP3 server that are older than 10 days. I use a second computer to POP off the messages as an archival system in case of loss of data from my email computer.

I have done email collection from mail providers under consent when I was working for the police. It's perfectly fine so long as your process is documented and reproducible.

(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

POP3 would not be a good choice because, as the name (Post Office Protocol) suggests, once the message has been delivered, it is usually removed from the server. The fact that it is on the server could be evidence that the message was never read.

Not quite true. POP3 does allow you to retrieve messages whilst leaving them on the server. It's just that most POP3 clients use a default setting for downloading and deleting from the server.

That is why I said "usually". However, if you go to the actual RFC, it states quite clearly:

It should be noted that enforcing site message deletion policies may be confusing to the user community, since their POP3 client may contain configuration options to leave mail on the server which will not in fact be supported by the server.

Document retention is actually outside the POP3 protocol and implemented according to site policy. By default in POP3, once a message is transferred it is marked for deletion, though it doesn't actually get deleted until an UPDATE command is issued in response to a QUIT command from the client. So, for example, if you disconnect without sending an explicit QUIT, deletion will not occur. The simplest way to implement retention is for the client to force a disconnect without a QUIT (although retention is actually done via the optional UIDL command).

You can generally change this setting in a mail client, and as a practical measure, I've been doing this on every mail client I've used since '96.

True, but I was speaking more from a forensic standpoint. It is a little like write blocking. I now have to document that I made this change, and how do I prove it?

And, in any event, you have the bigger issue of having touched the message with the client and that gets you into the problem of proving whether the mailbox owner actually read the message or the fact that it was marked read was from your retrieval.

That is why I prefer not to use the client to retrieve messages if I want to preserve the forensic details.

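To make the RFC 1939 behaviour discussed in this exchange concrete, here is an added, in-memory model of a POP3 maildrop and session. It is not code from the thread or from any mail server: the messages, their UIDL values and the `delete_on_retrieve` knob (standing in for the server-side "site message deletion policy" the RFC mentions) are constructed. It shows that DELE only marks a message, that the marks are applied when QUIT enters the UPDATE state, that a dropped connection discards them, and that a collector which never issues DELE can still lose messages when the server's own policy deletes retrieved mail.

```python
"""In-memory model of POP3 deletion semantics (RFC 1939), added example.

Message numbers are 1-based per session; UIDL values are the stable per-message
identifiers a careful collector records instead of message numbers. The
`delete_on_retrieve` flag models a site policy applied by the server regardless
of what the client asked for.
"""
import hashlib


class Pop3Maildrop:
    def __init__(self, messages, delete_on_retrieve=False):
        self.store = dict(messages)                      # {uid: raw message bytes}
        self.delete_on_retrieve = delete_on_retrieve     # site policy, outside the protocol

    def open_session(self):
        return Pop3Session(self)


class Pop3Session:
    """One session in the TRANSACTION state."""

    def __init__(self, drop):
        self.drop = drop
        self.index = list(drop.store)    # message number n -> uid at index n-1
        self.marked = set()              # uids marked for deletion this session
        self.open = True

    def _uid(self, n):
        if not self.open:
            raise RuntimeError("session closed")
        if not 1 <= n <= len(self.index) or self.index[n - 1] in self.marked:
            return None                  # -ERR no such message / already marked
        return self.index[n - 1]

    def stat(self):
        live = [u for u in self.index if u not in self.marked]
        return len(live), sum(len(self.drop.store[u]) for u in live)

    def uidl(self):
        return [(n + 1, u) for n, u in enumerate(self.index) if u not in self.marked]

    def retr(self, n):
        uid = self._uid(n)
        if uid is None:
            return None
        if self.drop.delete_on_retrieve:
            self.marked.add(uid)         # server policy marks retrieved mail itself
        return self.drop.store[uid]

    def dele(self, n):
        uid = self._uid(n)
        if uid is None:
            return False
        self.marked.add(uid)             # DELE only marks; nothing is removed yet
        return True

    def rset(self):
        self.marked.clear()              # RSET unmarks everything marked this session

    def quit(self):
        # QUIT in TRANSACTION enters UPDATE: marked messages are removed now.
        for uid in self.marked:
            self.drop.store.pop(uid, None)
        self.open = False

    def drop_connection(self):
        # Session ends without QUIT: UPDATE never runs, so the marks are discarded.
        self.marked.clear()
        self.open = False


def collect_without_dele(drop):
    """Collector style: RETR everything, hash it against its UIDL, never DELE, then QUIT."""
    s = drop.open_session()
    manifest = {uid: hashlib.sha256(s.retr(n)).hexdigest() for n, uid in s.uidl()}
    s.quit()
    return manifest


def default_client_download(drop):
    """Typical default client behaviour: RETR then DELE each message, then QUIT."""
    s = drop.open_session()
    for n, _ in s.uidl():
        s.retr(n)
        s.dele(n)
    s.quit()


# Constructed sample maildrop.
SAMPLE = {"uid-a": b"Subject: a\r\n\r\nfirst\r\n", "uid-b": b"Subject: b\r\n\r\nsecond\r\n"}


def demo():
    """How many messages remain on the server after each kind of session."""
    results = {}
    d1 = Pop3Maildrop(SAMPLE)
    collect_without_dele(d1)
    results["collector_no_dele"] = len(d1.store)            # retained
    d2 = Pop3Maildrop(SAMPLE)
    default_client_download(d2)
    results["default_client"] = len(d2.store)               # emptied at UPDATE
    d3 = Pop3Maildrop(SAMPLE)
    s = d3.open_session()
    s.dele(1)
    s.drop_connection()
    results["dele_then_drop"] = len(d3.store)               # mark discarded, retained
    d4 = Pop3Maildrop(SAMPLE, delete_on_retrieve=True)
    collect_without_dele(d4)
    results["collector_vs_site_policy"] = len(d4.store)     # client retention not honoured
    return results
```

Running `demo()` gives 2, 0, 2 and 0 respectively: the last figure is the case seanmcl raises, where the client's "leave mail on server" setting is irrelevant because retention is decided by the server's policy, so the collector's own record (UIDL plus hash per message) is the only proof of what was retrieved.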
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

Looks like Craig Ball is happy enough to do it via POP.

http://www.lawtechnews.com/r5/showkiosk.asp?listing_id=3336466

(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Looks like Craig Ball is happy enough to do it via POP.

http://www.lawtechnews.com/r5/showkiosk.asp?listing_id=3336466

Sure. And I'd be happy to challenge him in court, especially with respect to documenting whether the mail had been read prior to being extracted.
Also, you failed to mention this statement from your link:

"But if you try this, be sure that the collecting POP client is set to leave messages on the server and that any Yahoo! Mail that arrives during the collection process makes its way to the local and Yahoo! Mail Inboxes."

Now, tell me, how do you prove this if the e-mail is deleted after the fact, and you can't subpoena the ISP regarding e-mail? And remember that according to the POP3 RFC, the server doesn't have to follow the client's requests for retention. The method is optional and the policy is outside the POP3 specification.

I respect Craig Ball as an attorney and a forensic investigator, but that doesn't mean that I agree with him all of the time.

(@sandaa)
New Member
Joined: 16 years ago
Posts: 1
 

If confronted with a Hotmail account:

If you can get the password from the owner, you can download and install a connector to Outlook 2007 (Install on your own machine), and then get a copy of the mails, downloaded to your own Office client.

Then export the mails to a .pst file, hash it.

Wouldn't that be a sound way to get it, forensically speaking?

regards

Thomas

CdtDelta
(@cdtdelta)
Estimable Member
Joined: 17 years ago
Posts: 134
 

That's actually how I get Hotmail/Windows Live emails.

As for forensically sound, well, it's currently probably the most "untainted" way to get a copy of it, barring going straight to the provider. What's nice about it is it keeps the folder structure of the webmail account.

But again with all of these, you're not going to get deleted emails (except of course those in the "trash" bin on the webmail account).

Tom
