E-mail Forensics / Analysis

(@aed47)
Active Member
Joined: 16 years ago
Posts: 6
Topic starter  

Hi everyone,

So I am currently writing my senior thesis and for those of you who helped me out this summer with programs that deal with email forensics, a warm thank you! It was a great success.

I ended up enjoying email forensics so much that it is the topic for my senior thesis.

Here is the issue.
Sources - or rather, lack thereof. Is anyone aware of any journals, publications, or books that will have information on
OST/PST files
Email examination
Email forensics
How specific programs deal with email forensics.

I have my EnCase certification book and will be using that, also - I will be investigating programs like
NUIX
Intella
Paraben Email examiner
EnCase/FTK - how they deal with email forensics.

I am looking for as much information as possible. Anything will help!

Thanks again.


   
Quote
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

libpff.sourceforge.net

Read the source code - OST,PST,PAB goodness


   
ReplyQuote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

I can suggest a topic, as I am working on this very issue, myself. And it has relevance to a court case in which I am involved.

The issue is whether it is possible to detect e-mail forgeries, that is to say, e-mails which have been edited to change their content or meaning, rather than deleted. Specifically, the issue is how reliable is forensics on the archive (in this case, a .PST file).

Another issue, specific to Personal File Folder (pff) content, is whether one can edit the mail message within a PFF (.PST, .OST) in such a way that the edit cannot be detected? If so, how practical is this?

A great deal of work has already been done in this area (look at the libpff Sourceforge site), but it remains a hot topic as e-mail, especially e-mail hosted on POP servers, can either be evidence, or can be excluded as evidence due to the unreliability of the archive.


   
ReplyQuote
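The post above asks how reliably an edited message can be spotted in a .PST archive. A narrower, header-level counterpart is the consistency check an examiner runs on the message itself: the client-written Date header against the relay-written Received chain, the ordering of the Received chain, and the Message-ID domain against the From domain. The script below is an added example and not code from any post in this thread or from libpff; it uses only the Python standard library, and the two .eml messages in it are constructed for the demonstration (the "tampered" one has a rewritten Date and a Message-ID minted at a different domain). It says nothing about the PST container itself, and an empty finding list only means the headers are mutually consistent, not that the message is authentic.

```python
"""Header-consistency triage for suspected e-mail forgeries (constructed example)."""
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Two constructed messages.  The first is internally consistent; in the second
# the Date header was rewritten so it no longer agrees with the Received chain,
# and the Message-ID was minted at a domain other than the sender's.
CONSISTENT_EML = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.net with ESMTP; Mon, 24 Aug 2009 10:05:12 +0000
Received: from client.example.org ([192.0.2.55])
\tby mx.example.org with ESMTP; Mon, 24 Aug 2009 10:04:58 +0000
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Date: Mon, 24 Aug 2009 10:04:30 +0000
Message-ID: <20090824100430.1234@example.org>
Subject: Meeting notes

Notes attached.
"""

TAMPERED_EML = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.net with ESMTP; Mon, 24 Aug 2009 10:05:12 +0000
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Date: Fri, 28 Aug 2009 16:00:00 +0000
Message-ID: <20090824100430.1234@example.test>
Subject: Meeting notes

Notes attached (revised).
"""

# Tolerance for ordinary clock skew between a client and its relays (assumed value).
MAX_SKEW = timedelta(hours=24)


def received_timestamps(msg):
    """Return the timestamp of every Received header, earliest hop first.

    Each relay prepends its own Received header, so the raw order is
    newest-first; reversing it walks the path the message actually took.
    """
    stamps = []
    for value in msg.get_all("Received", []):
        # The date-time clause follows the last ';' in a Received header.
        _, _, date_part = value.rpartition(";")
        try:
            stamps.append(parsedate_to_datetime(date_part.strip()))
        except (TypeError, ValueError):
            continue  # unparsable stamp: skip rather than crash the triage
    return list(reversed(stamps))


def check_message(raw):
    """Run the header-consistency heuristics; return a list of findings (empty = consistent)."""
    msg = message_from_string(raw)
    findings = []

    stamps = received_timestamps(msg)
    date_hdr = msg.get("Date")
    sent = parsedate_to_datetime(date_hdr) if date_hdr else None

    if sent is None:
        findings.append("missing or unparsable Date header")
    elif stamps:
        # The client's Date should not be later than the first relay's stamp,
        # nor far earlier than it, beyond normal clock skew.
        first_hop = stamps[0]
        if sent > first_hop + MAX_SKEW:
            findings.append("Date header is later than the first Received hop")
        elif first_hop - sent > MAX_SKEW:
            findings.append("Date header is far earlier than the first Received hop")

    # Along the delivery path the Received stamps should not go backwards.
    for earlier, later in zip(stamps, stamps[1:]):
        if later < earlier - MAX_SKEW:
            findings.append("Received chain timestamps are out of order")
            break

    # The sending system normally mints the Message-ID, so its domain usually
    # matches the From domain.  A mismatch is a cue for closer review, not proof.
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    msgid_domain = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    if from_domain and msgid_domain and from_domain != msgid_domain:
        findings.append(
            f"Message-ID domain {msgid_domain!r} differs from From domain {from_domain!r}"
        )

    return findings


if __name__ == "__main__":
    for name, raw in (("consistent", CONSISTENT_EML), ("tampered", TAMPERED_EML)):
        print(f"{name}: {check_message(raw) or ['no findings']}")
```

Each heuristic is deliberately a cue rather than a verdict: a message rewritten with matching headers passes all of them, which is exactly why the archive-level question in the post (whether the store itself records the edit) matters more than header inspection alone.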
(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
 

Hi Seanmcl.

Is this a Federal case?


   
ReplyQuote
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

Sean

You are in luck.

Read the following blog entry, they'll be happy to talk with you personally too.

https://blogs.sans.org/computer-forensics/2009/08/26/analysis-of-e-mail-and-appointment-falsification-on-microsoft-outlookexchange/


   
ReplyQuote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

> Hi Seanmcl.
>
> Is this a Federal case?

Unfortunately, I am not at liberty to say, at this point, but it is a public corruption case.


   
ReplyQuote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

> Sean
>
> You are in luck.
>
> Read the following blog entry, they'll be happy to talk with you personally too.
>
> https://blogs.sans.org/computer-forensics/2009/08/26/analysis-of-e-mail-and-appointment-falsification-on-microsoft-outlookexchange/

Paul

Thanks. I have actually had discussions with Joachim Metz about this and am in the process of experimenting a bit, myself, using the parameters established by the opposing side's theory of the evidence.


   
ReplyQuote
Share: