Investigation of Electronic Mail

(@kwilley)
Topic starter
 

Apologies if this is in the wrong forum but felt it was more a general discussion than a targeted educational query.

For my final year project I am working with electronic mail, looking at the extraction, indexing, reviewing and exporting of mail as well as large-scale mapping of central mail servers. For my research I am looking for any information on the structure of electronic mail, as well as any particular tools that currently perform this task in the forensic field.

My research so far has covered EnCase, FTK with add-ons, and Nuix as my email investigation tools - I was wondering if there were any other ones which are used in industry for analysis? With regards to documentation, I have read RFC 2822 - Internet Message Format as well as articles relating to the header information of electronic mail.

I am ideally looking for pointers in which direction my research should continue and any help would be greatly appreciated.

Regards,
Kieran

 
Posted : 07/02/2013 4:39 am
TuckerHST
(@tuckerhst)
 

You might want to check out Vound and Aid4Mail.

 
Posted : 07/02/2013 4:42 am
Adam10541
(@adam10541)
 

+1 for Vound (Intella). It's very similar to Nuix, so if you are familiar with Nuix it should be easy enough to use.

 
Posted : 07/02/2013 7:36 am
(@joachimm)
 

First you want to distinguish between the types of analysis:
* content-centric (like e-Discovery)
* "artefact"-centric (e.g. timestamps, conversation index)

RFC 2822 is of little use if you're analyzing other formats. Check the following projects.

Outlook PST files
http://code.google.com/p/libpff/

NSF
http://code.google.com/p/libnsfdb/

Outlook Express
http://www.forensicswiki.org/wiki/Outlook_Express_Database_(DBX)

Exchange
http://code.google.com/p/libesedb/

Regarding tools:
X-Ways

Unless you're doing an evaluation of how the tools represent their results, you actually want to know which parser the tools are using. You'll find that some of the tools use the same parser implementation, e.g. for PST: Outside-In, libpff or even the Outlook MAPI (which is not forensically sound).

 
Posted : 07/02/2013 11:50 am
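Editor's note (added example, not part of the original thread or any poster's code): the OP asks about RFC 2822 message structure and the header articles, and the reply above separates content-centric from artefact-centric analysis. The artefact-centric side of an RFC 2822 message is mostly its headers: the Received chain (one stamp per relay, newest on top), the sender-asserted Date, and the Message-ID / In-Reply-To / References identifiers that let you rebuild a conversation. The script below, using only Python's standard library, parses a constructed sample message (hostnames, addresses and IDs are made up; the IPs are from documentation ranges) into oldest-first hops, extracts the threading identifiers, and flags a skew between the Date header and the first relay's timestamp. The 30-minute skew threshold and the Message-ID-domain check are the editor's assumptions, not rules from any RFC or tool.

```python
"""Artefact-centric triage of RFC 2822 headers (added example, not from the thread)."""
import re
from datetime import timezone
from email import message_from_string
from email.policy import default
from email.utils import parsedate_to_datetime, parseaddr

# Constructed sample message: hosts, addresses and IDs are invented,
# IPs come from the RFC 5737 documentation ranges.
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.20])
\tby mail.example.org with ESMTP id abc123
\tfor <kieran@example.org>; Thu, 07 Feb 2013 10:39:15 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mx2.example.net with SMTP; Thu, 07 Feb 2013 10:39:12 +0000
Message-ID: <20130207103901.GA1234@sender.example.com>
In-Reply-To: <CAFx-001@example.org>
References: <CAFx-000@example.org> <CAFx-001@example.org>
Date: Thu, 07 Feb 2013 02:39:00 +0100
From: "Alice Sender" <alice@sender.example.com>
To: kieran@example.org
Subject: Re: Final year project

Body text.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def parse_message(raw):
    """Parse raw text; the modern policy unfolds continuation lines in headers."""
    return message_from_string(raw, policy=default)


def parse_received(msg):
    """Return relay hops oldest-first with from/by hosts, IP and UTC timestamp.

    Each relay prepends its own Received header, so header order is newest
    first; reversing gives the path travelled. The timestamp is the clause
    after the last ';' (RFC 2822 section 3.6.7).
    """
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = str(value)
        clause, sep, stamp = value.rpartition(";")
        if not sep:                      # malformed header without a date
            clause, stamp = value, None
        frm, by, ip = FROM_RE.search(clause), BY_RE.search(clause), IP_RE.search(clause)
        ts = parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc) if stamp else None
        hops.append({"from": frm.group(1) if frm else None,
                     "by": by.group(1) if by else None,
                     "ip": ip.group(1) if ip else None,
                     "timestamp": ts})
    return hops


def threading_refs(msg):
    """Identifiers used to rebuild a conversation across mailboxes."""
    return {"message_id": str(msg.get("Message-ID", "")).strip() or None,
            "in_reply_to": str(msg.get("In-Reply-To", "")).strip() or None,
            "references": str(msg.get("References", "")).split()}


def timestamp_skew(msg, hops, max_skew_seconds=1800):
    """Compare the client-asserted Date with the first relay's Received stamp.

    Date is written by the sender and is trivially wrong or forged; the first
    Received stamp is the earliest server-side time. A gap of hours deserves a
    look (clock, time zone or spoofing). The threshold is an assumed default.
    """
    date_hdr = msg.get("Date")
    first = next((h["timestamp"] for h in hops if h["timestamp"]), None)
    if date_hdr is None or first is None:
        return {"date_utc": None, "first_hop_utc": first, "skew_seconds": None, "flagged": False}
    date_utc = parsedate_to_datetime(str(date_hdr)).astimezone(timezone.utc)
    skew = int((first - date_utc).total_seconds())
    return {"date_utc": date_utc, "first_hop_utc": first,
            "skew_seconds": skew, "flagged": abs(skew) > max_skew_seconds}


def message_id_matches_sender(msg):
    """True if the Message-ID right-hand side equals the From domain (a cheap pivot, not proof)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    mid = str(msg.get("Message-ID", "")).strip("<> ")
    if "@" not in addr or "@" not in mid:
        return None
    return addr.rsplit("@", 1)[1].lower() == mid.rsplit("@", 1)[1].lower()


def triage(raw):
    """Run every check on one raw message and return the artefacts as a dict."""
    msg = parse_message(raw)
    hops = parse_received(msg)
    return {"hops": hops, "threading": threading_refs(msg),
            "skew": timestamp_skew(msg, hops),
            "message_id_matches_from": message_id_matches_sender(msg)}


if __name__ == "__main__":
    result = triage(SAMPLE)
    for hop in result["hops"]:
        print(f"{hop['timestamp']:%Y-%m-%d %H:%M:%S} UTC  {hop['from']} -> {hop['by']}  ip={hop['ip']}")
    print("threading:", result["threading"])
    print("Date vs first hop: %d s skew, flagged=%s" % (result["skew"]["skew_seconds"], result["skew"]["flagged"]))
```

On the sample, the hop list runs 198.51.100.7 -> mx2.example.net -> mail.example.org, and the Date (01:39 UTC) sits nine hours before the first Received stamp (10:39:12 UTC), so the skew check fires. That is the kind of artefact a content-centric review would never surface, and it comes straight out of the RFC 2822 headers without touching PST, NSF or EDB containers; for those you still need one of the parsers listed above.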
(@belkasoft)
 

My research so far has covered EnCase, FTK with add-ons, Nuix as my email investigation tools - I was wondering if there were any other ones which are used in industry for analysis?

I can recommend our own tool, Belkasoft Evidence Center (link in my signature). Includes email analysis of most popular clients. You can contact me to obtain a license (free for educational jobs such as yours).

 
Posted : 07/02/2013 3:51 pm
(@paraben)
 

There's also P2 Commander which incorporates the capabilities of E-mail Examiner and Network E-mail Examiner. We've been analyzing email for over 10 years with these products.

 
Posted : 08/02/2013 1:19 am