Towards comprehensive and collaborative forensics on email evidence
Citations
An insight into digital forensics branches and tools
Live forensics of tools on android devices for email forensics
Challenges, Opportunities and a Framework for Web Environment Forensics
A Framework for Extended Acquisition and Uniform Representation of Forensic Email Evidence
On Geo Location Services for Telecom Operators
References
That ‘Internet of Things’ Thing
Bringing science to digital forensics with standardized forensic corpora
Dropbox analysis: Data remnants on user machines
Guide to Computer Forensics and Investigations
Automating Disk Forensic Processing with SleuthKit, XML and Python
Frequently Asked Questions (14)
Q2. What is the current trend in digital forensics?
A current trend in digital forensics is the use of XML as a data representation format, allowing for a firm layer of abstraction “between feature extraction and analysis” and “a single, XML-based output format for forensic analysis tools” [9].
Q3. What is the way to acquire email data from Gmail?
The final challenge to acquiring data from Gmail is that the only method for retrieving the raw email data is to essentially “screen scrape” the pages returned during a web session, parsing through the HTML and using regular expression patterns or searching through the Document Object Model (DOM) for the desired elements.
Q4. What is the last task the module performs after discovering the cookie database?
After discovering the cookie database, the last task the module performs is to store important information about the possible credential source in a JSON file for use in the Evidence Mapping phase.
Q5. What were the verification tasks carried out after the conversion of the evidence into EFXML?
Following the step of processing the evidence into EFXML, a number of verification tasks were carried out including reproducing checksums and comparing counts of messages between the original and EFXML representations.
Q6. What is the way to acquire a copy of emails?
While the optimal acquisition method for retrieving a copy of all emails is to do so via IMAP, cookies are specific to the HTTP protocol and will not work to authenticate through IMAP.
Q7. How many directories are there before reaching the target file?
\AppData\Local\Google\Chrome\User Data\Default\Cookies, which is a total of 9 directories before reaching the target file (Cookies).
Q8. Why did the authors observe a size increase in the case of a PST file?
Due to the nature of email data, it is possible to observe a size increase in particularly imperfect cases (e.g. where the volume of header data exceeds the volume of body data) after the addition of the EFXML tags to the data; however, their evaluations point toward an average case which does not approach this situation.
Q9. What is the useful check against data integrity?
As each email is a discrete, individually identifiable piece of data, the authors assert that a checksum of the plain text content of the original form of an email message is the most useful check against data integrity.
Q10. What are the conditions that must be met to make the acquisition process work?
The authors recognize that a few circumstances have to be ideal in order for this acquisition process to work, namely that the owner of the credentials is always signed in, that the cookies have not yet expired and are discoverable by some means, and that the notification banner of having added the delegate account will not compromise the investigation.
Q11. How does the implementation ensure the reliability and accuracy of evidence?
Their implementation ensures the reliability and accuracy of the evidence it handles by taking a checksum of each message during supplemental acquisition and evidence processing, so that the integrity of every message can be verified.
Q12. What is the next step after acquiring, processing, and authenticating the evidence?
The next step after acquiring, processing, and authenticating the evidence is to perform forensic analyses that will be informative for the purposes of the investigation.
Q13. Why are there two new formats for forensics?
Because of this, the authors have defined two new representations which are more suitable for email forensics, but maintain some of the standard elements introduced in DFXML, such as byte runs of discrete pieces of evidence.
Q14. How long does it take to add a delegate?
It opens a browser and connects to Gmail, and as long as the cookies are still valid it performs each of the steps for adding a delegate as outlined in the Google help pages, which takes O(1) time.