In 350 words, using Chapter 10 (PFA) as a reference, explain the concept of information stores. Why is an understanding of how different clients store messaging information critical to the success of an email search?
Write your answer using a WORD document. Include references.
No copy paste strictly. Plagiarism results in course termination.
Chapter 10
Email Forensics
Email is Often the Best Evidence
Contents can demonstrate intent
Header data can demonstrate the source
Timestamps can show intent to mislead
Show up as evidence in a vast majority of cases
Email Structure
Plain text emails don’t support graphics
HTML structured emails support graphics and embedded content
Attachments can accompany the message as a separate file
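The three structures listed above (a plain-text body, an HTML alternative that can reference embedded content, and a separate attachment) can be seen directly by building and then dissecting a MIME message. The following is an added example using Python's standard email package, not material from the chapter; every address, Message-ID and file name in it is constructed for illustration.

```python
"""Added example (not from the chapter): build and dissect a MIME email.

Shows a plain-text part, an HTML alternative carrying an inline content
reference, and a separate attachment. All message content is constructed.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def build_sample_message() -> bytes:
    """Construct a multipart message with text, HTML and an attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"                  # constructed sender
    msg["To"] = "bob@example.org"                      # constructed recipient
    msg["Subject"] = "Q3 invoice"
    msg["Message-ID"] = "<20240101.0001@example.com>"  # constructed ID
    msg.set_content("Bob, the invoice is attached.")   # plain-text body
    # HTML alternative that references embedded content by Content-ID
    msg.add_alternative(
        "<html><body><p>Bob, the invoice is <b>attached</b>.</p>"
        '<img src="cid:logo"></body></html>',
        subtype="html",
    )
    # A separate attachment (a tiny constructed CSV, base64-encoded on the wire)
    msg.add_attachment(
        b"item,amount\nwidget,100\n",
        maintype="text",
        subtype="csv",
        filename="invoice.csv",
    )
    return msg.as_bytes()


def dissect(raw: bytes) -> dict:
    """Parse raw RFC 5322 bytes and summarise the structure for a report."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    content_types = []
    attachments = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # container parts carry no content
        content_types.append(part.get_content_type())
        if part.is_attachment():
            attachments.append(part.get_filename())
    body = msg.get_body(preferencelist=("plain",))
    return {
        "message_id": msg["Message-ID"],
        "content_types": content_types,
        "attachments": attachments,
        "plain_body": body.get_content().strip() if body else None,
    }


if __name__ == "__main__":
    for key, value in dissect(build_sample_message()).items():
        print(f"{key}: {value}")
```

The walk visits the `multipart/mixed` and `multipart/alternative` containers first and skips them, so the report lists only the leaf parts an examiner would actually review.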
Email Technology
Mail user agent is a software interface that represents the end user
Mail transport agent moves messages from point A to point B
Mail client is the application that provides end user support
Mail server handles addressing and transport
Email Addresses
Each user ID must be unique to a particular domain
The same user ID on a different domain may or may not represent the same user
User IDs are easily spoofed with the right software
Email Protocols
Mailbox protocols
Post Office Protocol, ver. 3 (POP3)
Internet Message Access Protocol (IMAP)
Transport protocols
Simple Mail Transport Protocol (SMTP)
Email Clients
Perform some basic functions
Send messages
Receive messages
Manage content (including attachments)
Are operating system specific
Determine how information is archived on the system
May be a local client or web-based
Information Stores
Acts as a cabinet for the information stored by the client
Sent/Received messages
Address books
Calendars
Each client has a specific format for storing data
Email Servers
Act as relay agents for moving messages across the Internet
SMTP servers handle all outgoing messages
IMAP or POP3 servers handle all incoming messages
Server applications such as Microsoft Exchange combine SMTP with POP/IMAP
Standard Header Information
TO:
FROM:
SUBJECT:
DATE:
All of these are easily spoofed
MIME Header Information
Information stored in the header that includes:
Time/Date stamps for various actions along the way
Server information for relay servers along the way
A message ID unique to this message across the Internet
Versions of software used along the way
IDs of blind carbon copy recipients
A return path
Tracing the Origin of a Message
Each server that relays the message adds its IP address
Each relay server maintains, for a certain period of time, logs that indicate the IP address of the sender as well as the intended recipient
While the time stamp can be manipulated at the origin, the ones added along the way are likely real
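Because each relay prepends its own Received header, the chain can be read from the bottom up to reconstruct the path and compare the relay timestamps against the sender-controlled Date header. The following is an added example, not part of the chapter, that parses a constructed three-hop message with Python's standard email package; the hostnames, addresses and IDs in it are placeholders.

```python
"""Added example (not from the chapter): walk the Received chain of a message.

Relays prepend Received headers, so the topmost header is the last hop and
the bottommost is the first. The raw message below is constructed; the Date
header is deliberately a day earlier than the first relay's timestamp.
"""
import email
import re
from email.utils import parsedate_to_datetime

RAW_MESSAGE = b"""Received: from relay2.example.net (relay2.example.net [198.51.100.20])
\tby mx.example.org with ESMTP id abc123
\tfor <bob@example.org>; Mon, 01 Jan 2024 10:05:30 +0000
Received: from relay1.example.com (relay1.example.com [203.0.113.10])
\tby relay2.example.net with ESMTP id def456;
\tMon, 01 Jan 2024 10:05:10 +0000
Received: from userpc (unknown [192.0.2.55])
\tby relay1.example.com with ESMTPA id ghi789;
\tMon, 01 Jan 2024 10:05:00 +0000
Message-ID: <20240101.0002@example.com>
Date: Sun, 31 Dec 2023 09:00:00 +0000
From: alice@example.com
To: bob@example.org
Subject: test

hello
"""

# "from <host> (<comment>) by <relay>" is the common shape of a Received clause
HOP_RE = re.compile(r"^from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_received(value: str) -> dict:
    """Parse one Received header into claimed host, IP, relay and timestamp."""
    text = " ".join(value.split())            # unfold continuation lines
    clause, _, date_part = text.rpartition(";")
    match = HOP_RE.match(clause)
    if not match:
        raise ValueError(f"unrecognised Received header: {text!r}")
    ip = IP_RE.search(match.group("comment") or "")
    return {
        "from": match.group("from"),
        "ip": ip.group(1) if ip else None,
        "by": match.group("by"),
        "time": parsedate_to_datetime(date_part.strip()),
    }


def trace(raw: bytes) -> list:
    """Return relay hops in chronological order (bottom header first)."""
    msg = email.message_from_bytes(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return list(reversed(hops))


def timeline_report(raw: bytes) -> dict:
    """Summarise the path and compare relay times with the Date header."""
    hops = trace(raw)
    msg = email.message_from_bytes(raw)
    times = [h["time"] for h in hops]
    monotonic = all(a <= b for a, b in zip(times, times[1:]))
    date_header = parsedate_to_datetime(msg["Date"])
    return {
        "origin_ip": hops[0]["ip"] if hops else None,
        "path": [h["by"] for h in hops],
        "hops_monotonic": monotonic,
        # positive skew: first relay saw the message later than Date claims
        "origin_skew_seconds": (times[0] - date_header).total_seconds() if hops else None,
    }


if __name__ == "__main__":
    for hop in trace(RAW_MESSAGE):
        print(f"{hop['time']}  {hop['from']} [{hop['ip']}] -> {hop['by']}")
    print(timeline_report(RAW_MESSAGE))
```

The relay timestamps increase hop by hop while the Date header lags them by more than a day, which is exactly the kind of discrepancy the slide points to: the origin can set any Date it likes, but the Received lines written by intermediate servers are much harder to tamper with.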
Some Email Search Tools
Clearwell
Paraben
GREP
Search Results
False positives – looks right but isn’t
False negatives – doesn’t look right, but is
A measure of accuracy is “precision”
Ratio of false positives to false negatives
A measure of effectiveness is “recall”
Percentage of relevant emails that were found
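The Information Stores slide says each client keeps its data in its own format, and the Search Results slide scores a search by precision and recall. The following added example (not material from the chapter) ties the two together with Python's standard mailbox package: a constructed corpus of five messages is written once as a single mbox file and once as a Maildir tree, a reader is chosen by the on-disk layout, and a keyword search over each store is scored against a constructed relevance key using the standard information-retrieval definitions (true positives over everything returned for precision, over everything relevant for recall).

```python
"""Added example (not from the chapter): one corpus in two client store
formats, searched and scored by precision and recall.

The corpus, its relevance labels and the addresses are all constructed.
"""
import mailbox
import tempfile
from email.message import EmailMessage
from pathlib import Path

# Constructed corpus: (subject, body, relevant-to-the-investigation)
CORPUS = [
    ("Lunch", "Are we still on for lunch Friday?", False),
    ("Invoice 42", "Please wire payment for invoice 42 to the new account.", True),
    ("Re: Invoice 42", "Wired. New account details confirmed.", True),
    ("Newsletter", "Save 20% on your next invoice software upgrade!", False),
    ("Transfer", "Moved the funds as discussed, account closed after.", True),
]


def make_message(subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "alice@example.com"   # constructed
    msg["To"] = "bob@example.org"       # constructed
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def populate_stores(root: Path) -> tuple:
    """Write the corpus as an mbox file and as a Maildir (one file per message)."""
    mbox_path, maildir_path = root / "inbox.mbox", root / "Maildir"
    mb = mailbox.mbox(str(mbox_path))
    md = mailbox.Maildir(str(maildir_path))
    for subject, body, _ in CORPUS:
        msg = make_message(subject, body)
        mb.add(msg)
        md.add(msg)
    mb.close()
    md.close()
    return mbox_path, maildir_path


def open_store(path: Path) -> mailbox.Mailbox:
    """Pick the reader that matches the on-disk layout; the wrong one finds nothing."""
    if path.is_dir() and (path / "cur").is_dir():
        return mailbox.Maildir(str(path), create=False)
    return mailbox.mbox(str(path), create=False)


def keyword_search(store: mailbox.Mailbox, keyword: str) -> list:
    """Subjects of messages whose subject or body contains the keyword."""
    kw = keyword.lower()
    hits = []
    for msg in store:
        subject = msg["Subject"] or ""
        body = msg.get_payload(decode=True).decode("utf-8", "replace")
        if kw in subject.lower() or kw in body.lower():
            hits.append(subject)
    return hits


def precision_recall(hits: list) -> tuple:
    """Score a hit list against the corpus relevance labels."""
    relevant = {subject for subject, _, rel in CORPUS if rel}
    found = set(hits)
    true_positives = len(found & relevant)
    precision = true_positives / len(found) if found else 0.0
    recall = true_positives / len(relevant) if relevant else 0.0
    return precision, recall


def run_demo(keyword: str = "invoice") -> dict:
    """Populate both stores in a scratch directory and search each one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for path in populate_stores(Path(tmp)):
            store = open_store(path)
            hits = keyword_search(store, keyword)
            store.close()
            results[path.name] = {"hits": sorted(hits),
                                  "precision_recall": precision_recall(hits)}
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Searching for "invoice" returns the two relevant invoice messages plus the newsletter (a false positive) and misses the "Transfer" message (a false negative), so precision and recall are both 2/3 in either store; the point of the two layouts is that the same search only reaches the second store because `open_store` recognises the Maildir `cur` directory and switches readers.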
Advanced Search Methods
Stationary User Profiles – a method of determining if a user makes use of multiple accounts
Similar Users – a way of determining if what appears to be a single user is actually multiple users
Attachment Statistics – a user’s typical behavior regarding attachments is analyzed
Recipient Frequency – what types of messages a specific user usually receives