This is about … .
SMTP (Simple Mail Transfer Protocol) and its extension ESMTP carry mail 📤 from the sender to the recipient's mail server; POP3 and IMAP are what clients use to fetch mail 📥 from the mailbox. SMTP listens on port 25 by default (server-to-server); client submission is usually moved to 587 (STARTTLS) or 465 (implicit TLS). POP3 uses 110 by default (995 over TLS) and IMAP 143 (993 over TLS).
A session starts with a HELO command (EHLO for ESMTP) in which the client names itself. The server answers every command with a three-digit reply code (2xx success, 4xx temporary failure, 5xx permanent failure), not an ACK/NACK. The envelope follows: MAIL FROM (the bounce address, later visible as Return-Path), RCPT TO (the actual recipients) and DATA, after which the message itself, headers plus body, is transmitted and usually queued for delivery. Note that the header From: inside DATA is free text that the server does not check against MAIL FROM.
IMAP keeps all messages on the server and the client works on a synchronised copy; POP3 downloads them and, depending on client configuration, either deletes them from the server or leaves them there.
Tools 🛠.
libpff - parses PAB, PST and OST mailboxes and exports their contents. Example:
pffexport -q -f all -m all outlook.pst (-f all exports every output format, -m all includes recovered/deleted items as well as normal ones, -q keeps it quiet).
MIME (Multipurpose Internet Mail Extensions) defines the format of an email message beyond plain ASCII text: multipart bodies, non-ASCII text and attachments (base64 or quoted-printable encoded).
Header. Each message has a very extensive header containing receiver's and sender's information. Timestamps should be verified against each other: every server on the path adds its own Received: line with its own clock, so if a message passes several servers several
Received: from lines will be present, and a later hop that predates an earlier one is a red flag.

| Header | Meaning | Example |
|---|---|---|
| Return-Path: | The envelope sender (SMTP MAIL FROM): where the message goes if rejected by the target system. Compare it with From:, which the sender writes freely. | <0102017c9a0[….]email@example.com> |
| Received: from | The sending server for one hop. There can be multiple instances of this header; each server prepends its own, so the top one is the last hop and the bottom one the first. Read them bottom-up and trust only those added by servers you control. | a55-173.smtp-out.eu-west-1.amazonses.com ([IP]) by mx.google.com with ESMTPS id o10si44935vsh.320.2021.10.19.12.35.42 for firstname.lastname@example.org (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-SHA bits=128/128); Tue, 19 Oct 2021 12:35:43 -0700 (PDT) |
| Received-SPF: | Result of the receiving server's SPF check: pass means the connecting IP is authorised by the sender domain's SPF record. | pass (google.com: domain of [….] designates [IP] as permitted sender) client-ip=[IP]; |
| DKIM-Signature: | DomainKeys Identified Mail signature 💌 over selected headers and the body, verified against the public key the signing domain publishes in DNS. There can be more than one such header for a single email. | |
| From: | The sender as written by the sending software (can be spoofed). | PortSwigger email@example.com |
| To: | The intended recipient. | firstname.lastname@example.org |
| Reply-To: | Address used when Reply is chosen. Usually absent or the same as From:; a Reply-To in a different domain is a common phishing indicator. | PortSwigger email@example.com |
| Subject: | | Get Burp Suite certified |
| Message-ID: | Unique ID generated by the originating client or server. The part after @ usually names the originating host, and the ID can be searched for in ISP or server logs. | <0102017c9a[…]firstname.lastname@example.org> |
| List-Unsubscribe: | Legitimate bulk senders will often include an opt-out address or URL. | |
| Bcc: | Blind Carbon Copy recipients. Normally stripped before delivery, so the other recipients never see it. | |
| Envelope-To: | Added by some MTAs (e.g. Exim) to record the envelope RCPT TO address. It does not overwrite To:, but it shows who actually received this copy when To: is misleading (Bcc, mailing lists). | |
| X-OriginalArrivalTime: | Added by Microsoft Exchange when it accepts the message (a FILETIME value). Not spoof-proof: a sender can pre-insert any X- header, so trust only the copy added by a server you control. | X-OriginalArrivalTime: 06 Oct 2209 06:06:06.0666 (UTC) FILETIME=[blahblah] |
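The header checks above, as an added example that is not part of the original page: walk the Received: chain of a raw message with Python's standard email package, oldest hop first, and flag the usual spoofing indicators (Return-Path and Reply-To domains that differ from From:, an SPF result other than pass, and hop timestamps that run backwards). The message is constructed for this example; hosts and addresses are placeholders.

```python
"""Added example (not from the original page): Received: chain walk and
spoof indicators. SAMPLE is a constructed message with placeholder hosts."""

import re
from email import message_from_string, utils

SAMPLE = """Return-Path: <bounce@mail-out.attacker.invalid>
Received: from relay.attacker.invalid (relay.attacker.invalid [203.0.113.7])
    by mx.example.invalid with ESMTPS id abc123
    for <alice@example.invalid>; Tue, 19 Oct 2021 12:35:43 -0700
Received: from [10.0.0.5] (unknown [10.0.0.5])
    by relay.attacker.invalid with ESMTP id xyz789;
    Tue, 19 Oct 2021 12:40:00 -0700
Received-SPF: softfail (example.invalid: domain of attacker.invalid does not designate 203.0.113.7 as permitted sender) client-ip=203.0.113.7;
From: "IT Helpdesk" <helpdesk@example.invalid>
Reply-To: <helpdesk-reset@attacker.invalid>
To: alice@example.invalid
Subject: Password expiry
Message-ID: <20211019123500.1234@relay.attacker.invalid>
Date: Tue, 19 Oct 2021 12:34:00 -0700

Your password expires today, reset it at the link below.
"""

def _unfold(value):
    """Collapse header folding (newline + whitespace) into single spaces."""
    return re.sub(r"\s+", " ", value).strip()

def received_chain(raw):
    """Received: hops in chronological order. Each MTA *prepends* its own
    header, so the top one is the last hop and the bottom one the first."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        v = _unfold(value)
        m = re.search(r"\bfrom\s+(.+?)\s+by\s+(\S+)", v)
        # the timestamp follows the last ';' of the header
        when = utils.parsedate_to_datetime(v.rsplit(";", 1)[-1].strip())
        hops.append({"from": m.group(1) if m else None,
                     "by": m.group(2) if m else None, "time": when})
    return hops

def _domain(header_value):
    return utils.parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def spoof_indicators(raw):
    """Return a list of indicator codes; an empty list means nothing obvious."""
    msg = message_from_string(raw)
    flags = []
    from_dom = _domain(msg["From"])
    # Return-Path is the envelope sender. Legitimate bulk mailers also use a
    # separate bounce domain, so this is an indicator, not a verdict.
    if _domain(msg["Return-Path"]) != from_dom:
        flags.append("envelope-mismatch")
    if msg["Reply-To"] and _domain(msg["Reply-To"]) != from_dom:
        flags.append("reply-to-mismatch")
    spf = _unfold(msg.get("Received-SPF", "none")).split(" ", 1)[0].lower()
    if spf != "pass":
        flags.append(f"spf-{spf}")
    chain = received_chain(raw)
    for earlier, later in zip(chain, chain[1:]):
        if later["time"] < earlier["time"]:   # a later hop cannot predate an earlier one
            flags.append(f"clock-skew:{earlier['by']}->{later['by']}")
    return flags
```

On the constructed message `spoof_indicators(SAMPLE)` reports all four indicators; the clock-skew one comes from the attacker's relay stamping 12:40 on a hop that the receiving MX logged at 12:35:43. Real-world clocks drift by seconds, so a production rule would allow a small tolerance rather than flagging any negative delta.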
🛠 EMT (Email Mining Toolkit) is no longer maintained, but the idea was to group emails with similar behavioural characteristics. The following techniques were used:
- Stationary User Profiles. Compare a user's PC activity with their email activity.
- Similar Users. Build a baseline of normal user activity; accounts that deviate from it are suspicious.
- Attachment statistics.
- Recipient Frequency. Certain users receive certain email with a known regularity.
- Group Communications. Same last names suggest a family; a group with different last names receiving one email suggests a business organisation, a club, or a spam target list.
⚒️ Content analysis developed this idea further, and several products employ the technique: Agilex, AnyDoc, Datacap, dtSearch, elVia, eLumicor, Fastline Technologies (data mining), H&A eDiscovery, iConnect, kCura (electronic discovery), Planet Data, SAIC.
First, ensure the source IP is valid (🛠 nslookup will help). Additional info can be acquired with
Outlook uses either PST (personal folder) or OST (offline cache of an Exchange/IMAP mailbox) files. A PST contains messages, contacts, calendars and notes. Attachments travel inside the message MIME/base64-encoded. Also examine the temporary folders where Outlook drops opened attachments: OLK and Content.Outlook.
Default locations (the user can also choose another location when creating a PST):
- XP: %USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook, i.e. C:\Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.pst and *.ost
- Vista and later: C:\Users\*\AppData\Local\Microsoft\Outlook\*.pst and *.ost
Tools 🛠: Intella.
Outlook Express, the default mail client up to Vista. The address book is typically a .wab file. Early versions kept mail folders as .idx (index) and .nch (user-created folder structure) files; later versions store everything in .dbx (database) files. A .dbx file starts with the signature 0xCF 0xAD 0x12 0xFE followed by a class ID (used for file association in Windows). Files of interest:
- offline.dbx (only present when a web mail account was configured),
- pop3uidl.dbx (tracks messages left on the POP3 server),
- <generic_name>.dbx (user-created folders),
- <newsgroup_name>.dbx (if subscribed to newsgroups).
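Mail stores are worth finding by signature rather than by extension, since a renamed or carved file keeps its header. The following is an added example, not the page's own code: it scans a raw image at sector-aligned offsets for the .dbx signature given above and for the Outlook PST/OST header (the "!BDN" magic, the "SM" client magic at offset 8 and the wVer field at offset 10, as documented in Microsoft's MS-PST specification). The sample image is constructed inline.

```python
"""Added example (not from the original page): signature-based carving of
Outlook PST/OST and Outlook Express DBX stores. The sample image is constructed."""

import struct

DBX_MAGIC = bytes.fromhex("cfad12fe")   # Outlook Express .dbx signature
PST_MAGIC = b"!BDN"                      # MS-PST HEADER.dwMagic (PST and OST alike)
PST_CLIENT = b"SM"                       # MS-PST HEADER.wMagicClient at offset 8

def identify_store(head):
    """Classify the first bytes of a candidate; None if it is not a mail store."""
    if head[:4] == DBX_MAGIC:
        return "dbx"
    if len(head) >= 12 and head[:4] == PST_MAGIC and head[8:10] == PST_CLIENT:
        wver = struct.unpack_from("<H", head, 10)[0]   # HEADER.wVer at offset 10
        if wver in (14, 15):                            # ANSI PST (Outlook 97-2002)
            return "pst/ost-ansi"
        if wver >= 23:                                  # Unicode PST/OST (2003+)
            return "pst/ost-unicode"
    return None

def carve_mail_stores(image, align=512):
    """Scan an image at sector-aligned offsets; return [(offset, kind), ...].
    File-system clusters are multiples of 512 bytes, so headers of intact
    files always land on such a boundary."""
    hits = []
    for off in range(0, len(image) - 11, align):
        kind = identify_store(image[off:off + 12])
        if kind:
            hits.append((off, kind))
    return hits

def build_sample_image():
    """Constructed 4-sector image: empty sector, dbx, Unicode pst, and a decoy
    that carries the "!BDN" magic but not the "SM" client magic."""
    def sector(b):
        return b.ljust(512, b"\0")
    dbx = DBX_MAGIC + bytes(16)                          # signature + dummy class id
    pst = PST_MAGIC + bytes(4) + PST_CLIENT + struct.pack("<H", 23)   # 4-byte CRC skipped
    decoy = PST_MAGIC + b"not a pst header"
    return sector(b"") + sector(dbx) + sector(pst) + sector(decoy)
```

`carve_mail_stores(build_sample_image())` returns the dbx at offset 512 and the Unicode PST/OST at 1024 and ignores the decoy. For a real disk image read the file in chunks instead of loading it whole, and hand each hit to libpff (pffexport) or a dbx parser; the header alone cannot tell a PST from an OST, so that distinction comes from the parser or the surrounding file-system metadata.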
Thunderbird profiles live in C:\Users\%USERNAME%\AppData\Roaming\Thunderbird\Profiles; or just use a forensic image.
Tools 🛠: Autopsy, Email Parser plugin.
Tools 🛠: Magnet AXIOM, for systems without a mail client (webmail only).
To get this information, “RAM-on-disk” files are needed (for Windows
Windows 10 Mail
Messages are stored as HTML; several accounts can be configured. The data lives under C:\Users\%Username%\AppData\Local\Comms, which has several subfolders:
- Unistore\data contains many numbered subfolders; 7 (attachments) is of particular interest.
- UserDataTempFiles holds emails that were not sent. This data is volatile.