General Reference
Protocols. SMTP (Simple Mail Transport Protocol) and extended SMTP are used for outbound mailbox📤 and POP3/IMAP - for inbound 📥. Default port for SMTP - 25, however, sometimes redirected to 587. POP3 uses 110 by default and IMAP - 143. First, HELO packet is sent to check the address and access rights. Returns ACK upond success and NACK upon failure. Then, message itself. Usually queued. IMAP leaves all messages on server after download, POP3 can be configured to either delete them from the server or keep.
Tools 🛠 . libpff - to parse and extract PAB, PST and OST Mailboxes (download). Example: pffexport -q -f all -m all outlook.pst.
MIME. Define the format of an email message.
Header. Each message has a very extensive header, containing receiver’s and sender’s information. Timestamps are better verified. If a message passes several servers on its way, several Received: from will be added to the header.
| header | meaning | example |
|---|---|---|
| Delivered-To | Recipient | myaddress@gmail.com |
| Received: by | ||
| X-Google-Smtp-Source: | ||
| X-Received: | ||
| ARC-Seal: | ||
| ARC-Message-Signature: | ||
| ARC-Authentication-Results: | ||
| Return-Path: | This is where the message will go if rejected by the target system | <0102017c9a0[….]000@eu-west-1.amazonses.com> |
| Received: from | The sending server. There can be multiple instances of this header. | a55-173.smtp-out.eu-west-1.amazonses.com ([IP]) by mx.google.com with ESMTPS id o10si44935vsh.320.2021.10.19.12.35.42 for myaddress@gmail.com (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-SHA bits=128/128); Tue, 19 Oct 2021 12:35:43 -0700 (PDT) |
| Received-SPF: | pass (google.com: domain of [….] designates [IP] as permitted sender) client-ip=[IP]; | |
| Authentication-Results: | ||
| DKIM-Signature: | Domain Key Signature. There can be more than one such header for a single email | Digital signatures 💌 for emails. |
| From: | The original sender (can be spoofed) | PortSwigger hello@portswigger.net |
| To: | The intended receiver | myaddress@gmail.com |
| Reply-To: | Address to be used when Reply option is chosen. Usually the same as From. | PortSwigger hello@portswigger.net |
| Subject: | Get Burp Suite certified | |
| Content-Type: | multipart/mixed; boundary=“XXXXXXX” | |
| Message-ID: | Unique ID. It can be used to identify the sender from ISP or server’s logs. | <0102017c9a[…]000000@eu-west-1.amazonses.com> |
| Date: | ||
| Feedback-ID: | ||
| X-SES-Outgoing: | ||
| List-Unsubscribe: | Legitimate senders will often include opt-out emails. | |
| BCC | Blind Carbon Copy indicated it is a copy of a message sent to TO | |
| Envelope-To: | Overwrites the TO field | |
| X-OriginalArrivalTime: | This cannot be spoofed! Timestamp from the POP server. | X-OriginalArrivalTime: 06 Oct 2209 06:06:06.0666 (UTC) FILETIME=[blahblah] |
Attachments 📎.
Tools
🛠 EMT (Email Mining Toolkit) is not maintained anymore but the idea was to group emails with similar bahvioral characteristics. The following techniques were used:
- Stationary User Profiles. Compare PC user activity with email activity.
- Similar Users. Collect information about normal user activity. Deviated accs are suspicious.
- Attachment statistics.
- Recipient Frequency. Certain users receive certain email with some known consistency.
- Group Communications. Same last names - family. A group with different last names receiving one email - business org, club or spam target.
⚒️ ContentAnalysis developed this idea further and several software employed this technique: Agilex, AnyDoc, Datacap, dtSearch, elVia, eLumicor, Fastline Technologies (data mining), H&A eDiscovery, iConnect, kCura (electronic discovery), Planet Data, SAIC.
First, make sure that the source IP is a valid one ( 🛠
nslookupwill help). Additional info can be acquired withwhois.
Mail Apps
Outlook
The main artifacts are stored in C:\Users\%USERNAME%\AppData\Local\Microsoft\Outlook. Get OST and PST files. Contains messages, contacts, calendars, notes. PST files are usually in Documents and Settings on Windows (personal folder files), but can defined by user as well.
C: Documents and Settings| |*\ Local Settings\ Application Data\Microsoft\ Outlook\|*.pst
C:\ Documents and Settings |* Local Settings Application Data\Microsoft\ Outlook||*.ost
C: \ Users |*\ AppData\ Local \Microsoft\ Outlook| |*.pst
C: \Users\|*\AppData\Local|Microsoft\Outlook\|*.ost
Tools 🛠: Intella.
Outlook Express
Dafault up to Vista. Address book is typicalluy wab and mail folders - mbx (messages), idx (index for mbx), nch (user-created folder structure). Later dbx (database) was used to store info. Starts with 0xcf 0xad 0x12 0xfe followed by a class id (for file association in Windows). inbox.dbx, sent items.dbx, drafts.dbx, offline.dbx (doesn’t exist when Webmail was not configured), pop3uidl.dbx (messages left on POP3 server), <generic_name>.dbx (user-created folders), <newsgroup_name>.dbx (if subsribed).
Thunderbird
C:\Users\%USERNAME%\AppData\Roaming\Thunderbird\Profiles, or just use a forensic image.
Tools 🛠: Autopsy, Email Parser plugin.
Webmail
Tools 🛠: Magnet AXIOM, when there are no mail clients on the system.
To get this information, “RAM-on-disk” files are needed (for Windows hiberfil.sys, swapfile.sys and pagefile.sys).
Windows 10 Mail
Emails are stored in txt or html. Can have multiple accounts. The path to data is: C:\Users\%Username%\AppData\Local\Comms. There several subfolders:
TempUnistore\data. Contains lots of subfolders,3(mail) and7(attachments) are of particular interest.UnistoreDB\store.vol\Contact. ContainsContacts.txtandPcontacts.txt.UserDataTempFiles. Emails that were not sent. This data is volatile.Volatile
iOS
Mail App
• /private/var/mobile/Library/Mail
-
/private/var/mobile/Library/Mail/[UUID]/*.emlx
-
/private/var/mobile/Library/Mail/[UUID]/*.imapmbox/
Attachments/