📬 Mail


Created: 12.10.2020

General Reference

Protocols. SMTP (Simple Mail Transfer Protocol) and its extension ESMTP carry outbound mail 📤 between clients and servers; POP3 and IMAP are what clients use to fetch inbound mail 📥. Default ports: SMTP 25 for server-to-server relay, 587 for authenticated client submission (465 for implicit TLS); POP3 110 (995 over TLS); IMAP 143 (993 over TLS). An SMTP session starts with the client sending HELO (EHLO for ESMTP) to identify itself; the server answers every command with a three-digit reply code (2xx success, 4xx temporary failure, 5xx permanent rejection), not ACK/NACK. The envelope follows (MAIL FROM, RCPT TO), then the message itself after DATA. Accepted messages are normally queued and relayed hop by hop. IMAP keeps messages on the server and synchronises state with the client; POP3 downloads them and can be configured either to delete them from the server or to leave them there.
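The exchange described above, as an added example that is not part of the original page: a toy in-memory SMTP server driven by a scripted client, so the reply codes, the envelope commands and the separation between the envelope sender (what ends up in Return-Path) and the From: header can be seen in one transcript. Hostnames and addresses are constructed placeholders; the server implements only the commands needed for the dialogue.

```python
import re

# Matches <local@domain> in MAIL FROM / RCPT TO arguments.
ADDR_RE = re.compile(r"<([^<>@\s]+@([^<>@\s]+))>")


class ToySmtpServer:
    """Stand-in for a receiving MTA (constructed for illustration, not RFC-complete)."""

    def __init__(self, hostname="mx.example.test", local_domains=("example.test",)):
        self.hostname = hostname
        self.local_domains = set(local_domains)
        self.state = "init"            # init -> greeted -> mail -> rcpt -> data
        self.mail_from = None
        self.rcpt_to = []
        self.body = []
        self.queue = []                # accepted messages: (envelope, raw text)

    def banner(self):
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line):
        """Return the server reply for one client line (None while reading DATA)."""
        if self.state == "data":
            if line == ".":
                self.queue.append(({"from": self.mail_from, "to": list(self.rcpt_to)},
                                   "\r\n".join(self.body)))
                self.state, self.mail_from, self.rcpt_to, self.body = "greeted", None, [], []
                return f"250 OK queued as msg{len(self.queue)}"
            # Dot-stuffing: a body line that begins with ".." means a single "."
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.state = "greeted"
            return f"250 {self.hostname} Hello {arg or 'unknown'}"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        if self.state == "init":
            return "503 send EHLO/HELO first"
        if verb == "MAIL":
            if self.state != "greeted":
                return "503 nested MAIL command"
            m = ADDR_RE.search(arg)
            if not m:
                return "501 syntax error in MAIL FROM"
            self.mail_from, self.state = m.group(1), "mail"
            return "250 OK"
        if verb == "RCPT":
            if self.state not in ("mail", "rcpt"):
                return "503 need MAIL FROM first"
            m = ADDR_RE.search(arg)
            if not m:
                return "501 syntax error in RCPT TO"
            if m.group(2).lower() not in self.local_domains:
                return "550 relaying denied"      # we are not an open relay
            self.rcpt_to.append(m.group(1))
            self.state = "rcpt"
            return "250 OK"
        if verb == "DATA":
            if self.state != "rcpt":
                return "503 need RCPT TO first"
            self.state = "data"
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 command not recognised"


def run_session(server, client_lines):
    """Drive the server with a scripted client; return the transcript as (who, text)."""
    transcript = [("S", server.banner())]
    for line in client_lines:
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript


def demo():
    server = ToySmtpServer()
    # The envelope sender (MAIL FROM) is what Return-Path will record; the From:
    # header inside DATA is free text chosen by the client and can say anything.
    client = [
        "EHLO relay.sender.test",
        "MAIL FROM:<bounces@sender.test>",
        "RCPT TO:<alice@example.test>",
        "RCPT TO:<bob@elsewhere.test>",        # not a local domain -> 550, not relayed
        "DATA",
        "From: Someone Else <ceo@example.test>",
        "To: alice@example.test",
        "Subject: test",
        "",
        "..leading dot survives dot-stuffing",
        ".",
        "QUIT",
    ]
    return server, run_session(server, client)


if __name__ == "__main__":
    server, transcript = demo()
    for who, text in transcript:
        print(f"{who}: {text}")
```

Running it prints the two-sided dialogue; the 550 on the second RCPT TO shows a permanent rejection, and the queued message's envelope sender differs from its From: header exactly as a spoofed message's Return-Path would.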

Tools 🛠. libpff parses and extracts PAB, PST and OST mailboxes. Example: pffexport -q -f all -m all outlook.pst (export every item type, including recovered deleted items, in all supported output formats; -q suppresses progress output).

MIME (Multipurpose Internet Mail Extensions) defines how the body of an email message is structured: content types, character sets, transfer encodings, and the multipart layout that carries attachments.

Header. Each message carries an extensive header with sender and recipient information. Timestamps should be cross-checked rather than trusted, since the Date: header is written by the sender. Every server the message passes through prepends its own Received: header, so a relayed message carries several; read them from the bottom (origin) up to the top (your own server).

Header: meaning. Example.

  • Delivered-To: the mailbox the message was finally delivered to. Example: myaddress@gmail.com
  • Received: by / X-Received / X-Google-Smtp-Source: receiving-side hop records (here Google-internal).
  • ARC-Seal / ARC-Message-Signature / ARC-Authentication-Results: Authenticated Received Chain; an intermediary (mailing list, forwarder) records the authentication results it saw and signs them so the next hop can still evaluate them.
  • Return-Path: the envelope sender (SMTP MAIL FROM) as recorded by the final receiving server; bounces go here. It need not match From:. Example: <0102017c9a0[….]000@eu-west-1.amazonses.com>
  • Received: from ...: the sending server for one hop. There is one such header per hop; the topmost was added by your own server and is the only one you can trust. Example: a55-173.smtp-out.eu-west-1.amazonses.com ([IP]) by mx.google.com with ESMTPS id o10si44935vsh.320.2021.10.19.12.35.42 for myaddress@gmail.com (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-SHA bits=128/128); Tue, 19 Oct 2021 12:35:43 -0700 (PDT)
  • Received-SPF: the receiver's SPF check of the connecting IP against the envelope sender's domain. Example: pass (google.com: domain of [….] designates [IP] as permitted sender) client-ip=[IP];
  • Authentication-Results: the receiving server's SPF, DKIM and DMARC verdicts.
  • DKIM-Signature: DomainKeys Identified Mail signature 💌 over selected headers and the body, verified with a public key the signing domain (d=) publishes in DNS. There can be more than one per message.
  • From: the displayed sender (can be spoofed; only a passing DKIM/DMARC check ties it to a domain). Example: PortSwigger hello@portswigger.net
  • To: the intended recipient as written by the sender. Example: myaddress@gmail.com
  • Reply-To: the address replies go to when present; usually absent or equal to From. A Reply-To at a different domain than From deserves a closer look. Example: PortSwigger hello@portswigger.net
  • Subject: Get Burp Suite certified
  • Content-Type: multipart/mixed; boundary="XXXXXXX"
  • Message-ID: unique identifier generated by the originating system; useful for finding the message in ISP or server logs. Example: <0102017c9a[…]000000@eu-west-1.amazonses.com>
  • Date: the time the sender's software claims the message was composed; sender-controlled.
  • Feedback-ID / X-SES-Outgoing: bulk-sender tracking headers (here set by Amazon SES).
  • List-Unsubscribe: legitimate bulk senders usually include an opt-out address or URL.
  • Bcc: blind carbon copy; these recipients are not shown to the others. The submitting server normally strips it, so it rarely appears in a received message.
  • Envelope-To: added by some receiving MTAs to record the envelope recipient (SMTP RCPT TO), which may differ from the To: header (Bcc, aliases, forwarding).
  • X-OriginalArrivalTime: added by Microsoft Exchange with the time the message arrived at that server. Reliable only when the header was added by a server you control; headers inserted earlier in the path can be forged like any other. Example: X-OriginalArrivalTime: 06 Oct 2209 06:06:06.0666 (UTC) FILETIME=[…]
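A header triage pass over a constructed message, added here as an example that is not from the original page. It uses only the standard library: it walks the Received: hops from origin to final server, flags internal (RFC 1918) hop addresses, reports the connecting IP your own server recorded, compares the From domain with Return-Path and Reply-To, and reads the receiver's Received-SPF and Authentication-Results verdicts. The sample message, its domains and its documentation-range IPs are placeholders.

```python
import ipaddress
import re
from email.parser import Parser

# Constructed sample: placeholder domains, documentation-range IPs, truncated signature fields.
SAMPLE = """\
Delivered-To: myaddress@example.test
Return-Path: <bounce-42@mail.bulk-sender.test>
Received: from out1.bulk-sender.test (out1.bulk-sender.test [203.0.113.10])
        by mx.example.test with ESMTPS id abc123
        for <myaddress@example.test>; Tue, 19 Oct 2021 12:35:43 -0700 (PDT)
Received: from [10.0.0.5] (unknown [10.0.0.5])
        by out1.bulk-sender.test with ESMTPA id xyz789;
        Tue, 19 Oct 2021 12:35:40 -0700 (PDT)
Received-SPF: pass (example.test: domain of bounce-42@mail.bulk-sender.test designates 203.0.113.10 as permitted sender) client-ip=203.0.113.10;
Authentication-Results: mx.example.test; spf=pass; dkim=fail header.d=brand.test; dmarc=fail
DKIM-Signature: v=1; a=rsa-sha256; d=brand.test; s=sel; h=from:to:subject; bh=...; b=...
From: Brand Support <support@brand.test>
Reply-To: "Brand Support" <brand.support@free-mail.test>
To: myaddress@example.test
Subject: Action required
Message-ID: <20211019193540.1234@mail.bulk-sender.test>
Date: Tue, 19 Oct 2021 12:35:40 -0700

Hello.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")       # [a.b.c.d] inside Received:
ADDR_RE = re.compile(r"([\w.+-]+@[\w.-]+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def domain_of(field):
    """Domain part of the first address in a header value, or None."""
    m = ADDR_RE.search(field or "")
    return m.group(1).split("@", 1)[1].lower() if m else None


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def triage(raw):
    msg = Parser().parsestr(raw)
    # Each MTA prepends its own Received: line, so get_all() is newest-first.
    # Reverse it to follow the path the message took, origin to final server.
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())                # unfold continuation lines
        m = IP_RE.search(text)
        ip = m.group(1) if m else None
        hops.append({"ip": ip, "internal": is_internal(ip) if ip else None, "text": text})

    from_dom = domain_of(msg.get("From"))
    return_path_dom = domain_of(msg.get("Return-Path"))
    reply_to_dom = domain_of(msg.get("Reply-To"))
    dkim_domains = [m.group(1) for h in msg.get_all("DKIM-Signature", [])
                    for m in [re.search(r"\bd=([\w.-]+)", h)] if m]
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    auth = msg.get("Authentication-Results") or ""

    findings = []
    if return_path_dom and return_path_dom != from_dom:
        findings.append(f"Return-Path domain {return_path_dom} != From domain {from_dom}")
    if reply_to_dom and reply_to_dom != from_dom:
        findings.append(f"Reply-To domain {reply_to_dom} != From domain {from_dom}")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1)} in Authentication-Results")

    return {
        "hops": hops,
        "connecting_ip": hops[-1]["ip"] if hops else None,   # the IP our own server saw
        "from_domain": from_dom,
        "return_path_domain": return_path_dom,
        "reply_to_domain": reply_to_dom,
        "message_id_domain": domain_of(msg.get("Message-ID")),
        "dkim_domains": dkim_domains,
        "spf": spf,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    for hop in report["hops"]:
        print(f"hop {hop['ip']} internal={hop['internal']}: {hop['text'][:70]}")
    for f in report["findings"]:
        print("finding:", f)
```

On the sample, SPF passes because the bulk sender's own domain authorises its relay; that says nothing about the brand in From:, which is why the DKIM/DMARC failure and the Reply-To at a third domain are the findings that matter. The only hop address worth a DNS or whois lookup is connecting_ip, the one recorded by your own server.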

Attachments 📎.

Tools

🛠 EMT (Email Mining Toolkit) is no longer maintained, but the idea was to group emails with similar behavioural characteristics. The following techniques were used:

  • Stationary User Profiles. Compare a user's PC activity with their email activity.
  • Similar Users. Collect information about normal user activity; accounts that deviate from it are suspicious.
  • Attachment statistics.
  • Recipient Frequency. Certain users receive certain email with some known regularity.
  • Group Communications. Same last names: a family. A group with different last names receiving one email: a business organisation, a club, or a spam target list.

⚒️ ContentAnalysis developed this idea further, and several products employ the technique: Agilex, AnyDoc, Datacap, dtSearch, elVia, eLumicor, Fastline Technologies (data mining), H&A eDiscovery, iConnect, kCura (electronic discovery), Planet Data, SAIC.

Before going further, check that the source IP in the Received: header added by your own server is plausible (🛠 nslookup for forward and reverse DNS). Ownership and abuse contacts for the address can be acquired with whois.

Mail Apps

Outlook

The main artifacts are OST and PST files, which contain messages, contacts, calendars and notes. OST files (the offline cache of an Exchange or IMAP mailbox) live under C:\Users\%USERNAME%\AppData\Local\Microsoft\Outlook. PST files (personal folder files) were stored under Documents and Settings on Windows XP; on current Windows they default to the user's Documents\Outlook Files folder, but the user can place them anywhere, so search the whole volume for *.pst.

C:\Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.pst
C:\Documents and Settings\*\Local Settings\Application Data\Microsoft\Outlook\*.ost
C:\Users\*\AppData\Local\Microsoft\Outlook\*.pst
C:\Users\*\AppData\Local\Microsoft\Outlook\*.ost

Tools 🛠: Intella.

Outlook Express

Default mail client up to Windows XP (Vista replaced it with Windows Mail). The address book is typically a .wab file; older versions kept mail in .mbx (messages), .idx (index for the .mbx) and .nch (user-created folder structure) files. Later versions store everything in .dbx database files, which start with the bytes 0xCF 0xAD 0x12 0xFE followed by a class identifier (used for file association in Windows). Typical files: Inbox.dbx, Sent Items.dbx, Drafts.dbx, Offline.dbx (only present when a webmail account was configured), Pop3uidl.dbx (tracks messages left on the POP3 server), <generic_name>.dbx (user-created folders), <newsgroup_name>.dbx (if subscribed).
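A triage scanner for the artifacts in the Outlook and Outlook Express sections above, added as an example that is not part of the original page. It classifies files by their leading bytes instead of trusting extensions, so a PST renamed to .jpg is still found and a .pst that contains no PST is reported as extension-only. Signatures: PST/OST files begin with the ASCII bytes "!BDN", .dbx files with CF AD 12 FE (as noted above), and mbox stores (used by Thunderbird, below) with a "From " separator line. The directory tree it scans is constructed in a temporary folder from stub files that carry only those signatures.

```python
import os
import tempfile

# (leading bytes, label). "From " is a heuristic: mbox has no fixed magic.
SIGNATURES = [
    (b"!BDN", "Outlook PST/OST"),
    (b"\xcf\xad\x12\xfe", "Outlook Express DBX"),
    (b"From ", "mbox (Thunderbird, Unix mail)"),
]
MAIL_EXTENSIONS = {".pst", ".ost", ".dbx", ".mbox", ".msf", ".emlx"}


def identify(head):
    """Classify a file from its first bytes; None if no signature matches."""
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    return None


def scan(root):
    """Walk root and report every file that looks like mail by content or by name."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(16)
            kind = identify(head)
            ext = os.path.splitext(name)[1].lower()
            if kind is None and ext not in MAIL_EXTENSIONS:
                continue
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "kind": kind,
                # named like mail but the content is not a known mailbox format
                "extension_only": kind is None,
                # mailbox content hiding behind an unrelated file name
                "renamed": kind is not None and ext not in MAIL_EXTENSIONS,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Create a constructed directory tree of stub artifacts; returns its root."""
    root = tempfile.mkdtemp(prefix="mailscan-")
    samples = {
        "Users/alice/AppData/Local/Microsoft/Outlook/alice.ost": b"!BDN" + b"\0" * 60,
        "Users/alice/Documents/Outlook Files/archive.pst": b"!BDN" + b"\0" * 60,
        "OE/Inbox.dbx": b"\xcf\xad\x12\xfe" + b"\0" * 60,
        "Thunderbird/Mail/Local Folders/Inbox":
            b"From alice@corp.test Tue Oct 19 12:35:43 2021\nSubject: x\n\nbody\n",
        "Users/alice/Pictures/holiday.jpg": b"!BDN" + b"\0" * 60,   # a PST behind a picture name
        "Users/alice/Desktop/notes.pst": b"plain text, not a PST",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for f in scan(build_sample_tree()):
        flags = [k for k in ("extension_only", "renamed") if f[k]]
        print(f"{f['path']}: {f['kind']} {' '.join(flags)}")
```

Point scan() at a mounted image instead of the sample tree to run it for real; the renamed and extension_only flags are the two lists worth looking at first.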

Thunderbird

C:\Users\%USERNAME%\AppData\Roaming\Thunderbird\Profiles (inside the profile folder, Mail\ holds POP and local folders and ImapMail\ holds IMAP accounts; messages are kept in mbox files, each with a .msf index beside it). Alternatively, work from a forensic image.

Tools 🛠: Autopsy, Email Parser plugin.

Webmail

Tools 🛠: Magnet AXIOM, useful when no mail client is installed and mail was only read in the browser.

Webmail leaves no mailbox file on disk, so the evidence comes from browser cache and history and from memory: a RAM capture or the "RAM-on-disk" files (on Windows hiberfil.sys, swapfile.sys and pagefile.sys).

Windows 10 Mail

Emails are stored as txt or html files. The app can hold multiple accounts. The data path is C:\Users\%Username%\AppData\Local\Comms, with several subfolders:

  • Temp
  • Unistore\data. Contains lots of subfolders, 3 (mail) and 7 (attachments) are of particular interest.
  • UnistoreDB\store.vol\Contact. Contains Contacts.txt and Pcontacts.txt.
  • UserDataTempFiles. Emails that were not sent. This data is volatile.
  • Volatile

iOS

Mail App

  • /private/var/mobile/Library/Mail
  • /private/var/mobile/Library/Mail/[UUID]/*.emlx (one message per file)
  • /private/var/mobile/Library/Mail/[UUID]/*.imapmbox/Attachments/