Email Investigation Part 2


Time
17 hours 41 minutes
Difficulty
Beginner
Video Transcription
00:00
>> Hey, everyone. Welcome back to the course. In the last video we talked about different types of email crimes. In this video, we're going to talk about Microsoft Exchange e-mail logs, and some other laws besides the CAN-SPAM Act that may be applicable in your email investigation: the Electronic Communications Privacy Act, or ECPA, and the Stored Communications Act as well.

Now, you also might see that different states have laws regarding obtaining information from e-mails or e-mail related information, as well as different locales. One county I know of in Texas, Harris County, has pretty strict cyber laws, whereas other counties may not. It may be at the local level as well.

The email investigation itself. Obviously, we will always want to get a search warrant first, and then we want to make a copy of the emails or email information, and preferably a bit-by-bit copy. In some instances, we may also print out the email as part of our investigation. Then from there we just view or analyze the email header, or try to trace back whoever sent it as much as we can. A lot of times with spoofing, we can't trace it all the way back. Investigate different types of encoding, and then also acquire an email or archives as well.

Just an example of an email header. You see the To and From fields there in the front. You'll also see an IP address in there as well. I'm showing that, hey, it's received from this IP address, which is 106.10.165.32. Again, whether or not that's actually accurate, because you can spoof an IP address. Well, some areas you can search on the suspect machine are going to be the browser cache, as well as using different tools that are specifically designed to grab information from web emails.

Microsoft Exchange e-mail server logs. Exchange works as the Extensible Storage Engine. The different archive logs we want to get are going to be PRIV.EDB, PUB.EDB, and PRIV.STM. You'll definitely want to know those for your exam, as well as the tracking.log file. PRIV.EDB is a rich text file that contains message headers and message text, as well as standard attachments. PUB.EDB contains public folder hierarchies, excuse me, and contents. Then PRIV.STM is regarding the streaming internet content file, things like your MIME, which contains your video and audio files.

Different tools we can use for e-mail recovery. Some of the more popular ones are going to be ProDiscover Basic, OSForensics, and Paraben E-mail Examiner, as well as the AccessData FTK. Just a screenshot of all of those: ProDiscover Basic, OSForensics, DataNumen, Paraben E-mail Examiner (again, I mentioned this is probably one of the most popular ones to use), AccessData FTK, another very popular tool, and Fookes Aid4Mail.

Just a couple of quick post-assessment questions. The PRIV.EDB archive database file contains message headers, message text, and standard attachments. Is that true or false? That's true, if you remember, that one contains that, and definitely remember this for your exam. Our next question here: the PUB.EDB file stores public folder hierarchies and contents. Is that one true or false? All right, that one's true again as well. Again, you definitely, definitely want to memorize and make sure you know those three that I mentioned for the exam. It's going to be very, very, very beneficial to you.

In this module, we wrapped up our discussion on investigating email crimes. We've talked about Exchange e-mail logs and some of the other laws that we need to worry about when doing an email investigation. In the next module we're going to talk about mobile forensics.