
Computer Forensics: Web, Email, and Messaging Forensics

January 3, 2018 by Claudio Dodt


The last couple of decades brought us several astonishing developments in technology, but what amazes me is the fact that, most of the time, we take those things for granted and simply pay no attention to how much we have advanced.

Let’s use the internet as an example: if you are reading this article on a mobile device, your current bandwidth is almost surely at least ten times larger than what we had back in the office I worked at in the early 2000’s.


It was a branch office of a multinational company and, for our 500 users, we only had a meager 128K connection. Of course, at that time our needs were quite different: the office was located at a remote site and the Internet was used only for basic browsing and receiving emails, so the limited connection we had was actually sufficient.

Move forward 17 years and the ubiquitous nature of the Internet has made it so that finding a device that is never online is incredibly rare. With high speed connections readily available almost anywhere, we are constantly online: browsing, paying bills, sharing more than we should of our personal life on social networks, being entertained with streaming, working, studying and, quite unfortunately, either falling victim or even committing some sort of cybercrime.

Every location, individual, industry or organization can be a target, and the only actual requirement is being online at some point. Cybercrime has evolved and created a whole industry around itself. Its cost to business was projected to reach $2 trillion by 2019 and, according to The Global Risks Report 2016 from the World Economic Forum, that figure may be only the tip of the iceberg. But cybercrime is not only about money: there is no lack of online social predators, pedophiles, stalkers, identity thieves, pirates, fraudsters, bullies, disgruntled exes, etc. A discipline dedicated to investigating crimes committed over online communications was therefore inevitable.

Since this is no easy task, there is nothing better than having an expert do it. Certifications such as the (ISC)² Certified Cyber Forensics Professional (CCFP) and the Certified Computer Forensics Examiner (CCFE) exist so that professionals can demonstrate a keen knowledge of digital forensics. Amongst other very interesting topics, the CCFE requires expertise in performing Web, Email and Messaging forensics: looking for evidence that, if necessary, must be strong enough and adequately obtained and preserved to be presented in a court of law.

Web Forensics

Web forensics relates to any sort of crime committed over the Internet. With proper knowledge and expert skills, criminal activities like child pornography, hacking/cracking and identity theft may be traced back to their perpetrators. Criminals can only be successfully punished if a sufficient amount of conclusive evidence against them is found, and here Internet history, browser cache and server logs are of immense value. You might be surprised by the number of offenders who search the Internet for advice on how to commit a crime.

This leaves a trail of evidence both on the client side (e.g., registry entries, temporary files, the legacy index.dat files of older Internet Explorer versions, the SQLite history and cookie databases used by modern browsers such as Chrome and Firefox, favorites, a list of visited sites or partial website data downloaded to the local browser cache) and on the server side (e.g., during log analysis on a server you may recover precious records such as the perpetrator's IP address, a timestamp for each visit, what information was posted, the user agent string, etc.). Again, if you have the proper tools and knowledge, gathering this sort of evidence is a great step towards building a strong case.
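The server-side part of that trail is easy to work with once the log format is parsed properly. The following is an added example, not code from the original article: it parses web-server access-log lines in the common "combined" format, normalises each timestamp to UTC using the offset the server itself wrote into the log, and builds a per-address timeline. The log lines are constructed for this example (RFC 5737 documentation addresses, invented host name, server clock at UTC-3); the function names are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in Apache/nginx "combined" log format. They are not
# from a real server; the addresses come from the documentation ranges
# (RFC 5737) and the host name is invented. The server's clock is at UTC-3.
# The last line is deliberately corrupt to show that bad records are kept
# track of rather than silently dropped.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jan/2018:11:02:11 -0300] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.7 - alice [03/Jan/2018:11:02:19 -0300] "POST /login HTTP/1.1" 302 0 "http://shop.example/login" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.4 - - [03/Jan/2018:11:03:02 -0300] "GET /index.html HTTP/1.1" 200 2210 "-" "curl/7.58.0"
203.0.113.7 - alice [03/Jan/2018:11:05:40 -0300] "GET /admin/export?all=1 HTTP/1.1" 200 88123 "http://shop.example/admin" "Mozilla/5.0 (Windows NT 10.0)"
this line is corrupt and must not abort the parse
"""

# One regex for the combined format; named groups make the fields explicit.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined_log(text):
    """Parse combined-format lines. Unparseable lines are returned separately,
    because an examiner must account for every record in the source."""
    entries, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            rejected.append((lineno, line))
            continue
        e = m.groupdict()
        # The bracketed timestamp carries the server's own UTC offset; parse it
        # and normalise to UTC so evidence from several hosts lines up.
        local = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["utc"] = local.astimezone(timezone.utc)
        e["status"] = int(e["status"])
        e["size"] = 0 if e["size"] == "-" else int(e["size"])
        entries.append(e)
    return entries, rejected


def timeline_for_ip(entries, ip):
    """Chronological activity of one source address as
    (UTC ISO time, method, path, status, authenticated user) tuples."""
    hits = sorted((e for e in entries if e["ip"] == ip), key=lambda e: e["utc"])
    return [(e["utc"].isoformat(), e["method"], e["path"], e["status"], e["user"])
            for e in hits]


def posted_requests(entries, ip):
    """Paths to which the address submitted data (POST/PUT), i.e. 'what was posted'."""
    return [e["path"] for e in entries
            if e["ip"] == ip and e["method"] in ("POST", "PUT")]


if __name__ == "__main__":
    entries, rejected = parse_combined_log(SAMPLE_LOG)
    for row in timeline_for_ip(entries, "203.0.113.7"):
        print(*row)
    print("unparsed lines:", rejected)
```

Two points are worth keeping in mind when using this on real evidence: the offset in the log reflects the server's configured time zone at the time of writing, so a host whose zone changed mid-investigation will need the change documented, and the "user" field only reflects HTTP authentication handled by the web server, not application-level logins.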

Email Forensics

Email communication is also often exposed to abuse. As one of the, if not the, most utilized ways of online communication for both businesses and individuals, email is among any organization's critical systems, being used for everything from the simplest information exchange, such as scheduling meetings, to the distribution of documents and even sensitive information.

Unfortunately, cases of illegitimate use are quite common, given that encryption at the sender's end and integrity checks at the recipient's end are still rare, and that the most widely used email protocol, Simple Mail Transfer Protocol (SMTP), does not enforce a source authentication mechanism by default. SPF, DKIM and DMARC add sender authentication on top of SMTP, but they are opt-in and unevenly deployed, so an investigator cannot assume they were in place. Also, the email header metadata, containing information about the sender and the path through which the message traveled, can be manipulated quite easily by anyone who controls a mail server along the way.

Email-related crimes range from sending spam, phishing, cyberbullying, distributing hate messages or racial abuse content and disclosing sensitive information to distributing child pornography and online sexual harassment. Again, finding and preserving evidence forms the basis of a solid case against cybercriminals, and techniques such as identification and extraction of data are an essential step.

For most cases, the use of emails goes far beyond simple message exchange. Servers are no longer used just to send and receive messages; they have actually expanded into full collaboration tools that include databases, document repositories, contacts and calendar managers amongst many other uses. From an investigator point of view, this implies the necessity of, first and foremost, understanding this complex system before doing any actual evidence collection.

A quite common requirement is determining sender/receiver attribution, in order to prove or dispute who sent a message. This is done by reviewing the email header: comparing fields such as 'From', 'Return-Path' and 'Reply-To' with each other, walking the chain of 'Received' lines that each mail server prepends as the message travels, and checking all of that against the logs of the server where the message originated. The challenge here lies in the fact that, as mentioned before, header manipulation and mail servers that do not enforce user authentication can be used for email spoofing. Only the 'Received' lines added by servers you trust (typically your own) can be taken at face value; everything below them in the header was written by the sender or by servers under their control.
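What that review looks like in practice is shown by the following added example, which is not part of the original article. It parses a constructed raw message with Python's standard library, reconstructs the hop chain from the 'Received' headers (the message is a made-up business-email-compromise style lure; hosts and addresses are invented or taken from the RFC 5737 documentation ranges), and reports the inconsistencies an examiner would look at first: 'Return-Path' and 'Reply-To' outside the 'From' domain, a first hop that was not accepted by a server of the claimed sender's domain, and clocks that run backwards along the path. The function names and the report structure are this example's own.

```python
import email
import re
from datetime import timezone
from email.utils import parseaddr, parsedate_to_datetime

# Constructed raw message for illustration (not a real capture; hosts and
# addresses are invented / RFC 5737 documentation ranges). Each MTA prepends
# its own Received: line, so the top one is the final hop and the bottom one
# is the hop closest to the sender.
RAW_MESSAGE = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mx2.corp.example (mx2.corp.example [198.51.100.10])
\tby mailstore.corp.example with ESMTP id 7Fk3Q9; Wed, 3 Jan 2018 14:07:45 +0000
Received: from relay.mailer.example.net (relay.mailer.example.net [203.0.113.25])
\tby mx2.corp.example with ESMTPS id 1Ab9X; Wed, 3 Jan 2018 14:07:41 +0000
Received: from [192.0.2.33] (unknown [192.0.2.33])
\tby relay.mailer.example.net with ESMTPA id 99Z; Wed, 3 Jan 2018 11:07:30 -0300
From: "CEO" <ceo@corp.example>
Reply-To: ceo.office@mailer.example.net
To: cfo@corp.example
Subject: Urgent wire transfer
Message-ID: <20180103140730.99Z@relay.mailer.example.net>
Date: Wed, 3 Jan 2018 11:07:30 -0300

Please process the attached invoice today.
"""

# Matches the common "from HELO (rdns [ip]) by HOST ...; date" shape of a
# Received line. Real-world lines vary; anything that does not match is kept
# as raw text so it is not lost.
RECEIVED_RE = re.compile(
    r"from (?P<helo>\S+)"
    r"(?: \((?P<rdns>[^\s()\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r" by (?P<by>\S+).*?;\s*(?P<date>.+)$"
)


def received_chain(msg):
    """Hops in transit order (origin first): claimed HELO name, reverse DNS,
    IP, receiving host and the receiving host's timestamp normalised to UTC."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        value = re.sub(r"\s+", " ", raw).strip()   # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            hops.append({"raw": value, "parse_error": True})
            continue
        hop = m.groupdict()
        hop["utc"] = parsedate_to_datetime(hop["date"]).astimezone(timezone.utc)
        hop["raw"] = value
        hops.append(hop)
    return hops


def in_domain(host, domain):
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def attribution_report(raw):
    """Compare the sender-related header fields and the hop chain and list
    the inconsistencies worth following up against server logs."""
    msg = email.message_from_bytes(raw)
    hops = received_chain(msg)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []
    for label, addr in (("Return-Path", return_path), ("Reply-To", reply_to)):
        if addr and addr.rpartition("@")[2].lower() != from_domain:
            findings.append(f"{label} {addr} is outside the From domain {from_domain}")
    good = [h for h in hops if not h.get("parse_error")]
    origin = good[0] if good else None
    if origin and not (in_domain(origin["by"], from_domain)
                       or in_domain(origin["rdns"], from_domain)):
        findings.append(f"first hop {origin['ip']} was accepted by {origin['by']}, "
                        f"not by a {from_domain} server")
    for prev, cur in zip(good, good[1:]):
        if cur["utc"] < prev["utc"]:
            findings.append(f"clock goes backwards between {prev['by']} and {cur['by']}")
    return {"from": from_addr, "return_path": return_path, "reply_to": reply_to,
            "origin_ip": origin["ip"] if origin else None,
            "hops": hops, "findings": findings}


if __name__ == "__main__":
    report = attribution_report(RAW_MESSAGE)
    for hop in report["hops"]:
        print(hop.get("utc"), hop.get("ip"), "->", hop.get("by"))
    print("\n".join(report["findings"]))
```

The origin IP this produces (the address in the lowest 'Received' line) is the value to take to the originating server's logs; if that server is not under your control, the line may itself be forged, which is exactly why the report also cross-checks it against the 'From' domain.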

Non-repudiation, meaning that the sender cannot later deny having sent the message, can be achieved by email signing with a digital signature (S/MIME or OpenPGP). The signing process uses asymmetric cryptography, usually backed by a PKI (public key infrastructure): the content of the message is hashed and the hash is then signed with the sender's private key, so that anyone holding the matching public key can verify it. The proof is only as strong as the protection of that private key, since a stolen key signs just as convincingly as its owner. Sadly, email signing is not nearly as widely deployed as it should be.

Encryption can also be used for protecting the content of email messages: the content is encrypted with the recipient's public key, meaning it can only be read by someone in possession of the associated private key. In this scenario, for example, if the information is later leaked, it follows that it was decrypted with the recipient's private key, so the investigation narrows to the recipient or to whoever had access to that key.

Messaging Forensics

Instant messaging applications offer the possibility of real-time exchange of both messages and files (e.g., documents, images, videos and audio). The security issues here are quite similar to the email scenario: illegitimate or abusive use ranging from spam, phishing and malicious code distribution to cyberbullying, sending hate messages or racial abuse content, unauthorized disclosure of sensitive information, distributing child pornography and sexual harassment.

There are several protocols for instant messaging, including IRC (Internet Relay Chat), which is used to create 'chat rooms' for multiple users. Most current applications use either a proprietary protocol (Skype, Yahoo Messenger) or XMPP (Extensible Messaging and Presence Protocol), an open standard that popular services such as Facebook Chat and Google Talk supported for years before moving to proprietary protocols.

The first challenge for IM investigation is quite obvious: there are several applications, each storing information in different places. An expert forensic investigator must be acquainted with all of those places, such as the registry or system folders (e.g., AppData, Program Files, Documents and Settings), whose names may vary according to the operating system language. Adding to this is the great variety of ways IMs record time: some store local time, others use UTC, and quite a few use a particular (and not publicly disclosed) epoch or resolution for timestamping messages. Similar variations occur because history formats evolve constantly and may change each time an IM application is updated.
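Getting those timestamps onto one UTC timeline is the first thing an examiner does with IM, browser and OS artifacts, so here is an added example (not from the original article) that normalises the encodings most often met: Unix seconds and milliseconds, WebKit/Chrome microseconds since 1601, Windows FILETIME 100-nanosecond ticks since 1601, Apple Cocoa seconds since 2001, and a naive local-time string whose offset the examiner supplies. The epoch constants are the documented ones; the sample records are constructed so that every one of them encodes the same instant. It also goes a little beyond the text with an order-of-magnitude heuristic for guessing the encoding of an undocumented numeric field. Function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Reference epochs used by common artifact formats.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # WebKit/Chrome, Windows FILETIME
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)   # Unix, most SQLite-based apps
EPOCH_2001 = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Apple Cocoa / Core Data


def normalize(value, kind, fmt="%d/%m/%Y %H:%M:%S", tz_offset_hours=0):
    """Convert a raw stored timestamp of the given kind to an aware UTC datetime."""
    if kind == "unix_s":
        return EPOCH_1970 + timedelta(seconds=value)
    if kind == "unix_ms":
        return EPOCH_1970 + timedelta(milliseconds=value)
    if kind == "webkit":        # microseconds since 1601-01-01 (Chrome History, Cookies)
        return EPOCH_1601 + timedelta(microseconds=value)
    if kind == "filetime":      # 100-nanosecond ticks since 1601-01-01 (NTFS, registry)
        return EPOCH_1601 + timedelta(microseconds=value // 10)
    if kind == "cocoa":         # seconds since 2001-01-01 (iMessage chat.db, macOS apps)
        return EPOCH_2001 + timedelta(seconds=value)
    if kind == "local":         # naive local string; the examiner supplies the machine's offset
        # A fixed offset keeps this self-contained; on a real host use zoneinfo
        # with the machine's configured zone so DST transitions are honoured.
        tz = timezone(timedelta(hours=tz_offset_hours))
        return datetime.strptime(value, fmt).replace(tzinfo=tz).astimezone(timezone.utc)
    raise ValueError(f"unknown timestamp kind: {kind}")


def guess_kind(n):
    """Order-of-magnitude heuristic for an undocumented numeric field. Use it to
    form a hypothesis, then confirm against an event of known time on the
    same machine; it cannot tell a pre-2001 Unix value from a Cocoa value."""
    if 1e8 <= n < 1e9:
        return "cocoa"                       # roughly 2004 .. 2032
    if 1e9 <= n < 1e10:
        return "unix_s"                      # roughly 2001 .. 2286
    if 1e12 <= n < 1e13:
        return "unix_ms"
    if 1.2e16 <= n < 1.5e16:
        return "webkit"
    if 1.2e17 <= n < 1.5e17:
        return "filetime"
    return "unknown"


def build_timeline(records):
    """records: (source, value, kind[, tz_offset_hours]) -> sorted (UTC ISO, source)."""
    out = []
    for rec in records:
        source, value, kind = rec[:3]
        offset = rec[3] if len(rec) > 3 else 0
        out.append((normalize(value, kind, tz_offset_hours=offset).isoformat(), source))
    return sorted(out)


# Constructed records: five artifacts that all encode 2018-01-03 14:02:11 UTC.
SAMPLE_RECORDS = [
    ("Chrome History.last_visit_time", 13159461731000000, "webkit"),
    ("NTFS $MFT created", 131594617310000000, "filetime"),
    ("iMessage chat.db", 536680931, "cocoa"),
    ("IM text log (local time, UTC-3)", "03/01/2018 11:02:11", "local", -3),
    ("SQLite-based IM database", 1514988131, "unix_s"),
]

if __name__ == "__main__":
    for when, source in build_timeline(SAMPLE_RECORDS):
        print(when, source)
```

A timeline like this is only as good as the offset used for the naive entries, so record where each offset came from (registry time-zone information, the device's settings, or a known event) in the examination notes.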

Forming a strong case will be a question of knowing where to look for evidence and how to properly retrieve it.

How do I become a Digital Forensics expert?

Performing digital forensics analysis is a serious and complex task. While technical expertise is mandatory, it is also essential to have a proper understanding of the methodologies that allow the collection, analysis, preservation and presentation of evidence in a court of law while avoiding any chance of contamination. This is where the InfoSec Institute can help you.

Aside from providing several freely available resources, created by experts in the field, our Computer Forensics Boot Camp delivers the best training for the CCFE certification examination by teaching the necessary skills to investigate computer threats and computer crime. Using InfoSec’s Boot Camp accelerated learning methodology, in the short period of five (5) days, students will gain in-depth knowledge of critical techniques and information about identifying, preserving, extracting, analyzing and reporting computer forensic evidence through the use of the most popular computer forensic tools.

As far as career advancing enablement in Computer Forensics goes, nothing beats being prepared for one of the industry recognized computer forensic certifications, especially the Infosec Institute Certified Computer Forensics Examiner (CCFE). Our Computer Forensics Boot Camp ensures you have the necessary skills to recognize the overwhelming number of computer threats and to investigate computer crime. What you get is first-hand experience, delivered by experts in the field, about the challenges of computer forensics, a walk through the process of forensic analysis and examination and a deep understanding of differences in evidence locations and examination techniques on Windows and Linux computers.


Web, Email and Messaging Forensics will remain a great professional field for years to come. Being technically prepared and holding an expert-level, globally recognized certification can place you ahead of the competition when new career opportunities arise. From legal and ethical principles to how the investigation process is completed, from basic forensic science to digital/application forensics for both hybrid and emerging technologies, InfoSec Institute's Computer Forensics Boot Camp can make sure you are ready for any opportunity.


Cláudio Dodt is an Information Security Evangelist, consultant, trainer, speaker and blogger. He has more than ten years of experience working with Information Security, IT Service Management, IT Corporate Governance and Risk Management.