
  • Email Data Extraction (Collecting and Analyzing Evidence from Modern Email Systems)

Every email you send passes through a mail server at some point. The key question for an investigation is whether the message still lives on that server or has been moved to local storage on a device such as a workstation. In many business environments it is both: recent mail is reachable through the company's mail server, while older messages are archived locally on workstations or synchronized for offline use.

---------------------------------------------------------------------------------------------------------
Cloud vs. On-Premises Mail Servers

In recent years many organizations have moved from on-premises mail servers to cloud or Software as a Service (SaaS) platforms such as Microsoft 365 and Google Workspace. The change brings both advantages and challenges for evidence collection. With no direct control over the infrastructure, an organization has to rely on the tools the platform provides to search, preserve and extract mail and the related server logs. The goal is unchanged: investigators need efficient ways to identify, extract and analyze the relevant messages and logs.

---------------------------------------------------------------------------------------------------------
Techniques for Evidence Acquisition from Email Servers

Export individual mailboxes: export the mailboxes of the accounts in question directly.

Vendor-specific tools: platforms such as Microsoft 365 (Purview eDiscovery) and Google Workspace (Google Vault) ship with built-in tools to search, filter and export mail, and to place mailboxes on hold so nothing expires while you work.

Third-party tools and APIs: specialized tools drive the platforms' APIs (Application Programming Interfaces) to pull mailboxes and server logs. APIs sometimes return more detailed or complete results than the vendor's graphical tools, so test an export before relying on the GUI alone.

---------------------------------------------------------------------------------------------------------
The Recoverable Items Folder: A Goldmine for Investigations

Exchange Server and Microsoft 365 mailboxes contain a hidden Recoverable Items folder, so messages a user deletes are not lost immediately. A deleted item passes through several subfolders before it is finally purged:

Deletions: items deleted from Deleted Items, including hard deletes with Shift+Delete, land here. The user can still see them under "Recover Deleted Items". They stay for the deleted item retention period, 14 days by default (configurable up to 30 days).

Purges: items the user purges from Deletions, or whose retention period expires, move here if the mailbox is on Litigation Hold or In-Place Hold; without a hold they are permanently deleted at that point. Items in Purges are invisible to the user but remain searchable through eDiscovery.

DiscoveryHolds: items matching a query-based eDiscovery hold are kept here until the hold is released.

Versions: if an item is modified while the mailbox is on hold, the original is preserved as a copy-on-write snapshot, which keeps the evidence intact.

Confirm the mailbox's hold status and retention settings before assuming deleted content is still there; with no hold in place, anything older than the retention period is already gone.

---------------------------------------------------------------------------------------------------------
Leveraging PowerShell for Exchange Server Investigations

On an on-premises Exchange Server, PowerShell (the Exchange Management Shell) is your best friend: it can search, filter and export data directly from the server without disrupting operations. The cmdlets depend on the Exchange version.

Commands for Exchange 2010 SP1 and later

New-MailboxImportRequest: imports .pst data into a mailbox.
New-MailboxExportRequest: exports a mailbox to a .pst file.

Two prerequisites trip people up: the account running the export needs the Mailbox Import Export management role (assigned to nobody by default), and -FilePath must be a UNC share on which the Exchange Trusted Subsystem group has read/write permission; a local drive letter is rejected.

Example syntax:

New-MailboxExportRequest -Mailbox akash_patel -FilePath \\Server\Folder\akash_patel.pst

Export with date range and content filtering:

New-MailboxExportRequest -Mailbox akash_patel -ContentFilter {(Body -like "*Welcome*") -and (Received -gt "01/01/2024") -and (Received -lt "03/01/2024")} -FilePath \\Server\Folder\akash_AdvancedFiltered.pst

Export multiple mailboxes, one .pst per mailbox so each export can be attributed cleanly:

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.RecipientTypeDetails -eq "UserMailbox"} | ForEach-Object { New-MailboxExportRequest -Mailbox $_ -FilePath "\\Server\Folder\$($_.Alias).pst" }

Export a single folder from the user's archive mailbox (-IsArchive selects the archive rather than the primary mailbox, and "#Inbox#" is the well-known-folder syntax for -IncludeFolders; this is a folder-scoped export, which is what the original page labels an incremental export):

New-MailboxExportRequest -Mailbox akash_patel -IncludeFolders "#Inbox#" -IsArchive -FilePath \\Server\Folder\Akash_Archive_Inbox.pst

Requests run asynchronously: follow them with Get-MailboxExportRequest and Get-MailboxExportRequestStatistics, and clean up completed ones with Remove-MailboxExportRequest.

Exchange Server 2007

Exchange 2007 uses the older Export-Mailbox cmdlet. It has to be run from a machine with the Exchange Management Tools loaded as a PowerShell snap-in, and exporting to .pst additionally requires a 32-bit machine with Outlook 2003 SP2 or later installed, which usually means a dedicated workstation rather than the server itself.

Example commands:

Export-Mailbox -Identity akash@gmail.com -PSTFolderPath C:\akash.pst
Get-Mailbox -Database 'Corporate' | Export-Mailbox -PSTFolderPath C:\PST

Export with date range:

Export-Mailbox -Identity akash@gmail.com -StartDate "01/01/2022" -EndDate "03/01/2022" -PSTFolderPath C:\akash_DateFiltered.pst

Export to a network location (a folder, since one .pst is written per piped mailbox):

Get-Mailbox -Database 'Corporate' | Export-Mailbox -PSTFolderPath \\Network\Share\Corporate

Export a specific folder:

Export-Mailbox -Identity akash@gmail.com -IncludeFolders "\Sent Items" -PSTFolderPath C:\akash_SentItems.pst

Exchange Server 2003, 2000 and 5.5

For older versions the primary tool is ExMerge (the Mailbox Merge Wizard). It lacks the filtering of the later cmdlets but can export individual user mailboxes to .pst files, in batch if needed.

Limitation of ExMerge: it writes ANSI-format .pst files, which are capped at 2 GB. A larger mailbox has to be split, for example by date range, or the export fails or produces a corrupt file.

Example command (batch mode; with -B ExMerge reads most of its settings, including the mailbox list and data directory, from an .ini file, so confirm each switch against the ExMerge documentation before relying on a one-liner):

ExMerge -B -F C:\userlist.txt -D C:\PST\ -S ExchangeServerName

Conclusion

PowerShell cmdlets: flexible, with advanced filtering; the choice for Exchange 2010 and later (Export-Mailbox for 2007).
ExMerge: the option for older versions, subject to the 2 GB ANSI .pst limit.

When choosing an extraction method, consider the Exchange version, mailbox sizes, the filtering you need and compatibility with the tools that will process the output. Record what you ran, hash the resulting .pst files and keep the originals read-only so the export stays defensible and admissible.

---------------------------------------------------------------------------------------------------------
Best Practices for Email Evidence Collection

Understand your tools: know what each export includes and, more importantly, what it silently leaves out.
Collaborate with administrators: they hold the roles, the hold settings and the knowledge of where legacy mail lives.
Test before you rely: run the export against a known mailbox and verify counts and hashes before using it in a case.
Plan for legacy systems: old Exchange versions and archive servers need their own tooling and time.

---------------------------------------------------------------------------------------------------------
Wrapping Up

Modern email forensics is about flexibility. Whether you use built-in vendor tools, APIs or third-party solutions, preparation is key: knowing how to navigate Recoverable Items, export mailboxes and filter what you pull can make or break an investigation. Combine a clear understanding of how the mail server works with the right tools and techniques and you will be well placed to gather and analyze evidence in today's email landscape.

------------------------------------------Dean------------------------------------------------------

  • Understanding Host-Based Email Stores in Digital Forensics

Updated on 28 Jan 2025

When investigating email during digital forensic analysis, knowing where and how messages are stored locally can make all the difference. Unlike server-based mail, which is stored remotely, host-based email stores are archives saved on the computer itself. An archive can be a single large file (such as Microsoft Outlook's .OST files) or a set of files in which an index file organizes metadata such as read status, flags and replies.

-------------------------------------------------------------------------------------------------------
Why Local Email Archives Matter in Investigations

Even when a company uses a server-based email solution, local archives remain valuable sources of evidence:

Many organizations limit mailbox sizes, so users archive old messages locally.
Employees may keep backup mail or contact lists imported from other systems.
Deleted messages can often be recovered from these local archives.

-------------------------------------------------------------------------------------------------------
How to Identify Local Email Archives

Local archives are almost always tied to an installed email client, so start with the system's installed applications. Other useful techniques:

File extension searches (for example .OST, .PST or .NST), combined with a file-signature search, since an archive can be renamed.
Reviewing email client configuration and, on Windows, the registry.
Forensic tools that automatically detect known email archive formats.

Some clients allow password protection, but this usually only locks the application, not the archive itself; an Outlook .pst password, for instance, does not stop a forensic parser from reading the file. If you need the client's stored passwords, Mail PassView from NirSoft is a useful tool.

-------------------------------------------------------------------------------------------------------
Microsoft Outlook: The Dominant Email Client

For Windows users, Microsoft Outlook dominates the email client market. From a forensic standpoint this is good news, because Outlook's storage formats are documented (Microsoft publishes the [MS-PST] specification) and widely supported by forensic tools.

Outlook's three email storage formats:

.OST (Offline Outlook Data File): used by Microsoft 365, Exchange, IMAP and Outlook.com accounts.
.PST (Outlook Data File): used for POP accounts, archives and exported backups.
.NST (Outlook Group Storage File): stores group conversations and calendar data for Microsoft 365 Groups.

-------------------------------------------------------------------------------------------------------
Understanding Outlook's Email Storage Formats

PST files: once the standard Outlook format, these store email, attachments, contacts and calendar entries. Newer Outlook versions favor .OST for live accounts, but .PST is still what you get from backups, archives and exports.

OST files: now the default for Microsoft 365 and Exchange accounts, these are local replicas of server-based mailboxes. Unlike a .PST, Outlook will not open an .OST on its own: the file is bound to the MAPI profile that created it, so a copied OST has to go through a forensic parser or an OST-to-PST converter.

NST files: a newer format for Microsoft 365 Groups. Unlike the other two, NST files do not hold mail permanently; they cache group conversations and calendar events.

-------------------------------------------------------------------------------------------------------
Where to Find Outlook Email Files

The location depends on the Outlook version and the Windows setup. Typical defaults:

.PST file locations:
1. Outlook 2019, 2016, 2013, 2010: C:\Users\[username]\Documents\Outlook Files
2. Outlook 2007: C:\Users\[username]\AppData\Local\Microsoft\Outlook
3. Outlook 2003 and earlier: C:\Documents and Settings\[username]\Local Settings\Application Data\Microsoft\Outlook

.OST file locations:
1. Outlook 2019, 2016, 2013, 2010, 2007: C:\Users\[username]\AppData\Local\Microsoft\Outlook
2. Outlook 2003: C:\Documents and Settings\[username]\Local Settings\Application Data\Microsoft\Outlook

-------------------------------------------------------------------------------------------------------
Update (28 Jan 2025)

Current defaults:
%UserProfile%\Documents\Outlook Files
%UserProfile%\AppData\Local\Microsoft\Outlook

Older versions of Outlook may store archives in %UserProfile%\AppData\Roaming\Microsoft\Outlook.

The registry key NTUSER\Software\Microsoft\Office\16.0\Outlook\ in the user's NTUSER.DAT can help locate non-default storage locations. It is always good practice to check the actual locations in Outlook's account settings or in the registry:

.PST location registry key:
• HKEY_CURRENT_USER\Software\Microsoft\Office\xx.0\Outlook
• (Replace xx.0 with the Outlook version, e.g. 16.0 for Outlook 2016/2019 and 15.0 for Outlook 2013.)

.OST location registry key:
• HKEY_CURRENT_USER\Software\Microsoft\Office\xx.0\Outlook
• (Again, replace xx.0 with the Outlook version.)

Look for the ForceOSTPath and ForcePSTPath values under this key (or under HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\xx.0\Outlook, where policy-deployed values live) to find custom paths for .OST and .PST files. The paths of the stores actually attached to a profile are under ...\Outlook\Profiles\[profile name]\9375CFF0413111d3B88A00104B2A6676\, one numbered subkey per store, with the file path in the 001f6700 value (UTF-16).

-------------------------------------------------------------------------------------------------------
Recovering Deleted Emails from Outlook Archives

Outlook data files can be massive. The old ANSI .pst format (Outlook 2002 and earlier) was capped at 2 GB; the Unicode format introduced with Outlook 2003 defaulted to 20 GB, and Outlook 2010 and later default to 50 GB per file (the ceiling is a registry setting, not a hard format limit). Deleted messages often linger inside these files and can be recovered with forensic tools even after a "hard delete" (Shift+Delete), because the space is only marked free, not wiped.

Key Takeaways for Investigators

Local email stores are a goldmine for forensic analysis, even in cloud-based environments.
Outlook dominates the Windows email client market, making its archives crucial to investigations.
Deleted messages and metadata can often be recovered with the right tools.
File location and registry analysis can track down hidden email archives.

****************************************************************************************************************

When it comes to email forensics it is nearly impossible to prepare for every email client out there, but focusing on the common ones is a good starting point.

Step 1: Identify installed or previously used email clients

Start by looking for email programs installed, or previously installed, on the system. The Windows registry and execution artifacts such as Prefetch files are a goldmine here; they can even reveal clients that were installed and later removed. If a program is unfamiliar, a quick search usually turns up its file types and archive structure.

Step 2: Understand email archive formats

Most clients store their data in clear-text archive formats (mbox and Maildir, for instance), which makes the contents easy to search. Outlook's PST/OST files are among the few exceptions: by default the content is obfuscated with a fixed byte permutation ("compressible encryption"), so a raw string search of the file misses it unless the tool decodes the format. Forensic suites excel at locating and parsing these archives and usually offer robust searching. Some archive formats contain unallocated space, so even hard-deleted messages may still be recoverable.

Step 3: Don't forget the other data

Email clients are often more than mail tools. Many are complete productivity hubs with calendars, address books and task lists. These generate additional artifacts, which may also be exported into various formats, and can provide useful context during an investigation.

--------------------------------------------------------------------------------------------------------
Conclusion

By understanding how host-based email storage works, forensic investigators can uncover crucial evidence even when messages seem lost or deleted.

----------------------------------------Dean------------------------------------------------------

  • Uncovering Hidden Email Attachments in Outlook’s Secure Temp Folder

Key points: when you open an email attachment in Outlook, it does not simply vanish when you close it. Outlook first writes it to a hidden folder on the computer. This "Secure Temp Folder" is an important artifact in forensic investigations because it can reveal attachments a user opened, even if the message and attachment were later deleted.

Where Are These Attachments Stored?

Outlook stores opened attachments in a folder under the Internet Explorer cache:

For IE10 and earlier (Windows 8 and older) → Temporary Internet Files
For IE11 and later (Windows 8.1 and later) → INetCache

Within that location is a Content.Outlook folder containing a subfolder with a random eight-character name, where the attachments land. This differs from older Outlook versions (such as Outlook 2003), which used an "OLK" folder under Temporary Internet Files.

To locate the folder for a given user, read the registry value:
📌 NTUSER\Software\Microsoft\Office\xx.0\Outlook\Security (value: OutlookSecureTempFolder; xx.0 is the Outlook version, e.g. 16.0)

Default location:
C:\Users\[username]\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\[random name]\
(Replace [username] with the user profile name.) The INetCache tree is hidden and system-flagged, so go through the registry value or a forensic file-system view rather than trusting what Explorer shows.

----------------------------------------------------------------------------------------------------
Why Does This Matter for Forensics?

Before Outlook 2007, investigators could often recover multiple versions of the same file, because each time an attachment was opened another copy was written (with a numeric suffix). Since then Outlook deletes the file from this folder when the attachment's application, or Outlook itself, closes. There are exceptions:

If Outlook crashes, the file may stay behind.
If the file is still open in its application when the message is closed, Outlook cannot delete it.

So the folder is still worth checking, even though finds are less common than they used to be.

----------------------------------------------------------------------------------------------------
Recovering Deleted Attachments

Even when Outlook has deleted an attachment from this folder, traces may survive in file system artifacts:

$MFT (the file record may persist after deletion)
$LogFile
$UsnJrnl ($J), which records the file's creation and deletion in Content.Outlook
Volume Shadow Copies

With these, investigators can often recover the attachment, or at least prove that it existed and when it was opened.

----------------------------------------------------------------------------------------------------
Timestamp Oddities: When Was the File Opened?

Attachments inside a message carry no file-system timestamps of their own, so what does Outlook write when it extracts one? Sometimes it backdates the file's creation time to the message's own timestamp; other times it uses the modification time of the original file as attached. Treat the temp file's timestamps as a clue to the attachment's origin, not as the time it was opened; for that, use the $UsnJrnl entry for the file's creation in Content.Outlook.

----------------------------------------------------------------------------------------------------
Key Takeaways

🔹 Opened attachments are temporarily written to disk.
🔹 Outlook tries to delete them but does not always succeed.
🔹 Timestamps on the extracted files can be misleading.
🔹 Deleted attachments may still be recoverable from file system artifacts.

For forensic analysts this folder remains a hidden goldmine, one that can show user activity long after a message has been deleted.

----------------------------------------Dean--------------------------------------------------------

  • Understanding OST and PST Files: A Guide for Email Forensics

Why Local Email Clients Matter

Unlike webmail, which needs an internet connection to reach messages, local email clients such as Microsoft Outlook let users read, write and organize email while offline. With Exchange this works through Cached Exchange Mode, which keeps a local copy of the mailbox in an Offline Outlook Data File (.OST).

The Role of OST Files in Email Storage

For Microsoft 365 (M365) and Outlook.com accounts, OST files are now the norm. They hold a cached copy of the Exchange data, by default only messages from the last 12 months (the "mail to keep offline" slider; older mail stays on the server), and can grow to 50 GB.

------------------------------------------------------------------------------------------------------------
Recovering Data from OST Files: The Challenges

Unlike Personal Storage Table (.PST) files, which Outlook opens directly, an OST file is bound to the MAPI profile that created it and cannot simply be attached to another Outlook installation. Its contents are also obfuscated with the same "compressible encryption" (a fixed byte permutation) that PST files use, so raw string searches miss message text. This makes recovery less direct:

Convert OST to PST: several third-party tools, such as ost2pst.exe, convert an OST to PST format for easier access.
Use forensic suites: AXIOM, X-Ways, FTK and EnCase parse OST files natively.
Beware of duplicate data: because an OST mirrors the Exchange mailbox, you will meet the same messages twice when you analyze both the server export and the OST. Deduplicate by Message-ID or hash, but keep the OST's extra items (unsynced drafts, locally deleted mail still present in the file).

------------------------------------------------------------------------------------------------------------
Note that orphaned OST files (left behind after a profile was recreated, or that stopped syncing because of errors such as mailbox corruption) can also be found on a system, and they may hold mail that no longer exists on the server.

Fixing Corrupt OST Files

If an OST file is damaged, there are a couple of options:

scanost.exe: the built-in Outlook repair tool for OST files in Outlook 2003 and 2007. It was removed in Outlook 2010, where the supported fix is to delete the OST and let Outlook rebuild it from the server; that destroys the local copy, so image the file first.
pffexport: an open-source tool from the libpff project that extracts data from both OST and PST files, including items it recovers from unallocated space inside the file.
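An added Python example, not code from this article, from the host-based email stores article above, or from any of the tools named: it tells a PST from an OST the way a forensic parser does, by the on-disk header rather than the extension. It reads the fields the published [MS-PST] HEADER structure documents (dwMagic, wMagicClient, wVer, the ROOT's ibFileEof and bCryptMethod), so it can flag a 2 GB-limited ANSI file, a Unicode file or a newer 4 KB-page OST, report the logical size recorded in the header and show whether the default "compressible encryption" obfuscation is on. The sweep function finds renamed containers by signature. The sample containers are constructed in the code; the mapping of wVer 36 to 4 KB-page OST files follows the libpff project's version table, not the page.

```python
"""Identify Outlook containers (.pst/.ost/.nst) by header, not extension."""
import os
import struct
import tempfile

MAGIC = b"!BDN"                       # dwMagic, offset 0
MAGIC_CLIENT = 0x534D                 # wMagicClient "SM", offset 8
LAYOUTS = {14: "ANSI", 15: "ANSI", 23: "Unicode",
           36: "Unicode (4 KB pages, newer OST)"}   # 36 per libpff's version table
CRYPT = {0: "none", 1: "permute (compressible encryption, the default)",
         2: "cyclic (high encryption)"}
HEADER_LEN = 564                      # Unicode header size; the ANSI header (520) fits too

def parse_pst_header(head: bytes) -> dict:
    """Decode the fixed header; raises ValueError if this is not an Outlook container."""
    if len(head) < HEADER_LEN or head[:4] != MAGIC:
        raise ValueError("not a PST/OST container (dwMagic mismatch)")
    magic_client, ver, ver_client = struct.unpack_from("<HHH", head, 8)
    if magic_client != MAGIC_CLIENT:
        raise ValueError("wMagicClient mismatch")
    if ver in (14, 15):
        # ANSI: ROOT at 164, 32-bit ibFileEof at 168; bSentinel 460, bCryptMethod 461
        file_eof = struct.unpack_from("<I", head, 168)[0]
        crypt = head[461]
    else:
        # Unicode: ROOT at 180, 64-bit ibFileEof at 184; bSentinel 512, bCryptMethod 513
        file_eof = struct.unpack_from("<Q", head, 184)[0]
        crypt = head[513]
    return {"layout": LAYOUTS.get(ver, f"unknown wVer {ver}"), "wVer": ver,
            "wVerClient": ver_client, "ibFileEof": file_eof,
            "crypt": CRYPT.get(crypt, f"unknown bCryptMethod {crypt}")}

def find_outlook_stores(root: str) -> list:
    """Walk a tree and return (path, header facts) for every file whose header
    says it is an Outlook container, whatever it has been renamed to."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEADER_LEN)
                hits.append((path, parse_pst_header(head)))
            except (OSError, ValueError):
                continue
    return sorted(hits)

def build_sample_header(unicode_layout: bool = True, crypt: int = 1,
                        size: int = 5 * 1024 * 1024) -> bytes:
    """Constructed header bytes for the demo only; not a usable mailbox."""
    buf = bytearray(HEADER_LEN)
    buf[0:4] = MAGIC
    struct.pack_into("<HHH", buf, 8, MAGIC_CLIENT, 23 if unicode_layout else 15, 19)
    if unicode_layout:
        struct.pack_into("<Q", buf, 184, size)
        buf[512], buf[513] = 0x80, crypt
    else:
        struct.pack_into("<I", buf, 168, size)
        buf[460], buf[461] = 0x80, crypt
    return bytes(buf)

def demo_sweep() -> list:
    """Drop a constructed container under a misleading name next to a decoy with a
    .pst extension, sweep the directory and return [(basename, layout)] recognised."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "archive.dat"), "wb") as fh:   # renamed Unicode store
            fh.write(build_sample_header())
        with open(os.path.join(tmp, "notes.pst"), "wb") as fh:     # .pst name, not a store
            fh.write(b"just text" * 100)
        return [(os.path.basename(p), h["layout"]) for p, h in find_outlook_stores(tmp)]

if __name__ == "__main__":
    print(parse_pst_header(build_sample_header()))
    print(parse_pst_header(build_sample_header(unicode_layout=False, crypt=0, size=1 << 30)))
    print(demo_sweep())
```

Point find_outlook_stores at a mounted image or a user profile and it returns every container regardless of name; the ibFileEof value is the size the file claims to have, so a mismatch against the actual size on disk is an early sign of truncation or corruption before any parser is run.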
------------------------------------------------------------------------------------------------------------
Best Tools for Viewing and Extracting Emails

Forensic suites can analyze PST and OST files, but sometimes a standalone viewer is more convenient. Useful tools include:

XstReader: an open-source .NET/C# viewer for quick access to PST, OST and NST files.
XstExporter: its command-line companion for extracting messages and attachments in bulk.
Kernel Data Recovery viewers: free viewers; exporting requires the paid version.

These tools have advantages over Outlook, such as:
✅ Opening files from any Outlook version
✅ Bypassing password protection
✅ Recovering corrupted files
✅ Providing an easy-to-navigate interface

------------------------------------------------------------------------------------------------------------
The Reality of Free vs. Paid Email Forensic Tools

When it comes to email forensics, free tools have limits, and most investigators rely on commercial forensic suites for in-depth analysis. If you are on a budget, some affordable options:

PST Walker: a low-cost PST viewer.
Aid4Mail, Emailchemy and Logikcull: recommended by users for basic extraction and analysis.

Final Thoughts

OST and PST files play a crucial role in email forensics, providing insight even when data has been deleted from the mail server. Whether you use a forensic suite or standalone tools, knowing how these files work and where to find them is key to an effective investigation.

------------------------------------------Dean----------------------------------------------

  • Decoding Google Drive’s Protocol Buffers and Investigating Cached Files

Google is known for its unique data storage formats, and Google Drive for Desktop is no exception. Rather than JSON or XML, Google Drive stores critical metadata in Protocol Buffers (protobufs), a binary format that is highly efficient but hard to read without some work.

🚀 Key Topics:
✅ What are Protocol Buffers (protobufs)?
✅ How to decode protobufs in Google Drive databases
✅ Investigating Google Drive's local file cache
✅ Mapping cached files to their original filenames

----------------------------------------------------------------------------------------------------------
1️⃣ Understanding Protocol Buffers (protobufs) in Google Drive

🔍 What Are Protocol Buffers?

Google developed Protocol Buffers as a lightweight, efficient format for storing and transmitting structured data. Unlike JSON or XML, protobufs are binary, which makes them:
✅ Faster to read and write
✅ More space-efficient
✅ Hard for humans to interpret: each value is tagged only with a field number and a wire type, and the field names and meanings live in a .proto schema that Google does not publish for Drive

📌 Where Are Protobufs Used in Google Drive?

Several Google Drive database fields hold protobuf blobs:

Database            Table             Protobuf field     Description
metadata_sqlite_db  item_properties   content-entry      Stores cached file identifiers
metadata_sqlite_db  properties        account_settings   Stores Google account and sync settings

----------------------------------------------------------------------------------------------------------
2️⃣ Decoding Protobufs Using CyberChef

Protobufs are not human-readable. To extract anything useful you have to decode them, for example with CyberChef.

🛠️ Step-by-Step Protobuf Decoding (Using CyberChef)
1️⃣ Extract the binary data from the content-entry or account_settings field in metadata_sqlite_db (DB Browser for SQLite can show a BLOB cell as hex or export it to a file).
2️⃣ If you copied it as hex, convert it back to bytes with CyberChef's "From Hex" operation.
3️⃣ Apply CyberChef's "Protobuf Decode" operation to the bytes.
4️⃣ Read file identifiers, hashes and other metadata out of the decoded fields. Without the schema you see field numbers rather than names, so identify fields by content: a filename-like string, a size that matches the items table, a 16- or 32-byte digest.

📌 Forensic Use:
✅ Recover filenames and hashes for cached files
✅ Extract Google account details from account_settings
✅ Tie cached files to their metadata in Google Drive

----------------------------------------------------------------------------------------------------------
3️⃣ Collecting Google Drive's Local Content Cache

Because Google Drive for Desktop presents a virtual drive, a forensic image of the system does not capture cloud-only files. Google Drive does, however, cache local copies of files the user has accessed, which lets investigators recover deleted or cloud-only data.

📍 Cache Folder Location:
C:\Users\[username]\AppData\Local\Google\DriveFS\[account id]\content_cache\

Cached files are renamed and have no extension.
Files may remain in the cache after deletion from Google Drive.
Cached thumbnails and previews may persist for longer.

📌 Forensic Use (with DB Browser for SQLite alongside the cache):
✅ Recover cloud-only files that were previously accessed
✅ Extract deleted files from the cache (even if removed from Google Drive)
✅ Analyze thumbnails and previews for additional evidence

----------------------------------------------------------------------------------------------------------
4️⃣ Mapping Cached Files to Original Filenames (Investigating the Cache)

Because cached files lose their original names, rebuild the filenames from metadata_sqlite_db.

📍 Key Database: metadata_sqlite_db

📌 Tables of Interest:
Table             Field           Description
items             local_title     Original filename
items             file_size       File size (used for verification)
item_properties   content-entry   Maps cached files to their original names

🛠️ Step-by-Step Process to Rebuild Filenames
1️⃣ Review the items table to identify files of interest.
2️⃣ Check item_properties to see whether the item is cached (it has a content-entry property).
3️⃣ Parse the content-entry protobuf to get the on-disk cache filename.
4️⃣ Search content_cache for that filename and confirm the match against the item's file_size.

📌 Forensic Use:
✅ Link cached files to their original names and locations
✅ Recover files no longer visible in Google Drive
✅ Extract additional metadata (e.g., file hash, timestamps)

----------------------------------------------------------------------------------------------------------
5️⃣ File Type Identification Using Header Analysis

Because cached files have no extension, identify their type from the file header.

🔍 Common File Headers (Magic Numbers)
File Type       Magic Number (Hex)
JPEG Image      FF D8 FF
PNG Image       89 50 4E 47
PDF Document    25 50 44 46
ZIP Archive     50 4B 03 04 (also the container for DOCX, XLSX and PPTX)

📌 Tools for Header Analysis:
Hex editors (HxD, WinHex)
Forensic suites (Autopsy, FTK, EnCase)

📌 Forensic Use:
✅ Determine file type without an extension
✅ Identify potentially malicious files (e.g., renamed executables, which start with 4D 5A "MZ")
✅ Cross-check file headers against known malware signatures

----------------------------------------------------------------------------------------------------------
We will explore more about Google Drive in the next article (Automating Google Drive Forensics: Tools & Techniques), so stay tuned! See you in the next one.
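An added Python example, not Google's code and not code from the article, that does what the CyberChef steps in section 2 do (decode a protobuf by wire type alone, no schema needed) and then carries the section 4 mapping and the section 5 header check through in one pass. Google does not publish the content-entry schema, so the field numbers in the constructed sample (1 = cache filename, 2 = size, 3 = digest) and the stand-in SQLite rows are assumptions for illustration; on a real metadata_sqlite_db, decode the blob and match the fields against the items table yourself.

```python
"""Schema-less protobuf decode, cache-name mapping and magic-byte sniffing."""
import struct

def _read_varint(buf: bytes, pos: int):
    """Base-128 varint (7 bits per byte, low group first); returns (value, next_pos)."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")

def _as_text_or_bytes(raw: bytes):
    """Length-delimited fields hold strings, bytes or nested messages; keep
    printable UTF-8 as str, everything else as raw bytes."""
    try:
        text = raw.decode("utf-8")
        return text if text.isprintable() else raw
    except UnicodeDecodeError:
        return raw

def decode_protobuf(buf: bytes) -> list:
    """Return [(field_number, wire_type, value)]. Every key byte encodes
    (field_number << 3) | wire_type, which is why no .proto is required.
    Wire types: 0 varint, 1 fixed64, 2 length-delimited, 5 fixed32."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        number, wtype = key >> 3, key & 0x07
        if wtype == 0:
            value, pos = _read_varint(buf, pos)
        elif wtype == 1:
            value, pos = struct.unpack_from("<Q", buf, pos)[0], pos + 8
        elif wtype == 2:
            length, pos = _read_varint(buf, pos)
            value, pos = _as_text_or_bytes(buf[pos:pos + length]), pos + length
        elif wtype == 5:
            value, pos = struct.unpack_from("<I", buf, pos)[0], pos + 4
        else:
            raise ValueError(f"unsupported wire type {wtype} at offset {pos}")
        fields.append((number, wtype, value))
    return fields

def _write_varint(value: int) -> bytes:
    out = bytearray()
    while True:
        out.append((value & 0x7F) | (0x80 if value > 0x7F else 0))
        value >>= 7
        if not value:
            return bytes(out)

def encode_field(number: int, wtype: int, value) -> bytes:
    """Encoder used only to build the constructed sample below."""
    key = _write_varint((number << 3) | wtype)
    if wtype == 0:
        return key + _write_varint(value)
    if wtype == 2:
        raw = value.encode("utf-8") if isinstance(value, str) else value
        return key + _write_varint(len(raw)) + raw
    return key + struct.pack("<Q" if wtype == 1 else "<I", value)

# Constructed stand-ins for metadata_sqlite_db rows and a content_cache listing.
# Field numbers are ASSUMED for the demo; Drive's real schema is unpublished.
SAMPLE_CONTENT_ENTRY = (encode_field(1, 2, "1234567890abc")     # assumed: cache filename
                        + encode_field(2, 0, 48213)             # assumed: size in bytes
                        + encode_field(3, 2, bytes.fromhex("d41d8cd98f00b204e9800998ecf8427e")))
ITEMS = [{"id": 7, "local_title": "budget.xlsx", "file_size": 48213},
         {"id": 8, "local_title": "cloud_only.gdoc", "file_size": 0}]
ITEM_PROPERTIES = [{"item_id": 7, "key": "content-entry", "value": SAMPLE_CONTENT_ENTRY}]
CACHE_LISTING = {"1234567890abc": {"size": 48213, "head": b"PK\x03\x04\x14\x00\x06\x00"}}

MAGIC_NUMBERS = [(b"\xFF\xD8\xFF", "JPEG"), (b"\x89PNG\r\n\x1a\n", "PNG"), (b"%PDF", "PDF"),
                 (b"PK\x03\x04", "ZIP (also DOCX/XLSX/PPTX)"), (b"MZ", "PE executable")]

def sniff_type(head: bytes) -> str:
    """Section 5: identify an extension-less cache file from its leading bytes."""
    for signature, name in MAGIC_NUMBERS:
        if head.startswith(signature):
            return name
    return "unknown"

def resolve_cached_files(items, item_properties, cache_listing) -> list:
    """Section 4 in code: for each item with a content-entry property, decode the
    blob, take the (assumed) filename field, confirm a cache file of that name and
    the item's size exists, and sniff its type. Returns (title, cache name, size ok, type)."""
    by_id = {row["id"]: row for row in items}
    results = []
    for prop in item_properties:
        if prop["key"] != "content-entry" or prop["item_id"] not in by_id:
            continue
        item = by_id[prop["item_id"]]
        fields = decode_protobuf(prop["value"])
        name = next((v for n, w, v in fields if n == 1 and w == 2 and isinstance(v, str)), None)
        cached = cache_listing.get(name)
        size_ok = bool(cached) and cached["size"] == item["file_size"]
        results.append((item["local_title"], name, size_ok,
                        sniff_type(cached["head"]) if cached else None))
    return results

if __name__ == "__main__":
    for field in decode_protobuf(SAMPLE_CONTENT_ENTRY):
        print(field)
    print(resolve_cached_files(ITEMS, ITEM_PROPERTIES, CACHE_LISTING))
```

To use it on a real blob, replace SAMPLE_CONTENT_ENTRY with the bytes exported from DB Browser and read off which field carries the cache name; if a length-delimited field decodes to bytes rather than text, feed it back through decode_protobuf, since it is probably a nested message.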

  • Understanding Email Headers in Digital Forensics

Emails are an integral part of modern communication, both personal and professional. Behind every message is a digital envelope, the email header: a trove of metadata that records the message's journey, supports authenticity checks and points to its origin.

Email Transmission Path

A message's journey is a multi-step process:

Mail client: the message originates in a mail client, either a local application such as Outlook or a web platform such as Yahoo! Mail.
Mail Transfer Agent (MTA): the client hands the message to an MTA, a server speaking the Simple Mail Transfer Protocol (SMTP), which is responsible for transmission.
Route: the MTA looks up the recipient's mail server (via the domain's MX records) and forwards the message. In larger networks it may traverse several MTAs, each of which prepends its own Received header.

Key Metadata in Email Headers

The body carries the message; the headers carry the metadata investigators want. The crucial fields:

Message-ID: a unique identifier minted when the message is created; ideal for correlating copies across mailboxes and logs.
Received: one line per hop, recording the sending and receiving servers, IP addresses, timestamps and time zones. Each MTA adds its line at the top, so always read them from the bottom up: the lowest line is the first hop. Only the lines added by servers you trust are reliable; everything below them could have been written by the sender.
X-Originating-IP: formerly exposed the sender's client IP; no longer present in Gmail or Outlook.com headers, on privacy grounds.
X-Mailer: once identified the composing client; absent in modern Gmail and Outlook headers.
Registered headers: https://www.iana.org/assignments/message-headers/message-headers.xhtml
X-headers: experimental or provider-specific extensions to the RFC headers. Mail providers add them for internal tracking or administration; they carry no guarantee of meaning or authenticity.

Implications for Forensic Analysis

1. X-Originating-IP
• Challenge: with the field gone, tracing the client IP of a Gmail or Outlook.com sender from headers alone is much harder.
• Alternative: fall back on the Received headers, but the first hops are usually the provider's internal servers and rarely show the sender's own IP; provider logs obtained by legal process are the remaining route.

2. X-Mailer
• Challenge: without X-Mailer it is harder to tell whether a message was composed in a desktop client or a web interface.
• Alternative: other metadata (Message-ID format, MIME structure, boundary strings, User-Agent where present) and content analysis can hint at the client, but less directly.

Forensic Considerations

Spoofing: anything below the first trusted Received line, and every field the sender controls (From, Date, Message-ID, X-headers), can be forged, so validate against the trusted hops and the authentication results rather than taking fields at face value.
Privacy: under regulations such as GDPR, providers have stripped client-identifying data from headers, which complicates attribution.
Forensic tools: specialized tools parse headers, extract metadata and reconstruct the path.

Encryption and Security Headers

Modern services prioritize user security, and it shows in the headers:

TLS: Received lines record whether each hop used transport encryption (for example "with ESMTPS", with the TLS version and cipher in parentheses). This protects the hop, not the message end to end.
SPF/DKIM/DMARC/ARC: sender-authentication results appear in the Authentication-Results header added by the receiving server; trust only the instance your own server wrote.

Server-Side Changes

Both Gmail and Outlook have changed considerably:

Google Workspace: Google's transition to Workspace changed server infrastructure and message processing.
Cloud integration: Microsoft's integration of Outlook with cloud services affects storage, routing and access.

User-Agent Headers

Modern browsers and mobile apps have influenced User-Agent headers: where present, they now reflect generic modern browser strings and give less specific client device information.

Key Elements to Analyse

Received headers: start from the bottom and work up; these lines detail the servers the message passed through. Check that hop timestamps increase and that each line's "by" host is the next line's "from" host.
SPF records: check whether the sending domain publishes an SPF record and whether the check passed. Large providers (Apple, for example) publish them, so a failure for such a domain is a strong signal.
DKIM/ARC: look for DKIM and ARC signatures and their verification results to confirm message integrity.
Return-Path: verify that the bounce address belongs to a legitimate domain rather than a suspicious one, and compare it with From.
Message-ID: compare with known legitimate messages from the same sender for consistency.
Construction of Message-ID: typically combines the date and time with unique system identifiers such as a process ID or domain name, in the form <unique@domain>.
Detection: checking the Message-ID format against the sender's usual pattern helps detect forged messages.

---------------------------------------------------------------------------------------------------
Updated on 28 January 2025

When investigating email, one of the most important things to understand is how messages link into a thread. Every message carries a unique Message-ID, and two further fields tie replies together: References and In-Reply-To.

How Emails Are Linked in a Thread

References: holds the list of all previous Message-IDs in the thread. Each reply copies the parent's References and appends the parent's Message-ID.
In-Reply-To: holds only the Message-ID of the direct parent.

Most modern clients check whether the In-Reply-To value is present in References and add it if not, so References normally gives the most complete view of a thread.

Why Does This Matter in Forensics?

These fields let investigators group related messages and spot missing ones: a Message-ID that appears in References but in no collected message means a message exists that you do not have. Because Message-IDs are unique, they are excellent search terms for mail logs and forensic tools. Good email forensic tools use References and In-Reply-To to reconstruct conversation threads, which makes review far more efficient.
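An added Python example, not code from the article or from any forensic tool it mentions, that makes the bottom-up Received walk, the Message-ID consistency check and the References/In-Reply-To thread rebuild concrete. It uses only the standard library. The two messages are constructed for the demo with example domains and documentation IP ranges, the middle message of the thread is deliberately left out so the rebuild has something to flag, and the receiving domain's own MTA is assumed to be the only trusted hop.

```python
"""Header triage: Received chain bottom-up, auth results, Message-ID check, threading."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime, parseaddr

# Constructed sample: a reply with a three-hop Received chain, newest hop on top.
REPLY_MSG = """Received: from mx2.example.net (mx2.example.net [203.0.113.7])
\tby inbox.example.com with ESMTPS id abc123; Tue, 14 Jan 2025 10:05:10 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.22])
\tby mx2.example.net with ESMTPS; Tue, 14 Jan 2025 10:04:58 +0000
Received: from [192.168.1.50] (unknown [192.168.1.50])
\tby mail.sender.example with ESMTPSA; Tue, 14 Jan 2025 10:04:55 +0000
Authentication-Results: inbox.example.com; spf=pass smtp.mailfrom=sender.example;
\tdkim=pass header.d=sender.example; dmarc=pass
From: Alice <alice@sender.example>
To: bob@example.com
Subject: Re: Q1 figures
Date: Tue, 14 Jan 2025 10:04:55 +0000
Message-ID: <20250114100455.7c1a9e2b@mail.sender.example>
In-Reply-To: <20250113153000.aa1@inbox.example.com>
References: <20250113091200.001@inbox.example.com> <20250113153000.aa1@inbox.example.com>

Numbers attached.
"""
# Constructed sample: the thread's first message. The middle one (aa1) is absent.
ROOT_MSG = """From: bob@example.com
To: alice@sender.example
Subject: Q1 figures
Date: Mon, 13 Jan 2025 09:12:00 +0000
Message-ID: <20250113091200.001@inbox.example.com>

Can you send the Q1 figures?
"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s*\((?P<helo>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
MSGID_RE = re.compile(r"^<[^@<>\s]+@([^@<>\s]+)>$")

def parse_message(raw: str):
    return message_from_string(raw)

def received_hops(msg) -> list:
    """Each MTA prepends its Received line, so the last one is the first hop.
    Returns hops oldest-first with from/by hosts, the bracketed IP and the timestamp."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        flat = " ".join(raw.split())                    # unfold the header
        m, ip = HOP_RE.search(flat), IP_RE.search(flat)
        stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
        hops.append({"from": m.group("from") if m else None,
                     "by": m.group("by") if m else None,
                     "ip": ip.group(1) if ip else None,
                     "time": parsedate_to_datetime(stamp) if stamp else None})
    return hops

def hop_delays(hops: list) -> list:
    """Seconds between consecutive hops. A negative value means clock skew, or a
    Received line the sender forged before the message reached a trusted MTA."""
    return [int((b["time"] - a["time"]).total_seconds()) if a["time"] and b["time"] else None
            for a, b in zip(hops, hops[1:])]

def auth_results(msg) -> dict:
    """spf/dkim/dmarc/arc verdicts from Authentication-Results. Only the instance
    stamped by your own receiving MTA is trustworthy; the sender can add others."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc|arc)=(\w+)", hdr, re.I):
            found[method.lower()] = verdict.lower()
    return found

def message_id_consistent(msg) -> bool:
    """A Message-ID is minted by the sender's client or first MTA, so its domain
    should match the From: domain (or a subdomain of it) or the first 'by' host."""
    m = MSGID_RE.match((msg.get("Message-ID") or "").strip())
    if not m:
        return False
    mid_dom = m.group(1).lower()
    from_dom = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    hops = received_hops(msg)
    first_by = (hops[0]["by"] or "").lower() if hops else ""
    return mid_dom in (from_dom, first_by) or mid_dom.endswith("." + from_dom)

def build_thread(messages: list):
    """Parent map keyed by Message-ID (parent = In-Reply-To, else the last References
    entry, mirroring what clients do) plus the referenced IDs absent from the set,
    i.e. messages the collection is missing."""
    by_id = {m["Message-ID"].strip(): m for m in messages if m["Message-ID"]}
    parents, missing = {}, set()
    for mid, m in by_id.items():
        refs = (m.get("References") or "").split()
        irt = (m.get("In-Reply-To") or "").strip()
        if irt and irt not in refs:
            refs.append(irt)
        parents[mid] = refs[-1] if refs else None
        missing.update(r for r in refs if r not in by_id)
    return parents, missing

if __name__ == "__main__":
    reply = parse_message(REPLY_MSG)
    hops = received_hops(reply)
    for hop, delay in zip(hops, [None] + hop_delays(hops)):
        print(hop["ip"], hop["from"], "->", hop["by"], hop["time"], "delay:", delay)
    print(auth_results(reply), message_id_consistent(reply))
    print(build_thread([parse_message(ROOT_MSG), reply]))
```

On a real collection, feed every exported .eml through parse_message and build_thread; the missing set is the list of Message-IDs to search for in server logs or other custodians' mailboxes, and a hop whose delay is negative or whose "from" host does not match the previous line's "by" host is the point at which to stop trusting the chain.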
--------------------------------------------------------------------------------------------------- Conclusion Email headers, though often overlooked, are a goldmine for digital forensic investigators. By meticulously analyzing these headers, professionals can trace an email's journey, verify its authenticity, and gather valuable metadata for investigations. Despite challenges like spoofing, privacy concerns, and evolving server-side changes, a thorough approach and specialized forensic tools can navigate these obstacles. --------------------------------------Dean-----------------------------------------------
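Here is an added example (not code from the article) that puts the checks above into the Python standard library: walking Received headers from the bottom up, sanity-checking the Message-ID construction, and rebuilding a thread from References plus In-Reply-To, including the merge step that modern clients perform. The three messages, hosts and addresses are constructed sample data.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample thread (not real mail). The second reply leaves its direct
# parent out of References, a gap the In-Reply-To merge below closes.
RAW_MESSAGES = [
    """Received: from mx2.example.net (mx2.example.net [203.0.113.5])
\tby mail.example.org; Tue, 28 Jan 2025 10:00:03 +0000
Received: from laptop.lan (unknown [198.51.100.7])
\tby mx2.example.net; Tue, 28 Jan 2025 10:00:01 +0000
From: Alice <alice@example.net>
To: bob@example.org
Message-ID: <20250128100000.12345@example.net>
Subject: Invoice

Original message.
""",
    """From: Bob <bob@example.org>
To: alice@example.net
Message-ID: <20250128101500.777@example.org>
In-Reply-To: <20250128100000.12345@example.net>
References: <20250128100000.12345@example.net>
Subject: Re: Invoice

First reply.
""",
    """From: Alice <alice@example.net>
To: bob@example.org
Message-ID: <20250128103000.12346@example.net>
In-Reply-To: <20250128101500.777@example.org>
References: <20250128100000.12345@example.net>
Subject: Re: Invoice

Second reply; its References list omits the direct parent.
""",
]

# <unique-part@domain>: the construction the article describes.
MSGID_RE = re.compile(r"^<[^<>@\s]+@[^<>@\s]+>$")


def received_hops(raw: str) -> list[str]:
    """Received headers in transit order. Each relay prepends its own header,
    so the bottom-most one is the first hop; reversing gives origin first."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]


def message_id_looks_valid(raw: str) -> bool:
    """Does the Message-ID follow the expected construction? A mismatch is a
    reason to look closer, not proof of forgery."""
    mid = (message_from_string(raw).get("Message-ID") or "").strip()
    return MSGID_RE.match(mid) is not None


def thread_ids(msg: Message) -> list[str]:
    """Ancestor chain: References, plus In-Reply-To when the sending client
    did not append it (the same merge most modern clients perform)."""
    refs = (msg.get("References") or "").split()
    parent = (msg.get("In-Reply-To") or "").strip()
    if parent and parent not in refs:
        refs.append(parent)
    return refs


def build_thread(raws: list[str]) -> dict[str, list[str]]:
    """Map every Message-ID we hold to the IDs of its direct replies."""
    msgs = {m["Message-ID"].strip(): m
            for m in (message_from_string(r) for r in raws)}
    children: dict[str, list[str]] = {mid: [] for mid in msgs}
    for mid, msg in msgs.items():
        chain = thread_ids(msg)
        if chain:  # the last ancestor is the direct parent
            children.setdefault(chain[-1], []).append(mid)
    return children


def missing_messages(raws: list[str]) -> list[str]:
    """Message-IDs referenced by the thread but absent from the collection:
    candidates to search for in server logs or other mailboxes."""
    msgs = [message_from_string(r) for r in raws]
    have = {m["Message-ID"].strip() for m in msgs}
    referenced: set[str] = set()
    for m in msgs:
        referenced.update(thread_ids(m))
    return sorted(referenced - have)
```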

  • Analyzing Email Structures and Forensic Challenges

    Emails, a ubiquitous form of communication in the digital age, hold a treasure trove of information for forensic investigators. Understanding the structure and nuances of emails is crucial for effective forensic analysis.

    Email Structure
    An email comprises three main components:
    Header: Contains metadata such as sender, recipient, timestamp, and routing information.
    Body: The main content of the email, which can include text, images, and other multimedia.
    Attachments: Files sent along with the email, often carrying critical information.
    Most standard email clients hide header information, but dedicated forensic tools can reveal this hidden data, offering deeper insight into the email's journey.

    Email Body Analysis
    The email body is relatively simple to analyze. It primarily contains the content provided by the sender, often supplemented with signature blocks or device-specific tags. Analyzing email bodies often involves:
    Manual Review: Using a forensic tool or email client to read each message by hand.
    Keyword Searching: Employing string searches to filter emails by specific keywords or phrases.
    Data Reduction: Removing duplicate emails to streamline the review process.
    When dealing with emails in foreign languages, ensure the forensic tool supports Unicode characters to avoid misinterpretation.

    Email Attachments
    Attachments are a goldmine of information, making up around 80% of email data. However, they come with their own set of challenges:
    Formats: Attachments come in many formats, some requiring specialized viewers.
    Identification: Matching attachments with their corresponding emails can be tricky.
    Security Risks: Attachments are a common vector for malware, so thorough virus scanning is necessary.

    Forensic Considerations
    Binary Storage: While emails are text-based, they can be stored as binary data, requiring specialized forensic tools for accurate searching.
    Raw Email Analysis: When analyzing raw email data, remember that attachments are encoded (typically MIME/base64), so decoding tools or an email client are needed to view them properly.
    Virus Scanning: Given the potential security risks, scanning attachments for viruses is imperative. Ensure your forensic workstation has up-to-date antivirus software with email client plugins for comprehensive scanning.

    Conclusion
    Email forensics, though seemingly straightforward, requires a meticulous approach to extract valuable information effectively. With the right tools and techniques, investigators can uncover critical evidence stored within emails, aiding investigations ranging from corporate fraud to cybercrime.
    Akash Patel

  • Understanding Email Forensics

    Email forensics is a powerful tool in the realm of digital investigations.

    1. Who sent the email?
    Identifying the sender is pivotal, as it sets the foundation for any email investigation. While emails can be anonymized or spoofed, there are often traces left behind that help determine the true sender.
    Origination Address: The email's "From" address is the first clue. Even if it is spoofed, it can sometimes lead to known domains or entities that can be investigated further.
    IP Address: Every email sent over the internet carries the IP address of the sending server. This IP can often be traced back to an ISP or, in some cases, to a specific organization or location.
    Contextual Clues: The content of the email, the signature block, language patterns, and references can also hint at the sender's identity or affiliation.

    2. When was it sent?
    Timestamps are crucial for establishing timelines, which can be vital in investigations.
    Message Timestamp: The email's internal timestamp can be altered, but it still provides a reference point.
    Mail Server Timestamp: This is a more reliable source for determining when an email was sent. Mail servers maintain logs that record the exact time an email was received or sent, providing a trustworthy timeline for investigators.

    3. Verifying Authenticity
    To confirm whether an email is genuine or has been altered, investigators analyze the mail headers. These headers contain various data points, including timestamps that can indicate possible tampering. Authentication technologies such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and ARC (Authenticated Received Chain) help verify whether an email is legitimate and whether it was modified in transit.

    4. Where was it sent from?
    Pinpointing the origin of an email helps trace its path and determine its legitimacy.
    IP Geolocation: The IP address of the sending server can be mapped to a geographical location using geolocation databases, giving investigators an idea of where the email was sent from.
    Mail Server and ISP Tracking: By analyzing the email header, one can trace the path the email took through different mail servers and ISPs. This can narrow down its origin and may open further investigative avenues.

    5. Is there relevant content?
    While the questions above help identify the email's origin and path, the content often holds the key to understanding the email's significance to the investigation.
    Email Stores: Beyond the text and attachments, email stores hold valuable information in contact lists, calendar appointments, and task lists. This data can provide context for the email's intent and can be instrumental in corroborating evidence or establishing motive.

    In conclusion, email forensics is not just about reading emails but about understanding the metadata, tracing the path, and extracting relevant content. A well-conducted email examination can provide a comprehensive view of an individual's activities, associations, and intentions, making it an indispensable tool for digital investigations.
    -------------------------------------------------Dean-------------------------------------------------

  • Investigating Google Drive for Desktop: A Forensic Guide

    Google Drive is one of the most widely used cloud storage services, integrated seamlessly with Gmail, Google Workspace (G Suite), and Android devices. With over one billion users, it presents unique forensic challenges due to its virtual filesystem, cloud-only storage model, and metadata structures.
    -------------------------------------------------------------------------------------------------------------
    1️⃣ Understanding Google Drive for Desktop
    The Google Drive for Desktop application (previously called Google File Stream) operates as a virtual FAT32 filesystem, appearing as a separate drive letter (e.g., G:\ or H:\).
    🔹 Key Forensic Challenges
    ✅ Cloud-Only Files: Many files exist only in the cloud and never touch local storage.
    ✅ Virtual Drive: The mounted Google Drive folder disappears after logout, making live acquisition critical.
    ✅ Unique Metadata: File information is stored in SQLite databases and protocol buffer (protobuf) formats.
    -------------------------------------------------------------------------------------------------------------
    2️⃣ Identifying Google Drive Activity on a System
    📌 Key File Locations for Google Drive Artifacts
    Artifact: Location
    Google Drive Local Storage: %UserProfile%\Google Drive\ (if offline sync is enabled)
    Metadata Database: %UserProfile%\AppData\Local\Google\DriveFS\\metadata_sqlite_db
    File Cache (Locally Stored Files): %UserProfile%\AppData\Local\Google\DriveFS\\content_cache\ (this folder can be used to recover original files stored in the cloud)
    Registry Keys (tracking the mounted drive letter): NTUSER\Software\Google\DriveFS\Share
    Google Workspace Cloud Logs: Google Workspace Admin Reports (for business users)
    📌 Note: The account folder under DriveFS\ is unique for each Google Drive account and corresponds to the Google Chrome profile ID.
    -------------------------------------------------------------------------------------------------------------
    3️⃣ Investigating Google Drive Registry Keys
    Registry keys help confirm whether Google Drive was installed and used, and which drive letter was assigned.
    📍 Registry Key for Google Drive for Desktop: NTUSER\Software\Google\DriveFS\Share
    Value: Description
    SyncTargets: Tracks the assigned drive letter and Google account ID (hex format)
    MountPoint (older versions): Path where Google Drive was mounted on older File Stream versions
    💡 Forensic Use:
    Identify whether Google Drive was installed and used.
    Determine the drive letter Google Drive was mapped to.
    Cross-reference with Windows shell items, RecentDocs, and prefetch files to track activity.
    -------------------------------------------------------------------------------------------------------------
    4️⃣ Metadata & File Forensics in Google Drive for Desktop
    The primary forensic database for Google Drive is stored in SQLite format and contains file details, ownership metadata, timestamps, and deletion status.
    📍 Metadata Database Location: %UserProfile%\AppData\Local\Google\DriveFS\\metadata_sqlite_db
    📌 Database Tables of Interest
    🔹 Table: items (tracks Google Drive files & folders)
    Column: Description
    stable_id: Unique file identifier
    id: Cloud file identifier (can be cross-referenced with Google Drive URLs & audit logs)
    trashed: Indicates if the file is in Google Drive Trash (1 = Yes)
    is_owner: Shows if the user owns the file (1 = Yes)
    is_folder: Differentiates between files (0) and folders (1)
    local_title: Actual file name
    file_size: Size of the file in bytes
    modified_date: Last modified time (Unix epoch format)
    viewed_by_me_date: Last time the user interacted with the file
    shared_with_me_date: Indicates if the file was shared (1 = Yes)
    proto: Binary data containing the MD5 file hash (stored in protocol buffer format)
    📌 Forensic Use:
    ✅ Identify files that were deleted (trashed = 1).
    ✅ Correlate viewed_by_me_date with user activity to determine last access.
    ✅ Recover shared files & owners from shared_with_me_date.
    ✅ Extract MD5 hashes from the proto column to match files against known malware databases.
    -------------------------------------------------------------------------------------------------------------
    5️⃣ Investigating Cached Files & Deleted Data
    Google Drive maintains locally cached files in the following location:
    📍 Cache Folder: %UserProfile%\AppData\Local\Google\DriveFS\\content_cache\
    These temporary files may persist even after deletion from the cloud. If a file was opened but not saved, it might still exist in the cache. Cached files lack original filenames but can be matched via metadata.
    🔹 Table: item_properties (tracks cached & deleted files)
    The entries below are key names you can search for in this table's key field:
    Key: Description
    pinned: Indicates if the file was stored offline (1 = Yes)
    trashed_locally
    trashed_locally_name: Original name of a locally deleted file (found in $Recycle.Bin)
    content-entry: Confirms the file is locally cached
    drivefs.Zone.Identifier: Provides file origin details (useful for identifying downloads)
    version-counter: Tracks file modifications & revisions
    Modified-date: Modification time of the file as reported by the local filesystem
    Local-title: Name of the file or folder
    📌 Forensic Use:
    ✅ Recover files that were deleted but are still present in the cache.
    ✅ Identify files that were deleted locally but still exist in Google Drive Trash.
    ✅ Determine whether files were downloaded from external sources (drivefs.Zone.Identifier).
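As an added example (not from the article or from Google), the queries below run the Forensic Use checks for the items and item_properties tables against a constructed, in-memory stand-in for metadata_sqlite_db. Only the column names listed above are used; the item_properties layout (item_stable_id, key, value), the seconds-based epoch and every row are assumptions, and the real database has more tables and columns.

```python
import sqlite3
from datetime import datetime, timezone


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for metadata_sqlite_db with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items (
            stable_id INTEGER PRIMARY KEY, id TEXT, trashed INTEGER,
            is_owner INTEGER, is_folder INTEGER, local_title TEXT,
            file_size INTEGER, modified_date INTEGER,
            viewed_by_me_date INTEGER, shared_with_me_date INTEGER);
        -- Assumed layout: one (item, key, value) row per property.
        CREATE TABLE item_properties (
            item_stable_id INTEGER, key TEXT, value TEXT);
    """)
    conn.executemany("INSERT INTO items VALUES (?,?,?,?,?,?,?,?,?,?)", [
        (1, "1AbCdEf", 0, 1, 0, "budget.xlsx", 20480, 1737972000, 1737975600, 0),
        (2, "2GhIjKl", 1, 1, 0, "old_plan.docx", 4096, 1735689600, 1735693200, 0),
        (3, "3MnOpQr", 0, 0, 0, "shared_notes.txt", 512, 1737900000, 1737903600, 1),
        (4, "4StUvWx", 0, 1, 1, "Projects", 0, 1730000000, 1730000000, 0),
    ])
    conn.executemany("INSERT INTO item_properties VALUES (?,?,?)", [
        (1, "content-entry", "1"),   # budget.xlsx has a copy in content_cache
        (1, "pinned", "1"),          # ... and was made available offline
        (3, "drivefs.Zone.Identifier", "[ZoneTransfer]\nZoneId=3"),
    ])
    return conn


def epoch_to_iso(ts: int) -> str:
    """modified_date is documented as Unix epoch; seconds are assumed here."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def trashed_files(conn: sqlite3.Connection) -> list[tuple[str, str, str]]:
    """Files in Google Drive Trash as (local_title, cloud id, modified time).
    The cloud id is the value to pivot on in Drive URLs and Workspace audit logs."""
    rows = conn.execute(
        "SELECT local_title, id, modified_date FROM items "
        "WHERE trashed = 1 AND is_folder = 0 ORDER BY stable_id").fetchall()
    return [(title, cloud_id, epoch_to_iso(mod)) for title, cloud_id, mod in rows]


def not_locally_cached(conn: sqlite3.Connection) -> list[str]:
    """Files without a content-entry property: nothing to carve from
    content_cache, so the cloud copy (or Trash) is the only source."""
    sql = """SELECT i.local_title FROM items i
             WHERE i.is_folder = 0 AND NOT EXISTS (
                 SELECT 1 FROM item_properties p
                 WHERE p.item_stable_id = i.stable_id AND p.key = 'content-entry')
             ORDER BY i.stable_id"""
    return [row[0] for row in conn.execute(sql)]


def downloaded_from_external_source(conn: sqlite3.Connection) -> list[str]:
    """Files carrying a drivefs.Zone.Identifier property, the origin marker
    that separates a download from a locally authored file."""
    sql = """SELECT i.local_title FROM items i JOIN item_properties p
             ON p.item_stable_id = i.stable_id
             WHERE p.key = 'drivefs.Zone.Identifier' ORDER BY i.stable_id"""
    return [row[0] for row in conn.execute(sql)]


def shared_with_user(conn: sqlite3.Connection) -> list[str]:
    """Files the user does not own that were shared with them."""
    sql = """SELECT local_title FROM items
             WHERE shared_with_me_date = 1 AND is_owner = 0 ORDER BY stable_id"""
    return [row[0] for row in conn.execute(sql)]
```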
    🔍 Tools for Parsing Google Drive Databases: DB Browser for SQLite, protobuf-decoder, Google Drive API
    -------------------------------------------------------------------------------------------------------------
    6️⃣ Investigating Google Drive Cloud Logs (Google Workspace Only)
    For Google Workspace (G Suite) users, cloud logs provide detailed file access records, including:
    ✅ Uploads, downloads, file deletions, and sharing events
    ✅ User email, IP address, timestamps, and file actions
    ✅ Cross-referencing file IDs with forensic artifacts
    📍 Google Workspace Audit Log Location: Google Workspace Admin Console → Reports → Audit → Drive Audit Log
    📌 Key Audit Events:
    Event Name: Description
    File Edited: Logs file modifications
    File Deleted: Tracks deleted files (even if removed from Trash)
    File Downloaded: Identifies files copied to another device
    File Uploaded: Captures new files added to Google Drive
    File Shared: Tracks when files are shared externally
    File Unshared: Logs when shared access is removed
    💡 Forensic Use:
    Identify stolen data by tracking downloads and external shares.
    Recover deleted file information using file IDs from forensic artifacts.
    Monitor insider threats by analyzing suspicious access patterns.
    -------------------------------------------------------------------------------------------------------------
    7️⃣ Forensic Workflow: Investigating Google Drive for Desktop
    🔹 Step 1: Identify Google Drive Usage on the System
    Check registry keys (NTUSER\Software\Google\DriveFS\Share).
    Identify the Google Drive mount point & assigned drive letter.
    🔹 Step 2: Extract Metadata & File Listings
    Parse metadata_sqlite_db to list all Google Drive files, including cloud-only files.
    Check item_properties for cached & deleted files.
    🔹 Step 3: Recover Locally Stored or Deleted Files
    Extract locally cached files from content_cache.
    Look for deleted files in $Recycle.Bin and Google Drive Trash.
    🔹 Step 4: Investigate External Sharing & Data Exfiltration
    Cross-reference file IDs with Google Workspace Admin logs.
    Track file downloads & sharing events to detect data leaks.
    🔹 Step 5: Correlate with Other Forensic Artifacts
    Compare Google Drive activity with browser history, Windows Event Logs, and Prefetch data.
    Look for unauthorized access from unusual IP addresses.
    -------------------------------------------------------------------------------------------------------------
    We will explore more about Google Drive in the next article (Decoding Google Drive's Protocol Buffers and Investigating Cached Files), so stay tuned! See you in the next one.
    ----------------------------------------------Dean------------------------------------------

  • Investigating OneDrive for Business: Advanced Forensics & Audit Logs

    Microsoft OneDrive for Business is a powerful enterprise cloud storage solution, distinct from the personal OneDrive available by default on Windows. With Microsoft 365 integration, extensive logging, and advanced security controls, it provides rich forensic opportunities for investigators.
    🔹 Why Investigate OneDrive for Business?
    ✅ Tracks file uploads, downloads, deletions, and modifications
    ✅ Stores detailed metadata for all synchronized files
    ✅ Keeps 90 days of Unified Audit Logs (UAL) with granular user activity
    ✅ Logs file sharing events, including external access
    🚀 Let's dive into forensic artifacts, registry keys, logs, and the powerful Microsoft 365 Unified Audit Log (UAL).
    -----------------------------------------------------------------------------------------------------
    1️⃣ Identifying OneDrive for Business on a System
    Unlike personal OneDrive, OneDrive for Business requires authentication with a Microsoft 365 account. A single system can sync:
    ✅ One personal OneDrive account
    ✅ Up to nine OneDrive for Business accounts
    📌 Key File Locations for OneDrive for Business
    Artifact: Location
    Synchronized Files: %UserProfile%\OneDrive - \
    Sync Metadata: %UserProfile%\AppData\Local\Microsoft\OneDrive\settings\Business1\SyncEngineDatabase.db
    Sync Logs: %UserProfile%\AppData\Local\Microsoft\OneDrive\logs\Business1\
    Audit Logs (Cloud-based): Microsoft 365 Unified Audit Log
    📌 Note: If multiple OneDrive for Business accounts exist, folders and settings will be named Business2, Business3, etc.
    ----------------------------------------------------------------------------------------------------------
    2️⃣ Investigating OneDrive for Business Registry Keys
    Forensic investigators must audit registry keys to determine:
    ✅ The existence of OneDrive for Business accounts
    ✅ User authentication details (email, last sign-in time, account names)
    ✅ The actual sync folder location (which may differ from the default)
    📍 Registry Key for OneDrive for Business: NTUSER\Software\Microsoft\OneDrive\Accounts\Business1
    Value: Description
    UserFolder: Path to OneDrive for Business local storage
    UserEmail: Microsoft 365 account email
    UserName: Name of the user tied to the account
    LastSignInTime: Last authentication timestamp (Unix epoch)
    ClientFirstSignInTimestamp: Timestamp of first authentication
    SPOResourceID: SharePoint URL linked to OneDrive for Business
    📌 Key Insight: SPOResourceID confirms SharePoint integration, as OneDrive for Business leverages SharePoint for storage and sharing.
    🔍 Tracking Shared Folders & External Sources: NTUSER\Software\Microsoft\OneDrive\Accounts\Business1\Tenants
    ----------------------------------------------------------------------------------------------------------
    3️⃣ OneDrive for Business Sync Logs & Metadata Analysis
    Investigating OneDrive for Business sync logs and metadata is similar to analyzing a personal OneDrive account.
    See Part 3 (Investigating Cloud-Only Files Using OneDrive Sync Database) of the article Advanced OneDrive Forensics: Investigating Cloud-Only Files & Synchronization: https://www.cyberengage.org/post/advanced-onedrive-forensics-investigating-cloud-only-files-synchronization
    ----------------------------------------------------------------------------------------------------------
    4️⃣ Microsoft 365 Unified Audit Logs (UAL) for OneDrive for Business
    OneDrive for Business integrates with Microsoft 365 Unified Audit Logs (UAL), providing detailed forensic tracking of user activity for 90 days.
    📍 Accessing UAL Logs:
    Microsoft 365 Security & Compliance Center
    PowerShell (Search-UnifiedAuditLog)
    Microsoft Graph API
    📌 Key UAL Events for OneDrive Investigations:
    Event Name: Description
    FileAccessed: Tracks file views (noisy; consider FileAccessedExtended)
    FileModified: Tracks file edits (use FileModifiedExtended for fewer entries)
    FileDeleted: Tracks file deletions
    FileDeletedFirstStageRecycleBin: Identifies files moved to the OneDrive Recycle Bin
    FileDeletedSecondStageRecycleBin: Identifies permanently deleted files
    FileDownloaded: Tracks files downloaded from OneDrive/SharePoint
    AnonymousLinkCreated: Tracks externally shared files (links sent outside the organization)
    FileSyncUploadedFull: Logs full file uploads
    FileSyncDownloadedFull: Logs full file downloads
    💡 Forensic Use:
    Identify suspicious file downloads and deletions.
    Track data exfiltration via external sharing (AnonymousLinkCreated).
    Correlate file access patterns with suspicious login activity.
    Reference: https://learn.microsoft.com/en-us/purview/audit-search?tabs=microsoft-purview-portal
    ----------------------------------------------------------------------------------------------------------
    5️⃣ Investigating External File Sharing & Data Exfiltration
    Investigating OneDrive for Business file sharing and data exfiltration is similar to analyzing a personal OneDrive account. See Part 5 (Tracking Shared Files & External Data Sources) of the article Advanced OneDrive Forensics: Investigating Cloud-Only Files & Synchronization: https://www.cyberengage.org/post/advanced-onedrive-forensics-investigating-cloud-only-files-synchronization
    ----------------------------------------------------------------------------------------------------------
    Final Thoughts: OneDrive for Business Forensics is a Goldmine for Investigators
    🚀 Next Up: Google Drive for Desktop: Investigating Enterprise Cloud Storage Activity 🔍
    -------------------------------------------Dean-------------------------------------------------------
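The UAL triage described in section 4 above, as an added example that is not part of the article: it reads constructed AuditData records in the JSON field shape that Search-UnifiedAuditLog exports (Operation, UserId, CreationTime, ObjectId, ClientIP) and flags download bursts, anonymous links and second-stage deletions. The thresholds, user names, object paths and addresses are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(time: str, op: str, user: str, obj: str, ip: str) -> str:
    """One constructed AuditData record (JSON, as the UAL export carries it)."""
    return json.dumps({"CreationTime": time, "Operation": op, "UserId": user,
                       "ObjectId": obj, "ClientIP": ip})


# Constructed sample export: ordinary activity plus one noisy account.
AUDIT_LINES = [
    _rec("2025-01-28T08:01:10", "FileAccessed", "alice@contoso.example",
         "/personal/alice/Documents/q1.xlsx", "198.51.100.10"),
    _rec("2025-01-28T08:12:00", "AnonymousLinkCreated", "bob@contoso.example",
         "/personal/bob/Documents/customers.csv", "203.0.113.9"),
    _rec("2025-01-28T09:30:00", "FileDeletedSecondStageRecycleBin",
         "carol@contoso.example", "/personal/carol/Documents/old.docx", "198.51.100.12"),
    _rec("2025-01-28T14:00:00", "FileDownloaded", "alice@contoso.example",
         "/personal/alice/Documents/q1.xlsx", "198.51.100.10"),
]
# Six downloads by one account inside ten minutes: the burst the sliding
# window below is meant to catch.
for minute in (3, 4, 5, 6, 7, 9):
    AUDIT_LINES.append(_rec(f"2025-01-28T08:{minute:02d}:00", "FileDownloaded",
                            "bob@contoso.example",
                            f"/personal/bob/Documents/export{minute}.csv", "203.0.113.9"))


def parse_records(lines: list[str]) -> list[dict]:
    """Decode one JSON AuditData record per line."""
    return [json.loads(line) for line in lines]


def download_bursts(records: list[dict], threshold: int = 5,
                    window: timedelta = timedelta(minutes=15)) -> dict[str, int]:
    """Users with at least `threshold` FileDownloaded events inside any span
    of `window` length. Both values are assumptions; tune to the tenant's baseline."""
    times: dict[str, list[datetime]] = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileDownloaded":
            times[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    flagged: dict[str, int] = {}
    for user, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):           # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def external_shares(records: list[dict]) -> list[tuple[str, str]]:
    """(user, object) pairs where an anonymous link was created."""
    return [(r["UserId"], r["ObjectId"]) for r in records
            if r["Operation"] == "AnonymousLinkCreated"]


def permanent_deletions(records: list[dict]) -> list[tuple[str, str]]:
    """(user, object) pairs purged from the second-stage recycle bin."""
    return [(r["UserId"], r["ObjectId"]) for r in records
            if r["Operation"] == "FileDeletedSecondStageRecycleBin"]


def client_ips(records: list[dict]) -> dict[str, list[str]]:
    """Every ClientIP seen per user, to set beside sign-in logs."""
    seen: dict[str, set[str]] = defaultdict(set)
    for r in records:
        seen[r["UserId"]].add(r["ClientIP"])
    return {user: sorted(ips) for user, ips in seen.items()}
```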

  • Understanding USB Artifacts: HID, MTP, PTP, and MSC Devices

    USB devices play an essential role in digital forensics. While some devices, such as Human Interface Devices (HIDs), may not seem particularly data-rich, they can still hold critical clues. Knowing how to analyze USB artifacts is crucial, especially when investigating potential malicious activity or suspicious system behavior.
    ------------------------------------------------------------------------------------------------------------
    Human Interface Devices (HIDs)
    HIDs, such as keyboards, mice, and game controllers, might not be the flashiest USB devices, but they can reveal important information. For instance, you might discover a new HID device installed during a period of suspicious activity. This is significant because malicious devices often disguise themselves as HIDs to bypass detection. One common attack involves using a HID keyboard to send pre-programmed keystrokes that execute scripts, such as PowerShell commands. Devices like the Hak5 Rubber Ducky are built specifically for this purpose. Other tools, such as hardware keyloggers (e.g., AirDrive) and the USB Ninja, can mimic HID input to compromise systems stealthily.
    Fortunately, HIDs must associate with a USB device class, and this process leaves traces in the system registry. HID associations are stored under the registry key SYSTEM\\Enum\HID. Here you will typically find the Vendor ID (VID), Product ID (PID), and timestamps. These timestamps, located in sub-keys such as 0064, 0066, and 0067, record:
    First connected time
    Last connected time
    Last removal time
    ------------------------------------------------------------------------------------------------------------
    Media Transfer Protocol (MTP) and Picture Transfer Protocol (PTP)
    Devices such as smartphones, cameras, and music players often use MTP or PTP. These protocols differ from traditional mass storage devices and leave fewer forensic traces, but they are still worth investigating when analyzing data exfiltration or suspicious activity.
    Picture Transfer Protocol (PTP)
    PTP is an older protocol designed for transferring images, videos, and related metadata. It only allows files to be copied from the device to a computer and does not support other file types.
    Media Transfer Protocol (MTP)
    MTP is an upgraded protocol introduced by Microsoft to support a wider variety of file types. Unlike PTP, MTP allows two-way file transfers and enables simultaneous access to storage by both the device and the computer.
    In forensic investigations, MTP devices can be tricky. They do not receive drive letters and are instead displayed under "Devices and Drives" in Windows 10+ or "Portable Devices" on older systems. Additionally, accessing files on MTP devices may not create typical artifacts such as .LNK files.
    To identify MTP or PTP devices, examine the following registry keys:
    SYSTEM\\Enum\USB
    SOFTWARE\Microsoft\Windows Portable Devices\Devices
    Artifacts such as ShellBags and limited .LNK file records may also reference MTP.
    What happens? When you open files from an MSC device (such as a flash drive), Windows creates small .LNK files. These files point back to what you opened and where it came from.
    ------------------------------------------------------------------------------------------------------------
    Mass Storage Class (MSC) Devices
    Mass storage devices, such as external hard drives and flash drives, are among the most common USB devices. They leave behind a wealth of artifacts and are essential to examine in forensic investigations.
    Protocols for MSC Devices
    USB Storage Port (USBSTOR): This protocol supports the traditional Bulk-Only Transport (BOT) method, which allows straightforward data transfer.
    USB Attached SCSI Protocol (UASP): Introduced with USB 3.0, UASP enables faster, multi-threaded transfers and is commonly used with solid-state drives. UASP devices are recorded in the SCSI registry key rather than USBSTOR.
    MSC devices typically appear with a drive letter and are fully accessible for file transfers. They are recorded in the registry under USBSTOR or SCSI, depending on the protocol.
    ------------------------------------------------------------------------------------------------------------
    Key Forensic Takeaways
    HID Devices: Look for suspicious timestamps and unexpected devices in the HID registry key. Even if attackers spoof the VID/PID, the timing can provide valuable clues.
    MTP/PTP Devices: These devices leave fewer traces but can serve as potential data exfiltration points. Investigate their registry entries and any associated ShellBag or .LNK file artifacts.
    MSC Devices: These devices leave behind the most artifacts, making them easier to analyze. Pay attention to whether they use USBSTOR or SCSI, as modern devices increasingly rely on UASP.
    By understanding these USB device types and the artifacts they leave behind, forensic investigators can better uncover and analyze suspicious activity on a system.
    -----------------------------------------Dean------------------------------------

  • The Role of USB Devices in Enterprise Threats and Digital Forensics

    Since their inception, removable devices have posed a significant threat to enterprise security. From insider threats and confidential data theft to data leakage and the propagation of malicious code, the challenges surrounding removable devices remain prevalent. With an estimated six billion USB devices in use worldwide, their ubiquity underscores the critical need for organizations to understand and manage their risks effectively.
    ----------------------------------------------------------------------------------------------------------
    USB: The Dominant External Media Interface
    Among removable devices, USB (Universal Serial Bus) has long been the most widely adopted external media interface. While competitors such as FireWire (IEEE 1394) and eSATA once presented healthy alternatives, the industry has largely consolidated around USB.
    Fortunately, USB device usage leaves behind a wealth of digital artifacts. These artifacts enable investigators to piece together comprehensive stories of USB activity, including identifying connected devices, determining when they were introduced, and pinpointing the responsible users.
    ----------------------------------------------------------------------------------------------------------
    Understanding USB Device Classes
    Not all USB devices are created equal. The USB Implementers Forum maintains over twenty distinct device classes, each with unique purposes and forensic footprints. While the Mass Storage Class (which includes external hard drives and flash drives) is often of primary interest, other classes deserve attention too. Some notable USB device classes include:
    Human Interface Devices (HID): This category includes keyboards, mice, microphones, and malicious devices such as keyloggers. Identifying these peripherals can offer insight into unusual or suspicious activity.
    Media Transfer Protocol (MTP): MTP devices, such as mobile phones, represent specialized USB-connected systems that are often relevant in investigations.
    Other Device Classes: Beyond storage and HIDs, devices such as webcams, printers, and gaming controllers may also leave behind valuable artifacts.
    ----------------------------------------------------------------------------------------------------------
    Investigative Techniques in USB Forensics
    Effective USB forensic investigations involve connecting disparate data points to form a cohesive narrative. By analyzing system logs, registry entries, and shell item data, investigators can determine:
    The types of devices connected to a system.
    The time and date of device introduction.
    The files and folders accessed via the device.
    The users responsible for the device's connection and usage.
    Combining this information enables investigators to draw valuable conclusions about device activity and its potential implications for the enterprise.
    ----------------------------------------------------------------------------------------------------------
    Challenges and Opportunities in USB Forensics
    USB forensics is not without its challenges. Device artifacts are often scattered across a system, requiring significant time and expertise to locate and interpret. Moreover, the diversity of device classes and the variety of data formats involved mean that investigators must remain adaptable, armed with the right tools and methodologies.
    USB device forensics is a powerful tool for combating insider threats, preventing data leaks, and uncovering malicious activity. By leveraging the insights provided by USB artifacts, organizations can enhance their security posture and respond more effectively to potential incidents.
    ----------------------------------------------------------------------------------------------------------
    Conclusion
    By understanding the nuances of USB device classes and their associated artifacts, investigators can extract critical insights to address enterprise security risks. Although the process may require effort, the rich data obtained through USB forensics makes it an indispensable asset in the modern investigative toolkit.
    ---------------------------------------------Dean----------------------------------------------------
