Email forensics: Web-based clients
This article discusses how to perform forensic investigations of web-based email clients. While many organizations provide desktop-based email clients for their employees, it is not uncommon for users to read their mail through a browser-based webmail client. We will walk through acquiring email from a web-based client and analyzing it.
Our Goal
What is the end goal of an email investigation? That depends on what the investigation is targeting. The following are some of the common scenarios:
- Recovering deleted emails
- Searching for specific keywords in the emails
- Reading through the emails
This article focuses on scenarios 2 and 3.
Data acquisition from web mail client (Gmail)
Assuming the suspect uses Gmail, the following steps show how to acquire the contents of the account for further analysis. Google offers an export feature called Google Takeout, available at the URL: https://takeout.google.com/settings/takeout. Exporting requires authenticated access to the account and is itself an action recorded in that account, so the authority to perform it and the time it was performed should be documented before proceeding.
Accessing the preceding URL shows the following.
As shown in the preceding figure, select Mail to export emails. Clicking Multiple formats shows the mail formats available for export.
As we can see, email messages are available only in MBOX format. Click OK and scroll down to choose how to receive the exported data.
Here we are exporting once, as a zip archive. Click Create export after choosing the appropriate options as shown in the preceding figure.
Depending on the volume of mail, the export can take anywhere from a few hours to several days. Once it is done, Google sends an email with the download link. Download the archive, record its hash (for example SHA-256) before doing anything else, and work from copies of it for all further analysis.
Manual analysis
Let us discuss how the MBOX file saved on disk can be analyzed further without logging into the suspect's account again. The exported file can be imported into an email client such as Apple Mail. Once imported, one can explore the messages locally in the client; import a working copy rather than the hashed original so the evidence file itself is never modified. The following steps show how to import the MBOX file into the Apple Mail client on a Mac.
Launch the Mail application and navigate to File | Import Mailboxes. We should see the following window. Choose Files in mbox format, since that is the format we obtained.
Click Continue and we should see all the emails being imported as shown below.
Once the import is complete, we should see the following message.
Click Done and we can now start exploring the emails in Apple Mail.
The preceding figure shows an email that claims to have come from Apple Support.
Keyword searching
Keyword searching is another commonly used approach during investigations. MBOX stores messages as plain text (headers and bodies in sequence), so any text search tool, whether a hex editor, a text editor or grep, can be used to locate keywords. Note that attachment contents are base64-encoded inside the file, so a raw text search will not find keywords inside attachments unless they are decoded first. The following excerpt shows several hits in the MBOX file when searching for support@apple-support.com with grep; the search string is a substring of the actual address, applesupport@apple-support.com, which is why these header lines are returned.
spf=neutral (google.com: 93.99.104.210 is neither permitted nor denied by best guess record for domain of applesupport@apple-support.com) smtp.mailfrom=applesupport@apple-support.com
Return-Path: <applesupport@apple-support.com>
Received-SPF: neutral (google.com: 93.99.104.210 is neither permitted nor denied by best guess record for domain of applesupport@apple-support.com) client-ip=93.99.104.210;
spf=neutral (google.com: 93.99.104.210 is neither permitted nor denied by best guess record for domain of applesupport@apple-support.com) smtp.mailfrom=applesupport@apple-support.com
From: "Apple Support" <applesupport@apple-support.com>
Errors-To: applesupport@apple-support.com
Reply-To: applesupport@apple-support.com
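The grep search above works because MBOX is plain text, but it returns bare lines with no indication of which message each one belongs to. The Python script below is a worked example added here; it is not code from the original article or from Google. It does the same keyword search message by message with the standard library's mailbox module, hashes the export first so a working copy can later be verified against the original, and for every hit pulls out the headers an investigator wants next: From, Return-Path, Reply-To, the SPF verdict from Authentication-Results (falling back to Received-SPF), the Gmail labels Takeout records in X-Gmail-Labels, and whether the envelope sender domain matches the From domain. The two-message mbox embedded in the script is constructed for illustration; its addresses and client IP mirror the excerpt above, and the script writes it to a temporary file it creates itself. Searching for support@apple-support.com finds the first message (matched in the headers, SPF neutral); searching for noon finds the second (matched in the body, SPF pass).

```python
"""Keyword search over a Google Takeout MBOX export, with sender-header triage.

Added example, not code from the original article; standard library only.
The two-message mbox below is constructed for illustration (addresses and
client IP mirror the article's grep excerpt; X-Gmail-Labels is the header
Takeout adds to carry Gmail labels).
"""
import hashlib
import mailbox
import os
import re
import tempfile
from email.utils import parseaddr

SAMPLE_MBOX = """From 1577836800000000000@xxx Mon Jan 01 00:00:00 2018
X-Gmail-Labels: Inbox,Important
Return-Path: <applesupport@apple-support.com>
Received-SPF: neutral (google.com: 93.99.104.210 is neither permitted nor denied by best guess record for domain of applesupport@apple-support.com) client-ip=93.99.104.210;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 93.99.104.210 is neither permitted nor denied by best guess record for domain of applesupport@apple-support.com) smtp.mailfrom=applesupport@apple-support.com
From: "Apple Support" <applesupport@apple-support.com>
Reply-To: applesupport@apple-support.com
To: victim@example.com
Subject: Your Apple ID has been locked
Date: Mon, 01 Jan 2018 00:00:00 +0000

Please verify your account at the link below.

From 1577840400000000000@xxx Mon Jan 01 01:00:00 2018
X-Gmail-Labels: Inbox
Return-Path: <friend@example.org>
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of friend@example.org designates 203.0.113.5 as permitted sender) smtp.mailfrom=friend@example.org
From: Friend <friend@example.org>
To: victim@example.com
Subject: Lunch tomorrow?
Date: Mon, 01 Jan 2018 01:00:00 +0000

Are you free around noon?
"""

SPF_RE = re.compile(r"\bspf=(\w+)", re.IGNORECASE)


def sha256_of(path):
    """Hash the evidence file before parsing so working copies can be verified later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def spf_result(msg):
    """SPF verdict from Authentication-Results, falling back to Received-SPF."""
    m = SPF_RE.search(msg.get("Authentication-Results", ""))
    if m:
        return m.group(1).lower()
    received = msg.get("Received-SPF", "").split(None, 1)
    return received[0].lower() if received else "none"


def domain_of(header_value):
    """Bare domain of the address in a From/Return-Path style header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def message_text(msg):
    """Decoded text of all text/* parts; base64 attachments are not searched."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def search_mbox(path, keyword):
    """Return one triage record per message whose headers or body contain keyword."""
    kw, hits = keyword.lower(), []
    mb = mailbox.mbox(path)  # we only read; never call add()/flush() on evidence
    try:
        for key, msg in mb.items():
            headers = "\n".join(f"{k}: {v}" for k, v in msg.items())
            where = [name for name, blob in (("headers", headers), ("body", message_text(msg)))
                     if kw in blob.lower()]
            if not where:
                continue
            hits.append({
                "key": key,
                "subject": msg.get("Subject", ""),
                "from": msg.get("From", ""),
                "return_path": msg.get("Return-Path", ""),
                "reply_to": msg.get("Reply-To", ""),
                "labels": msg.get("X-Gmail-Labels", ""),
                "spf": spf_result(msg),
                # envelope sender vs. header From: a domain mismatch is a common spoofing tell
                "envelope_matches_from": domain_of(msg.get("Return-Path", "")) == domain_of(msg.get("From", "")),
                "matched_in": where,
            })
    finally:
        mb.close()
    return hits


def run_demo(keyword="support@apple-support.com"):
    """Write the constructed sample to a temp file, hash it, then search it."""
    path = os.path.join(tempfile.mkdtemp(), "takeout.mbox")
    with open(path, "wb") as f:
        f.write(SAMPLE_MBOX.encode("utf-8"))
    return sha256_of(path), search_mbox(path, keyword)


if __name__ == "__main__":
    digest, hits = run_demo()
    print("sha256:", digest)
    for hit in hits:
        print(hit)
```

To use it on a real export, point search_mbox at a working copy of the .mbox file extracted from the Takeout archive and compare sha256_of on the copy against the hash recorded at acquisition. Records carry the mbox key, so a hit can be opened again for full header review; attachments remain base64-encoded and need to be decoded separately if they must be searched.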
In addition to acquisition and analysis using the techniques shown, an investigator may be looking for deleted emails. Webmail is rendered in the browser, so messages read this way are not written to disk as mail files; remnants may instead survive in the browser cache and in the machine's volatile memory, and a memory image or the cache directory can be keyword-searched in the same way as the MBOX file above.