Greetings Dear TurkHackTeam Members
In this topic, I will tell you about e-mail forensics and share what I know in the most understandable way. If you are ready, hold on to your hat; here we go...

WHAT'S E-MAIL FORENSICS?

E-mail forensics is a branch of computer forensics that gathers information about who sent an e-mail, when and from where it was sent, and what was sent. Information can also be collected by analyzing items attached to e-mails, such as calendar entries, tasks and contacts. In this topic, we will learn how e-mail forensics is performed and on which platforms.
During e-mail analysis, three different parts are examined: the e-mail header, the body and the file attachments.

ANALYZING THE E-MAIL HEADERS
Received : This part gives information about every server the e-mail passed through until it reached its destination. It contains the sender's IP address and the IP addresses of the servers visited along the way.

From : The e-mail sender.

To : The e-mail recipient.

Message-ID : A value assigned by the mail server on which the message was created; when appropriate it also gives information about the sender's operating system. Details can be obtained by searching for this ID on that server.

X-Mailer : Gives information about the server where the e-mail was created. It is optional.

X-Originating-IP : Shows the IP address the e-mail originated from. It is not included in every e-mail header (it varies from provider to provider).

MIME-Version : It can provide information about the sender's operating system. It also ensures that the sent file is encoded at the sender and decoded at the receiver, and it extends the format of the e-mail content.
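As an added example (not code from the original post), the following Python script pulls the header fields listed above out of a constructed sample message and walks the Received chain. Because each relay prepends its own Received line, the bottom line is the first hop and the top line is the last one, so the script reads them in reverse and checks that the timestamps move forward and that X-Originating-IP agrees with the first hop. All hostnames, IP addresses (documentation ranges), IDs and the ExampleMailer name are placeholders I made up for the demo.

```python
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message: hosts, IPs and IDs are placeholders, not real data.
RAW_MESSAGE = b"""Received: from mx-in.example.net (mx-in.example.net [203.0.113.10])
\tby mail.example.org with ESMTP id abc123
\tfor <bob@example.org>; Mon, 06 May 2024 10:04:12 +0000
Received: from relay.example.com (relay.example.com [198.51.100.25])
\tby mx-in.example.net with ESMTPS id def456;
\tMon, 06 May 2024 10:04:09 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby relay.example.com with ESMTPA id ghi789;
\tMon, 06 May 2024 10:04:01 +0000
From: Alice <alice@example.com>
To: Bob <bob@example.org>
Subject: Quarterly report
Message-ID: <20240506100401.12345@relay.example.com>
X-Mailer: ExampleMailer 1.0
X-Originating-IP: [192.0.2.77]
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Please find the report attached.
"""

# Matches a bracketed IPv4 literal such as [203.0.113.10].
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def load_message(raw: bytes):
    """Parse raw RFC 5322 bytes with the modern (policy.default) header parser."""
    return email.message_from_bytes(raw, policy=policy.default)


def parse_received_chain(msg):
    """Return hops in transit order (origin first). Received headers are
    prepended by each relay, so the header list is reversed."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(str(raw).split())          # unfold continuation lines
        m_from = re.search(r"\bfrom (\S+)", text)
        m_by = re.search(r"\bby (\S+)", text)
        ips = IP_RE.findall(text)
        stamp = None
        if ";" in text:                            # the date follows the last ';'
            try:
                stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                stamp = None
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ip": ips[0] if ips else None,
            "time": stamp,
        })
    return hops


def timeline_anomalies(hops):
    """Indices of hops whose timestamp is earlier than the previous hop's;
    a non-empty result points at clock skew or an inserted/forged header."""
    bad = []
    for i in range(1, len(hops)):
        earlier, later = hops[i - 1]["time"], hops[i]["time"]
        if earlier and later and later < earlier:
            bad.append(i)
    return bad


def summarize(msg):
    """Collect the header fields discussed in the article into one dict."""
    hops = parse_received_chain(msg)
    message_id = str(msg.get("Message-ID", "")).strip("<> ")
    origin_ips = IP_RE.findall(str(msg.get("X-Originating-IP", "")))
    originating_ip = origin_ips[0] if origin_ips else None
    first_hop_ip = hops[0]["ip"] if hops else None
    return {
        "from": parseaddr(str(msg.get("From", "")))[1],
        "to": parseaddr(str(msg.get("To", "")))[1],
        "message_id_domain": message_id.rpartition("@")[2],
        "x_mailer": msg.get("X-Mailer"),
        "mime_version": msg.get("MIME-Version"),
        "originating_ip": originating_ip,
        "first_hop_ip": first_hop_ip,
        "origin_matches_first_hop": originating_ip == first_hop_ip,
        "hop_count": len(hops),
        "timeline_anomalies": timeline_anomalies(hops),
    }


if __name__ == "__main__":
    message = load_message(RAW_MESSAGE)
    for key, value in summarize(message).items():
        print(f"{key:>26}: {value}")
    for n, hop in enumerate(parse_received_chain(message), 1):
        print(f"hop {n}: {hop['from']} -> {hop['by']} ({hop['ip']}) at {hop['time']}")
```

Run it on a saved `.eml` file by replacing `RAW_MESSAGE` with the file's bytes. Only the topmost Received line is written by your own server; everything below it was supplied by the remote side and can be forged, which is why the timeline and origin-IP checks are worth running before trusting the chain.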

ANALYZING THE E-MAIL BODY
This is the part composed by the sender; it forms the content of the e-mail. It can be analyzed manually without using tools.

ANALYZING THE E-MAIL ATTACHMENTS
Files sent to the recipient in addition to the message text are called "attachments". Since these files are sent to the receiver in encoded form, the analyst must decode the attachments correctly in order to view their content.
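As an added example (not code from the original post), this Python script builds a constructed multipart e-mail with two base64-encoded attachments, then decodes each one, records its size and SHA-256 hash for the case file, and compares the file's magic bytes with the extension in its declared filename. The second attachment is a hypothetical executable stub disguised as a .pdf, which is exactly the kind of mismatch an analyst looks for after decoding. The sample content and the small magic-number table are my own assumptions for the demo.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Minimal magic-number table (assumed set for the demo; extend as needed).
MAGIC = [
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),
    (b"\x89PNG", "png"),
]

# Constructed payloads, not real documents or binaries.
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample, not a real document\n"
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60   # DOS-header stub only


def build_sample_message() -> bytes:
    """Constructed e-mail with an honest PDF and an executable stub named .pdf."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please find the files attached.")
    msg.add_attachment(SAMPLE_PDF, maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(SAMPLE_EXE, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    return msg.as_bytes()           # attachments are base64-encoded on the wire


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sniff_type(data: bytes):
    """Return the type implied by the leading bytes, or None if unknown."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def extract_attachments(raw: bytes):
    """Decode every attachment and describe it for the analyst's report."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_content()          # library undoes the base64 encoding
        if isinstance(data, str):          # text/* parts come back as str
            data = data.encode(part.get_content_charset() or "utf-8")
        name = part.get_filename() or "(unnamed)"
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        sniffed = sniff_type(data)
        results.append({
            "filename": name,
            "declared_type": part.get_content_type(),
            "transfer_encoding": part.get("Content-Transfer-Encoding"),
            "size": len(data),
            "sha256": sha256_hex(data),
            "sniffed": sniffed,
            # Unknown magic is not flagged; a known type must match the extension.
            "extension_matches": sniffed is None or sniffed == ext,
        })
    return results


if __name__ == "__main__":
    for att in extract_attachments(build_sample_message()):
        flag = "" if att["extension_matches"] else "  <-- type/extension mismatch"
        print(f"{att['filename']:12} {att['declared_type']:24} "
              f"{att['size']:5d} bytes sha256={att['sha256'][:16]}...{flag}")
```

To use it on evidence, read a saved `.eml` file's bytes instead of calling `build_sample_message()`. Hashing the decoded bytes (not the base64 text) is what lets you match the attachment against other copies found on disk or in a malware database.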

FORENSICS ON WEB-BASED E-MAILS
Such e-mails are not stored offline on the computer, because the user accesses the e-mail service through a browser, which makes forensic analysis more difficult. With web-based e-mail services, the data the user handled can still be reached by the forensic IT specialist through techniques such as data recovery and string searches on disk images. The web-based e-mail service the user used can be learned from the browser history. Then information such as the IP addresses from which the e-mail account was accessed can be requested and obtained from the service provider.

HOST-BASED E-MAIL SERVERS
When host-based mail is used, the messages can be found on disk, encrypted or unencrypted, rather than only inside the client. The location of the files can be found by performing the appropriate searches. Examples of such applications are Microsoft Outlook, Windows Mail and Mozilla Thunderbird.

FORENSICS ON HOST-BASED E-MAIL SERVERS
Microsoft Outlook : It is a free mail application created by Microsoft. In this application, e-mails are stored in files with the .pst extension. By accessing these .pst files, calendar content, attachments and all the files in the mailbox can be discovered. .pst files can be protected with a personal password; these passwords can be recovered with various tools.


Windows Mail : This is free software developed for Windows. All mails are stored in separate files with the .eml extension. Files with this extension are in text format and can be recovered even after deletion. They also contain the header information. Index and folder information is stored in files with the .fol extension rather than .eml.

There are many other mail applications besides the ones mentioned above; the list of examples could be expanded further.

E-MAIL FORENSICS SOFTWARE
All existing forensics software can perform various analyses on e-mails. The licence fees of these products vary depending on how useful the software is and which features it contains. The best example of these is the ProDiscover software.

ProDiscover includes all of the following features and more:
Viewing and filtering e-mails
Hard disk imaging
Accessing and analyzing protected areas on disk
Making forensic copies
Splitting or merging forensic copy files
Copying folders and files outside of forensic copy
Detailed search operation
Detecting and viewing graphics preview files
Viewing Internet history
Performing registry analysis
Event log analysis

E-MAIL HOSTS
E-mails can be hosted on the client, on the server, or on both at the same time. I will describe some e-mail servers below and share various information about them.

Microsoft Exchange Server

It is the corporate mail server that almost everyone knows and that is widely used. Files with the .edb and .stm extensions are hosted on this server: .edb files contain the mails, address books and similar data, while .stm files contain the attachments. Offline files that can be accessed without connecting to the Exchange server are stored with the .ost extension. It has a very important place in e-mail analysis. Deleted data is completely removed from the database within 14 to 30 days.
Data on this server can be accessed offline or online. Offline access is performed by copying the .edb and .stm files while the server is stopped and data exchange is interrupted. Online access is performed while the Exchange server is running; it is more secure but takes longer than offline access.

Lotus Notes

It is an e-mail client that stores database files on both the server and the client. In short, everything the user can see (calendar, address book and communications) is stored in a database with the .nsf extension. It is the most widely used e-mail service after the Exchange software.

I end my article here and I thank you for reading. Have a good day :)
Source: https://www.turkhackteam.org/adli-bi...lackcoder.html
Translator: @Dolyetyus