Difference between pages "Paraben" and "Email Headers"

From ForensicsWiki
=Paraben=

This company offers a wide variety of tools for analyzing disk drives and portable devices like cell phones and PDAs.

[http://www.paraben-forensics.com/ Paraben website]

=Features=

==File Systems Understood==

* Major Windows formats
* RAW format

===Email Examiner===

Their tool for searching email ("Email Examiner") can pull apart these files:

* Outlook (PST)
* Outlook Express (DBX)
* AOL 6,7,8,9 (PFC)
* MBox
* Eudora
* Mozilla Mail
* Fox Mail
* Juno
* Calypso
* MSN Mail
* USENET newsgroups

==File Search Facilities==

==Historical Reconstruction==

Can it build timelines and search by creation date?

==Searching Abilities==

* With "Text Searcher". Offers complex queries and searching of slack space.
* Comes with an index building wizard.

==Hash Databases==

Can it create hashes of files and/or blocks? Can it compare these hash values to any databases?
What sort of hash functions does it use?

==Evidence Collection Features==

* Offers a feature called "Case Agent Companion v1.0" for tracking what the case agent does.

=History=

==License Notes==

Commercial.

= External Links =

[http://www.paraben-forensics.com/ Paraben website]

==External Reviews==

=Email Headers=

Revision as of 20:56, 21 March 2006

'''Email Headers''' are lines of [[metadata]] attached to each email that contain lots of useful information for a [[forensic investigator]]. However, email headers can be easily forged, so they should never be used as the only source of information.

== Example ==

This is an (incomplete) excerpt from an email header:

Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing2.securityfocus.com (Postfix) with QMQP
        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <forensics.list-id.securityfocus.com>
List-Post: <mailto:forensics@securityfocus.com>
List-Help: <mailto:forensics-help@securityfocus.com>
List-Unsubscribe: <mailto:forensics-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:forensics-subscribe@securityfocus.com>
Delivered-To: mailing list forensics@securityfocus.com
Delivered-To: moderator for forensics@securityfocus.com
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
From: YJesus <yjesus@security-projects.com>
To: forensics@securityfocus.com
Subject: New Tool : Unhide
User-Agent: KMail/1.9
MIME-Version: 1.0
Content-Disposition: inline
Date: Thu, 5 Jan 2006 16:41:30 +0100
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-Id: <200601051641.31830.yjesus@security-projects.com>
X-HE-Spam-Level: /
X-HE-Spam-Score: 0.0
X-HE-Virus-Scanned: yes
Status: RO
Content-Length: 586
Lines: 26

== External Links ==

* http://en.wikipedia.org/wiki/Computer_forensics#E-mail_Headers
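As an added example (not part of the original wiki page), the following Python parses a header block like the excerpt above, unfolds continuation lines, puts the Received hops into transit order and cross-checks the claimed timeline, which is one of the consistency checks an investigator applies before trusting headers. The sample input is constructed from the page's excerpt, and a timestamp with the RFC 2822 "-0000" (zone unknown) offset is assumed to be UTC.

```python
import email
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed input: Received/From/Date lines from this page's excerpt, plus the blank line ending the headers.
SAMPLE = """\
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing2.securityfocus.com (Postfix) with QMQP
        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
From: YJesus <yjesus@security-projects.com>
Date: Thu, 5 Jan 2006 16:41:30 +0100

"""

def _utc(dt):
    # RFC 2822 "-0000" means "zone unknown" and yields a naive datetime; assume UTC so hops stay comparable.
    return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)

def received_hops(raw):
    """Return [(unfolded Received text, UTC timestamp or None)], oldest hop first.
    Each relay prepends its own Received line, so header order is newest first."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())                          # unfold continuation lines
        stamp = text.rsplit(";", 1)[1] if ";" in text else ""   # the date follows the last ';'
        try:
            ts = _utc(parsedate_to_datetime(stamp.strip()))
        except (ValueError, TypeError):                         # missing or malformed date
            ts = None
        hops.append((text, ts))
    return hops[::-1]

def timeline_anomalies(raw, tolerance=timedelta(minutes=15)):
    """Cross-check the claimed timeline. Only hops written by servers you control
    are trustworthy; every line below them may have been authored by the sender."""
    msg = email.message_from_string(raw)
    hops = received_hops(raw)
    findings, prev = [], None
    if msg["Date"] and hops and hops[0][1] is not None:
        if _utc(parsedate_to_datetime(msg["Date"])) > hops[0][1] + tolerance:
            findings.append("Date header is later than the first Received hop")
    for i, (_, ts) in enumerate(hops):
        if ts is None:
            findings.append(f"hop {i}: no parseable timestamp")
            continue
        if prev is not None and ts < prev - tolerance:
            findings.append(f"hop {i}: timestamp earlier than the previous hop")
        prev = ts
    return findings
```

On the page's excerpt the chain is consistent (the four-day gap between the two hops matches the "moderator" delivery line), so no findings are returned; a Date header dated after the first hop, or a hop whose clock runs backwards, is reported.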