
EVALUATION OF E-MAIL ACTIVITY RECONSTRUCTION TOOLS FOR E-MAIL CLIENT

Chew Eng Hin (1), Asrul Hadi Bin Yaacob (2), Mohd Fikri Azli Bin Abdullah (3)

(1) Faculty of Information Science & Technology, Multimedia University (MMU) Melaka Campus, Malaysia. protolmax@gmail.com
(2) Faculty of Information Science & Technology, Multimedia University (MMU) Melaka Campus, Malaysia. asrulhadi.yaacob@mmu.edu.my
(3) School of Electronics and Computer Engineering, Chonnam National University, South Korea. mfikriazli@gmail.com

Abstract

Electronic mail (E-mail) is one of the most common and important messaging infrastructures used in organizations. Among all the critical systems in an organization, the E-mail system is the one that requires significant ongoing investment in both technology and personnel to run smoothly. E-mail crimes are increasing from year to year. In order to cut down the number of E-mail crimes, various E-mail Forensics Tools have been introduced to recover E-mail and trace its source. Tools for E-mail allow E-mail administrators to complete common and time-consuming tasks in their E-mail environment more effectively. The functions of E-mail Forensics Tools can be divided into Activity Reconstruction, Message Tracing, Investigation, Forensics, Compliance, and Trend Analysis. However, the focus of this evaluation is E-mail Activity Reconstruction, which is the first necessary step in E-mail Forensics. In E-mail Activity Reconstruction, there are tools that can read proprietary E-mail repository formats. Thus, an evaluation of E-mail Activity Reconstruction Tools is done on two open source tools and one commercial tool. These E-mail Activity Reconstruction Tools, which can read DBX files, are tested against the basic characteristics and requirements that serve as test criteria, and are also compared and contrasted with each other. All the tests are done under a constant environment and the results are documented to provide a clear view of the efficiency and accuracy of the tools. An informative analysis of the evaluation results is provided to increase understanding of E-mail Activity Reconstruction.

Keywords: E-mail Forensics, E-mail Activity Reconstruction, DBX

1. Introduction

E-mail is a communication method for exchanging digital information between two or more parties. An E-mail system is based on an infrastructure in which E-mail server systems accept, forward, deliver and store messages on behalf of users. Over the years, the E-mail system has been improved and it is now the most widely preferred communication tool within the business field. Thus, it is the first broad electronic communication medium in business.

Proceedings of Regional Conference on Knowledge Integration in ICT 2010

467

E-mail is one of the most common and important messaging infrastructures used in organizations. Among all the critical systems in an organization, the messaging infrastructure is the one that requires significant ongoing investment in both technology and personnel to run smoothly. Moreover, E-mail crimes are increasing from year to year. In order to cut down the number of E-mail crimes, various E-mail Forensics Tools have been introduced to recover E-mail and trace its source. Klein (2006) mentioned that although the overall impact of E-mail Forensics in fixing this vulnerability can only be speculated at, it is unquestionable that the number of cases will be reduced. Tools for E-mail allow E-mail administrators to complete common and time-consuming tasks in their E-mail environment more effectively. Demands from end users increase every year, and IT managers are required to answer more detailed questions about their messaging infrastructure than ever before. Solutions are needed to help organizations implement E-mail Forensics quickly. The functions of E-mail Forensics Tools can be divided into Activity Reconstruction, Message Tracing, Investigation, Forensics, Compliance, and Trend Analysis. However, the focus of this evaluation is E-mail Activity Reconstruction, which is the first necessary step in E-mail Forensics. In E-mail Activity Reconstruction, there are tools that can read the proprietary repository formats of E-mail clients. The chosen E-mail repository format is DBX, which is the repository of Microsoft Outlook Express. The focus is on Microsoft Outlook Express mainly because, according to the E-mail client popularity statistics (2009, June) shown in Figure 1, it is the default E-mail client with a high usage percentage. It also comes free with Windows XP, which is the most preferred Microsoft OS in organizations.

Figure 1: E-mail Client User Usage (pie chart; legend entries include Microsoft Outlook, Yahoo! Mail, Hotmail, Apple Mail, iPhone/iPod Touch and Gmail)

The most important step of E-mail Forensics is E-mail Activity Reconstruction, which is also the very first step before any analysis can be done. Jones, Bejtlich and Rose (2006) stated that E-mail Activity Reconstruction Tools are used to reconstruct the E-mail repositories that local E-mail applications use to store the E-mail a suspect sends or receives. Usually, reconstruction of E-mail requires some application to be installed on the forensics workstation. The main reason is the proprietary repository format used by E-mail applications. Although the forensics could be done with the proper E-mail application installed, E-mail Activity Reconstruction Tools that can read the E-mail without the original application are much more efficient.


2. The Architecture

2.1 E-mail Client

Leung and Hou (n.d.) mentioned that an E-mail client, also known as an E-mail reader or, more formally, a Mail User Agent (MUA), is a computer program used to manage E-mail. The term E-mail client may refer to any agent acting as a client toward an E-mail server, regardless of whether it is a mail user agent, a relaying server, or a human typing on a terminal. Moreover, a web application providing message management, composition, and reception functionality is sometimes considered an E-mail client as well.

Figure 2: Mail User Agent (diagram: Sender, Mail User Agent, Mail Server, Internet, Mail Server, Mail User Agent, Receiver)

An MUA, like most client programs, needs to be activated when users want to retrieve messages from a mailbox, as in Figure 2. Messages are stored on a remote server and the MUA has to request them on behalf of the users. Access to remote server mailboxes comes in two flavors. The American Prosecutors Research Institute (2005) provides much information about how E-mail works. The first is the Post Office Protocol (POP), which allows the client to download messages one at a time and delete them from the server only after they have been successfully saved on local storage. POP is suitable for multiple clients, as it is possible to leave the messages on the server for another client to download. However, there is no provision for flagging a specific message as seen, answered, or forwarded, so POP may not be convenient for users who access the same mail from different machines or clients. On the other hand, the Internet Message Access Protocol (IMAP) allows users to keep messages on the server and flag them as appropriate. Moreover, IMAP provides subfolders; Sent, Drafts, and Trash folders are created by default. Both POP and IMAP clients can be configured to access more than one mailbox at the same time. However, IMAP is equipped with extra features such as the IDLE extension for real-time updates. It can provide faster notification than polling where long-lasting connections are feasible. Lastly, settings like the IP address, user name and password are required on the client for each remote incoming mailbox.

Table 1: E-mail Protocols Port Assignment

Protocol | Use           | Plain Text/Encrypted Sessions | Plain Text Sessions Only | Encrypted Sessions Only
POP3     | Incoming Mail | 110                           |                          | 995
IMAP4    | Incoming Mail | 143                           |                          | 993
SMTP     | Outgoing Mail | 25                            |                          | 465 (unofficial)
MSA      | Outgoing Mail | 587                           |                          |
HTTP     | Webmail       |                               | 80                       | 443

2.2 DBX

Figure 3: DBX Files (diagram: the Folder DBX File catalogues the Inbox, Sent Items, Drafts and Deleted Items E-Mail DBX files)

According to Jones et al. (2005), there are two types of DBX files, as shown in Figure 3. The first type is called the Folder DBX file, which is a catalogue of the other DBX files on the system. The second type of DBX file is called an E-Mail DBX file. This is the file that contains the actual E-Mail messages, including the content and the attachments. Each E-Mail DBX file is catalogued in the Folders DBX file so that Outlook Express can recreate the folder structure for the user.

3. Purpose of the Evaluation

The purpose of the evaluation of E-mail Activity Reconstruction Tools is to determine whether the tested tools meet the basic characteristics and requirements of a forensics tool. Two open source tools, Eindeutig and libDBX, will be tested. In addition, a commercial tool, Paraben's E-mail Examiner, is added to the evaluation in order to compare and contrast the open source tools with the commercial tool. These tools are critical to E-mail forensics applications because E-mail Activity Reconstruction is the very first basic step of E-mail forensics. Yet the quality of these tools is very often unknown. Thus, specific tool evaluation and testing are required and essential in order to determine the performance and quality of the tools.


4. Software and Hardware

Two test computers, one desktop and one laptop, will be used in this test. Complete hardware specifications for both machines are listed below.

Desktop: Dell Dimension 5150, Intel i945 Motherboard, Dell BIOS version A07, Intel Pentium D 820 CPU, 2GiB DDR2 Memory
Laptop: Dell Latitude E6400, Intel GM45, Dell BIOS version A20, Intel Mobile Core 2 Duo T9800, 4GiB DDR2 Memory

On the other hand, the software listed below was used in order to perform the testing.

Cygwin: tool that provides a Linux-like environment to run the tools.
Eindeutig: the tool under test.
libDBX: the tool under test.
Paraben's E-mail Examiner: the tool under test.
FTK Imager: tool that mounts the image for forensics purposes.

5. Methodology
Figure 4: Environment of Tools Comparison (diagram: each Testing Environment for Tool n, n = 1, 2, 3, 4, receives the same Tools, Input and Resources; the Comparison is based on the Basic Characteristics and Requirements)


Figure 4 shows the methodology for E-mail Activity Reconstruction Tools testing and evaluation. All the tools will be given the same resources as input, and the comparison will be based on the basic characteristics and requirements that have already been set earlier. Moreover, each tool will be tested in a separate environment so that all uncertainty can be isolated. The results of the testing will be collected and well documented. These results will then be compiled and tabulated to form the comparison of the tools. After the comparison of E-mail Activity Reconstruction Tools, all of the valuable data will be collected and documented. A table of results will be established in order to provide a better view of the tools testing. The table will then be analyzed and evaluated. Analysis and evaluation can increase the understanding of E-mail Activity Reconstruction Tools.

6. Testing

The tool tests are done on each tool and compared to Microsoft Outlook Express. Based on all the criteria, tools will be rated as either Passed or Failed. Below are the basic characteristics and requirements that serve as testing criteria.

Basic Characteristics and Requirements (Criteria)

1. The tool shall be able to interpret the DBX repository correctly.
2. The tool shall be able to preserve the integrity of both the E-mail and the DBX repository.
3. The tool shall be able to reconstruct E-mail activity.
4. The tool shall be able to extract selected E-mail.
5. The tool shall be able to warn users if an error occurs.
6. The tool shall be able to extract any attachments found in the E-mail.
7. The tool shall be user-friendly and easy to execute.
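One way to exercise Criteria 2 and 3 mechanically around a reconstruction tool such as readdbx, as an added example that is not the paper's or the tools' own code: every DBX file is hashed before and after the tool runs (any change to the evidence is flagged) and the messages the tool wrote to its mbox output are counted. The wrapper signature `tool(dbx_path, mbox_path)`, `run_checked` and `demo` are assumed names; `demo()` uses constructed placeholder bytes and a constructed two-message mbox rather than a real repository.

```python
"""Integrity check around an E-mail Activity Reconstruction tool (added example,
not the paper's or the tools' code). Assumes the tool is wrapped in a callable
taking (dbx_path, mbox_out_path), e.g. subprocess.run of `readdbx -f X -o Y`."""
import hashlib
import mailbox
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large DBX repositories are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def changed_files(before, after):
    """Criterion 2: every repository file whose hash differs after the run."""
    return sorted(p for p in before if after.get(p) != before[p])


def run_checked(tool, dbx_files, out_dir):
    """Hash every DBX file, run the tool, re-hash, and count reconstructed messages."""
    dbx_files = [Path(p) for p in dbx_files]
    before = {str(p): sha256_file(p) for p in dbx_files}
    counts = {}
    for dbx in dbx_files:
        out = Path(out_dir) / (dbx.stem + ".mbox")
        tool(dbx, out)
        # Criterion 3: number of messages the tool wrote to the mbox output.
        counts[dbx.name] = len(mailbox.mbox(str(out)))
    after = {str(p): sha256_file(p) for p in dbx_files}
    return {"altered": changed_files(before, after), "messages": counts}


def demo():
    """Constructed sample run: placeholder DBX bytes and a fake tool emitting 2 messages."""
    tmp = Path(tempfile.mkdtemp())
    dbx = tmp / "Inbox.dbx"
    dbx.write_bytes(b"placeholder DBX bytes, not a real repository")
    sample_mbox = (  # constructed mbox output, in the format readdbx writes
        "From a@example.com Mon Jan  4 10:00:00 2010\n"
        "From: a@example.com\nSubject: first\n\nhello\n\n"
        "From b@example.com Mon Jan  4 11:00:00 2010\n"
        "From: b@example.com\nSubject: second\n\nworld\n\n"
    )

    def well_behaved(src, dst):
        src.read_bytes()              # only reads the evidence
        dst.write_text(sample_mbox)

    def misbehaving(src, dst):
        with open(src, "ab") as fh:   # writes into the evidence: must be flagged
            fh.write(b"\x00")
        dst.write_text(sample_mbox)

    return run_checked(well_behaved, [dbx], tmp), run_checked(misbehaving, [dbx], tmp)
```

In practice the wrapper calls the real tool; the hash comparison is what turns "the repository was not altered" from an impression into a recorded, repeatable check.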

6.1 Microsoft Outlook Express


Figure 5: Microsoft Outlook Express

6.2 Eindeutig

Figure 6: Eindeutig

Eindeutig is tested with the following command:

Command:

dbxparse [-e|-f] [options] <filename>
    -t  The field delimiter for spreadsheet output.
    -f  FORCE the input file as FOLDER type.
    -e  FORCE the input file as E-MAIL type.
    -s  Only an E-mail summary spreadsheet will be listed.
    -o  The output directory for exported E-mail.

6.3 libDBX

Figure 7: libDBX

libDBX is tested with the following command:

Command:

readdbx [OPTIONS]
    -h         display this help and exit
    -V         output version information and exit
    -f "file"  input DBX file
    -o "file"  file to write mbox format to
    -q         don't display extra information

6.4 Paraben's E-mail Examiner

Figure 8: Paraben's E-mail Examiner

Paraben's E-mail Examiner is equipped with a user-friendly GUI. Thus, clicking with the cursor is the only action required in order to execute the program.


7. Result

Table 2: Result of Tools Testing (rows: Criteria 1 to 7; columns: Eindeutig, libDBX, Paraben's E-mail Examiner; each cell rated Passed or Failed)

8. Analysis and Evaluation

8.1 Analysis

8.1.1 Analysis of Test of Criteria 1

From the test of Criteria 1, all the tools performed very well in interpreting the DBX repository. All tools could read the hexadecimal content of the DBX file correctly, and meaningful information was the result of the interpretation.

8.1.2 Analysis of Test of Criteria 2

The second test shows that the tools preserve the integrity of the E-mail and also the DBX repository. Neither the E-mail nor the DBX file is altered or changed after interpretation by the tools. Preservation of the E-mail and the DBX repository is very important in order to use these data as digital evidence in court.

8.1.3 Analysis of Test of Criteria 3

From the results above, all tools are able to reconstruct the E-mail activity from the DBX file without any error. E-mail activity describes the activity or actions that users have performed with their E-mail system, such as the number of E-mails that have been sent, read, deleted, etc.

8.1.4 Analysis of Test of Criteria 4

As the fourth test shows, all tools are able to extract E-mail from the DBX file successfully. The contents of the E-mail, such as the E-mail header and message body, could be viewed without any problem.

8.1.5 Analysis of Test of Criteria 5


All the tools tested are able to warn users if any error occurs during the E-mail activity reconstruction process. Alerts or errors are displayed to warn users, in order to avoid any faults being included in the E-mail forensics.

8.1.6 Analysis of Test of Criteria 6

The result of this test indicates the shortcoming of both open source tools (Eindeutig and libDBX) compared to the feature-rich commercial tool. Neither open source tool is able to extract the attachments found in the extracted E-mail. Although the extraction of attachments could be done with another tool named munpack, Paraben's E-mail Examiner appears to be a more complete package.

8.1.7 Analysis of Test of Criteria 7

The last test was about the user-friendliness of the tools. The results show that both open source tools, which are developed with a CLI interface, are not as easy and simple to use as the commercial tool. The GUI of the commercial tool simplifies execution, as clicking is the only action required.

8.2 Evaluation

E-mail Activity Reconstruction Tools can be divided into open source tools and commercial tools. Eindeutig and libDBX are open source tools, while Paraben's E-mail Examiner is the commercial tool. Paraben's E-mail Examiner consistently appears to be a more complete package, with a user-friendly GUI and many extra features that come in handy. On the other hand, Eindeutig and libDBX are more specific to certain functions, as they can only parse DBX files, compared to the multiple file formats supported by Paraben's E-mail Examiner. Thus, other open source tools like munpack may have to be combined with them in order to achieve certain functions provided by Paraben's E-mail Examiner. Moreover, support and development of Eindeutig have been inactive since 2005, which matches the frequent description of open source tools as being developed more slowly and supported less than commercial tools. On the bright side, open source tools are much more flexible, as the source code is freely available and modifications can be made based on specific needs. A GUI could be added to Eindeutig as a front-end that interacts with users in a friendlier and easier-to-use manner. Open source tools are great for research and study as well.

9. Conclusion

E-mail Activity Reconstruction Tools are essential in E-mail Forensics, as Activity Reconstruction is the very first necessary step in E-mail Forensics. These tools must at least be able to meet the basic characteristics and requirements such as:

1. The tool shall be able to interpret the DBX repository correctly.
2. The tool shall be able to preserve the integrity of both the E-mail and the DBX repository.
3. The tool shall be able to reconstruct E-mail activity.
4. The tool shall be able to extract selected E-mail.
5. The tool shall be able to warn users if an error occurs.

All the tools tested met the criteria and did well in the test. However, open source tools still have a long way to go to keep up with commercial tools. For the benefit of society, open source tools should be given more attention and support from developers.

10. Acknowledgement

I would like to take this opportunity to express my gratitude to Mr. Asrul Hadi Bin Yaacob and Mr. Mohd Fikri Azli Abdullah for their supervision, guidance, encouragement and support throughout the whole project. Both of them showed me different ways to approach a research problem and the need to be persistent to accomplish any goal. Besides that, I would also like to thank my family: my parents for giving me unconditional support and encouragement to pursue my interests and dreams; my sisters, who often helped me search for materials related to the project title; and my brothers, who shared their experience throughout their research and were always there to give me advice whenever I needed it. Besides that, thanks to my family, who always remind me that my research should be useful and provide good information to the community.

References

American Prosecutors Research Institute. (2005). Understanding E-mail: A primer for local prosecutors (Grant No. 98LS-VX-0002). Washington, DC: U.S. Government Printing Office.

E-mail client popularity. (2009, June). Retrieved from http://www.campaignmonitor.com/stats/E-mail-clients/

Jones, K., Bejtlich, R., & Rose, C. (2005). Real digital forensics: Computer security and incident response. Addison-Wesley Professional.

Klein, D. V. (2006). A forensic analysis of a distributed two-stage web-based spam attack.

Leung, Y. W., & Hou, R. (n.d.). Mail Server [Presentation slides]. Retrieved from Hong Kong Baptist University web site: http://www.comp.hkbu.edu.hk/~comp2650/tutorial/notes/lab_notes_5.pdf
