Sean Robertson - Automating Email Evidence Discovery - 4/19/21
JBL Lab 7
4/19/21
By
Sean Robertson
1 | Page
Table of Contents
Summary of Findings 3
Forensic Analysis 4
Lab Exercise 1 4
Analysis Process 4
Forensic Evidence 4
Figure 1 4
Investigator Analysis of Findings 4
References 5
Table of Figures
Summary of Findings
Online communication mediums have gone through steady and ever-growing change since the
dawn of the internet, but none truly stand the test of time quite like email does. That means
that in the field of cyber forensics, specialists of all stripes must know how to find and
properly analyze evidence of the email variety from seized devices. E3 is one such tool that
creates an effective and efficient workflow for analyzing email evidence (JBL, 2019). As such,
with no criminal case or background given, the Investigator Analysis of Findings section will
primarily demonstrate the importance of the tool or method in cyber forensics investigations
or litigations. Because Part 1 of both Section One and Section Two covers how to correctly add
and sort evidence in E3 (JBL, 2019), this lab report will streamline this lab into one Lab
Exercise in order to better focus on the new material presented. This one Lab Exercise will
go in-depth on how a cyber forensics specialist would use E3 to identify suspected files in the
email system of a seized device.
Forensic Analysis
Lab Exercise 1
Analysis Process
After the evidence is loaded into E3 and the data on the hard drive image is correctly indexed
and sorted, the cyber forensics specialist then opens the evidence under the Sorted Files tab
(JBL, 2019).
Forensic Evidence
E3 found one chat file, named ‘main.db’ and typed as ‘Skype 4 or later’. The text this file
contains can be viewed in the text view box and appears to be a conversation between two
different parties (JBL, 2019). E3 also accounted for seven emails, each with its own MD5 and
SHA1 hash values. After choosing the file labeled ‘outbox’ and indexing it into the case
content, the cyber forensics specialist can view the contents of the suspect’s sent mail, as
seen in Figure 1.
Figure 1: [first ‘no subject’ email found in suspect sent mail] (JBL Robertson, 2021)
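As an added illustration of what the tool does behind the Sorted Files view (this is example code written for this report, not part of E3 or the JBL lab), the following Python script hashes each item of a constructed ‘outbox’ with MD5 and SHA1, parses the message headers an examiner sorts on, and flags messages that carry no Subject header, which is what appears as ‘no subject’ in Figure 1. The sample messages, paths and addresses are constructed and are not taken from the lab image.

```python
import hashlib
from email import message_from_bytes
from email.policy import default

# Constructed sample messages standing in for items of a seized 'outbox';
# they are not evidence from the lab image.
SAMPLE_OUTBOX = {
    "outbox/0001.eml": (
        b"From: suspect@example.invalid\r\n"
        b"To: contact@example.invalid\r\n"
        b"Date: Mon, 19 Apr 2021 10:00:00 +0000\r\n"
        b"\r\nMeet at the usual place.\r\n"
    ),
    "outbox/0002.eml": (
        b"From: suspect@example.invalid\r\n"
        b"To: contact@example.invalid\r\n"
        b"Subject: Invoice\r\n"
        b"Date: Mon, 19 Apr 2021 11:30:00 +0000\r\n"
        b"\r\nAttached as discussed.\r\n"
    ),
}


def fingerprint(data: bytes) -> dict:
    """MD5 and SHA1 digests of one evidence item, as E3 records per file."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def inventory_mailbox(items: dict) -> list:
    """Parse each raw message and record the fields an examiner sorts on,
    plus its hashes so any later change to the item is detectable."""
    records = []
    for path, raw in sorted(items.items()):
        msg = message_from_bytes(raw, policy=default)
        rec = {"path": path, **fingerprint(raw)}
        rec["from"] = str(msg["From"])
        rec["to"] = str(msg["To"])
        rec["date"] = str(msg["Date"])
        # A missing Subject header is what E3 displays as 'no subject'.
        rec["subject"] = str(msg["Subject"]) if msg["Subject"] is not None else "(no subject)"
        rec["body"] = msg.get_body(preferencelist=("plain",)).get_content().strip()
        records.append(rec)
    return records


def no_subject_items(records: list) -> list:
    """Paths of messages sent without a Subject, like the email in Figure 1."""
    return [r["path"] for r in records if r["subject"] == "(no subject)"]
```

Re-running `fingerprint` over the same item at report time and comparing it with the stored digest is how an examiner shows the evidence was not altered after indexing.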
References
Easttom, C. (2019). Lab Access for System Forensics, Investigation, and Response (Version 3e) [Virtualized Education Environment]. Jones & Bartlett Learning. https://www.jblearning.com/cybersecurity
Robertson, S. M., & JBL. (2021, April 19). Figure 1: first ‘no subject’ email found in suspect sent mail [Screen Capture]. Google Photos. https://photos.app.goo.gl/XbZUbgDNxeWgnVuK9