Internet Evidence Finder (IEF) is well known for its ability to excel at recovering Internet artifacts from chat, social networking and browsers including webmail. New with IEF v6.4, we’ve expanded those capabilities to include desktop email as well. Microsoft Outlook is the most popular email client used in the enterprise today, and IEF is now able to parse PST and OST files for email evidence. IEF has also added support for the MBOX mail format commonly used by other email clients such as Mozilla Thunderbird. Finally, support for the enterprise instant messaging program Microsoft Lync, formerly known as Office Communicator, has also been included.
Outlook stores email, contact and additional data that it receives from POP, IMAP, or Exchange servers in PST and OST archives for its users. IEF will search for these files anywhere on the user’s system but they are typically stored in the following locations:
ROOTDocuments & Settings%userprofile%Local SettingsApplication DataMicrosoftOutlook
IEF will recover emails, contacts, appointments, journals, notes and tasks from Outlook, plus it will also give the investigator the option to extract any attachments related to these artifacts. Additionally, IEF will also search the user’s browser history for any evidence indicating that the user might have used Outlook Web Application (OWA), and can now also recover traces of email content and other metadata from OWA usage.
IEF users will notice that along with the traditional Details view, we have added additional views for the email Body, Headers and Attachments.
Although the email body can be viewed from the IEF details, the new Body tab gives investigators a clearer view of what the suspect saw as they either sent or received the message. Below, the headers are laid out in a separate tab for easier analysis, which is especially useful if you are investigating a phishing or spoofed email.
Finally, the Attachments tab gives investigators a listing of all the attachments of a given email and allows them to be exported and saved individually, or in bulk.
Often investigators are able to gain access to the corporate Exchange server that might aid in their investigation, but even in those cases, it’s still advisable to view any additional data that isn’t stored with Exchange. Outlook is able to manage webmail accounts for Hotmail, Gmail, etc., so there might be additional data beyond what is synced with the Exchange server.
MBOX is a commonly used format to store mail data and is popular with many UNIX or LINUX based mail clients, most notably, Mozilla Thunderbird. IEF recovers and presents MBOX data in a similar format as it does with Outlook data, including the Details, Body, Headers and Attachments views.
Microsoft Lync is a commonly used instant messaging client in the enterprise. Formerly known as Microsoft Office Communicator (OCS), Lync integrates well with Outlook Exchange. Beyond just chat and IM, Lync is also able to do voice and video calling, screen sharing and file transfers. Unlike Skype and MSN Messenger, it was designed to work in an enterprise setting and not for consumers.
IEF is able to carve chat messages, call logs and file transfers from allocated and unallocated space from a number of different sources, including Windows, Mac and Windows Phone.
IEF has always been strong at analyzing webmail, which has helped many investigators uncover the truth in their investigation. By adding desktop email artifacts, including Outlook, MBOX and chat application Lync, IEF can assist examiners further by providing them with additional evidence to help piece together the relevant data.
Here are some other resources worth taking a look at:
- Blog: Webmail Forensics-Digging deeper into the browser (Part 1)
- Blog: Webmail Forensics-Mobile Applications (Part 2)
- More Information about IEF
- Try it:
- New to IEF – Request a 30 day trial of IEF
As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at firstname.lastname@example.org
Forensics Consultant, Magnet Forensics