In this chapter, we will cover the following recipes:
- Outlook mailbox parsing with Intella
- Thunderbird mailbox parsing with Autopsy
- Webmail analysis with Magnet AXIOM
- Skype forensics with Belkasoft Evidence Center
- Skype forensics with SkypeLogView
Accessing a suspect's communications via email and instant messengers will help you to solve lots of cases, and you will be asked to find and extract such artifacts very often. It doesn't matter if the case is a phishing attack, intellectual property theft, or a terrorist act - a computer forensic examiner must be able to locate, parse, and analyze a suspect's digital communications.
In this chapter, we will show you how to parse and analyze artifacts from the most common Windows email clients - Microsoft Outlook, Mozilla Thunderbird, and Skype instant messenger.
Intella is a very powerful digital forensic and eDiscovery tool capable of processing, searching, and analyzing Electronically Stored Information (ESI). One of its main features is visual analytics. This feature can help an examiner to understand the ESI and custodian relationships better. In this recipe, we will show you how to parse an Outlook mailbox with this tool.
If you don't have a valid Intella license, you can get a free 14-day trial version from Vound Software's website (check the See also section). You will also need a PST or OST file to follow this recipe. It's easy to get one: simply use your own email address with Outlook, then go to C:\Users\...
Thunderbird is a free and open source mail client from Mozilla, the developers of the Firefox browser. If a user doesn't use Outlook, they are likely to use Thunderbird. In this recipe, we will show you how to extract data from Thunderbird MBOX files with a free and open source digital forensics platform — Autopsy.
Thunderbird stores mail data in MBOX files. These files can be found at the following location:
C:\Users\%USERNAME%\AppData\Roaming\Thunderbird\Profiles
Here you will find a user profile folder, which can be exported and processed with a piece of forensic software, in our case Autopsy.
Of course, you can use the whole forensic image for processing...
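Autopsy does the MBOX parsing for you, but it helps to know what the format looks like underneath. The following is an added example, not code from the book or from the Autopsy project: it parses a small Thunderbird-style MBOX file with Python's standard `mailbox` module and pulls out the headers an examiner triages first (sender, recipients, subject, date, threading). The sample mailbox is constructed test data, and the file name `Inbox` and the helper names are assumptions made here.

```python
import mailbox
import os
import tempfile
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample in Thunderbird's MBOX layout: every message is preceded by a
# "From - <date>" separator line. Test data only, not a real mailbox.
SAMPLE_MBOX = """From - Mon Mar  6 10:15:00 2017
From: Alice Example <alice@example.com>
To: Bob Example <bob@example.com>
Subject: Project files
Date: Mon, 06 Mar 2017 10:15:00 +0000
Message-ID: <one@example.com>

Bob, the files are attached.

From - Mon Mar  6 11:20:00 2017
From: Bob Example <bob@example.com>
To: Alice Example <alice@example.com>, Carol <carol@example.net>
Subject: Re: Project files
Date: Mon, 06 Mar 2017 11:20:00 +0000
Message-ID: <two@example.com>
In-Reply-To: <one@example.com>

Thanks, Alice.
"""


def write_sample(dirpath=None):
    """Write SAMPLE_MBOX to disk (Thunderbird MBOX files carry no extension) and return the path."""
    if dirpath is None:
        dirpath = tempfile.mkdtemp()
    path = os.path.join(dirpath, "Inbox")  # assumed folder name
    with open(path, "w", newline="\n") as fh:
        fh.write(SAMPLE_MBOX)
    return path


def parse_mbox(path):
    """Return one record per message with the headers an examiner looks at first."""
    records = []
    box = mailbox.mbox(path, create=False)
    try:
        for msg in box:
            sender = getaddresses([msg.get("From", "")])
            recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
            date_hdr = msg.get("Date")
            # Single-part bodies only; attachments would need msg.walk().
            body = msg.get_payload(decode=True) if not msg.is_multipart() else b""
            lines = body.decode("utf-8", "replace").strip().splitlines()
            records.append({
                "message_id": msg.get("Message-ID"),
                "from": sender[0][1] if sender else None,
                "to": [addr for _, addr in recipients],
                "subject": msg.get("Subject"),
                "date": parsedate_to_datetime(date_hdr) if date_hdr else None,
                "in_reply_to": msg.get("In-Reply-To"),
                "body_preview": lines[0] if lines else "",
            })
    finally:
        box.close()
    return records


def count_by_sender(records):
    """Simple custodian view: how many messages each address sent."""
    counts = {}
    for rec in records:
        counts[rec["from"]] = counts.get(rec["from"], 0) + 1
    return counts


def build_threads(records):
    """Map each Message-ID to the IDs of the messages that reply to it."""
    threads = {}
    for rec in records:
        parent = rec["in_reply_to"]
        if parent:
            threads.setdefault(parent, []).append(rec["message_id"])
    return threads


if __name__ == "__main__":
    recs = parse_mbox(write_sample())
    for r in recs:
        print(r["date"], r["from"], "->", ", ".join(r["to"]), "|", r["subject"])
    print(count_by_sender(recs))
    print(build_threads(recs))
```

Point `parse_mbox()` at a file from the exported profile folder and the same records come out; the `Date` header is what the sender's client wrote, so it is evidence of claimed time, not of delivery, and the `From - ` separator lines Thunderbird writes carry the local receive time if that matters to the timeline.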
As you may know, some people (including the authors) use only webmail and no mail clients. Is it possible to recover such forensic artifacts from a drive image? The answer is - yes! And in this recipe, we will show you how to recover webmail activity with Oleg's favorite digital forensic tool - Magnet AXIOM.
We are sure that you already have AXIOM installed on your workstation. So run the tool and create a new case. Now, the most interesting thing is the evidence source. If you have already walked through the recipe Extracting Web Browser Data from Pagefile.sys in Chapter 8, Web Browser Forensics, you may guess what we are going to do next. Yes, webmail artifacts can be...
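The reason this works is that browser pages containing webmail sessions get paged out to disk as plain strings, some ASCII and some UTF-16LE. The following is an added example, not code from the book or from Magnet AXIOM, showing the principle in its most basic form: carve printable runs out of a raw dump in both encodings and match email addresses and webmail URLs in them. The byte string is a constructed stand-in for a slice of pagefile.sys; the regexes and function names are this example's own.

```python
import re
import sys

# Constructed stand-in for a few bytes of pagefile.sys: printable fragments mixed
# with binary noise, one of them stored as UTF-16LE as Windows often does. Not a real dump.
SAMPLE_DUMP = (
    b"\x00\x00junk\x00"
    + b"https://mail.example.com/mail/u/0/#inbox" + b"\x00\xff"
    + b"From: alice@example.com\r\nSubject: quarterly report" + b"\x01\x02"
    + "bob@example.net".encode("utf-16-le") + b"\x00\x00"
    + b"\x90\x90end"
)

# Printable runs of at least six characters, like `strings -a` and `strings -el`.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
WEBMAIL_URL = re.compile(r"https?://[^\s\"'<>]+")


def extract_strings(data):
    """Return (offset, encoding, text) for every printable run, sorted by offset."""
    hits = []
    for m in ASCII_RUN.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RUN.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)


def find_email_artifacts(data):
    """Pull e-mail addresses and webmail URLs out of the carved strings."""
    emails, urls = set(), set()
    for _, _, text in extract_strings(data):
        emails.update(EMAIL.findall(text))
        urls.update(WEBMAIL_URL.findall(text))
    return {"emails": sorted(emails), "webmail_urls": sorted(urls)}


if __name__ == "__main__":
    # Pass a path to a dump to scan it; otherwise the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for offset, enc, text in extract_strings(data):
        print(f"{offset:#010x} {enc:8} {text}")
    print(find_email_artifacts(data))
```

A real pagefile is gigabytes, so read it in chunks rather than with one `read()`, and expect gaps: only pages that were written out uncompressed survive as plain strings, and a fragment split across two pages will not match. That is the part AXIOM's carvers handle for you; this script only shows why the artifacts are there to find.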
On modern Windows systems, Skype is installed by default, so it's very important for a forensic examiner to be able to extract user data from this application. These can be calls, messages, transferred or received files, and so on. In this recipe, we will show you how to parse these valuable artifacts with Belkasoft Evidence Center.
First of all, you should get a Skype profile folder. Again, you can use a forensic image, but to save time for testing purposes, we recommend using a profile folder as the data source. You can find Skype profile folders (yes, there can be more than one folder, as multiple accounts can be used on the same device) here:
C:\Users\%USERNAME%\AppData...
It's always good to have some free pieces of software in your toolkit. There are some free and open source tools for Skype forensics, and one of them is SkypeLogView by NirSoft. You are already familiar with some NirSoft tools, and in this recipe we will show you how to use SkypeLogView for Skype forensics.
Download SkypeLogView from NirSoft's website (check the See also section for the download link). At the time of writing, the most recent version of the tool is 1.55. Unpack the archive and you are ready to go. You can use the Skype profile folder exported for the previous recipe.