Guide to Computer Forensics and Investigations, 4th ed., 1435498836 Ch. 12 Solutions-1 Chapter 12 Solutions Review Questions 1. E-mail headers contain which of the following information? (Choose all that apply.) a. The sender and receiver e-mail addresses b. An Enhanced Simple Mail Transport Protocol (ESMTP) or reference number c. The e-mail servers the message traveled through to reach its destination 2. What’s the main piece of information you look for in an e-mail message you’re investigating? b. Originating e-mail domain or IP address 3. In Microsoft Outlook, what are the e-mail storage files typically found on a client computer? a. .pst and .ost 4. When searching a victim’s computer for a crime committed with a specific e-mail, which of the following provides information for determining the e-mail’s originator? (Choose all that apply.) a. E-mail header c. Firewall log 5. UNIX, NetWare, and Microsoft e-mail servers create specialized databases for every e-mail user. True or False? False 6. Which of the following is a current formatting standard for e-mail? b. MIME 7. All e-mail headers contain the same types of information. True or False? True 8. When you access your e-mail, what type of computer architecture are you using? c. Client/server 9. To trace an IP address in an e-mail header, what type of lookup service can you use? (Choose all that apply.) c. A domain lookup service, such as www.arin.net, www.internic.com, or www.whois.net d. Any Web search engine 10. Router logs can be use for validating what types of e-mail data? c. Tracking flows through e-mail server ports 11. Logging options on many e-mail servers can be: d. All of the above 12. In UNIX e-mail, the syslog.conf file contains what information? b. The event, the priority level of concern, and the action taken when an e-mail is logged Guide to Computer Forensics and Investigations, 4th ed., 1435498836 Ch. 12 Solutions-2 13. What information is not in an e-mail header? (Choose all that apply.) a. Blind copy (Bcc) addresses d. Contents of the message 14. Which of the following types of files can provide useful information when you’re examining an e-mail server? c. .log files 15. Internet e-mail accessed with a Web browser leaves files in temporary folders. True or False? True 16. When confronted with an e-mail server that no longer contains a log with the date information you require for your investigation, and the client has deleted the e-mail, what should you do? b. Restore the e-mail server from a backup. 17. You can view e-mail headers in all popular e-mail clients. True or False? True 18. To analyze e-mail evidence, an investigator must be knowledgeable about an e-mail server’s internal operations. True or False? False 19. What is the e-mail storage format in Novell Evolution? c. Mbox 20. Sendmail uses which file for instructions on processing an e-mail message? a. sendmail.cf Hands-On Projects Hands-On Project 12-1 This project should produce 3 hits in 3 files for the word “cash” and 15 hits in 7 files for the word “money.” The report students write should list all files and any duplicate files the two searches might have generated. Hands-On Project 12-2 This project gives students experience in sorting through e-mails manually to locate messages with attachments and then explaining what they have found. They should discover that one JPEG file’s extension was modified so that the message could get past the receiver’s antivirus filter. Students should note this modification in their reports. Hands-On Project 12-3 Students should locate six deleted messages that FTK recovered and list any information about money and who is requesting it. Hands-On Project 12-4 Guide to Computer Forensics and Investigations, 4th ed., 1435498836 Ch. 12 Solutions-3 In this project, students locate all Internet addresses and e-mail addresses, export them to an HTML file, and then print the file from a Web browser. Hands-On Project 12-5 In this project, students practice manually carving message data from a tarball file of Martha Dax’s .evolution e-mail directory. Only two messages contain the string “special project.” For the first message, the beginning offset position is 0x0026E4E, and the ending offset position is 0x002712A. The second file’s beginning offset is 0x0070FA1, and the ending offset is 0x00710ED. Case Projects Case Project 12-1 Students’ responses will vary, but they should at least include time-sensitive issues, witness interviews, use of e-mail headers to trace e-mails, warrants or subpoenas, contacting ISPs, reviewing logs, and so forth. Students in law enforcement might describe different procedures, such as notifying law enforcement of the situation first; they should also include steps such as issuing subpoenas to identify the e-mail’s point of origin. Case Project 12-2 Answers will vary by state. For example, in Washington State, running away is not a crime, so law enforcement is unable to help in a case that’s solely a runaway issue. Similar to Case Project 12-1, students’ reports should include examining the runaway’s computer to search for correspondence that might provide information on her whereabouts. If any messages indicate where she might have gone, students’ reports should explain what steps to take to notify law enforcement. Case Project 12-3 Students’ reports should outline steps to confirm or deny the allegation of a possible ITAR violation and mention consulting with the company’s general counsel to avoid becoming an agent of law enforcement. Students should also state that the investigation should be done before contacting federal authorities and under the general counsel’s guidance if the allegation is found to be true. Case Project 12-4 Similar to the Signal Lake Venture Fund case covered in this chapter, students should state that messages from Mary Jane had duplicate ESMTP numbers, and these messages were found only on Billy’s computer.