Using Paraben's E3 Platform For Email Analysis
Join the forum discussion here.
View the webinar on YouTube here.
Read a full transcript of the webinar here.
Welcome to Paraben’s Electronic Evidence Examiner, or E3, email examination webinar.
Paraben’s E3 Universal, E3 P2C and E3 EMX packages allow you to view and analyze the contents of mailstore evidence from different email clients such as:
• Microsoft Outlook
• The Bat
• Outlook Express
• Windows Mail
• as well as Google Takeout Storage
In this webinar we will go through the processes of email analysis using E3.
To begin, we first add our evidence by selecting Add Evidence. This opens the New Evidence wizard, where we select the Email Database evidence category and then its source type.
We choose the email format and navigate to the evidence source file or folder; in this example we will use a Microsoft Outlook PST file. At this point we can give the evidence a custom name or label if necessary, then click OK.
When adding mailstore evidence you might be asked to define its options. For example, when adding a Microsoft Outlook database you have the option to select “Scan database for deleted messages” to recover the deleted messages in the mailstore. Once the options are selected, the database is added to the case.
As soon as the evidence is added the Content Analysis wizard opens. This powerful wizard quickly automates much of the processing normally done during an investigation. The content analysis wizard gives you the option to perform the following actions on the evidence file:
• Sorting email attachments by file type, which speeds up the examination of the email attachments.
• Indexing the keywords in the email database, which drastically expedites all text searches.
• Optical character recognition (OCR), which extracts textual data from images so you can perform text searches on graphic files. E3 is the only tool that has this capability.
Once the Content Analysis wizard options have been selected we then view our evidence. The mailstore is viewed using the Case Content pane and the Data View pane. The “in” and “total” columns show the total number of items in each folder and sub-folder. To calculate the totals we click the “Start Counting Folder Content” icon and the totals are quickly displayed.
To speed up your investigation you can also hide all the empty folders. On the “View” tab in the “Display Data” group there is an option to “Hide Empty Folders”.
The Data View pane presents the list of messages stored in the mailbox in the same way that it would be displayed in the email client, with unread messages shown in bold. You can then use the email data viewer to examine a selected message in different formats as well as a list of all its attachments. If there is an attachment you wish to examine more closely, select the Attachments tab and double-click the filename of the attachment. E3 will automatically offer a variety of viewers for the attachment, including the native file viewer.
Next we’ll look at bookmarking email data.
For faster navigation within your email evidence you can add bookmarks to important folders, messages, parts of messages or attachments. To bookmark a piece of data go to the Analysis Tab, and in the Bookmarks group click “Bookmark Selected Data” or you can right click on the data you wish to Bookmark and select “Bookmark Selected Data” from the drop down menu that appears.
Once you’ve selected a piece of information to be bookmarked, a wizard opens that lets you name your bookmark and, if you choose, add a description of it. You can also organize your bookmarks in custom folders for more convenient navigation.
E3 also allows you to easily print any email data. In the Data View pane select the email you’d like to print, or right-click on your email of choice and select Print from the drop-down menu.
Searching data is one of the key functions of an investigation, and E3 allows you to perform a variety of types of searches on your email evidence.
The “Sorted File Search” function allows you to search for attachments of a certain type or with a certain file name. These files are sorted during the Content Analysis process discussed earlier. The “Keyword Search” finds textual data in evidence that has been keyword indexed during the Content Analysis process. The “Advanced Search” function is a multi-parameter search tool to find text within messages or filter messages by sender, recipient, date range and much more. The “Advanced Search” function does not require the email data to be keyword indexed.
To search for attachments after sorting select the Sorted File Search and enter the filename or MD5 hash value. You can use Hash Databases to filter out known files or to find files of high importance based on their hash code. Click “Run Query” to start the search. The results are then displayed at the bottom of the “sorted files search” pane.
To perform text searches or OCR searches after keyword indexing is complete, select a mailbox folder or message where you’d like to run your search. Right-click and select Keyword Search from the drop-down menu, or click Keyword Search on the Analysis tab. Then enter the search request; you can use logical expressions like AND, OR and NOT to perform complex searches. Define the search area within the message, such as “subject”, “body”, “sender”, etc. Click Start or press Enter. The search begins immediately and its status is displayed in the task pane, where the search can be stopped, paused or restarted. When the keyword search is complete the results are displayed in the bottom part of the search pane.
To perform an Advanced Search on your mailstore evidence select the folder or message where you’d like to perform your search. Right click and select advanced search from the drop down menu or click Advanced Search on the Analysis tab.
Define the search parameters by entering the search request, defining the search area, filtering out specific senders and recipients, and defining a date range, then click Start or press Enter.
The Advanced Search starts and its status is displayed in the task pane, and the search can be stopped, paused or restarted. When the Advanced search is complete the results are displayed on the bottom part of the search pane.
Next we will discuss email exporting. E3 allows you to export an email database or its parts to one of the following formats:
- or EMX, which is Paraben’s special archive format.
You can also choose to export only email attachments.
To export mailstorage evidence, select the folder or email you’d like to export. Right-click and select Export, or click Export on the Export tab in the Common Export group. On the Source and Output page define the Source, Output Format, and Destination. On the Export Options page define the options for exporting. On the Filters page you can filter the data you’d like to export using a variety of parameters. On the Duplicated Data page you can choose the option that allows you to avoid exporting duplicated messages. Once you’ve defined all your export options click Finish and the export process starts. Again, the export status is displayed in the task pane.
You can also generate an attachments list file containing the attachments from the selected messages and their MD5 hashes. To do this, select the messages you’d like to create your attachments list for, then right-click and select “Create Attachments List”, or select “Create Attachments List” on the Evidence tab in the Mailstorage group.
Next you’ll define the name and destination for the attachments list. After the list is created a notification will be displayed.
Reporting: E3 allows you to generate different kinds of reports. To generate a report, first select the data you want to add to your report. On the Analysis tab in the Reports Group select Generate Report. Select the report type and destination folder.
You have several report type options, these include:
• The HTML Investigative Report, which is a detailed report on mailstorage evidence including its structure and the properties of the folders and messages. This report can also be generated in Text, CSV and RTF formats.
• The HTML Evidence Summary Report is a report with generalized information about the case.
• The HTML Email Message Report is a report that contains specific messages from the mailstorage evidence.
When generating your report you can move between the various pages in the report wizard and select the necessary options.
When all the options are selected click “Finish” to generate the report. The report generation process begins and you can monitor its status in the task pane.
Once the report is generated you can open it either directly from the folder it was created in or by right clicking on the completed “report generating” task in the task pane.
E3 Network Email Archives: E3 also supports network email archives, without the need for a long and painstaking restore process:
• Microsoft Exchange
• Lotus Notes
Email Deduplication
In this next portion we’ll showcase how you can use E3’s export functions to deduplicate email archives, what data is removed, and how to import the exported data back into your case. There are six formats to which the email data processed by E3 can be exported:
• Attachments Only
• and MHT
This chart shows all the data that is associated with each type of export.
So let’s dive in with how to export and import email data in E3.
Once a case file is opened, and this can be a new or existing case, you will open the Add Evidence wizard. In this example we will be using a Microsoft Outlook database. We will include all the processing options for this example.
Once the PST is loaded into the case file, one of my preferred steps in this process is to go to the Analysis tab and have E3 count the folder contents so I can see at a glance how many email messages are in each folder. For this example we are going to focus on the Inbox of the archive and all of its sub-folders.
To export, we simply right-click on the Inbox and select Export, and the wizard appears offering the different archive formats; for this example we’ll keep it as a PST file. I’ll drop the new export to my Desktop and continue through the wizard, passing the options and filters and getting to the Deduplicated Data screen. I select export to a unique mailbox. As you can see there are other options: Export All Messages allows you to export all the messages from the mailstore. The Unique to Folder option allows you to remove duplicates from a specific folder. The Unique to Mailbox option allows you to remove duplicates from a mailbox, our Inbox. The Unique to Storage option is the most time-consuming, as it will remove duplicates from the entire mailstore.
The reason for so many choices is to allow the investigator the flexibility to choose how much time is spent processing a piece of evidence. If time is short or circumstances only require the processing of the Inbox or Sent folder, you don’t have to wait for the entire archive to process. Next you can see in the Tasks pane that the Export process is underway.
Now that the Export is complete, we take note of the destination path of the new file and then select Add Evidence to bring the new, deduplicated IN box back into the case. So there is our new Inbox export.
We bring it into the case and we will leave the evidence name as Inbox to differentiate between our original archive and our deduplicated archive. Now you can see we have our two evidence stores together, and next we will Start Counting Folder Contents on the new archive. So in our original mailstore we had 369 messages; in our deduplicated archive we have 351 messages, so a total of 18 duplicates were removed. Duplicates are removed by their hash value, not the date stamp.
So drilling down a little more, let’s have a look at a couple of different folders. In the original mailstore one folder had 4 messages; in the deduplicated archive it has only 1. In the next one the original had 28 emails, but in the deduplicated archive there are only 13.
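As an added example of the folder/mailbox/storage deduplication scopes described above (this is not Paraben's code; E3's own hashing recipe is not shown in the webinar, so the content hash here is an assumption that deliberately ignores the Date header, matching the statement that duplicates are removed by hash value, not date stamp):

```python
import hashlib
from email import message_from_string

def raw(mid, subj, body, date):
    return (f"Message-ID: <{mid}@example.test>\nFrom: alice@example.test\n"
            f"To: bob@example.test\nSubject: {subj}\nDate: {date}\n\n{body}\n")

# Constructed sample mailstore (not real evidence): mailbox -> folder -> raw messages.
# Message 'a' is duplicated inside Inbox and again in a sub-folder (with differing
# Date headers); message 'c' is present in both mailboxes.
SAMPLE_STORE = {
    "Personal Folders": {
        "Inbox": [raw("a", "Q3 report", "draft attached", "Mon, 1 Jan 2018 10:00:00 +0000"),
                  raw("a", "Q3 report", "draft attached", "Mon, 1 Jan 2018 10:05:00 +0000"),
                  raw("b", "Lunch", "noon?", "Tue, 2 Jan 2018 09:00:00 +0000")],
        "Inbox/Projects": [raw("a", "Q3 report", "draft attached", "Wed, 3 Jan 2018 08:00:00 +0000"),
                           raw("c", "Invoice", "see below", "Thu, 4 Jan 2018 12:00:00 +0000")],
    },
    "Archive": {"Inbox": [raw("c", "Invoice", "see below", "Fri, 5 Jan 2018 12:00:00 +0000")]},
}

def fingerprint(msg):
    """SHA-256 over normalised identity headers and text body. Date is left out so
    re-delivered copies still match. (Assumed recipe; E3's own hashing is not shown.)"""
    h = hashlib.sha256()
    for hdr in ("message-id", "from", "to", "subject"):
        h.update((msg.get(hdr) or "").strip().lower().encode() + b"\x00")
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            h.update((part.get_payload(decode=True) or b"").strip())
    return h.hexdigest()

def deduplicate(store, scope):
    """Return ({mailbox: {folder: [kept messages]}}, removed). scope is 'all' (Export All
    Messages), 'folder', 'mailbox' or 'storage' (Unique to Folder / Mailbox / Storage)."""
    seen, out, removed = {"storage": set()}, {}, 0  # one fingerprint set per scope level
    for mailbox, folders in store.items():
        seen["mailbox"], out[mailbox] = set(), {}
        for folder, raws in folders.items():
            seen["folder"], kept = set(), []
            for r in raws:
                fp = fingerprint(message_from_string(r))
                if scope in seen and fp in seen[scope]:
                    removed += 1  # duplicate within the chosen scope: drop it
                    continue
                for s in seen.values():
                    s.add(fp)
                kept.append(r)
            out[mailbox][folder] = kept
    return out, removed
```

Running the three scopes over the same store shows why Unique to Storage costs the most: the wider the scope, the more fingerprints each message is compared against.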
OCR Data Analysis
E3 also has a unique feature not found in any other forensics tool: it adds structure to otherwise unstructured data. Using Optical Character Recognition, or OCR, E3 can extract textual data from graphic files and then allows you to search the extracted text. You also have the option of choosing different languages for the extracted text data. By default English is the only option, but you can download different language packs from Paraben’s website.
Single file text extraction: you can extract text from an individual file while you are viewing it using the Extracted Text viewer. To choose the correct language for extraction, right-click in the “Extracted Text” pane and select the proper language from the list.
Multiple File Text Extraction: You can also extract text from multiple files while simultaneously searching for specific data.
Using the Advanced Search function: Right click on the evidence node where you want to perform your search and select Advanced Search. Enter your search terms in the Search field, then select the File System Data tab and check the Extracted Text Data for Images option, choose the language you want to search for and click Start. As you can see the search results include extracted text from the graphics files.
Multiple Graphic File Indexing
You can also index the keywords from images which will allow you to perform quick keyword searches on text in graphic files. Right click on the evidence node and select Content Analysis. From the menu choices we then select Index Keywords in Images. The content analysis wizard appears with the “extract and index text from graphic files” already selected. Click Finish.
Once the extracted text is parsed and indexed you can quickly perform keyword searches using the Keyword Search function. We select the node we want to search, select Keyword search, enter our keyword and click Start.
Now the text extracted from the graphic files will automatically be included in the search results.
End of Transcript