eM Client Forensics
eM Client discovered in the year 2006 rapidly captured a lot of user attention than a number of other renowned desktop based applications. Clearly this Windows specific application served a humongous variety of configuration options and other features. The application can be summed up as a powerful platform as it doesn’t just serve emailing, but also offers PIM (Personal Information Manager) services along with IM (Instant Messaging). A quickly accessible sidebar brings together all these virtual assistants on one screen making end user convenience an asset of the platform.
Along with the support to Windows 8 configuration the client also supports all major email services used heavily worldwide for communication. From cloud based services to desktop application, the client supports import and configuration from most of them. And regardless of how fast paced technology is, emails are still one of the most preferred mediums of electronic communication as well as source and target of malicious cyber activities. This paper discusses the operational and construction of eM Client forensics and how it can be studied from an analysis angle to carve out crucial information for eDiscovery purpose.
The Email Database: Storage & Format
eM Client mailbox analysis has a default database storage for all of its components at the following path:
A set of three file types are created for storing the component data and information associated with the client, i.e.: –
Following are the three file types that are generated by default in the store folder and help in eM Client forensics:
1. .DAT: This is standard data file consisting of data that is accessed or composed by eM Client. Some DAT files can be opened but most consist of the corresponding program data that can only be referenced by the specific program, i.e. eM Client in this case, that too while it is being operated. However, only the DAT files created as a text file can be opened and viewed without the client availability. Otherwise, it is not meant to be accessed by manual means and eM Client analysis is the only application that can use it. There are three components for which only a DAT file is created i.e. Certificate, Telemetry, and Security.
2. .DAT-SHM: An SHM or shared-memory file consists of no persistent information. The sole purpose of a shm file is to render a shared memory block to be used by multiple numbers of processes accessing a common database under WAL mode. Both WAL and Shared-Memory files are interrelated, i.e. both share the same lifetime. An SHM is created when a WAL file is generated and is deleted with its deletion too. When a WAL file is being recovered, SHM file is also recreated but from the scratch which depends on the recovered contents of WAL file.
3. .DAT-WAL: SQLite version 3.7.0 started supporting a new type of control mechanism for transactions, i.e. WAL (Write-ahead log). .dat-wal file or a database when suffixed with –wal denotes that it is in wal mode. This means that any or all connections made to the respective database should use WAL as well. A WAL file is located in the same folder as that of the database and has the same file name with a string appended to it – “-wal”. Forensically, to examine what is within a WAL file the associated database needs to be opened and contents of it will get written or CHECKPOINTED to the main data. However, this may come with a number of problems:
a. Old information in the main data file could be overwritten by the information extracted from WAL file losing the potentially valuable data from evidential point.
b. The unused spaces within a WAL file could possibly consist of deleted data.
4. XML: Then there is a settings.xml file which consists of the settings applied on eM Client analysis for its working.
ActiveSync & Unfiltered Spam: Configuration Tip
Supportive for all of the available standard protocols including Exchange Web Services and ActiveSync makes eM Client mailbox analysis the only one (besides Microsoft) to connect with services like Outlook.com via ActiveSync and not IMAP for a change.
However, this configuration also promotes the unfiltered download of spam messages. Though the emails will get listed in the Junk Folder but images in the body of the message won’t be blocked as usual. This download promotes entry of malicious content that puts eM Client database under threat of vulnerability to corruption.
NOTE: In case of consistency issues with the client if the database gets corrupted, eM Client forensics comes with a DB Repair application which is located in its Program Files folder. Running the tool will execute a consistency check on the database and repair issues.
Nevertheless, eM Client is not responsible for this vulnerability to the downloading of spam along with internal media but ActiveSync is. However, the eM client analysis does download virus and surprisingly executes them as well which puts the DB under more of a severe threat.
Promotes Spamming & Undisclosed Emailing
The application comes with a “Send As Mass Mail” option that clearly promotes activities like spamming, email bombing, etc. And what makes it worst is:
• Firstly, mass messaging can be done without disclosing recipients about other recipients
• Secondly, these facilities are unrestrictedly served in the client’s 30 day freeware edition
Evidentially Crucial Data: Storage And Backup
Apart from DAT, DAT-SHM, & DAT-WAL file, eM Client Forensics is capable of storing its data in some other file types too, but only if voluntarily exported to:
1. EML: With the Export option, eM client mailbox analysis gives away the choice to store each email as a single text based EML file.
Traversing An EML Message: Reading through the contents and structure of a file with .eml extension is feasible than most. Internal information and structure of an EML file or a single email file can be examined with the simple usage of Notepad or any text editor. For exemplification, an email received in the Inbox of eM Client mailbox analysis was traversed using Notepad with the following findings that are crucial from an investigative point of view:
a. SPF & DKIM: An SPF comes with a purpose of describing the mailserver that has been permitted to transmit messages for a particular domain. Used for avoiding fail mail ID, the SPF values neutral or pass are safe but when it is fail the message shall not be received as it would have been rejected already by the exchanger. Whereas, a DKIM, i.e. the DomainKeys Identified Mail is a source of relating a domain with an email which further allows an organization to be liable for a mail in such a way that a recipient can validate.
b. DKIM Signature: In eM client email forensics, this portion is a signature that is used by SMTP receiver of a message for verifying that whether the one claiming to be the sender of the email is genuine or not. Also, any tampering done with the message can be detected. To verify the sender, its public key can be retrieved and with the help of its ‘s’ & ‘d’ fields a manual query against DNS can be generated to get a TEXT resource record of the host.
c. Message ID: Each email has a unique message ID which is a field that is put into an email header either by the MUA or its first MTA.
d. Received From: The server involved in sending or relaying the message at a given point is shown in this portion of the header.
e. Received By: This column of the header indicates the server name or IP from which the message was received by when it was originally sent.
TIP: Investigators during eM client forensics and examination tend to follow strict methods to cut short the time duration of an investigation. Thus, third party email forensic tools have been on the rise as a result. MailXaminer for the record is a dedicated, quick & convenient email forensic analysis platform with full support for EML files & many others that is also trusted application by Law Enforcements.
2. vCard: Contacts of the selected category are exportable into vCard (VCF file). While exporting the file location can be chosen as well as file creation type, i.e. single VCF for all contacts or a vCard file for each.
3. ICS: Similar customization applies to ICS files however; they are generated while exporting both; events and tasks. To verify whether the sender of the message is the one who it claims to be, message ID of the current message and any previous message received from the same sender can be matched. However, as they are also prone to spoofing, one should not depend on it alone.
4. XML: Settings, Rules, Accounts, and Save Passwords are exportable into the XML file at a preferred location where settings and accounts are selected by default whereas; Save Passwords and Rules can be selected if wanted. However, note that when saving passwords the export may prompt for a Custom Password to add an additional layer of security.
Along with this, eM client forensics also permits the backup of DAT files for all the components in a zipped archive at a user defined location. MailFTI to Maildata along with attachment, contacts, security, certificate, folders, IM Data, etc., is included during the backup which can be restored right from the client’s File menu in case of any inconsistency.
Final Observation: eM Client mailbox analysis seems to be an extremely user friendly email platform that comes along with PIM facilities. The simplicity of this client in a way promotes an easier way of committing offenses like; email bombing, spamming, sharing of intellectual property with an intervening party without letting the recipient know of the same. The manipulation of digital information has clearly become unimaginably easier but detection of traces left during such activities has parallelly grown stronger & become more feasible with the help of innumerous methods and platforms made available for eM Client forensics of data files, storage database, and email headers.