S/MIME(Secure/ Multi purpose mail extension) is the stranded used for public key encryption and digitally signing the MIME base email data. Most of the email software and services and using the S/MIME encryption for the secure communication. It provides the cryptographic security features such as Authentication, Integrity, privacy data security etc. This encryption method help the receiver to confirm that they receive the exact message from the verified sender. To enable the S/MIME both the sender and the receiver must be integrated with Public Key and digital signature. The public key is used for the encrypt & decrypt email message and the digital signature is used for verify the identity of the sender.
OpenPGP(Open Pretty Good Privacy) is one of the most widely using email encryption standard. Which uses the Public Key Infrastructure to create the key assigned to individual email address. Use the symmetric encryption to encrypt the email message. Each encrypted data contains the message and the encryption key. The receiver retrieves the random key using their private key and using that random key they will decrypt OpenPGP message.
Analysis Of Encrypted Email with File Forensic Tool
The analysis of encrypted email data during the forensic investigation is a challenging process for the investigators. The email forensics tool provides an automated solution to solve this problematic situation. Which help the investigators to remove encryption from email messages of PST, OST & EDB files to perform analysis of the digital data in efficient way. In the bellow section we are discussing about how to decrypt SMIME & OpenPGP email message with the help of encryption removal software feature of computer forensics tool and analyse encrypted email data.
Create new case or open the existing case from the database to forensically decrypt the encrypted email and extract the evidence.
- New case: Create a new case directory to add and analyse the forensic evidence.
- Open case: Open the already created case from the case directory to manage the evidences.
To add the encrypted email data file into the software click on the Add evidence button of the tool. After that the select the file format you need to add. The forensic tool supports to decrypt email message from PST, OST, and EDB file.
For performing the examination of the encrypted email files, user needs to change the Decryption settings. This will help the user to remove Exchange Server email encryption and decrypt encrypted PST, OST email messages.
Select the option Detect Digital Signature and Encryption which will automatically detect encrypted email files and the email files containing the digital signature. Checking the Remove encryption option will allow you to add encryption keys in two ways.
- Add keys: By choosing this option, the user can input the decryption keys manually into the software to remove encryption from emails.
- Upload CSV: Using this option, users can add a CSV file containing the keys for decryption. For adding multiple keys for the decryption process, browse the CSV file.
To add keys manually, select the Add Keys option from the Add Decryption Keys section.
Now select the encryption type using the drop-down menu. Mainly there are two type of Encryptions available SMIME & OpenPGP
After selecting the technology, enter the Key File and Password in the respective fields.
- Certificate and respective Password is needed for decrypt S MIME email.
- Private key and respective Password is need decrypt OpenPGP message.
Users can also add more keys using the Add Additional Keys option.
To add multiple decryption keys in a single go, users can choose the Upload CSV option. This option allows users to import a CSV file containing multiple decryption keys.
The software provides an option to Download sample CSV file. In this file, the user can enter Encryption type, Key Path and Password.
Browse the CSV file containing Encryption Type, Key Path and respective Password from the desired location.
After decrypting the encrypted email message from PST, OST & EDB files, user can access the email data. The key symbol with email file represent that the file is encrypted and if the file contains digital signature, it will be indicated by the badge symbol.
If the tool successfully decrypt email message it will shows the data in its original form. This will help the investigator to easily analyze and extract the evidence evidence.
To preview the email details, just click on the respective email and a new window will open displaying various details of the selected email.
