Web & Email Forensics
Pierre Louw
Master of Science (MSc) Information & Computer Science | Certified in Cybersecurity (CC) | Revenue Generation | Sales Strategy Design & Execution | Technical Solution Sales | Pre-Post Sales Project Management
Communication is the lifeblood of society, both on a business and personal level. Network devices such as computers, tablets, and mobile phones connected to the internet allow people to communicate with business, family, and friends worldwide in real-time, connecting communities and making people more mobile than ever before. In addition, immediate and limitless access to the internet is made possible by arrays of networked devices offering endless amounts of information stored in remote cloud environments available at a click of a button that makes the world genuinely borderless. However, the sheer scale, complexity, and size have also created a multi-billion dollar industry for cybercriminals taking advantage of any opportunity to enrich themselves at someone else's cost.
The most common ways attackers achieve their goals are through web/internet applications, using spoofing, pharming and SQL injection (SQLi), and through mail applications, using phishing, spam and malware. Worldwide, approximately 320 billion emails are sent daily, of which 26% are sent from Google's freemail platform, Gmail. Digital forensics in this space requires special skills and the ability to stay one step ahead of attackers. It is said that forensic specialists should have the same ability and persona as attackers to be successful in their job.
Data is no longer confined to local on-premise storage devices but is scattered over public, private, dedicated, hybrid and multi-cloud storage environments. Delegating duties to cloud service providers offering models such as Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS) gives users all the benefits of on-premise computing hosted in the cloud, with none of the associated overhead costs. This segregated vastness of the internet makes it easy for bad actors to hide their tracks and very difficult to obtain concrete forensic evidence. Furthermore, the introduction of 5G technology allows for a rapid increase in internet speeds geared towards the Internet of Things (IoT), with an estimated 20 billion connected devices worldwide, increasing the threat landscape exponentially. This technology is prone to cyberattacks due to physical security complications, intricate architecture and vulnerable firmware design. Internet and email forensics therefore face the most prevalent challenges within the forensic process, owing to the diverse infrastructures upon which these services are built. In addition, the speed of technological advancement and the proliferation of services along the forensic chain increase the complexity and nature of evidence collection.
Each stage in the forensic process has its own challenges in obtaining and handling evidence. It is essential to understand that web and email forensics focus on both server-side and client-side data analysis, and that the majority of data gathered from these registries is not human-readable and therefore relies on software to assist in analysing it. We highlight the most important aspects of web and email evidence and the solutions used to analyse data and its integrity:
Web / Internet
Each web address query directs a user to a specific Internet Protocol (IP) address through the internet's telephone directory, the Domain Name System (DNS), a decentralised naming system used to identify resources on the internet. The main aim of web forensics is to establish activity and movement over time. It is therefore possible to retrieve valuable internet data such as originating IP addresses, the browser used, websites visited, frequency of browsing, keyword searches and location access through the collection of cookies, browsing history and cache memory. However, it becomes more complicated when private browsers or Virtual Private Networks (VPNs) are used to re-route data through other computers, disable cookies and auto-delete browser history. As a result, forensic analysis software such as Wireshark, Registry Recon and Xplico is used to identify the network traffic required by forensic investigations.
Email providers and email clients allow for the diversification of email traffic through hosted, unhosted, direct and shared email account structures. Furthermore, these email accounts are replicated on many devices, including Internet of Things (IoT) devices, which generally save minimal information. The segregated data therefore leads to incomplete data sets that affect data integrity. Email messages are broken up into packets for transmission from source to destination; however, each email includes a header and footer that keep a record of its transmission. Furthermore, acquiring data from an email Personal Storage Table (PST) file, logs from a Simple Mail Transfer Protocol (SMTP) server and, for webmail, the Internet Message Access Protocol (IMAP) server allows legitimate forensic data to be gathered. Products such as Xtractor and Advik offer the ability to retrieve legitimate email data for forensic purposes.
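As an added example (not part of the original article), the following Python reconstructs the relay path an email took from its Received headers and flags a mismatch between the visible From: domain and the Return-Path domain, which is one of the first checks an investigator makes on a suspected phishing message. The sample message, hosts, IP addresses and addresses are all constructed for illustration.

```python
import email
import email.utils
import re

# Constructed sample message; every host, IP address and mailbox below is invented.
RAW_MESSAGE = b"""\
Return-Path: <billing@example-invoices.test>
Received: from mx.corp.example ([192.0.2.10]) by mail.corp.example
 with ESMTP id abc123; Mon, 3 Jun 2024 09:15:02 +0000
Received: from relay.example-invoices.test (relay.example-invoices.test [198.51.100.7])
 by mx.corp.example with ESMTPS; Mon, 3 Jun 2024 09:15:01 +0000
Received: from [203.0.113.25] (unknown [203.0.113.25])
 by relay.example-invoices.test with ESMTP; Mon, 3 Jun 2024 09:14:58 +0000
From: "Finance" <finance@corp.example>
To: user@corp.example
Subject: Invoice

Please see attached.
"""

# "from <host> (<helo/reverse-dns info>) by <host>" as written by most MTAs.
HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<helo>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw: bytes) -> list[dict]:
    """Return relay hops in transmission order (origin first).
    Each relay prepends its own Received header, so the top one is the last hop."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue  # a malformed header is itself worth noting in the report
        ip = IP_RE.search(text)
        hops.append({"from": m["from"], "by": m["by"], "ip": ip.group(1) if ip else None})
    return hops


def _domain(header_value: str) -> str:
    return email.utils.parseaddr(header_value)[1].rpartition("@")[2].lower()


def sender_domain_mismatch(raw: bytes) -> bool:
    """True when the displayed From: domain differs from the Return-Path domain,
    a simple indicator that the display address may have been spoofed."""
    msg = email.message_from_bytes(raw)
    from_dom, rp_dom = _domain(msg.get("From", "")), _domain(msg.get("Return-Path", ""))
    return bool(from_dom and rp_dom) and from_dom != rp_dom
```

Only the hop written by your own mail server can be trusted outright; earlier Received lines were written by relays outside your control and should be corroborated against SMTP server logs.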
Challenges in Attribution
Digital forensic investigators' primary focus is to collect substantial and consistent evidence that is authentic and admissible in a court of law. Attribution based on hearsay or speculation will be deemed inconsistent and inadmissible, leading to wasted time, resources and money. Digital forensic attribution is generally broken down into the following levels of hierarchy:
Challenges in digital forensic attribution include, but are not limited to, the following methods:
Ethical and Legal Considerations
Specific laws exist to protect individuals' right to decide how their personal information can be used and shared in everyday life, in a world where more than 60% of all financial transactions occur over the internet. Stricter data protection legislation is being enforced worldwide to reduce people's exposure to being held ransom by perpetrators for their own gain. Among the most important pieces of legislation is the EU's General Data Protection Regulation (GDPR), which gives individuals the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability and the right to object. In addition, the Privacy and Electronic Communications Regulations (PECR) give people specific privacy rights concerning electronic communication, including the use of internet cookies, marketing communication, directory listings and calling line identification. Digital sovereignty is primarily maintained by the country, which naturally means that control of all national interests relating to politics, economics and security remains within its borders. However, law enforcement may still infringe upon individuals' privacy and rights should they suspect that any activity may relate to criminal activity, largely with the help of high court interdicts and subpoenas. Furthermore, cybercrime and digital forensics raise the question of how non-tangible data is handled and presented as evidence, and to what extent digital data can be used as documentary evidence.
Possible Solutions
The CIA Triad security model incorporates three principles for protecting information security systems: Confidentiality, the ability to hide information from unauthorised people; Integrity, the ability to ensure data is kept accurate and unchanged from its original form; and Availability, the ability to ensure information is available for authorised viewers only. Adopting the principle of Least Privilege, as businesses currently do with Privileged Access Management, allows us to evaluate both the Bell-LaPadula model, which ensures Confidentiality, and the Biba model, which ensures Integrity. Access attributes are categorised as read, append, execute, write and control.
Bell-LaPadula:
This model is defined by granting access upwards. Its "No Write Down" rule grants write access only to objects at an equal or higher level in the hierarchy, and its "No Read Up" rule grants read access only to objects at an equal or lower level, thereby enforcing Confidentiality.
Biba:
This model is defined by granting access downwards. Its "No Write Up" rule grants write access only to objects at an equal or lower level in the hierarchy, and its "No Read Down" rule grants read access only to objects at an equal or higher level, thereby enforcing Integrity.
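The two rule sets above, as an added Python example that is not part of the original article: each subject and object carries a separate confidentiality label (checked by Bell-LaPadula) and integrity label (checked by Biba), and the combined policy grants an operation only when both models agree. The three-level lattice and the analyst/evidence-store scenario are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Constructed example lattice; the article names no specific labels."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class Labelled:
    """A subject or object with a confidentiality label and an integrity label."""
    name: str
    conf: Level   # classification checked by Bell-LaPadula
    integ: Level  # trustworthiness checked by Biba


def blp_allows(subject: Labelled, obj: Labelled, op: str) -> bool:
    """Bell-LaPadula: 'no read up' and 'no write down' on the confidentiality label.
    Reads only from objects at or below the subject; writes and blind appends only
    to objects at or above it."""
    if op == "read":
        return obj.conf <= subject.conf
    if op in ("write", "append"):
        return obj.conf >= subject.conf
    raise ValueError(f"unsupported operation: {op!r}")


def biba_allows(subject: Labelled, obj: Labelled, op: str) -> bool:
    """Biba: 'no read down' and 'no write up' on the integrity label.
    Reads only from objects at or above the subject's integrity; writes and
    appends only to objects at or below it."""
    if op == "read":
        return obj.integ >= subject.integ
    if op in ("write", "append"):
        return obj.integ <= subject.integ
    raise ValueError(f"unsupported operation: {op!r}")


def allowed(subject: Labelled, obj: Labelled, op: str) -> bool:
    """Combined policy: access is granted only if both models permit it."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


# Constructed scenario: an analyst workstation, a sealed case file and a raw browser cache.
ANALYST = Labelled("analyst", conf=Level.MEDIUM, integ=Level.MEDIUM)
CASE_FILE = Labelled("case-file", conf=Level.HIGH, integ=Level.HIGH)
WEB_CACHE = Labelled("browser-cache", conf=Level.LOW, integ=Level.LOW)
NOTES = Labelled("working-notes", conf=Level.MEDIUM, integ=Level.MEDIUM)
```

Note how the two models pull in opposite directions: Bell-LaPadula lets the analyst append to the higher-classified case file, but Biba refuses it because a lower-integrity subject must not write up, so the combined policy denies the append.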
Conclusion
I have highlighted the challenges of web and email forensics, focusing on data integrity and availability throughout the chain of custody and discussing the limited success of attribution in email and web forensics. Data traversing the internet via all available mediums allows the hiding and masking of crucial evidence that could be used in the fight against cybercrime. However, email messages and web browsers record a wealth of information that, if collected accurately and in time, can prove invaluable in a court of law. I have also established that end-to-end authentication methods for data both in transit and at rest are required to maintain consistency and data integrity throughout its lifecycle.