Webmail Forensics Part II: Mobile Applications


Previously we discussed webmail artifacts and how they relate to traditional host-based forensic analysis and focused on how Internet Evidence Finder (IEF) analyzes the browser artifacts and provides the results in an easily sortable report, helping the investigator identify any relevant evidence.

But what about other sources of webmail evidence?

Forensic investigations have moved beyond just desktop PCs or laptops since most people now access email from their mobile devices as well. What started out as a tool for only the most serious business person has now spread to even the most casual consumer. IEF is able to analyze email found on the two most commonly used platforms, Android and iOS.

There are many forensic tools that specialize in mobile acquisitions. Cellebrite, XRY, and Oxygen are excellent resources to acquire the large variety of mobile devices and connectors. Much like previous versions of IEF, IEF Advanced focuses on the analysis of the acquired data and leaves the imaging to the other tools. Once the image is acquired, IEF will analyze all of the common outputs from the mobile acquisition tools (dd, raw, img, bin, 001, ima, vfd, flp, bif) as well as all the EnCase formats (E01, L01, Ex01, Lx01).

Focusing on the analysis allows IEF to specialize in the artifacts that are found within an image and produce the best results whether the evidence is found on a suspect’s PC or mobile device.

IEF can handle both physical and logical mobile images for iOS and Android, but a physical image is always preferable when possible in order to carve out deleted artifacts stored in unallocated space. If a logical image is acquired, unallocated space is not captured and therefore cannot be searched.

Android/iOS Mailbox, Gmail Application

Emails are handled differently on a mobile device than webmail is on a traditional PC. On a PC, webmail is typically handled through the browser, and most of the evidence is found in browser artifacts or memory. With mobile devices, however, there is typically a native mailbox application that holds all of a user’s email accounts, whether they are webmail or server based.

For iOS the native mailbox is stored as SQLite databases (Protected Index and Envelope Index) here:
/private/var/mobile/Library/Mail/Protected Index and Envelope Index

For Android it is also stored as a SQLite database here:
/data/data/com.google.android.email/databases/EmailProvider.db

IEF parses and carves the native email clients on both iOS and Android devices by reading the SQLite database that stores the messages, and presents the sender/recipients, CC/BCC, date/time, subject, status, message content, and attachment of each message recovered from the native application in the IEF Report Viewer.

IEF Report Viewer - retrieve native email clients for iOS and Android devices

Email can also be stored in a dedicated application if one exists, as is the case with Gmail.

Android Gmail
Many mobile devices have a dedicated mail application for Gmail or other popular webmail accounts. This gives users the enhanced features of Gmail-based webmail that might not be available if the native mailbox is used.

The Gmail application is stored as a SQLite database for Android devices here:
/data/data/com.google.android.gm/databases/mailstore.%GmailUserID%@gmail.com.db
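The native mailbox stores and the Gmail mailstore described above are all SQLite databases, and the physical-versus-logical point made earlier (deleted records survive only where unallocated space is captured) applies to them in the same way. The script below is an added example written for this article, not code from IEF or Magnet Forensics. It builds a constructed sample mail store with a hypothetical table layout (the column names `sender`, `recipients`, `cc`, `bcc`, `received`, `subject`, `is_read`, `body`, `attachment` are assumptions, not the real schema of Envelope Index, EmailProvider.db or mailstore.db), lists the live messages with the field set IEF reports, and then scans the raw file for text that no live row or schema entry explains, which is where the remnants of a deleted message turn up. Only the Python standard library is used.

```python
"""Triage a mobile mail store held in SQLite: list the live messages, then scan the
raw database file for text that no live row accounts for (remnants of deleted rows).

Added example. The table below is a HYPOTHETICAL stand-in for the real schema of the
iOS Envelope Index, Android EmailProvider.db or Gmail mailstore; map the real column
names before pointing this at a device image.
"""
import os
import re
import sqlite3
import tempfile
from datetime import datetime, timezone

# Hypothetical message table carrying the same fields IEF reports per message.
# Kept on one line so the schema text forms a single printable run on disk.
SCHEMA = ("CREATE TABLE message (id INTEGER PRIMARY KEY, sender TEXT, recipients TEXT, "
          "cc TEXT, bcc TEXT, received INTEGER, subject TEXT, is_read INTEGER, "
          "body TEXT, attachment TEXT)")
COLUMNS = "sender, recipients, cc, bcc, received, subject, is_read, body, attachment"

# Constructed sample rows (fictitious addresses; 'received' is Unix seconds by assumption).
LIVE_ROWS = [
    ("alice@example.com", "bob@example.com", "carol@example.com", "",
     1700000000, "Re: Q3 budget review", 1, "Numbers attached, see tab 2.", "q3.xlsx"),
    ("bob@example.com", "alice@example.com", "", "dave@example.com",
     1700003600, "Lunch tomorrow?", 0, "Noon at the usual place.", ""),
]
# Inserted, committed, then deleted. Unless secure_delete is on (this sample turns it
# off), SQLite frees the cell without scrubbing its bytes, so the text stays on disk
# until the space is reused: invisible to a query, recoverable from a physical image.
DELETED_ROW = ("erin@example.com", "frank@example.com", "", "",
               1700007200, "Draft: shipping labels", 1,
               "Labels for the second pallet are ready.", "labels.pdf")


def build_sample_store(path):
    """Create the constructed sample database at path."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")  # mimic a store that leaves freed cells intact
    con.execute(SCHEMA)
    con.executemany(f"INSERT INTO message ({COLUMNS}) VALUES (?,?,?,?,?,?,?,?,?)",
                    LIVE_ROWS + [DELETED_ROW])
    con.commit()
    con.execute("DELETE FROM message WHERE subject = ?", (DELETED_ROW[5],))
    con.commit()
    con.close()


def extract_messages(path):
    """Return the live messages as dicts, timestamp normalised to ISO-8601 UTC.
    Real stores count from their own epochs; this conversion is the place to adapt."""
    con = sqlite3.connect(path)
    con.row_factory = sqlite3.Row
    rows = con.execute("SELECT * FROM message ORDER BY received").fetchall()
    con.close()
    messages = []
    for row in rows:
        rec = {key: row[key] for key in row.keys()}
        rec["received"] = datetime.fromtimestamp(rec["received"], tz=timezone.utc).isoformat()
        rec["status"] = "read" if rec.pop("is_read") else "unread"
        messages.append(rec)
    return messages


def carve_unreferenced_text(path, min_len=8):
    """Printable runs in the raw file that neither the schema nor any live row explains.
    The same scan, run over the unallocated space of a physical image, is the simplest
    form of carving for deleted mail text."""
    con = sqlite3.connect(path)
    known = set()
    for name, sql in con.execute("SELECT name, sql FROM sqlite_master"):
        known.update({name, sql})
    for row in con.execute("SELECT * FROM message"):
        known.update(v for v in row if isinstance(v, str))
    con.close()
    known.discard(None)
    known.discard("")
    known.add("SQLite format 3")  # file header magic
    with open(path, "rb") as fh:
        data = fh.read()
    runs = {m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)}
    return sorted(run for run in runs if not any(k in run or run in k for k in known))


def triage_sample():
    """Build the sample store in a temp dir and return live messages plus carved text."""
    path = os.path.join(tempfile.mkdtemp(), "mailstore_sample.db")
    build_sample_store(path)
    return {"messages": extract_messages(path), "carved": carve_unreferenced_text(path)}


if __name__ == "__main__":
    result = triage_sample()
    for m in result["messages"]:
        print(f"{m['received']}  {m['sender']:>18} -> {m['recipients']:<18} {m['status']:6} {m['subject']}")
    print("unreferenced text (possible deleted rows):")
    for run in result["carved"]:
        print("  ", run)
```

Running it lists the two live messages and then the subject, body and attachment name of the deleted one, which `SELECT` no longer returns. That difference is exactly what separates a logical acquisition (tables only) from a physical one (the bytes underneath), and why the text above prefers the physical image whenever it can be obtained. Against a real device the `SCHEMA` and the epoch conversion must be replaced with the store's actual column names and timestamp format.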

In addition, make sure to search the mobile browser activity for additional webmail accounts that may have been accessed through the browser and weren’t set up in either the native mailbox or a dedicated application such as the Gmail app.

Webmail has extended far beyond the traditional browser and your investigation should as well. With mobile applications storing messages from multiple webmail accounts in their databases and new application artifacts being created regularly, it is difficult for an investigator to know where to look for all potential evidence, let alone have the time to search everywhere for each case. Tools such as IEF expedite that process greatly and help investigators understand the bigger picture when it comes to Internet evidence—and the number of applications that store the evidence only continues to grow.

As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie.mcquaid(at)magnetforensics(dot)com.

Jamie McQuaid
Forensics Consultant, Magnet Forensics
