ISSC351 Email Forensics and Windows Operating Systems Forensics Discussion

Respond to each of the two student discussion posts below with a minimum of 100 words per post. The questions the students are answering are listed below.

Questions:

  1. Email is one of the most common methods of communications today. What are some of the ways that email can be investigated and used as evidence?
  2. Discuss the various laws that have been enacted for email investigations.
  3. The Windows Operating system is the most common operating system on the planet. Discuss some of the tools and files that are routinely examined and used in a Windows Operating System investigation.

Student one:

Hello Class!

It has been a rough few weeks, but I am finally able to start doing school again.

I believe this week’s topic goes along with the e-mail lab that we had.

1. Quite similarly to when one person pings a server that is not on their network, that ping makes several hops between nodes/relays until it pings the destination. When an e-mail message is sent, it acts quite the same. The information of said e-mail is mirrored onto every node that it passes through; all this information is stored in its header and can be pulled out by forensic investigators to see the data. The mentioned nodes also store the information and the e-mail information can be taken from them as well and used in court.

2. The Electronic Communications Privacy Act (ECPA) set the standards and processes to be followed by law enforcement when it comes to collecting data about electronic communications. Said Act also prohibits the collection of this communications data while it is being transferred. This can be side-stepped via a court order.
The Stored Communications Act (SCA) allows law enforcement to collect electronic communications stored for less than 181 days via warrant direction.

3. Page 174 of our online course book discusses some of the tools used: PsList, PsInfo, and ListDLLs. PsList shows all the processes that are running on a current system. PsInfo displays how long a system has been on since last reboot, details, and basic system information. Lastly, ListDLLs shows the loaded libraries for each process.

Thank you for stopping by!

Stay awesome!

-Kit

Reference

Easttom, C. (2014). System Forensics, Investigation, and Response (2nd ed.). Jones & Bartlett. ISBN 978-1-284-03105-8 (ebook).

Student two:

1. You can trace the origin of an email by tracing. This is done by examining the email header information. Email server forensics allows the investigator to examine the email file extensions on a server.

2. The Fourth Amendment to the U.S. Constitution: How this works is that information (an email) is stored on your computer. Your computer can’t be seized without probable cause and a search warrant. The Fourth Amendment governs how items can be seized. The Electronic Communications Privacy Act: This act governs how information can be retrieved from an internet service provider. This act has created restrictions on the government gaining access to information on ISPs. There are four different processes. Basic subscriber information: This is basic information that a subscriber has on file (name, address, credit card number, etc.). All these items can be obtained with a subpoena or search warrant. Transactional information: This covers information gathered from web sites visited and email addresses. Content information covers information retrieved from emails and unretrieved stored emails. Lastly, real-time access: This covers the interception of internet traffic coming and going. The CAN-SPAM Act: This act is designed to deter unsolicited emails. The Foreign Intelligence Surveillance Act: This is designed to govern how we collect foreign intelligence. The USA PATRIOT Act: This was passed in response to the attacks on 9/11. It handled how we combated terrorism within the United States.

3. Some of the investigation tools used on the Windows operating system are PsList, ListDLLs, and PsLoggedOn. PsList is used to view the processes and statistics on a system. ListDLLs displays a view of all the currently loaded dynamic link libraries. PsLoggedOn will show all users that have logged on locally and remotely.

Reference

Easttom, C. (2014). System Forensics, Investigation, and Response (2nd ed.). Jones & Bartlett. ISBN 978-1-284-03105-8 (ebook).

-Vincient
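Both posts describe tracing an email back through the relays recorded in its header. As an added example (not from the course book or from either student), the Python script below parses the Received headers of a constructed message into delivery order and checks that the relay timestamps are consistent; the hostnames and addresses in it are placeholders.

```python
"""Reconstruct the hop-by-hop path of an email from its Received headers.

Added example, not part of the course text or either post. The message below
is constructed; hostnames and IP addresses are placeholders.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: each relay prepends its own Received header, so the
# top-most header is the last hop and the bottom-most is the first.
RAW_MESSAGE = """\
Received: from relay2.example.net (relay2.example.net [192.0.2.20])
\tby mx.example.org with ESMTP id abc123;
\tMon, 3 Mar 2014 10:02:10 +0000
Received: from relay1.example.net (relay1.example.net [192.0.2.10])
\tby relay2.example.net with ESMTP;
\tMon, 3 Mar 2014 10:01:55 +0000
Received: from sender-pc (unknown [198.51.100.7])
\tby relay1.example.net with ESMTPA;
\tMon, 3 Mar 2014 10:01:40 +0000
From: alice@example.net
To: bob@example.org
Subject: test

hello
"""

# "from <host> ... by <host>" is the part of each Received clause we keep.
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)


def parse_hops(raw):
    """Return hops in delivery order as (from_host, by_host, timestamp) tuples."""
    msg = message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        header = " ".join(header.split())  # unfold continuation lines
        m = HOP_RE.search(header)
        if not m:
            continue
        stamp = header.rsplit(";", 1)[-1].strip()  # text after the last ';'
        hops.append((m.group("from"), m.group("by"), parsedate_to_datetime(stamp)))
    return hops


def timestamps_monotonic(hops):
    """True when every relay's clock is at or after the previous hop's.

    A hop dated before the one preceding it points to a mis-clocked relay or a
    header the sender inserted; only headers added by relays you control are
    reliable evidence, the rest must be corroborated from the relays' own logs.
    """
    return all(a[2] <= b[2] for a, b in zip(hops, hops[1:]))
```
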