Forensic Email and Network Packet Data Analysis

Forensic Email and Network Packet Data E-Discovery Services

Media Forensics can provide competent and detailed email and network packet data forensic services. These services can lead to the discovery, analysis and reporting of digital footprints associated with hacking or other compromise events. They can also lead to the identification of email scams and of the perpetrators of digitally based crime or misconduct.

It is important to recognise that data compromises are often the result of a malicious action by a disgruntled employee (or ex-employee) within your organisation. Unintentional or careless actions by an employee, e.g. downloading compromised multimedia or opening an email and clicking on a link, will invite a malicious actor into your organisation.

Using a work laptop and/or phone at home for personal use, or worse still, letting children use it for gaming and social media, typically results in compromised email passwords and/or computer system logins. When that laptop or phone reconnects to your business network the problems begin.

Hackers and scammers will typically sit on a compromised system for a long time (often months) to collect as much information as possible about your system configurations, user accounts and potential targets such as upcoming large payments. They may even use your systems and user accounts as a stepping stone to a more valuable or vulnerable business, running their scam against it with your business as the apparent source.


Forensic Email Analysis

Email password compromises typically lead to system access and invoice fraud. Often the email compromise will occur in another business that is then used as a stepping stone to branch out. Popular targets are real estate conveyancing firms and small to medium sized businesses where large sums of money are exchanged.

Simple Email compromise checks

A quick way to determine if your email account has been compromised is to regularly check your “Sent Items” email folder(s) to see if there are any emails that you do not recall having sent. If there are emails not created and sent by you, change your email password immediately and advise the addressees of any email the hacker sent from your account to change their passwords.

Most email scams are fairly obvious due to poor grammar, misspelt words, strange From and/or Return addresses and vague, non-personalised salutations (a bare “Dear ” with no name). However, the serious and successful ones can be very difficult to detect, with very subtle changes to From addresses, e.g. substituting the uppercase letter O with the number 0 (zero) or the lower case letter l with the number 1 (one), using right-to-left override characters so that text entered in one order displays in another, or inserting hidden non-printing characters. They do their homework and will duplicate valid business logos and links, and address the emails to and from valid, specific staff members.

Educate staff to hover over any link (without clicking) within an email to determine where the link really goes (typically shown as a pop-up in the lower left corner of the window). Never open an attachment that was unexpected and unnecessary (e.g. a large JPG or a PDF when normal email body text would do) without first running anti-virus/anti-malware scanning. If possible, call the sender (using a known phone number, not one provided in the email) and verify the email contents, particularly any requested changes to bank account or contact details.
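The two checks above (look-alike or hidden characters in a From address, and a link whose visible text names a different site than its real target) can be automated for an incoming message. The following is an added example, not Media Forensics' own tooling; the addresses and link targets in it are constructed samples.

```python
import unicodedata
from urllib.parse import urlparse

# Invisible and bidirectional-control characters; none belong in a legitimate address.
HIDDEN = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff",
          "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
          "\u2066", "\u2067", "\u2068", "\u2069"}
# Digit-for-letter substitutions described above: 0 for O, 1 for l.
CONFUSABLE = str.maketrans({"0": "o", "1": "l"})


def flags_for_sender(seen, expected):
    """Compare the From address as received against the address on file for that contact.
    Returns a list of reasons to distrust it (empty when it matches exactly)."""
    flags = []
    if any(ch in HIDDEN for ch in seen):
        flags.append("hidden or bidi control character")
    # Strip hidden characters, fold compatibility forms and case, then map look-alike digits.
    cleaned = "".join(ch for ch in seen if ch not in HIDDEN)
    cleaned = unicodedata.normalize("NFKC", cleaned).lower().translate(CONFUSABLE)
    reference = expected.lower().translate(CONFUSABLE)
    if cleaned == reference and seen.lower() != expected.lower():
        flags.append("look-alike of known address")
    elif cleaned != reference:
        flags.append("unknown address")
    return flags


def _same_site(shown, target):
    """True when one host is the other or a sub-domain of it (www.x.test vs x.test)."""
    return shown == target or shown.endswith("." + target) or target.endswith("." + shown)


def link_mismatch(visible_text, href):
    """True when a link's visible text names a host that differs from where the link really goes.
    Plain text such as 'click here' contains no host and cannot be checked, so it returns False."""
    if "." not in visible_text:
        return False
    shown = urlparse(visible_text if "://" in visible_text else "http://" + visible_text).hostname
    target = urlparse(href).hostname
    return bool(shown and target) and not _same_site(shown, target)


if __name__ == "__main__":
    # Constructed samples for a payments mailbox that knows its vendor's real address.
    print(flags_for_sender("acc0unts@vendor.test", "accounts@vendor.test"))
    print(link_mismatch("www.vendor.test", "https://www.vendor.test.evil.test/pay"))
```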

Forensic Email services offered by Media Forensics

  • Email Recovery.
  • Email source tracking.
  • Phishing and Scam Email analysis.
  • Tracing links to other compromised systems.

Copies or traces of emails can usually be found on synchronised devices and on any linked cloud based services, not just the device or system used. There is often a limited time within which deleted emails can be recovered from cloud based storage locations or email servers.

Email metadata (the message headers) can contain a lot of information about the path the email took (routers and servers) and the dates and times of sending and receiving. A full understanding of email metadata can lead to a better understanding of the activities and actions of your staff's communications. Email date and time stamps can be misleading if the correct time zone is not taken into account: each server stamps the message in its own local time zone, so the stamps must be converted to a common zone before they are compared.
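To illustrate the path and timing information held in the headers, this added example (not part of the page or of Media Forensics' tooling) parses the Received headers of a constructed message whose three hops are stamped in three different time zones, converts every stamp to UTC and reports the delay at each hop. The hosts and addresses are constructed sample values.

```python
import email
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture). Each mail server adds its own Received
# line at the top, so the first Received header is the last server the message passed through.
RAW_MESSAGE = """Received: from relay.corp.test (relay.corp.test [192.0.2.20])
\tby mailbox.corp.test with ESMTP id AB12; Tue, 5 Mar 2024 09:15:40 +1100
Received: from mail.vendor.test (mail.vendor.test [198.51.100.7])
\tby relay.corp.test with ESMTPS id CD34; Mon, 4 Mar 2024 17:15:02 -0500
Received: from [10.0.0.5] (unknown [203.0.113.9])
\tby mail.vendor.test with ESMTPA id EF56; Mon, 4 Mar 2024 22:14:55 +0000
From: accounts@vendor.test
To: payments@corp.test
Subject: Updated bank details
Date: Mon, 4 Mar 2024 22:14:50 +0000

Please use the new account below.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)


def received_hops(raw):
    """Return the hops oldest-first as (from_host, by_host, datetime in UTC)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold the continuation lines
        m = HOP_RE.search(value)
        # The timestamp is everything after the final ';' and carries its own zone offset.
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip()).astimezone(timezone.utc)
        hops.append((m.group(1) if m else "?", m.group(2) if m else "?", stamp))
    return hops


def hop_delays_seconds(hops):
    """Seconds between consecutive hops. A negative value means the clocks disagree or a
    Received line was forged by the sender, which is itself worth investigating."""
    return [int((b[2] - a[2]).total_seconds()) for a, b in zip(hops, hops[1:])]


if __name__ == "__main__":
    path = received_hops(RAW_MESSAGE)
    for src, dst, when in path:
        print(f"{src:>20} -> {dst:<20} {when:%Y-%m-%d %H:%M:%S} UTC")
    print("delays (s):", hop_delays_seconds(path))
```

Read in local time the three stamps appear to span two calendar days; in UTC the whole delivery took 45 seconds.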


Forensic Network Packet Data Analysis

Locking down a network to enhance security can make it very difficult for staff to undertake work as required. Opening up a network can allow malicious actors to get onto your network. Good network security requires a delicate balance to meet all objectives and still allow staff to work effectively and efficiently.

Two approaches used in network security are Black lists and White lists.

A Black List contains all web sites, IP addresses or email addresses that are immediately blocked on outgoing/incoming connections. The list will typically start small with known problem sites and is added to as problem addresses are identified. This is the least intrusive action from an employee’s viewpoint, but is potentially a problem because it is a reactive approach to IT security.

A White List contains the web sites, IP addresses or email addresses that are approved and allowed in or out. This is a very proactive, secure action from an IT security viewpoint, but very intrusive from a staff workflow point of view. Each time a new website needs to be accessed, the staff have to get approval and wait for the site to be assessed and added to the White list.

The balance of white lists vs black lists needs to be revisited on a regular basis.

Intrusion Detection Systems (IDS)

An IDS involves one or more devices on a network set up to monitor for potentially suspicious activity and automatically generate alerts, which are sent to selected IT staff. The IT staff (incident responder) then assess the activity and, if necessary, add the source to either a Black or White list.

The system needs to be configured well enough to recognise a problem packet or data transaction in order to generate an alert. This is another example of a reactive measure that could allow damage to occur before the alert is acted upon. The boundaries of acceptable vs unacceptable traffic require regular review and threat assessment.

Intrusion Prevention Systems (IPS)

An IPS is proactive: it takes action against a pre-defined activity to block or otherwise deny it. This type of network security can be very time consuming to configure and maintain and, like White lists, can impact productivity if desired activities are unnecessarily blocked.

Data Analysis Services offered by Media Forensics

Often, network security degrades to a less than optimum level over time as IT staff receive more requests to lower security settings to meet a particular task. This can result in unintended holes forming in your network security configuration.

Media Forensics can configure network sniffers to collect and analyse data passing between computers on your internal Local Area Network (LANs or VLANs) and/or across your Internet Wide Area Network (WAN) connection. This can be achieved by physically attending your site or by remotely logging in with the cooperation of your IT System Administrator. Benefits are:

  • Identification of compromising Internal LAN activity.
  • External (or Internal) threat and attack analysis.
  • Identification of unnecessary outgoing or incoming network traffic.
  • Reassessment of Black and White lists.
  • Reassessment of IDS and/or IPS system settings.