Description
Many tools are used today by law enforcement officers to recover evidence from personal computers, and the leading software applications give the investigator a comprehensive image of a user's computer. In the field of computer forensics, however, only Hot Pepper Technology provides a dedicated software tool that extracts all email contents (including graphics) from the America Online database stores on a user's disk drive.
"E-Mail Detective - Forensic Software Tool" is used by law enforcement agencies in the U.S. and has become an invaluable tool for forensic examiners in numerous investigations and data recoveries. The EMD application is exceptionally quick and easy to use. Within minutes, any AOL email that has been cached or saved on a user's disk drive is extracted, complete with all embedded pictures, and a comprehensive report containing all of the user's emails is produced. The investigator can then view the report immediately and search it for specific words or phrases.
With a few simple keystrokes, EMD relieves the investigator of tedious searching through raw data dumps of a user's disk drive in order to view the user's AOL email. AOL email data stores of all sizes, from 1 MB to 1 GB or more, are easily processed. Combined with the ability to run EMD from a USB jump drive for field investigations, this makes EMD the best tool on the market for extracting AOL email.
Frequently Asked Questions
Is there a demo version available?
Yes, there is a demo version of the software. Only the demo version can be given out to an associate for review. This demo version has a limit on the number of messages it will decode along with several other feature limitations. One of the best ways to review the software is to look through the EMD user's manual that is installed with the demo. Click here to submit the demo request form.
Which versions of America Online and CompuServe does EMail Detective work with?
EMD works with all versions of AOL from 1.0 - 9.0, AOL 9.0 security edition, AOL 9.0vr (vista ready), OpenRide, and Compuserve versions 6.0 - 7.0.
Can I search an entire hard drive for all AOL db's?
Yes. Select the "Read mail folder..." menu option in the EMD application, choose the top-level drive (for example C:\ or D:\) and then select the "Okay" button. A whole-drive scan takes EMD a considerable amount of time, depending on the disk size, the number of files and the speed of the PC. Every AOL db found is catalogued and a report for it is produced in your specified output directory.
Why are the photos stored in a separate directory from the EMD report?
This is done as a convenience, based on user feedback. Additionally, if multiple or duplicate usernames are encountered on the local drive, keeping track of the pictures associated with each username is much easier with separate directories.
Why are some photos renamed by the EMD application?
See next question.
Why are there duplicate photos in the directory?
Example: two different email messages each contain a photo. The photos have the same file name and size but are completely different pictures. If EMD saved the extracted photos under the given name, only one would be present in the output directory, because the second one saved would overwrite the first. To differentiate between the two photos, EMD assigns a unique name to each when it is saved, and the report shows the name assigned to each photo in each email message.
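The following Python is an added illustration of the collision handling described above; it is not EMD's code and does not read PFC files. It saves each attachment under its original name, reuses the file when the same name arrives with identical bytes, and qualifies the name with a content hash when the same name arrives with different bytes, recording the assigned name in a manifest for the report. The output directory, message identifiers, attachment bytes and the hostile file name are all constructed for the demonstration; the path-traversal check is an extra a practitioner would want, since attachment names come straight from the evidence.

```python
"""Collision-safe naming for extracted e-mail attachments (added example,
not EMD's code).  Same name + same bytes -> one file; same name +
different bytes -> a second file qualified with the content hash."""
import hashlib
import tempfile
from pathlib import Path


def safe_basename(name: str) -> str:
    """Reduce an attachment name taken from the evidence to a bare file name.

    Attachment names are untrusted: "..\\..\\x.jpg" must not be able to
    escape the output directory.
    """
    base = Path(name.replace("\\", "/")).name
    if base in ("", ".", ".."):
        base = "attachment"
    return base


class AttachmentStore:
    def __init__(self, out_dir):
        self.out_dir = Path(out_dir)
        self.out_dir.mkdir(parents=True, exist_ok=True)
        self._by_name = {}      # basename -> {sha256 hex: path written}
        self.manifest = []      # one row per attachment occurrence, for the report

    def save(self, message_id, original_name, data: bytes) -> Path:
        base = safe_basename(original_name)
        digest = hashlib.sha256(data).hexdigest()
        slot = self._by_name.setdefault(base, {})
        path = slot.get(digest)
        if path is None:
            if slot:
                # Name already used for different bytes: qualify it with the hash
                p = Path(base)
                base = f"{p.stem}_{digest[:8]}{p.suffix}"
            path = self.out_dir / base
            path.write_bytes(data)
            slot[digest] = path
        self.manifest.append({
            "message_id": message_id,
            "original_name": original_name,
            "saved_as": path.name,
            "sha256": digest,
        })
        return path


def run_demo(out_dir=None) -> AttachmentStore:
    """Extract four constructed attachments and return the store for inspection."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="emd_pictures_")
    store = AttachmentStore(out_dir)
    # Two messages carry "photo.jpg" of identical size but different content,
    # a third repeats the first picture, a fourth carries a hostile name.
    store.save("msg-0001", "photo.jpg", b"\xff\xd8first-picture-bytes\xff\xd9")
    store.save("msg-0002", "photo.jpg", b"\xff\xd8other-picture-bytes\xff\xd9")
    store.save("msg-0003", "photo.jpg", b"\xff\xd8first-picture-bytes\xff\xd9")
    store.save("msg-0004", "..\\..\\..\\Windows\\evil.jpg", b"\xff\xd8x\xff\xd9")
    return store


if __name__ == "__main__":
    s = run_demo()
    for row in s.manifest:
        print(row["message_id"], row["original_name"], "->", row["saved_as"], row["sha256"][:12])
```

Recording the SHA-256 alongside the assigned name also lets the examiner show later that the picture in the report is byte-for-byte the one found in the mail store.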
What are the photos with the ART extension and how come I cannot view them?
Many years ago a company called Johnson-Grace created a compression format with the ".art" extension. AOL acquired the company and now uses this proprietary format for many of its embedded graphics. A few viewers can open these files; Smart_Pix_Manager is one such utility. Alternatively, if you have access to AOL's v9.0 or later software, the files can be viewed by selecting the "File" menu and then "Open My Picture Finder...". IrfanView is a good general free graphic viewer, but it does not support ".art" files.
I cannot find AOL's db's on a user's system.
In version 9.0, AOL moved its default mail directory from below its application path to "C:\Documents and Settings\All Users\Application Data\AOL". This directory is normally hidden under the Windows XP OS. To unhide it in Windows Explorer, select "Tools", "Folder Options...", the "View" tab, and then "Show hidden files and folders".
You should now be able to navigate to this AOL directory using Windows Explorer or any file open dialogue.
Will EMD work with Compuserve?
Yes. Versions 6.0 and 7.0 of CompuServe use the same PFC format as the America Online client. EMD will extract the email from the CompuServe client and produce reports.
I am trying to recover deleted email but the EMD application does not find the mail item.
AOL's email database is very compact and extremely fast for the client application (AOL) to access and manipulate. When a user deletes an email that has been stored offline, the AOL software marks that record in its database as deleted. If the user reads additional mail after the item is deleted, AOL may reuse the space and place the new mail item there. Unless EMD is run directly after an item has been deleted, it is very unlikely that any deleted records remain in AOL's database, and therefore unlikely that they will be found. See note #1 above. The EMD application does not search or recover from unallocated disk space or the Windows swap file. Deleted message fragments can sometimes be recovered if they are present on the hard drive in an existing or restored AOL mail db, sometimes referred to as a PFC file; anything that survives only in unallocated space, in the swap file or in a deleted PFC file needs a separate carving or keyword-search pass with a general-purpose forensic tool.
Can I run the EMD software in the field using a USB Jump Drive?
The EMD application can be installed on and run from a USB jump drive or USB memory stick. The output reports can also be saved to the USB device, permitting an investigator to quickly scan a target system in the field. To install to a USB jump drive, point the installation program at the drive letter assigned to the USB device; all files necessary to run EMD are installed on the device. In the field the minimum system requirement is Windows 98 SE with USB support. To run EMD, open Windows Explorer, open the USB device and select the EMD icon. As with any tool run on a live target system, note what was run and when, since executing it changes the state of the system being examined.
What's the difference between the Text and HTML reports generated by the EMD software?
The EMD program generates two types of reports:
The HTML report is geared towards an attorney's viewing. It shows the viewer how the email message looked (including color, graphics and font information) when presented to the reader.
The Text report is geared towards the examiner. It is easily manipulated, contains no live Internet links, and can be readily searched and viewed. All graphics, fonts and HTML markup have been removed; graphics are replaced with references to the files extracted to disk.
When using the EMD program and choosing to generate an HTML report, the following items should be considered:
1) The report may contain live Internet links.
2) When the report is viewed in Internet Explorer (IE) or any other browser, the browser will attempt to connect to the Internet and fetch every remotely hosted resource (images, style sheets and the like) referenced by the email messages. Each such fetch tells the remote server that the message is being viewed, and from which address, so choose deliberately which system, and with what network connectivity, opens the report.
3) The report can get very large: 15 MB or greater if more than 2000 emails are processed.
4) IE and other browsers may be slow in processing a file of this size. Browsers were not designed to handle HTML files with this many links or of this size.
5) Lab systems tend to be higher end (more RAM and a faster processor) than an attorney's.
6) If you are passing the HTML report on to the attorney or another person, either on a CD or by email, the makeup of the recipient's system may be of concern.
7) Does the viewer's system have a high-speed Internet connection? Does it have a lot of RAM?
8) Is the report being printed right away, or will it be several months before it is reviewed and printed?
9) Live links can expire, or the material may no longer be present after some time passes.
10) On low-end systems, viewing a report of this size may not be possible, or not all images may come up.
Suggested method for handling HTML reports
Once the HTML report has been generated, take the following steps:
Open the HTML report in IE and select "Save As", choosing "Web page, complete". This causes all the links to be resolved and the referenced content to be saved to your local disk drive in the specified folder. Transfer all of the files saved along with the web page to a CD, or zip them up, and pass them to the attorney. This allows offline viewing of a static HTML report. Note that the resolving step itself fetches the remote content from the lab system, so do it once, promptly after the report is generated and before the links expire, and hash the resulting files so the attorney's copy can later be checked against the lab's.
Your lab may wish to follow this procedure for any HTML report, regardless of the program that generates it.