When a user syncs their e-mail account(s)
to a device, account information as well as e-mail content is stored within the
device.
Databases/plists
keychain-2.db
This database stores user login
credentials and other metadata related to those accounts. Wi-Fi accounts, application
logins, e-mail accounts, and more can be found here. The following tables can be found in
this database:
The “inet” table
is where e-mail account data can be found. The “acct” column contains the e-mail address,
or for an Exchange account, the domain and username. The “srvr” column includes the mail
server that the device is retrieving content from, the “ptcl” and “port” columns list the
protocol and port used to connect to that mail server, and the “data” column contains the
encrypted password for that account.
Databases.db
This database contains three tables:
The “Databases” table is the only one containing unique data, and
here the examiner can view the various webkit database files on the device. For example, if
the user synced both Yahoo and Gmail, the folder containing each database is listed in the
“origins” column. For the databases listed below, the origins are:
http_m.mg.mail.yahoo.com_0 and https_mail.google.com_0. These are
subfolders, which also contain the database file. In the “Databases” table, the examiner
can also see the e-mail address for the user.
The
database within the Yahoo mail folder contains a significant amount of important data,
including the e-mail addresses of the senders and the recipients of the e-mail, e-mail
subjects, timestamps, and even partial e-mail content. The following is a listing of the
tables contained within this database:
__WebKitDatabaseInfoTable__
The two tables worth looking at are the “folder” and “message” tables.
The message table contains the full e-mail subject, partial e-mail
content (in the “snippet” column), the e-mail addresses of both the sender and receiver,
and finally the Unix Epoch timestamp. When converted, this is the date and time when the
e-mail was received. There is also a column called “hasAttachment,” which, as expected,
will have a “1” if there was a file attached to that particular e-mail (otherwise it will
have a “0”).
The folder table shows a list of all of the
folders within that e-mail account. The standard folders, such as Inbox, Sent, Trash, etc.,
may not be of importance, but this table also contains a list of the personal folders
created by the user. Along with the folder names, also included as part of this table is
the total number of messages within each folder and the number of messages:
The database within the Google mail
folder also contains the e-mail addresses of the senders and the recipients of the e-mail,
e-mail subjects, timestamps, and partial e-mail content. The following is a listing of the
tables contained within this database:
__WebKitDatabaseInfoTable__
cached_conversation_headers
The two main tables
to focus on in this database are “cached_conversation_headers” and “cached_messages.” While
some of the contents between these two tables overlap, there are some differences making it
worthwhile to take a look at both.
The following is a
breakdown of each of the columns within the cached_conversation_headers table that contain
relevant information and a definition of each:
• isInbox/isSpam/isTrash/etc.: These columns are flagged with a “1” if true. For example, if the “isInbox” column contains a “1,” then the e-mail message in that row was recovered from the user's Inbox.
• subject: Contains the message Subject.
• snippetHtml: Contains a portion of the message body.
• senderListHtml: Contains the name assigned to the sender in the e-mail contacts (not necessarily the e-mail address).
• dateMs: The date and time the message was received in Unix Epoch (milliseconds). To convert manually, the examiner will need to remove the last three digits; otherwise, it can be converted through a website or other tool.
• modifyDateMs: The date and time the message was modified in Unix Epoch (milliseconds). This is typically the same timestamp as the dateMs.
• hasAttachment: If the message has an attachment, this field will be flagged with a “1” (otherwise it will be a “0”).
The
following is a breakdown of each of the columns within the cached_messages table that
contain relevant information and a definition of each.
• messageID: A unique ID assigned to each message.
• conversationId: An ID assigned for each conversation (group of messages for each sender). This ID might be the same as the messageID.
• isInbox/isSpam/isTrash/etc.: These columns are flagged with a “1” if true. For example, if the “isInbox” column contains a “1,” then the e-mail message in that row was recovered from the user's Inbox.
• subject: Contains the message Subject.
• snippetHtml: Contains a portion of the message body.
• address_from: Contains the e-mail address of the sender.
• address_to/address_cc/address_bcc: Contains the e-mail address that the message was sent to. If an individual was cc'd or bcc'd, that e-mail address would be listed in the appropriate columns.
• receivedDateMs: The date and time the message was received in Unix Epoch (milliseconds). To convert manually, the examiner will need to remove the last three digits; otherwise, it can be converted through a website or other tool.
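The following is an added example (not code from the book or from viaForensics) that queries a cached_messages table with the columns just listed and converts its millisecond timestamps, using the same epoch_to_utc helper for the Yahoo “message” table, whose timestamp is in seconds. The sample rows, the in-memory SQLite database and the column types are constructed for the example.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows. Column names are those of the cached_messages
# table described above; values, types and the in-memory database are
# assumptions for this example, not data from a device.
SAMPLE_ROWS = [
    # messageID, conversationId, isInbox, isSpam, isTrash, subject, snippetHtml,
    # address_from, address_to, address_cc, address_bcc, receivedDateMs
    (1001, 1001, 1, 0, 0, "Q3 report", "Attached is the", "alice@example.com",
     "bob@example.com", "", "", 1281016380123),
    (1002, 1001, 0, 0, 1, "Re: Q3 report", "Thanks", "bob@example.com",
     "alice@example.com", "carol@example.com", "", 1281019980000),
]

def build_sample_db():
    """Stand-in for the Gmail WebKit database, built in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE cached_messages (
        messageID INTEGER, conversationId INTEGER, isInbox INTEGER,
        isSpam INTEGER, isTrash INTEGER, subject TEXT, snippetHtml TEXT,
        address_from TEXT, address_to TEXT, address_cc TEXT,
        address_bcc TEXT, receivedDateMs INTEGER)""")
    conn.executemany("INSERT INTO cached_messages VALUES (%s)" % ",".join("?" * 12),
                     SAMPLE_ROWS)
    return conn

def epoch_to_utc(value, millis):
    """Unix epoch seconds (Yahoo 'message' table) or milliseconds (Gmail
    *Ms columns) to a UTC string. 'Remove the last three digits' of a
    millisecond value is integer division by 1000."""
    seconds = value // 1000 if millis else value
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

FOLDER_FLAGS = ("isInbox", "isSpam", "isTrash")

def list_messages(conn, folder_flag="isInbox"):
    """Messages whose folder flag is 1, oldest first, timestamps converted."""
    if folder_flag not in FOLDER_FLAGS:   # never interpolate an unchecked name
        raise ValueError("unknown folder flag: %r" % folder_flag)
    sql = ("SELECT messageID, conversationId, subject, address_from, address_to, "
           "address_cc, address_bcc, receivedDateMs FROM cached_messages "
           "WHERE %s = 1 ORDER BY receivedDateMs" % folder_flag)
    return [{"messageID": m, "conversationId": c, "subject": s, "from": f,
             "to": t, "cc": cc, "bcc": bcc, "received": epoch_to_utc(ms, True)}
            for m, c, s, f, t, cc, bcc, ms in conn.execute(sql)]

if __name__ == "__main__":
    for row in list_messages(build_sample_db()):
        print(row)
```

To run against a real extraction, replace build_sample_db() with sqlite3.connect() on the database file copied out of the read-only mounted image.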
Analyst notes
From the files
described in the previous sections, one can see that there are various locations within the
iPhone file system where e-mail remnants can be found: the “Mail” folder and the “WebKit”
folder. The databases within the WebKit folder have been thoroughly discussed as they
contain allocated files. Next, the contents of the Mail folder are discussed.
As mentioned earlier, there is a specific folder assigned to each
Mail account synced to the device, and these files can be viewed with a physical image of
the device. For an exchange mail account, the folder will begin with “ExchangeActiveSync…,”
whereas a Gmail or Yahoo account might begin with “
[email protected]”. Within this
folder, the following folders can be seen:
23K241-39E2-AP09-A284-B39T02955E.mbox (User's Inbox - random string of characters)
Within these folders are
some of the actual e-mail messages in the form of a “.emlx” extension. These files can be
viewed in a text editor, or by importing them into the Mail program on a Mac. In addition to
e-mail messages, there are also files with a “.emlxpart” extension. This contains files that
have been attached to one or more of the e-mails. Let us assume that this file extension is
unknown. The following command can be run on a Linux machine to determine what type of file
this is, and thus understand what tool is needed to view it. First, we will list out the
files in the “Messages” folder and then determine the file type.
root@linux-001:~/mount/mobile/Library/Mail/ExchangeActiveSync-[Mail-ID].mbox/Messages# ls -l
-rw-r--r-- 1 501 501 721191 2010-08-05 13:53 14.1.2.emlxpart
-rw-r--r-- 1 501 501 148142 2010-08-05 13:05 16.emlx
-rw-r--r-- 1 501 501 178494 2010-08-05 13:05 17.emlx
-rw-r--r-- 1 501 501 403407 2010-08-05 13:05 20.emlx
root@linux-001:~/mount/mobile/Library/Mail/ExchangeActiveSync-[Mail-ID].mbox/Messages# file 14.1.2.emlxpart
14.1.2.emlxpart: Zip archive data, at least v2.0 to extract
root@linux-001:~/mount/mobile/Library/Mail/ExchangeActiveSync-[Mail-ID].mbox/Messages# file 16.emlx
16.emlx: RFC 822 mail text
From the output of the “file” command, it can be seen that the .emlx file is text
and the .emlxpart file is a compressed archive, which must be unzipped. This file can be
copied to another location on the examiner's machine (since the iPhone dmg should be mounted
as read-only) and unzipped to view the file contents and attachments.
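As an added example (not from the book), the same identify-then-open step done by content rather than extension: a zip signature marks the .emlxpart, and the .emlx is split into its RFC 822 message. It goes beyond the text in assuming Apple's .emlx layout (a first line giving the message length in bytes, then the message, then an XML plist of flags); both sample files are constructed inline.

```python
import io
import zipfile
from email import message_from_bytes

# Constructed samples, not files from a device. The .emlx layout assumed
# here: "<byte length>\n" + RFC 822 message + XML plist of message flags.
RFC822_MSG = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
              b"Subject: Q3 report\r\nDate: Thu, 05 Aug 2010 13:53:00 +0000\r\n"
              b"\r\nReport attached.\r\n")
SAMPLE_EMLX = (str(len(RFC822_MSG)).encode() + b"\n" + RFC822_MSG +
               b'<?xml version="1.0"?><plist version="1.0"><dict/></plist>\n')

def _make_zip():
    """Build a zip archive in memory to stand in for a .emlxpart."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed sample")
    return buf.getvalue()

SAMPLE_EMLXPART = _make_zip()

def identify(data):
    """Classify by magic bytes / structure, as 'file' does, not by extension."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    first_line = data.partition(b"\n")[0]
    if first_line.strip().isdigit():
        return "emlx"
    return "unknown"

def parse_emlx(data):
    """Use the length line to cut out the RFC 822 part and return key headers."""
    length_line, _, rest = data.partition(b"\n")
    msg = message_from_bytes(rest[:int(length_line)])
    return {h.lower(): msg[h] for h in ("From", "To", "Subject", "Date")}

def list_attachments(data):
    """Name the members of a zip-based .emlxpart without extracting them."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

if __name__ == "__main__":
    for name, blob in (("16.emlx", SAMPLE_EMLX), ("14.1.2.emlxpart", SAMPLE_EMLXPART)):
        kind = identify(blob)
        print(name, kind, parse_emlx(blob) if kind == "emlx" else list_attachments(blob))
```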
While messages in the user's “Deleted” mail folder can be recovered, those that
have been fully deleted or emptied from trash cannot be found in the Mail folder. A file
carving utility can be used to extract e-mails from a disk image (see the “File Carving”
section earlier in this chapter). Here, e-mails can be recovered, including those that have
been deleted. The examiner can then use the “grep” command to search through all the e-mail
files for specific keywords. In the following example, all the e-mail files (*.email) are
searched for the viaForensics e-mail address shown.
$ cd scalpel-output/email-10-0
With the ability to
perform file carving on a full physical disk image, a significant amount of e-mail content
can be recovered from a device. Unfortunately, a physical acquisition is not always
possible. In the event that only a logical or backup acquisition is possible, the WebKit is
a good place for an examiner to start, and at the very least, e-mail account information can
always be found in the keychain database. Refer back to
Chapter 5 for
details on how passwords stored in this database can be decrypted!