DIGITAL FORENSICS
DA-5
NAME-YASH RAJ SINGH
REG NO.-19BCE0288
Q. Write down the details gathered from the mail header analysis, capture screenshots from each website (tool), and add them after the details.
• All the emails must have your details like Name, [Link], Course, Digital Assignment 5.
• A total of four email headers must be analysed.
ANSWER
TOOLS USED
Website and Tools for Email Header Analyzer.
•[Link]
•[Link]
•[Link]
•[Link]
•[Link]
org/[Link]
•[Link]
AID4MAIL ANALYSIS WITH THUNDERBIRD AND REPORT GENERATED IN PDF, CSV AND XML FILES
5/04/2022
EMAIL 1ST
PERSONAL MAIL
HEADER
Delivered-To: yashrj74@[Link]
Received: by [Link] with SMTP id i9csp1379041mde;
Wed, 20 Apr 2022 [Link] -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyVpDNYrGPbzGukz5iZo2ATO0EzYfDXbHp5Y+sHJEQQ49UyO2BPaFQKeP1+Sj05nAppc/47
X-Received: by [Link] with SMTP id r11-
20020a5d6c6b000000b001ea77eadde8mr15112320wrz.690.1650448660039;
Wed, 20 Apr 2022 [Link] -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1650448660; cv=none;
d=[Link]; s=arc-20160816;
b=aXOs7hB91VREaVBrD0gfffBnTWIjU58GQA738NusHHPaN7fSs10SDym+YuwrFuM1W9
4V424Aw00UgGPrzq7clr0bWEyqji+9laMVQnhXm3If8y+/VqX+0KlczVtisvGXQg9gdV
ejIm8R58H9MROw4U+W7mOxyL0VbY9nzFOZaU8NPUSmKp+tO1dVMe73Ayr0ob3pfJMSIS
y4jvf8IJuaxlpKnb4fKMLu81QyXsU1VjyageD+dRBRoOSZ2LO4P6SlHKwDAtdkePb1Pm
xd7ZaFLLP8VtUXpFY2x37TNo6rYu31a9mQSmQEv/WELKdTj7gqDhGCULklpOLQOwOFA8
ojNA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=[Link]; s=arc-
20160816;
h=list-help:list-unsubscribe:list-id:feedback-id
:content-transfer-encoding:mime-version:subject:message-id:to
:reply-to:from:date:dkim-signature;
bh=fg7PD0+FoUlhHxBty8sr3sxvolM2wgv0WzNouUhmIlA=;
b=Hg+kdS8qiZJ6OVEGl7FpqoJsyszYGFnxPKGlWwIw/dqrC4Kc3WBBiLEdq5vEtOg/Kq
E27fEgvP7qo1Zyr5YG2Tq0tObxFXPd/qaokTe0fFoVrbnJ/XTOD/5YrStvb0RZd0nIsn
vzu0km18/8CpL+xgT4HX7KPa7IL7NaI9jYd580XDCfwWP9rPEWn5gpqCOc+02tp8C7pV
KXxTfRV6LW2vGWPT23TDyYYRWVzfZNk/47UExWxpKwWTOwp0JTtSwpsQm9vepfjEkxm1
thi0vjH1k1XXc073sDvwscVYan1FNsWtqzazpLnVlq54y/BmY8gsamB0iulmkAxhzoAp
bSmA==
ARC-Authentication-Results: i=1; [Link];
dkim=pass header.i=@[Link] header.s=ecm1 header.b=drdulDV+;
spf=pass ([Link]: domain of g-17736452788-17196-1700868853-
1650448645358@[Link] designates [Link] as permitted
sender) [Link]=g-17736452788-17196-1700868853-
1650448645358@[Link];
dmarc=pass (p=REJECT sp=REJECT dis=NONE) [Link]=[Link]
Return-Path: <g-17736452788-17196-1700868853-
1650448645358@[Link]>
Received: from [Link]
([Link]. [[Link]])
by [Link] with ESMTPS id f12-
20020a7bc8cc000000b0038ec7fcb9cdsi3444506wml.58.2022.[Link].39
for <yashrj74@[Link]>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 20 Apr 2022 [Link] -0700 (PDT)
Received-SPF: pass ([Link]: domain of g-17736452788-17196-1700868853-
1650448645358@[Link] designates [Link] as permitted
sender) client-ip=[Link];
Authentication-Results: [Link];
dkim=pass header.i=@[Link] header.s=ecm1 header.b=drdulDV+;
spf=pass ([Link]: domain of g-17736452788-17196-1700868853-
1650448645358@[Link] designates [Link] as permitted
sender) [Link]=g-17736452788-17196-1700868853-
1650448645358@[Link];
dmarc=pass (p=REJECT sp=REJECT dis=NONE) [Link]=[Link]
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=[Link]; q=dns/txt;
s=ecm1; bh=fg7PD0+FoUlhHxBty8sr3sxvolM2wgv0WzNouUhmIlA=; h=date:from:reply-
to:to:subject:message-id:mime-version:content-type:content-transfer-encoding:list-id:list-
help:list-unsubscribe:x-csa-complaints;
b=drdulDV+C2L7ZA/7opgQM4EJeLh2Ax0TW3CAUpHfVUEhTMqUlgsWvtRLy65DimqfBEM/CdAH9EKDMsjsUtmQpEsR/aznvT6JrPuJxrIIKdVlQGgig7Lcj2dphbPCu1iFcPhUVhwTyCvGsP10vBW5/TtEM1qi8JUcLes+lJu2P20=
Received: from [Link] ([Link]
[[Link]]) (envelope-from <g-17736452788-17196-1700868853-
1650448645358@[Link]>) by hp13mtaq112 (mtaq-
receiver/2.20220110.1) with ESMTP id xsK5g5rkmf9R for <yashrj74@[Link]>; Wed, 20
Apr 2022 [Link] +0200
Date: Wed, 20 Apr 2022 [Link] +0200 (CEST)
From: SonyLIV <info@[Link]>
Reply-To: SonyLIV <info-reply@[Link]>
To: yashrj74@[Link]
Message-ID: <wc3spw.l27eid4enjeg5re@[Link]>
Subject: Have you watched Puneeth Rajkumar's latest blockbuster ‘James’ ? Stream now in Hindi!
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Feedback-ID: 1700868853:1700277500:[Link]
X-eC-messenger-mid: 1700868853
List-Id: <[Link]>
X-eC-messenger-cid: 17196
X-eC-messenger-token: s4nit1I85btqk4
List-Unsubscribe:
<[Link]
77500&uid=17736452788&mid=1700868853&siglistunsub=MDLPHDIILNEFPGDA&errorPage
=/public/list_unsubscribe.jsp>, <[Link]
17736452788@[Link]>
X-eC-messenger-sender-domain: [Link]
X-eC-messenger-sendouttypeid: 0
X-eC-messenger-addresseeroleid: 1
X-eC-messenger-recipienttypeid: 2
List-Help: [Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
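The header above is read by hand in the analysis; the same facts (the Received chain from the originating relay to the final mailbox, the SPF/DKIM/DMARC verdicts recorded by the receiving server, and whether Return-Path, Reply-To and the DKIM signing domain line up with the visible From domain) can be pulled out mechanically. The following Python script is an added example and is not part of the original assignment or of any of the tools listed. SAMPLE_HEADER is a constructed header that mirrors the structure of the newsletter header above (Gmail delivery, an ESP bounce address in Return-Path, a DKIM signature in the brand's domain); every domain, IP address, id and signature value in it is a placeholder.

```python
"""Extract the facts an analyst records from a raw email header:
the Received chain (oldest hop first), SPF/DKIM/DMARC results, and
whether Return-Path, Reply-To and the DKIM signing domain align with
the From domain.

Added example, not part of the original assignment. SAMPLE_HEADER is a
constructed header; all domains, IPs, ids and signatures are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_HEADER = """\
Delivered-To: recipient@example.net
Received: by 2002:a05:6000:1 with SMTP id abc123;
        Wed, 20 Apr 2022 06:57:40 -0700 (PDT)
Return-Path: <bounce-123@mailer.example>
Received: from mta.mailer.example (mta.mailer.example. [203.0.113.10])
        by mx.example.net with ESMTPS id def456
        for <recipient@example.net>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 20 Apr 2022 06:57:39 -0700 (PDT)
Authentication-Results: mx.example.net;
       dkim=pass header.i=@brand.example header.s=ecm1 header.b=PLACEHOLDER;
       spf=pass (mx.example.net: domain of bounce-123@mailer.example designates
       203.0.113.10 as permitted sender) smtp.mailfrom=bounce-123@mailer.example;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=brand.example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brand.example; q=dns/txt;
  s=ecm1; bh=PLACEHOLDER=; h=date:from:reply-to:to:subject; b=PLACEHOLDER
Received: from app.mailer.example (app.mailer.example [198.51.100.7])
  by mta.mailer.example with ESMTP id ghi789
  for <recipient@example.net>; Wed, 20 Apr 2022 15:57:39 +0200
Date: Wed, 20 Apr 2022 15:57:39 +0200 (CEST)
From: Brand Newsletter <info@brand.example>
Reply-To: Brand Newsletter <info-reply@brand.example>
To: recipient@example.net
Message-ID: <msg-001@mailer.example>
Subject: Constructed sample newsletter
"""


def _unfold(value):
    """Collapse header folding (newline + indentation) into single spaces."""
    return " ".join(str(value).split())


def _domain(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def received_chain(msg):
    """Each relay prepends its own Received header, so the last one in the
    block is the oldest hop. Returns hops oldest-first."""
    hops = []
    for value in msg.get_all("Received", []):
        text = _unfold(value)
        m_from = re.search(r"\bfrom\s+(\S+)", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
        date = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ip": m_ip.group(1) if m_ip else None,
            "date": date,
        })
    return hops[::-1]


def auth_results(msg):
    """Verdicts recorded by the receiving MTA (not the ARC copy)."""
    text = _unfold(msg.get("Authentication-Results", ""))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text))
    policy = re.search(r"\(p=(\w+)", text)
    results["dmarc_policy"] = policy.group(1) if policy else None
    return results


def sender_identities(msg):
    """Addresses a reader sees versus the ones the protocol actually used."""
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    m = re.search(r"\bd=([^;\s]+)", _unfold(msg.get("DKIM-Signature", "")))
    dkim_domain = m.group(1).lower() if m else ""
    return {
        "from": from_addr,
        "reply_to": reply_to,
        "return_path": return_path,
        "dkim_domain": dkim_domain,
        # Strict alignment (exact domain match). A newsletter relayed by an
        # ESP typically fails Return-Path alignment but passes DKIM alignment,
        # which is enough for DMARC to pass.
        "return_path_aligned": _domain(return_path) == _domain(from_addr),
        "reply_to_aligned": _domain(reply_to) == _domain(from_addr),
        "dkim_aligned": dkim_domain == _domain(from_addr),
    }


def analyse(raw):
    msg = message_from_string(raw)
    return {"hops": received_chain(msg), "auth": auth_results(msg),
            "identity": sender_identities(msg)}


if __name__ == "__main__":
    report = analyse(SAMPLE_HEADER)
    for i, hop in enumerate(report["hops"], 1):
        print(f"hop {i}: {hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['date']}")
    print("auth:", report["auth"])
    print("identity:", report["identity"])
```

Run it on a header saved from the mail client (View Source in Thunderbird) by passing the file contents to analyse(). Only the Authentication-Results header added by the final receiving server is trusted here; any such header that appears below the receiver's own Received line was carried in by an upstream relay and could have been written by anyone.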
2ND SPAM MAIL
EMAIL HEADER
Delivered-To: yashrj74@[Link]
Received: by [Link] with SMTP id r19csp753528mdc;
Fri, 15 Apr 2022 [Link] -0700 (PDT)
X-Google-Smtp-Source:
ABdhPJwIuczjHBcb6fR5n+HoPr/fZJoHs3tQnZuefEO1lSo9ItYTDhTHlKUrsHIbGHWmmNukfRFo
X-Received: by [Link] with SMTP id u34-
20020a056a0009a200b00505974f9fd6mr2341060pfg.12.1650091427174;
Fri, 15 Apr 2022 [Link] -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1650091427; cv=none;
d=[Link]; s=arc-20160816;
b=Vm5N2Xzbl54wiCrO7a0fkMbvFeQpDIyXWSI7AQ706+ftRg6oIipW1EWDVZZ9g8ZpS9
iOdWVJTbBVlf/xnieC7mxW/axb1zwEOwBOf4X+YkUniDeftYhTUKgU0w6PmzSXBBYhxa
KVM6ImB5sOlJcBCv/WzfqXrvgR/KVFLnW0/LS+3eH4k8CwByWbakQA+9wEexNrpf0e5F
fq5Zaqkxwia8EegaVdqh5uIJjtc5tlxHZdAQsYM7W3vRMpRDeIZwhCiQTwqIW3VXvLRI
LOfCGxzao6ipzL1x9n4mEJuEHkt4N2Nvj5ZGv3GXxI+Xk2wS0nKs1N9VIB7Gq7LlFSRC
Vw6A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=[Link]; s=arc-
20160816;
h=dkim-signature:mime-version:subject:message-id:to:reply-to:from
:date:dkim-signature;
bh=bcSwHgdKIqeIrxKfUGEEJzjuPJVs41OsJsn8CIteyFQ=;
b=U3/ddTY+rafAt+/i31KM42QMD0f2VLL8iuWL/EY629i37sXjkuDCdqDuVAww/zebgs
2UyU3HAouKfNZ77RCuOTmi3s2q7dfrRIj6tHwBqN3+glNM3BTHM5e7hmcGf60Ea4Ax/d
xILdHL76dmIX/eOfPZTtgZDkOvuO36aCUNXwraATLhIKALulN/bRBMPhAduXJUNHwzBG
aPYPTnoFUv7FFUre2mwLeOWhSUpV2JN6y9aK0/f9DBC2ajxG7zfy0F+kxiXXTEc5f8sG
yWy8gE5iQN31P7IZizs4nOK/VA4IcA2PjHLYpL7HSD+kYHMz27Cn8I9ofqrMssuFbbdk
iB1g==
ARC-Authentication-Results: i=1; [Link];
dkim=pass header.i=@[Link] header.s=mgtr header.b=bP+cyiKs;
dkim=pass header.i=@[Link] header.s=tr header.b=f2vfxfuF;
spf=pass ([Link]: domain of bounce-71553500000000-0004311612044255985000-
yashrj74=[Link]@[Link] designates [Link] as
permitted sender) [Link]="bounce-71553500000000-0004311612044255985000-
YASHRJ74=[Link]@[Link]"
Return-Path: <bounce-71553500000000-0004311612044255985000-
YASHRJ74=[Link]@[Link]>
Received: from [Link] (emsrv-
[Link]. [[Link]])
by [Link] with ESMTPS id g7-
20020a63b147000000b0039d6172e359si3398393pgp.414.2022.[Link].46
for <yashrj74@[Link]>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 15 Apr 2022 [Link] -0700 (PDT)
Received-SPF: pass ([Link]: domain of bounce-71553500000000-
0004311612044255985000-yashrj74=[Link]@[Link]
designates [Link] as permitted sender) client-ip=[Link];
Authentication-Results: [Link];
dkim=pass header.i=@[Link] header.s=mgtr header.b=bP+cyiKs;
dkim=pass header.i=@[Link] header.s=tr header.b=f2vfxfuF;
spf=pass ([Link]: domain of bounce-71553500000000-0004311612044255985000-
yashrj74=[Link]@[Link] designates [Link] as
permitted sender) [Link]="bounce-71553500000000-0004311612044255985000-
YASHRJ74=[Link]@[Link]"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=mgtr; d=[Link];
h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type;
i=michaelkors@[Link]; bh=bcSwHgdKIqeIrxKfUGEEJzjuPJVs41OsJsn8CIteyFQ=;
b=bP+cyiKsbthsMV8xCE0Rd5CUkxi4gC/eAT3zy9VZevm1BAfHaN6q9oOYAIbywEmjVRMdXhLqka7fp8Bne57Fe+pQkQPHo6S/2oOou9XxTQB/Kilzed9DLqMdJLPWz1qYqXc/QBbXs52ENJOImmDwjX3scNHc0VR7FtVGUqwBXVk=
Date: Sat, 16 Apr 2022 [Link] +0530 (IST)
From: Michael Kors <michaelkors@[Link]>
Reply-To: michaelkors@[Link]
To: yashrj74@[Link]
Message-ID: <[Link]@EFPS_05>
Subject: Easy, Everyday Essentials for Men
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_60168746_761381444.1650091232734"
X-platform: BLR
DKIM-Signature: a=rsa-sha256;
b=f2vfxfuF7R7VwvfaITcKJ3+gX+HEHXdZ3gil8GMH15valmhcyLskg8fh4VbosORNhyOL19Pq94
p5Nm/0RamOhzc499l+TJtWNbjjoPUF5YM41fqyrKH/636/rj9kiJsm2ysRQhg0cRkAxbrbdIyDiUZ
fpqsT7Wbw3iGsct0Nmv8=; s=tr; c=relaxed/relaxed; d=[Link]; v=1;
bh=bcSwHgdKIqeIrxKfUGEEJzjuPJVs41OsJsn8CIteyFQ=; h=From;
------=_Part_60168746_761381444.1650091232734
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
3RD MAIL
TEMP MAIL ID- fipoti8511@[Link]
Received: from [Link] (Unknown [[Link]]) by d5218e916744
(Haraka/2.8.28) with ESMTP id A0A05B1E-7381-4D22-8D8D-85532AF6B1F0.1
envelope-from <trial-mode@[Link]>; Thu, 21 Apr 2022 [Link] +0000
Received: by [Link] with SMTP id h27so8200588lfj.13 for
<fipoti8511@[Link]>; Thu, 21 Apr 2022 [Link] -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=[Link]; s=202101 …
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=[Link]; …
X-Gm-Message-State: AOAM531ejU5MNj+XpgwRjdbzZbeFhiTD4K5pe+EGIcoNwzOvn/GTO26PeKMPh8BMXeq8PA82TNYqvG/1uWwRmE7yc3XuX/oJJob/bfY=
X-Google-Smtp-Source: ABdhPJzMTeyvATCZtUx85iSj/iEsRv0QRujWXgLPs5Tq5wtX5pdVWgmGWC+0oTelzSW9R2FmWU7QbHSeetf6mrKISqI=
X-Received: by [Link] with SMTP id x30-
20020a056512131e00b0046b8cdb1bb6mr18675483lfu.630.1650544700437; Thu, 21 Apr
2022 [Link] -0700 (PDT)
MIME-Version: 1.0
From: Yash Raj Singh <trial-mode@[Link]>
Date: Thu, 21 Apr 2022 [Link] +0530
Message-ID: <CAHMxu=F2YzYeJMji0UvvBwuEySMy8UkHTq2S7TrKXk6uWYMPKg@[Link]>
Subject: [Created with Aid4Mail in trial mode]
To: fipoti8511@[Link]
Content-Type: multipart/alternative; boundary="0000000000008e3b3a05dd29627c"
[Link]
[Link]
[Link]
[Link]
[Link]
4TH EMAIL
TRIAL MAIL ID- toxegef333@[Link]
MAIL HEADER
Received: from [Link] (Unknown [[Link]]) by d5218e916744
(Haraka/2.8.28) with ESMTP id 94DBC2D8-ECE3-48A0-9D79-
D3CEDDA1202F.1 envelope-from <trial-mode@[Link]>; Wed, 20 Apr 2022 [Link]
+0000
Received: by [Link] with SMTP id 17so2789508lji.1 for
<toxegef333@[Link]>; Wed, 20 Apr 2022 [Link] -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=[Link]; s=202101 …
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=[Link]; …
X-Gm-Message-State: AOAM532P5mexHsgGa2qrBVWOGkciVW4w4hguSMM8KGtS3tB+0TruZh8EqOhsgRUPUm0IeyUATjHNzye06+RI9M+utywqsFCbSOtXoRU=
X-Google-Smtp-Source: ABdhPJwUhzVik+JXsD6KeKEL/jhswl3s+PHLO9eOq/LDnfMX/P4Rc3JsZxmlR/G2emhDQYqWwxJeW/H0xsE8Npm8dhE=
X-Received: by [Link] with SMTP id o22-20020a2e90d6000000b002460e44bcf6mr14033626ljg.501.1650476750850; Wed, 20 Apr 2022 [Link] -0700 (PDT)
MIME-Version: 1.0
From: Yash Raj Singh <trial-mode@[Link]>
Date: Wed, 20 Apr 2022 [Link] +0530
Message-ID: <CAHMxu=HhoM9Owc0Hd7FvNW7EtardqArzshVBTY9XRY5TZ0sdfg@[Link]>
Subject: [Created with Aid4Mail in trial mode]
To: toxegef333@[Link]
Content-Type: multipart/alternative; boundary="00000000000071ccdb05dd19901"
[Link]
[Link]
[Link]
[Link]
[Link]
Q2. Identify two unique mobile device forensics tools:
• Write down details about the tools
• Features of the tools
• Pros and cons of the tools
• Compare both forensics tools using a tabular column
TWO TOOLS USED ARE
• Paraben’s Device Seizure
• Cellebrite’s UFED
A) Cellebrite’s UFED
ABOUT AND FEATURES OF THE TOOL
The UFED (Universal Forensics Extraction Device) is a handheld device that can extract data from mobile devices such as smartphones and PDAs. The UFED can connect to mobile devices in a variety of ways, making it adaptable to a wide range of applications.
According to Cellebrite, the UFED can connect to and analyse data from 95 percent of the phones available on the market without altering the data on the phone.
After the phone data has been analysed and copied, the UFED can generate thorough HTML reports that can be printed or emailed (or used as evidence in a court case).
PROS
The UFED can collect and save phonebook, photo, video, text message,
call log, ESN, and IMEI data from mobile devices without the need for an
external computer. It can also be used to perform QCP file format
"system dumps" on mobile devices. Such system dumps can be studied
to recover data that was recently in memory, as well as objects that
were possibly removed recently.
The ease of use and large list of compatible mobile phones are what
make Cellebrite's UFED so versatile. The UFED system comes with 65
connection cables to connect to the vast majority of mobile phones on
the market.
The UFED interfaces to mobile devices or mobile storage with the
following connection types:
• Bluetooth
• USB
• IrDA
• Mini DIN to PC COM Port
• Mini-USB extension
• SIM / USIM reader
• SD Card reader
Local storage, in the form of USB storage or SD cards, can be used to house data from multiple mobile devices. This, paired with the portability of the UFED, makes the tool extremely useful in situations requiring immediate data backup.
CONS
• The tool is proprietary and not free.
• The UFED could also become useful to a malicious user if stolen.
• It does not provide an authentication mechanism for the user of the device.
• The development language is not known.
B) Paraben’s Device Seizure
ABOUT AND FEATURES OF PARABEN DEVICE SEIZURE
With the release of PDA Seizure in early 2002, the Paraben Corporation established itself as a pioneer in specialist computer forensics software. Not long after, Paraben developed Cell Seizure, the first commercial tool for cell phone forensics. Device Seizure v2.2 was created by combining these two tools. Device Seizure acquires and analyses data from over 1,950 mobile devices, PDAs and GPS devices, including the popular iPhone. Unlike many other commercial and free tools, Device Seizure does not allow data to be modified on the device. Tools built not only to read data from a device but also to write data to it create a potentially dangerous situation during a forensic analysis, because the evidence itself can be altered.
PROS
Device Seizure can collect the following information:
• Deleted SMS
• SMS history (text messages)
• A telephone directory (Both stored in the memory of the phone and on
the SIM card)
• Call History - received calls, dialled numbers, missed calls, as well as
call dates and lengths
• A calendar
• Timetabler
• Create a calendar
• Checklist
• Physical memory dumps (file system):
• Files in the system
• Multimedia documents (images, videos, etc.)
• Files in Java
CONS
• Device Seizure does not support many common phone types.
• Device Seizure may not be able to acquire any data even if the device has been tested by Paraben.
• This is a significant disadvantage because the product is not very affordable; its price starts at $1095.
• Lastly, given the price of this product, you would assume that a password-protected device could also be recovered by Device Seizure. However, an additional password recovery software tool is required.
TABULAR COLUMN
Each row compares Paraben Device Seizure (left) with Cellebrite UFED (right).
Popularity
• Paraben Device Seizure: Less used tool
• Cellebrite UFED: More commonly used tool
Device coverage
• Paraben Device Seizure: Around 65% of available phones can be used
• Cellebrite UFED: Around 95% of available phones can be used
Cases where acquisition fails
• Paraben Device Seizure: If a user’s device has no data connection, has been flashed with a firmware update, has been unlocked to work on different networks, has been dropped and damaged, has had internal firmware failures, or requires a different driver set, etc., Device Seizure is perhaps unable to perform a forensic examination on the device.
• Cellebrite UFED: The methods of circumvention would be specific to the device.
Price
• Paraben Device Seizure: More expensive than Cellebrite UFED
• Cellebrite UFED: Cheaper
Supported phones and updates
• Paraben Device Seizure: Initially supports the following cell phone manufacturers: LG, Motorola (including iDEN), Nokia, Siemens, Samsung, Sony-Ericsson and, as previously mentioned, the iPhone.
• Cellebrite UFED: Cellebrite claims that it provides updates to its customers to continuously add support for phones as they become available.
Security
• Paraben Device Seizure: More secure tool
• Cellebrite UFED: Less secure than Paraben Device Seizure