An analysis of Hotmail artefacts in Firefox 9

Webmail is a convenient way of accessing emails via a web browser on any computer connected to the Internet and it has gained popularity amongst Internet users. Many webmail service providers offer a free email service where users can set up an email account online by supplying their personal details and choosing a preferred username. Email artefacts such as usernames, aliases, message subject and body may be useful in a digital investigation and thus require recovery and analysis. Unlike client based email software where a user’s messages are stored locally on the hard disk, webmail messages are stored remotely on the webmail provider’s servers, potentially making it difficult for digital investigators to obtain relevant artefacts. However, since webmail is accessed through a browser and browsers leave their own artefacts, it may be possible to recover artefacts that may be useful in investigations. This paper discusses certain artefacts that can be left on a user’s hard disk as a result of using Hotmail. For instance, artefacts that could be used to infer when an email account was created and the details supplied at set up; details of exchanged emails such as who a user sent an email to, when the email was sent and whether it was replied to; full or partial contents of the email; details of contacts that had been added, edited, deleted or restored by the account user. The experiments are carried out on Hotmail using Firefox 9 and involve the analysis of the various file formats used by Firefox as well as their evidential value. The research also involves a multi-tool analysis technique which is necessary due to the differences in the format of artefacts recovered and to ensure the accurate interpretation of data. A hex editor, SQLite analysis tool, standalone JSON viewer, and a cache analysis tool are some of the tools identified as useful and are discussed in this paper.