CHFI (312-49) Digital Forensics Simulation

Welcome to this digital forensics scenario. You will analyze email server logs to trace the origin and routing of suspicious communications, focusing on SMTP artifact identification.

Investigation Scenario

During an email-forensics investigation at a corporate headquarters in Chicago, several executives reported receiving sophisticated phishing emails designed to look like internal legal subpoenas. A forensic analyst has acquired a forensically sound image of the corporate mail server's storage volume and has begun carving out log files.

To determine the origin of the attack and build an accurate timeline of the intrusion attempts, the investigator zeroes in on the raw SMTP transit logs generated during the timeframe of the incident.

Evidence Collected

> CASE ID: INV-2026-044-CHI
> ARTIFACT: /var/log/maillog (Extracted from E01 Image)
> HASH VERIFIED: 9a3b8c2d1e4f9a7b3c4d5e6f7a8b9c0d
>
> --- LOG EXCERPT ---
> Apr 10 14:22:05 mx01 postfix/smtpd[28391]: connect from unknown[198.51.100.45]
> Apr 10 14:22:06 mx01 postfix/smtpd[28391]: 3A2B1C4D5E: client=unknown[198.51.100.45]
> Apr 10 14:22:06 mx01 postfix/cleanup[28394]: 3A2B1C4D5E: message-id=<20260410142206.5E4D@attacker-box.local>
> Apr 10 14:22:06 mx01 postfix/qmgr[1452]: 3A2B1C4D5E: from=<legal@chicago-corp-secure.com>, size=4821, nrcpt=1 (queue active)
> Apr 10 14:22:07 mx01 postfix/smtp[28395]: 3A2B1C4D5E: to=<ceo@chicago-corp.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.2, delays=0.1/0/0/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7B8C9D0E1F)
> Apr 10 14:22:07 mx01 postfix/smtpd[28391]: disconnect from unknown[198.51.100.45]

Question

During an email-forensics investigation in Chicago, an analyst is examining the SMTP logs of a mail server to trace the path of a suspicious email. Which of the following information can be found in the SMTP logs?

Forensic Hint: SMTP (Simple Mail Transfer Protocol) is responsible strictly for the routing and delivery of messages. Think about what a post office records when a package moves through a sorting facility.

Expert Analysis

1. What the Evidence Shows

The extracted maillog artifact clearly documents an inbound SMTP connection. It explicitly shows the source IP address (198.51.100.45), the date and time of the transaction (Apr 10 14:22:05), the sender's claimed address (from=<legal@chicago-corp-secure.com>), and the target recipient (to=<ceo@chicago-corp.com>).
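As an added example (not part of the original simulation), the following Python parser pulls those same transit fields out of the page's maillog excerpt, groups them by Postfix queue ID, records the connect/disconnect session events, and flags that the Message-ID host does not match the envelope sender's domain. The function names and the mismatch heuristic are my own, not a CHFI procedure.

```python
import re
from collections import defaultdict

# Log lines copied from the page's evidence excerpt (/var/log/maillog, case INV-2026-044-CHI).
MAILLOG = """\
Apr 10 14:22:05 mx01 postfix/smtpd[28391]: connect from unknown[198.51.100.45]
Apr 10 14:22:06 mx01 postfix/smtpd[28391]: 3A2B1C4D5E: client=unknown[198.51.100.45]
Apr 10 14:22:06 mx01 postfix/cleanup[28394]: 3A2B1C4D5E: message-id=<20260410142206.5E4D@attacker-box.local>
Apr 10 14:22:06 mx01 postfix/qmgr[1452]: 3A2B1C4D5E: from=<legal@chicago-corp-secure.com>, size=4821, nrcpt=1 (queue active)
Apr 10 14:22:07 mx01 postfix/smtp[28395]: 3A2B1C4D5E: to=<ceo@chicago-corp.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.2, delays=0.1/0/0/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7B8C9D0E1F)
Apr 10 14:22:07 mx01 postfix/smtpd[28391]: disconnect from unknown[198.51.100.45]
"""

# syslog prefix, postfix daemon, optional queue ID, then the free-form remainder
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/(?P<proc>\w+)\[\d+\]: "
                     r"(?:(?P<qid>[0-9A-F]{6,}): )?(?P<msg>.*)$")
# envelope/transit fields of interest: key=<bracketed address> or key=bare-token
KV_RE = re.compile(r"\b(?P<key>client|message-id|from|to|relay|status)=(?P<val><[^>]*>|[^,\s]+)")
SESSION_RE = re.compile(r"^(?P<event>connect|disconnect) from \S+\[(?P<ip>[^\]]+)\]")

def parse_maillog(text):
    """Return ({queue_id: fields}, [(timestamp, event, ip)]) from raw Postfix maillog text."""
    messages, sessions = defaultdict(dict), []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        if m["qid"] is None:                     # smtpd connect/disconnect: no queue ID yet
            s = SESSION_RE.match(m["msg"])
            if s:
                sessions.append((m["ts"], s["event"], s["ip"]))
            continue
        rec = messages[m["qid"]]
        rec.setdefault("first_seen", m["ts"])
        for kv in KV_RE.finditer(m["msg"]):
            rec[kv["key"]] = kv["val"].strip("<>")
        requeue = re.search(r"queued as ([0-9A-F]+)", m["msg"])
        if requeue:                              # content filter re-injected it under a new ID
            rec["requeued_as"] = requeue.group(1)
    return dict(messages), sessions

def client_ip(rec):
    """Pull the bare IP out of a value such as 'unknown[198.51.100.45]'."""
    ip = re.search(r"\[([^\]]+)\]", rec.get("client", ""))
    return ip.group(1) if ip else None

def message_id_domain_mismatch(rec):
    """Heuristic (mine, not the page's): Message-ID host differs from the MAIL FROM domain."""
    mid_host = rec.get("message-id", "").rpartition("@")[2]
    from_domain = rec.get("from", "").rpartition("@")[2]
    return bool(mid_host and from_domain) and mid_host.lower() != from_domain.lower()
```

Run on the excerpt, queue ID 3A2B1C4D5E yields the envelope pair, the Message-ID, the internal relay's second queue ID 7B8C9D0E1F, and a mismatch flag, which is the timeline an analyst builds before pivoting on the source IP and Message-ID.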

2. Forensic Stage

This falls under the Examination and Analysis phase. The investigator is analyzing server-side application logs to trace digital movement, establish timelines, and extract Indicators of Compromise (IoCs).

3. Why the Correct Answer is Correct

Option A is correct. SMTP is the protocol used to transport email across the internet. Its logs are transactional and focus entirely on metadata regarding the delivery process. Consequently, SMTP logs will always record connection timestamps, connecting IP addresses, and the SMTP envelope data (MAIL FROM and RCPT TO addresses).

4. Why Others are Wrong

B is incorrect: While SMTP transmits the content, standard SMTP server logs do not store the email body or attachments due to privacy and storage constraints. To find content, an investigator must examine the recipient's mailbox (e.g., EDB, PST files) or a packet capture (PCAP) of the active session.

C is incorrect: Authentication credentials (passwords) are not logged in clear text within transit logs. Security best practices and standard logging configurations prevent the recording of passwords.

D is incorrect: Browsing history is an endpoint artifact (found in browser caches, index.dat, or WebCacheV01.dat). A mail transit server has absolutely no access to the local browsing activity of a connecting client.

5. Real-World Forensic Action

In a real investigation, a forensic analyst uses these SMTP logs to map the attack infrastructure. The identified source IP (198.51.100.45) will be checked against Threat Intelligence platforms, and the firewall will be updated to block future connections. The message-id is then used to track the malicious message into the internal Exchange/O365 environment to purge it from user inboxes.

MINI LESSON: Email Forensic Artifacts

  • SMTP Logs: Used to trace routing, timestamps, and IP origins. They contain the envelope sender/recipient data.
  • Email Headers (RFC 5322): Contains the client's internal IP addresses, mail client (User-Agent), and routing hops (Received lines).
  • Mailbox Files (PST/OST/EDB/MBOX): Used to recover actual message content, attachments, and read-status flags.
  • POP3/IMAP Logs: Used to track when a user accessed or downloaded their mail from the server.
