
91.580.203 Computer & Network Forensics



Presentation Transcript


  1. 91.580.203 Computer & Network Forensics Xinwen Fu Chapter 13 E-mail Investigations

  2. Outline • Introduction to Email investigation • Trace email senders

  3. Email

  4. E-mail Crimes and Violations
  • Spam emails
    • Becoming commonplace
    • Legal or not depends on the city, state, or country; always consult with an attorney
  • Crimes involving e-mails:
    • Narcotic trafficking
    • Extortion
    • Sexual harassment

  5. Investigating E-mail Crimes and Violations
  • Similar to other types of investigations
  • Goals
    • Find who is behind the crime
    • Collect the evidence
    • Present your findings
    • Build a case

  6. Examining E-mail Messages • Access victim’s computer and retrieve evidence • Investigate the victim’s e-mail • Find and copy evidence in the e-mail • Access protected or encrypted material • Print e-mails • Open and copy e-mail including headers • Sometimes you will deal with deleted e-mails

  7. Outline • Introduction to Email investigation • Trace email senders

  8. Tracing Normal Emails
  • Name conventions
    • Corporate: john.smith@somecompany.com
    • Everything after @ belongs to the domain name
  • Tracing corporate e-mails is easier

  9. Tracing Emails from Public Email Servers • Can you send seemingly anonymous emails from public email accounts such as Yahoo, Hotmail, etc.? • Public: whatever@hotmail.com

  10. Tracing by Viewing E-mail Headers
  • Learn how to find e-mail headers
    • GUI clients
    • Command-line clients
    • Web-based clients
  • Headers contain useful information
    • Unique identifying numbers
    • Sending time
    • IP address of sending email server
    • IP address of the email client

  11. SMTP (simple mail transfer protocol): from Bob to Alice
  • Each SMTP server on the path prepends its own "Received:" header at the head of the e-mail, so the newest header is on top
  • The first "Received: from" line added (the bottom-most one when reading the header top-down) identifies the hop closest to the sender
  (Figure: Bob → SMTP server 1 → SMTP server 2 → SMTP server 3 → Alice)

  12. Trace back to a naive spammer
    From doris_ben01@hotmail.com Wed Sep 14 13:30:34 2005
    Received: from smtp-relay.tamu.edu (smtp-relay.tamu.edu [165.91.143.199])
        by pine.cs.tamu.edu (8.12.9/8.12.9) with ESMTP id j8EIUUSt013552;
        Wed, 14 Sep 2005 13:30:30 -0500 (CDT)
    Received: from hotmail.com (bay22-f12.bay22.hotmail.com [64.4.16.62])
        by smtp-relay.tamu.edu (8.13.3/8.13.3/oc) with ESMTP id j8EIUa3V052539;
        Wed, 14 Sep 2005 13:30:37 -0500 (CDT)
        (envelope-from doris_ben01@hotmail.com)
    Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
        Wed, 14 Sep 2005 11:30:22 -0700
    Message-ID: <BAY22-F12906DA8E15D93E4EA3F5D9B9F0@phx.gbl>
    Received: from 212.100.250.207 by by22fd.bay22.hotmail.msn.com with HTTP;
        Wed, 14 Sep 2005 18:30:22 GMT
    X-Originating-IP: [212.100.250.207]
    X-Originating-Email: [doris_ben01@hotmail.com]
    X-Sender: doris_ben01@hotmail.com
    From: "Doris Benson" doris_ben01@hotmail.com
    Bcc:
    Subject: REPLY NEEDED
    Date: Wed, 14 Sep 2005 14:30:22 -0400
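Slides 11 and 12 describe the header chain in words: each MTA prepends a Received: line, so the bottom-most line is the first hop and X-Originating-IP names the client. The script below is an added example (not part of the lecture slides) that walks that chain programmatically with Python's standard email module. The sample input is the slide's own spammer header, re-wrapped one field per line and with angle brackets added around the From address so the parser accepts it; the parsing regex and the clock-skew check are this example's own assumptions, not a standard tool.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample input: the header from the "naive spammer" slide,
# re-wrapped one field per line (folded continuation lines keep a leading space).
RAW_HEADER = """\
Received: from smtp-relay.tamu.edu (smtp-relay.tamu.edu [165.91.143.199])
 by pine.cs.tamu.edu (8.12.9/8.12.9) with ESMTP id j8EIUUSt013552;
 Wed, 14 Sep 2005 13:30:30 -0500 (CDT)
Received: from hotmail.com (bay22-f12.bay22.hotmail.com [64.4.16.62])
 by smtp-relay.tamu.edu (8.13.3/8.13.3/oc) with ESMTP id j8EIUa3V052539;
 Wed, 14 Sep 2005 13:30:37 -0500 (CDT)
 (envelope-from doris_ben01@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
 Wed, 14 Sep 2005 11:30:22 -0700
Message-ID: <BAY22-F12906DA8E15D93E4EA3F5D9B9F0@phx.gbl>
Received: from 212.100.250.207 by by22fd.bay22.hotmail.msn.com with HTTP;
 Wed, 14 Sep 2005 18:30:22 GMT
X-Originating-IP: [212.100.250.207]
X-Originating-Email: [doris_ben01@hotmail.com]
X-Sender: doris_ben01@hotmail.com
From: "Doris Benson" <doris_ben01@hotmail.com>
Subject: REPLY NEEDED
Date: Wed, 14 Sep 2005 14:30:22 -0400

(body omitted)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "from <sending host/comment> by <receiving host> ..." (assumed layout, matches sendmail/IIS lines above)
HOP_RE = re.compile(r"^from\s+(?P<frm>.+?)\s+by\s+(?P<by>\S+)", re.I)


def parse_received(value):
    """Split one Received: value into from-host, from-IP, by-host and a UTC timestamp."""
    value = " ".join(value.split())               # unfold continuation lines
    clause, _, stamp = value.rpartition(";")      # text after the last ';' is the timestamp
    m = HOP_RE.match(clause)
    if not m:
        return None
    frm = m.group("frm")
    ip = re.search(r"\[(" + IPV4 + r")\]", frm)   # "[a.b.c.d]" is what the receiving MTA saw
    if ip:
        from_ip = ip.group(1)
    elif re.fullmatch(IPV4, frm):                 # bare IP literal, as in the webmail hop
        from_ip = frm
    else:
        from_ip = None                            # e.g. "mail pickup service" (internal handoff)
    stamp = re.sub(r"\s*\([^)]*\)", "", stamp).strip()   # drop "(CDT)", "(envelope-from ...)"
    when = parsedate_to_datetime(stamp).astimezone(timezone.utc)
    return {"from_host": frm.split(" (")[0], "from_ip": from_ip,
            "by": m.group("by"), "time_utc": when}


def trace(raw_message):
    """Return the X-Originating-IP and the Received: chain ordered sender -> recipient."""
    msg = message_from_string(raw_message)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    hops.reverse()   # each MTA prepends its line, so the bottom line is the first hop
    m = re.search(IPV4, msg.get("X-Originating-IP", ""))
    return {"originating_ip": m.group(0) if m else None, "hops": hops}


def clock_skew_warnings(hops):
    """Flag hops stamped earlier than the previous hop: MTA clocks are not synchronised,
    so timestamps from different servers must not be compared to the second."""
    warnings = []
    for i in range(1, len(hops)):
        delta = (hops[i]["time_utc"] - hops[i - 1]["time_utc"]).total_seconds()
        if delta < 0:
            warnings.append((i, int(delta)))
    return warnings


if __name__ == "__main__":
    result = trace(RAW_HEADER)
    print("X-Originating-IP:", result["originating_ip"])
    for n, h in enumerate(result["hops"], 1):
        print(f"hop {n}: {h['from_host']} [{h['from_ip']}] -> {h['by']} at {h['time_utc']:%H:%M:%S} UTC")
    for i, delta in clock_skew_warnings(result["hops"]):
        print(f"warning: hop {i + 1} is stamped {-delta}s before hop {i}; treat the times as approximate")
```

Run stand-alone it lists four hops, starting at 212.100.250.207 (the webmail client) and ending at pine.cs.tamu.edu, and reports that the tamu.edu relay's stamp is seven seconds later than the final server's, which is the clock-skew caveat every header timeline needs.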

  13. Standard intelligence collecting techniques
  • Whois – databases with a compilation of information designed to maintain contact information for network resources
    • Name service based whois
      • Information about a domain
      • Example: whois uml.edu or http://www.whois.sc/
    • Network service based whois
      • Information about network management data
      • Boundary of a network
      • Example: whois -h whois.arin.net 66.38.151.10 (ARIN - American Registry for Internet Numbers, http://ws.arin.net/whois)

  14. Domain name system (DNS)
  • DNS: mapping between numeric IP addresses and names
  • dig
    • Get a domain name's IP and nameservers: dig www.uml.edu
      • SERVER: 129.63.16.100#53(129.63.16.100)
    • Query the mail servers (port 25) of a domain: dig www.uml.edu MX
  • nslookup – same as dig but obsolete

  15. Google Email Header (Cont.)

  16. Google Email Header (Cont.)

  17. Yahoo Email Header

  18. Yahoo Email Header (Cont.)

  19. Hotmail Email Header • then

  20. Hotmail Email Header (Cont.) • then

  21. Hotmail Email Header (Cont.) • Now

  22. Hotmail Email Header (Cont.)
  • View E-mail Message Source
  • Every email sent directly from a Hotmail account or other special mail server contains the "X-Originating-IP" or "X-Sender-Ip" field in the message headers. This number indicates the IP address (or the specific computer ID) the person was using at the time they sent the email

  23. Thunderbird Email Header

  24. Once you identify the IP address … • To find the suspect, you may have to check a lot of computer logs to identify the suspect
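The slide's last step, checking "a lot of computer logs" for the IP once the header has given it up, is where time zones bite: the header above carries stamps in -0500, -0700, GMT and -0400, and the logs being searched will use yet another zone. The script below is an added example (not part of the lecture) showing how to normalise the header's Date: value and a server's log timestamps to UTC before matching. The access log is a constructed sample in common log format for a hypothetical server the investigator has lawful access to; the five-minute window is this example's own assumption.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

SUSPECT_IP = "212.100.250.207"                    # X-Originating-IP from the header slide
HEADER_DATE = "Wed, 14 Sep 2005 14:30:22 -0400"   # the message's Date: header (-0400)

# Constructed sample log (common log format), stamped in US Central time (-0500),
# i.e. a different zone from the e-mail header.
ACCESS_LOG = """\
10.0.0.5 - - [14/Sep/2005:13:10:01 -0500] "GET /index.html HTTP/1.1" 200 1043
212.100.250.207 - - [14/Sep/2005:13:29:50 -0500] "POST /webmail/login HTTP/1.1" 302 0
212.100.250.207 - - [14/Sep/2005:13:30:15 -0500] "POST /webmail/compose HTTP/1.1" 200 512
203.0.113.9 - - [14/Sep/2005:13:31:02 -0500] "GET /robots.txt HTTP/1.1" 404 0
212.100.250.207 - - [14/Sep/2005:16:45:00 -0500] "GET /index.html HTTP/1.1" 200 1043
"""

# client-ip ident user [timestamp] "request" ... (only the fields we need)
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_clf_time(ts):
    """Parse a CLF timestamp such as 14/Sep/2005:13:29:50 -0500 into an aware UTC datetime."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)


def find_hits(log_text, ip, anchor_rfc2822, window_minutes=5):
    """Return (utc_time, request) for log lines from `ip` within +/- window of the header date.
    Both sides are converted to UTC first, so the log's zone never has to equal the header's."""
    anchor = parsedate_to_datetime(anchor_rfc2822).astimezone(timezone.utc)
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m or m.group("ip") != ip:
            continue
        when = parse_clf_time(m.group("ts"))
        if abs(when - anchor) <= window:
            hits.append((when, m.group("req")))
    return hits


if __name__ == "__main__":
    for when, req in find_hits(ACCESS_LOG, SUSPECT_IP, HEADER_DATE):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {SUSPECT_IP}  {req}")
```

Only the two requests bracketing the message's send time are returned; the evening request from the same address falls outside the window and is excluded rather than mixed into the timeline. Widen the window when the header chain shows clock skew between servers.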

  25. Using Specialized E-mail Forensics Tools
  • Tools
    • AccessData’s FTK
    • EnCase
    • FINALeMAIL
    • Sawmill-GroupWise
    • DBXtract
    • MailBag Assistant
    • Paraben

