91.580.203 Computer & Network Forensics Xinwen Fu Chapter 13 E-mail Investigations
Outline • Introduction to Email investigation • Trace email senders
E-mail Crimes and Violations • Spam emails • Becoming commonplace • Whether spam is legal depends on the city, state, or country; always consult with an attorney • Crimes involving e-mails: • Narcotic trafficking • Extortion • Sexual harassment
Investigating E-mail Crimes and Violations • Similar to other types of investigations • Goals • Find who is behind the crime • Collect the evidence • Present your findings • Build a case
Examining E-mail Messages • Access victim’s computer and retrieve evidence • Investigate the victim’s e-mail • Find and copy evidence in the e-mail • Access protected or encrypted material • Print e-mails • Open and copy e-mail including headers • Sometimes you will deal with deleted e-mails
Outline • Introduction to Email investigation • Trace email senders
Tracing Normal Emails • Name conventions • Corporate: john.smith@somecompany.com • Everything after @ belongs to the domain name • Tracing corporate e-mails is easier
Tracing Emails from Public Email Servers • Can you send seemingly anonymous emails from public email accounts such as Yahoo, Hotmail, etc.? • Public: whatever@hotmail.com
Tracing by Viewing E-mail Headers • Learn how to find e-mail headers • GUI clients • Command-line clients • Web-based clients • Headers contain useful information • Unique identifying numbers • Sending time • IP address of sending email server • IP address of the email client
SMTP (simple mail transfer protocol): from Bob to Alice • Each SMTP server the message passes through prepends its own Received: header, so the newest header sits at the top of the e-mail • The earliest-added Received: from line (the one nearest the bottom of the header) identifies the hop closest to the sender • [Figure: Bob → SMTP server 1 → SMTP server 2 → SMTP server 3 → Alice; diagram not reproduced]
Trace back to a naive spammer
  From doris_ben01@hotmail.com Wed Sep 14 13:30:34 2005
  Received: from smtp-relay.tamu.edu (smtp-relay.tamu.edu [165.91.143.199])
      by pine.cs.tamu.edu (8.12.9/8.12.9) with ESMTP id j8EIUUSt013552;
      Wed, 14 Sep 2005 13:30:30 -0500 (CDT)
  Received: from hotmail.com (bay22-f12.bay22.hotmail.com [64.4.16.62])
      by smtp-relay.tamu.edu (8.13.3/8.13.3/oc) with ESMTP id j8EIUa3V052539;
      Wed, 14 Sep 2005 13:30:37 -0500 (CDT)
      (envelope-from doris_ben01@hotmail.com)
  Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
      Wed, 14 Sep 2005 11:30:22 -0700
  Message-ID: <BAY22-F12906DA8E15D93E4EA3F5D9B9F0@phx.gbl>
  Received: from 212.100.250.207 by by22fd.bay22.hotmail.msn.com with HTTP;
      Wed, 14 Sep 2005 18:30:22 GMT
  X-Originating-IP: [212.100.250.207]
  X-Originating-Email: [doris_ben01@hotmail.com]
  X-Sender: doris_ben01@hotmail.com
  From: "Doris Benson" doris_ben01@hotmail.com
  Bcc:
  Subject: REPLY NEEDED
  Date: Wed, 14 Sep 2005 14:30:22 -0400
Standard intelligence collecting techniques • Whois – databases that compile contact information for network resources • Name service based whois • Information about a domain • Example: whois uml.edu or http://www.whois.sc/ • Network service based whois • Information about network management data • Boundary of a network • Example: whois -h whois.arin.net 66.38.151.10 (ARIN - American Registry for Internet Numbers, http://ws.arin.net/whois)
Domain name system (DNS) • DNS: mapping between numeric IP addresses and names • dig • Get a domain name's IP and nameservers: dig www.uml.edu • Example output line: SERVER: 129.63.16.100#53(129.63.16.100) • To query the mail servers (port 25) of a domain: dig www.uml.edu MX • nslookup – same as dig but obsolete
Hotmail Email Header • [Two screenshot slides showing how to open the message header in Hotmail; images not reproduced]
Hotmail Email Header (Cont.) • View E-mail Message Source • Every e-mail sent directly from a Hotmail account (or another special mail server) carries an "X-Originating-IP" or "X-Sender-IP" field in its headers • This value is the IP address (identifying the specific computer) the person was using at the time they sent the e-mail
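An added example, not part of the slides, that automates the two checks above: it walks the Received: chain from the "naive spammer" header (reversing it so the sender-side hop comes first) and cross-checks the earliest hop's IP against X-Originating-IP. The sample header is a constructed, trimmed copy of the slide's example; only the Python standard library is used.

```python
"""Walk the Received: chain of an e-mail header to find the sender-side hop."""
import re
from email import message_from_string

# Constructed sample (not a real capture), trimmed from the spam header in these slides.
SAMPLE_HEADERS = (
    "Received: from smtp-relay.tamu.edu (smtp-relay.tamu.edu [165.91.143.199])\n"
    "\tby pine.cs.tamu.edu (8.12.9/8.12.9) with ESMTP id j8EIUUSt013552;\n"
    "\tWed, 14 Sep 2005 13:30:30 -0500 (CDT)\n"
    "Received: from hotmail.com (bay22-f12.bay22.hotmail.com [64.4.16.62])\n"
    "\tby smtp-relay.tamu.edu (8.13.3/8.13.3/oc) with ESMTP id j8EIUa3V052539;\n"
    "\tWed, 14 Sep 2005 13:30:37 -0500 (CDT)\n"
    "Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;\n"
    "\tWed, 14 Sep 2005 11:30:22 -0700\n"
    "Received: from 212.100.250.207 by by22fd.bay22.hotmail.msn.com with HTTP;\n"
    "\tWed, 14 Sep 2005 18:30:22 GMT\n"
    "X-Originating-IP: [212.100.250.207]\n"
    "From: \"Doris Benson\" <doris_ben01@hotmail.com>\n\n"
)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP = re.compile(r"from\s+(.+?)\s+by\s+(\S+)", re.IGNORECASE)

def parse_received_chain(raw_headers):
    """Return hops in transit order (sender side first): relays prepend their
    Received: line, so the header lists hops newest-first and we reverse it."""
    hops = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        value = re.sub(r"\s+", " ", value)          # unfold continuation lines
        clause, sep, date = value.rpartition(";")   # timestamp follows the last ';'
        if not sep:
            clause, date = value, ""
        m = HOP.search(clause)
        if not m:
            continue                                # not a from/by hop; skip it
        ip = IPV4.search(m.group(1))
        hops.append({"from": m.group(1), "by": m.group(2),
                     "ip": ip.group(1) if ip else None, "date": date.strip()})
    hops.reverse()
    return hops

def originating_ip(raw_headers):
    """Earliest hop that names an IP, cross-checked against X-Originating-IP."""
    first = next((h["ip"] for h in parse_received_chain(raw_headers) if h["ip"]), None)
    x_orig = IPV4.search(message_from_string(raw_headers).get("X-Originating-IP", ""))
    x_orig = x_orig.group(1) if x_orig else None
    # A mismatch means a relay rewrote the header or a line was forged: inspect by hand.
    return {"received": first, "x_originating_ip": x_orig, "consistent": first == x_orig}

if __name__ == "__main__":
    print(originating_ip(SAMPLE_HEADERS))
```

Only the bottom-most Received: line that a trusted relay wrote can be relied on; anything below the first hop you control may have been forged by the sender, which is why the cross-check flags disagreement for manual review.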
Once you identify the IP address … • Knowing the IP address is not the end: you may have to check many computer and network logs before you can tie it to a suspect
Using Specialized E-mail Forensics Tools • Tools • AccessData’s FTK • EnCase • FINALeMAIL • Sawmill-GroupWise • DBXtract • MailBag Assistant • Paraben