Lecture 15 Network Forensics Internet Information - Anonymity Winter 2010 CSCD 496 Computer Forensics
Lecture Outline • Two Main Topics • Anonymity • Hiding your identity on the Internet • E-mail anonymity
Introduction • Internet - huge repository of information • A lot of information stored on Internet applications and servers • Today, look at becoming anonymous on the Internet • Look at anonymity servers and remailers • Should have had a chance to try out remailer from the lab
Introduction • Problem with Internet information • Tracing activity to an individual is hard • Why might you want to be anonymous?
Anonymity • Important • Investigators need to know • How to hide themselves on-line • How criminals and others hide themselves on-line • Undercover for gambling, child porn, drugs or stolen merchandise • What do you want to conceal? • Name, address, tel. number, IP address • Lots of ways to do this ...
Free ISPs • Hiding On-line • Free ISPs – dial in without ID • Netzero is one that is free • NetZero launched in 1998, first free internet service provider • Grew to 1,000,000 users in six months • Limited to 10 hours/month • Bought Juno • Another service • http://www.fastfreedialup.com/
Free ISPs • What does that get you? • Use a dial-up modem and provider such as Earthlink, Juno, or NetZero to connect to the Internet • Every time you dial in and connect to the Internet there is a very good chance that your IP address will be different • Calling different access numbers (different cities, different States even) will increase chance of getting a unique IP address
Proxies • Another way to conceal your IP while surfing the Web • Direct all page requests through a proxy • Proxy – a remote machine you connect through to reach the Net; it forwards your traffic, so connections appear to originate from the proxy • Web server logs record the IP of the proxy instead of the actual client IP • Not all of them are free • Web proxy sites • http://www.the-cloak.com/anonymous-surfing-home.html • http://anon.inf.tu-dresden.de/ • https://proxy.org/ (a whole bunch at one site)
Browser Proxies • Browser proxies • Add-on to your browser allows automated switching according to rules you set • Example: FoxyProxy for Firefox • FoxyProxy Firefox extension automatically switches an internet connection across one or more proxy servers based on URL pattern • FoxyProxy automates manual process of editing Firefox's Connection Settings dialog
Results of Proxies • Proxies • What is accomplished by a proxy? • Hides your IP in Web logs • Makes it more difficult to find originating IP since must go back to proxy server to get IP of suspect • Connect to IRC or ICQ with a proxy • Not all of the ones on previous page allow this • Minimizes cookies and other types of tracking
VPN Connections • How do they work? • Virtual Private Network (VPN) providers: a VPN is a special network that lets computers securely and privately access resources through it • Computers configured to use a VPN can forward all traffic through the VPN and obscure their actual IP address • A commercial service will have access to your billing information
Paid VPNs • Several paid services https://www.relakks.com/faq/legal/ • Swedish broadband service • Really interesting terms of service • Other VPN services • http://blacklogic.com/ • http://www.piratpartiet.se/international/english • http://www.hotspotvpn.com/
Tests for Your Anonymity • WhatsMyIP http://www.whatsmyip.org/ • Privacy Test http://privacy.net/analyze-your-internet-connection/ • Lagado Test http://www.lagado.com/proxytest • Zaloop http://zaloop.net
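As an added example (not from the lecture), the server-side logic behind a proxy test like the ones listed above, in Python with constructed sample requests: it compares the peer address the web server logs with the client-identifying headers a proxy may insert. The header names and verdict labels are this example's assumptions about how such tests commonly work.

```python
import re

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Headers a forwarding proxy may add to the request it relays. A "transparent"
# proxy leaks the client's address in one of the first group; an "anonymous"
# proxy announces itself (Via etc.) but withholds the client; a high-anonymity
# proxy adds none of them, so only the proxy's own IP ever reaches the server.
# Assumption: these header names are the ones such tests commonly inspect.
CLIENT_IP_HEADERS = ("X-Forwarded-For", "Client-IP", "X-Real-IP", "Forwarded-For")
PROXY_MARKER_HEADERS = ("Via", "Proxy-Connection", "X-Proxy-ID")

def classify_request(remote_addr: str, headers: dict) -> dict:
    """Classify one HTTP request the way a proxy-test page would.
    remote_addr is the TCP peer address (what the web server log records);
    headers is the request header map exactly as received."""
    norm = {k.lower(): v for k, v in headers.items()}
    leaked = None
    for name in CLIENT_IP_HEADERS:
        value = norm.get(name.lower())
        if not value:
            continue
        # X-Forwarded-For may carry a chain "client, proxy1, proxy2";
        # the leftmost entry is the address the first proxy saw.
        first = value.split(",")[0].strip()
        if IPV4_RE.match(first) and first != remote_addr:
            leaked = first
            break
    announced = any(name.lower() in norm for name in PROXY_MARKER_HEADERS)
    if leaked:
        verdict = "transparent proxy"
    elif announced:
        verdict = "anonymous proxy"
    else:
        verdict = "no proxy detected (or high-anonymity proxy)"
    return {"logged_ip": remote_addr, "client_ip": leaked, "verdict": verdict}

# Constructed sample requests (documentation-range addresses, not real traffic).
SAMPLES = {
    "direct": ("203.0.113.7", {"Host": "example.org", "User-Agent": "Mozilla/5.0"}),
    "transparent": ("198.51.100.20", {"Host": "example.org", "Via": "1.1 cache1",
                                      "X-Forwarded-For": "203.0.113.7, 198.51.100.20"}),
    "anonymous": ("198.51.100.20", {"Host": "example.org", "Via": "1.1 cache1"}),
}

if __name__ == "__main__":
    for label, (addr, hdrs) in SAMPLES.items():
        print(label, classify_request(addr, hdrs))
```

Only the "transparent" case lets the server recover the real client address; in the other two the log holds nothing better than the proxy's IP, which is the point the proxy slides make.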
Other Anonymity Services • The Onion Router (TOR) http://www.torproject.org/ • TOR is a global Internet anonymity and privacy system. It utilizes between 800 and 1500 computers spread across the world to forward Internet traffic anonymously • A user installs TOR and configures their web traffic to move through the TOR network • This makes the user's traffic appear to originate at a random computer on the Internet
Other Anonymity Services • Change your browser habits and add an add-on • Stealther 1.0.8 - https://addons.mozilla.org/en-US/firefox/addon/1306 • Surf the web without leaving a trace on your local computer • What it does is temporarily disable the following: - Browsing History (also in Address bar) - Cookies - Downloaded Files History - Disk Cache - Saved Form Information - Sending of Referrer Header - Recently Closed Tabs list
E-mail • Every message header contains information about its origin and destination • Possible to track e-mail back to its source • Identify the sender • Even when forged, there is information in e-mail headers
E-mail • E-mail is one of the most widely used services on the Internet • One of the most important ways criminals communicate • For more privacy, encryption or an anonymous re-mailer is used • E-mail is protected by strict privacy law – Which law? • Electronic Communications Privacy Act (ECPA) • Even if investigators can obtain incriminating e-mail, it is difficult to prove a specific individual sent a specific message • Suspect can claim they never sent it • Look more at anonymizing e-mail next
Anonymous E-mail • There are two kinds of services in this category. • First is truly Anonymous: no one anywhere knows your identity • This is a one-way channel, can’t get return mail sent back to you • Usually encrypted • Typically, sent through more than one remailer • Example: Cypherpunk or Mixmaster
Anonymous E-mail • Second, called Pseudo-anonymous or sometimes Pseudonymous • Owner of the service knows your identity and can be forced in a court of law to reveal it • Most truly anonymous services are free (it's difficult to bill an unknown, unnamed client), but they often require some skill and effort to use • You expect to have your email answered • You get your identity replaced with a dummy address • Responses are routed through the dummy address too • Example: Craigslist and match.com
Anonymous E-mail • Remailers make it hard to determine who sent a particular message • But no message is totally anonymous • Sender puts text in the message • Message leaves something behind with sender ID • Machines that handle the message may have useful information • Forging and Tracking E-mail • Important to know how e-mail is actually created and transmitted • Understand e-mail headers too
Cypherpunk Example http://anonymous.to/tutorials/anonymous-remailers/ • Steps • Create a message in your email client program • Put the remailer address in the To: field: remailer@cypherpunks.to • The message should have a subject, preceded by a '##' line • In the body of the message type '::' • Then, on the next line, Anon-To: recipient@mail.com • One blank line, then type the message • It's that simple!!!
Cypherpunk Remailers • Example
To: remailer@cypherpunks.to
Subject: Testing anonymous email
Body:
::
Anon-To: recipient@address.com

##
Subject: Subject of message

Type your message here.
Tracking E-mail • E-mail is like real mail • Post offices in the e-mail world are called Mail Transfer Agents (MTAs) • A message may travel through multiple MTAs • Each MTA adds something to the header of a transmitted message • Time stamps, technical identifying information • Each creates its own Received header • Passed along to the next MTA until the message reaches its destination
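As an added example (not from the lecture or any remailer's own code), a Python parser for the body format shown above, so an analyst can see exactly which parts a Cypherpunk-style remailer consumes (the '::' directives) and which survive to the recipient (the '##' headers and the text). The `as_delivered` helper and its `remailer_address` parameter are this example's assumptions about what the remailer writes on the outgoing mail.

```python
def parse_remailer_body(body: str) -> dict:
    """Split a Cypherpunk-style remailer body into the '::' directives the
    remailer consumes, the '##' headers it copies onto the outgoing mail,
    and the message text that follows."""
    lines = body.splitlines()
    directives, out_headers = {}, {}
    i = _skip_blank(lines, 0)
    if i >= len(lines) or lines[i].strip() != "::":
        raise ValueError("body must begin with a '::' line")
    i = _read_header_block(lines, i + 1, directives)
    i = _skip_blank(lines, i)
    if i < len(lines) and lines[i].strip() == "##":   # the '##' block is optional
        i = _read_header_block(lines, i + 1, out_headers)
        i = _skip_blank(lines, i)
    if "Anon-To" not in directives:
        raise ValueError("missing Anon-To directive")
    return {"anon_to": directives["Anon-To"], "headers": out_headers,
            "text": "\n".join(lines[i:]).rstrip("\n")}

def as_delivered(parsed: dict, remailer_address: str) -> dict:
    """Headers the final recipient sees. Assumption: the remailer keeps the
    sender's '##' headers but always writes its own address in From, so no
    header naming the original sender reaches the recipient."""
    headers = dict(parsed["headers"])
    headers["From"] = remailer_address
    headers["To"] = parsed["anon_to"]
    return headers

def _skip_blank(lines, i):
    while i < len(lines) and not lines[i].strip():
        i += 1
    return i

def _read_header_block(lines, i, into):
    """Read 'Name: value' lines until a blank line; names are canonicalised
    (Anon-to -> Anon-To). Returns the index of the terminating blank line."""
    while i < len(lines) and lines[i].strip():
        name, sep, value = lines[i].partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {lines[i]!r}")
        into[name.strip().title()] = value.strip()
        i += 1
    return i

# Constructed sample body following the format shown on the slide.
SAMPLE_BODY = """::
Anon-To: recipient@address.com

##
Subject: Subject of message

Type your message here.
"""
```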
Tracking E-mail • Default is not to see the e-mail header • Most e-mail clients have a setting that allows you to view e-mail header • Netscape email • View – Headers – All • Outlook Express • File – properties - click on details • Eudora • Click on blah-blah-blah • Opera • Right click email header, select View all headers
Tracking E-mail • Identity in E-mail • Unless a remailer or advanced forging technique is used • Sender identity is embedded in the message • Two most useful header fields: • Message-ID • Received field • Message-ID • Is globally unique – built from the current date/time, the MTA domain name and the sender's account name • Example: Message sent Dec. 4, 1999 from mail.corpX.com by user13: Message-Id: <user13120499152415-00000153@mail.corpX.com>
Tracking E-mail • Examining E-mail Headers • Some Received headers might have been forged, but the last few were likely valid, since the e-mail message was delivered • Can achieve pseudo-anonymity through a Hotmail or netaddress e-mail account • Header will still contain the IP of the original computer • Unless you went through an anonymizer ...
Example: Hotmail
Return-Path: <ctaylor888@hotmail.com>
Received: from hotmail.com (bay106-f21.bay106.hotmail.com [65.54.161.31]) by granite.cs.uidaho.edu (8.13.3+Sun/8.13.3) with ESMTP id jA7IbwCl018714 for <ctaylor@cs.uidaho.edu>; Mon, 7 Nov 2005 10:38:04 -0800 (PST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 7 Nov 2005 10:37:52 -0800
Message-ID: <BAY106-F215B117D7F1A86414E304889650@phx.gbl>
Received: from 65.54.161.200 by by106fd.bay106.hotmail.msn.com with HTTP; Mon, 07 Nov 2005 18:37:52 GMT
X-Originating-IP: [129.101.153.145]
X-Originating-Email: [ctaylor888@hotmail.com]
X-Sender: ctaylor888@hotmail.com
From: "Carol Taylor" <ctaylor888@hotmail.com>
To: ctaylor@cs.uidaho.edu
Subject: Sending a message to myself
Date: Mon, 07 Nov 2005 10:37:52 -0800
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 07 Nov 2005 18:37:52.0628 (UTC) FILETIME=[5C97D340:01C5E3CA]
Content-Length: 270
Return-path: anonymousmailer@behidden.com
Received: from imta21.westchester.pa.mail.comcast.net (LHLO imta21.westchester.pa.mail.comcast.net) (76.96.62.31) by sz0050.ev.mail.comcast.net with LMTP; Tue, 2 Mar 2010 18:48:42 +0000 (UTC)
Received: from mout.perfora.net ([74.208.4.195]) by imta21.westchester.pa.mail.comcast.net with comcast Joh1d0194CTZVm0MJohcP; Tue, 02 Mar 2010 18:48:42 +0000
. . .
X-Authority-Analysis: v=1.1
Received: from localhost (u15177982.onlinehome-server.com [82.165.253.19]) by mrelay.perfora.net (node=mrus4) with ESMTP (Nemesis1NaFSs0bDp-013hVr; Tue, 02 Mar 2010 13:48:40 -0500
MIME-Version: 1.0
To: ctaylor4214@comcast.net
From: AnonymousMailer@behidden.com
Subject: Trying beHidden.com
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID: <0Lrebt-1NaFSs0bDp-013hVr@mrelay.perfora.net>
Date: Tue, 02 Mar 2010 10:48:39 -0800
X-Provags-ID: V01U2FsdGVkX18zZyGxtJetADPAYPYc8Tl6hLwJECvXwZofTGD yRUgR+qvaXYsRBIFlqS6cVOGnapEF0Ar8AW+hMEGAxQXA8HIi

Trying this service to see what it sends.
Email Anonymity • Hushmail • Another level of anonymity • Wants the recipient to log in and get the message • See example
Where Email Comes From • Superficially, it appears that email is passed directly from the sender's machine to the recipient's • Lie. Email passes through at least four computers during its lifetime • Most organizations have a dedicated machine to handle mail, called a "mail server" • When a user sends mail, • She normally composes the message on her own computer, then sends it off to her ISP's mail server • At this point her computer is finished with the job, but the mail server still has to deliver the message • It does this by finding the recipient's mail server, talking to that server and delivering the message
Consider a couple of fictitious users: • rth@bieberdorf.edu and tmh@immense-isp.com • tmh is a dialup user of Immense ISP, Inc., using a mail program called Loris Mail • rth is a faculty member at the Bieberdorf Institute, with a workstation on his desk networked with the Institute's other computers • If rth wants to send a letter to tmh, • Composes it at his workstation alpha.bieberdorf.edu • Text passed to mail server, mail.bieberdorf.edu • Mail server, contacts other mail server mailhost.immense-isp.com • And delivers the mail to it • Message stored on mailhost.immense-isp.com until tmh dials in from his home computer and checks his mail • At that time, the mail server delivers any waiting mail, including the letter from rth, to it.
During all this processing, headers will be added to the message three times: • 1. At composition time, by whatever email program rth is using; • 2. When that program hands control off to mail.bieberdorf.edu • 3. At the transfer from Bieberdorf to Immense. (Normally, the dialup node that retrieves the message doesn't add any headers.) • We can watch the evolution of these headers …
Mail Headers • As generated by rth's mailer and handed off to mail.bieberdorf.edu:
From: rth@bieberdorf.edu (R.T. Hood)
To: tmh@immense-isp.com
Date: Tue, Mar 18 1997 14:36:14 PST
X-Mailer: Loris v2.32
Subject: Lunch today?
Email Headers • As they are when mail.bieberdorf.edu transmits the message to mailhost.immense-isp.com (header added at the top):
Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [124.211.3.11]) by mail.bieberdorf.edu (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)
From: rth@bieberdorf.edu (R.T. Hood)
To: tmh@immense-isp.com
Date: Tue, Mar 18 1997 14:36:14 PST
Message-Id: <rth031897143614-0000298@mail.bieberdorf.edu>
X-Mailer: Loris v2.32
Subject: Lunch today?
Email Headers • As they are when mailhost.immense-isp.com finishes processing the message and stores it for tmh to retrieve (header added at the top):
Received: from mail.bieberdorf.edu (mail.bieberdorf.edu [124.211.3.78]) by mailhost.immense-isp.com (8.8.5/8.7.2) with ESMTP id LAA20869 for <tmh@immense-isp.com>; Tue, 18 Mar 1997 14:39:24 -0800 (PST)
Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [124.211.3.11]) by mail.bieberdorf.edu (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)
From: rth@bieberdorf.edu (R.T. Hood)
To: tmh@immense-isp.com
Date: Tue, Mar 18 1997 14:36:14 PST
Message-Id: <rth031897143614-00000298@mail.bieberdorf.edu>
X-Mailer: Loris v2.32
Subject: Lunch today?
This last set of headers is the one that tmh sees on the letter when he downloads and reads his mail.
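As an added example serving both the Hotmail/BeHidden header samples and the rth-to-tmh header evolution above (not code from the lecture), a Python routine that reads the Received chain bottom-up to recover the route, pulls X-Originating-IP where a webmail service recorded it, and decomposes a Message-Id of the shape used in the examples. That Message-Id layout is assumed to be one mailer's convention rather than a standard; the embedded sample is the final header set from the fictitious rth example.

```python
import email
import re
from datetime import datetime

# Received: "from <host> (<rdns> [<ip>]) by <host> ..." as sendmail-style MTAs write it.
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Message-Id shape from the slides' examples: <account MMDDYY hhmmss-seq@domain>.
# Assumption: this is one mailer's convention; other mailers use other layouts.
MSGID_RE = re.compile(r"^<?(?P<user>\w+?)(?P<date>\d{6})(?P<time>\d{6})-(?P<seq>\d+)@(?P<domain>[^>]+)>?$")

def trace_route(raw_message: str) -> dict:
    """Walk the Received chain origin-first and extract the identifying fields."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each MTA prepends its own Received header, so the first one in the message
    # is the last hop; reversing yields the order the mail actually travelled.
    for rcv in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(rcv.split()))
        if not m:
            continue
        ip = BRACKET_IP_RE.search(m.group("paren") or "")
        hops.append({"from": m.group("from"), "ip": ip.group(1) if ip else None, "by": m.group("by")})
    mid = MSGID_RE.match((msg.get("Message-Id") or "").strip())
    msgid = None
    if mid:
        stamp = datetime.strptime(mid.group("date") + mid.group("time"), "%m%d%y%H%M%S")
        msgid = {"account": mid.group("user"), "domain": mid.group("domain"), "composed": stamp.isoformat()}
    return {
        "hops": hops,
        # The earliest hop's bracketed IP is what the first MTA saw on the wire,
        # unlike the 'from' name, which the sending host itself supplies.
        "origin_ip": hops[0]["ip"] if hops else None,
        "x_originating_ip": (msg.get("X-Originating-IP") or "").strip("[] ") or None,
        "message_id": msgid,
    }

# Final header set from the slides' fictitious rth -> tmh example.
SAMPLE = """\
Received: from mail.bieberdorf.edu (mail.bieberdorf.edu [124.211.3.78])
    by mailhost.immense-isp.com (8.8.5/8.7.2) with ESMTP id LAA20869
    for <tmh@immense-isp.com>; Tue, 18 Mar 1997 14:39:24 -0800 (PST)
Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [124.211.3.11])
    by mail.bieberdorf.edu (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)
From: rth@bieberdorf.edu (R.T. Hood)
To: tmh@immense-isp.com
Message-Id: <rth031897143614-00000298@mail.bieberdorf.edu>
Subject: Lunch today?"""
```

Run `trace_route(SAMPLE)` to see the two hops in travel order, the origin IP 124.211.3.11 recorded by mail.bieberdorf.edu, and the composition time recovered from the Message-Id; on the Hotmail sample the same routine returns the X-Originating-IP that the webmail front end recorded.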
Conclusion • Internet is a wealth of information sources • E-mail plus other ways to leave information • Useful for identifying criminal activity • Need to know if or how these sources were used in a suspected crime • Anonymity • Used a lot by people who want to hide their activities • Can hide a lot of things, but still some identifying information • Just harder
Resources • Electronic Frontier Foundation http://www.eff.org/ • Privacy Author http://www.andrebacard.com/privacy.html • BeHidden – email and surfing http://www.behidden.com/ • Hushmail http://www.hushmail.com/ • Privacy Test http://privacy.net/analyze-your-internet-connection/ • VPN Encryption Tunnel https://www.relakks.com/faq/legal/
End • Next time: Case Study – Digital Evidence, Internet: Tracking someone via the Internet