Intro to Cyber Crime and Computer Forensics
CSE 4273/6273, April 15, 2013
MISSISSIPPI STATE UNIVERSITY, DEPARTMENT OF COMPUTER SCIENCE
Information we can gather from emails
• To and from information
• Computer name
• IP address
• ISP
• Client used
• Time zone
Two different ways to get email
Email client
• Outlook, Thunderbird, Eudora, Pine, etc.
• Uses the Simple Mail Transfer Protocol (SMTP) to communicate with the user’s e-mail server (here: mail.msstate.edu)
Web-mail
• Gmail, Hotmail, Yahoo!, etc.
• HTTP interface to a web application that uses SMTP behind the scenes
• The client machine never communicates directly with the SMTP server
Email Address
UserName@mail.server.com
• UserName: ID of the user you wish to contact
• mail.server.com: name of the mail server
Example: dampier@cse.msstate.edu
SMTP
• Simple Mail Transfer Protocol
• Became popular in the early 1980s
• Simple text-based protocol
• Used by email servers to transfer emails
Sample E-Mail
• Bob (bob@example.com) composes a message for Alice, at alice@example.org
• Bob’s e-mail client is configured to use mail.example.com as an SMTP server
• The message is first sent to mail.example.com via SMTP
[Diagram: Bob’s PC --SMTP--> mail.example.com --SMTP (Internet)--> mail.example.org --POP--> Alice’s PC]
Sample E-Mail (cont.)
• mail.example.com accepts this message for delivery and notes that the recipient is a user at example.org
• Therefore, the message must be relayed to a mail server that can deliver it to the correct user
Sample E-Mail (cont.)
• The mail is relayed from mail.example.com to mail.example.org using SMTP
Sample E-Mail (cont.)
• Finally, Alice can use her e-mail program to receive the message from mail.example.org using POP
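The four steps above, as an added example that is not part of the original slides: a toy in-memory model of the two SMTP hops (Bob’s client to mail.example.com, then a relay to mail.example.org). Every hostname and address is constructed, and the toy server prepends the Received: line a real mail server adds on each hop, which is the trail the later slides teach you to read.

```python
class TinyMTA:
    def __init__(self, name, local_domain):
        self.name, self.local_domain = name, local_domain
        self.mailbox, self.outbound = [], []   # local deliveries (for POP); messages to relay

    def session(self, peer, commands):
        """Answer one client's SMTP commands; return the server's reply lines."""
        replies, sender, rcpts, body = ["220 %s SMTP" % self.name], None, [], None
        for line in commands:
            if body is not None and line != ".":    # inside DATA: collect message lines
                body.append(line)
                continue
            if body is not None:                     # the lone "." ends DATA
                self._accept(peer, sender, rcpts, "\r\n".join(body))
                body, reply = None, "250 OK: queued"
            elif line.startswith("HELO "):
                reply = "250 %s Hello %s" % (self.name, line[5:])
            elif line.startswith("MAIL FROM:"):
                sender, reply = line[10:].strip("<> "), "250 OK"
            elif line.startswith("RCPT TO:"):
                rcpts.append(line[8:].strip("<> "))
                reply = "250 OK"
            elif line == "DATA":
                body, reply = [], "354 End data with <CR><LF>.<CR><LF>"
            else:
                reply = "221 Bye" if line == "QUIT" else "500 Unrecognised command"
            replies.append(reply)
        return replies

    def _accept(self, peer, sender, rcpts, message):
        stamped = "Received: from %s by %s with SMTP\r\n%s" % (peer, self.name, message)
        for rcpt in rcpts:
            domain = rcpt.split("@")[1]
            if domain == self.local_domain:
                self.mailbox.append(stamped)
            else:                                    # not ours: queue for that domain's server
                self.outbound.append(("mail." + domain, sender, rcpt, stamped))

def send_bob_to_alice():
    """Bob's PC -> mail.example.com -> mail.example.org; return (replies, Alice's copy)."""
    com = TinyMTA("mail.example.com", "example.com")
    org = TinyMTA("mail.example.org", "example.org")
    bob = ["HELO bobs-pc", "MAIL FROM:<bob@example.com>", "RCPT TO:<alice@example.org>", "DATA",
           "From: bob@example.com", "To: alice@example.org", "Subject: hi", "", "Lunch?", ".", "QUIT"]
    replies = com.session("bobs-pc", bob)
    for host, sender, rcpt, msg in com.outbound:     # second hop: com relays to org over SMTP
        if host == org.name:
            org.session(com.name, ["HELO " + com.name, "MAIL FROM:<%s>" % sender,
                        "RCPT TO:<%s>" % rcpt, "DATA"] + msg.split("\r\n") + [".", "QUIT"])
    return replies, org.mailbox[0]
```

Alice’s copy carries two Received: lines, newest on top, one per server the message passed through.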
In Reality it Gets More Complicated
• From a user at yahoo to a user at cse.msstate.edu (relayed through 4 servers!):
  • web35303.mail.mud.yahoo.com
  • canit01.its.msstate.edu
  • sav06.its.msstate.edu
  • cse.msstate.edu
• Spam/virus scanning, load balancing, etc.
Structure of an Email
Message header:
Received:
From: username1@cse.msstate.edu
To: username2@cse.msstate.edu
Cc:
Subject:
Date:
Message (body)
A “Received” line for every server
Received:
Received:
Received:
Received:
From: username1@cse.msstate.edu
To: username2@cse.msstate.edu
Cc:
Subject:
Date:
Message (body)
I’ve never seen these so-called “Received” lines.
• Most email programs hide this header information
• Look for a “message source” or “view entire header” option
• If you can’t find it, do some online research
• www.spamcop.net
• https://hdc.tamu.edu/reference/documentation
Things to think about...
• Always base your findings on the IP address, not the hostname.
• False “Received” lines can be added before the email is sent.
• Be aware that people can hack into machines to send email from them.
Some more things to think about
• Don’t forget DHCP. It’s important to include dates and times when requesting information from an ISP.
• Viruses sometimes spread by emailing themselves out without the user being aware.
Anonymous Re-mailers
http://cypherpunks.faithweb.com
Message format:
::
Anon-To: final@recipient.com

##
Subject:

MESSAGE
Are you awake?
“ping” – a DOS- or Unix-based command that queries servers to see if they are “awake.”
DNS
“nslookup” – find out what name an IP address belongs to, or what IP address is associated with a web address.
Follow the path of a packet
“traceroute” – a ping that lists the servers it goes through. A Unix command, but there are Windows programs that perform the same function.
Who’s there?
“whois” – queries databases to find contact and registration information on IP or web addresses. A Unix command, but there are plenty of websites that perform the searches for you.
• http://ws.arin.net/whois
• http://www.networksolutions.com/whois/
Preservation (“Freeze”) Order
• 18 USC Sec. 2703(f)
• http://uscode.house.gov/usc.htm
• (f) Requirement to Preserve Evidence.
  (1) In general. A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.
Freeze Order (cont.)
  (2) Period of retention. Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90-day period upon a renewed request by the governmental entity.
Dangers of a freeze order!!!
• The ISP may attempt to notify the target about your actions.
• The ISP may terminate the account.
Finally: ISP contact list
http://www.forensicsweb.com
Putting it all together
• Gather emails and print out headers
• Compare headers to see if they contain different originating IPs
• Check email headers for spoofing
• Trace the IP(s) back to their source to discover what ISP the suspect is using
• Subpoena Yahoo, Hotmail, or other providers for user information
• Subpoena the ISP for user information
• Make sure to include all the information you have on the user, including the email account, IP, time, and date.
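The header checks the slides describe (one “Received” line per server, base findings on the IP not the hostname, false “Received” lines can be added before sending, check headers for spoofing), as an added example that is not part of the original slides. The message is constructed: it follows the four-hop Yahoo to cse.msstate.edu path listed earlier, with a fifth bottom line the sender typed in; IPs are RFC 5737 documentation addresses and the parser only handles the common “from host (host [ip]) by host” form.

```python
import email
import re

# Constructed sample, not from the slides: a message that took the four-hop
# Yahoo -> canit01 -> sav06 -> cse path the slides list, plus a bottom
# "Received" line the sender typed in before sending. IPs are RFC 5737 documentation addresses.
RAW_EMAIL = """\
Received: from sav06.its.msstate.edu (sav06.its.msstate.edu [198.51.100.6])
  by cse.msstate.edu with ESMTP; Mon, 15 Apr 2013 10:02:10 -0500
Received: from canit01.its.msstate.edu (canit01.its.msstate.edu [198.51.100.1])
  by sav06.its.msstate.edu with ESMTP; Mon, 15 Apr 2013 10:02:05 -0500
Received: from web35303.mail.mud.yahoo.com (web35303.mail.mud.yahoo.com [203.0.113.25])
  by canit01.its.msstate.edu with ESMTP; Mon, 15 Apr 2013 10:02:01 -0500
Received: from trusted.example.gov by mail.yahoo.com; Mon, 15 Apr 2013 09:59:00 -0500
From: someone@yahoo.com
To: dampier@cse.msstate.edu
Subject: hello

body text
"""

# "from <host> (<comment with [ip]>) ... by <host>"; the bracketed IP is optional
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>[^\s;]+)"
    r"(?:\s+\([^)]*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\][^)]*\))?"
    r".*?\bby\s+(?P<by>[^\s;]+)", re.S)

def parse_received(raw):
    """One dict per Received line, in header order: newest hop (our server) first."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))   # unfold continuation lines
        if m:
            hops.append({"from": m["from"], "ip": m["ip"], "by": m["by"]})
    return hops

def trace_origin(hops, own_server):
    """Walk down from our own server and stop at the first hop we cannot verify:
    no bracketed IP, or a 'by' host that is not the 'from' host of the hop above.
    Lines below that point could have been written by the sender, so the last
    verified IP is the origin worth tracing (and subpoenaing) first."""
    if not hops or hops[0]["by"] != own_server:
        return None
    origin = None
    for i, hop in enumerate(hops):
        if (i > 0 and hops[i - 1]["from"] != hop["by"]) or hop["ip"] is None:
            return {"ip": origin, "untrusted_from_hop": i}
        origin = hop["ip"]
    return {"ip": origin, "untrusted_from_hop": None}
```

On the sample the chain verifies down to the Yahoo webmail server (203.0.113.25) and stops at the bottom line, whose “by” host does not match the hop above and which records no IP, so that is where the trace ends and the subpoena to the web-mail provider begins.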