Investigating . Tracing & Recovery

Transcription

1 Investigating Tracing & Recovery

2 Overview has become a primary means of communication. can easily be forged. can be abused Spam Aid in committing a crime Threatening ,

3 & Crime Locate potential victims for other crimes Used to initiate a hack of the pc Defame a person or organization Create an alibi Anonymous communication regarding illegal activity

4 Investigations: Overview evidence: Is in the itself (header) Left behind as the travels from sender to recipient. Contained in the various logs. Law enforcement can use subpoenas System ads have some logs.

5 Fundamentals travels from originating computer to the receiving computer through servers. All servers add to the header. Use important internet services to interpret and verify data in a header.

6 How Works Breakdown of an address ca = country - Canada utoronto = gateway - University of Toronto dgp = local host - dynamic graphics project mantei = recipient of - e.g., mantei tremaine Mail is passed from host to host until it arrives

7 Fundamentals Typical path of an message: Client Mail Server Mail Server Mail Server Client

8 Protocols: Post Office Service Protocol Characteristics Stores only incoming messages. Stores all messages Web-based send and receive. POP IMAP MS MAPI Lotus Notes HTTP Investigation must be at the workstation. Copies of incoming and outgoing messages might be stored on the workstation or on the server or on both. Incoming and outgoing messages are stored on the server, but there might be archived or copied messages on the workstation. Easy to spoof identity.

9 Protocols: SMTP Neither IMAP or POP are involved relaying messages between servers. Simple Mail Transfer Protocol: SMTP Easy, but can be spoofed easily.

10 SMTP Headers To enable headers: Eudora: Use the Blah Blah Blah button Hotmail: Options Preferences Message Headers. Juno: Options Show Headers MS Outlook: Select message and go to options. Yahoo!: Mail Options General Preferences Show all headers.

11 SMTP Headers Headers consists of header fields Originator fields from, sender, reply-to Destination address fields To, cc, bcc Identification Fields Message-ID-field is optional, but extremely important for tracing s through server logs. Informational Fields Subject, comments, keywords Resent Fields Resent fields are strictly speaking optional, but luckily, most servers add them. Resent-date, resent-from, resent-sender, resent-to, resent-cc, resentbcc, resent-msg-id

12 SMTP Headers Trace Fields Core of tracing. Regulated in RFC2821. When a SMTP server receives a message for delivery or forwarding, it MUST insert trace information at the beginning of the header.

13 SMTP Headers The FROM field, which must be supplied in an SMTP environment, should contain both (1) the name of the source host as presented in the EHLO command and (2) an address literal containing the IP address of the source, determined from the TCP connection. The ID field may contain an as suggested in RFC 822, but this is not required. The FOR field MAY contain a list of <path> entries when multiple RCPT commands have been given. A server making a final delivery inserts a return-path line.

14 SMTP Header Spotting spoofed messages Contents usually gives a hint. Each SMTP server application adds a different set of headers or structures them in a different way. A good investigator knows these formats. Use internet services in order to verify header data. However, some companies can outsource or use internal IP addresses. Look for breaks / discrepancies in the Received lines.

15 Sample SMTP Session S: HELO host.my R: 250 OK S: MAIL R: 250 OK S: RCPT R: 250 OK S: DATA R: 354 send the mail data, end with. S: [mail data (including mail header)] S:. R: 250 OK S: QUIT R: 221 closing connection

16 Sample Mail Message From: My Name To: Your Name Date: Tue, 7 Dec :25: Subject: This is sample mail This is my mail body Ends here

17 Headers What they mean Ask Who is it from? Where is it from? Never depend on the From: line Verify the first Received: header The Message-ID: matches the address in the From: line of the header

18 Received: from SpoolDir by FLEMING0 (Mercury 1.48); 10 Oct 02 15:11: (EDT) Return-path: Received: from daneeka.flemingc.on.ca ( ) by fleming0.flemingc.on.ca (Mercury 1.48); 10 Oct 02 15:11: (EDT) Received: (qmail invoked by alias); 10 Oct :11: Delivered-To: Received: (qmail invoked by uid 504); 10 Oct :11: Received: from by daneeka.flemingc.on.ca by uid 0 with qmail-scanner-1.12 (csav: version /SIGN.DEF created on Oct /SIGN2.DEF created on Oct /MACRO.DEF created on Sep /. Clear:. Processed in secs); 10 Oct :11: X-Qmail-Scanner-Mail-From: grance@prhc.on.ca via daneeka.flemingc.on.ca X-Qmail-Scanner: 1.12 (Clear:. Processed in secs) Received: from unknown (HELO mail.prhc.on.ca) ( ) by daneeka.flemingc.on.ca with SMTP; 10 Oct :11: Received: from [ ] (grance@prhc.on.ca) by mail.prhc.on.ca; Thu, 10 Oct :11: X-WM-Posted-At: mail.prhc.on.ca; Thu, 10 Oct 02 15:11: Date: Thu, 10 Oct :36: From: Gord Rance <grance@prhc.on.ca> To: blbrown@flemingc.on.ca

19 The Message-Id A Unique identifier in the header Added to the message by the mail server when the message was sent. System administrator could tell you who sent the associated message. Message-Id is not always from the originating computer

20 Received headers One of the most informative parts of the e- mail header Often contain the address of the person who sent the message Each MTA that handles a message adds a Received header to the top of the header. A Stack of pancakes

21 Server Logs logs usually identify messages by: Account received IP address from which they were sent. Time and date (beware of clock drift) IP addresses

22 Investigation Copy the messages Print hard copies View the headers Outlook = Options - Details Outlook Express = Properties - Details Eudora = Blah Blah Blah button Pine = S C header option Hotmail = Options preferences Mail display Copy headers if necessary

23 Tracing

24 Tracking an The two main goals are: To find the computer that was used to send the message and To find the person who was using that computer when the was sent.

25 Important Services Verification of IP addresses: Regional Internet Registry Whois» APNIC (Asia Pacific Network Information Centre).» ARIN (American Registry of Internet Numbers).» LACNIC Latin American and Caribbean IP address Regional Registry.» RIPE NCC (Réseau IP Européens Network Coordination Centre). Numerous other websites. My Favorite.

26 Important Services Domain Name System (DNS) translates between domain names and IP address. Name to address lookup: 1. Parses HOSTS file. 2. Asks local nameserver 3. Local nameserver contacts nameserver responsible for domain. 4. If necessary, contact root nameserver. 5. Remote nameserver sends data back to local nameserver. 6. Local nameserver caches info and informs client. HOSTS files can be altered. You can use this as a low-tech tool to block pop-ups. Local nameservers can/could be tricked into accepting unsolicited data to be cached. Hilary for Senate case.

27 1) Do the domain names in the first Received: header and the From: line match? 2)Attempt to "finger to find any information about the user. 3)Use whois to find out where the host is located and who runs it.

28 4)Perform a thorough search 5)Address and phone number If you have the person's name or address, search Switchboard

29 Finger address to find user info Whois to determine org info Traceroute location of org and IP Telnet verify valid users

30 telnet fserv2.bu.edu 25 vrfy james 252 vrfy xxdd vrfy bogus helo from.me 250 fserv2.bu.edu Hello xxxxx-a.xx.on.wave.home.com [xx.xxx.xx.xx], pleased to meet you mail from: me 250 me... Sender ok rcpt to: james 250 james... Recipient ok rcpt to: bogus 250 bogus... Recipient ok rcpt to: bogus bogus Recipient ok quit 221 fserv2.bu.edu closing connection

31 6)Last resort Contact your own ISP with the information and they might be able to help you. If the forger logged into an innocent domain, you could inform the owners that they are being abused. If you have found the forger's ISP you can contact them to get more information about the forger. Send the ISP a description of your complaint Search Dejanews to determine if anyone else have received similar messages or if the sender left any rough edges

32 References Whois Searching Network Solutions - solutions.com/cgi-bin/whois/whois/ Internic - The DOD - The European index - The Asia Pacific index -

33 Practice, practice, practice. Practice forging methods Don't separate and Usenet tracking from searching the Web, Dejanews and IRC. For the best results, track while it is still fresh. People can always deny that they sent an message, so you will probably need more evidence than a single or Usenet message to tie them to a crime. They are a starting point not an end point in an investigation.

34 If you do not have an actual , but only have an address, you can use the tracker tool in VisualRoute to track the user to their server. An added benefit is that you are able to see what SMTP software the mail server is running (many times with version information as well).

35 Analysis Tools trackerpro, ml Neotrace tracing tool SamSpade excellent tracing tool

36 Forged Forging allows the sender to customize the information that the recipient sees. This approach to anonymity is less effective than anonymous r ers because forgeries still contain the sender's IP address. Forged gives the receiver a false impression.

37 Forging SMTP enables mail communication Many SMTP servers are OPEN They do not care who connects and uses them You use these servers to send your fake or forged

38 SMTP Commands(Minimum Implementation) HELO Identify which host is sending mail MAIL Specify where the mail comes from RCPT Specify where the mail to go DATA Give the mail data RSET Reset all transaction status QUIT Terminate SMTP connection