Investigating Email Tracing & Recovery
Overview
  Email has become a primary means of communication.
  Email can easily be forged.
  Email can be abused:
    Spam
    Aid in committing a crime
    Threatening email

Email & Crime
  Locate potential victims for other crimes
  Used to initiate a hack of the PC
  Defame a person or organization
  Create an alibi
  Anonymous communication regarding illegal activity

Email Investigations: Overview
  Email evidence:
    Is in the email itself (header)
    Is left behind as the email travels from sender to recipient
    Is contained in the various logs
  Law enforcement can use subpoenas.
  System admins have some logs.

Email Fundamentals
  Email travels from the originating computer to the receiving computer through email servers.
  All email servers add to the header.
  Use important internet services to interpret and verify data in a header.

How Email Works
  Breakdown of an email address: mantei@dgp.utoronto.ca
    ca = country - Canada
    utoronto = gateway - University of Toronto
    dgp = local host - dynamic graphics project
    mantei = recipient of email - e.g., mantei tremaine
  Mail is passed from host to host until it arrives.

Email Fundamentals
  Typical path of an email message:
    Client -> Mail Server -> Mail Server -> Mail Server -> Client

Email Protocols: Post Office Service

  Protocol        Characteristics                 Investigation
  POP             Stores only incoming messages.  Investigation must be at the workstation.
  IMAP            Stores all messages.            Copies of incoming and outgoing messages might be stored on the workstation or on the server or on both.
  MS MAPI,                                        Incoming and outgoing messages are stored on the server, but there might be archived or copied messages on the workstation.
  Lotus Notes
  HTTP            Web-based send and receive.     Easy to spoof identity.

Email Protocols: SMTP
  Neither IMAP nor POP is involved in relaying messages between servers.
  That is done by the Simple Mail Transfer Protocol: SMTP.
  Easy, but can be spoofed easily.

SMTP Headers
  To enable headers:
    Eudora: Use the "Blah Blah Blah" button
    Hotmail: Options > Preferences > Message Headers
    Juno: Options > Show Headers
    MS Outlook: Select message and go to Options
    Yahoo!: Mail Options > General Preferences > Show all headers

SMTP Headers
  Headers consist of header fields:
    Originator fields: From, Sender, Reply-To
    Destination address fields: To, Cc, Bcc
    Identification fields: the Message-ID field is optional, but extremely important for tracing emails through email server logs.
    Informational fields: Subject, Comments, Keywords
    Resent fields: strictly speaking optional, but luckily most servers add them.
      Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc, Resent-Bcc, Resent-Message-ID

SMTP Headers
  Trace fields: the core of email tracing. Regulated in RFC 2821.
  When an SMTP server receives a message for delivery or forwarding, it MUST insert trace information at the beginning of the header.

SMTP Headers
  The FROM field, which must be supplied in an SMTP environment, should contain both (1) the name of the source host as presented in the EHLO command and (2) an address literal containing the IP address of the source, determined from the TCP connection.
  The ID field may contain an "@" as suggested in RFC 822, but this is not required.
  The FOR field MAY contain a list of <path> entries when multiple RCPT commands have been given.
  A server making a final delivery inserts a Return-Path line.

SMTP Header
  Spotting spoofed messages:
    The contents usually give a hint.
    Each SMTP server application adds a different set of headers or structures them in a different way. A good investigator knows these formats.
    Use internet services to verify header data. However, some companies outsource email or use internal IP addresses.
    Look for breaks / discrepancies in the Received lines.

Sample SMTP Session
  S: HELO host.my
  R: 250 OK
  S: MAIL FROM:<name@host.my>
  R: 250 OK
  S: RCPT TO:<user@to.go>
  R: 250 OK
  S: DATA
  R: 354 send the mail data, end with .
  S: [mail data (including mail header)]
  S: .
  R: 250 OK
  S: QUIT
  R: 221 closing connection

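To make the session above concrete from the receiving server's side, here is an added example (not part of the original slides) of a minimal SMTP state machine that accepts the same HELO / MAIL / RCPT / DATA / QUIT exchange and inserts the RFC 2821 trace line described two slides earlier. The point it demonstrates: the HELO name, MAIL FROM and the From: line inside DATA are all typed by the client, while the address literal in the Received: line comes from the TCP connection the server itself sees. The server name mx.to.go, the peer address 203.0.113.7 and the fixed clock are assumptions chosen for the sample.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed client side of the session shown above; the server replies
# come from the state machine below.
CLIENT_LINES = [
    "HELO host.my",
    "MAIL FROM:<name@host.my>",
    "RCPT TO:<user@to.go>",
    "DATA",
    "From: My Name <foo@my.from>",
    "To: Your Name <bar@you.to>",
    "Subject: This is sample mail",
    "",
    "This is my mail body",
    ".",
    "QUIT",
]

# Fixed clock so the trace line is reproducible (same instant as the sample message date).
FIXED_TIME = datetime(1999, 12, 7, 14, 25, 20, tzinfo=timezone(timedelta(hours=8)))


class SmtpReceiver:
    """Server side of HELO/MAIL/RCPT/DATA/RSET/QUIT with RFC 2821 trace insertion.

    peer_ip is what the server observes on the TCP connection (assumed here);
    everything else is supplied by the client and cannot be trusted on its own.
    """

    def __init__(self, hostname, peer_ip, clock=lambda: FIXED_TIME):
        self.hostname, self.peer_ip, self.clock = hostname, peer_ip, clock
        self.helo = None
        self.in_data = False
        self.delivered = []      # complete messages, trace line prepended
        self.counter = 0
        self.reset()

    def reset(self):
        """RSET semantics: drop the envelope but keep the HELO identity."""
        self.mail_from, self.rcpt_to, self.lines = None, [], []

    @staticmethod
    def _addr(arg):
        m = re.search(r"<([^>]*)>", arg)
        return m.group(1) if m else arg.split(":", 1)[-1].strip()

    def trace_header(self):
        """The Received: line the server MUST insert before the client's own headers."""
        self.counter += 1
        stamp = self.clock().strftime("%a, %d %b %Y %H:%M:%S %z")
        recipients = " ".join(f"<{r}>" for r in self.rcpt_to)
        return (f"Received: from {self.helo} ([{self.peer_ip}]) by {self.hostname} "
                f"with SMTP id {self.counter} for {recipients}; {stamp}")

    def feed(self, line):
        """Process one client line; return the reply, or None while collecting DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append(self.trace_header() + "\r\n" + "\r\n".join(self.lines))
                self.reset()
                return "250 OK"
            self.lines.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            return f"250 {self.hostname}"
        if verb == "MAIL":
            if self.helo is None:
                return "503 send HELO first"
            self.mail_from = self._addr(arg)
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 need MAIL first"
            self.rcpt_to.append(self._addr(arg))
            return "250 OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 need RCPT first"
            self.in_data = True
            return "354 send the mail data, end with ."
        if verb == "RSET":
            self.reset()
            return "250 OK"
        if verb == "QUIT":
            return "221 closing connection"
        return "500 command not recognized"


def run_session(lines, hostname="mx.to.go", peer_ip="203.0.113.7"):
    """Feed a whole client transcript and return (replies, delivered messages)."""
    server = SmtpReceiver(hostname, peer_ip)
    replies = [r for r in map(server.feed, lines) if r is not None]
    return replies, server.delivered


if __name__ == "__main__":
    replies, delivered = run_session(CLIENT_LINES)
    print("\n".join("R: " + r for r in replies))
    print(delivered[0])
```

Running it prints the six server replies and the stored message, whose first line reads `Received: from host.my ([203.0.113.7]) by mx.to.go ...`: host.my is whatever the client said in HELO, 203.0.113.7 is what the connection showed. That is why the slides say to verify the first Received: header rather than the From: line.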
Sample Mail Message
  From: My Name <foo@my.from>
  To: Your Name <bar@you.to>
  Date: Tue, 7 Dec 1999 14:25:20 +0800
  Subject: This is sample mail

  This is my mail body
  Ends here

Headers: What They Mean
  Ask: Who is it from? Where is it from?
  Never depend on the From: line.
  Verify the first Received: header.
  Check that the Message-ID: matches the e-mail address in the From: line of the header.

Received: from SpoolDir by FLEMING0 (Mercury 1.48); 10 Oct 02 15:11:27 -0400 (EDT)
Return-path: <grance@prhc.on.ca>
Received: from daneeka.flemingc.on.ca (192.197.148.227) by fleming0.flemingc.on.ca (Mercury 1.48); 10 Oct 02 15:11:24 -0400 (EDT)
Received: (qmail 30587 invoked by alias); 10 Oct 2002 19:11:15 -0000
Delivered-To: alias-blbrown@flemingc.on.ca
Received: (qmail 30582 invoked by uid 504); 10 Oct 2002 19:11:15 -0000
Received: from grance@prhc.on.ca by daneeka.flemingc.on.ca by uid 0 with qmail-scanner-1.12 (csav: version 4.64.1/SIGN.DEF created on Oct 1 2002/SIGN2.DEF created on Oct 2 2002/MACRO.DEF created on Sep 23 2002/. Clear:. Processed in 0.137783 secs); 10 Oct 2002 19:11:15 -0000
X-Qmail-Scanner-Mail-From: grance@prhc.on.ca via daneeka.flemingc.on.ca
X-Qmail-Scanner: 1.12 (Clear:. Processed in 0.137783 secs)
Received: from unknown (HELO mail.prhc.on.ca) (204.187.140.10) by daneeka.flemingc.on.ca with SMTP; 10 Oct 2002 19:11:15 -0000
Received: from [127.0.0.1] (grance@prhc.on.ca) by mail.prhc.on.ca; Thu, 10 Oct 2002 15:11:06 -0400
X-WM-Posted-At: mail.prhc.on.ca; Thu, 10 Oct 02 15:11:06 -0400
Date: Thu, 10 Oct 2002 14:36:10 -0400
From: Gord Rance <grance@prhc.on.ca>
To: blbrown@flemingc.on.ca

The Message-ID
  A unique identifier in the header.
  Added to the message by the mail server when the message was sent.
  The system administrator could tell you who sent the associated message.
  The Message-ID is not always from the originating computer.

Received Headers
  One of the most informative parts of the e-mail header.
  Often contain the e-mail address of the person who sent the message.
  Each MTA that handles a message adds a Received header to the top of the e-mail header.
  A stack of pancakes: the most recent hop is on top, so read from the bottom up.

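The checks from the last few slides (read the Received: stack from the bottom up, look for breaks between hops, compare the first Received: host and the Message-ID domain with the From: line) can be scripted. The following is an added example, not part of the original slides: it parses the genuine sample header shown above and a constructed forged one. The Message-ID in the genuine sample, the whole forged header, the example.org / bank.example hosts and the 203.0.113.x / 198.51.100.x / 10.0.0.x addresses are constructed values, and the "unknown" from-host is read the way qmail writes it when reverse DNS fails.

```python
import re

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Received chain of the genuine sample header above (X- lines dropped, two lines
# folded the way mail software folds them); the Message-ID is a constructed value
# added so the From:/Message-ID check has something to compare.
SAMPLE_HEADER = """\
Received: from SpoolDir by FLEMING0 (Mercury 1.48); 10 Oct 02 15:11:27 -0400 (EDT)
Received: from daneeka.flemingc.on.ca (192.197.148.227)
 by fleming0.flemingc.on.ca (Mercury 1.48); 10 Oct 02 15:11:24 -0400 (EDT)
Received: (qmail 30587 invoked by alias); 10 Oct 2002 19:11:15 -0000
Received: (qmail 30582 invoked by uid 504); 10 Oct 2002 19:11:15 -0000
Received: from grance@prhc.on.ca by daneeka.flemingc.on.ca by uid 0 with qmail-scanner-1.12 (csav: version 4.64.1/SIGN.DEF created on Oct 1 2002/SIGN2.DEF created on Oct 2 2002/MACRO.DEF created on Sep 23 2002/. Clear:. Processed in 0.137783 secs); 10 Oct 2002 19:11:15 -0000
Received: from unknown (HELO mail.prhc.on.ca) (204.187.140.10)
 by daneeka.flemingc.on.ca with SMTP; 10 Oct 2002 19:11:15 -0000
Received: from [127.0.0.1] (grance@prhc.on.ca) by mail.prhc.on.ca; Thu, 10 Oct 2002 15:11:06 -0400
Message-ID: <constructed.20021010143610@mail.prhc.on.ca>
From: Gord Rance <grance@prhc.on.ca>
"""

# Constructed header with the discrepancies the checks should catch: a planted
# Received: line that no real relay handed off to, a sender with no reverse DNS,
# and a Message-ID domain unrelated to the From: domain.
FORGED_HEADER = """\
Received: from mail.example.org (mail.example.org [198.51.100.4])
 by mx.flemingc.example (Postfix); Thu, 10 Oct 2002 15:20:01 -0400
Received: from unknown (HELO relay.bank.example) (203.0.113.9)
 by mail.example.org with SMTP; Thu, 10 Oct 2002 15:19:55 -0400
Received: from workstation.bank.example (10.0.0.5) by gw.bank.example; Thu, 10 Oct 2002 15:19:40 -0400
Message-ID: <constructed.1@smtp.freemail.example>
From: Security <alerts@bank.example>
"""

def header_fields(raw):
    """Unfold continuation lines and return (name, value) pairs in header order."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line:
            lines.append(line)
    return [(n.strip().lower(), v.strip()) for n, _, v in (l.partition(":") for l in lines)]

def parse_received(value):
    """Extract from-host, HELO name, IP literal and by-host from one Received: value."""
    body = value.split(";")[0]                     # everything before the date
    hop = {"from": None, "helo": None, "ip": None, "by": None}
    m = re.match(r"from\s+(\S+)((?:\s*\([^)]*\))*)", body)
    if m:
        hop["from"] = m.group(1).strip("[]")
        comments = m.group(2)
        h = re.search(r"HELO\s+([^\s)]+)", comments)
        hop["helo"] = h.group(1) if h else None
        ip = IPV4.search(comments) or IPV4.search(m.group(1))
        hop["ip"] = ip.group(1) if ip else None
    b = re.search(r"\bby\s+(\S+)", body)
    hop["by"] = b.group(1) if b else None
    return hop

def is_routable(ip):
    """False for loopback, link-local and RFC 1918 space. Documentation ranges such as
    203.0.113.0/24 are deliberately treated as routable so the constructed sample works."""
    o = [int(x) for x in ip.split(".")]
    return not (o[0] in (10, 127) or (o[0] == 172 and 16 <= o[1] <= 31)
                or (o[0], o[1]) in ((192, 168), (169, 254)))

def same_domain(host, domain):
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def analyse(raw):
    """Walk the Received: stack (newest first) and report the checks from the slides."""
    fields = header_fields(raw)
    hops = [parse_received(v) for n, v in fields if n == "received"]
    network = [h for h in hops if h["ip"]]         # hops that crossed a TCP connection
    findings = []
    # The oldest hop with a routable source IP is where the message entered the public path.
    origin = next((h for h in reversed(network) if is_routable(h["ip"])), None)
    if origin and origin["from"] == "unknown":
        findings.append(f"origin {origin['ip']} has no reverse DNS; HELO {origin['helo']} is unverified")
    # Continuity: the 'by' host of an older hop should be the 'from' (or HELO) host of the next newer one.
    for newer, older in zip(network, network[1:]):
        claimed = {c.lower() for c in (newer["from"], newer["helo"]) if c}
        if older["by"] and older["by"].lower() not in claimed:
            findings.append(f"break: {older['by']} handed off, but the next hop claims {sorted(claimed)}")
    from_dom = next((v for n, v in fields if n == "from"), "").rsplit("@", 1)[-1].strip("> ")
    msgid_dom = next((v for n, v in fields if n == "message-id"), "").rsplit("@", 1)[-1].strip("> ")
    if msgid_dom and not same_domain(msgid_dom, from_dom):
        findings.append(f"Message-ID domain {msgid_dom} does not match From: domain {from_dom}")
    origin_name = (origin["helo"] or origin["from"]) if origin else None
    if origin_name and not same_domain(origin_name, from_dom):
        findings.append(f"From: domain {from_dom} does not match first Received host {origin_name}")
    return {"origin_ip": origin["ip"] if origin else None, "hops": len(hops), "findings": findings}
```

For the genuine header the only finding is that 204.187.140.10 had no reverse DNS, which is exactly the kind of "internal IP / outsourced mail" situation the slide warns about, so it is a lead to verify with whois, not proof of forgery. For the constructed forged header the script reports the break between gw.bank.example and the hop that actually arrived, plus the Message-ID domain mismatch. The regexes cover the Mercury, qmail and Postfix-style lines seen on this page; other MTAs format Received: differently and need their own patterns, which is the slide's point about knowing the formats.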
Server Logs
  E-mail logs usually identify email messages by:
    Account
    Received IP address from which they were sent
    Time and date (beware of clock drift)
    IP addresses

Investigation
  Copy the messages.
  Print hard copies.
  View the headers:
    Outlook = Options - Details
    Outlook Express = Properties - Details
    Eudora = "Blah Blah Blah" button
    Pine = S C header option
    Hotmail = Options - Preferences - Mail display
  Copy headers if necessary.

Tracing Email
Tracking an Email
  The two main goals are:
    To find the computer that was used to send the e-mail message, and
    To find the person who was using that computer when the e-mail was sent.

Important Services
  Verification of IP addresses: Regional Internet Registry whois
    APNIC (Asia Pacific Network Information Centre)
    ARIN (American Registry of Internet Numbers)
    LACNIC (Latin American and Caribbean IP address Regional Registry)
    RIPE NCC (Réseaux IP Européens Network Coordination Centre)
  www.samspade.org (my favorite)
  Numerous other websites.

Important Services
  Domain Name System (DNS) translates between domain names and IP addresses.
  Name to address lookup:
    1. Parses HOSTS file.
    2. Asks local nameserver.
    3. Local nameserver contacts nameserver responsible for domain.
    4. If necessary, contact root nameserver.
    5. Remote nameserver sends data back to local nameserver.
    6. Local nameserver caches info and informs client.
  HOSTS files can be altered. You can use this as a low-tech tool to block pop-ups.
  Local nameservers can/could be tricked into accepting unsolicited data to be cached. Hilary for Senate case.

  1) Do the domain names in the first Received: header and the From: line match?
  2) Attempt to "finger user@host.domain" to find any information about the user.
  3) Use whois to find out where the host is located and who runs it.
  4) Perform a thorough search.
  5) Address and phone number: if you have the person's name or e-mail address, search Switchboard.

  Finger: address to find user info
  Whois: to determine org info
  Traceroute: location of org and IP
  Telnet: verify valid users
  http://www.switchboard.com/
  http://www.middlebury.edu/cgibin/webph?other_ph_servers
  http://www.traceroute.org/

  telnet fserv2.bu.edu 25
  vrfy james
  252 <james@acs.bu.edu>
  vrfy xxdd9201
  252 <xxdd9201@acs.bu.edu>
  vrfy bogus2321
  252 <bogus2321@acs.bu.edu>
  helo from.me
  250 fserv2.bu.edu Hello xxxxx-a.xx.on.wave.home.com [xx.xxx.xx.xx], pleased to meet you
  mail from: me
  250 me... Sender ok
  rcpt to: james
  250 james... Recipient ok
  rcpt to: bogus
  250 bogus... Recipient ok
  rcpt to: bogus2321
  250 bogus2321... Recipient ok
  quit
  221 fserv2.bu.edu closing connection

  6) Last resort
    Contact your own ISP with the information and they might be able to help you.
    If the forger logged into an innocent domain, you could inform the owners that they are being abused.
    If you have found the forger's ISP, you can contact them to get more information about the forger. Send the ISP a description of your complaint.
    Search Dejanews to determine if anyone else has received similar messages or if the sender left any rough edges.

References: Whois Searching
  Network Solutions - http://www.networksolutions.com/cgi-bin/whois/whois/
  Internic - http://www.internic.net/whois.html
  The DOD - http://www.nic.mil.dodnic/
  The European index - http://www.arin.net/whois/index.html
  The Asia Pacific index - http://www.apnic.net/search/

Practice, practice, practice.
  Practice forging methods.
  Don't separate e-mail and Usenet tracking from searching the Web, Dejanews and IRC.
  For the best results, track e-mail while it is still fresh.
  People can always deny that they sent an e-mail message, so you will probably need more evidence than a single e-mail or Usenet message to tie them to a crime. They are a starting point, not an end point, in an investigation.

  If you do not have an actual e-mail, but only have an e-mail address, you can use the emailtracker tool in VisualRoute to track the user to their e-mail server. An added benefit is that you are able to see what SMTP software the mail server is running (many times with version information as well).

Email Analysis Tools
  emailtrackerpro: http://www.visualware.com/personal/products/emailtrackerpro/index.html
  Neotrace: tracing tool
  SamSpade: excellent tracing tool

Forged Email
  Forging e-mail allows the sender to customize the information that the recipient sees.
  This approach to anonymity is less effective than anonymous re-mailers because forgeries still contain the sender's IP address.
  Forged e-mail gives the receiver a false impression.

Forging Email
  SMTP enables mail communication.
  Many SMTP servers are OPEN: they do not care who connects and uses them.
  These servers are used to send fake or forged email.

SMTP Commands (Minimum Implementation)
  HELO  Identify which host is sending mail
  MAIL  Specify where the mail comes from
  RCPT  Specify where the mail is to go
  DATA  Give the mail data
  RSET  Reset all transaction status
  QUIT  Terminate SMTP connection