Investigating Email Tracing & Recovery

Overview
Email has become a primary means of communication.
Email can easily be forged.
Email can be abused: spam, aid in committing a crime, threatening email.

Email & Crime
Locate potential victims for other crimes.
Used to initiate a hack of the PC.
Defame a person or organization.
Create an alibi.
Anonymous communication regarding illegal activity.

Email Investigations: Overview
Email evidence:
  Is in the email itself (header).
  Left behind as the email travels from sender to recipient.
  Contained in the various logs.
Law enforcement can use subpoenas.
System admins have some logs.

Email Fundamentals
Email travels from the originating computer to the receiving computer through email servers.
All email servers add to the header.
Use important internet services to interpret and verify the data in a header.

How Email Works
Breakdown of an email address, mantei@dgp.utoronto.ca:
  ca = country (Canada)
  utoronto = gateway (University of Toronto)
  dgp = local host (dynamic graphics project)
  mantei = recipient of the email (e.g., mantei tremaine)
Mail is passed from host to host until it arrives.

Email Fundamentals
Typical path of an email message: Client -> Mail Server -> Mail Server -> Mail Server -> Client

Email Protocols
Protocol / Characteristics:
  POP: Stores only incoming messages. Investigation must be at the workstation.
  IMAP: Stores all messages. Copies of incoming and outgoing messages might be stored on the workstation, on the server, or on both.
  MS MAPI, Lotus Notes: Incoming and outgoing messages are stored on the server, but there might be archived or copied messages on the workstation.
  HTTP (web-based): Web-based send and receive. Easy to spoof identity.

Email Protocols: SMTP
Neither IMAP nor POP is involved in relaying messages between servers.
Simple Mail Transfer Protocol (SMTP): easy, but can be spoofed easily.

SMTP Headers
To enable headers:
  Eudora: use the Blah Blah Blah button.
  Hotmail: Options > Preferences > Message Headers.
  Juno: Options > Show Headers.
  MS Outlook: select the message and go to Options.
  Yahoo!: Mail Options > General Preferences > Show all headers.

SMTP Headers
Headers consist of header fields:
  Originator fields: From, Sender, Reply-To.
  Destination address fields: To, Cc, Bcc.
  Identification fields: the Message-ID field is optional, but extremely important for tracing emails through email server logs.
  Informational fields: Subject, Comments, Keywords.
  Resent fields: strictly speaking optional, but luckily most servers add them. Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc, Resent-Bcc, Resent-Message-ID.

SMTP Headers: Trace Fields
The core of email tracing. Regulated in RFC 2821.
When an SMTP server receives a message for delivery or forwarding, it MUST insert trace information at the beginning of the header.

SMTP Headers
The FROM field, which must be supplied in an SMTP environment, should contain both (1) the name of the source host as presented in the EHLO command and (2) an address literal containing the IP address of the source, determined from the TCP connection.
The ID field may contain an "@" as suggested in RFC 822, but this is not required.
The FOR field MAY contain a list of <path> entries when multiple RCPT commands have been given.
A server making a final delivery inserts a Return-Path line.

SMTP Header: Spotting Spoofed Messages
The content usually gives a hint.
Each SMTP server application adds a different set of headers or structures them in a different way. A good investigator knows these formats.
Use internet services to verify header data. However, some companies outsource email or use internal IP addresses.
Look for breaks and discrepancies in the Received: lines.

Sample SMTP Session
S: HELO host.my
R: 250 OK
S: MAIL FROM:<name@host.my>
R: 250 OK
S: RCPT TO:<user@to.go>
R: 250 OK
S: DATA
R: 354 send the mail data, end with <CRLF>.<CRLF>
S: [mail data (including mail header)]
S: .
R: 250 OK
S: QUIT
R: 221 closing connection

Sample Mail Message
From: My Name <foo@my.from>
To: Your Name <bar@you.to>
Date: Tue, 7 Dec 1999 14:25:20 +0800
Subject: This is sample mail

This is my mail body
Ends here

Headers: What They Mean
Ask: Who is it from? Where is it from?
Never depend on the From: line.
Verify the first Received: header.
Check that the Message-ID: matches the e-mail address in the From: line of the header.

Received: from SpoolDir by FLEMING0 (Mercury 1.48); 10 Oct 02 15:11:27 -0400 (EDT)
Return-path: <grance@prhc.on.ca>
Received: from daneeka.flemingc.on.ca (192.197.148.227) by fleming0.flemingc.on.ca (Mercury 1.48); 10 Oct 02 15:11:24 -0400 (EDT)
Received: (qmail 30587 invoked by alias); 10 Oct 2002 19:11:15 -0000
Delivered-To: alias-blbrown@flemingc.on.ca
Received: (qmail 30582 invoked by uid 504); 10 Oct 2002 19:11:15 -0000
Received: from grance@prhc.on.ca by daneeka.flemingc.on.ca by uid 0 with qmail-scanner-1.12 (csav: version 4.64.1/SIGN.DEF created on Oct 1 2002/SIGN2.DEF created on Oct 2 2002/MACRO.DEF created on Sep 23 2002/. Clear:. Processed in 0.137783 secs); 10 Oct 2002 19:11:15 -0000
X-Qmail-Scanner-Mail-From: grance@prhc.on.ca via daneeka.flemingc.on.ca
X-Qmail-Scanner: 1.12 (Clear:. Processed in 0.137783 secs)
Received: from unknown (HELO mail.prhc.on.ca) (204.187.140.10) by daneeka.flemingc.on.ca with SMTP; 10 Oct 2002 19:11:15 -0000
Received: from [127.0.0.1] (grance@prhc.on.ca) by mail.prhc.on.ca; Thu, 10 Oct 2002 15:11:06 -0400
X-WM-Posted-At: mail.prhc.on.ca; Thu, 10 Oct 02 15:11:06 -0400
Date: Thu, 10 Oct 2002 14:36:10 -0400
From: Gord Rance <grance@prhc.on.ca>
To: blbrown@flemingc.on.ca

The Message-ID
A unique identifier in the header.
Added to the message by the mail server when the message was sent.
The system administrator could tell you who sent the associated message.
The Message-ID is not always from the originating computer.

Received Headers
One of the most informative parts of the e-mail header.
Often contain the e-mail address of the person who sent the message.
Each MTA that handles a message adds a Received header to the top of the e-mail header: a stack of pancakes, with the newest on top and the origin at the bottom.

Server Logs
E-mail logs usually identify email messages by:
  Account
  IP address from which they were sent
  Time and date (beware of clock drift)
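To make the checks on these slides concrete (walking the Received: chain from the bottom up, looking for breaks and for HELO names the accepting server could not verify, comparing the Message-ID domain with the From: domain, and measuring the gap between the client's Date: and the first server stamp), here is an added Python example; it is not part of the original slides or of any tool they mention. It embeds the 10 Oct 2002 header sample shown above, trimmed to the lines it parses and with the timestamps re-spaced, plus a constructed Message-ID line. The reverse_dns parameter is a constructed {ip: name} table standing in for the whois and DNS lookups the slides recommend; all function names are the example's own.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Header block from the page's 10 Oct 2002 sample, reduced to the lines this
# example needs and with the date strings re-spaced ("15:11:27 -0400").
# The Message-ID line is constructed: the page's copy does not show one.
SAMPLE_HEADER = """\
Received: from SpoolDir by FLEMING0 (Mercury 1.48); 10 Oct 02 15:11:27 -0400 (EDT)
Return-path: <grance@prhc.on.ca>
Received: from daneeka.flemingc.on.ca (192.197.148.227) by fleming0.flemingc.on.ca (Mercury 1.48); 10 Oct 02 15:11:24 -0400 (EDT)
Received: (qmail 30587 invoked by alias); 10 Oct 2002 19:11:15 -0000
Delivered-To: alias-blbrown@flemingc.on.ca
Received: (qmail 30582 invoked by uid 504); 10 Oct 2002 19:11:15 -0000
Received: from unknown (HELO mail.prhc.on.ca) (204.187.140.10) by daneeka.flemingc.on.ca with SMTP; 10 Oct 2002 19:11:15 -0000
Received: from [127.0.0.1] (grance@prhc.on.ca) by mail.prhc.on.ca; Thu, 10 Oct 2002 15:11:06 -0400
Date: Thu, 10 Oct 2002 14:36:10 -0400
From: Gord Rance <grance@prhc.on.ca>
To: blbrown@flemingc.on.ca
Message-ID: <constructed.0001@mail.prhc.on.ca>
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_received(value):
    """Split one Received: value into handing-over host, HELO name, IP, accepting host and stamp."""
    text = " ".join(value.split())            # fold header continuation whitespace
    clause, _, stamp = text.rpartition(";")   # RFC 2821: the date follows the last ';'
    m_from = re.match(r"from\s+(\S+)", clause, re.I)
    m_helo = re.search(r"\(HELO\s+([^)\s]+)\)", clause, re.I)
    m_by = re.search(r"\bby\s+([^\s;()]+)", clause, re.I)
    m_ip = IPV4.search(clause)
    when = None
    try:
        when = parsedate_to_datetime(stamp.strip())
        if when.tzinfo is None:               # "-0000" parses as naive; treat it as UTC
            when = when.replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        pass                                  # unparseable or missing stamp
    return {
        "from": m_from.group(1).strip("[]") if m_from else None,
        "helo": m_helo.group(1) if m_helo else None,
        "by": m_by.group(1) if m_by else None,
        "ip": m_ip.group(1) if m_ip else None,
        "when": when,
    }


def hop_chain(raw_header):
    """Relay hops oldest first: the bottom Received: line is the origin (stack of pancakes).
    Lines without a 'from' clause are local handoffs (qmail's 'invoked by') and are dropped."""
    msg = message_from_string(raw_header)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    return [h for h in hops if h["from"]]


def find_discrepancies(hops, reverse_dns=None):
    """Breaks in the Received chain. reverse_dns is an optional {ip: ptr_name} table
    standing in for the whois/DNS services the slides say to consult."""
    findings = []
    for i, hop in enumerate(hops):
        if hop["helo"] and hop["from"].lower() in ("unknown", hop["ip"] or ""):
            findings.append(f"hop {i}: {hop['by']} could not verify {hop['ip']}, "
                            f"which announced itself as {hop['helo']}")
        claimed = hop["helo"] or hop["from"]
        if reverse_dns and hop["ip"] in reverse_dns \
                and reverse_dns[hop["ip"]].lower() != claimed.lower():
            findings.append(f"hop {i}: reverse DNS for {hop['ip']} is {reverse_dns[hop['ip']]}, "
                            f"not the claimed {claimed}")
        if i == 0:
            continue
        prev = hops[i - 1]
        names = {n.lower() for n in (hop["from"], hop["helo"]) if n}
        if prev["by"] and prev["by"].lower() not in names:
            findings.append(f"hop {i}: chain break, {prev['by']} accepted the message "
                            f"but this line says it came from {hop['from']}")
        if prev["when"] and hop["when"] and hop["when"] < prev["when"]:
            delta = int((prev["when"] - hop["when"]).total_seconds())
            findings.append(f"hop {i}: stamped {delta}s before the previous hop "
                            f"(clock drift or an inserted line)")
    return findings


def message_id_matches_from(raw_header):
    """The Message-ID domain should belong to the From: domain (or a host under it)."""
    msg = message_from_string(raw_header)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    mid_domain = (msg.get("Message-ID") or "").strip("<> ").rpartition("@")[2].lower()
    return bool(from_domain) and (mid_domain == from_domain
                                  or mid_domain.endswith("." + from_domain))


def date_header_drift(raw_header):
    """Seconds between the client's Date: header and the first server stamp;
    large values mean a drifting or deliberately set client clock."""
    msg = message_from_string(raw_header)
    sent = parsedate_to_datetime(msg["Date"])
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    return int((hop_chain(raw_header)[0]["when"] - sent).total_seconds())


if __name__ == "__main__":
    hops = hop_chain(SAMPLE_HEADER)
    for i, h in enumerate(hops):
        print(i, h["from"], h["helo"], h["ip"], "->", h["by"], h["when"])
    for f in find_discrepancies(hops):
        print("!", f)
    print("Message-ID matches From:", message_id_matches_from(SAMPLE_HEADER))
    print("Date header drift (s):", date_header_drift(SAMPLE_HEADER))
```

Run as a script it lists the four relay hops oldest first and reports the two discrepancies visible in the page's sample: daneeka.flemingc.on.ca could not resolve 204.187.140.10 although it announced HELO mail.prhc.on.ca, and the final Mercury hop ("from SpoolDir by FLEMING0") does not name fleming0.flemingc.on.ca as its sender, an internal handoff that an investigator who knows that server's format would recognise. It also reports that the client's Date: is about 35 minutes behind the first server stamp. Findings are leads to verify against the server logs, not proof by themselves.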

Investigation
Copy the messages.
Print hard copies.
View the headers:
  Outlook: Options > Details
  Outlook Express: Properties > Details
  Eudora: Blah Blah Blah button
  Pine: S C header option
  Hotmail: Options > Preferences > Mail display
Copy headers if necessary.

Tracing Email

Tracking an Email
The two main goals are:
  To find the computer that was used to send the e-mail message, and
  To find the person who was using that computer when the e-mail was sent.

Important Services
Verification of IP addresses: Regional Internet Registry whois
  APNIC (Asia Pacific Network Information Centre)
  ARIN (American Registry for Internet Numbers)
  LACNIC (Latin American and Caribbean IP Address Regional Registry)
  RIPE NCC (Réseaux IP Européens Network Coordination Centre)
www.samspade.org (my favorite)
Numerous other websites.

Important Services
The Domain Name System (DNS) translates between domain names and IP addresses.
Name to address lookup:
1. Parse the HOSTS file.
2. Ask the local nameserver.
3. The local nameserver contacts the nameserver responsible for the domain.
4. If necessary, contact a root nameserver.
5. The remote nameserver sends data back to the local nameserver.
6. The local nameserver caches the information and informs the client.
HOSTS files can be altered. You can use this as a low-tech tool to block pop-ups.
Local nameservers can/could be tricked into accepting unsolicited data to be cached: the Hillary for Senate case.
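The lookup order above, with the HOSTS-file step isolated so that the "HOSTS files can be altered" point can be checked on a workstation image: an added Python example, not from the slides or any tool they name. The hosts-file text and the nameserver answers (SAMPLE_HOSTS, SAMPLE_DNS) are constructed stand-ins using documentation address ranges, and the function names are the example's own.

```python
import ipaddress

# Constructed hosts-file content (not from the page): the usual loopback lines, a
# 0.0.0.0 entry of the kind used for the low-tech pop-up blocking the slide mentions,
# and one altered entry that pins a public name to an address of someone's choosing.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.example-tracker.net        # blackholed: pop-ups never load
203.0.113.9     www.example-bank.com example-bank.com   # altered entry
"""

# Constructed stand-in for the local nameserver: what DNS would answer.
SAMPLE_DNS = {"www.example-bank.com": "198.51.100.20",
              "example-bank.com": "198.51.100.20",
              "ads.example-tracker.net": "198.51.100.77"}


def parse_hosts(text):
    """Map each name to its address; comments and blank lines are skipped and,
    as in the usual resolver libraries, the first entry for a name wins."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def resolve(name, hosts, dns):
    """Lookup order from the slide: the HOSTS file is consulted before any nameserver.
    Returns (address, source) so the caller can see which one answered."""
    name = name.lower().rstrip(".")
    if name in hosts:
        return hosts[name], "hosts"
    if name in dns:
        return dns[name], "dns"
    return None, "nxdomain"


def hosts_overrides(hosts, dns):
    """Names whose HOSTS entry silently overrides a different DNS answer.
    Loopback and 0.0.0.0 entries are the normal and blocking cases and are not reported."""
    out = []
    for name, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified:
            continue
        if name in dns and dns[name] != addr:
            out.append((name, addr, dns[name]))
    return out


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(resolve("www.example-bank.com", hosts, SAMPLE_DNS))
    for name, pinned, real in hosts_overrides(hosts, SAMPLE_DNS):
        print(f"{name}: hosts file answers {pinned}, DNS answers {real}")
```

On a real machine the same check is run with the workstation's hosts file and live DNS answers in place of the two constructed tables; any entry that hosts_overrides reports is an alteration worth explaining before the browser or mail client on that machine is trusted.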

1) Do the domain names in the first Received: header and the From: line match?
2) Attempt to "finger user@host.domain" to find any information about the user.
3) Use whois to find out where the host is located and who runs it.

4) Perform a thorough search.
5) Address and phone number: if you have the person's name or e-mail address, search Switchboard.

Finger: address, to find user info.
Whois: to determine org info.
Traceroute: location of the org and IP.
Telnet: verify valid users.
http://www.switchboard.com/
http://www.middlebury.edu/cgibin/webph?other_ph_servers
http://www.traceroute.org/

telnet fserv2.bu.edu 25
vrfy james
252 <james@acs.bu.edu>
vrfy xxdd9201
252 <xxdd9201@acs.bu.edu>
vrfy bogus2321
252 <bogus2321@acs.bu.edu>
helo from.me
250 fserv2.bu.edu Hello xxxxx-a.xx.on.wave.home.com [xx.xxx.xx.xx], pleased to meet you
mail from: me
250 me... Sender ok
rcpt to: james
250 james... Recipient ok
rcpt to: bogus
250 bogus... Recipient ok
rcpt to: bogus2321
250 bogus2321... Recipient ok
quit
221 fserv2.bu.edu closing connection

6) Last resort: contact your own ISP with the information and they might be able to help you.
If the forger logged into an innocent domain, you could inform the owners that they are being abused.
If you have found the forger's ISP you can contact them to get more information about the forger. Send the ISP a description of your complaint.
Search Dejanews to determine if anyone else has received similar messages or if the sender left any rough edges.

References
Whois searching:
  Network Solutions - http://www.networksolutions.com/cgi-bin/whois/whois/
  Internic - http://www.internic.net/whois.html
  The DOD - http://www.nic.mil.dodnic/
  The European index - http://www.arin.net/whois/index.html
  The Asia Pacific index - http://www.apnic.net/search/

Practice, practice, practice. Practice forging methods.
Don't separate e-mail and Usenet tracking from searching the Web, Dejanews and IRC.
For the best results, track e-mail while it is still fresh.
People can always deny that they sent an e-mail message, so you will probably need more evidence than a single e-mail or Usenet message to tie them to a crime. They are a starting point, not an end point, in an investigation.

If you do not have an actual e-mail, but only have an e-mail address, you can use the emailtracker tool in VisualRoute to track the user to their e-mail server. An added benefit is that you are able to see what SMTP software the mail server is running (many times with version information as well).

Email Analysis Tools
emailtrackerpro: http://www.visualware.com/personal/products/emailtrackerpro/index.html
Neotrace: tracing tool
SamSpade: excellent tracing tool

Forged Email
Forging e-mail allows the sender to customize the information that the recipient sees.
This approach to anonymity is less effective than anonymous re-mailers because forgeries still contain the sender's IP address.
Forged e-mail gives the receiver a false impression.

Forging Email
SMTP enables mail communication.
Many SMTP servers are OPEN: they do not care who connects and uses them.
You use these servers to send your fake or forged email.

SMTP Commands (Minimum Implementation)
HELO - Identify which host is sending mail
MAIL - Specify where the mail comes from
RCPT - Specify where the mail is to go
DATA - Give the mail data
RSET - Reset all transaction status
QUIT - Terminate the SMTP connection