91.580.203 Computer & Network Forensics Xinwen Fu Chapter 13 E-mail Investigations

Post on 21-Dec-2015

220 views

Category:

Documents


5 download

TRANSCRIPT


Slide 2
CS@UML

Outline
- Introduction to e-mail investigation
- Trace e-mail senders

Slide 3

Email

Slide 4

E-mail Crimes and Violations
- Spam e-mails: becoming commonplace; whether they are legal or not depends on the city, state, or country, so always consult with an attorney
- Crimes involving e-mails: narcotics trafficking, extortion, sexual harassment

Slide 5

Investigating E-mail Crimes and Violations
- Similar to other types of investigations
- Goals: find who is behind the crime, collect the evidence, present your findings, build a case

Slide 6

Examining E-mail Messages
- Access the victim's computer and retrieve evidence
- Investigate the victim's e-mail: find and copy evidence in the e-mail; access protected or encrypted material; print e-mails; open and copy e-mails including their headers
- Sometimes you will deal with deleted e-mails

Slide 7

Outline
- Introduction to e-mail investigation
- Trace e-mail senders

Slide 8

Tracing Normal E-mails
- Naming conventions
  - Corporate: [email protected]; everything after the @ belongs to the domain name
- Tracing corporate e-mails is easier

Slide 9

Tracing E-mails from Public E-mail Servers
- Can you send seemingly anonymous e-mails from public e-mail accounts such as Yahoo, Hotmail, etc.?
- Public: [email protected]

Slide 10

Tracing by Viewing E-mail Headers
- Learn how to find e-mail headers in GUI clients, command-line clients, and web-based clients
- Headers contain useful information: unique identifying numbers, sending time, the IP address of the sending e-mail server, and the IP address of the e-mail client

Slide 11

SMTP (Simple Mail Transfer Protocol)
- Each SMTP server that handles the message prepends its own "Received:" header at the head of the e-mail, so the newest hop is at the top
- The first "Received: from" line added, which is the lowest one in the header, identifies the closest hop to the sender

[Figure: the mail path from Bob (From) to Alice (To) through SMTP server 1, SMTP server 2 and SMTP server 3]

Slide 12

Sample header (the slide's line numbers have been removed):

From [email protected] Wed Sep 14 13:30:34 2005
Received: from smtp-relay.tamu.edu (smtp-relay.tamu.edu [165.91.143.199])
    by pine.cs.tamu.edu (8.12.9/8.12.9) with ESMTP id j8EIUUSt013552;
    Wed, 14 Sep 2005 13:30:30 -0500 (CDT)
Received: from hotmail.com (bay22-f12.bay22.hotmail.com [64.4.16.62])
    by smtp-relay.tamu.edu (8.13.3/8.13.3/oc) with ESMTP id j8EIUa3V052539;
    Wed, 14 Sep 2005 13:30:37 -0500 (CDT)
    (envelope-from [email protected])
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Wed, 14 Sep 2005 11:30:22 -0700
Message-ID: <[email protected]>
Received: from 212.100.250.207 by by22fd.bay22.hotmail.msn.com with HTTP;
    Wed, 14 Sep 2005 18:30:22 GMT
X-Originating-IP: [212.100.250.207]
X-Originating-Email: [[email protected]]
X-Sender: [email protected]
From: "Doris Benson" [email protected]
Bcc:
Subject: REPLY NEEDED
Date: Wed, 14 Sep 2005 14:30:22 -0400

Trace back to a naive spammer
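To make the bottom-up reading rule from the SMTP slide concrete against a header like the one above, here is an added Python example (not part of the lecture): it walks the Received: lines from the hop closest to the sender to the recipient's own server, records the IP each relay saw, normalises every timestamp to UTC so the per-server clocks can be compared, and cross-checks the closest hop against X-Originating-IP. The embedded sample header is rebuilt from the slide's own hosts, IPs and times; the redacted addresses are left out.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Sample header built from the values on the slide (hosts, IPs, timestamps);
# the redacted addresses were dropped, so only the trace-relevant lines remain.
SAMPLE = """\
Received: from smtp-relay.tamu.edu (smtp-relay.tamu.edu [165.91.143.199])
    by pine.cs.tamu.edu (8.12.9/8.12.9) with ESMTP id j8EIUUSt013552;
    Wed, 14 Sep 2005 13:30:30 -0500 (CDT)
Received: from hotmail.com (bay22-f12.bay22.hotmail.com [64.4.16.62])
    by smtp-relay.tamu.edu (8.13.3/8.13.3/oc) with ESMTP id j8EIUa3V052539;
    Wed, 14 Sep 2005 13:30:37 -0500 (CDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Wed, 14 Sep 2005 11:30:22 -0700
Received: from 212.100.250.207 by by22fd.bay22.hotmail.msn.com with HTTP;
    Wed, 14 Sep 2005 18:30:22 GMT
X-Originating-IP: [212.100.250.207]
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP = re.compile(r"from (.+?) by (\S+)")

def received_chain(raw):
    """Walk Received: headers bottom-up: hop 0 is the closest to the sender, the
    last is the recipient's own server. Times are converted to UTC for comparison."""
    hops = []
    for hdr in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(hdr.split())          # unfold continuation lines
        m = HOP.search(text)
        if not m:
            continue                          # non-standard line, skip it
        src, by = m.groups()
        ip = IPV4.search(src)                 # address the receiving server saw
        when = parsedate_to_datetime(text.rsplit(";", 1)[1]) if ";" in text else None
        if when and when.tzinfo:
            when = when.astimezone(timezone.utc)
        hops.append({"from": src, "ip": ip.group(1) if ip else None,
                     "by": by, "utc": when})
    return hops

def sender_ip(raw):
    """Closest-hop IP cross-checked with the provider's X-Originating-IP. Only lines
    added by servers you trust are reliable; a mismatch is itself a finding."""
    chain = received_chain(raw)
    first = chain[0]["ip"] if chain else None
    m = IPV4.search(message_from_string(raw).get("X-Originating-IP", ""))
    claimed = m.group(1) if m else None
    return first, claimed, first == claimed
```

Note that pine.cs.tamu.edu stamps 18:30:30 UTC although the relay that handed it the message stamped 18:30:37 UTC: each Received: line carries that server's own clock, so a small inversion like this is clock skew rather than evidence of tampering.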

Slide 13

Standard intelligence-collecting techniques
- Whois: databases with a compilation of information designed to maintain contact information for network resources
  - Name-service-based whois: information about a domain. Example: whois uml.edu, or http://www.whois.sc/
  - Network-service-based whois: information about network management data, such as the boundary of a network. Example: whois -h whois.arin.net 66.38.151.10 (ARIN, the American Registry for Internet Numbers, http://ws.arin.net/whois)

Slide 14

Domain Name System (DNS)
- DNS: the mapping between numeric IP addresses and names
- dig
  - Get a domain name's IP address and nameservers: dig www.uml.edu
    SERVER: 129.63.16.100#53(129.63.16.100)
  - Query the mail servers (port 25) in a domain: dig www.uml.edu MX
- nslookup: same as dig but obsolete

Slide 15: Google Email Header (Cont.) [screenshot only]
Slide 16: Google Email Header (Cont.) [screenshot only]
Slide 17: Yahoo Email Header [screenshot only]
Slide 18: Yahoo Email Header (Cont.) [screenshot only]
Slide 19: Hotmail Email Header, "then" [screenshot only]
Slide 20: Hotmail Email Header (Cont.), "then" [screenshot only]
Slide 21: Hotmail Email Header (Cont.), "Now" [screenshot only]

Slide 22

Hotmail Email Header (Cont.): View E-mail Message Source
- Every e-mail sent directly from a Hotmail account or other special mail server contains the "X-Originating-IP" or "X-Sender-Ip" header. This value indicates the IP address (or the specific computer ID) the person was using at the time they sent the e-mail.

Slide 23: Thunderbird Email Header [screenshot only]
Slide 24: [screenshot only, no title]

Slide 25

Once you identify the IP address...
- To find the suspect, you may have to check a lot of computer logs

Slide 26

Using Specialized E-mail Forensics Tools
- AccessData's FTK
- EnCase
- FINALeMAIL
- Sawmill-GroupWise
- DBXtract
- MailBag Assistant
- Paraben

Slide 27

References
- jmates, E-Mail Flow, 2006/02/06, http://sial.org/howto/sendmail/
- Configuring DNS, 2006, http://www.linuxhomenetworking.com/linux-hn/dns-static.htm
- Mark D. Roth, sendmail Tutorial, 2006, http://www.feep.net/sendmail/tutorial/