chao-hsien chu, ph.d. college of information sciences and technology
DESCRIPTION
Web Forensics & E-mail Tracing. Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 [email protected]. Theory Practice. Learning by Doing. 8/24/06. Objectives. - PowerPoint PPT PresentationTRANSCRIPT
Chao-Hsien Chu, Ph.D.College of Information Sciences and Technology
The Pennsylvania State UniversityUniversity Park, PA 16802
Web Forensics & E-mail Tracing
8/24/06
LearningbyDoing
Theo
ry
Practi
ce
ObjectivesObjectives
• Understand the flow of electronic mail across a network
• Explain the difference between resident e-mail client programs and webmail
• Understand the difference between typical desktop data storage and server data storage
• Identify the components of e-mail headers• Understand the flow of instant messaging across
the network
Importance of E-Mail as EvidenceImportance of E-Mail as Evidence
• E-mail can be pivotal evidence in a case• Due to its informal nature, it does not always
represent corporate policy• Many cases provide examples of the use of e-mail as
evidence– Enron – Microsoft - Bill Gate– Knox vs. State of Indiana– Harley vs. McCoach– Nardinelli et al. vs. Chevron– Adelyn Lee vs. Oracle Corporation
Working with E-MailWorking with E-Mail
• E-mail evidence typically used to corroborate or refute other testimony or evidence
• Can be used by prosecutors or defense parties
• Two standard methods to send and receive e-mail:– Client/server applications– Webmail
E-mail Data FlowE-mail Data Flow
• User has a client program such as Outlook or Eudora
• Client program is configured to work with one or more servers
• E-mails sent by client reside on PC
• A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers
Sending E-MailSending E-Mail
User creates e-mail on her client User issues send
command Client moves e-mail to Outbox
Server acknowledges client and authenticates
e-mail account
Client sends e-mail to the serverServer sends e-mail to
destination e-mail server
If the client cannot connect with the server, it keeps trying
Receiving E-MailReceiving E-Mail
User opens client and logs on User issues receive
command Client contacts server
Server acknowledges, authenticates, and
contacts mail box for the account
Mail downloaded to local computerMessages placed in
Inbox to be read
POP deletes messages from server; IMAP retains copy on server
Working with Resident e-mail FilesWorking with Resident e-mail Files
• Users are able to work offline with e-mail• E-mail is stored locally, a great benefit for
forensic analysts because the e-mail is readily available when the computer is seized
• Begin by identifying e-mail clients on system
• You can also search by file extensions of common e-mail clients
Working with E-MailWorking with E-Mail
E-Mail Client Extension Type of File
AOL
.abi.aim.arl.bag
AOL6 organizer fileInstant Message launchOrganizer fileInstant Messenger file
Outlook Express
.dbx.dgr
.email.eml
OE mail databaseOE fax pageOE mail messageOE electronic mail
Outlook.pab.pst
.wab
Personal address bookPersonal folderWindows address book
(Continued)
Working with E-MailWorking with E-Mail
E-Mail Client Extension Type of File
Lotus Notes .box
.ncf
.nsf
Notes mailbox
Notes internal clipboard
Notes database
Novell Groupwise
.mlm Saved e-mail (using WP5.1 format)
Eudora .mbx Eudora message base
Popular e-mail ClientsPopular e-mail Clients
• America Online (AOL) - users have a month to download or save before AOL deletes messages
• Outlook Express - installed by default with Windows
• Outlook - bundled with Microsoft Office• Eudora - popular free client• Lotus Notes - integrated client option for
Lotus Domino server
Webmail Data FlowWebmail Data Flow
• User opens a browser, logs in to the webmail interface
• Webmail server has already placed mail in Inbox• User uses the compose function followed by the
send function to create and send mail• Web client communicates behind the scenes to the
webmail server to send the message• No e-mails are stored on the local PC; the
webmail provider houses all e-mail
Working with WebmailWorking with Webmail
• Entails a bit more effort to locate files• Temporary files is a good place to start• Useful keywords for webmail programs
include:– Yahoo! mail: ShowLetter, ShowFolder Compose,
“Yahoo! Mail”– Hotmail: HoTMail, hmhome, getmsg, doattach,
compose– Gmail: mail[#]
E-Mail ProtocolE-Mail Protocol
E-Mail Protocol POP3 IMAP Webmail
E-mail accessible from anywhere
No Yes Yes
Remains stored on server
No (unless included in a backup of server)
Yes Yes, unless POP3 was used too
Dependence on Internet
Moderate Very strong
Strong
Special software required
Yes Yes No
Working with Mail ServersWorking with Mail Servers
• Some initial things to consider:– How many users are serviced?– E-mail retention policies of the company– Accessibility of the e-mail server
Working with Mail ServersWorking with Mail Servers
• Redundant array of independent disks (RAID)– RAID 0: Basic disk striping– RAID 1: Disk mirroring– RAID 3: Striping with parity– RAID 5: Striping with distributed parity– RAID 0+1 and 10 (1+0): Mirror of stripes and
striped mirroring
Working with Mail ServersWorking with Mail Servers
• Harvesting data from RAID servers– Easiest way to obtain the data is over the network– Considerations:
• Time to obtain the data
• Physical configuration and space
• Production server downtime
Examining E-Mails for EvidenceExamining E-Mails for Evidence
• Understanding e-mail headers– The header records information about the sender,
receiver, and servers it passes along the way– Most e-mail clients show the header in a short
form that does not reveal IP addresses– Most programs have an option to show a long form
that reveals complete details
Examining E-Mails for EvidenceExamining E-Mails for Evidence
• Most common parts of the e-mail header are logical addresses of senders and receivers
• Logical address is composed of two parts– The mailbox, which comes before the @ sign
– The domain or hostname that comes after the @ sign
• The mailbox is generally the userid used to log in to the e-mail server
• The domain is the Internet location of the server that transmits the e-mail
Examining E-Mails for EvidenceExamining E-Mails for Evidence
• Reviewing e-mail headers can offer clues to true origins of the mail and the program used to send it
• Common e-mail header fields include:– Bcc– Cc– Content-Type– Date– From
– Message-ID– Received– Subject– To– X-Priority
IP Address RegistriesIP Address Registries
• African Network Information
• Asia Pacific Network Information
• American Registry for Internet Number
• Latin American and Caribbean Internet Addresses Registry
• Réseaux IP Européens Network Coordination Centre
Examining E-Mails for EvidenceExamining E-Mails for Evidence
• Understanding e-mail attachments– MIME standard allows for HTML and multimedia
images in e-mail– Searching for base64 can find attachments in
unallocated or slack space
• Anonymous remailers– Allow users to remove identifying IP data to
maintain privacy– Stems from users citing the First Amendment and
freedom of speech
Private IP Address ClassificationsPrivate IP Address Classifications
IP Address Range Classification Use
10.0.0.0 to 10.255.255.255 Class ALocal network use—not recognized on the Internet
172.16.0.0 to 172.31.255.255 Class BLocal network use—not recognized on the Internet
192.168.0.0 to 192.168.255.255 Class CLocal network use—not recognized on the Internet
Working with Instant MessagingWorking with Instant Messaging
• Most widely used IM applications include:– Windows Messenger– Google Talk– AIM (AOL Instant Messenger)– ICQ (“I Seek You”) Instant Messenger
• Newer versions of IM clients and servers allow the logging of activity
• Can be more incriminating than e-mail
Taking the Initial ReportTaking the Initial Report
• GET THE HEADERS!!!• Get as accurate a timeline as possible• Timezones are important!!
http://tycho.usno.navy.mil/tzonemap.html
• Be sure the original e-mail is not deleted• Simply forwarding e-mail does not preserve
the headers
Right Click
Tools for E-mail TracingTools for E-mail Tracing
• Nslookup – DOS Command Prompt– www.infobear.com/nslookup.shtml
• www.traceroute.org
• http://www.whois.net/
• American Registry. http://www.arin.net/index.shtml
• Sam Spade: www.samspade.org