SAK 4801 INTRODUCTION TO COMPUTER FORENSICS Chapter 9 Tracking E-mails and Investigating E-mail Crimes Mohd Taufik Abdullah Department of Computer Science.

Chapter 9: Tracking E-mails and Investigating E-mail Crimes
Mohd Taufik Abdullah, Department of Computer Science, Faculty of Computer Science and Information Technology, University Putra of Malaysia, Room No: 2.28
Portions of the material courtesy of Nelson et al. and EC-Council

Chapter 9 Tracking E-mails and Investigating E-mail Crimes, SAK4801 Introduction to Computer Forensics
Learning Objectives
At the end of this chapter, you will be able to:
Explain the role of e-mail in investigations
Describe client and server roles in e-mail
Describe tasks in investigating e-mail crimes and violations
Explain the use of e-mail server logs
Describe some available e-mail computer forensics tools

Chapter 9 Outline
9. Tracking E-mails and Investigating E-mail Crimes
9.1 Understanding Internet Fundamentals and Internet Protocols
9.2 Exploring the Roles of E-mail in Investigations
9.3 Exploring the Roles of the E-mail Client and Server
9.4 Investigating E-mail Crimes and Violations
9.5 Tracing Back E-mail
9.6 Searching E-mail Addresses
9.7 Handling Spam
9.8 Protecting E-mail Address from Spam

9.1 Understanding Internet Fundamentals and Internet Protocols

Understanding Internet Fundamentals
Internet: a huge collection of networks connecting millions of computers
Internet Service Provider (ISP): according to Webopedia.com, "It is a company that provides access to the Internet"
Dial-Up Connection: according to Webopedia.com, "It refers to connecting a device to a network via a modem and a public telephone network"

Understanding Internet Protocols
Internet Protocols: a set of standards determining the format and transmission of data
TCP/IP is the protocol suite used for e-mail (including SMTP, POP3, and IMAP)
Transmission Control Protocol (TCP): a connection-oriented protocol that enables devices to establish a connection and then guarantees delivery of data in the same order it was sent
Internet Protocol (IP): a connectionless protocol that provides the addressing scheme; it operates at the network layer

9.2 Exploring the Roles of E-mail in Investigations

With the increase in e-mail scams and fraud attempts using phishing or spoofing, investigators need to know how to examine and interpret the unique content of e-mail messages
Phishing e-mails are in HTML format, which allows creating links to text on a Web page
One of the most noteworthy scams was 419, or the Nigerian Scam
Spoofing can be used to commit fraud

9.3 Exploring the Roles of the E-mail Client and Server

Send and receive e-mail in two environments: the Internet, or a controlled LAN, MAN, or WAN
Client/server architecture: the server OS and e-mail software differ from those on the client side
Protected accounts require usernames and passwords


E-mail name conventions
Corporate:
Public:
Everything after the @ belongs to the domain name
Tracing corporate e-mails is easier, because accounts use standard names the administrator establishes

E-mail Crime
E-mail crime is a "new-age crime" that is growing rapidly
E-mail crime can be categorized in two ways:
Crime committed by sending e-mails, e.g. spamming, mail bombing
Crime supported by e-mails, e.g. harassment, child pornography

Spamming, Mail Bombing, Mail Storm
Spamming can be defined as sending unsolicited mails; the more common word for spam is "junk mail"
Mail bombing can be defined as the act of sending unwanted mails in excessive amounts, which fills the recipient's mailbox
According to DictionaryWords.net, "Mail Storm is a flood of incoming mail that brings the machine to its knees"

Chat Rooms
Chat rooms are an open target for pedophiles to use for the sexual abuse of children
According to WordNet Dictionary, "Child pornography can be defined as illegal use of children in pornographic pictures and films"
The Internet has become an easy-to-use tool for harassment, and e-mail has become the most vulnerable feature of it

Identity Fraud, Chain Letter
Identity fraud can be defined as using or stealing one's personal information, like name, address, and credit card number, for economic gain
According to DictionaryWords.net, "Chain Letter is a letter that is sent successively to several people."

Sending Fake E-mails

9.4 Investigating E-mail Crimes and Violations

E-mail investigations are similar to other types of investigations
Goals:
Find who is behind the crime
Collect the evidence
Present your findings
Build a case

Whether an e-mail activity is a crime depends on the city, state, or country (example: spam); always consult with an attorney
E-mail crimes are becoming commonplace
Examples of crimes involving e-mails: narcotics trafficking, extortion, sexual harassment, child abductions and pornography

Investigating Process
Examining an e-mail message
Copying an e-mail message
Printing an e-mail message
Viewing e-mail headers
Examining an e-mail header
Examining e-mail attachments
Tracing an e-mail

Examining E-mail Messages
Access the victim's computer to recover the evidence
Using the victim's e-mail client: find and copy evidence in the e-mail; access protected or encrypted material; print the e-mails
Guide the victim on the phone: open and copy the e-mail, including headers
Sometimes you will deal with deleted e-mails

Examining E-mail Messages (Cont.)
Copying an e-mail message
Before you start an investigation, you need to copy and print the e-mail involved in the crime or policy violation
You might also want to forward the message as an attachment to another e-mail address
With many GUI e-mail programs, you can copy an e-mail by dragging it to a storage medium, or by saving it in a different location


Viewing E-mail Headers
Learn how to find e-mail headers in GUI clients, command-line clients, and Web-based clients
After you open the e-mail headers, copy and paste them into a text document so that you can read them with a text editor
Headers contain useful information: unique identifying numbers, the IP address of the sending server, and the sending time

Viewing E-mail Headers (Cont.)
Outlook: open the Message Options dialog box; copy the headers; paste them into any text editor
Outlook Express: open the message Properties dialog box; select Message Source; copy and paste the headers into any text editor


Viewing E-mail Headers (Cont.)
Novell Evolution: click View, All Message Headers; copy and paste the header
Pine and ELM: check enable-full-headers
AOL headers: click Action, View Message Source; copy and paste the headers


Viewing E-mail Headers (Cont.)
Hotmail: click Options, and then click Mail Display Settings; click the Advanced option button under Message Headers; copy and paste the headers
Apple Mail: click View from the menu, point to Message, and then click Long Header; copy and paste the headers


Viewing E-mail Headers (Cont.)
Yahoo: click Mail Options; click General Preferences and Show All headers on incoming messages; copy and paste the headers


Examining E-mail Headers
Gather supporting evidence and track the suspect using:
Return path
Recipient's e-mail address
Type of sending e-mail service
IP address of the sending server
Name of the e-mail server
Unique message number
Date and time the e-mail was sent
Attachment file information
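The fields listed above can be pulled out of a raw message mechanically. The following is an added example, not code from the course slides: it parses a constructed message (every host, address and IP is a documentation-range placeholder), walks the Received chain from the earliest hop to the latest, and reports the return path, recipient, Message-ID, date, the originating client IP, the server that first accepted the mail, and any attachments. Only Python's standard library is used.

```python
"""Extract the header evidence fields from a raw e-mail.
Added example, not from the course slides; the message is constructed and every
host, address and IP in it is a documentation-range placeholder."""
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: submitted from 192.0.2.44 to relay.sender.example,
# relayed to the recipient's MX, then handed to the mailbox server.
RAW_MESSAGE = """\
Return-Path: <sender@sender.example>
Received: from mx2.recipient.example (mx2.recipient.example [198.51.100.7])
\tby mail.recipient.example with ESMTP id 7F2C1A;
\tMon, 3 Mar 2014 10:15:24 +0800
Received: from relay.sender.example (relay.sender.example [203.0.113.25])
\tby mx2.recipient.example with ESMTP id 3B9D0E;
\tMon, 3 Mar 2014 10:15:22 +0800
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.sender.example with ESMTPA id 9A1F77;
\tMon, 3 Mar 2014 10:15:20 +0800
Message-ID: <20140303021520.9A1F77@relay.sender.example>
Date: Mon, 3 Mar 2014 10:15:19 +0800
From: "Sender" <sender@sender.example>
To: victim@recipient.example
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"

%PDF-1.4 constructed placeholder, not a real document
--b1--
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received header into the hop's from/by hosts, client IP and timestamp."""
    text = " ".join(str(value).split())      # unfold continuation lines
    head, _, stamp = text.rpartition(";")    # the timestamp follows the last ';'
    from_m = re.search(r"\bfrom\s+(\S+)", head)
    by_m = re.search(r"\bby\s+(\S+)", head)
    ip_m = BRACKETED_IP.search(head)
    return {
        "from": from_m.group(1) if from_m else None,
        "ip": ip_m.group(1) if ip_m else None,
        "by": by_m.group(1) if by_m else None,
        "time": parsedate_to_datetime(stamp.strip()).isoformat() if stamp.strip() else None,
    }


def extract_header_evidence(raw):
    """Return the header fields an examiner records, with hops in chronological order."""
    msg = message_from_string(raw, policy=policy.default)
    # Each server prepends its own Received line, so the top one is the newest hop;
    # reverse the list to read the path in the order the message travelled.
    hops = [parse_received(v) for v in msg.get_all("Received", [])][::-1]
    return {
        "return_path": parseaddr(str(msg.get("Return-Path", "")))[1],
        "recipient": parseaddr(str(msg.get("To", "")))[1],
        "message_id": str(msg["Message-ID"]),
        "date": parsedate_to_datetime(str(msg["Date"])).isoformat(),
        "hops": hops,
        # Earliest hop: the client IP that submitted the mail and the server that accepted it.
        "origin_ip": hops[0]["ip"] if hops else None,
        "origin_server": hops[0]["by"] if hops else None,
        "attachments": [
            {"filename": p.get_filename(), "content_type": p.get_content_type()}
            for p in msg.iter_attachments()
        ],
    }


if __name__ == "__main__":
    for key, val in extract_header_evidence(RAW_MESSAGE).items():
        print(f"{key}: {val}")
```

When reading the output, trust only the Received lines added by servers you control or can verify with their logs: a sender can insert fabricated Received lines below the genuine ones, so the earliest hop is a lead to be confirmed against the relay's log, not proof by itself.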


Examining Additional E-mail Files
E-mail messages are saved on the client side or left at the server
Microsoft Outlook uses .pst and .ost files
Most e-mail programs also include an electronic address book
In Web-based e-mail, messages are displayed and saved as Web pages in the browser's cache folders
Many Web-based e-mail providers also offer instant messaging (IM) services

Tracing an E-mail Message
Contact the administrator responsible for the sending server
Find the domain name's point of contact
Find the suspect's contact information
Verify your findings by checking network e-mail logs against the e-mail addresses

Using Network E-mail Logs
Router logs: record all incoming and outgoing traffic; have rules to allow or disallow traffic; you can resolve the path a transmitted e-mail has taken
Firewall logs: filter e-mail traffic; verify whether the e-mail passed through
You can use any text editor or specialized tools
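The firewall check above, as an added example that is not part of the slides: the sending server's IP and the timestamp taken from the message header are compared with firewall log entries for TCP port 25 inside a short time window. The log lines are constructed, their key=value layout only mimics netfilter/iptables logging, and the year and time zone are assumed because syslog timestamps carry neither.

```python
"""Check a firewall log for the SMTP connection behind a traced e-mail.
Added example, not from the course slides. The log lines are constructed and
their key=value layout only mimics netfilter/iptables logging."""
import re
from datetime import datetime, timedelta, timezone

# Constructed firewall log excerpt; syslog timestamps carry no year or zone.
FIREWALL_LOG = """\
Mar  3 10:14:02 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.25 DST=198.51.100.7 PROTO=TCP SPT=44120 DPT=443
Mar  3 10:15:21 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.25 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=25
Mar  3 10:15:21 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=25
Mar  3 11:40:05 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.25 DST=198.51.100.7 PROTO=TCP SPT=51300 DPT=25
""".splitlines()

# Assumed values read from the message header (matching the constructed log):
# the sending server's IP and the time stamped in its Received line.
SENDING_SERVER_IP = "203.0.113.25"
HEADER_TIME = datetime(2014, 3, 3, 10, 15, 22, tzinfo=timezone(timedelta(hours=8)))

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<action>\w+) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_firewall_line(line, year, tz):
    """Turn one log line into a record; year and zone are supplied because syslog omits them."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return {"time": stamp, "action": m["action"], "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "spt": int(m["spt"]), "dpt": int(m["dpt"])}


def smtp_connections_from(log_lines, client_ip, around, window=timedelta(minutes=10), year=2014):
    """Return the TCP/25 records from client_ip whose time lies within `window` of `around`."""
    hits = []
    for line in log_lines:
        rec = parse_firewall_line(line, year, around.tzinfo)
        if rec is None:
            continue
        if (rec["src"] == client_ip and rec["proto"] == "TCP" and rec["dpt"] == 25
                and abs(rec["time"] - around) <= window):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in smtp_connections_from(FIREWALL_LOG, SENDING_SERVER_IP, HEADER_TIME):
        print(rec["time"].isoformat(), rec["action"],
              f"{rec['src']}:{rec['spt']} -> {rec['dst']}:{rec['dpt']}")
```

An ACCEPT record a second or two before the Received timestamp corroborates that the e-mail really entered through the firewall; a DROP, or no record at all, means the header's story and the network's story disagree and the header deserves closer scrutiny. Clock drift between the mail server and the firewall is the usual reason to widen the window.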


Understanding E-mail Servers
E-mail server log file

Examining UNIX E-mail Server Logs
Log files and configuration files provide information related to the investigation
The syslog.conf file specifies where the various types of log files are saved
Typical syslog.conf file
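What a UNIX mail log can tell an investigator about one message, as an added example rather than material from the slides: the log lines are constructed in the style Postfix writes to the mail log (an assumption; other servers lay their logs out differently), and the code locates the queue ID recorded for a Message-ID, then collects the connecting client's host and IP, the authenticated username, the envelope sender, and each recipient's delivery status.

```python
"""Reconstruct one message's passage through a UNIX mail server log.
Added example, not from the course slides. The lines are constructed in the
style Postfix writes to the mail log; real deployments vary in layout."""
import re

# Constructed mail log excerpt: one message from an authenticated client at
# 192.0.2.44 and one relayed in from another server that bounced.
MAIL_LOG = """\
Mar  3 10:15:20 relay postfix/smtpd[2201]: connect from unknown[192.0.2.44]
Mar  3 10:15:20 relay postfix/smtpd[2201]: 9A1F77: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=jdoe
Mar  3 10:15:20 relay postfix/cleanup[2202]: 9A1F77: message-id=<20140303021520.9A1F77@relay.sender.example>
Mar  3 10:15:20 relay postfix/qmgr[2203]: 9A1F77: from=<sender@sender.example>, size=2048, nrcpt=1 (queue active)
Mar  3 10:15:22 relay postfix/smtp[2204]: 9A1F77: to=<victim@recipient.example>, relay=mx2.recipient.example[198.51.100.7]:25, delay=2, status=sent (250 2.0.0 Ok: queued as 3B9D0E)
Mar  3 10:15:22 relay postfix/qmgr[2203]: 9A1F77: removed
Mar  3 10:15:25 relay postfix/smtpd[2201]: disconnect from unknown[192.0.2.44]
Mar  3 10:20:01 relay postfix/smtpd[2210]: 1C0FFE: client=mail.other.example[198.51.100.20]
Mar  3 10:20:01 relay postfix/cleanup[2202]: 1C0FFE: message-id=<other@mail.other.example>
Mar  3 10:20:02 relay postfix/smtp[2204]: 1C0FFE: to=<victim@recipient.example>, relay=mx2.recipient.example[198.51.100.7]:25, delay=1, status=bounced (550 5.1.1 User unknown)
""".splitlines()

# Lines that carry a queue id: "<timestamp> <host> postfix/<program>[pid]: <QUEUEID>: <rest>"
QUEUE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/(?P<prog>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"client=(?P<host>[^\[,\s]+)\[(?P<ip>[^\]]+)\]")


def queue_lines(log_lines):
    """Yield (timestamp, program, queue id, rest) for every line tagged with a queue id."""
    for line in log_lines:
        m = QUEUE_RE.match(line)
        if m:
            yield m["ts"], m["prog"], m["qid"], m["rest"]


def trace_message(log_lines, message_id):
    """Find the queue id logged for message_id and gather what the server recorded under it."""
    qid = None
    for _, prog, cand, rest in queue_lines(log_lines):
        if prog == "cleanup" and rest == f"message-id={message_id}":
            qid = cand
            break
    if qid is None:
        return None                      # the server never logged that Message-ID
    record = {"queue_id": qid, "client_host": None, "client_ip": None,
              "sasl_username": None, "sender": None, "recipients": [],
              "first_seen": None, "last_seen": None}
    for ts, _, cand, rest in queue_lines(log_lines):
        if cand != qid:
            continue
        record["first_seen"] = record["first_seen"] or ts
        record["last_seen"] = ts
        if (m := CLIENT_RE.search(rest)):
            record["client_host"], record["client_ip"] = m["host"], m["ip"]
        if (m := re.search(r"sasl_username=(\S+)", rest)):
            record["sasl_username"] = m.group(1).rstrip(",")
        if (m := re.search(r"\bfrom=<([^>]*)>", rest)):
            record["sender"] = m.group(1)
        if (m := re.search(r"\bto=<([^>]*)>.*status=(\w+)", rest)):
            record["recipients"].append({"to": m.group(1), "status": m.group(2)})
    return record


if __name__ == "__main__":
    print(trace_message(MAIL_LOG, "<20140303021520.9A1F77@relay.sender.example>"))
```

The queue ID is the thread that ties the separate smtpd, cleanup, qmgr and smtp lines together; the client IP and SASL username it leads to are the server-side facts that either confirm or contradict the earliest Received line in the message header.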

Examining Microsoft E-mail Server Logs
Message tracking log in verbose mode

Examining Novell GroupWise E-mail Logs
The Novell GroupWise e-mail server software is a database server, like Microsoft Exchange and UNIX sendmail
GroupWise organizes mailboxes in two ways: permanent index files with the IDX extension, and the GroupWise QuickFinder action
GroupWise manages the e-mail server in a centralized manner using NGWGUARD.Db

Using Specialized E-mail Forensic Tools
Tools that can investigate e-mail messages: EnCase, FTK, FINALeMAIL, Sawmill-GroupWise, Audimation for Logging

FINALeMAIL
Can restore lost e-mails to their original state
Can recover the entire e-mail database files
FINALeMAIL search results

R-MAIL
R-Mail is basically an e-mail recovery tool, which recovers messages that were deleted accidentally

E-mail Examiner by Paraben
Deleted mails can be recovered
Examines more than 14 mail types
Recovers deleted e-mail from deleted items
Supports Windows 95/98/2000/2003/NT 4/ME/XP

Network E-mail Examiner by Paraben
Examines a variety of network e-mail archives, like Exchange Server, Lotus Domino Server, etc.
Views all the individual e-mail accounts
Supports Microsoft Exchange and Lotus Notes

9.5 Tracing Back E-mail

The first step in tracing back a fake e-mail is to view the header information
The header will show the originating mail server, e.g. mail.example.com
With a court order served by law enforcement or a civil complaint filed by attorneys, obtain the log files from mail.example.com to determine who sent the message

Tracing Back Web-Based E-mail
Web-based e-mail accounts (Webmail) can make establishing the identity of the sender more difficult
It is possible to create a new online Webmail account easily
The Webmail sites maintain the source IP address of each connection that accesses the online Webmail
Contact the mail provider (e.g. Microsoft) to reveal subscriber information

9.6 Searching E-mail Addresses

Internet search engines make the search for specific e-mail addresses easy
The following sites provide e-mail searching services:

E-mail Search Site
EmailChange.com is the site providing the Internet's first e-mail change registry and search engine, since Oct 1996

9.7 Handling Spam

Before taking legal action, send a short notice on the illegality of spam to the system administrator of the domain

Network Abuse Clearing House

Abuse.Net
Abuse.net provides a platform to report abusive activity on the Internet to people who can do something about it
It provides only complaint services and has nothing to do with blacklist or spam analysis services
Once registered, messages can be sent to the abuse.net address for the domain that is the source of the abusive practices, and from there the message is re-mailed to the best reporting address(es)

9.8 Protecting E-mail Address from Spam

One way to protect an e-mail address is to "encode" it, making it more difficult to discover
Be cautious before giving an e-mail address online, as posting the address on a Web site will bring spam to the inbox

Tool
Enkoder Form is a powerful tool designed to prevent e-mail harvesting

Tools (Cont.)
eMailTrackerPro analyzes the e-mail header and provides the IP address of the machine that sent the spam
Punish: this anti-spam tool makes the search for the spammer's ISP address easy; a complaint can be sent to the ISP of the sender using Send Complaint to

Summary
To investigate an e-mail, know how an e-mail server records and handles e-mail messages
E-mail servers are databases of user information and messages
All e-mail servers contain a log file which can provide valuable information when investigating a crime
For many investigations, rely on the e-mail message files, headers, and server log files to investigate crimes
E-mail fraudsters use phishing and spoofing scam techniques
Send and receive e-mail via the Internet or a LAN; both environments use client/server architecture

Summary (Cont.)
E-mail investigations are similar to other kinds of investigations: access the victim's computer to recover evidence; copy and print the e-mail message involved in the crime or policy violation; find the e-mail headers
Investigating e-mail abuse: be familiar with the operations of e-mail servers and clients; check e-mail message files, headers, and server log files

Summary (Cont.)
Currently, only a few forensics tools can recover deleted Outlook and Outlook Express messages
For e-mail applications that use the mbox format, a hexadecimal editor can be used to carve messages manually

End of Chapter 9