Email Tracing Computer Forensics 152 / 252.

Email Investigations: Overview. Email has become a primary means of communication. Email can easily be forged. Email can be abused: spam, as an aid in committing a crime, threatening email, and so on.

Email Investigations: Overview. Email evidence is in the email itself (the header), is left behind as the email travels from sender to recipient, and is contained in the various logs along the way. Law enforcement can use subpoenas to obtain those logs; system administrators keep some logs.

Email Fundamentals. Email travels from the originating computer to the receiving computer through email servers. Every email server it passes adds to the header. Use internet services (WHOIS, DNS, the regional address registries) to interpret and verify the data in a header.

Email Fundamentals. Typical path of an email message: Client → Mail Server → Mail Server → Mail Server → Client (the sender's server, possibly intermediate relays, and the recipient's server).

Email Fundamentals: Important Services. Verification of IP addresses: the Regional Internet Registries, APNIC (Asia Pacific Network Information Centre), ARIN (American Registry for Internet Numbers), LACNIC (Latin American and Caribbean IP Address Regional Registry) and RIPE NCC (Réseaux IP Européens Network Coordination Centre). Whois lookups: www.samspade.org (my favorite) and numerous other websites.

Email Fundamentals: Important Services. The Domain Name System (DNS) translates between domain names and IP addresses. Name-to-address lookup: the resolver first parses the HOSTS file, then asks the local nameserver; the local nameserver contacts the nameserver responsible for the domain, if necessary starting from a root nameserver; the remote nameserver sends the data back to the local nameserver, which caches the answer and informs the client. HOSTS files can be altered: you can use this as a low-tech tool to block pop-ups. Local nameservers can (or could) be tricked into accepting unsolicited data into their cache (cache poisoning), as in the "Hilary for Senate" case.

Email Fundamentals: IP Addressing. IP version 4 is slowly being replaced by IP version 6. IPv4: four decimal numbers between 0 and 255, e.g. 129.210.19.198. IPv6: eight 16-bit groups written in hexadecimal, 0000 to ffff. Static versus dynamic addresses: dynamic addresses are assigned by DHCP within a local network (sharing the same leading portion of the IP address), so the same address can belong to different machines at different times.

Email Fundamentals: Important Services. Many organizations use Network Address Translation. A NAT box has a single externally visible IP address. Each incoming IP packet is analyzed according to address and port number and forwarded into the interior network to an internal IP address, typically from the private-use ranges: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, 192.168.0.0 – 192.168.255.255. Private-use addresses are never routed on the public internet, so a private address in a Received line names a hop inside somebody's internal network and cannot be looked up in a registry.

Email Protocols. An email program such as Outlook is a client application. It needs to interact with an email server through one of: Post Office Protocol (POP), Internet Message Access Protocol (IMAP), Microsoft's Messaging API (MAPI).

Email Protocols. A mail server stores incoming mail and distributes it to the appropriate mailbox. What happens afterwards depends on the protocol. Accordingly, the investigation needs to be done at the server or at the workstation.

Email Protocols: where the messages end up.

  Service: Post Office. Protocol: POP. Characteristics: stores only incoming messages; investigation must be at the workstation.
  Service: Stores all messages. Protocols: IMAP, MS MAPI, Lotus Notes. Characteristics: copies of incoming and outgoing messages might be stored on the workstation, on the server, or on both.
  Service: Web-based send and receive. Protocol: HTTP. Characteristics: incoming and outgoing messages are stored on the server, but there might be archived or copied messages on the workstation. Easy to spoof identity.

Email Protocols: SMTP. Neither IMAP nor POP is involved in relaying messages between servers; that is done by the Simple Mail Transfer Protocol (SMTP). SMTP is simple, and is spoofed just as simply.

Email Protocols: SMTP. How to spoof email by talking to the server by hand (the lines without a numeric reply code are typed by the client):

    telnet server8.engr.scu.edu 25
    220 server8.engr.scu.edu ESMTP Sendmail 8.12.10/8.12.10; Tue, 23 Dec 2003 16:32:07 -0800 (PST)
    helo 129.210.16.8
    250 server8.engr.scu.edu Hello dhcp-19-198.engr.scu.edu [129.210.19.198], pleased to meet you
    mail from: jholliday@engr.scu.edu
    250 2.1.0 jholliday@engr.scu.edu... Sender ok
    rcpt to: tschwarz
    250 2.1.5 tschwarz... Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    This is a spoofed message.
    .
    250 2.0.0 hBO0W76P002752 Message accepted for delivery
    quit
    221 2.0.0 server8.engr.scu.edu closing connection

Email Protocols: SMTP. The result, as delivered, looks very convincing:

    From jholliday@engr.scu.edu Tue Dec 23 16:44:55 2003
    Return-Path: <jholliday@engr.scu.edu>
    Received: from server8.engr.scu.edu (root@server8.engr.scu.edu [129.210.16.8])
        by server4.engr.scu.edu (8.12.10/8.12.10) with ESMTP id hBO0itpv008140
        for <tschwarz@engr.scu.edu>; Tue, 23 Dec 2003 16:44:55 -0800
    From: JoAnne Holliday <jholliday@engr.scu.edu>
    Received: from 129.210.16.8 (dhcp-19-198.engr.scu.edu [129.210.19.198])
        by server8.engr.scu.edu (8.12.10/8.12.10) with SMTP id hBO0W76P002752
        for tschwarz; Tue, 23 Dec 2003 16:41:55 -0800 (PST)
    Date: Tue, 23 Dec 2003 16:32:07 -0800 (PST)
    Message-Id: <200312240041.hBO0W76P002752@server8.engr.scu.edu>
    X-Spam-Checker-Version: SpamAssassin 2.60-rc3 (1.202-2003-08-29-exp) on server4.engr.scu.edu
    X-Spam-Level:
    X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=ham version=2.60-rc3

    This is a spoofed message.

The only hint is the lower Received line: the client claimed to be 129.210.16.8 in its HELO, but the server recorded the host that actually connected, dhcp-19-198.engr.scu.edu [129.210.19.198]. The DHCP server logs might tell you which machine held that address at that time, but you need to know the clock drift between the various machines to read them correctly.

Email Protocols: SMTP. Things are even easier with Windows XP. Turn on the SMTP service that each WinXP machine can run, create a file that follows the SMTP message format, and place the file in Inetpub\mailroot\Pickup; the service sends it for you.

Email Protocols: SMTP. The pickup file:

    To: tschwarz@engr.scu.edu
    From: HolyFather@vatican.va

    This is a spoofed message.

What arrives:

    From HolyFather@vatican.va Tue Dec 23 17:25:50 2003
    Return-Path: <HolyFather@vatican.va>
    Received: from Xavier (dhcp-19-226.engr.scu.edu [129.210.19.226])
        by server4.engr.scu.edu (8.12.10/8.12.10) with ESMTP id hBO1Plpv027244
        for <tschwarz@engr.scu.edu>; Tue, 23 Dec 2003 17:25:50 -0800
    Received: from mail pickup service by Xavier with Microsoft SMTPSVC;
        Tue, 23 Dec 2003 17:25:33 -0800
    To: tschwarz@engr.scu.edu
    From: HolyFather@vatican.va
    Message-ID: <XAVIERZRTHEQXHcJcKJ00000001@Xavier>
    X-OriginalArrivalTime: 24 Dec 2003 01:25:33.0942 (UTC) FILETIME=[D3B56160:01C3C9BC]
    Date: 23 Dec 2003 17:25:33 -0800
    X-Spam-Checker-Version: SpamAssassin 2.60-rc3 (1.202-2003-08-29-exp) on server4.engr.scu.edu
    X-Spam-Level:
    X-Spam-Status: No, hits=0.3 required=5.0 tests=NO_REAL_NAME autolearn=no version=2.60-rc3

    This is a spoofed message.

Here the HELO name Xavier (the Windows machine's own name) and the address literal [129.210.19.226] recorded by server4 are the only pointers back to the originating workstation.

Email Protocols: SMTP Headers. Each mail server adds to the headers, and each addition is made at the top of the list. Therefore read the Received lines from the bottom (closest to the origin) upwards. To read full headers, you usually have to enable them in the mail client.

SMTP Headers. To enable the display of full headers:
  Eudora: use the "Blah Blah Blah" button.
  Hotmail: Options → Preferences → Message Headers.
  Juno: Options → Show Headers.
  MS Outlook: select the message and go to Options.
  Yahoo!: Mail Options → General Preferences → Show all headers.

SMTP Headers. A header consists of header fields:
  Originator fields: From, Sender, Reply-To.
  Destination address fields: To, Cc, Bcc.
  Identification fields: the Message-ID field is optional, but extremely important for tracing emails through email server logs.
  Informational fields: Subject, Comments, Keywords.
  Resent fields: Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc, Resent-Bcc, Resent-Message-ID. Strictly speaking optional; they are added when a user reintroduces an existing message into the mail system, and when present they record that second origin.

SMTP Headers: Trace Fields. The core of email tracing, regulated in RFC 2821 (section 4.4). When an SMTP server receives a message for delivery or further forwarding, it MUST insert trace information (a Received line) at the beginning of the header.

SMTP Headers. From RFC 2821: the FROM field, which MUST be supplied in an SMTP environment, SHOULD contain both (1) the name of the source host as presented in the EHLO command and (2) an address literal containing the IP address of the source, determined from the TCP connection. Only the second is beyond the sender's control. The ID field may contain an "@" as suggested in RFC 822, but this is not required. The FOR field MAY contain a list of <path> entries when multiple RCPT commands have been given. A server making the final delivery inserts a Return-Path line.
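The two rules above, put into code. This is an added example, not from the slides: a toy SMTP receiver that replays the hand-typed session from the spoofing slide and writes the Received line the way RFC 2821 section 4.4 prescribes. The peer address and reverse DNS are passed in as if read from the socket (constructed values matching the slide); everything the client says is accepted unverified, which is the point.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime


def build_received(helo_name, peer_rdns, peer_ip, server_name, queue_id, rcpts, now):
    """Compose the Received: line of RFC 2821 section 4.4.

    FROM = the name the client gave in HELO/EHLO (attacker controlled) plus the
    reverse DNS and the address literal of the TCP peer (taken from the socket).
    ID = the server's queue identifier; FOR = the envelope recipients.
    """
    rdns = f"{peer_rdns} " if peer_rdns else ""
    frm = f"from {helo_name} ({rdns}[{peer_ip}])"
    by = f"by {server_name} with SMTP id {queue_id}"
    fr = "for " + ", ".join(f"<{r}>" if "@" in r else r for r in rcpts)
    return f"Received: {frm} {by} {fr}; {format_datetime(now)}"


def smtp_receive(client_lines, peer_ip, peer_rdns, server_name, queue_id, now):
    """Replay one SMTP session; return (server replies, Received: line, envelope).

    client_lines are the lines the client sends; peer_ip / peer_rdns describe the
    TCP connection as the server sees it. Nothing the client says is verified.
    """
    replies = [f"220 {server_name} ESMTP"]
    helo_name = None
    env = {"mail_from": None, "rcpt_to": [], "data": []}
    in_data = False
    for line in client_lines:
        if in_data:
            if line == ".":
                in_data = False
                replies.append(f"250 2.0.0 {queue_id} Message accepted for delivery")
            else:
                # undo dot-stuffing: a body line starting with "." arrives as ".."
                env["data"].append(line[1:] if line.startswith("..") else line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            helo_name = arg.strip()          # recorded verbatim, never checked
            replies.append(f"250 {server_name} Hello {peer_rdns or peer_ip} [{peer_ip}], pleased to meet you")
        elif verb in ("MAIL", "RCPT"):
            addr = arg.partition(":")[2].strip()
            if not addr:
                replies.append("501 5.5.4 Syntax error in parameters")
            elif verb == "MAIL":
                env["mail_from"] = addr      # envelope sender, also unchecked
                replies.append(f"250 2.1.0 {addr}... Sender ok")
            else:
                env["rcpt_to"].append(addr)
                replies.append(f"250 2.1.5 {addr}... Recipient ok")
        elif verb == "DATA":
            if helo_name is None or env["mail_from"] is None or not env["rcpt_to"]:
                replies.append("503 5.5.1 Bad sequence of commands")
            else:
                in_data = True
                replies.append('354 Enter mail, end with "." on a line by itself')
        elif verb == "QUIT":
            replies.append(f"221 2.0.0 {server_name} closing connection")
        else:
            replies.append("500 5.5.1 Command unrecognized")
    received = None
    if env["data"]:
        received = build_received(helo_name, peer_rdns, peer_ip, server_name,
                                  queue_id, env["rcpt_to"], now)
    return replies, received, env


# The session from the slides: HELO claims the server's own address, while the
# socket says the client is dhcp-19-198 [129.210.19.198] (constructed replay).
SESSION = [
    "helo 129.210.16.8",
    "mail from: jholliday@engr.scu.edu",
    "rcpt to: tschwarz",
    "data",
    "This is a spoofed message.",
    ".",
    "quit",
]
WHEN = datetime(2003, 12, 23, 16, 41, 55, tzinfo=timezone(timedelta(hours=-8)))


def demo():
    return smtp_receive(SESSION, "129.210.19.198", "dhcp-19-198.engr.scu.edu",
                        "server8.engr.scu.edu", "hBO0W76P002752", WHEN)


if __name__ == "__main__":
    replies, received, env = demo()
    print("\n".join(replies))
    print(received)
```

The Received line the toy server emits is the one that appears second from the top in the delivered message on the earlier slide: the forged HELO name sits in front, the real address literal sits in the brackets, and nothing ties the MAIL FROM address to either.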

SMTP Headers: Spotting spoofed messages. The contents usually give a hint. Each SMTP server application adds a different set of headers, or structures them in a different way; a good investigator knows these formats. Use internet services to verify the header data, keeping in mind that some companies outsource their email or use internal IP addresses. Look for breaks and discrepancies in the chain of "Received" lines.

SMTP Headers: Investigation of spoofed messages. Verify all IP addresses, keeping in mind that some might be internal addresses. Make a timeline of events, converting all times to universal time (UTC). Look for strange behavior, and keep clock drift between the machines in mind.

Server Logs. E-mail logs usually identify email messages by the account, the IP address from which they were sent, and the time and date (beware of clock drift).

Server Logs. Many servers keep copies of emails. Most servers purge their logs after a while, so act quickly. Law enforcement: the vast majority of companies are very cooperative; don't wait for the subpoena, instead give the system administrator a heads-up that a subpoena is coming, so the logs are preserved. Company investigators: the local sysadmin needs the same early warning. Getting logs from other organizations can be dicey.

Unix sendmail. The configuration files /etc/sendmail.cf and /etc/syslog.conf give the location of the various logs and the rules for what gets logged. maillog (often at /var/log/maillog) logs SMTP transactions and POP3 events. You can always use locate '*.log' (quoted, so the shell does not expand the pattern first) to find log files.
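Tying the header to the logs, as the slides on Message-ID, server logs and clock drift describe. This is an added example, not from the slides: it indexes a sendmail maillog by queue id, finds the queue id for a Message-ID taken from a header, and then asks an ISC dhcpd log who held the relay address at that moment, with an explicit allowance for the DHCP server's clock being off. Both log excerpts are constructed for the example (the queue id, Message-ID and relay match the spoofed message on the SMTP slide; the hostnames, MAC addresses and the second message are made up); the log line formats are those of sendmail and dhcpd.

```python
import re
from datetime import datetime, timedelta

# Constructed sendmail maillog excerpt (syslog format, year not recorded).
MAILLOG = """\
Dec 23 16:41:55 server8 sendmail[2752]: hBO0W76P002752: from=jholliday@engr.scu.edu, size=27, class=0, nrcpts=1, msgid=<200312240041.hBO0W76P002752@server8.engr.scu.edu>, proto=SMTP, daemon=MTA, relay=dhcp-19-198.engr.scu.edu [129.210.19.198]
Dec 23 16:44:55 server8 sendmail[2753]: hBO0W76P002752: to=tschwarz, ctladdr=jholliday (1001/100), delay=00:03:00, xdelay=00:00:00, mailer=esmtp, pri=30027, relay=server4.engr.scu.edu. [129.210.16.4], dsn=2.0.0, stat=Sent (hBO0itpv008140 Message accepted for delivery)
Dec 23 16:50:02 server8 sendmail[2760]: hBO0o2Ab002760: from=<alice@engr.scu.edu>, size=1040, class=0, nrcpts=1, msgid=<20031224005002.GA311@ws12.engr.scu.edu>, proto=ESMTP, daemon=MTA, relay=ws12.engr.scu.edu [129.210.19.12]
Dec 23 16:50:03 server8 sendmail[2761]: hBO0o2Ab002760: to=<bob@engr.scu.edu>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=31040, dsn=2.0.0, stat=Sent
"""

# Constructed ISC dhcpd syslog excerpt: the same address changes hands twice.
DHCPLOG = """\
Dec 23 09:12:40 dhcp1 dhcpd: DHCPACK on 129.210.19.198 to 00:0c:29:aa:bb:cc (xavier) via eth0
Dec 23 16:40:10 dhcp1 dhcpd: DHCPACK on 129.210.19.198 to 00:50:56:11:22:33 (bobs-laptop) via eth0
Dec 23 16:55:00 dhcp1 dhcpd: DHCPACK on 129.210.19.198 to 00:0c:29:aa:bb:cc (xavier) via eth0
"""

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
MAIL_RE = re.compile(SYSLOG_TS + r" (?P<host>\S+) sendmail\[\d+\]: (?P<qid>\w+): (?P<body>.*)$")
DHCP_RE = re.compile(SYSLOG_TS + r" \S+ dhcpd: DHCPACK on (?P<ip>\S+) to (?P<mac>\S+)(?: \((?P<name>[^)]*)\))? via")


def syslog_time(ts, year):
    """syslog timestamps carry no year; the investigator supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def index_maillog(text, year):
    """Group sendmail lines by queue id: the from= line says who connected and
    from where, the to= lines say where the message went."""
    msgs = {}
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("body").split(", ") if "=" in kv)
        rec = msgs.setdefault(m.group("qid"), {"host": m.group("host"), "to": []})
        if "from" in fields:
            rec["time"] = syslog_time(m.group("ts"), year)
            rec["from"] = fields["from"].strip("<>")
            rec["msgid"] = fields.get("msgid", "").strip("<>")
            relay = re.match(r"(?P<name>\S+) \[(?P<ip>[^\]]+)\]", fields.get("relay", ""))
            rec["relay_host"] = relay.group("name") if relay else fields.get("relay")
            rec["relay_ip"] = relay.group("ip") if relay else None
        elif "to" in fields:
            rec["to"].append((fields["to"].strip("<>"), fields.get("stat", "")))
    return msgs


def find_by_msgid(index, msgid):
    """Message-ID copied from the header -> (queue id, log record)."""
    for qid, rec in index.items():
        if rec.get("msgid") == msgid.strip("<>"):
            return qid, rec
    return None


def lease_holder(dhcplog, ip, at, year, drift=timedelta(0)):
    """(mac, hostname, ack time) of the latest DHCPACK for ip not later than `at`.

    `at` is on the mail server's clock. `drift` is DHCP clock minus mail clock;
    DHCP timestamps are shifted back by it so both logs use the mail clock."""
    best = None
    for line in dhcplog.splitlines():
        m = DHCP_RE.match(line)
        if not m or m.group("ip") != ip:
            continue
        ack = syslog_time(m.group("ts"), year) - drift
        if ack <= at and (best is None or ack > best[2]):
            best = (m.group("mac"), m.group("name"), ack)
    return best


def who_sent(message_id, year=2003, drift=timedelta(0)):
    """Header Message-ID -> maillog queue id -> relay IP -> DHCP lease at that time."""
    found = find_by_msgid(index_maillog(MAILLOG, year), message_id)
    if not found:
        return None
    qid, rec = found
    lease = lease_holder(DHCPLOG, rec["relay_ip"], rec["time"], year, drift)
    return {"queue_id": qid, "relay_ip": rec["relay_ip"], "at": rec["time"], "lease": lease}


if __name__ == "__main__":
    mid = "<200312240041.hBO0W76P002752@server8.engr.scu.edu>"
    for drift in (timedelta(0), timedelta(minutes=-3)):
        print(f"DHCP clock drift {drift}:", who_sent(mid, drift=drift))
```

With the clocks in agreement the address belonged to bobs-laptop when the spoof was sent; if the DHCP server's clock is three minutes behind the mail server's, its 16:40:10 acknowledgement really happened after the message, and the holder was xavier instead. That flip is why the slides insist on establishing clock drift before reading a lease log.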