1 CSCD 496 Computer Forensics Lecture 15 Network Forensics Internet Information - Anonymity Winter 2010
2 Lecture Outline Two Main Topics –Anonymity Hiding your identity on the Internet anonymity
3 Introduction Internet - huge repository of information A lot of information stored on Internet applications and servers Today, look at becoming anonymous on the Internet Look at anonymity servers and r ers Should have had a chance to try out r er from the lab
4 Introduction Problem with Internet information –Tracing activity to an individual is hard Why might you want to be anonymous?
5 Anonymity Important –Investigators need to know How to hide themselves on-line How criminals and others hide themselves on-line Undercover for gambling, child porn, drugs or stolen merchandise –What do you want to conceal? Name, address, tel. number, IP address Lots of ways to do this...
6 Free ISPs Hiding On-line –Free ISPs – dial in without ID –Netzero is one that is free –NetZero launched in 1998, first free internet service provider Grew to 1,000,000 users in six months Limited to 10 hours/month Bought Juno –Another service
7 Free ISPs What does that get you? – Use a dial-up modem and provider such as Earthlink, Juno, or NetZero to connect to the Internet – Every time you dial in and connect to the Internet there is a very good chance that your IP address will be different – Calling different access numbers (different cities, different States even) will increase chance of getting a unique IP address
8 Proxies Another way to conceal IP while surfing the Web Direct all page requests through a proxy –Proxy – remote machine connect through to the Net which forwards your IP traffic and makes it look like you are originating from Web server logs records IP of proxy instead of actual client IP Not all of them are free Web proxy sites – home.html – – (a whole bunch at one site)
9 Browser Proxies Browser proxies –Add-on to your browser allows automated switching according to rules you set –Example: FoxyProxy for Firefox FoxyProxy Firefox extension automatically switches an internet connection across one or more proxy servers based on URL pattern FoxyProxy automates manual process of editing Firefox's Connection Settings dialog
10 Results of Proxies Proxies –What is accomplished by a proxy? Hides your IP in Web logs –Makes it more difficult to find originating IP since must go back to proxy server to get IP of suspect Connect to IRC or ICQ with a proxy –Not all of the ones on previous page allow this Minimizes cookies and other types of tracking
11 VPN Connections How do they work? –Virtual Private Network (VPN) Providers: A VPN special network allows computers to securely and privately access resources through them – Computers configured to use a VPN can forward all traffic through the VPN and obscure their actual IP address –Commercial service will have access to your billing information
12 Paid VPN's Several paid services –Swedish Broadband service –Really interesting terms of service Other VPN Services – – –
13 Tests for Your Anonymity WhatsMyIP Privacy Test Lagado Test Zaloop
14 Other Anonymity Services The Onion Router (TOR) TOR is a global Internet anonymity and privacy system. It utilizes between computers spread across the world to forward Internet traffic anonymously A user installs TOR and configures their web traffic to move through the TOR network This makes the user's traffic appear to originate at a random computer on the Internet
15 Other Anonymity Services Change your browser habits and an add-on –Stealther US/firefox/addon/1306 –Surf the web without leaving a trace in your local computer –What it does is temporarily disable the following: - Browsing History (also in Address bar) - Cookies - Downloaded Files History - Disk Cache - Saved Form Information - Sending of ReferrerHeader - Recently Closed Tabs list
16 Anonymity
17 Every message header contains information about its origin and destination –Possible to track back to its source –Identify the sender –Even when forged, there is information in e- mail headers
18 one of the most widely used services on the Internet Most important ways criminals communicate For more privacy, encryption is used or anonymous re- mailer protected by strict privacy law – Which Law? –Electronic Communication Privacy Act (ECPA) Even if can obtain incriminating , difficult to prove specific individual sent a specific message –Claim they never sent it Look more at anonymizing next
19 Anonymous There are two kinds of services in this category. First is truly Anonymous: no one anywhere knows your identity –This is a one-way channel, can’t get return mail sent back to you –Usually encrypted –Typically, sent through more than one r er –Example: Cypherpunk or Mixmaster
20 Anonymous Second, called Pseudo-anonymous or sometimes Pseudonymous Owner of the service knows your identity and can be forced in a court of law to reveal it –Most truly anonymous services are free (it's difficult to bill an unknown, unnamed client), but they often require some skill and effort to use –You expect to have your answered –You get your identify replaced with dummy address –Responses replaced with dummy address too –Example: Craigslist and match.com
21 Anonymous R ers make it hard to determine who sent a particular message –But no message is totally anonymous Sender puts txt in the message Message leaves something behind with sender ID Machines that handle message may have useful information Forging and Tracking –Important to know how is actually created and transmitted –Understand headers too
22 Cipher Punk Example Steps –Create a message in your client programs –Put the r er address in the To: field –Message should have a subject, prior to it a '##' –In the body of the message type '::' –Then, next line, Anon-to: –One blank line, then type message –Its that simple!!!
23 Cipher Punk R ers Example To: Subject: Testing anonymous > Body: > :: > Anon-To: > > ## > Subject: Subject of message > > Type your message here.
24 Tracking is like Real mail –Post offices in world called Mail Transfer Agents (MTA) –Message may travel through multiple MTA’s Each MTA adds something to the header of a transmitted message –Time stamps, technical identifying information –Each creates its own received header –Passed along to next MTA until message reaches its destination
25 Tracking Default is not to see the header –Most clients have a setting that allows you to view header Netscape –View – Headers – All Outlook Express –File – properties - click on details Eudora –Click on blah-blah-blah Opera –Right click header, select View all headers
26 Tracking Identity in –Unless r er or advanced forging technique used Sender identity embedded in message Two most useful header fields: –Message ID –Received field Message ID –Is globally unique – current date/time, MTA domain name and sender’s account name Example: Message sent Dec. 4, 1999 from mail.corpX.com by user13 Message-id:
27 Tracking Examining Headers –Some might have been forged, but the last few were likely valid, –Since message was delivered –Can achieve pseudo-anonymity through hotmail or netaddress account Header will contain IP of original computer Unless you went through an anonymizer...
28 Return-Path: Received: from hotmail.com (bay106-f21.bay106.hotmail.com[ ]) by granite.cs.uidaho.edu ( Sun/8.13.3) with ESMTP id jA7IbwCl for ; Mon, 7 Nov :38: (PST) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 7 Nov :37: Message-ID: Received: from by by106fd.bay106.hotmail.msn.com with HTTP; Mon, 07 Nov :37:52 GMT X-Originating-IP: [ ] X-Originating- X-Sender: From: "Carol Taylor" To: Subject: Sending a message to myself Date: Mon, 07 Nov :37: Mime-Version: 1.0 Content-Type: text/plain; format=flowed X-OriginalArrivalTime: 07 Nov :37: (UTC) FILETIME=[5C97D340:01C5E3CA] Content-Length: 270 Example: Hot mail
29 Return-path: Received: from imta21.westchester.pa.mail.comcast.net (LHLO imta21.westchester.pa.mail.comcast.net) ( ) by sz0050.ev.mail.comcast.net with LMTP; Tue, 2 Mar :48: (UTC) Received: from mout.perfora.net ([ ]) by imta21.westchester.pa.mail.comcast.net with comcast Joh1d0194CTZVm0MJohcP; Tue, 02 Mar :48: X-Authority-Analysis: v=1.1 Received: from localhost (u onlinehome-server.com [ ]) by mrelay.perfora.net (node=mrus4) with ESMTP (Nemesis1NaFSs0bDp-013hVr; Tue, 02 Mar :48: MIME-Version: 1.0 To: From: Subject: Trying beHidden.com Content-Type: text/plain; charset="ISO " Content-Transfer-Encoding: 7bit Message-ID: Date: Tue, 02 Mar :48: X-Provags-ID: V01U2FsdGVkX18zZyGxtJetADPAYPYc8Tl6hLwJECvXwZofTGD yRUgR+qvaXYsRBIFlqS6cVOGnapEF0Ar8AW+hMEGAxQXA8HIi Trying this service to see what it sends.
30 Anonymity Hushmail –Another level of anonymity –Wants recepient to log in and get the message –See example
31 Where Comes From Superficially, it appears that is passed directly from the sender's machine to the recipient's Lie. passes through at least four computers during its lifetime Most organizations have a dedicated machine to handle mail, called a "mail server” When a user sends mail, –She normally composes the message on her own computer, then sends it off to her ISP's mail server –At this point her computer is finished with the job, but the mail server still has to deliver the message It does this by finding the recipient's mail server, talking to that server and delivering the message
32 Consider a couple of fictitious users: and –tmh is a dialup user of Immense ISP, Inc., using a mail program called Loris Mail –rth is a faculty member at the Bieberdorf Institute, with a workstation on his desk networked with the Institute's other computers If rth wants to send a letter to tmh, –Composes it at his workstation alpha.bieberdorf.edu –Text passed to mail server, mail.bieberdorf.edu –Mail server, contacts other mail server mailhost.immense- isp.com –And delivers the mail to it –Message stored on mailhost.immense-isp.com until tmh dials in from his home computer and checks his mail –At that time, the mail server delivers any waiting mail, including the letter from rth, to it.
33 During all this processing, headers will be added to the message three times: 1. At composition time, by whatever program rth is using; 2. When that program hands control off to mail.bieberdorf.edu 3. At the transfer from Bieberdorf to Immense. (Normally, the dialup node that retrieves the message doesn't add any headers.) We can watch the evolution of these headers …
34 Mail Headers As generated by rth's mailer and handed off to mail.bieberdorf.edu: From: (R.T. Hood) To: Date: Tue, Mar :36:14 PST X-Mailer: Loris v2.32 Subject: Lunch today?
35 Headers As they are when mail.bieberdorf.edu transmits the message to mailhost.immense-isp.com: Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [ ]) by mail.bieberdorf.edu (8.8.5) id 004A21; Tue, Mar :36: (PST) From: (R.T. Hood) To: Date: Tue, Mar :36:14 PST Message-Id: X-Mailer: Loris v2.32 Subject: Lunch today? Header added
36 Headers As they are when mailhost.immense-isp.com finishes processing the message and stores it for tmh to retrieve : Received: from mail.bieberdorf.edu (mail.bieberdorf.edu [ ]) by mailhost.immense-isp.com (8.8.5/8.7.2) with ESMTP id LAA20869 for ; Tue, 18 Mar :39: (PST) Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [ ]) by mail.bieberdorf.edu (8.8.5) id 004A21; Tue, Mar :36: (PST) From: (R.T. Hood) To: Date: Tue, Mar :36:14 PST Message-Id: X-Mailer: Loris v2.32 Subject: Lunch today? This last set of headers is the one that tmh sees on the letter when he downloads and reads his mail. Header added
37 Conclusion Internet is a wealth of information sources – plus other ways to leave information –Useful for identifying criminal activity –Need to know if or how these sources were used in a suspected crime Anonymity –Used a lot by people who want to hide their activities –Can hide a lot of things, but still some identifying information Just harder
38 Resources Electronic Frontier Foundation Privacy Author BeHidden – and surfing Hushmail Privacy Test VPN Encryption Tunnel
39 End Next time: Case Study – Digital Evidence Internet Tracking someone via the Internet