Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 Web Forensics.


Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University, University Park, PA
Web Forensics & Tracing
8/24/06
Learning by Doing: Theory and Practice

Objectives
– Understand the flow of electronic mail across a network
– Explain the difference between resident e-mail client programs and webmail
– Understand the difference between typical desktop data storage and server data storage
– Identify the components of e-mail headers
– Understand the flow of instant messaging across the network

Importance of E-mail as Evidence
– E-mail can be pivotal evidence in a case
– Due to its informal nature, it does not always represent corporate policy
– Many cases provide examples of the use of e-mail as evidence:
  – Enron
  – Microsoft - Bill Gates
  – Knox vs. State of Indiana
  – Harley vs. McCoach
  – Nardinelli et al. vs. Chevron
  – Adelyn Lee vs. Oracle Corporation

Working with E-mail
– E-mail evidence is typically used to corroborate or refute other testimony or evidence
– Can be used by prosecutors or defense parties
– Two standard methods to send and receive e-mail:
  – Client/server applications
  – Webmail

E-mail Data Flow
– User has a client program such as Outlook or Eudora
– Client program is configured to work with one or more e-mail servers
– E-mails sent by the client reside on the PC
– A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers

Sending E-mail
– User creates the e-mail on her client
– User issues the send command
– Client moves the e-mail to the Outbox
– Server acknowledges the client and authenticates the account
– Client sends the e-mail to the server
– Server sends the e-mail to the destination server
– If the client cannot connect with the server, it keeps trying

Receiving E-mail
– User opens the client and logs on
– User issues the receive command
– Client contacts the server
– Server acknowledges, authenticates, and contacts the mailbox for the account
– Mail is downloaded to the local computer
– Messages are placed in the Inbox to be read
– POP deletes messages from the server; IMAP retains a copy on the server

Working with Resident E-mail Files
– Users are able to work offline with e-mail
– E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized
– Begin by identifying the e-mail clients on the system
– You can also search by the file extensions of common e-mail clients

Working with E-mail

Client            Extension   Type of File
AOL               .abi        AOL6 organizer file
                  .aim        Instant Message launch
                  .arl        Organizer file
                  .bag        Instant Messenger file
Outlook Express   .dbx        OE mail database
                  .dgr        OE fax page
                  .email      OE electronic mail
                  .eml        OE mail message
Outlook           .pab        Personal address book
                  .pst        Personal folder
                  .wab        Windows address book
(Continued)

Working with E-mail (continued)

Client            Extension   Type of File
Lotus Notes       .box        Notes mailbox
                  .ncf        Notes internal clipboard
                  .nsf        Notes database
Novell GroupWise  .mlm        Saved e-mail (using WP5.1 format)
Eudora            .mbx        Eudora message base

Popular E-mail Clients
– America Online (AOL): users have a month to download or save e-mail before AOL deletes messages
– Outlook Express: installed by default with Windows
– Outlook: bundled with Microsoft Office
– Eudora: popular free e-mail client
– Lotus Notes: integrated e-mail client option for the Lotus Domino server

Webmail Data Flow
– User opens a browser and logs in to the webmail interface
– Webmail server has already placed mail in the Inbox
– User uses the compose function followed by the send function to create and send mail
– Web client communicates behind the scenes with the webmail server to send the message
– No e-mails are stored on the local PC; the webmail provider houses all of the e-mail

Working with Webmail
– Entails a bit more effort to locate files
– Temporary files are a good place to start
– Useful keywords for webmail programs include:
  – Yahoo! Mail: ShowLetter, ShowFolder, Compose, "Yahoo! Mail"
  – Hotmail: HoTMail, hmhome, getmsg, doattach, compose
  – Gmail: mail[#]

Protocol                          POP3                                         IMAP          Webmail
E-mail accessible from anywhere   No                                           Yes           Yes
Remains stored on server          No (unless included in a backup of server)   Yes           Yes, unless POP3 was used too
Dependence on Internet            Moderate                                     Very strong   Strong
Special software required         Yes                                          Yes           No

Working with Mail Servers
Some initial things to consider:
– How many users are serviced?
– E-mail retention policies of the company
– Accessibility of the server

Working with Mail Servers
Redundant array of independent disks (RAID)
– RAID 0: Basic disk striping
– RAID 1: Disk mirroring
– RAID 3: Striping with parity
– RAID 5: Striping with distributed parity
– RAID 0+1 and 10 (1+0): Mirror of stripes and striped mirroring

Working with Mail Servers
Harvesting data from RAID servers
– Easiest way to obtain the data is over the network
– Considerations:
  – Time to obtain the data
  – Physical configuration and space
  – Production server downtime

Examining E-mails for Evidence
Understanding e-mail headers
– The header records information about the sender, the receiver, and the servers the message passes through along the way
– Most e-mail clients show the header in a short form that does not reveal IP addresses
– Most programs have an option to show a long form that reveals the complete details

Examining E-mails for Evidence
– The most common parts of the header are the logical addresses of the senders and receivers
– A logical address is composed of two parts:
  – The mailbox, which comes before the @ sign
  – The domain or hostname, which comes after the @ sign
– The mailbox is generally the userid used to log in to the e-mail server
– The domain is the Internet location of the server that transmits the e-mail

Examining E-mails for Evidence
– Reviewing headers can offer clues to the true origin of the mail and the program used to send it
– Common header fields include:
  – Bcc
  – Cc
  – Content-Type
  – Date
  – From
  – Message-ID
  – Received
  – Subject
  – To
  – X-Priority

IP Address Registries
– African Network Information Centre
– Asia Pacific Network Information Centre
– American Registry for Internet Numbers
– Latin American and Caribbean Internet Addresses Registry
– Réseaux IP Européens Network Coordination Centre

Examining E-mails for Evidence
Understanding attachments
– The MIME standard allows for HTML and multimedia images in e-mail
– Searching for base64 can find attachments in unallocated or slack space
Anonymous remailers
– Allow users to remove identifying IP data to maintain privacy
– Stems from users citing the First Amendment and freedom of speech
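The base64 search described above, carried a step further as an added example (not code from the original slides): it scans a constructed "slack space" buffer for MIME-style base64 runs, decodes them, and identifies the carved attachment by its magic bytes. The buffer, the 40-character minimum run length and the signature table are assumptions of this example.

```python
import base64
import re

# Constructed slack-space buffer (not from the slides): junk bytes around a
# base64-encoded PNG-like attachment, wrapped at 76 columns as MIME encoders do.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ATTACHMENT = PNG_MAGIC + b"\x00" * 40 + b"IHDR" + b"A" * 30
ENCODED = base64.b64encode(ATTACHMENT).decode()
WRAPPED = "\r\n".join(ENCODED[i:i + 76] for i in range(0, len(ENCODED), 76))
SLACK = b"\x00\xffjunk\x12" + WRAPPED.encode() + b"\r\n--boundary--\x00\x00"

# A run of base64 alphabet quads (CR/LF folds allowed between quads) of at least
# 40 characters, so ordinary words are skipped, plus an optional padded tail.
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{4}[\r\n]*){10,}(?:[A-Za-z0-9+/]{2,3}=?=?)?")

# File signatures used to label what was carved (assumed, small set for the example).
MAGIC = {b"\x89PNG": "png", b"%PDF": "pdf", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip"}

def carve_base64(buf):
    """Return (offset, decoded_bytes, kind) for every decodable base64 run in buf."""
    found = []
    for m in B64_RUN.finditer(buf):
        chunk = re.sub(rb"[\r\n]", b"", m.group(0))     # unfold the 76-column lines
        chunk += b"=" * (-len(chunk) % 4)               # repair padding lost at the boundary
        try:
            data = base64.b64decode(chunk, validate=True)
        except ValueError:
            continue                                    # alphabet-looking text, not base64
        kind = next((t for sig, t in MAGIC.items() if data.startswith(sig)), "unknown")
        found.append((m.start(), data, kind))
    return found

if __name__ == "__main__":
    for offset, data, kind in carve_base64(SLACK):
        print(f"offset {offset}: {len(data)} bytes, type {kind}")
```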

Private IP Address Classifications

IP Address Range                  Classification   Use
10.0.0.0 to 10.255.255.255        Class A          Local network use—not recognized on the Internet
172.16.0.0 to 172.31.255.255      Class B          Local network use—not recognized on the Internet
192.168.0.0 to 192.168.255.255    Class C          Local network use—not recognized on the Internet
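An added example (not from the original slides) tying the header slides and the private-address table together: it splits a logical address into mailbox and domain at the @ sign, walks the Received fields oldest-first to recover the relay path, and flags hops whose IP falls in the private ranges above, which cannot be traced through a registry. The header block is constructed for the example; the hostnames and addresses in it are assumptions.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed long-form header (not from the slides): two relay hops, oldest at the bottom.
RAW_HEADERS = """\
Received: from mx.example.org (mx.example.org [203.0.113.7])
\tby mail.example.com with ESMTP id abc123; Mon, 21 Aug 2006 10:15:02 -0400
Received: from userpc (unknown [192.168.1.23])
\tby mx.example.org with SMTP; Mon, 21 Aug 2006 10:14:55 -0400
From: "Alice" <alice@example.org>
To: bob@example.com
Subject: Test
Message-ID: <20060821141455.1234@example.org>

body
"""

# The private ranges from the table above, as networks.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def split_address(field):
    """Return (mailbox, domain) for the logical address in a From/To field."""
    _, addr = parseaddr(field)
    mailbox, _, domain = addr.partition("@")
    return mailbox, domain

def received_path(raw):
    """Return relay hops oldest-first as (claimed_host, ip, is_private).

    Each server prepends its own Received field, so the bottom-most field is
    the first hop; reversing the list gives the path the message travelled."""
    msg = message_from_string(raw)
    hops = []
    for field in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", field, re.S)
        if not m:
            continue                       # no bracketed IP literal in this hop
        ip = ipaddress.ip_address(m.group(2))
        hops.append((m.group(1), str(ip), any(ip in net for net in PRIVATE)))
    return hops

if __name__ == "__main__":
    print(split_address('"Alice" <alice@example.org>'))
    for host, ip, private in received_path(RAW_HEADERS):
        print(f"{host:16} {ip:16} {'private, not traceable' if private else 'public'}")
```

Only the first public hop (here 203.0.113.7) can be looked up in a regional registry; the 192.168.1.23 hop is the sender's local network address and identifies nothing outside it.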

Working with Instant Messaging
– The most widely used IM applications include:
  – Windows Messenger
  – Google Talk
  – AIM (AOL Instant Messenger)
  – ICQ ("I Seek You") Instant Messenger
– Newer versions of IM clients and servers allow the logging of activity
– Can be more incriminating than e-mail

Taking the Initial Report
– GET THE HEADERS!!!
– Get as accurate a timeline as possible
– Timezones are important!!
– Be sure the original e-mail is not deleted
– Simply forwarding does not preserve the headers

Right Click

Tools for Tracing
– Nslookup (DOS Command Prompt)
– American Registry
– Sam Spade