Understanding Technology Crime Investigation for Managers
Session 3: A grounding in technology concepts (Tracing E-mail & Instant Messages)
How e-mail works: E-mail cannot be sent directly from computer to computer (think about what would happen if the destination computer was turned off). It works in a similar way to real mail – it passes through a series of servers (post offices) until it is near the destination. Then, when it is appropriate (i.e. the end user requests to download the mail), it is delivered to the recipient.
Tracing e-mail – breadcrumbs! Every time an e-mail is received by a server, that server stamps the message with details of the server it received the mail from. This effectively leaves a trail which can be followed back to the originator. Confused…?
(Diagram) The user sends an e-mail from their own IP address; the mail server stamps the header with that originating IP; when the recipient downloads the e-mail, the last stamp contains the IP of the mail server.
Tracing e-mail – headers. Why can’t you see this information in an e-mail? The information is stored in extended headers, so we need to know how to access (and read) these headers… Demo!
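The breadcrumb trail described above is the chain of Received: headers. As an added example, not part of the course slides, the following Python script reads those stamps from a constructed message (all hostnames and IP addresses are made up), lists the hops in the order the mail actually travelled, reports the IP recorded by the first server, and applies the check an investigator should always make: each server's "by" name must match the "from" name of the next stamp, because a sender can pre-load bogus Received: lines that point the trail at an innocent machine.

```python
import email
import re

# Constructed sample: three Received: stamps, newest at the top, exactly as a
# recipient's client would download them. The bracketed IP is what each server
# observed on the connection; the name after "from" is what the connecting
# machine claimed about itself and cannot be trusted on its own.
SAMPLE_HEADERS = """\
Received: from mx.example-isp.net (mx.example-isp.net [203.0.113.10])
\tby mail.recipient.example (Postfix) with ESMTP id ABC123
\tfor <victim@recipient.example>; Mon, 03 Mar 2003 10:15:02 +0000
Received: from relay.example-isp.net (relay.example-isp.net [203.0.113.5])
\tby mx.example-isp.net with ESMTP; Mon, 03 Mar 2003 10:14:58 +0000
Received: from userpc (dialup-77.example-isp.net [198.51.100.77])
\tby relay.example-isp.net with SMTP; Mon, 03 Mar 2003 10:14:51 +0000
From: "Bank Support" <support@bank.example>
To: victim@recipient.example
Subject: test

body
"""

# Constructed variant: the sender added a stamp of their own before sending, so
# it sits at the bottom and looks like the oldest hop.
FORGED_HEADERS = SAMPLE_HEADERS.replace(
    "From: ",
    "Received: from innocent.example ([192.0.2.9])\n"
    "\tby fake-relay.example; Mon, 03 Mar 2003 09:00:00 +0000\nFrom: ",
    1,
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: value into the claimed from-host, observed IP and by-host."""
    v = " ".join(value.split())  # unfold the continuation lines
    m_from = re.match(r"from ([^\s;(]+)", v)
    m_by = re.search(r"\bby ([^\s;(]+)", v)
    m_ip = IP_RE.search(v)
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
    }


def trace_hops(raw_message):
    """Return the Received: chain oldest hop first, i.e. the route the mail took."""
    msg = email.message_from_string(raw_message)
    stamps = msg.get_all("Received") or []
    return [parse_received(s) for s in reversed(stamps)]


def originating_ip(raw_message):
    """IP recorded in the oldest stamp: the naive answer to 'where did this come from?'."""
    hops = trace_hops(raw_message)
    return hops[0]["ip"] if hops else None


def chain_is_consistent(hops):
    """Every hop's 'by' server should be the 'from' server of the following hop.
    A break means at least one stamp was not written by the server it names."""
    for earlier, later in zip(hops, hops[1:]):
        if earlier["by"] is None or later["from"] is None:
            return False
        if earlier["by"].lower() != later["from"].lower():
            return False
    return True


if __name__ == "__main__":
    for i, hop in enumerate(trace_hops(SAMPLE_HEADERS)):
        print(f"hop {i}: {hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("originating IP:", originating_ip(SAMPLE_HEADERS))
    print("genuine chain consistent:", chain_is_consistent(trace_hops(SAMPLE_HEADERS)))
    print("forged chain consistent:", chain_is_consistent(trace_hops(FORGED_HEADERS)))
```

Only the stamps added by servers you trust (your own, or ones whose logs you can obtain) are evidence; everything below the first trusted stamp was written by machines under the sender's control. The forged sample shows why: a plain trace reports 192.0.2.9, while the consistency check exposes the break between the bogus stamp and the real first hop.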
Simple e-mail faking. It’s very easy to create a (superficially) fake e-mail: e-mail software does not check that you have entered the correct identity information when you set up an account. Demo!
Simple e-mail faking – Exercise. Use the e-mail client Outlook Express to create a new account on your computer. You must use the correct mail server settings, but you can choose a fake identity. Send an e-mail to your neighbour. Open the e-mail that you receive and see how it looks – view the header and then trace the originating IP address.
E-mail content. Of course, being able to trace the e-mail is extremely important. However, we also need to understand the nature of the content. E-mails can be received in two ways: – Plain text – HTML encoded with multimedia add-ins
E-mail content. If you receive an e-mail in plain text, then what you see is what you get. However, e-mails in HTML coding can be used to hide the true content and the real destination of any hyperlinks. Thus they are commonly used to perpetrate frauds.
E-mail Fraud. A good example is in your manual (p. 59). This involves a case where a large US ISP’s website was faked. The fraudsters then sent out a huge volume of e-mails, hoping that at least some of them would be received by Earthlink customers. The e-mails directed victims to the fake website and instructed them to submit personal details.
E-mail Fraud
(Slide showing the HTML source of the fraudulent e-mail: a series of anchor tags whose link targets are truncated in this copy – `<a …tion/step1_e.htm">`, `<a …fication/step1_e.htm">`, `<a …ation/step1_e.htm">`.)
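The slide above shows the trick in the raw HTML: the text the victim reads is the ISP's address, but the href behind it points somewhere else. As an added example (not part of the course materials), the following Python script does what an investigator or a mail filter does when "looking at the code behind" such a message: it pulls every link out of a constructed HTML body and flags those whose visible text misrepresents the real destination. It goes slightly beyond the slide by also flagging two related tricks of the same era, a bare IP address as the destination and a fake hostname placed before an `@` in the URL (a browser ignores everything before the `@`). All addresses in the sample are made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body in the style of the ISP fraud described above. The first
# link displays the ISP's address but points at a bare IP; the third uses the
# user-info trick (the browser connects to what follows the '@'). "Help" is honest.
SAMPLE_HTML = """
<p>Your account needs verification. Please visit
<a href="http://203.0.113.5/verify/step1.htm">http://www.example-isp.net/account</a>
within 24 hours.</p>
<p><a href="http://www.example-isp.net/help">Help</a> |
<a href="http://www.example-isp.net@203.0.113.5/verify/step1.htm">www.example-isp.net</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


# Visible text that a reader would take to be an address.
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)
BARE_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def host_of(url):
    """Hostname the browser would actually connect to for this URL or address."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def deceptive_links(html):
    """Return links whose visible text or structure misrepresents the destination."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = host_of(href)
        reasons = []
        if URL_LIKE.fullmatch(text) and host_of(text) != real_host:
            reasons.append("displayed address differs from real host")
        if BARE_IP.fullmatch(real_host):
            reasons.append("destination is a bare IP address")
        if "@" in urlparse(href).netloc:
            reasons.append("user-info before '@' hides the real host")
        if reasons:
            findings.append({"text": text, "href": href, "host": real_host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in deceptive_links(SAMPLE_HTML):
        print(f"'{f['text']}' really goes to {f['host']}: {', '.join(f['reasons'])}")
```

The point for a manager is that none of this is visible in a rendered HTML message: the user sees only the anchor text, so the comparison has to be made on the source, either by a person viewing it or by a filter such as this one.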
Instant Messaging. Real-time text chat facilities. Many people (especially youngsters) use IM as a complement to, or replacement for, e-mail. Therefore it may contain criminal communications.
Instant Messaging. An example of when a trace of instant messaging may be required is on page 65 of the manual.
E-mail as a Spy Tool, or for undercover work (extra topic)
Normal Tracing. After receiving the e-mail, we view the header and use the information to trace the originating IP address. BUT… what if you are conducting an undercover operation and want to trace a suspect’s address without receiving an e-mail from the suspect?
Tracking e-mails. How to spy on someone using e-mails? Commercial services are available which claim to: – prove the e-mail was opened – show the time that the e-mail was opened – show the IP address of the computer used – show if any links were clicked in the message – show if the e-mail was forwarded…
ReadNotify.com
How does it work? ReadNotify allows a short free trial. Using this, it is possible to analyse how it works. A free e-mail account was used to register. To send tracked mail, we just need to add .readnotify.com to the end of the target address.
Demo. A test e-mail was sent using the free account, addressed to … When received, it looks like this…
The e-mail was received by MS Outlook and viewed using the preview pane. A check was then made at the ReadNotify website to see if this had been recorded…
A new demo – this time to PEN
Once again, we check with the ReadNotify website to see if they have a record… This time, though, it has no record to report – even though the e-mail has been opened. However, if “launch” is selected instead of the file viewer, this opens the ‘Netscape’ web browser.
This time, the ReadNotify website tells us that the e-mail has been opened.
So, what is happening? We now know that the tracking will only work in web-enabled clients. Therefore, if the e-mail is HTML, we need to look at the code behind it…
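Looking at the code behind a tracked message means looking for content the client has to fetch from the tracker's server when it renders the HTML. As an added example, not part of the course materials, the following Python script does that inspection on a constructed HTML body. It assumes the tracking service relies on a remote image (a web beacon), which fits the demos above (the receipt appears only once a web browser renders the message) but is not something the slides state about ReadNotify specifically. It lists every image that would trigger a network request and flags the ones that look like a beacon rather than content: a one-pixel image, an opaque per-message token in the URL, or an image hidden by its style. All hostnames and tokens are made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML message: a genuine logo, an invisible tracking image carrying
# an opaque per-message token, and an inline (attached) image that needs no fetch.
SAMPLE_HTML = """
<html><body>
<p>Hello, the report you asked for is attached.</p>
<img src="https://cdn.sender.example/logo.png" width="120" height="40" alt="Sender">
<img src="http://track.example-tracker.net/open/7f3a9c2e1b4d8e5f.gif" width="1" height="1">
<img src="cid:report-chart-001" alt="chart">
</body></html>
"""


class ImageCollector(HTMLParser):
    """Collect the attributes of every <img> element in the message."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


# A run of 16+ letters/digits in the path or query is typical of a per-message id.
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9]{16,}")


def _dimension(value):
    """Turn '1', '1px' or None into an int or None."""
    digits = re.sub(r"\D", "", value or "")
    return int(digits) if digits else None


def remote_images(html):
    """Images that cause a network fetch (and so reveal the reader) when rendered."""
    collector = ImageCollector()
    collector.feed(html)
    return [img for img in collector.images
            if urlparse(img.get("src", "")).scheme in ("http", "https")]


def find_beacons(html):
    """Remote images that look like read-tracking beacons rather than content."""
    findings = []
    for img in remote_images(html):
        url = urlparse(img["src"])
        reasons = []
        w, h = _dimension(img.get("width")), _dimension(img.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("1x1 pixel")
        if OPAQUE_TOKEN.search(url.path + url.query):
            reasons.append("opaque token in URL")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            findings.append({"host": url.hostname, "src": img["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("remote fetches when rendered:", len(remote_images(SAMPLE_HTML)))
    for b in find_beacons(SAMPLE_HTML):
        print(f"probable beacon from {b['host']}: {', '.join(b['reasons'])}")
```

The two functions map onto the two demos: `remote_images` is what separates the clients that reported back (they fetched the image) from the file viewer that did not, and `find_beacons` is what a privacy-conscious reader or a mail gateway would use to decide which of those fetches to block. The only complete defence remains the one the non-HTML client demonstrates: do not fetch remote content when displaying mail.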
Final example in a non-HTML client (Linux)
Conclusions (from an investigation point of view). This method is a very good way of tracing addresses covertly. The user must be using an HTML-enabled e-mail client, but nowadays it is very unusual not to be; this includes web-mail as well as POP mail. Unfortunately, you need to subscribe if using it for a long period.
Conclusions (from a personal point of view). This tool shows how easy it is for spammers to know if you are receiving and viewing their mail. Others can know if you are forwarding the mail and to whom! Privacy is being compromised. This is why many people are insisting on using non-HTML e-mail.
Summary