Email Tracing COEN 152 / 252 Computer Forensics  Thomas Schwarz, S.J. 2006.

Email Investigations: Overview
- Email has become a primary means of communication.
- Email can easily be forged.
- Email can be abused: spam, as an aid in committing a crime, threatening email, …

Email Investigations: Overview
Email evidence:
- Is in the email itself: header, contents.
- Is in logs, left behind as the email travels from sender to recipient.
Law enforcement uses subpoenas to follow the trace. System admins have some logs under their control.
Notice: All email faking that you will be learning can be easily traced.

Email Fundamentals
- Email travels from the originating computer to the receiving computer through email servers.
- All servers add to the header.
- Use important internet services to interpret and verify the data in a header.

Email Fundamentals
Typical path of an email message: Client → Mail Server → Client

Internet Basics
- IP Address – IPv4
- IP Address – IPv6
- IP Address Types
- Hostnames & DNS
- Routing
- Resources

Internet Basics: IP Address – IPv4
- Dominant standard for addressing
- 32 bit address space: 4 bytes, i.e. 2^32 or 4.3B addresses
- Typical representation is 4 octets (dotted decimal)
- Ranges from 0.0.0.0 to 255.255.255.255
- E.g. – integer representation is 3,518,986,822
- Almost a 30 year old standard
- >90% of all IPv4 addresses allocated

Internet Basics: IP Address – IPv6
- Next generation of Internet addressing
- 128 bit address space: 16 bytes, i.e. 2^128 or about 3.4 × 10^38 addresses (340,000,000,000,000,000,000,000,000,000,000,000,000)
- Represented as 8 hexadecimal numbers
- Ranges from 0:0:0:0:0:0:0:0 to FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
- Examples (with shorthand notation): 2001:db8:1f70::999:de8:7648:6e8, FF3E:40:2001:dead:beef:cafe:1234:
- Years of deployment, but still maturing

Internet Basics: IP Address Types
Public / Private
- Some addresses are public or externally visible; others are private or internal to an organization.
- RFC 3330 defines these ranges and their purpose.
- The most commonly seen “private” addresses: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, 192.168.0.0 – 192.168.255.255
- Private addresses are unroutable externally.
Proxies: anonymizers, satellites, international and regional.

Internet Basics: IP Address Types (cont)
Static / Dynamic addresses
- Some IP addresses are statically assigned to a single computer, typically infrastructure and/or servers.
- Some are shared by multiple computers using NAT or DHCP within a local organization.
- Many organizations use Network Address Translation (NAT). NAT boxes present a single externally visible IP address; an incoming packet is examined and routed according to the source address and port number, then forwarded to an internal, private IP address.
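The representations and address types from the IPv4, IPv6 and address-type slides, worked through in Python. This is an added example, not part of the original slides; it uses only the standard ipaddress module. The sample addresses are constructed from the RFC 5737 documentation ranges, and the "internal" check uses the RFC 1918 ranges plus IPv6 unique-local and link-local space, which is what an investigator has to treat as unverifiable from outside.

```python
"""Added example (not from the slides): IP address representations and types."""
import ipaddress

# RFC 1918 IPv4 private ranges and the IPv6 unique-local range. These are not
# routable on the public Internet, so a Received: line carrying one of them
# documents an internal hop that outside services (whois, DNS) cannot verify.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def ipv4_to_int(addr: str) -> int:
    """Dotted-quad IPv4 -> the 32-bit 'integer representation' some tools log."""
    return int(ipaddress.IPv4Address(addr))


def int_to_ipv4(value: int) -> str:
    """Inverse of ipv4_to_int."""
    return str(ipaddress.IPv4Address(value))


def ipv6_expand(addr: str) -> str:
    """Expand '::' shorthand to all eight 4-digit groups, e.g. for log searches."""
    return ipaddress.IPv6Address(addr).exploded


def ipv6_compress(addr: str) -> str:
    """Canonical (RFC 5952) shorthand. Note: a single zero group is written as
    ':0:' rather than '::', so this can differ from a hand-written form."""
    return ipaddress.IPv6Address(addr).compressed


def classify(addr: str) -> str:
    """'loopback', 'internal' (not externally routable) or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local or any(ip in net for net in INTERNAL_NETWORKS):
        return "internal"
    return "public"


if __name__ == "__main__":
    # constructed sample addresses (documentation and private ranges)
    for a in ("192.0.2.10", "10.1.2.3", "172.20.0.1", "127.0.0.1", "fd00::1"):
        print(f"{a:>14}  {classify(a)}")
    print(ipv4_to_int("192.0.2.10"))            # 3221225994
    print(ipv6_expand("2001:db8:1f70::999:de8:7648:6e8"))
```

The compress function is deliberately included because the slide's shorthand example uses "::" for a single zero group; tools that normalise addresses will print it as ":0:", so search logs for the expanded form rather than for the shorthand you copied from a header.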

Internet Basics: Hostnames & DNS
- DNS is the Domain Name System.
- Translates between human friendly host/domain names (e.g. www.yahoo.com) and machine friendly IP addresses.
- Forward DNS lookup: “dig www.yahoo.com” or “nslookup www.yahoo.com”
- Reverse DNS lookup: “dig -x <IP address>” or “nslookup <IP address>”

Internet Basics: Hostnames & DNS
DNS Overview
- Conceptually a cached hierarchy of host/domain name assignments and IP addresses.
- Each node is a name server.
- Requests originate local to the user and escalate “up” only as far as necessary, then “down” as soon as possible (tree traversal).
- DNS root servers are at the “top”.

Internet Basics: Hostnames & DNS
DNS Overview (continued)
- Searches start with the local “hosts” file; missing or stale entries escalate up.
- The local name server is the first stop, then usually the local ISP’s, up through to the root name servers as necessary.
- Once an authoritative, responsible name server is found, the search is downward focused until the specific machine name/address is found.

Internet Basics: Hostnames & DNS
DNS Overview (continued)
- Complete escalation is usually not required, as caching is extensively used.
- The local “hosts” file can be altered:
  - It can be used to block pop-ups and bad websites; e.g. Spybot uses this as a preventative technique.
  - Malware can use this “feature” as well.
- Local name servers can/could be injected with malicious data; see the “Hillary for Senate” case.
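Because the hosts file is consulted before any name server, an investigator checking a workstation should read it for both uses the slide names: harmless blocking entries (a name pinned to loopback or 0.0.0.0) and malicious redirects (a name pinned to a routable address, which silently bypasses DNS). The following is an added example, not from the slides, with a constructed hosts file inline; the file format and the loopback/unspecified checks are standard, the names and addresses are invented.

```python
"""Added example (not from the slides): audit a hosts file for tampering."""
import ipaddress

# Constructed sample hosts file. The blocking entries show the technique the
# slides mention (name pinned to loopback or 0.0.0.0); the last entry is what
# malware does (name pointed at a routable address, bypassing DNS).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# blocking entries (constructed)
127.0.0.1       ads.example.net  tracker.example.net
0.0.0.0         popups.example.org
# tampering (constructed): a bank's name pinned to a non-local address
198.51.100.7    www.bank.example   online.bank.example
"""

LOCAL_NAMES = {"localhost", "ip6-localhost", "localhost.localdomain"}


def parse_hosts(text: str):
    """Yield (ip, name) pairs, ignoring comments, blanks and unparsable lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed address field
        for name in fields[1:]:
            yield str(ip), name.lower()


def audit_hosts(text: str) -> dict:
    """Split entries into 'blocks' (sinkholes to loopback/0.0.0.0) and
    'redirects' (a name resolving locally to a real address)."""
    blocks, redirects = [], []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue                              # the normal localhost lines
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            blocks.append((name, ip))
        else:
            redirects.append((name, ip))
    return {"blocks": blocks, "redirects": redirects}


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for name, ip in result["redirects"]:
        print(f"SUSPICIOUS: {name} -> {ip} (resolved from hosts file, not DNS)")
    print(f"{len(result['blocks'])} blocking entries")
```

On a real machine, point the parser at /etc/hosts (or %SystemRoot%\System32\drivers\etc\hosts on Windows) and compare any redirect against what public DNS returns for the same name; a mismatch is the kind of discrepancy the slides tell you to look for.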

Internet Basics: Resources
Internet Assigned Numbers Authority (IANA)
- Responsible for the global coordination of the DNS root, IP addressing, and other Internet protocol resources.
- Managed resources include port numbers, Autonomous System Numbers, and Top Level Domains (TLDs).

Internet Basics: Resources (cont)
Regional Internet Registries: five regions
- APNIC – Asia and the Pacific region
- ARIN – North America (the first registry, legacy entries)
- LACNIC – Latin America and the Caribbean
- RIPE – Europe
- AfriNIC – Africa
Each regionally allocates IP addresses to organizations, and each provides IP address “whois” services, i.e. who is responsible for an IP address.

Internet Basics: Resources (cont)
- IP address top level allocations and registry assignments: whois
- Regional Internet registries: the definitive source
- DNSStuff: an alternative
- whois provides owner, location, and contact info
- Geolocation: Maxmind

Internet Basics: Resources (cont)
Hostname lookups
- dig, replacing nslookup: “dig <hostname>”, “dig -x <IP address>” (reverse lookup)
- “traceroute” (tracert on Windows): great for verifying general location and possible affiliations. Web versions are available from around the world.

Email Fundamentals: Important Services
- Domain Name System (DNS) translates between domain names and IP addresses.
- MX records in the DNS database specify the host’s or domain’s mail exchanger (http://en.wikipedia.org/wiki/MX_record).
- A domain can have multiple MX records, each with a priority attached: email to the domain will then be sent to the host with the lowest priority value; if that site is down, it will be sent to the next one. The mailer at both sites also needs to be set up to accept the messages. Example:
    MX 10    cse
    MX 100   mailhost.soe.uscs.edu

Email Protocols
- A mail server stores incoming mail and distributes it to the appropriate mailbox.
- Behavior afterwards depends on the type of protocol.
- Accordingly, the investigation needs to be done at the server or at the workstation.

Email Protocols
- Email programs such as Outlook or Groupwise are client applications. They need to interact with an email server via: Post Office Protocol (POP), Internet Message Access Protocol (IMAP), or Microsoft’s Mail API (MAPI).
- Web-based email uses a web page as an interface to an email server.

Email Protocols

| Service | Protocol | Characteristics |
|---|---|---|
| Post Office: stores only incoming messages. | POP | Investigation must be at the workstation. |
| Stores all messages. | IMAP, MS’ MAPI, Lotus Notes | Copies of incoming and outgoing messages might be stored on the workstation or on the server or on both. |
| Web-based send and receive. | HTTP | Incoming and outgoing messages are stored on the server, but there might be archived or copied messages on the workstation. Easy to spoof identity. |

Email Protocols: SMTP
- Neither IMAP nor POP is involved in relaying messages between servers.
- Simple Mail Transfer Protocol (SMTP): easy; has several additions (extensions).
- Can be spoofed: by using an unsecured or under-secured server, or by setting up your own SMTP server.

Email Protocols: SMTP How to spoof

    telnet endor.engr.scu.edu
    endor.engr.scu.edu ESMTP Sendmail /8.13.5; Wed, 28 Dec :58:
    helo server8.engr.scu.edu
    Hello dhcp engr.scu.edu [ ], pleased to meet you
    mail from:
    Sender ok
    rcpt to:
    Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    This is a spoofed message
    .
    jBSMwnTd Message accepted for delivery
    quit
    endor.engr.scu.edu closing connection

Email Protocols: SMTP
The message as received:

    Return-path:
    Received: from MGW2.scu.edu [ ] by gwcl-22.scu.edu; Wed, 28 Dec :00:
    Received: from endor.engr.scu.edu (unverified [ ]) by MGW2.scu.edu (Vircom SMTPRS ) with ESMTP id for ; Wed, 28 Dec :00:
    X-Modus-BlackList:
    X-Modus-Trusted: =NO
    Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [ ]) by endor.engr.scu.edu (8.13.5/8.13.5) with SMTP id jBSMwnTd for ; Wed, 28 Dec :00:
    Date: Wed, 28 Dec :58:
    From: JoAnne Holliday
    Message-Id:

    this is a spoofed message.

This looks very convincing. The only hint: the Received line gives the name of my machine. If I were to use a machine without a fixed IP, then you can determine the DHCP address from the DHCP logs.

Email Protocols: SMTP How to spoof
- Endor will only relay messages from machines that have properly authenticated themselves within the last five minutes.
- Subject lines etc. are part of the data segment. However, any misspelling of a header name will put that line into the body of the message.

Email Protocols: SMTP How to spoof

    telnet endor.engr.scu.edu
    endor.engr.scu.edu ESMTP Sendmail /8.13.5; Wed, 28 Dec :36:
    mail from:
    Sender ok
    rcpt to:
    Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    Date: 23 Dec 05 11:22:33
    From:
    To:
    Subject: Congrats

    You are hereby appointed the next president of Santa Clara University, effective immediately.
    Best, Paul
    .
    jBSNaDlu Message accepted for delivery
    quit

Email Protocols: SMTP How to spoof (Unix)
Use sendmail:

    % /usr/lib/sendmail -t -f <sender address> < <message file>

(-t takes the recipients from the To:, Cc: and Bcc: header lines of the file; -f sets the envelope sender.)

Email Protocols: SMTP
Things are even easier with Windows XP:
- Turn on the SMTP service that each WinXP machine runs.
- Create a file that follows the SMTP protocol.
- Place the file in Inetpub/mailroot/Pickup.

Email Protocols: SMTP
The pickup file:

    To:
    From:

    This is a spoofed message.

The message as delivered:

    From  Tue Dec 23 17:25:
    Return-Path:
    Received: from Xavier (dhcp engr.scu.edu [ ]) by server4.engr.scu.edu ( / ) with ESMTP id hBO1Plpv for ; Tue, 23 Dec :25:
    Received: from mail pickup service by Xavier with Microsoft SMTPSVC; Tue, 23 Dec :25:
    To:
    From:
    Message-ID:
    X-OriginalArrivalTime: 24 Dec :25: (UTC) FILETIME=[D3B56160:01C3C9BC]
    Date: 23 Dec :25:
    X-Spam-Checker-Version: SpamAssassin 2.60-rc3 ( exp) on server4.engr.scu.edu
    X-Spam-Level:
    X-Spam-Status: No, hits=0.3 required=5.0 tests=NO_REAL_NAME autolearn=no version=2.60-rc3

    This is a spoofed message.

Email Protocols: SMTP
SMTP headers:
- Each mail server adds to the headers.
- Additions are made at the top of the list. Therefore, read the header from the bottom.
- To read headers, you usually have to enable them in your mail client.

SMTP Headers
To enable headers:
- Eudora: use the “Blah Blah Blah” button.
- Hotmail: Options → Preferences → Message Headers.
- Juno: Options → Show Headers.
- MS Outlook: select the message and go to Options.
- Yahoo!: Mail Options → General Preferences → Show all headers.
- Groupwise: the message itself is “attached” to each email; you need to look at it.

SMTP Headers
Headers consist of header fields:
- Originator fields: From, Sender, Reply-To
- Destination address fields: To, Cc, Bcc
- Identification fields: the Message-ID field is optional, but extremely important for tracing emails through server logs.
- Informational fields: Subject, Comments, Keywords
- Resent fields: strictly speaking optional, but luckily most servers add them. Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc, Resent-Bcc, Resent-Message-ID

SMTP Headers
Trace fields: the core of tracing. Regulated in RFC 2821: when an SMTP server receives a message for delivery or forwarding, it MUST insert trace information at the beginning of the header.

SMTP Headers
From RFC 2821: The FROM field, which must be supplied in an SMTP environment, should contain both (1) the name of the source host as presented in the EHLO command and (2) an address literal containing the IP address of the source, determined from the TCP connection. The ID field may contain an “@” as suggested in RFC 822, but this is not required. The FOR field MAY contain a list of entries when multiple RCPT commands have been given. A server making a final delivery inserts a Return-Path line.

SMTP Headers: Spotting spoofed messages
- The contents usually give a hint.
- Each SMTP server application adds a different set of headers or structures them in a different way. A good investigator knows these formats.
- Use internet services in order to verify header data. However, some companies outsource their mail handling or use internal IP addresses.
- Look for breaks / discrepancies in the “Received” lines.

SMTP Headers: Investigation of spoofed messages
- Verify all IP addresses, keeping in mind that some addresses might be internal addresses.
- Make a time-line of events. Convert times to universal standard time (UTC). Look for strange behavior. Keep clock drift in mind.
Additional info:
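The header-reading procedure of the last few slides (read Received lines from the bottom, verify the host names and IPs in each, convert every timestamp to UTC, and look for breaks between consecutive hops and for time running backwards) as a script. This is an added example, not from the slides; it uses only Python's standard email, re and ipaddress modules. The message is a constructed sample modelled on the relay chain shown earlier (workstation, engineering MTA, campus gateway, groupware server): all host names, addresses (RFC 5737 and RFC 1918 ranges), ids and times are invented, and the origin hop's clock is deliberately set fast so the drift check fires.

```python
"""Added example (not from the slides): trace the Received: chain of a message."""
import re
import ipaddress
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample. The bottom (oldest) Received: line was written by an
# MTA whose clock is ~90 s ahead of the gateway that took the message next.
SAMPLE_MESSAGE = """\
Return-Path: <president@example.edu>
Received: from mx.example.edu [192.0.2.20]
 by groupware.example.edu; Wed, 28 Dec 2005 15:00:41 -0800
Received: from mta.engr.example.edu (unverified [192.0.2.10])
 by mx.example.edu with ESMTP id ABC123 for <victim@example.edu>;
 Wed, 28 Dec 2005 15:00:40 -0800
Received: from lab-pc.engr.example.edu (lab-pc.engr.example.edu [10.1.2.3])
 by mta.engr.example.edu (8.13.5/8.13.5) with SMTP id jBSMwnTd012345
 for <victim@example.edu>; Wed, 28 Dec 2005 15:02:12 -0800
Date: Wed, 28 Dec 2005 14:58:00 -0800
From: The President <president@example.edu>
To: victim@example.edu
Subject: Congrats
Message-Id: <200512282258.jBSMwnTd012345@mta.engr.example.edu>

this is a spoofed message.
"""

# RFC 1918 + IPv6 unique-local: hops in these ranges cannot be verified with whois.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# RFC 2821 trace syntax: "from <helo-name> (<rdns> [<ip>]) by <server> ...; <date>"
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+).*?\bby\s+(?P<by>[^\s;]+)")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_received(value: str) -> dict:
    """Pull host names, source IP and a UTC timestamp out of one Received: value."""
    value = " ".join(value.split())               # unfold continuation lines
    m = RECEIVED_RE.search(value)
    ip_m = IP_RE.search(value)
    when = None
    if ";" in value:                              # the date follows the last ';'
        try:
            when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
            when = when.astimezone(timezone.utc)
        except (TypeError, ValueError):
            when = None                           # unparsable date: keep the hop anyway
    return {
        "helo": m["helo"] if m else None,
        "by": m["by"] if m else None,
        "ip": ip_m.group(1) if ip_m else None,
        "time": when,
        "unverified": "unverified" in value.lower(),
    }


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETWORKS)


def trace(raw_message: str):
    """Return (hops ordered origin -> delivery, findings worth investigating)."""
    msg = message_from_string(raw_message)
    # Each server prepends its line, so the LAST Received: header is the origin hop.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    findings = []
    for i, hop in enumerate(hops, 1):
        if hop["ip"] and is_internal(hop["ip"]):
            findings.append(f"hop {i}: {hop['ip']} is internal; verify it from the owner's DHCP/NAT logs, not whois")
        if hop["unverified"]:
            findings.append(f"hop {i}: receiving server could not verify the claimed name {hop['helo']!r}")
        if i < len(hops):
            nxt = hops[i]
            if hop["by"] and nxt["helo"] and hop["by"].lower() != nxt["helo"].lower():
                findings.append(f"hop {i}->{i + 1}: chain break, {hop['by']!r} handed off but next line claims from {nxt['helo']!r}")
            if hop["time"] and nxt["time"] and nxt["time"] < hop["time"]:
                back = (hop["time"] - nxt["time"]).total_seconds()
                findings.append(f"hop {i}->{i + 1}: time goes backwards by {back:.0f}s (clock drift or forged line)")
    return hops, findings


if __name__ == "__main__":
    hops, findings = trace(SAMPLE_MESSAGE)
    for i, h in enumerate(hops, 1):               # the timeline, oldest first, in UTC
        print(f"{i}. {h['time']:%Y-%m-%d %H:%M:%S}Z  {h['helo']} [{h['ip']}] -> {h['by']}")
    for f in findings:
        print("!", f)
```

A chain break is not proof of forgery by itself (a gateway may rewrite names, and the slides note that outsourced or internal relays look odd), and a backwards timestamp of a minute or two is usually drift rather than fabrication; the value of the script is that it puts every hop on one UTC timeline so those judgements are made against the whole chain rather than one line.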

Email Server Logs
Email logs usually identify messages by:
- Account
- Received IP address, i.e. the address from which they were sent
- Time and date (beware of clock drift)
- IP addresses

Email Server Logs
Sample log entry at endor:

    Dec 31 18:26:15 endor sendmail[30597]: k012OV1i030597: size=147, class=0, nrcpts=1, msgid=, proto=SMTP, daemon=MTA, relay=c hsd1.il.comcast.net [ ]
    Dec 31 18:26:15 endor spamd[28512]: spamd: connection from localhost [ ] at port
    Dec 31 18:26:15 endor spamd[28512]: spamd: setuid to tschwarz succeeded
    Dec 31 18:26:15 endor spamd[28512]: spamd: processing message for tschwarz:1875
    Dec 31 18:26:15 endor spamd[28512]: spamd: clean message (4.6/5.0) for tschwarz:1875 in 0.2 seconds, 525 bytes.
    Dec 31 18:26:15 endor spamd[28512]: spamd: result: . 4 - MSGID_FROM_MTA_ID,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL scantime=0.2,size=525,user=tschwarz,uid=1875,required_score=5.0,rhost=localhost,raddr= ,rport=42865,mid=,autolearn=no
    Dec 31 18:26:15 endor spamd[21352]: prefork: child states: II
    Dec 31 18:26:15 endor sendmail[30726]: k012OV1i030597: delay=00:01:02, xdelay=00:00:00, mailer=local, pri=30464, dsn=2.0.0, stat=Sent
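In the sample above, the two sendmail lines that belong to one message share the queue id (k012OV1i030597), while the spamd lines in between do not; the receiving line carries the relay host and IP, the delivery line the final status. The script below groups a log by queue id so that the Message-ID taken from a header can be turned into the sender's IP and delivery time. It is an added example, not from the slides, and reads a constructed log in the same syslog/sendmail format; queue ids, addresses, host names and the spamd line are invented.

```python
"""Added example (not from the slides): correlate sendmail log lines by queue id."""
import re
from collections import defaultdict

# Constructed sample in the syslog + sendmail format shown on the slide.
SAMPLE_LOG = """\
Dec 31 18:25:13 mailhost sendmail[30597]: k1ABCdef030597: from=<joe@example.org>, size=147, class=0, nrcpts=1, msgid=<20051231.1234@example.org>, proto=SMTP, daemon=MTA, relay=c-203-0-113-5.hsd1.example.net [203.0.113.5]
Dec 31 18:26:15 mailhost spamd[28512]: spamd: clean message (4.6/5.0) for alice:1875 in 0.2 seconds, 525 bytes.
Dec 31 18:26:15 mailhost sendmail[30726]: k1ABCdef030597: to=<alice@mailhost.example.edu>, delay=00:01:02, xdelay=00:00:00, mailer=local, pri=30464, dsn=2.0.0, stat=Sent
Dec 31 18:30:02 mailhost sendmail[30801]: k1GHIjkl030801: from=<bob@example.net>, size=980, class=0, nrcpts=2, msgid=<abc@example.net>, proto=ESMTP, daemon=MTA, relay=[198.51.100.9]
Dec 31 18:30:03 mailhost sendmail[30802]: k1GHIjkl030801: to=<alice@mailhost.example.edu>,<carol@mailhost.example.edu>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=31000, dsn=2.0.0, stat=Sent
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<rest>.*)$")
QUEUE_RE = re.compile(r"^(?P<qid>[A-Za-z0-9]{8,}): (?P<kv>.*)$")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_kv(text: str) -> dict:
    """Split 'k=v, k=v' pairs; relay= is last, so its embedded space survives."""
    out = {}
    for part in text.split(", "):
        key, _, val = part.partition("=")
        out[key.strip()] = val.strip()
    return out


def correlate(log_text: str) -> dict:
    """Group sendmail lines by queue id into one record per message."""
    records = defaultdict(lambda: {"from": None, "to": [], "msgid": None,
                                   "relay": None, "relay_ip": None, "stat": None,
                                   "first_seen": None, "last_seen": None})
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m["prog"] != "sendmail":
            continue                                  # spamd etc. carry no queue id
        q = QUEUE_RE.match(m["rest"])
        if not q:
            continue
        rec = records[q["qid"]]
        rec["first_seen"] = rec["first_seen"] or m["ts"]
        rec["last_seen"] = m["ts"]
        kv = parse_kv(q["kv"])
        if "from" in kv:                              # the receiving (envelope) line
            rec["from"] = kv["from"].strip("<>")
            rec["msgid"] = kv.get("msgid")
            rec["relay"] = kv.get("relay")
            ip = IP_RE.search(kv.get("relay", ""))
            rec["relay_ip"] = ip.group(1) if ip else None
        if "to" in kv:                                # a delivery line, one per recipient set
            rec["to"].extend(a.strip("<>") for a in kv["to"].split(","))
            rec["stat"] = kv.get("stat")
    return dict(records)


def find_by_msgid(records: dict, msgid: str):
    """Message-ID from a header -> queue id, the key that ties the log lines together."""
    return next((qid for qid, r in records.items() if r["msgid"] == msgid), None)


if __name__ == "__main__":
    recs = correlate(SAMPLE_LOG)
    qid = find_by_msgid(recs, "<20051231.1234@example.org>")
    print(qid, recs[qid])
```

The syslog timestamps carry no year and no time zone, so when the records are merged into the header timeline they have to be interpreted in the server's local zone and converted to UTC, and the server's own clock drift applies to every line it wrote.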

Email Server Logs
- Many servers keep copies of emails.
- Most servers purge logs.
- Law enforcement: the vast majority of companies are very cooperative. Don’t wait for the subpoena; instead give the system administrator a heads-up of a coming subpoena.
- Company: the local sys-admin needs early warning.
- Getting logs at other places can be dicey.

Unix Sendmail
- The configuration files /etc/sendmail.cf and /etc/syslog.conf give the location of the various logs and their rules.
- maillog (often at /var/log/maillog) logs SMTP communications and POP3 events.
- You can always use “locate *.log” to find log files.

Techniques
Investigating email for forgery: evidentiary material is
- directly in the header
- indirectly in the formatting of headers
- in timestamps
Header trace resource:

Techniques: Header Investigation
- Look up all host names and IP addresses.
- Check for inconsistencies; be aware of internal IP addresses and of web hosting companies.
- Generate a timeline; be aware of clock drift, delays, and time zone differences.