Technical Awareness on Analysis of Email Headers
Agenda
- Email Headers – A Basic Introduction
- Viewing Headers in Web-Based Services
- Viewing Headers in Desktop-Based Client Applications
- Common Fields Available in Headers – A Brief Overview
- How Mail Works on the Internet
- Investigating an Email Header – Expert Analysis
What is an Email Header? Email headers are lines of metadata (data about data) attached to each email. They contain a great deal of information that is useful to a forensic investigator.
Web-Based Services
Web-based email allows a user to manage email through a web browser and to send or receive it from anywhere. The email is not downloaded to a computer; it is left on the mail server until the user deletes it. Examples of web-based client applications are:
- Gmail
- Yahoo! Mail
- Hotmail
- Google Apps
- Google Apps Admin
- Live Exchange
- Office 365
- IMAP
Gmail
1. Log in to your Gmail account.
2. Open the message you want to view headers for.
3. Click the Down arrow next to the Reply button, located at the top right of the message pane.
4. Select Show Original.
Desktop-Based Services
Desktop-based clients are mail applications that let users manage their accounts and perform operations such as sending and receiving emails, managing tasks and calendar items, and much more. Examples of desktop-based client applications are:
- Microsoft Outlook
- Outlook Express
- Mozilla Thunderbird
- The Bat
- Pocomail
- Lotus Notes
- Mailbird
- Postbox
Microsoft Outlook
1. Open Outlook.
2. Open a message.
3. On the Message tab, located in the Tag group, click the Dialog Box Launcher icon.
4. In the Message Options dialog box, the headers will appear in the Internet Headers box.
Investigating an Email Header – Expert Analysis
Delivered-To: This field of the header shows the address of the automailer.
Return-Path: This field is used for bounces. The mail server will send a message to the specified address if the message cannot be delivered.
Received-SPF: Sender Policy Framework is used to describe which mail servers are allowed to send messages for a domain.
From: Displays the name of the sender. However, this information can be easily forged and is therefore the least reliable field.
To: Displays the name of the receiver.
Subject: Represents the subject of the message.
Date: Shows the date and time at which the message was composed.
Message-ID: Every email should have a Message-ID field that "provides a unique message identifier that refers to a particular version of a particular message."
MIME-Version: Multipurpose Internet Mail Extensions is an Internet standard that extends the format of email messages.
Content-Type: Shows the format of the message, such as HTML, plain text or XML.
X-Mailer: The client used to send the message.
Content-Language: Specifies the language used for the content of the page.
X-Antivirus: States which antivirus program the sender uses, such as Norton, AVG, etc.
X-Antivirus-Status: Shows whether or not the email was found to be free of viruses.
Received
Received is the most essential field of the header. It creates a list of all the mail servers through which the message traveled in order to reach the receiver. The best way to read the Received fields is from bottom to top. The bottom “Received” shows the IP address of the sender’s mail server. The top “Received” shows the IP address of the receiver’s mail server. The middle “Received” lines show the IP addresses of the mail servers through which the email passes on its way from sender to receiver.
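The following script is an added example written for this page (it is not code from the original slides or from any tool they mention). It ties together the field overview above and the bottom-to-top reading of the Received chain: it parses a constructed header block with Python's standard email module, lists the hops in transit order with the IP address each server recorded, computes the total transit time, and cross-checks the easily forged From: against Return-Path and Received-SPF. The header block, host names and IP addresses are all constructed for illustration; the regular expressions that pick the "from ... by ..." clause and the bracketed IP out of a Received line are this example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample header block (not taken from the page). A receiving
# server prepends its Received line, so the newest hop is listed first.
SAMPLE_RAW = """\
Delivered-To: analyst@example.net
Return-Path: <bounce@sender.example>
Received: from mx2.example.net (mx2.example.net [198.51.100.20])
        by mail.example.net with ESMTP id abc123
        for <analyst@example.net>; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay.sender.example (relay.sender.example [203.0.113.10])
        by mx2.example.net with ESMTPS id xyz789;
        Mon, 1 Jan 2024 10:00:03 +0000
Received: from client-pc (unknown [192.0.2.55])
        by relay.sender.example with ESMTPA id def456;
        Mon, 1 Jan 2024 10:00:01 +0000
Received-SPF: pass (mx2.example.net: domain of sender.example designates 203.0.113.10 as permitted sender)
From: "Alice" <alice@sender.example>
To: analyst@example.net
Subject: Quarterly report
Date: Mon, 1 Jan 2024 10:00:00 +0000
Message-ID: <20240101100000.1234@sender.example>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
X-Mailer: ExampleMailer 1.0

Body text is irrelevant for header analysis.
"""

# Assumed patterns for the "from <host> (<info>) by <host>" clause and the
# bracketed IPv4 literal that the receiving server writes into the line.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_headers(raw):
    """Parse a raw message; the stdlib parser copes with folded header lines."""
    return message_from_string(raw)


def received_hops(msg):
    """Return the Received headers in transit order (sender first).

    The header block lists the newest hop first, so reading it bottom-to-top,
    as recommended above, means reversing the list.
    """
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        ip = IP_RE.search(flat)
        stamp = flat.rsplit(";", 1)[-1].strip()  # timestamp follows the last ';'
        hops.append({
            "from": m.group(1) if m else None,
            "from_ip": ip.group(1) if ip else None,
            "by": m.group(3) if m else None,
            "time": parsedate_to_datetime(stamp),
        })
    return hops


def transit_seconds(hops):
    """Seconds between the first and last hop; large gaps point at a stalled relay."""
    return int((hops[-1]["time"] - hops[0]["time"]).total_seconds())


def sender_consistency(msg):
    """Cross-check the forgeable From: against the envelope-level fields."""
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    spf = msg.get("Received-SPF", "")
    from_domain = from_addr.rpartition("@")[2].lower()
    return_domain = return_path.rpartition("@")[2].lower()
    return {
        "from_domain": from_domain,
        "return_path_domain": return_domain,
        "spf": spf.split()[0].lower() if spf else "none",
        # A mismatch is not proof of forgery (mailing lists and bounce
        # handlers rewrite Return-Path) but it is the first thing to inspect.
        "domain_mismatch": from_domain != return_domain,
        "has_message_id": bool(msg.get("Message-ID")),
    }


if __name__ == "__main__":
    message = parse_headers(SAMPLE_RAW)
    hops = received_hops(message)
    for i, hop in enumerate(hops, 1):
        print(f"hop {i}: {hop['from']} [{hop['from_ip']}] -> {hop['by']} at {hop['time']}")
    print("transit seconds:", transit_seconds(hops))
    print(sender_consistency(message))
```

Run on a saved "Show Original" or Internet Headers dump instead of SAMPLE_RAW to get the same hop listing; the first hop's from_ip is the sender-side address the slides describe as the bottom Received line, and the last hop's by host is the receiving server.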
Message Header View using MailXaminer
Program in Python

import re

# Assumed pattern for an email address: the slide's search call was cut off
# in extraction, so this expression is supplied to make the script runnable.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

s = open("file.txt", "r")           # opens the file to analyze
results = open("results.txt", "w")  # creates new file for search results
resultsList = []

for line in s:
    if "From: " in line:
        address = EMAIL_RE.findall(line)
        if address:
            for person in address:
                resultsList.append(person)
                resultsList.append(";")
            resultsList.append("\n")
    if "To: " in line:
        if "Delivered-To:" not in line:  # avoids confusion with 'Delivered-To:' tag
            address = EMAIL_RE.findall(line)
            if address:
                for person in address:
                    resultsList.append(person)
                    resultsList.append(";")
                resultsList.append("\n")

for result in resultsList:
    results.writelines(result)
s.close()
results.close()