
1 91.580.203 Computer & Network Forensics Xinwen Fu Chapter 13 E-mail Investigations

2 CS@UML Outline
- Introduction to e-mail investigation
- Tracing e-mail senders

3 Email

4 E-mail Crimes and Violations
- Spam e-mail is becoming commonplace; whether it is legal depends on the city, state or country, so always consult an attorney
- Crimes that involve e-mail: narcotics trafficking, extortion, sexual harassment

5 Investigating E-mail Crimes and Violations
- Similar to other types of investigation
- Goals: find who is behind the crime, collect the evidence, present your findings, build a case

6 Examining E-mail Messages
- Access the victim's computer and retrieve the evidence
- Investigate the victim's e-mail: find and copy the evidence in the e-mail, access protected or encrypted material, print the e-mails, and open and copy each e-mail including its full headers
- Sometimes you will have to recover deleted e-mails

7 Outline
- Introduction to e-mail investigation
- Tracing e-mail senders

8 Tracing Normal Emails
- Naming conventions. Corporate: john.smith@somecompany.com; everything after the @ is the domain name
- Tracing corporate e-mail is easier, because the domain identifies the organisation that runs the mail server

9 Tracing Emails from Public Email Servers
- Can you send seemingly anonymous e-mail from a public e-mail account such as Yahoo or Hotmail? Public: whatever@hotmail.com

10 Tracing by Viewing E-mail Headers
- Learn how to display the full headers in GUI clients, command-line clients and web-based clients
- Headers contain useful information: unique identifying numbers (Message-ID and the queue IDs of each relay), sending time, the IP address of each sending mail server, and often the IP address of the e-mail client

11 SMTP (Simple Mail Transfer Protocol)
- Every mail server that handles the message prepends its own Received: header, so the newest header sits at the top of the message
- Reading downwards therefore walks backwards along the path: the top Received: line is the last hop (the recipient's server) and the bottom-most Received: line is the hop closest to the sender
- Only the Received: lines added by servers you trust are reliable; anything below the first untrusted hop could have been written by the sender
(Figure: Bob's message passes through SMTP server 1, server 2 and server 3 on its way to Alice)

12 Trace back to a naive spammer

From doris_ben01@hotmail.com Wed Sep 14 13:30:34 2005
Received: from smtp-relay.tamu.edu (smtp-relay.tamu.edu [165.91.143.199])
    by pine.cs.tamu.edu (8.12.9/8.12.9) with ESMTP id j8EIUUSt013552;
    Wed, 14 Sep 2005 13:30:30 -0500 (CDT)
Received: from hotmail.com (bay22-f12.bay22.hotmail.com [64.4.16.62])
    by smtp-relay.tamu.edu (8.13.3/8.13.3/oc) with ESMTP id j8EIUa3V052539;
    Wed, 14 Sep 2005 13:30:37 -0500 (CDT)
    (envelope-from doris_ben01@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Wed, 14 Sep 2005 11:30:22 -0700
Message-ID:
Received: from 212.100.250.207 by by22fd.bay22.hotmail.msn.com with HTTP;
    Wed, 14 Sep 2005 18:30:22 GMT
X-Originating-IP: [212.100.250.207]
X-Originating-Email: [doris_ben01@hotmail.com]
X-Sender: doris_ben01@hotmail.com
From: "Doris Benson" <doris_ben01@hotmail.com>
Bcc:
Subject: REPLY NEEDED
Date: Wed, 14 Sep 2005 14:30:22 -0400
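The walk described on the two slides above, implemented as an added example (not code from the course or its slides). It takes the Hotmail header shown here, rebuilt inline with its line folding restored and the empty Message-ID and Bcc lines dropped, unfolds every Received: line with the standard-library email parser, reverses the list so hop 1 is the sender side, then recovers the earliest IP in the chain, compares it with X-Originating-IP, and flags two things an analyst checks before trusting a chain: whether each server's "by" name is what the next server saw in "from", and whether the time stamps run forward. The field names (frm, rdns, ip, by, time) and the wording of the findings are this example's own choices.

```python
"""Walk the Received: chain of a raw e-mail header, recover the originating IP
and sanity-check the chain (hop continuity, clock order, X-Originating-IP).
Added example for the e-mail tracing slides; not code from the course."""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the Hotmail header from the slide above, folding restored.
SAMPLE_HEADER = """\
Received: from smtp-relay.tamu.edu (smtp-relay.tamu.edu [165.91.143.199])
\tby pine.cs.tamu.edu (8.12.9/8.12.9) with ESMTP id j8EIUUSt013552;
\tWed, 14 Sep 2005 13:30:30 -0500 (CDT)
Received: from hotmail.com (bay22-f12.bay22.hotmail.com [64.4.16.62])
\tby smtp-relay.tamu.edu (8.13.3/8.13.3/oc) with ESMTP id j8EIUa3V052539;
\tWed, 14 Sep 2005 13:30:37 -0500 (CDT)
\t(envelope-from doris_ben01@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
\tWed, 14 Sep 2005 11:30:22 -0700
Received: from 212.100.250.207 by by22fd.bay22.hotmail.msn.com with HTTP;
\tWed, 14 Sep 2005 18:30:22 GMT
X-Originating-IP: [212.100.250.207]
X-Originating-Email: [doris_ben01@hotmail.com]
From: "Doris Benson" <doris_ben01@hotmail.com>
Subject: REPLY NEEDED
Date: Wed, 14 Sep 2005 14:30:22 -0400

"""

# 'from <name> (<reverse-dns> [<ip>]) by <host>': the name is what the sending side
# announced (HELO or an IP literal); the parenthesised part is stamped by the receiver.
HOP_RE = re.compile(
    r"from\s+(?P<frm>.+?)\s+"
    r"(?:\((?P<rdns>[^()\[\]]*?)\s*\[(?P<ip>[^\]]+)\]\)\s+)?"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IPV4_LITERAL = re.compile(r"^\[?(\d{1,3}(?:\.\d{1,3}){3})\]?$")


def parse_received(value):
    """Split one unfolded Received: value into frm/rdns/ip/by/time (None if not parseable)."""
    m = HOP_RE.search(value)
    if not m:
        return None
    hop = m.groupdict()
    lit = IPV4_LITERAL.match(hop["frm"])
    if hop["ip"] is None and lit:          # webmail/HTTP submissions log the client IP bare
        hop["ip"] = lit.group(1)
    when = value.rsplit(";", 1)[1] if ";" in value else ""
    when = re.sub(r"\([^)]*\)", "", when).strip()   # drop (CDT), (envelope-from ...)
    try:
        hop["time"] = parsedate_to_datetime(when)
    except (TypeError, ValueError, IndexError):
        hop["time"] = None
    return hop


def received_chain(msg):
    """Hops in transit order: index 0 is the sender side, the last entry the recipient's MTA."""
    values = [" ".join(v.split()) for v in msg.get_all("Received", [])]  # unfold continuations
    hops = [h for h in (parse_received(v) for v in values) if h]
    hops.reverse()                          # MTAs prepend, so the bottom header is hop 1
    return hops


def _utc(t):
    return t.astimezone(timezone.utc) if t is not None and t.tzinfo is not None else None


def check_chain(hops):
    """Continuity and clock checks. Each finding is something to look at, not proof of forgery."""
    issues = []
    for i in range(len(hops) - 1):
        a, b = hops[i], hops[i + 1]
        handed_to = a["by"].lower()
        seen_as = {n.lower() for n in (b["frm"], b["rdns"]) if n}
        if handed_to not in seen_as:
            issues.append(f"hop {i+1}->{i+2}: '{handed_to}' handed off, next hop names {sorted(seen_as)}")
        ta, tb = _utc(a["time"]), _utc(b["time"])
        if ta and tb and tb < ta:
            skew = int((ta - tb).total_seconds())
            issues.append(f"hop {i+2} stamped {skew}s before hop {i+1} (clock skew or forged header)")
    return issues


def analyze(raw):
    msg = message_from_string(raw)
    hops = received_chain(msg)
    x_orig = (msg.get("X-Originating-IP") or "").strip().strip("[]") or None
    return {
        "hops": hops,
        "chain_ip": next((h["ip"] for h in hops if h["ip"]), None),  # earliest IP seen
        "x_originating_ip": x_orig,
        "issues": check_chain(hops),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_HEADER)
    for n, h in enumerate(result["hops"], 1):
        print(f"hop {n}: {h['frm']} [{h['ip']}] -> {h['by']} at {h['time']}")
    print("earliest IP:", result["chain_ip"], "X-Originating-IP:", result["x_originating_ip"])
    for issue in result["issues"]:
        print("check:", issue)
```

On this header the checks report what a careful reading of the slide also shows: the hop from the web front end to the "mail pickup service" is an internal Hotmail handoff that names no host, and pine.cs.tamu.edu stamped its line seven seconds before the relay that handed it the message, which is clock skew between two university servers rather than forgery. The earliest IP, 212.100.250.207, agrees with X-Originating-IP, but both values are only as trustworthy as by22fd.bay22.hotmail.msn.com, the server that recorded them.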

13 Standard intelligence-collecting techniques
- Whois: databases that hold contact and registration information for network resources
- Name-service-based whois: information about a domain. Example: whois uml.edu, or http://www.whois.sc/
- Network-service-based whois: network management data, including the boundaries of a network (its address block). Example: whois -h whois.arin.net 66.38.151.10 (ARIN, the American Registry for Internet Numbers: http://ws.arin.net/whois)
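Once whois has returned the record for an IP taken from the header chain, the next step is to read off who is responsible for the block and to confirm that the record in hand actually covers the address. The following is an added example (not course material): it parses the key/value layout that ARIN's whois service returns and uses the standard-library ipaddress module for the containment test. The record is constructed for illustration over the RFC 5737 documentation range with a fictitious organisation; only the field names follow ARIN's output.

```python
"""Attribute an IP address to its registered netblock and abuse contact from an
ARIN-style whois record. Added example; not from the course slides."""
import ipaddress

# Constructed sample in the key/value layout ARIN's whois returns. The address block is
# the RFC 5737 documentation range and the organisation is fictitious.
SAMPLE_WHOIS = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#

NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET-1
NetHandle:      NET-203-0-113-0-1
NetType:        Direct Allocation
OrgName:        Example Hosting LLC
OrgId:          EXHL
RegDate:        2004-03-12
Updated:        2005-01-30

OrgAbuseHandle: ABUSE1-ARIN
OrgAbuseName:   Abuse Desk
OrgAbuseEmail:  abuse@example.net
"""


def parse_whois(text):
    """Key/value lines into a dict; comment lines are skipped, first value of a repeated key wins."""
    rec = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, _, val = line.partition(":")
        rec.setdefault(key.strip(), val.strip())
    return rec


def record_networks(rec):
    """Prefixes the record covers: the CIDR line (which may list several), else the NetRange."""
    nets = [ipaddress.ip_network(c.strip()) for c in rec.get("CIDR", "").split(",") if c.strip()]
    if not nets and " - " in rec.get("NetRange", ""):
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rec["NetRange"].split("-"))
        nets = list(ipaddress.summarize_address_range(lo, hi))
    return nets


def attribute_ip(ip, whois_text):
    """Who holds the block containing ip, and does the record actually cover it?"""
    rec = parse_whois(whois_text)
    addr = ipaddress.ip_address(ip)
    return {
        "ip": ip,
        "covered": any(addr in n for n in record_networks(rec)),
        "netname": rec.get("NetName"),
        "org": rec.get("OrgName"),
        "abuse": rec.get("OrgAbuseEmail"),
        "record_updated": rec.get("Updated"),  # compare with the e-mail's date: allocations move
    }


if __name__ == "__main__":
    for ip in ("203.0.113.77", "198.51.100.1"):
        print(attribute_ip(ip, SAMPLE_WHOIS))
```

The Updated date matters in a historical investigation: an address block can change hands, so a record fetched today is evidence about today's holder, and the registry's own records for the date on the e-mail are what you need for the suspect.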

14 Domain Name System (DNS)
- DNS maps between host names and numeric IP addresses
- dig: query a name's IP address and its name servers. Example: dig www.uml.edu (the answer also reports the resolver that was used, e.g. SERVER: 129.63.16.100#53(129.63.16.100))
- To find a domain's mail servers (SMTP, port 25), query its MX records: dig uml.edu MX (MX records are published for the domain, not for a host such as www)
- nslookup: an older tool with the same function; dig is the preferred replacement

15 Google Email Header (Cont.) [screenshot]

16 Google Email Header (Cont.) [screenshot]

17 Yahoo Email Header [screenshot]

18 Yahoo Email Header (Cont.) [screenshot]

19 Hotmail Email Header (then) [screenshot]

20 Hotmail Email Header (Cont.) (then) [screenshot]

21 Hotmail Email Header (Cont.) (now) [screenshot]

22 Hotmail Email Header (Cont.)
- View E-mail Message Source
- Every e-mail sent directly from a Hotmail account, and from some other webmail services, carries an X-Originating-IP or X-Sender-IP header. It records the public IP address the client was using when it submitted the message to the webmail server
- These X- headers are added by the webmail server, not by any SMTP relay, so they are only as trustworthy as that server: a sender who relays through a server under their own control can insert arbitrary X- headers. Corroborate the value against the bottom-most Received: line, and remember that the address may belong to a NAT gateway, proxy or VPN exit rather than to the sender's own machine

23 Thunderbird Email Header [screenshot]

24 [screenshot]

25 Once you identify the IP address …
- An IP address identifies a network endpoint at a point in time, not a person: to find the suspect you may still have to go through many logs (the ISP's address-assignment records, proxy, NAT and server logs) and correlate them with the time stamps in the headers

26 Using Specialized E-mail Forensics Tools
- AccessData's FTK
- EnCase
- FINALeMAIL
- Sawmill-GroupWise
- DBXtract
- MailBag Assistant
- Paraben
