Download presentation
Presentation is loading. Please wait.
1
91.580.203 Computer & Network Forensics Xinwen Fu Chapter 13 E-mail Investigations
2
CS@UML 2 Outline Introduction to Email investigation Trace email senders
3
CS@UML 3 Email
4
CS@UML 4 E-mail Crimes and Violations Spam emails Becoming commonplace Legal or not depends on the city, state, or country and always consult with an attorney Crimes involving e-mails: Narcotic trafficking Extortion Sexual harassment
5
CS@UML 5 Investigating E-mail Crimes and Violations Similar to other types of investigations Goals Find who is behind the crime Collect the evidence Present your findings Build a case
6
CS@UML 6 Examining E-mail Messages Access victim’s computer and retrieve evidence Investigate the victim’s e-mail Find and copy evidence in the e-mail Access protected or encrypted material Print e-mails Open and copy e-mail including headers Sometimes you will deal with deleted e- mails
7
CS@UML 7 Outline Introduction to Email investigation Trace email senders
8
CS@UML 8 Tracing Normal Emails Name conventions Corporate: john.smith@somecompany.com Everything after @ belongs to the domain name Tracing corporate e-mails is easier
9
CS@UML 9 Tracing Emails from Public Email Servers Can you send seemingly anonymous emails from public email accounts such as Yahoo, Hotmail, etc.? Public: whatever@hotmail.com
10
CS@UML 10 Tracing by Viewing E-mail Headers Learn how to find e-mail headers GUI clients Command-line clients Web-based clients Headers contain useful information Unique identifying numbers Sending time IP address of sending email server IP address of the email client
11
CS@UML 11 SMTP (simple mail transfer protocol) The current SMTP header is put to the head of an email The first “received: from” of an email header identifies the closest hop to the sender smtp server 1 smtp server 2 smtp server 3 server 1server 2server 3 From BobTo Alice Bob Alice
12
CS@UML 12 1.From doris_ben01@hotmail.com Wed Sep 14 13:30:34 2005 2.Received: from smtp-relay.tamu.edu (smtp-relay.tamu.edu [165.91.143.199]) 3. by pine.cs.tamu.edu (8.12.9/8.12.9) with ESMTP id j8EIUUSt013552; 4. Wed, 14 Sep 2005 13:30:30 -0500 (CDT) 5.Received: from hotmail.com (bay22-f12.bay22.hotmail.com [64.4.16.62]) 6. by smtp-relay.tamu.edu (8.13.3/8.13.3/oc) with ESMTP id j8EIUa3V052539; 7. Wed, 14 Sep 2005 13:30:37 -0500 (CDT) 8. (envelope-from doris_ben01@hotmail.com) 9.Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; 10. Wed, 14 Sep 2005 11:30:22 -0700 11.Message-ID: 12.Received: from 212.100.250.207 by by22fd.bay22.hotmail.msn.com with HTTP; 13. Wed, 14 Sep 2005 18:30:22 GMT 14.X-Originating-IP: [212.100.250.207] 15.X-Originating-Email: [doris_ben01@hotmail.com] 16.X-Sender: doris_ben01@hotmail.com 17.From: "Doris Benson" doris_ben01@hotmail.comdoris_ben01@hotmail.com 18.Bcc: 19.Subject: REPLY NEEDED 20.Date: Wed, 14 Sep 2005 14:30:22 -0400 Trace back to a naive spammer
13
CS@UML 13 Standard intelligence collecting techniques Whois – databases with a compilation of information designed to maintain contact information for network resources Name service based whois Information about a domain Example: whois uml.edu or http://www.whois.sc/ Network service based whois Information about network management data Boundary of a network Example: whois -h whois.arin.net 66.38.151.10 (ARIN - American Registry for Internet Numbers, http://ws.arin.net/whois) http://ws.arin.net/whois
14
CS@UML 14 Domain name system (DNS) DNS: mapping between numeric ip addresses and names dig Get domain name ip and nameservers dig www.uml.eduwww.uml.edu SERVER: 129.63.16.100#53(129.63.16.100) For query Mail Servers (port 25) in domain dig www.uml.edu MXwww.uml.edu Nslookup – same as dig but obsolete
15
CS@UML 15 Google Email Header (Cont.)
16
CS@UML 16 Google Email Header (Cont.)
17
CS@UML 17 Yahoo Email Header
18
CS@UML 18 Yahoo Email Header (Cont.)
19
CS@UML 19 Hotmail Email Header then
20
CS@UML 20 Hotmail Email Header (Cont.) then
21
CS@UML 21 Hotmail Email Header (Cont.) Now
22
CS@UML 22 Hotmail Email Header (Cont.) View E-mail Message Source Every email sent directly from a Hotmail account or other special mail server contains the "X-originating-IP" or "X-Sender- Ip" in the message headers. This number indicates the IP address (or the specific computer ID) the person was using at the time they sent the email
23
CS@UML 23 Thunderbird Email Header
24
CS@UML 24
25
CS@UML 25 Once you identify the IP address … To find the suspect, you may have to check a lot of computer logs to identify the suspect
26
CS@UML 26 Using Specialized E-mail Forensics Tools Tools AccessData’s FTK EnCase FINALeMAIL Sawmill-GroupWise DBXtract MailBag Assistant Paraben
27
CS@UML 27 Reference jmates, E-Mail Flow, 2006/02/06, http://sial.org/howto/sendmail/ http://sial.org/howto/sendmail/ Configuring DNS, 2006, http://www.linuxhomenetworking.com/lin ux-hn/dns-static.htm http://www.linuxhomenetworking.com/lin ux-hn/dns-static.htm Mark D. Roth, sendmail Tutorial, 2006, http://www.feep.net/sendmail/tutorial/ http://www.feep.net/sendmail/tutorial/
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.