Download presentation
Presentation is loading. Please wait.
Published byGeoffrey Young Modified over 9 years ago
1
1 CSCD 496 Computer Forensics Lecture 15 Network Forensics Internet Information - Anonymity Winter 2010
2
2 Lecture Outline Two Main Topics –Anonymity Hiding your identity on the Internet E-mail anonymity
3
3 Introduction Internet - huge repository of information A lot of information stored on Internet applications and servers Today, look at becoming anonymous on the Internet Look at anonymity servers and remailers Should have had a chance to try out remailer from the lab
4
4 Introduction Problem with Internet information –Tracing activity to an individual is hard Why might you want to be anonymous?
5
5 Anonymity Important –Investigators need to know How to hide themselves on-line How criminals and others hide themselves on-line Undercover for gambling, child porn, drugs or stolen merchandise –What do you want to conceal? Name, address, tel. number, IP address Lots of ways to do this...
6
6 Free ISPs Hiding On-line –Free ISPs – dial in without ID –Netzero is one that is free –NetZero launched in 1998, first free internet service provider Grew to 1,000,000 users in six months Limited to 10 hours/month Bought Juno –Another service http://www.fastfreedialup.com/
7
7 Free ISPs What does that get you? – Use a dial-up modem and provider such as Earthlink, Juno, or NetZero to connect to the Internet – Every time you dial in and connect to the Internet there is a very good chance that your IP address will be different – Calling different access numbers (different cities, different States even) will increase chance of getting a unique IP address
8
8 Proxies Another way to conceal IP while surfing the Web Direct all page requests through a proxy –Proxy – remote machine connect through to the Net which forwards your IP traffic and makes it look like you are originating from Web server logs records IP of proxy instead of actual client IP Not all of them are free Web proxy sites –http://www.the-cloak.com/anonymous-surfing- home.html –http://anon.inf.tu-dresden.de/ –https://proxy.org/ (a whole bunch at one site)
9
9 Browser Proxies Browser proxies –Add-on to your browser allows automated switching according to rules you set –Example: FoxyProxy for Firefox FoxyProxy Firefox extension automatically switches an internet connection across one or more proxy servers based on URL pattern FoxyProxy automates manual process of editing Firefox's Connection Settings dialog
10
10 Results of Proxies Proxies –What is accomplished by a proxy? Hides your IP in Web logs –Makes it more difficult to find originating IP since must go back to proxy server to get IP of suspect Connect to IRC or ICQ with a proxy –Not all of the ones on previous page allow this Minimizes cookies and other types of tracking
11
11 VPN Connections How do they work? –Virtual Private Network (VPN) Providers: A VPN special network allows computers to securely and privately access resources through them – Computers configured to use a VPN can forward all traffic through the VPN and obscure their actual IP address –Commercial service will have access to your billing information
12
12 Paid VPN's Several paid services https://www.relakks.com/faq/legal/ –Swedish Broadband service –Really interesting terms of service Other VPN Services –http://blacklogic.com/ –http://www.piratpartiet.se/international/english –http://www.hotspotvpn.com/
13
13 Tests for Your Anonymity WhatsMyIP http://www.whatsmyip.org/ Privacy Test http://privacy.net/analyze-your-internet-connection/ Lagado Test http://www.lagado.com/proxytest Zaloop http://zaloop.net
14
14 Other Anonymity Services The Onion Router (TOR) http://www.torproject.org/ TOR is a global Internet anonymity and privacy system. It utilizes between 800-1500 computers spread across the world to forward Internet traffic anonymously A user installs TOR and configures their web traffic to move through the TOR network This makes the user's traffic appear to originate at a random computer on the Internet
15
15 Other Anonymity Services Change your browser habits and an add-on –Stealther 1.0.8 - https://addons.mozilla.org/en- US/firefox/addon/1306 –Surf the web without leaving a trace in your local computer –What it does is temporarily disable the following: - Browsing History (also in Address bar) - Cookies - Downloaded Files History - Disk Cache - Saved Form Information - Sending of ReferrerHeader - Recently Closed Tabs list
16
16 Email Anonymity
17
17 E-mail Every message header contains information about its origin and destination –Possible to track e-mail back to its source –Identify the sender –Even when forged, there is information in e- mail headers
18
18 E-mail E-mail one of the most widely used services on the Internet Most important ways criminals communicate For more privacy, encryption is used or anonymous re- mailer E-mail protected by strict privacy law – Which Law? –Electronic Communication Privacy Act (ECPA) Even if can obtain incriminating e-mail, difficult to prove specific individual sent a specific message –Claim they never sent it Look more at anonymizing e-mail next
19
19 Anonymous E-mail There are two kinds of services in this category. First is truly Anonymous: no one anywhere knows your identity –This is a one-way channel, can’t get return mail sent back to you –Usually encrypted –Typically, sent through more than one remailer –Example: Cypherpunk or Mixmaster
20
20 Anonymous E-mail Second, called Pseudo-anonymous or sometimes Pseudonymous Owner of the service knows your identity and can be forced in a court of law to reveal it –Most truly anonymous services are free (it's difficult to bill an unknown, unnamed client), but they often require some skill and effort to use –You expect to have your email answered –You get your identify replaced with dummy address –Responses replaced with dummy address too –Example: Craigslist and match.com
21
21 Anonymous E-mail Remailers make it hard to determine who sent a particular message –But no message is totally anonymous Sender puts txt in the message Message leaves something behind with sender ID Machines that handle message may have useful information Forging and Tracking E-mail –Important to know how e-mail is actually created and transmitted –Understand e-mail headers too
22
22 Cipher Punk Example http://anonymous.to/tutorials/anonymous-remailers/ Steps –Create a message in your email client programs –Put the remailer address in the To: field remailer@cypherpunks.to –Message should have a subject, prior to it a '##' –In the body of the message type '::' –Then, next line, Anon-to: recipient@mail.com –One blank line, then type message –Its that simple!!!
23
23 Cipher Punk Remailers Example To: remailer@cypherpunks.to Subject: Testing anonymous email > Body: > :: > Anon-To: recipient@address.com > > ## > Subject: Subject of message > > Type your message here.
24
24 Tracking E-mail E-mail is like Real mail –Post offices in e-mail world called Mail Transfer Agents (MTA) –Message may travel through multiple MTA’s Each MTA adds something to the header of a transmitted message –Time stamps, technical identifying information –Each creates its own received header –Passed along to next MTA until message reaches its destination
25
25 Tracking E-mail Default is not to see the e-mail header –Most e-mail clients have a setting that allows you to view e-mail header Netscape email –View – Headers – All Outlook Express –File – properties - click on details Eudora –Click on blah-blah-blah Opera –Right click email header, select View all headers
26
26 Tracking E-mail Identity in E-mail –Unless remailer or advanced forging technique used Sender identity embedded in message Two most useful header fields: –Message ID –Received field Message ID –Is globally unique – current date/time, MTA domain name and sender’s account name Example: Message sent Dec. 4, 1999 from mail.corpX.com by user13 Message-id:
27
27 Tracking E-mail Examining E-mail Headers –Some might have been forged, but the last few were likely valid, –Since e-mail message was delivered –Can achieve pseudo-anonymity through hotmail or netaddress e-mail account Header will contain IP of original computer Unless you went through an anonymizer...
28
28 Return-Path: Received: from hotmail.com (bay106-f21.bay106.hotmail.com[65.54.161.31]) by granite.cs.uidaho.edu (8.13.3+Sun/8.13.3) with ESMTP id jA7IbwCl018714 for ; Mon, 7 Nov 2005 10:38:04 -0800 (PST) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 7 Nov 2005 10:37:52 -0800 Message-ID: Received: from 65.54.161.200 by by106fd.bay106.hotmail.msn.com with HTTP; Mon, 07 Nov 2005 18:37:52 GMT X-Originating-IP: [129.101.153.145] X-Originating-Email: [ctaylor888@hotmail.com] X-Sender: ctaylor888@hotmail.com From: "Carol Taylor" To: ctaylor@cs.uidaho.edu Subject: Sending a message to myself Date: Mon, 07 Nov 2005 10:37:52 -0800 Mime-Version: 1.0 Content-Type: text/plain; format=flowed X-OriginalArrivalTime: 07 Nov 2005 18:37:52.0628 (UTC) FILETIME=[5C97D340:01C5E3CA] Content-Length: 270 Example: Hot mail
29
29 Return-path: anonymousmailer@behidden.com Received: from imta21.westchester.pa.mail.comcast.net (LHLO imta21.westchester.pa.mail.comcast.net) (76.96.62.31) by sz0050.ev.mail.comcast.net with LMTP; Tue, 2 Mar 2010 18:48:42 +0000 (UTC) Received: from mout.perfora.net ([74.208.4.195]) by imta21.westchester.pa.mail.comcast.net with comcast Joh1d0194CTZVm0MJohcP; Tue, 02 Mar 2010 18:48:42 +0000... X-Authority-Analysis: v=1.1 Received: from localhost (u15177982.onlinehome-server.com [82.165.253.19]) by mrelay.perfora.net (node=mrus4) with ESMTP (Nemesis1NaFSs0bDp-013hVr; Tue, 02 Mar 2010 13:48:40 -0500 MIME-Version: 1.0 To: ctaylor4214@comcast.net From: AnonymousMailer@behidden.com Subject: Trying beHidden.com Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit Message-ID: Date: Tue, 02 Mar 2010 10:48:39 -0800 X-Provags-ID: V01U2FsdGVkX18zZyGxtJetADPAYPYc8Tl6hLwJECvXwZofTGD yRUgR+qvaXYsRBIFlqS6cVOGnapEF0Ar8AW+hMEGAxQXA8HIi Trying this service to see what it sends.
30
30 Email Anonymity Hushmail –Another level of anonymity –Wants recepient to log in and get the message –See example
31
31 Where Email Comes From Superficially, it appears that email is passed directly from the sender's machine to the recipient's Lie. Email passes through at least four computers during its lifetime Most organizations have a dedicated machine to handle mail, called a "mail server” When a user sends mail, –She normally composes the message on her own computer, then sends it off to her ISP's mail server –At this point her computer is finished with the job, but the mail server still has to deliver the message It does this by finding the recipient's mail server, talking to that server and delivering the message
32
32 Consider a couple of fictitious users: rth@bieberdorf.edu and tmh@immense-isp.com –tmh is a dialup user of Immense ISP, Inc., using a mail program called Loris Mail –rth is a faculty member at the Bieberdorf Institute, with a workstation on his desk networked with the Institute's other computers If rth wants to send a letter to tmh, –Composes it at his workstation alpha.bieberdorf.edu –Text passed to mail server, mail.bieberdorf.edu –Mail server, contacts other mail server mailhost.immense- isp.com –And delivers the mail to it –Message stored on mailhost.immense-isp.com until tmh dials in from his home computer and checks his mail –At that time, the mail server delivers any waiting mail, including the letter from rth, to it.
33
33 During all this processing, headers will be added to the message three times: 1. At composition time, by whatever email program rth is using; 2. When that program hands control off to mail.bieberdorf.edu 3. At the transfer from Bieberdorf to Immense. (Normally, the dialup node that retrieves the message doesn't add any headers.) We can watch the evolution of these headers …
34
34 Mail Headers As generated by rth's mailer and handed off to mail.bieberdorf.edu: From: rth@bieberdorf.edu (R.T. Hood) To: tmh@immense-isp.com Date: Tue, Mar 18 1997 14:36:14 PST X-Mailer: Loris v2.32 Subject: Lunch today?
35
35 EMail Headers As they are when mail.bieberdorf.edu transmits the message to mailhost.immense-isp.com: Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [124.211.3.11]) by mail.bieberdorf.edu (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST) ------------------------------------------------------------------------------------ From: rth@bieberdorf.edu (R.T. Hood) To: tmh@immense-isp.com Date: Tue, Mar 18 1997 14:36:14 PST Message-Id: X-Mailer: Loris v2.32 Subject: Lunch today? Header added
36
36 Email Headers As they are when mailhost.immense-isp.com finishes processing the message and stores it for tmh to retrieve : Received: from mail.bieberdorf.edu (mail.bieberdorf.edu [124.211.3.78]) by mailhost.immense-isp.com (8.8.5/8.7.2) with ESMTP id LAA20869 for ; Tue, 18 Mar 1997 14:39:24 -0800 (PST) ------------------------------------------------------------------------------ Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [124.211.3.11]) by mail.bieberdorf.edu (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST) From: rth@bieberdorf.edu (R.T. Hood) To: tmh@immense-isp.com Date: Tue, Mar 18 1997 14:36:14 PST Message-Id: X-Mailer: Loris v2.32 Subject: Lunch today? This last set of headers is the one that tmh sees on the letter when he downloads and reads his mail. Header added
37
37 Conclusion Internet is a wealth of information sources –E-mail plus other ways to leave information –Useful for identifying criminal activity –Need to know if or how these sources were used in a suspected crime Anonymity –Used a lot by people who want to hide their activities –Can hide a lot of things, but still some identifying information Just harder
38
38 Resources Electronic Frontier Foundation http://www.eff.org/ Privacy Author http://www.andrebacard.com/privacy.html BeHidden – email and surfing http://www.behidden.com/ Hushmail http://www.hushmail.com/ Privacy Test http://privacy.net/analyze-your-internet-connection/ VPN Encryption Tunnel https://www.relakks.com/faq/legal/
39
39 End Next time: Case Study – Digital Evidence Internet Tracking someone via the Internet
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.