Transcript Slides

91.580.203
Computer & Network Forensics
Xinwen Fu
Chapter 13
E-mail Investigations
Outline
- Introduction to Email investigation
- Trace email senders
CS@UML
Email
E-mail Crimes and Violations
- Spam emails
  - Becoming commonplace
  - Whether spam is legal depends on the city, state, or country; always consult an attorney
- Crimes involving e-mails:
  - Narcotic trafficking
  - Extortion
  - Sexual harassment
Investigating E-mail Crimes and Violations
- Similar to other types of investigations
- Goals
  - Find who is behind the crime
  - Collect the evidence
  - Present your findings
  - Build a case
Examining E-mail Messages
- Access the victim's computer and retrieve evidence
- Investigate the victim's e-mail
  - Find and copy evidence in the e-mail
  - Access protected or encrypted material
  - Print e-mails
  - Open and copy e-mail, including headers
  - Sometimes you will deal with deleted emails
Outline
- Introduction to Email investigation
- Trace email senders
Tracing Normal Emails
- Name conventions
  - Corporate: [email protected]
  - Everything after @ is the domain name
  - Tracing corporate e-mails is easier
Tracing Emails from Public Email Servers
- Can you send seemingly anonymous emails from public email accounts such as Yahoo, Hotmail, etc.?
- Public: [email protected]
Tracing by Viewing E-mail Headers
- Learn how to find e-mail headers
  - GUI clients
  - Command-line clients
  - Web-based clients
- Headers contain useful information
  - Unique identifying numbers (Message-ID, server queue IDs)
  - Sending time
  - IP address of the sending email server
  - IP address of the email client
SMTP (simple mail transfer protocol)
- Each SMTP server that relays the message prepends its own "Received:" header, so the most recent hop sits at the top of the header block
- Read from the top, the first "Received: from" is the hop closest to the recipient; the bottom-most "Received: from" is the hop closest to the sender
- Only the "Received:" lines written by servers you control are trustworthy; a sender can forge any line below them
[Figure: Bob -> smtp server 1 -> smtp server 2 -> smtp server 3 -> Alice; each server adds its Received header above the previous one]
Trace back to a naive spammer
From [email protected] Wed Sep 14 13:30:34 2005
Received: from smtp-relay.tamu.edu (smtp-relay.tamu.edu [165.91.143.199])
    by pine.cs.tamu.edu (8.12.9/8.12.9) with ESMTP id j8EIUUSt013552;
    Wed, 14 Sep 2005 13:30:30 -0500 (CDT)
Received: from hotmail.com (bay22-f12.bay22.hotmail.com [64.4.16.62])
    by smtp-relay.tamu.edu (8.13.3/8.13.3/oc) with ESMTP id j8EIUa3V052539;
    Wed, 14 Sep 2005 13:30:37 -0500 (CDT)
    (envelope-from [email protected])
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Wed, 14 Sep 2005 11:30:22 -0700
Message-ID: <[email protected]>
Received: from 212.100.250.207 by by22fd.bay22.hotmail.msn.com with HTTP;
    Wed, 14 Sep 2005 18:30:22 GMT
X-Originating-IP: [212.100.250.207]
X-Originating-Email: [[email protected]]
X-Sender: [email protected]
From: "Doris Benson" [email protected]
Bcc:
Subject: REPLY NEEDED
Date: Wed, 14 Sep 2005 14:30:22 -0400

Reading the chain bottom-up: the message was submitted over HTTP from 212.100.250.207 (the same address Hotmail records in X-Originating-IP), passed through Hotmail's outbound server (64.4.16.62), was accepted by smtp-relay.tamu.edu, and was finally delivered to pine.cs.tamu.edu. Note that pine stamps the message at 13:30:30 while the relay that handed it over stamps 13:30:37: the two university servers' clocks disagree by seven seconds, which is harmless here but is the kind of discrepancy that must be explained before timestamps are used as evidence.
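To make the bottom-up reading mechanical, the following Python script is added here as a worked example; it is not part of the original slides. It walks the Received: chain of the header above, pulls out the IP each relay recorded for its peer, and flags two things an examiner wants to see before trusting the chain: a hop stamped earlier than the hop before it (clock skew on a relay, or a forged line), and the trust boundary below which the Received: lines were written by machines the examiner does not control. The sample header is constructed from the hostnames, IPs and timestamps on the slide, with placeholder mailbox addresses because the slide redacts them; the list of "own" MTAs passed to last_verifiable_ip (the two tamu.edu servers) is an assumption for the example. The same originating_ip function covers the X-Originating-IP header that the Hotmail slides later in the deck describe.

```python
"""Walk the Received: chain of an e-mail header bottom-up (origin first),
pull out the IP each relay recorded for its peer, and flag the things an
examiner should notice before trusting the chain."""
import email
import email.utils
import re

# Constructed sample modelled on the Hotmail-to-university header above.
# Hostnames, IPs and timestamps are those shown on the slide; the mailbox
# addresses are placeholders because the slide redacts them.
SAMPLE = """Received: from smtp-relay.tamu.edu (smtp-relay.tamu.edu [165.91.143.199])
\tby pine.cs.tamu.edu (8.12.9/8.12.9) with ESMTP id j8EIUUSt013552;
\tWed, 14 Sep 2005 13:30:30 -0500 (CDT)
Received: from hotmail.com (bay22-f12.bay22.hotmail.com [64.4.16.62])
\tby smtp-relay.tamu.edu (8.13.3/8.13.3/oc) with ESMTP id j8EIUa3V052539;
\tWed, 14 Sep 2005 13:30:37 -0500 (CDT)
\t(envelope-from sender@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
\tWed, 14 Sep 2005 11:30:22 -0700
Message-ID: <BAY22-F12@hotmail.com>
Received: from 212.100.250.207 by by22fd.bay22.hotmail.msn.com with HTTP;
\tWed, 14 Sep 2005 18:30:22 GMT
X-Originating-IP: [212.100.250.207]
From: "Doris Benson" <sender@hotmail.com>
Subject: REPLY NEEDED
Date: Wed, 14 Sep 2005 14:30:22 -0400

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Split one Received: value into the fields a tracer needs."""
    # The timestamp follows the last ';'; everything before it is the clause.
    clause, _, stamp = value.rpartition(";") if ";" in value else (value, "", "")
    clause = " ".join(clause.split())  # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", clause)
    m_by = re.search(r"\bby\s+(\S+)", clause)
    helo = m_from.group(1) if m_from else None
    comment = (m_from.group(2) or "") if m_from else ""
    # The receiving MTA writes the peer's real address in the parenthesised
    # comment; webmail submission lines carry a bare IP as the "from" name.
    ip_m = IPV4.search(comment) or IPV4.search(helo or "")
    return {
        "helo": helo,  # name the peer claimed in HELO/EHLO (forgeable)
        "rdns": comment.split()[0] if comment and not comment.startswith("[") else None,
        "ip": ip_m.group(1) if ip_m else None,
        "by": m_by.group(1) if m_by else None,
        "time": email.utils.parsedate_to_datetime(stamp.strip()) if stamp.strip() else None,
    }


def trace(raw):
    """Return (hops in transmission order, list of anomaly notes)."""
    msg = email.message_from_string(raw)
    # Headers are prepended, so the bottom-most Received: is the first hop.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    notes = []
    for i, hop in enumerate(hops):
        if hop["rdns"] and hop["helo"] and hop["rdns"].lower() != hop["helo"].lower():
            notes.append(f"hop {i}: HELO name '{hop['helo']}' differs from rDNS '{hop['rdns']}'")
        prev = hops[i - 1]["time"] if i else None
        if prev and hop["time"] and hop["time"] < prev:
            skew = (prev - hop["time"]).total_seconds()
            notes.append(f"hop {i}: stamped {skew:.0f}s before the previous hop "
                         "(clock skew or forged header)")
    return hops, notes


def originating_ip(raw):
    """Best candidate for the sender's client address: X-Originating-IP when
    the webmail provider supplies it, else the first hop that recorded an IP."""
    msg = email.message_from_string(raw)
    m = IPV4.search(msg.get("X-Originating-IP", ""))
    if m:
        return m.group(1)
    return next((h["ip"] for h in trace(raw)[0] if h["ip"]), None)


def last_verifiable_ip(hops, own_hosts):
    """Walk back from the recipient through Received: lines written by MTAs
    we control; the peer IP our edge MTA logged is the last address we can
    vouch for, since every earlier line was written by someone else."""
    own = {h.lower() for h in own_hosts}
    peer = None
    for hop in reversed(hops):
        if not (hop["by"] and hop["by"].lower() in own):
            break
        peer = hop["ip"]
    return peer


if __name__ == "__main__":
    hops, notes = trace(SAMPLE)
    for i, h in enumerate(hops):
        print(f"{i}: {h['ip'] or '-':>16}  {h['helo']} -> {h['by']}  {h['time']}")
    print("X-Originating-IP / first hop:", originating_ip(SAMPLE))
    # Assumed for the example: the two tamu.edu hosts are the examiner's own MTAs.
    print("last IP our own MTAs vouch for:",
          last_verifiable_ip(hops, ["pine.cs.tamu.edu", "smtp-relay.tamu.edu"]))
    for n in notes:
        print("note:", n)
```

Run as-is, the script lists the four hops origin-first, reports 212.100.250.207 as the submitting client, names 64.4.16.62 (the Hotmail server that connected to smtp-relay.tamu.edu) as the last address the university's own servers can vouch for, and emits two notes: the seven-second skew between the two tamu.edu stamps, and the fact that the Hotmail server said HELO as "hotmail.com" while its reverse DNS is bay22-f12.bay22.hotmail.com. The second note is normal for a large webmail farm and is printed as a note rather than an alarm; the point is that the HELO name is whatever the peer chose to say, whereas the bracketed IP was observed by the receiving MTA.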
Standard intelligence collecting techniques
- Whois: databases that compile contact information for network resources
  - Name service based whois
    - Information about a domain
    - Example: whois uml.edu, or http://www.whois.sc/
  - Network service based whois
    - Information about network management data, e.g. the boundary of a network
    - Example: whois -h whois.arin.net 66.38.151.10 (ARIN, the American Registry for Internet Numbers, http://ws.arin.net/whois)
Domain name system (DNS)
- DNS: mapping between numeric IP addresses and names
- dig
  - Get a domain name's IP address and nameservers: dig www.uml.edu
    (the output also names the resolver that answered, e.g. SERVER: 129.63.16.100#53(129.63.16.100))
  - To query a domain's mail servers (MX records, the hosts that accept SMTP on port 25): dig www.uml.edu MX
- nslookup: similar to dig, but obsolete
Google Email Header (Cont.) [screenshot]
Google Email Header (Cont.) [screenshot]
Yahoo Email Header [screenshot]
Yahoo Email Header (Cont.) [screenshot]
Hotmail Email Header (then) [screenshot]
Hotmail Email Header (Cont.) (then) [screenshot]
Hotmail Email Header (Cont.) (now) [screenshot]
Hotmail Email Header (Cont.)
- View E-mail Message Source
- Every email sent directly from a Hotmail account (and from some other webmail services) carries an "X-Originating-IP" or "X-SenderIp" header
- It records the IP address the webmail server saw the sender connect from when the email was sent; if the sender was behind a NAT gateway or proxy, it is the address of that gateway rather than of the individual machine
Thunderbird Email Header [screenshot]
Once you identify the IP address ...
- To find the suspect, you may still have to check many logs (for example, the ISP's or the organization's connection records for that address at that time) to tie the IP address to a person
Using Specialized E-mail Forensics Tools
- Tools
  - AccessData's FTK
  - EnCase
  - FINALeMAIL
  - Sawmill-GroupWise
  - DBXtract
  - MailBag Assistant
  - Paraben