9.4.3 Viewing E-mail Header
SAK 4801 INTRODUCTION TO COMPUTER FORENSICS
Chapter 9 Tracking E-mails and Investigating E-mail Crimes
Mohd Taufik Abdullah
Department of Computer Science
Faculty of Computer Science and Information Technology
University Putra of Malaysia
Room No: 2.28
Portions of the material courtesy Nelson et al. and EC-Council
Learning Objectives
At the end of this chapter, you will be able to:
• Explain the role of e-mail in investigations
• Describe client and server roles in e-mail
• Describe tasks in investigating e-mail crimes and violations
• Explain the use of e-mail server logs
• Describe some available e-mail computer forensics tools
Chapter 9 Outline
9. Tracking E-mails and Investigating E-mail Crimes
9.1. Understanding Internet Fundamentals and Internet Protocols
9.2. Exploring the Roles of E-mail in Investigations
9.3. Exploring the Roles of the Client and Server in E-mail
9.4. Investigating E-mail Crimes and Violations
9.5. Tracing Back
9.6. Searching E-mail Addresses
9.7. Handling Spam
9.8. Protecting E-mail Address from Spam
9.1 Understanding Internet Fundamentals and Internet Protocols
9.1.1 Understanding Internet Fundamentals
• Internet
  - It is a huge collection of networks connecting millions of computers
• Internet Service Provider (ISP)
  - According to Webopedia.com, "It is a company that provides access to the Internet"
• Dial-Up Connection
  - According to Webopedia.com, "It refers to connecting a device to a network via a modem and a public telephone network"
9.1.2 Understanding Internet Protocols
• Internet Protocols
  - A set of standards determining the format and transmission of data
  - TCP/IP is the protocol used for e-mail (including SMTP, POP3, and IMAP)
• Transmission Control Protocol (TCP)
  - A connection-oriented protocol that enables devices to establish a connection and then guarantees the delivery of data in the same order it was sent
• Internet Protocol (IP)
  - A connectionless protocol that provides the addressing scheme. It operates at the network layer
9.2 Exploring the Roles of E-mail in Investigations
• With the increase in e-mail scams and fraud attempts using phishing or spoofing, investigators need to know how to examine and interpret the unique content of e-mail messages
• Phishing e-mails are in HTML format, which allows creating links to text on a Web page
• One of the most noteworthy e-mail scams was 419, or the Nigerian Scam
• Spoofed e-mail can be used to commit fraud
9.3 Exploring the Roles of the Client and Server in E-mail
• Send and receive e-mail in two environments
  - Internet
  - Controlled LAN, MAN, or WAN
• Client/server architecture
  - Server OS and e-mail software differ from those on the client side
• Protected accounts
  - Require usernames and passwords
• Name conventions
  - Corporate: [email protected]
  - Public: [email protected]
  - Everything after @ belongs to the domain name
• Tracing corporate e-mails is easier, because accounts use standard names the administrator establishes
9.3.1 E-mail Crime
• E-mail crime is a "new-age crime" that is growing rapidly
• E-mail crime can be categorized in two ways:
  - Crime committed by sending e-mails, e.g. spamming, mail bombing
  - Crime supported by e-mails, e.g. harassment, child pornography
9.3.2 Spamming, Mail Bombing, Mail Storm
• Spamming can be defined as sending unsolicited mails. The more common word for spam is "junk mail"
• Mail bombing can be defined as the act of sending unwanted mails in excessive amounts, which makes the recipient's mailbox full
• According to DictionaryWords.net, "Mail Storm is a flood of incoming mail that brings the machine to its knees"
9.3.3 Chat Rooms
• Chat rooms are an open target for pedophiles, who use them for the sexual abuse of children
• According to WordNet Dictionary, "Child pornography can be defined as the illegal use of children in pornographic pictures and films"
• The Internet has become an easy-to-use tool for harassment, and e-mail has become the most vulnerable feature of it
9.3.4 Identity Fraud, Chain Letter
• Identity fraud can be defined as using or stealing one's personal information, like name, address, and credit card number, for economic gain
• According to DictionaryWords.net, "Chain Letter is a letter that is sent successively to several people."
9.3.5 Sending Fakemail
9.4 Investigating E-mail Crimes and Violations
• Similar to other types of investigations
• Goals
  - Find who is behind the crime
  - Collect the evidence
  - Present your findings
  - Build a case
• Depend on the city, state, or country
  - Example: spam
  - Always consult with an attorney
• Becoming commonplace
• Examples of crimes involving e-mails
  - Narcotics trafficking
  - Extortion
  - Sexual harassment
  - Child abductions and pornography
9.4.1 Investigating Process
• Examining an e-mail message
• Copying an e-mail message
• Printing an e-mail message
• Viewing e-mail headers
• Examining an e-mail header
• Examining attachments
• Tracing an e-mail
9.4.2 Examining E-mail Messages
• Access the victim's computer to recover the evidence
• Using the victim's e-mail client
  - Find and copy evidence in the e-mail
  - Access protected or encrypted material
  - Print e-mails
• Guide the victim on the phone
  - Open and copy the e-mail, including headers
• Sometimes you will deal with deleted e-mails
9.4.2 Examining E-mail Messages (Cont.)
• Copying an e-mail message
  - Before you start an e-mail investigation, you need to copy and print the e-mail involved in the crime or policy violation
  - You might also want to forward the message as an attachment to another e-mail address
• With many GUI e-mail programs, you can copy an e-mail by dragging it to a storage medium, or by saving it in a different location
9.4.3 Viewing E-mail Header
• Learn how to find e-mail headers
  - GUI clients
  - Command-line clients
  - Web-based clients
• After you open e-mail headers, copy and paste them into a text document so that you can read them with a text editor
• Headers contain useful information
  - Unique identifying numbers, IP address of the sending server, and sending time
9.4.3 Viewing E-mail Header (Cont.)
• Outlook
  - Open the Message Options dialog box
  - Copy the headers
  - Paste them into any text editor
• Outlook Express
  - Open the message Properties dialog box
  - Select Message Source
  - Copy and paste the headers into any text editor
9.4.3 Viewing E-mail Header (Cont.)
• Novell Evolution
  - Click View, All Message Headers
  - Copy and paste the e-mail header
• Pine and ELM
  - Check enable-full-headers
• AOL headers
  - Click Action, View Message Source
  - Copy and paste headers
9.4.3 Viewing E-mail Header (Cont.)
• Hotmail
  - Click Options, and then click Mail Display Settings
  - Click the Advanced option button under Message Headers
  - Copy and paste headers
• Apple Mail
  - Click View from the menu, point to Message, and then click Long Header
  - Copy and paste headers
9.4.3 Viewing E-mail Header (Cont.)
• Yahoo
  - Click Mail Options
  - Click General Preferences, and then Show All headers on incoming messages
  - Copy and paste headers
9.4.4 Examining E-mail Header
• Gather supporting evidence and track the suspect
  - Return path
  - Recipient's e-mail address
  - Type of sending e-mail service
  - IP address of the sending server
  - Name of the e-mail server
  - Unique message number
  - Date and time the e-mail was sent
  - Attachment file information
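As an added example (not part of the course slides or their sources), the following Python script pulls the items listed in 9.4.4 out of a raw message that was copied from a mail client into a text file, and walks the Received: chain to find the originating server that 9.5 says to look for. The message, host names, IP addresses and ids are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not a course exhibit); continuation lines start with a tab.
RAW_MESSAGE = """\
Return-Path: <sender@example.net>
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby mail.victim.example (Postfix) with ESMTP id 4F2C1A0B1
\tfor <victim@victim.example>; Mon, 12 Mar 2007 10:15:42 +0800
Received: from [198.51.100.25] (unknown [198.51.100.25])
\tby mx.example.com (Postfix) with SMTP id 1A2B3C4D
\tfor <victim@victim.example>; Mon, 12 Mar 2007 10:15:40 +0800
Message-ID: <20070312021540.1A2B3C4D@mx.example.com>
Date: Mon, 12 Mar 2007 10:15:30 +0800
From: "Account Services" <sender@example.net>
To: victim@victim.example
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: application/octet-stream; name="form.exe"
Content-Disposition: attachment; filename="form.exe"

MZ
--B1--
"""

# One Received: hop: host the sender claimed, IP the relay saw, relay that wrote it.
RECEIVED_RE = re.compile(
    r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.S)


def parse_hops(msg):
    """Received: chain as (claimed_host, seen_ip, relay), sender-side hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append(m.groups())
    # Relays prepend their line, so the header lists newest first; reverse it.
    return hops[::-1]


def examine_header(raw):
    """Collect the 9.4.4 items from a raw message copied out of a mail client."""
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    origin = hops[0] if hops else (None, None, None)
    return {
        "return_path": msg["Return-Path"],
        "recipient": msg["To"],
        "mailer": msg["X-Mailer"],   # type of sending e-mail service
        "sending_ip": origin[1],     # IP address of the sending server
        "server": origin[2],         # first relay that recorded the message
        # Hops below those written by servers you control can be forged by the sender.
        "hops": hops,
        "message_id": msg["Message-ID"],
        "sent": parsedate_to_datetime(msg["Date"]).isoformat(),
        "attachments": [p.get_filename() for p in msg.walk()
                        if p.get_content_disposition() == "attachment"],
    }
```

Read the hop list from the top (your own server) downwards: the first hop whose relay you do not control is the server whose administrator 9.4.6 tells you to contact.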
9.4.5 Examining Additional E-mail Files
• E-mail messages are saved on the client side or left on the server
• Microsoft Outlook uses .pst and .ost files
• Most e-mail programs also include an electronic address book
• In Web-based e-mail
  - Messages are displayed and saved as Web pages in the browser's cache folders
  - Many Web-based e-mail providers also offer instant messaging (IM) services
9.4.6 Tracing an E-mail Message
• Contact the administrator responsible for the sending server
• Finding a domain name's point of contact
  - www.arin.net
  - www.internic.com
  - www.freeality.com
  - www.google.com
• Find the suspect's contact information
• Verify your findings by checking network e-mail logs against e-mail addresses
9.4.7 Using Network Logs Related to E-mail
• Router logs
  - Record all incoming and outgoing traffic
  - Have rules to allow or disallow traffic
  - You can resolve the path a transmitted e-mail has taken
• Firewall logs
  - Filter e-mail traffic
  - Verify whether the e-mail passed through
• You can use any text editor or specialized tools
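An added example of the "verify whether the e-mail passed through" step (not from the course slides): given the sending IP address and Date taken from the message header, it searches firewall log lines for SMTP connections from that address close to the sending time and reports the firewall's decision for each. The log lines are constructed in iptables syslog style; the script assumes the firewall logs in UTC and takes the year as a parameter, because syslog lines carry neither.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed iptables-style firewall log for the demo (not from the course).
# Syslog lines carry neither year nor zone, so the year is passed in and the
# firewall is assumed to log in UTC; confirm both before relying on a match.
FIREWALL_LOG = """\
Mar 12 02:15:38 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.25 DST=192.0.2.10 PROTO=TCP SPT=41022 DPT=25
Mar 12 02:15:39 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=5555 DPT=25
Mar 12 02:16:02 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.25 DST=192.0.2.10 PROTO=TCP SPT=41030 DPT=25
Mar 12 09:40:11 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.25 DST=192.0.2.10 PROTO=TCP SPT=52100 DPT=80
"""

# Date: from the suspect message's header (constructed value in the +0800 zone).
HEADER_SENT = datetime(2007, 3, 12, 10, 15, 30, tzinfo=timezone(timedelta(hours=8)))

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) .*"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")


def parse_firewall_log(text, year):
    """Yield one dict per parsable line; lines in another format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(f"{year} {entry['ts']}",
                                        "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        entry["spt"], entry["dpt"] = int(entry["spt"]), int(entry["dpt"])
        yield entry


def smtp_connections_from(text, year, src_ip, sent_at, window=timedelta(minutes=5)):
    """TCP/25 connections from src_ip within `window` of the header Date, with the
    firewall's decision, so you can tell whether the e-mail actually passed through."""
    hits = []
    for e in parse_firewall_log(text, year):
        if (e["src"] == src_ip and e["proto"] == "TCP" and e["dpt"] == 25
                and abs(e["ts"] - sent_at) <= window):
            hits.append((e["ts"].isoformat(), e["action"], e["spt"], e["dst"]))
    return hits
```

A DROP entry in the result means the firewall saw the connection attempt but the message did not pass through it, so the copy in the victim's mailbox must have arrived by another path.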
9.4.8 Understanding E-mail Server
• E-mail server log file
9.4.8.1 Examining UNIX E-mail Server Logs
• Log files and configuration files provide information related to an e-mail investigation
• The syslog.conf file specifies where the various types of e-mail log messages are saved
• Typical syslog.conf file
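The slide's figure of a typical syslog.conf did not survive extraction. The fragment below is an added illustration, not the course's figure, written in the classic BSD syslog.conf syntax (facility.priority followed by the destination); the file paths are Debian-style defaults and are an assumption, not taken from any particular server.

```conf
# Every message from the mail facility, at any priority, goes to one file.
# The leading "-" tells syslogd not to sync after each write; common on busy
# mail servers, but the last lines may be lost on a crash.
mail.*                          -/var/log/mail.log
# Split by priority as well, so delivery errors are easy to find.
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err
# Keep mail out of the general log so it is not flooded by delivery lines.
*.*;mail.none                   -/var/log/syslog
```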
9.4.8.2 Examining Microsoft E-mail Server Logs
• Message tracking log in verbose mode
9.4.8.3 Examining Novell GroupWise E-mail Logs
• GroupWise
  - The Novell e-mail server software is a database server, like Microsoft Exchange and UNIX Sendmail
  - GroupWise organizes mailboxes in two ways:
    - Permanent index files with the IDX extension
    - GroupWise QuickFinder action
  - GroupWise manages the e-mail server in a centralized manner using NGWGUARD.DB
9.4.9 Using Specialized E-mail Forensic Tools
• Tools that can investigate e-mail messages:
  - EnCase
  - FTK
  - FINALeMAIL
  - Sawmill-GroupWise
  - Audimation for Logging
9.4.9.1 FINALeMAIL
• Can restore lost e-mails to their original state
• Can recover entire e-mail database files
• FINALeMAIL e-mail search results
9.4.9.2 R-MAIL
• R-Mail is basically an e-mail recovery tool, which recovers e-mail messages that were deleted accidentally
9.4.9.3 E-Mail Examiner by Paraben
• Deleted mails can be recovered
• Examines more than 14 mail types
• Recovers e-mail deleted from Deleted Items
• Supports Windows 95/98/2000/2003/NT 4/ME/XP
9.4.9.4 Network E-Mail Examiner by Paraben
• Examines a variety of network e-mail archives, like Exchange Server, Lotus Domino Server, etc.
• Views all the individual e-mail accounts
• Supports Microsoft Exchange and Lotus Notes
9.5 Tracing Back
• The first step in tracing back fakemail is to view the header information
• The header will show the originating mail server, e.g. mail.example.com
• With a court order served by law enforcement or a civil complaint filed by attorneys, obtain the log files from mail.example.com to determine who sent the message
9.5.1 Tracing Back Web-Based E-mail
• Web-based e-mail accounts (Webmail) can make establishing the identity of the sender more difficult
• It is possible to create a new online Webmail account easily
  - www.hotmail.com
  - www.yahoo.com
  - www.lycosmail.com
  - www.hyshmail.com
• The above sites maintain the source IP address of each connection that accesses the online Webmail
• Contact the mail provider (e.g. Microsoft) to reveal subscriber information
9.6 Searching E-mail Addresses
• Internet search engines make searching for specific e-mail addresses easy
• The following sites provide e-mail searching services:
  - http://www.emailaddresses.com
  - http://www.dogpile.com
  - http://www.google.com
  - http://www.altavista.com
  - http://www.infospace.com
  - http://www.mamma.com
  - http://www.searchscout.com
9.6.1 E-mail Search Site
• EmailChange.com has provided the Internet's first e-mail change registry and search engine since Oct 1996
9.7 Handling Spam
• Before taking legal action, send a short notice on the illegality of spam to the system administrator of the domain
9.7.1 Network Abuse Clearing House
9.7.2 Abuse.Net
• Abuse.net provides a platform to report abusive activity on the Internet to people who can do something about it
• It provides only complaint services and has nothing to do with blacklist or spam analysis services
• Once registered, messages can be sent to [email protected], where domain-name is the domain that is the source of the abusive practices; from there the message is re-mailed to the best reporting address(es)
9.8 Protecting E-mail Address from Spam
• One way to protect an address is to "encode" the e-mail address, making it more difficult to discover
• Be cautious before giving out an e-mail address online, as posting an e-mail address on a website will fill the inbox with spam
9.8.1 Tool
• Enkoder Form is a powerful tool designed to prevent e-mail harvesting
  - http://automaticlabs.com/cgi-bin/index.cgi
9.8.1 Tool (Cont.)
• eMailTrackerPro analyzes the e-mail header and provides the IP address of the machine that sent the e-mail
• SPAM Punish
  - This anti-spam tool makes the search for the spammer's ISP address easy
  - A complaint can be sent to the ISP of the sender using Send Complaint to
Summary
• To investigate an e-mail, know how an e-mail server records and handles e-mail messages
• E-mail servers are databases of user information and e-mail messages
• All e-mail servers contain a log file, which can give valuable information when investigating a crime
• For many e-mail investigations, rely on the message files, e-mail headers, and e-mail server log files
• E-mail fraudsters use phishing and spoofing scam techniques
• Send and receive e-mail via the Internet or a LAN
  - Both environments use client/server architecture
Summary (Cont.)
• E-mail investigations are similar to other kinds of investigations
  - Access the victim's computer to recover evidence
  - Copy and print the e-mail message involved in the crime or policy violation
  - Find e-mail headers
• Investigating e-mail abuse
  - Be familiar with e-mail servers' and clients' operations
  - Check e-mail message files, headers, and server log files
Summary (Cont.)
• Currently, only a few forensics tools can recover deleted Outlook and Outlook Express messages
• For e-mail applications that use the mbox format, a hexadecimal editor can be used to carve messages manually
End of Chapter 9