Web Forensics & E-mail Tracing
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
[email protected]
8/24/06
Objectives
• Understand the flow of electronic mail across a network
• Explain the difference between resident e-mail client programs and webmail
• Understand the difference between typical desktop data storage and server data storage
• Identify the components of e-mail headers
• Understand the flow of instant messaging across the network
Importance of E-Mail as Evidence
• E-mail can be pivotal evidence in a case
• Due to its informal nature, it does not always represent corporate policy
• Many cases provide examples of the use of e-mail as evidence
– Enron
– Microsoft - Bill Gates
– Knox vs. State of Indiana
– Harley vs. McCoach
– Nardinelli et al. vs. Chevron
– Adelyn Lee vs. Oracle Corporation
Working with E-Mail
• E-mail evidence is typically used to corroborate or refute other testimony or evidence
• Can be used by prosecutors or defense parties
• Two standard methods to send and receive e-mail:
– Client/server applications
– Webmail
E-mail Data Flow
• User has a client program such as Outlook or Eudora
• Client program is configured to work with one or more servers
• E-mails sent by client reside on PC
• A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers
Sending E-Mail
• User creates e-mail on her client
• User issues send command
• Client moves e-mail to Outbox
• Client sends e-mail to the server (if the client cannot connect with the server, it keeps trying)
• Server acknowledges client and authenticates e-mail account
• Server sends e-mail to destination e-mail server
Receiving E-Mail
• User opens client and logs on
• User issues receive command
• Client contacts server
• Server acknowledges, authenticates, and contacts mail box for the account
• Mail downloaded to local computer
• Messages placed in Inbox to be read
• POP deletes messages from server; IMAP retains copy on server
Working with Resident e-mail Files
• Users are able to work offline with e-mail
• E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized
• Begin by identifying e-mail clients on system
• You can also search by file extensions of common e-mail clients
Working with E-Mail
E-Mail Client      Extension   Type of File
AOL                .abi        AOL6 organizer file
                   .aim        Instant Message launch
                   .arl        Organizer file
                   .bag        Instant Messenger file
Outlook Express    .dbx        OE mail database
                   .dgr        OE fax page
                   .email      OE mail message
                   .eml        OE electronic mail
Outlook            .pab        Personal address book
                   .pst        Personal folder
                   .wab        Windows address book
(Continued)
Working with E-Mail
E-Mail Client      Extension   Type of File
Lotus Notes        .box        Notes mailbox
                   .ncf        Notes internal clipboard
                   .nsf        Notes database
Novell Groupwise   .mlm        Saved e-mail (using WP5.1 format)
Eudora             .mbx        Eudora message base
Popular e-mail Clients
• America Online (AOL) - users have a month to download or save before AOL deletes messages
• Outlook Express - installed by default with Windows
• Outlook - bundled with Microsoft Office
• Eudora - popular free client
• Lotus Notes - integrated client option for Lotus Domino server
Webmail Data Flow
• User opens a browser, logs in to the webmail interface
• Webmail server has already placed mail in Inbox
• User uses the compose function followed by the send function to create and send mail
• Web client communicates behind the scenes to the webmail server to send the message
• No e-mails are stored on the local PC; the webmail provider houses all e-mail
Working with Webmail
• Entails a bit more effort to locate files
• Temporary files are a good place to start
• Useful keywords for webmail programs include:
– Yahoo! mail: ShowLetter, ShowFolder, Compose, “Yahoo! Mail”
– Hotmail: HoTMail, hmhome, getmsg, doattach, compose
– Gmail: mail[#]
E-Mail Protocol
                                  POP3                      IMAP          Webmail
E-mail accessible from anywhere   No                        Yes           Yes
Remains stored on server          No (unless included in    Yes           Yes, unless POP3 was used too
                                  a backup of server)
Dependence on Internet            Moderate                  Very strong   Strong
Special software required         Yes                       Yes           No
Working with Mail Servers
• Some initial things to consider:
– How many users are serviced?
– E-mail retention policies of the company
– Accessibility of the e-mail server
Working with Mail Servers
• Redundant array of independent disks (RAID)
– RAID 0: Basic disk striping
– RAID 1: Disk mirroring
– RAID 3: Striping with parity
– RAID 5: Striping with distributed parity
– RAID 0+1 and 10 (1+0): Mirror of stripes and striped mirroring
Working with Mail Servers
• Harvesting data from RAID servers
– Easiest way to obtain the data is over the network
– Considerations:
• Time to obtain the data
• Physical configuration and space
• Production server downtime
Examining E-Mails for Evidence
• Understanding e-mail headers
– The header records information about the sender, receiver, and servers it passes along the way
– Most e-mail clients show the header in a short form that does not reveal IP addresses
– Most programs have an option to show a long form that reveals complete details
Examining E-Mails for Evidence
• Most common parts of the e-mail header are logical addresses of senders and receivers
• Logical address is composed of two parts
– The mailbox, which comes before the @ sign
– The domain or hostname that comes after the @ sign
• The mailbox is generally the userid used to log in to the e-mail server
• The domain is the Internet location of the server that transmits the e-mail
Examining E-Mails for Evidence
• Reviewing e-mail headers can offer clues to true origins of the mail and the program used to send it
• Common e-mail header fields include:
– Bcc
– Cc
– Content-Type
– Date
– From
– Message-ID
– Received
– Subject
– To
– X-Priority
IP Address Registries
• African Network Information
• Asia Pacific Network Information
• American Registry for Internet Numbers
• Latin American and Caribbean Internet Addresses Registry
• Réseaux IP Européens Network Coordination Centre
Examining E-Mails for Evidence
• Understanding e-mail attachments
– MIME standard allows for HTML and multimedia images in e-mail
– Searching for base64 can find attachments in unallocated or slack space
• Anonymous remailers
– Allow users to remove identifying IP data to maintain privacy
– Stems from users citing the First Amendment and freedom of speech
Private IP Address Classifications
IP Address Range                 Classification   Use
10.0.0.0 to 10.255.255.255       Class A          Local network use—not recognized on the Internet
172.16.0.0 to 172.31.255.255     Class B          Local network use—not recognized on the Internet
192.168.0.0 to 192.168.255.255   Class C          Local network use—not recognized on the Internet
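As an added example (not part of the lecture), the following Python ties together the header-field slide and the private-range table above: it walks the Received: fields of a constructed message hop by hop (each relay prepends its own line, so the message order is newest first), normalises every timestamp to UTC so hops stamped in different time zones compare, and classifies each relay's IP against the three private ranges; hostnames, ids and addresses are made up, with the documentation range 203.0.113.0/24 standing in for a real public address.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from ipaddress import ip_address, ip_network

# The three private ranges from the lecture's table (RFC 1918); anything else is
# treated as routable and therefore worth a regional-registry (ARIN, RIPE, ...) lookup.
PRIVATE_RANGES = {"10.0.0.0/8": "Class A private",
                  "172.16.0.0/12": "Class B private",
                  "192.168.0.0/16": "Class C private"}

# Constructed sample, not from the lecture: hosts and ids are made up, and the
# documentation range 203.0.113.0/24 stands in for a real public address.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby mail.example.net with ESMTP id k7OE5a01; Thu, 24 Aug 2006 10:05:00 -0400
Received: from alicepc (unknown [192.168.1.25])
\tby mx.example.org with SMTP id k7ODxC42; Thu, 24 Aug 2006 09:59:12 -0400
Message-ID: <20060824135912.k7ODxC42@mx.example.org>
From: alice@example.org
Date: Thu, 24 Aug 2006 09:59:00 -0400
"""
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?by\s+(\S+)")

def classify_ip(ip):
    addr = ip_address(ip)
    return next((label for net, label in PRIVATE_RANGES.items()
                 if addr in ip_network(net)), "public")

def trace_hops(raw_message):
    """Walk the Received: headers oldest-first and return one dict per hop."""
    hops = []
    # Each relay prepends its own Received: line, so the header order is newest
    # first; reversing gives the path from the originating host outward.
    for value in reversed(message_from_string(raw_message).get_all("Received", [])):
        value = " ".join(value.split())          # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue                             # unparseable hop: skip, don't guess
        sender, ip, relay = m.groups()
        # The timestamp follows the last ';'; normalise it to UTC so hops line up.
        when = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        hops.append({"from": sender, "ip": ip, "class": classify_ip(ip), "by": relay,
                     "utc": when.astimezone(timezone.utc).isoformat()})
    return hops

def first_public_hop(raw_message):
    # First routable address on the path: the one to look up in a registry.
    return next((h for h in trace_hops(raw_message) if h["class"] == "public"), None)
```

Python's own ipaddress.is_private would also flag the documentation ranges and loopback, which is why the check is written against the lecture's three ranges only.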
Working with Instant Messaging
• Most widely used IM applications include:
– Windows Messenger
– Google Talk
– AIM (AOL Instant Messenger)
– ICQ (“I Seek You”) Instant Messenger
• Newer versions of IM clients and servers allow the logging of activity
• Can be more incriminating than e-mail
Taking the Initial Report
• GET THE HEADERS!!!
• Get as accurate a timeline as possible
• Timezones are important!! http://tycho.usno.navy.mil/tzonemap.html
• Be sure the original e-mail is not deleted
• Simply forwarding e-mail does not preserve the headers
[Figure: “Right Click”]
Tools for E-mail Tracing
• Nslookup
– DOS Command Prompt
– www.infobear.com/nslookup.shtml
• www.traceroute.org
• http://www.whois.net/
• American Registry: http://www.arin.net/index.shtml
• Sam Spade: www.samspade.org