forensic3e_ppt_ch07.pptx

System Forensics, Investigation, and Response

Lesson 7

Email Forensics

© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Learning Objective

Summarize various types of digital forensics.


Key Concepts

Email clients and servers

Email headers

Email tracing

Email server forensic examination

Laws related to email investigations


How Email Works

Sender uses a mail client to send a message

Message travels to multiple mail servers

Each mail server sends the message closer to its destination

Destination mail server stores the message

Receiver uses a mail client to retrieve the message from mail server


7/2/2017


How Email Works


Emails are generated by different types of devices and methods. Most commonly, a user composes a message on his or her computer and then sends it to his or her mail server. At this point, the user’s computer is finished with the job, but the mail server still has to deliver the message. The mail server sends and receives electronic mail. Most of the time, the mail server is separate from the computer where the mail was composed.

 

The sender’s mail server forwards the message through the organization’s network and/or the Internet to the recipient’s mail server. The message then resides on that second mail server and is available to the recipient. The software program used to compose and read email messages is the email client.

On the Internet, an email message can travel through many servers, referred to as "hops," that relay the message from the sender to the recipient.

 


What an Email Review Can Reveal

Email messages related to the investigation

Email addresses related to the investigation

Sender and recipient information

Information about those copied on the email

Content of the communications

Internet Protocol (IP) addresses


What an Email Review Can Reveal (Cont.)

Date and time information

User information

Attachments

Passwords

Application logs that show evidence of spoofing


Email Protocols

Simple Mail Transfer Protocol (SMTP)

Used to send email from a client to a mail server, and between servers

Typically operates on port 25

SMTPS (secure) operates on port 465


Email Protocols (Cont.)

Post Office Protocol version 3 (POP3)

Used to receive email

Operates on port 110, or 995 (secure)

Designed to delete email on server as soon as user downloads email

Internet Message Access Protocol (IMAP)

Used to receive email

Operates on port 143

User views email on the server, decides whether to download the mail; email is retained on server


Latest version of IMAP is similar to POP3 but supports more features


Email Protocol Process

Figure: Outbound email travels User → SMTP → Server → SMTP → Internet → SMTP → Server; inbound email is retrieved Server → POP3/IMAP → User.


Faking Emails


Spoofing

Anonymous remailing

"Valid" emails

Spoofing

Making an email message appear to come from someone or someplace other than the real sender or location

First machine to receive spoofed message records machine’s real IP address

Header contains both the faked IP and the real IP address


Spoofing involves making an email message appear to come from someone or someplace other than the real sender or location. The email sender uses a software tool to cut out his or her IP address and replace it with someone else’s IP address.

However, the first machine to receive the spoofed message records the machine’s real IP address. Thus, the header contains both the faked IP and the real IP address—unless, of course, the perpetrator is clever enough to have also spoofed his or her actual IP address.


Anonymous Remailing

Suspect sends an email message to an anonymizer

Anonymizer is email server that strips identifying information from message before forwarding it with anonymous mailing computer’s IP address

To find out who sent remailed email, must examine logs maintained by remailer or anonymizer companies


This is an attempt to throw tracing or tracking attempts off the trail. A suspect using this technique sends an email message to an anonymizer, an email server that strips identifying information from an email message before forwarding it with the anonymous mailing computer’s IP address.

To find out who sent remailed email, look at any logs maintained by these remailer or anonymizer companies. Unfortunately, these services usually do not maintain logs. You can also closely analyze the message for embedded information that might give clues to the user or system that sent the message. Often the remailing servers are outside of the jurisdiction of U.S. law enforcement and may even be on another continent.


"Valid" Emails

Appears as though mail is from trusted source

Message content is suspicious

Content may contain URL that points to malicious site


Emails may appear to be from a trusted source and seem to be valid in every respect, except for the content of the message. The email passes all of the normal validity checks such as header structure and content, and even comes from a good known nonspam email server. However, the message is suspicious. The website uniform resource locator (URL) pointed to in the message may be a hacker or phishing site. These messages usually contain no hidden URL, pictures, or attachments and are very short. However, clicking the URL can unleash malicious software or other negative results.


How to Fake an Email


Find a free public Wi-Fi in an area at least one hour from your home.

Spoof both your IP address and MAC address.

Send the email through an anonymous email account set up for that purpose.

It is, however, very common for criminals to actually send emails from their own computers without even bothering to spoof their IP address or MAC address. Even computer-savvy criminals, who think to spoof their IP addresses, might not think to spoof the MAC address.

Email address spoofing is only one kind of spoofing.


Use free public Wi-Fi

Spoof IP address and MAC address

Send email through anonymous email account

Email Message Components

Header

Addressing information

Source and destination

Body

Contents of the message

Attachments

External data that travels along with each message



Email Headers

RFC 2822

Standard for email format, including headers

All email programs use the same email format, regardless of operating system

Email from Outlook on a Windows 10 PC can be read by recipient using Hotmail on Android phone


Email Headers (Cont.)

Header keeps a record of the message’s journey through networks and mail servers

Each server adds information to the header

Each network device has an Internet Protocol (IP) address

Identifies device

Can be resolved to a location address


The header for an email message tells you a great deal about the email. The header keeps a record of the message’s journey as it travels through the communications network. As the message is routed through one or more mail servers, each server adds its own information to the message header. Each device in a network has an Internet Protocol (IP) address that identifies the device and can be resolved to a location address. A forensic investigator may be able to identify IP addresses from a message header and use this information to determine who sent the message. So, the message header provides an audit trail of every machine through which the email has passed.


RFC 2822 Specifications for Email Headers


Message header must include:

From field: The email address and, optionally, the name of the sender

Date field: The local time and date when the message was written

RFC 2822 Specifications for Email Headers (Cont.)


In-Reply-To field: The message-ID of the message that this is a reply to; used to link related messages together


Message header should include:

Message-ID field: An automatically generated field

In-Reply-To field: The message-ID of the message that this is a reply to

Email Header Fields (RFC 3864)


RFC 3864 describes message header field names. Common header fields for email include:

• To—The email address and, optionally, name of the message’s primary recipient(s)

• Subject—A brief summary of the topic of the message

• Cc—Carbon copy; a copy is sent to secondary recipients

• Bcc—Blind carbon copy; a copy is sent to addresses added to the SMTP delivery list while the Bcc address remains invisible to other recipients

• Content-Type—Information about how the message is to be displayed, usually a Multipurpose Internet Mail Extensions (MIME) type

• Precedence—Commonly with values “bulk,” “junk,” or “list”; used to indicate that automated “vacation” or “out of office” responses should not be returned for this mail, for example, to prevent vacation notices from being sent to all other subscribers of a mailing list

• Received—Tracking information generated by mail servers that have previously handled a message, in reverse order (last handler first)

• References—Message-ID of the message to which this is a reply

• Reply-To—Address that should be used to reply to the message

• Sender—Address of the actual sender acting on behalf of the author listed in the From field


To

Subject

Cc/Bcc

Content-Type

Precedence

Received

References

Reply-To

Sender

Find Microsoft Outlook 2010 Headers

Step 1

Used with permission from Microsoft


It is relatively easy to view the headers using Outlook.

 

With a specific message open, select File and then Info. Then select Properties and you will be able to view the headers.

 

Older versions of Outlook have a different method to get to headers. With Outlook 2000/2003/2007, there are two methods:

Method #1—Right-click the message in the folder view, and then choose Options.

Method #2—In an open message, choose View and then Options.

With either method, you will see the Internet headers portion of the Message Options dialog box.


View Outlook 2010 Headers

Step 2

Used with permission from Microsoft


Microsoft Outlook 2010 Headers

Used with permission from Microsoft


Find Yahoo! Headers

Courtesy of Yahoo!


First open the message. On the lower right, there is a link named Full Headers. Clicking on that link allows you to see the headers for that email.


View Yahoo! Headers

Courtesy of Yahoo!


Find Gmail Headers

Google and the Google logo are registered trademarks of Google Inc., used with permission


Viewing email headers in Gmail is fairly simple. Follow these steps:

1. Log on to Gmail.

2. Open the message for which you want to view headers.

3. Click the down arrow next to Reply, at the top of the message pane.

4. Select Show Original.

 

The headers appear in a separate window.


View Gmail Headers

Google and the Google logo are registered trademarks of Google Inc., used with permission


The headers appear in a separate window.


View Hotmail Email Headers

Select Inbox from the menu on the left.

Right-click the message for which you want to view headers, and select View Message Source.

The full headers will appear in a new window.


View Apple Mail Email Headers

Open Apple Mail.

Click on the message for which you want to view headers.

Go to the View menu.

Select Message, then Long Headers.

The full headers will appear in the window below your Inbox.


Email Files


.pst (Outlook)

.ost (Offline Outlook Storage)

.mbx or .dbx (Outlook Express)

.mbx (Eudora)

.emi (common to several email clients)

Paraben’s Email Examiner

Exclusively for email forensics

Works like the more complete forensic suites (Forensic Toolkit and EnCase) in that evidence is grouped by case


Creating a Paraben Case

Courtesy of Paraben Corporation


When you first start Paraben, you select New and then create a new case.


Adding the Investigator

Courtesy of Paraben Corporation


Paraben will associate information about the investigator along with the case information.


Selecting an Email Database

Courtesy of Paraben Corporation


Next, select the type of email database you are going to be working with. The major email clients are all represented.

At this point, you select the database you want to work with, and it is added to the case.

From within Paraben, you can sort, search, scan, and otherwise work with the email data.


Tracing Email

Looking at each point through which an email passed and working step by step back to the originating computer


In some ways, forensic email tracing is similar to traditional detective work. Tracing email involves looking at each point through which an email passed and working step by step back to the originating computer and, eventually, the perpetrator.

 

Email header information is typically examined to look for clues about where a message has been. Investigators often use audits or paper trails of email traffic as evidence in court. Many investigators recommend use of the tracert command. However, because of the dynamic nature of the Internet, tracert does not provide reliable, consistent, or accurate routing information for an email.

 

It may also be useful to determine the ownership of the source email server for a message. A number of whois databases are available on the Web that an investigator can use to find out to whom a given IP address is registered.
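The header walk described in this section, and the Received, Reply-To, Sender and Message-ID fields listed earlier, as an added example in Python (not code from the textbook): it reverses the stored Received chain to recover the route oldest-hop-first and records domain mismatches an examiner would note. The sample message, hostnames, IP addresses and Message-ID are constructed.

```python
"""Reconstruct an email's path from its Received headers and note addressing
inconsistencies. Added example for this lesson, not textbook code; the sample
message, hosts, IPs and Message-ID below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample with three hops. Each relay prepends its own Received
# line, so as stored the list reads last handler first.
SAMPLE_EML = """\
Received: from mx1.example.net (mx1.example.net [198.51.100.10])
\tby mail.example.org with ESMTP id 12345
\tfor <alice@example.org>; Mon, 03 Jul 2017 09:15:02 -0400
Received: from relay.example.com (relay.example.com [203.0.113.5])
\tby mx1.example.net with ESMTP; Mon, 03 Jul 2017 09:15:01 -0400
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby relay.example.com with ESMTPA; Mon, 03 Jul 2017 09:14:59 -0400
Message-ID: <constructed-0001@relay.example.com>
Date: Mon, 03 Jul 2017 09:14:58 -0400
From: "Accounts Team" <billing@bank.example>
Reply-To: refunds@mailbox.example
To: alice@example.org
Subject: Invoice attached

Please see the attached invoice.
"""

IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+(\S+)")


def unfold(value):
    """Collapse a folded header (continuation lines) into a single line."""
    return " ".join(str(value).split())


def trace_path(raw):
    """Return hops oldest-first: [{'from_ip': ..., 'by': ...}, ...].

    Reversing the stored Received order recovers the chronological route,
    so path[0] is what the first relay recorded about the sending machine.
    """
    msg = message_from_string(raw)
    path = []
    for line in reversed(msg.get_all("Received", [])):
        line = unfold(line)
        ip = IP_LITERAL.search(line)
        by = BY_HOST.search(line)
        path.append({
            "from_ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
        })
    return path


def address_domain(header_value):
    """Lower-cased domain of an address header such as '"Name" <u@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() or None


def addressing_notes(raw):
    """Header mismatches an examiner would record; they are leads, not proof."""
    msg = message_from_string(raw)
    notes = []
    from_dom = address_domain(msg.get("From"))
    for field in ("Reply-To", "Sender"):
        dom = address_domain(msg.get(field))
        if dom and dom != from_dom:
            notes.append(f"{field} domain {dom} differs from From domain {from_dom}")
    mid_dom = unfold(msg.get("Message-ID", "")).strip("<> ").rpartition("@")[2].lower()
    if mid_dom and mid_dom != from_dom:
        notes.append(f"Message-ID domain {mid_dom} differs from From domain {from_dom}")
    return notes


if __name__ == "__main__":
    for n, hop in enumerate(trace_path(SAMPLE_EML), 1):
        print(f"hop {n}: {hop['from_ip']} -> {hop['by']}")
    for note in addressing_notes(SAMPLE_EML):
        print("note:", note)
```

The origin hop's IP is only as trustworthy as the relay that recorded it, which is why the text stresses corroborating header data with server logs and whois ownership lookups.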


Email Server Forensics

Examining email servers

Searching through deleted emails retained by the server

Many servers have a retention policy


At some point, you will need to check the email server. Even if the sender and the recipient have deleted the relevant emails, there is a good chance a copy is still on the email server. Many servers have a retention policy, which may be governed by law in certain industries. There are a variety of email server programs that could be in use. Microsoft Exchange is a very common server. Lotus Notes and Novell GroupWise are also popular email server products.


Email Laws

The Fourth Amendment to the U.S. Constitution

The Electronic Communications Privacy Act (ECPA)

The CAN-SPAM Act

18 U.S.C. 2252B

Communications Assistance for Law Enforcement Act (CALEA)

Foreign Intelligence Surveillance Act (FISA)

The USA PATRIOT Act


The Fourth Amendment to the U.S. Constitution

The Fourth Amendment to the U.S. Constitution as well as state requirements govern the seizure and collection of any email messages that reside on a sender’s or recipient’s computer or other device. Does the person on whose computer the evidence resides have a reasonable expectation of privacy on that computer? If so, the Fourth Amendment requires a search warrant or one of the recognized exceptions to the search warrant requirements, such as consent from the device owner.

 

The Electronic Communications Privacy Act

If an Internet service provider (ISP) or any other communications network stores an email, retrieval of that evidence must be analyzed under the Electronic Communications Privacy Act (ECPA). The ECPA creates statutory restrictions on government access to such evidence from ISPs or other electronic communications service providers.

 

The ECPA requires different legal processes to obtain specific types of information:

Basic subscriber information—This information includes name, address, billing information, telephone number, etc. An investigator can obtain this type of information with a subpoena, court order, or search warrant.

Transactional information—This information includes websites visited, email addresses of others with whom the subscriber exchanged email, and buddy lists. An investigator can obtain this type of information with a court order or search warrant.

Content information—An investigator who has a search warrant can obtain content information from retrieved email messages and also acquire unretrieved stored emails.

Real-time access—To intercept traffic as it is sent or received, an investigator needs to obtain a wiretap order.

 

The CAN-SPAM Act

This was the first law meant to curtail unsolicited email, referred to as spam. However, the law has loopholes.

You do not need permission before sending email. This means that unsolicited email is not prohibited.

It applies only to commercial emails—emails that are trying to sell some product or service. Therefore, mass emailings for political, religious, or ideological purposes are not covered by the Act.

 

The only requirement of CAN-SPAM is that the sender must provide some mechanism whereby the receiver can opt out of future emails and that method cannot require the receiver to pay in order to opt out.

 

Restrictions on how the sender can acquire the recipient’s email address and how the sender can actually transmit the email:

A message cannot be sent through an open relay.

A message cannot be sent to a harvested email address.

A message cannot contain a false header.

 

These methods are often used by people who send spam email. Tracking down the original sender of the email is the first step in investigating spam. Unfortunately, the email is sometimes sent from offshore sites or relayed through an innocent third party’s servers. This makes prosecuting spam very difficult and enforcing a judgment almost impossible in most cases.

 

18 U.S.C. 2252B

This law is about perpetrators who attempt to hide the pornographic nature of their website, often to make it more accessible to minors.

This is a very serious concern, and one that sometimes arises in child predator cases.

Communications Assistance for Law Enforcement Act (CALEA)

CALEA is a U.S. wiretapping law. Its purpose is to allow law enforcement and intelligence agencies to lawfully conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband Internet, and VoIP traffic in real time.

 

Foreign Intelligence Surveillance Act (FISA)

This U.S. law prescribes procedures for the physical and electronic surveillance and collection of “foreign intelligence information” between foreign powers and agents of foreign powers, which may include American citizens and permanent residents suspected of espionage or terrorism.

 

The law does not apply outside the United States but may be encountered by a forensic investigator in researching intelligence even if it does not specifically regard espionage or terrorism. The law is an important part of many agencies’ approaches to information gathering. It has been amended frequently so it is important to stay current on the latest revisions and court cases.

 

The USA PATRIOT Act

The USA PATRIOT Act of 2001 was passed into law as a response to the terrorist attacks of September 11, 2001. The Act:

Reduced restrictions on law enforcement agencies’ intelligence gathering within the United States

Expanded the Secretary of the Treasury’s authority to regulate financial transactions

Broadened the discretion of law enforcement and immigration authorities in detaining and/or deporting immigrants suspected of terrorism and related acts

Expanded the definition of terrorism to include domestic terrorism, thus enlarging the number of activities to which the PATRIOT Act’s extended law enforcement powers can be applied

 

In May of 2011, President Barack Obama signed a four-year extension of three key provisions in the USA PATRIOT Act: roving wiretaps, searches of business records, and conducting surveillance of individuals suspected of terrorist-related activities not linked to terrorist groups.

 

The PATRIOT Act gives law enforcement dramatically enhanced powers for information gathering and should be a part of the knowledge base for any forensic investigator.


Summary

Email clients and servers

Email headers

Email tracing

Email server forensic examination

Laws related to email investigations
