Computer Forensics 252 Email Tracing Thomas Schwarz, S.J. 2006
- Slide 1
- Computer Forensics 252: Email Tracing. Thomas Schwarz, S.J., 2006
- Slide 2
- Email Investigations: Overview
  - Email has become a primary means of communication.
  - Email can easily be forged.
  - Email can be abused:
    - Spam
    - Aid in committing a crime
    - Threatening email
- Slide 3
- Email Investigations: Overview
  - Email evidence is in the email itself (header, contents) and in logs left behind as the email travels from sender to recipient.
  - Law enforcement uses subpoenas to follow the trace.
  - System admins have some logs under their control.
  - Notice: all the fakemailing that you will be learning can be easily traced.
- Slide 4
- Email Fundamentals
  - Email travels from the originating computer to the receiving computer through email servers.
  - All email servers add to the header.
  - Use important internet services to interpret and verify data in a header.
- Slide 5
- Email Fundamentals
  - Typical path of an email message: Client → Mail Server → Client
- Slide 6
- Email Fundamentals: Important Services
  - Verification of IP addresses: Regional Internet Registries
    - APNIC (Asia Pacific Network Information Centre)
    - ARIN (American Registry for Internet Numbers)
    - LACNIC (Latin American and Caribbean IP address Regional Registry)
    - RIPE NCC (Réseaux IP Européens Network Coordination Centre)
  - Whois
- Slide 7
- Email Fundamentals: Important Services
  - The Domain Name System (DNS) translates between domain names and IP addresses.
  - Name-to-address lookup:
    1. Parse the HOSTS file.
    2. Ask the local nameserver.
    3. The local nameserver contacts the nameserver responsible for the domain.
    4. If necessary, contact a root nameserver.
    5. The remote nameserver sends the data back to the local nameserver.
    6. The local nameserver caches the information and informs the client.
  - HOSTS files can be altered. You can use this as a low-tech tool to block pop-ups.
  - Local nameservers can/could be tricked into accepting unsolicited data to be cached (the Hillary for Senate case).
- Slide 8
- Email Fundamentals: Important Services
  - The Domain Name System (DNS) translates between domain names and IP addresses.
  - MX records in the DNS database specify the host's or domain's mail exchanger.
  - A domain can have multiple MX records, each with a priority attached:
    - MX 10 cse
    - MX 100 mailhost.soe.ucsc.edu
  - Email to user@scu.edu will then be sent to user@cse.scu.edu. If that site is down, it will be sent to user@mailhost.soe.ucsc.edu.
  - The mailers at both sites also need to be set up to accept the messages.
- Slide 9
- Email Fundamentals: IP-Addressing Fundamentals
  - IP Version 4 is slowly being replaced by IP Version 6.
  - IPv4: four numbers between 0 and 255.
  - IPv6: eight hexadecimal numbers between 0x0000 and 0xffff.
  - Static / dynamic addresses: dynamic addresses are assigned by DHCP within a local domain (with the same leading portion of the IP address).
- Slide 10
- Email Fundamentals: Important Services
  - Many organizations use Network Address Translation (NAT). NAT boxes have a single visible IP.
  - An incoming IP packet is analyzed according to address and port number and forwarded to the interior network with an internal IP address.
  - Internal addresses are typically in the private-use ranges:
    - 10.0.0.0 - 10.255.255.255
    - 172.16.0.0 - 172.31.255.255
    - 192.168.0.0 - 192.168.255.255
  - Private-use addresses are not valid addresses externally.
- Slide 11
- Email Protocols
  - An email program such as Outlook or GroupWise is a client application. It needs to interact with an email server via:
    - Post Office Protocol (POP)
    - Internet Message Access Protocol (IMAP)
    - Microsoft's Mail API (MAPI)
  - Web-based email uses a web page as an interface to an email server.
- Slide 12
- Email Protocols
  - A mail server stores incoming mail and distributes it to the appropriate mailbox.
  - Behavior afterwards depends on the type of protocol. Accordingly, the investigation needs to be done at the server or at the workstation.
- Slide 13
- Email Protocols

  | Service | Protocol | Characteristics |
  |---|---|---|
  | Post Office | POP | Stores only incoming messages. Investigation must be at the workstation. |
  | Stores all messages | IMAP, MS MAPI, Lotus Notes | Copies of incoming and outgoing messages might be stored on the workstation, on the server, or on both. |
  | Web-based send and receive | HTTP | Incoming and outgoing messages are stored on the server, but there might be archived or copied messages on the workstation. Easy to spoof identity. |
- Slide 14
- Email Protocols: SMTP
  - Neither IMAP nor POP is involved in relaying messages between servers. That is done by the Simple Mail Transfer Protocol (SMTP).
  - SMTP is easy and has several extensions.
  - It can be spoofed by using an unsecured or under-secured email server, or by setting up your own SMTP server.
- Slide 15
- Email Protocols: SMTP
  - How to spoof email:

        telnet endor.engr.scu.edu 25
        220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 14:58:49 -0800
        helo 129.210.16.8
        250 server8.engr.scu.edu Hello dhcp-19-198.engr.scu.edu [129.210.19.198], pleased to meet you
        mail from: jholliday@engr.scu.edu
        250 2.1.0 jholliday@engr.scu.edu... Sender ok
        rcpt to: tschwarz@scu.edu
        250 2.1.5 tschwarz@scu.edu... Recipient ok
        data
        354 Enter mail, end with "." on a line by itself
        This is a spoofed message.
        .
        250 2.0.0 jBSMwnTd023057 Message accepted for delivery
        quit
        221 2.0.0 endor.engr.scu.edu closing connection
- Slide 16
- Email Protocols: SMTP
  - The header of the message as received:

        Return-path:
        Received: from MGW2.scu.edu [129.210.251.18] by gwcl-22.scu.edu; Wed, 28 Dec 2005 15:00:29 -0800
        Received: from endor.engr.scu.edu (unverified [129.210.16.1]) by MGW2.scu.edu (Vircom SMTPRS 4.2.425.10) with ESMTP id for ; Wed, 28 Dec 2005 15:00:29 -0800
        X-Modus-BlackList: 129.210.16.1=OK;jholliday@engr.scu.edu=OK
        X-Modus-Trusted: 129.210.16.1=NO
        Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34]) by endor.engr.scu.edu (8.13.5/8.13.5) with SMTP id jBSMwnTd023057 for tjschwarz@scu.edu; Wed, 28 Dec 2005 15:00:54 -0800
        Date: Wed, 28 Dec 2005 14:58:49 -0800
        From: JoAnne Holliday
        Message-Id:

        this is a spoofed message.

  - This looks very convincing. The only hint: the Received line gives the name of my machine. If I were to use a machine without a fixed IP, you can still determine who had that DHCP address from the DHCP logs.
- Slide 17
- Email Protocols: SMTP
  - How to spoof email: Endor will only relay messages from machines that have properly authenticated themselves within the last five minutes.
  - Subject lines etc. are part of the data segment. However, any misspelling of a header field name will put that line into the body of the message.
- Slide 18
- Email Protocols: SMTP
  - How to spoof email:

        telnet endor.engr.scu.edu 25
        220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 15:36:13 -0800
        mail from: plocatelli@scu.edu
        250 2.1.0 plocatelli@scu.edu... Sender ok
        rcpt to: tschwarz@scu.edu
        250 2.1.5 tschwarz@scu.edu... Recipient ok
        data
        354 Enter mail, end with "." on a line by itself
        Date: 23 Dec 05 11:22:33
        From: plocatelli@scu.edu
        To: tschwarz@scu.edu
        Subject: Congrats

        You are hrby appointed the next president of Santa Clara University, effectively immediately.
        Best, Paul.
        .
        250 2.0.0 jBSNaDlu023813 Message accepted for delivery
        quit
- Slide 19
- Email Protocols: SMTP
  - How to spoof email
- Slide 20
- Unix
  - Use sendmail:

        % /usr/lib/sendmail -t -f HolyFather@vatican.va < test_message
- Slide 21
- Email Protocols: SMTP
  - Things are even easier with Windows XP:
    - Turn on the SMTP service that each WinXP machine runs.
    - Create a file that follows the SMTP protocol.
    - Place the file in Inetpub/mailroot/Pickup.
- Slide 22
- Email Protocols: SMTP
  - The pickup file:

        To: tschwarz@engr.scu.edu
        From: HolyFather@vatican.va

        This is a spoofed message.

  - The message as received:

        From HolyFather@vatican.va Tue Dec 23 17:25:50 2003
        Return-Path:
        Received: from Xavier (dhcp-19-226.engr.scu.edu [129.210.19.226]) by server4.engr.scu.edu (8.12.10/8.12.10) with ESMTP id hBO1Plpv027244 for ; Tue, 23 Dec 2003 17:25:50 -0800
        Received: from mail pickup service by Xavier with Microsoft SMTPSVC; Tue, 23 Dec 2003 17:25:33 -0800
        To: tschwarz@engr.scu.edu
        From: HolyFather@vatican.va
        Message-ID:
        X-OriginalArrivalTime: 24 Dec 2003 01:25:33.0942 (UTC) FILETIME=[D3B56160:01C3C9BC]
        Date: 23 Dec 2003 17:25:33 -0800
        X-Spam-Checker-Version: SpamAssassin 2.60-rc3 (1.202-2003-08-29-exp) on server4.engr.scu.edu
        X-Spam-Level:
        X-Spam-Status: No, hits=0.3 required=5.0 tests=NO_REAL_NAME autolearn=no version=2.60-rc3

        This is a spoofed message.
- Slide 23
- Email Protocols: SMTP
  - SMTP headers: each mail server adds to the headers. Additions are made at the top of the list; therefore, read the header from the bottom.
  - To read headers, you usually have to enable them in your mail client.
- Slide 24
- SMTP Headers
  - To enable headers:
    - Eudora: use the "Blah Blah Blah" button.
    - Hotmail: Options > Preferences > Message Headers.
    - Juno: Options > Show Headers.
    - MS Outlook: select the message and go to Options.
    - Yahoo!: Mail Options > General Preferences > Show all headers.
    - GroupWise: the message itself is attached to each email. You need to look at it.
- Slide 25
- SMTP Headers
  - Headers consist of header fields:
    - Originator fields: From, Sender, Reply-To
    - Destination address fields: To, Cc, Bcc
    - Identification fields: the Message-ID field is optional, but extremely important for tracing emails through email server logs.
    - Informational fields: Subject, Comments, Keywords
    - Resent fields: strictly speaking optional, but luckily most servers add them. Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc, Resent-Bcc, Resent-Message-ID
- Slide 26
- SMTP Headers
  - Trace fields are the core of email tracing. They are regulated in RFC 2821: when an SMTP server receives a message for delivery or forwarding, it MUST insert trace information at the beginning of the header.
- Slide 27
- SMTP Headers
  - The FROM field, which must be supplied in an SMTP environment, should contain both (1) the name of the source host as presented in the EHLO command and (2) an address literal containing the IP address of the source, determined from the TCP connection.
  - The ID field may contain an "@" as suggested in RFC 822, but this is not required.
  - The FOR field MAY contain a list of entries when multiple RCPT commands have been given.
  - A server making a final delivery inserts a Return-Path line.
- Slide 28
- SMTP Headers: Spotting spoofed messages
  - The contents usually give a hint.
  - Each SMTP server application adds a different set of headers or structures them in a different way. A good investigator knows these formats.
  - Use internet services in order to verify header data. However, some companies outsource email or use internal IP addresses.
  - Look for breaks / discrepancies in the Received lines.
- Slide 29
- SMTP Headers: Investigation of spoofed messages
  - Verify all IP addresses, keeping in mind that some addresses might be internal addresses.
  - Make a time-line of events. Change all times to universal standard time (UTC).
  - Look for strange behavior. Keep clock drift in mind.
- Slide 30
- Server Logs
  - E-mail logs usually identify email messages by:
    - Account received
    - IP address from which they were sent
    - Time and date (beware of clock drift)
- Slide 31
- Server Logs
  - Sample log entries at endor:

        Dec 31 18:26:15 endor sendmail[30597]: k012OV1i030597: from=evil@evil.com, size=147, class=0, nrcpts=1, msgid=, proto=SMTP, daemon=MTA, relay=c-24-12-227-211.hsd1.il.comcast.net [24.12.227.211]
        Dec 31 18:26:15 endor spamd[28512]: spamd: connection from localhost [127.0.0.1] at port 42865
        Dec 31 18:26:15 endor spamd[28512]: spamd: setuid to tschwarz succeeded
        Dec 31 18:26:15 endor spamd[28512]: spamd: processing message for tschwarz:1875
        Dec 31 18:26:15 endor spamd[28512]: spamd: clean message (4.6/5.0) for tschwarz:1875 in 0.2 seconds, 525 bytes.
        Dec 31 18:26:15 endor spamd[28512]: spamd: result: . 4 - MSGID_FROM_MTA_ID,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL scantime=0.2,size=525,user=tschwarz,uid=1875,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=42865,mid=,autolearn=no
        Dec 31 18:26:15 endor spamd[21352]: prefork: child states: II
        Dec 31 18:26:15 endor sendmail[30726]: k012OV1i030597: to=tschwarz@engr.scu.edu, delay=00:01:02, xdelay=00:00:00, mailer=local, pri=30464, dsn=2.0.0, stat=Sent
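Tracing a message through a maillog like the one above means grouping sendmail's lines by queue id and pulling out the relay address literal, sender, Message-ID (slide 25's tracing key) and delivery status. This added Python example (not part of the original slides) does that; the sample log is constructed: it reuses the slide's lines, fills the elided msgid= values with placeholders, and adds a second delivery with a made-up queue id, addresses and a 192.0.2.10 relay so the grouping has something to separate.

```python
import re

# Constructed sample: the sendmail and spamd lines shown on the slide, plus a second
# delivery (made-up queue id, addresses and 192.0.2.10 relay) so grouping has work to do;
# the msgid= values elided on the slide are filled with placeholders.
SAMPLE_MAILLOG = """\
Dec 31 18:26:15 endor sendmail[30597]: k012OV1i030597: from=evil@evil.com, size=147, class=0, nrcpts=1, msgid=<placeholder@evil.com>, proto=SMTP, daemon=MTA, relay=c-24-12-227-211.hsd1.il.comcast.net [24.12.227.211]
Dec 31 18:26:15 endor spamd[28512]: spamd: connection from localhost [127.0.0.1] at port 42865
Dec 31 18:26:15 endor spamd[28512]: spamd: clean message (4.6/5.0) for tschwarz:1875 in 0.2 seconds, 525 bytes.
Dec 31 18:26:15 endor sendmail[30726]: k012OV1i030597: to=tschwarz@engr.scu.edu, delay=00:01:02, xdelay=00:00:00, mailer=local, pri=30464, dsn=2.0.0, stat=Sent
Dec 31 18:27:02 endor sendmail[30801]: k012R2xy030801: from=alice@example.org, size=980, class=0, nrcpts=1, msgid=<placeholder2@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
Dec 31 18:27:03 endor sendmail[30805]: k012R2xy030801: to=bob@engr.scu.edu, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30980, dsn=2.0.0, stat=Sent
"""

# syslog prefix, then sendmail's queue id; spamd and other daemons do not match and are skipped
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<host>\S+)\s+sendmail\[\d+\]:\s+(?P<qid>\w+):\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=([^,]*)")                        # sendmail's comma-separated key=value pairs
RELAY_RE = re.compile(r"^(\S*)\s*\[([0-9A-Fa-f.:]+)\]$")    # relay=hostname [address literal]

def parse_maillog(text):
    """Group sendmail lines by queue id. The from= line carries sender, Message-ID and the
    relay that connected; the to= line carries recipient and delivery status."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = records.setdefault(m["qid"], {"host": m["host"], "to": [], "stat": [], "seen": []})
        rec["seen"].append(m["ts"])                           # raw timestamps for the timeline
        kv = dict(KV_RE.findall(m["rest"]))
        if "from" in kv:
            rec["from"], rec["msgid"], rec["size"] = kv["from"], kv.get("msgid", ""), int(kv.get("size", 0))
            r = RELAY_RE.match(kv.get("relay", ""))
            rec["relay_host"], rec["relay_ip"] = (r.group(1), r.group(2)) if r else (kv.get("relay"), None)
        if "to" in kv:
            rec["to"].append(kv["to"])
            rec["stat"].append(kv.get("stat", ""))
    return records

def find(records, msgid=None, relay_ip=None):
    """Go from what the header gave us (Message-ID or source address literal) to the log record."""
    return {q: r for q, r in records.items()
            if (msgid and r.get("msgid") == msgid) or (relay_ip and r.get("relay_ip") == relay_ip)}
```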
- Slide 32
- Server Logs
  - Many servers keep copies of emails. Most servers purge logs.
  - Law enforcement: the vast majority of companies are very cooperative. Don't wait for the subpoena; instead, give the system administrator a heads-up of a coming subpoena.
  - Company: the local sys-admin needs early warning. Getting logs at other places can be dicey.
- Slide 33
- Unix Sendmail
  - The configuration files /etc/sendmail.cf and /etc/syslog.conf give the location of the various logs and their rules.
  - maillog (often at /var/log/maillog) logs SMTP communications and POP3 events.
  - You can always use locate "*.log" to find log files.
- Slide 34
- Techniques: Server Information from IP
  - ARIN (North America, Southern Africa): 063.x.x.x-072.x.x.x, 199.x.x.x, 204.x.x.x, 216.x.x.x
  - APNIC (Asia, Australia): 058.x.x.x-061.x.x.x, 202.x.x.x-203.x.x.x, 210.x.x.x-211.x.x.x, 218.x.x.x-222.x.x.x
  - RIPE NCC (Europe, Middle East, Northern Africa): 062.x.x.x, 081.x.x.x-088.x.x.x, 193.x.x.x-195.x.x.x, 212.x.x.x-213.x.x.x, 217.x.x.x
  - LACNIC (South America): 200.x.x.x-201.x.x.x
- Slide 35
- Techniques: Domain Names
  - Lookup: registrars, ICANN and IANA have records, but some are now protected.
  - Hostname lookups with dig (replacing nslookup):
    - dig www.scu.edu
    - dig -x 129.210.2.1 (reverse lookup)
  - whois
  - traceroute (basically disabled by firewalls)
- Slide 36
- Techniques: Investigating email for forgery
  - Evidentiary material is:
    - directly in the header
    - indirectly in the formatting of headers
    - in timestamps
- Slide 37
- Techniques: Header Investigation
  - Look up all host names and IP addresses.
  - Check for inconsistencies. Be aware of internal IP addresses and web hosting companies.
  - Generate a timeline. Be aware of clock drift, delays, and time zone differences.
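The header checks from slides 27 to 29 and 36 to 37 (read the Received lines bottom-up, compare the HELO name with the reverse-DNS name and address literal, flag internal IPs, follow the by/from hand-offs, and build a UTC timeline that allows for clock drift) run over the header from slide 16, as an added Python example that is not part of the original slides. The header is a constructed sample: hosts, IPs, queue id and times are the slide's, the id and recipient elided on the middle hop are placeholders, and the lines are folded the way a real header would be.

```python
import re
import ipaddress
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the header on slide 16: same hosts, IPs, queue id and
# times; the id and recipient elided on the middle hop are placeholders. Lines are folded.
SAMPLE_HEADER = (
    "Received: from MGW2.scu.edu [129.210.251.18] by gwcl-22.scu.edu;\n"
    "\tWed, 28 Dec 2005 15:00:29 -0800\n"
    "Received: from endor.engr.scu.edu (unverified [129.210.16.1]) by MGW2.scu.edu (Vircom SMTPRS\n"
    "\t4.2.425.10) with ESMTP id PLACEHOLDER for <placeholder@scu.edu>; Wed, 28 Dec 2005 15:00:29 -0800\n"
    "Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34]) by endor.engr.scu.edu\n"
    "\t(8.13.5/8.13.5) with SMTP id jBSMwnTd023057 for tjschwarz@scu.edu; Wed, 28 Dec 2005 15:00:54 -0800\n"
)
IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")  # address literal taken from the TCP connection

def parse_received(value):
    """One Received: value -> RFC 2821 trace fields (HELO name, reverse-DNS name, address literal, BY host, UTC time)."""
    clause, _, date = value.rpartition(";")
    from_part, _, by_part = clause.partition(" by ")
    m = re.match(r"from\s+(\S+)(?:\s+\(([^\s\[\]()]+))?", from_part)
    ip = IP_LITERAL.search(from_part)
    return {"helo": m.group(1) if m else None, "rdns": m.group(2) if m else None,
            "ip": ip.group(1) if ip else None, "by": by_part.split()[0] if by_part else None,
            "time": parsedate_to_datetime(date.strip()).astimezone(timezone.utc)}

def trace(header_text, drift_tolerance=0):
    """Walk the Received: lines bottom-up (oldest hop first) and flag what the slides say to
    look for: internal IPs, unverified or mismatched names, chain breaks, clocks running backwards."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_text)  # rejoin folded continuation lines
    hops = [parse_received(f.split(":", 1)[1].strip()) for f in unfolded.splitlines()
            if f.lower().startswith("received:")]
    hops.reverse()  # servers prepend, so the last Received: line is the first hop
    findings = []
    for i, hop in enumerate(hops, 1):
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_private:
            findings.append(f"hop {i}: {hop['ip']} is an internal address, not verifiable via whois")
        if hop["rdns"] == "unverified":
            findings.append(f"hop {i}: receiving server could not verify {hop['helo']}")
        elif hop["rdns"] and hop["rdns"].lower() != hop["helo"].lower():
            findings.append(f"hop {i}: HELO name {hop['helo']} != reverse DNS {hop['rdns']}")
        if i > 1:
            prev = hops[i - 2]
            if (prev["by"] or "").lower() != (hop["helo"] or "").lower():
                findings.append(f"hop {i}: chain break, {prev['by']} relayed but {hop['helo']} sends")
            back = (prev["time"] - hop["time"]).total_seconds()
            if back > drift_tolerance:
                findings.append(f"hop {i}: stamped {back:.0f}s earlier than hop {i - 1}, check clock drift")
    return hops, findings
```

On the slide's header the only flags are the "unverified" hop and a 25-second backwards step between endor and MGW2, which is what the slides describe: a convincing forgery whose only hint is the Received line naming the sending machine.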