
Email Tracing

Computer Forensics 252

Thomas Schwarz, S.J., 2006

Email Investigations: Overview
- Email has become a primary means of communication.
- Email can easily be forged.
- Email can be abused:
  - Spam
  - Aid in committing a crime
  - Threatening email, ...

Email Investigations: Overview
- Email evidence:
  - Is in the email itself: the header and the contents.
  - Is in logs, left behind as the email travels from sender to recipient.
- Law enforcement uses subpoenas to follow the trace.
- System administrators have some of these logs under their control.
- Notice: all fake-mailing that you will be learning here can be easily traced.

Email Fundamentals
- Email travels from the originating computer to the receiving computer through email servers.
- Every email server it passes through adds to the header.
- Use the internet services described below (RIR whois, DNS) to interpret and verify the data in a header.

Email Fundamentals
- Typical path of an email message: Client -> Mail Server -> Mail Server -> Mail Server -> Client

Email Fundamentals: Important Services
- Verification of IP addresses: the Regional Internet Registries (RIRs), queried via whois:
  - APNIC (Asia Pacific Network Information Centre)
  - ARIN (American Registry for Internet Numbers)
  - LACNIC (Latin American and Caribbean IP Address Regional Registry)
  - RIPE NCC (Réseaux IP Européens Network Coordination Centre)
  - (AfriNIC, the African registry, is not on the original 2006 list but has served Africa since 2005.)

Email Fundamentals: Important Services
- The Domain Name System (DNS) translates between domain names and IP addresses.
- Name-to-address lookup:
  1. The resolver parses the HOSTS file.
  2. It asks the local nameserver.
  3. The local nameserver contacts the nameserver responsible for the domain, going through a root nameserver if necessary.
  4. The remote nameserver sends the data back to the local nameserver.
  5. The local nameserver caches the answer and informs the client.
- HOSTS files can be altered. You can use this as a low-tech tool to block pop-ups; malware uses the same trick to redirect you.
- Local nameservers can/could be tricked into accepting unsolicited data into their cache (cache poisoning): the Hilary for Senate case.

Email Fundamentals: Important Services
- MX records in the DNS database specify the mail exchanger(s) for a host or domain.
- There can be multiple MX records, each with a priority; the lowest number is tried first:

    MX  10   cse
    MX  100  mailhost.soe.uscs.edu

- Email to [email protected] will then be sent to [email protected]. If that site is down, it will be sent to [email protected]. The mailer at both sites must also be set up to accept the messages.

Email Fundamentals: IP-Addressing Fundamentals
- IP version 4 is slowly being replaced by IP version 6.
- IPv4: four decimal numbers (octets) between 0 and 255.
- IPv6: eight hexadecimal groups between 0x0000 and 0xffff.
- Static / dynamic addresses: dynamic addresses are assigned by DHCP within a local network (same leading portion of the IP address).

Email Fundamentals: Important Services
- Many organizations use Network Address Translation (NAT).
- A NAT box has a single externally visible IP address.
- Each incoming packet is analyzed according to address and port number and forwarded into the interior network, which uses internal IP addresses.
- Internal addresses are typically in the private-use ranges (RFC 1918):
    10.0.0.0    - 10.255.255.255
    172.16.0.0  - 172.31.255.255
    192.168.0.0 - 192.168.255.255
- Private-use addresses are not valid externally, so a private address in a header identifies a host only inside the organization that wrote that header; whois cannot resolve it.

Email Protocols
- Email programs such as Outlook or GroupWise are client applications. They need to interact with an email server via:
  - Post Office Protocol (POP)
  - Internet Message Access Protocol (IMAP)
  - Microsoft's Mail API (MAPI)
- Web-based email uses a web page as the interface to an email server.

Email Protocols
- A mail server stores incoming mail and distributes it to the appropriate mailbox.
- What happens afterwards depends on the type of protocol. Accordingly, the investigation needs to be done at the server or at the workstation.

Email Protocols: where the evidence sits
  Post Office Service             | Protocol                    | Characteristics
  Stores only incoming messages   | POP                         | Investigation must be at the workstation.
  Stores all messages             | IMAP, MS MAPI, Lotus Notes  | Copies of incoming and outgoing messages might be stored on the workstation, on the server, or on both.
  Web-based send and receive      | HTTP                        | Incoming and outgoing messages are stored on the server, but there might be archived or copied messages on the workstation.
- Easy to spoof identity.

Email Protocols: SMTP
- Neither IMAP nor POP is involved in relaying messages between servers.
- Simple Mail Transfer Protocol (SMTP):
  - Easy.
  - Has several extensions (ESMTP).
  - Can be spoofed:
    - by using an unsecured or under-secured (open relay) email server;
    - by setting up your own SMTP server.

Email Protocols: SMTP, how to spoof email
The session below was typed into telnet on port 25. Lines without a three-digit code are what the client typed; the numbered lines are the server's replies:

    telnet endor.engr.scu.edu 25
    220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 14:58:49 -0800
    helo 129.210.16.8
    250 server8.engr.scu.edu Hello dhcp-19-198.engr.scu.edu [129.210.19.198], pleased to meet you
    mail from: [email protected]
    250 2.1.0 [email protected]... Sender ok
    rcpt to: [email protected]
    250 2.1.5 [email protected]... Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    This is a spoofed message.
    .
    250 2.0.0 jBSMwnTd023057 Message accepted for delivery
    quit
    221 2.0.0 endor.engr.scu.edu closing connection

Note that the server's reply to HELO already records the host it actually sees on the TCP connection, not the name the client claimed. The message as received, headers first:

    Return-path:
    Received: from MGW2.scu.edu [129.210.251.18]
        by gwcl-22.scu.edu; Wed, 28 Dec 2005 15:00:29 -0800
    Received: from endor.engr.scu.edu (unverified [129.210.16.1]) by MGW2.scu.edu
        (Vircom SMTPRS 4.2.425.10) with ESMTP id for ;
        Wed, 28 Dec 2005 15:00:29 -0800
    X-Modus-BlackList: 129.210.16.1=OK;[email protected]=OK
    X-Modus-Trusted: 129.210.16.1=NO
    Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34])
        by endor.engr.scu.edu (8.13.5/8.13.5) with SMTP id jBSMwnTd023057
        for [email protected]; Wed, 28 Dec 2005 15:00:54 -0800
    Date: Wed, 28 Dec 2005 14:58:49 -0800
    From: JoAnne Holliday
    Message-Id:

    this is a spoofed message.

- This looks very convincing. The only hint: the Received line added by endor gives the name of my machine (bobadilla.engr.scu.edu [129.210.18.34]) rather than the name claimed in HELO.
- If I had used a machine without a fixed IP address, you could still determine who held that DHCP lease at the time from the DHCP logs.

Email Protocols: SMTP, how to spoof email
- Endor will only relay messages from machines that have properly authenticated themselves within the last five minutes.
- Subject lines etc. are part of the DATA segment: they are simply typed as header lines before the first blank line, so the sender controls them completely. A misspelled or malformed header line (for example, one without a colon) ends up in the body of the message instead.

Email Protocols: SMTP, how to spoof email (forging the header fields as well)

    telnet endor.engr.scu.edu 25
    220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 15:36:13 -0800
    mail from: [email protected]
    250 2.1.0 [email protected]... Sender ok
    rcpt to: [email protected]
    250 2.1.5 [email protected]... Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    Date: 23 Dec 05 11:22:33
    From: [email protected]
    To: [email protected]
    Subject: Congrats

    You are hrby appointed the next president of Santa Clara University, effectively
    immediately.

    Best, Paul.
    .
    250 2.0.0 jBSNaDlu023813 Message accepted for delivery
    quit

The Date:, From:, To: and Subject: lines are whatever the sender typed; only the Received: line that endor prepends records the host that really connected.

Email Protocols: SMTP, how to spoof email
- Unix: use sendmail directly. -t takes the recipients from the To:/Cc:/Bcc: headers of the file, -f sets the envelope sender:

    % /usr/lib/sendmail -t -f [email protected] < test_message

- Things are even easier with Windows XP:
  1. Turn on the SMTP service (part of IIS) that a WinXP machine can run.
  2. Create a file that follows the SMTP message format: header lines, a blank line, the body.
  3. Place the file in Inetpub\mailroot\Pickup; the service picks it up and delivers it.

Email Protocols: SMTP
The file dropped into the Pickup directory:

    To: [email protected]
    From: [email protected]

    This is a spoofed message.

What arrived at server4 (the lower Received: line is the earlier one):

    From [email protected] Tue Dec 23 17:25:50 2003
    Return-Path:
    Received: from Xavier (dhcp-19-226.engr.scu.edu [129.210.19.226])
        by server4.engr.scu.edu (8.12.10/8.12.10) with ESMTP id hBO1Plpv027244
        for ; Tue, 23 Dec 2003 17:25:50 -0800
    Received: from mail pickup service by Xavier with Microsoft SMTPSVC;
        Tue, 23 Dec 2003 17:25:33 -0800
    To: [email protected]
    From: [email protected]
    Subject:
    X-OriginalArrivalTime: 24 Dec 2003 01:25:33.0942 (UTC) FILETIME=[D3B56160:01C3C9BC]
    Date: 23 Dec 2003 17:25:33 -0800
    X-Spam-Checker-Version: SpamAssassin 2.60-rc3 (1.202-2003-08-29-exp) on
        server4.engr.scu.edu
    X-Spam-Level:
    X-Spam-Status: No, hits=0.3 required=5.0 tests=NO_REAL_NAME autolearn=no
        version=2.60-rc3
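The three spoofing methods above all leave the same trace: the envelope sender (MAIL FROM), the header From:, and the name given in HELO are all chosen by the sender, while the Received: line the receiving server writes contains the peer address it observed on the TCP connection. The simulation below is an added example for this page, not code from the slides. It implements just enough of SMTP (HELO, MAIL, RCPT, DATA, QUIT) to replay the telnet dialogue against a toy server that stamps a Received: line the way RFC 5321 section 4.4 requires. All host names and addresses are invented.

```python
"""Toy SMTP relay: what the server records regardless of what the client claims.

Added example, not from the slides. Only the subset of SMTP used in the
telnet session is implemented; every name and address here is invented.
"""
import re
from datetime import datetime, timezone


def _addr(arg):
    """Pull the address out of 'from: <a@b>' or 'to: a@b'."""
    m = re.search(r"<([^>]*)>", arg)
    return m.group(1) if m else arg.split(":", 1)[-1].strip()


class ToySmtpServer:
    """Accepts one message; stamps it with the HELO name the client *claimed*
    and the peer name/address the server *observed* (RFC 5321 section 4.4)."""

    def __init__(self, hostname, peer_name, peer_ip, clock=None):
        self.hostname = hostname
        self.peer_name = peer_name   # reverse-DNS name of the TCP peer
        self.peer_ip = peer_ip       # address seen on the TCP connection
        # fixed clock so the demo is reproducible
        self.clock = clock or datetime(2005, 12, 28, 23, 0, 54, tzinfo=timezone.utc)
        self.helo = "(no HELO)"
        self.mail_from = None
        self.rcpt_to = []
        self.in_data = False
        self.data_lines = []
        self.delivered = []          # (return_path, recipients, raw message)

    def banner(self):
        return f"220 {self.hostname} ESMTP toy"

    def handle(self, line):
        """Process one client line; return the reply (None while inside DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append(self._finish())
                return "250 2.0.0 Message accepted for delivery"
            # dot-stuffing: a line starting with ".." carries a single leading "."
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            return f"250 {self.hostname} Hello {self.peer_name} [{self.peer_ip}], pleased to meet you"
        if verb == "MAIL":
            self.mail_from = _addr(arg)
            return f"250 2.1.0 {self.mail_from}... Sender ok"
        if verb == "RCPT":
            self.rcpt_to.append(_addr(arg))
            return f"250 2.1.5 {self.rcpt_to[-1]}... Recipient ok"
        if verb == "DATA":
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return f"221 2.0.0 {self.hostname} closing connection"
        return "500 5.5.1 Command unrecognized"

    def _finish(self):
        stamp = self.clock.strftime("%a, %d %b %Y %H:%M:%S +0000")
        received = (f"Received: from {self.helo} ({self.peer_name} [{self.peer_ip}])\n"
                    f"\tby {self.hostname} with SMTP; {stamp}")
        raw = f"Return-Path: <{self.mail_from}>\n{received}\n" + "\n".join(self.data_lines)
        return self.mail_from, list(self.rcpt_to), raw


def run_spoof_session(server, helo_claim, envelope_from, header_from, rcpt, body):
    """Replay the slides' telnet dialogue; return the full transcript as a list."""
    client_lines = [f"helo {helo_claim}", f"mail from: <{envelope_from}>",
                    f"rcpt to: <{rcpt}>", "data",
                    f"From: {header_from}",   # header From: is independent of MAIL FROM
                    f"To: {rcpt}", "Subject: Congrats", "", body, ".", "quit"]
    transcript = [server.banner()]
    for line in client_lines:
        transcript.append(line)
        reply = server.handle(line)
        if reply:
            transcript.append(reply)
    return transcript


def trace_summary(server):
    """What the investigator gets back from the receiving MTA for the first message."""
    ret_path, _, raw = server.delivered[0]
    rcv = re.search(r"^Received: from (\S+) \((\S+) \[([\d.]+)\]\)", raw, re.M)
    return {"return_path": ret_path,
            "header_from": re.search(r"^From: (.*)$", raw, re.M).group(1),
            "helo_claim": rcv.group(1), "peer_name": rcv.group(2), "peer_ip": rcv.group(3)}


if __name__ == "__main__":
    srv = ToySmtpServer("endor.example.edu", "dhcp-19-198.example.edu", "192.0.2.198")
    for line in run_spoof_session(srv, "mail.example.edu", "spoofed@example.edu",
                                  "president@example.edu", "victim@example.edu",
                                  "You are hereby appointed."):
        print(line)
    print(trace_summary(srv))
```

The summary shows three independent identities for one message: the Return-Path (envelope), the header From:, and the HELO claim, none of which agree with the peer name and address the server observed. That observed pair is the only part the sender cannot type in.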

    This is a spoofed message.

Here, too, the HELO name (Xavier) is whatever the machine called itself; the host name and address in parentheses were determined by server4 from the connection.

Email Protocols: SMTP headers
- Each mail server adds to the headers, and additions are made at the top of the list. Therefore, read the headers from the bottom up.
- To read the full headers, you usually have to enable them in your mail client:
  - Eudora: use the "Blah Blah Blah" button.
  - Hotmail: Options > Preferences > Message Headers.
  - Juno: Options > Show Headers.
  - MS Outlook: select the message and go to Options.
  - Yahoo!: Mail Options > General Preferences > Show all headers.
  - GroupWise: the original message itself is attached to each email; you need to look at it.

SMTP Headers
- Headers consist of header fields:
  - Originator fields: From, Sender, Reply-To.
  - Destination address fields: To, Cc, Bcc.
  - Identification fields: the Message-ID field is optional, but extremely important for tracing emails through email server logs.
  - Informational fields: Subject, Comments, Keywords.
  - Resent fields: Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc, Resent-Bcc, Resent-Message-ID. Strictly speaking optional; they are added when a message is reintroduced (resent) and, when present, give an additional trace point.

SMTP Headers: trace fields
- The core of email tracing. Regulated in RFC 2821 (since superseded by RFC 5321, section 4.4, with the same rules).
- When an SMTP server receives a message for delivery or forwarding, it MUST insert trace information (a Received: line) at the beginning of the header.
- The FROM clause, which must be supplied in an SMTP environment, should contain both (1) the name of the source host as presented in the EHLO/HELO command and (2) an address literal containing the IP address of the source, determined from the TCP connection. The first is claimed by the client; the second is observed by the server. This is why the two can disagree, and why the disagreement is evidence.
- The ID clause may contain an "@" as suggested in RFC 822, but this is not required.
- The FOR clause MAY contain a list of entries when multiple RCPT commands have been given.
- A server making final delivery inserts a Return-Path: line, taken from the envelope MAIL FROM.

SMTP Headers: spotting spoofed messages
- The contents usually give a hint.
- Each SMTP server application adds a different set of headers or structures them in a different way. A good investigator knows these formats.
- Use internet services (whois, DNS) to verify the header data. However, some companies outsource email or use internal IP addresses, so not every name will resolve as expected.
- Look for breaks / discrepancies in the Received lines.

SMTP Headers: investigation of spoofed messages
- Verify all IP addresses, keeping in mind that some addresses might be internal.
- Make a timeline of events; convert all times to Universal Time (UTC) first.
- Look for strange behavior, keeping clock drift in mind.

Server Logs
- Email logs usually identify email messages by:
  - the account that received them;
  - the IP address from which they were sent;
  - time and date (beware of clock drift);
  - IP addresses.

Server Logs

    Dec 31 18:26:15 endor sendmail[30597]: k012OV1i030597: [email protected], size=147, class=0, nrcpts=1, msgid=, proto=SMTP, daemon=MTA, relay=c-24-12-227-211.hsd1.il.comcast.net [24.12.227.211]
    Dec 31 18:26:15 endor spamd[28512]: spamd: connection from localhost [127.0.0.1] at port 42865
    Dec 31 18:26:15 endor spamd[28512]: spamd: setuid to tschwarz succeeded
    Dec 31 18:26:15 endor spamd[28512]: spamd: processing message for tschwarz:1875
    Dec 31 18:26:15 endor spamd[28512]: spamd: clean message (4.6/5.0) for tschwarz:1875 in 0.2 seconds, 525 bytes.
    Dec 31 18:26:15 endor spamd[28512]: spamd: result: . 4 - MSGID_FROM_MTA_ID,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL scantime=0.2,size=525,user=tschwarz,uid=1875,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=42865,mid=,autolearn=no
    Dec 31 18:26:15 endor spamd[21352]: prefork: child states: II
    Dec 31 18:26:15 endor sendmail[30726]: k012OV1i030597: [email protected], delay=00:01:02, xdelay=00:00:00, mailer=local, pri=30464, dsn=2.0.0, stat=Sent

Sample log entry at endor. The sendmail queue ID k012OV1i030597 links the arrival line (relay= names the connecting host and its IP address) to the delivery line (stat=Sent), and the SpamAssassin tests RCVD_IN_NJABL_DUL and RCVD_IN_SORBS_DUL flag the relay as a dynamic (dial-up) address, consistent with its comcast.net name.

Server Logs
- Many servers keep copies of emails.
- Most servers purge logs.
- Law enforcement:
  - The vast majority of companies are very cooperative.
  - Don't wait for the subpoena; instead give the system administrator a heads-up that a subpoena is coming, so the logs are preserved before they are purged.
- Company:
  - The local sysadmin needs early warning.
  - Getting logs at other places can be dicey.

Unix Sendmail
- The configuration files /etc/sendmail.cf and /etc/syslog.conf give the location of the various logs and their rules.
- maillog (often at /var/log/maillog):
  - logs SMTP communications;
  - logs POP3 events.
- You can always use locate '*.log' to find log files (quote the pattern so the shell does not expand it).
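The log excerpt above is read by hand; the parser below is an added example (not code from the slides) that does the same correlation automatically: it groups sendmail syslog lines by queue ID, extracts the relay name and address from the from= line and the delivery status from the to= line, and looks a Message-ID up the way the slides recommend for following a header into the logs. The log lines are constructed to mimic the endor sample with invented addresses, and an extra message from a private address with no reverse DNS is included to show the checks firing.

```python
"""Correlate sendmail maillog lines by queue ID to rebuild each message's path.

Added example, not from the slides. The log lines are constructed to mimic
the endor sample (same field layout, invented values).
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modeled on the slides' maillog excerpt.
SAMPLE_MAILLOG = """\
Dec 31 18:26:15 endor sendmail[30597]: k012OV1i030597: from=<sender@example.net>, size=147, class=0, nrcpts=1, msgid=<20051231232615.GA1234@example.net>, proto=SMTP, daemon=MTA, relay=c-24-12-227-211.hsd1.il.comcast.net [24.12.227.211]
Dec 31 18:26:15 endor spamd[28512]: spamd: clean message (4.6/5.0) for tschwarz:1875 in 0.2 seconds, 525 bytes.
Dec 31 18:27:17 endor sendmail[30726]: k012OV1i030597: to=<tschwarz@endor.example.edu>, delay=00:01:02, xdelay=00:00:00, mailer=local, pri=30464, dsn=2.0.0, stat=Sent
Dec 31 18:30:02 endor sendmail[30801]: k012U2Ab030801: from=<president@example.edu>, size=212, class=0, nrcpts=1, msgid=<fake@example.edu>, proto=SMTP, daemon=MTA, relay=[10.20.19.198]
Dec 31 18:30:03 endor sendmail[30802]: k012U2Ab030801: to=<nobody@endor.example.edu>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30512, dsn=5.1.1, stat=User unknown
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[A-Za-z]+)\[(?P<pid>\d+)\]: (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]*)")          # key=<bracketed> or key=up-to-comma
RELAY_RE = re.compile(r"^(?:(?P<name>\S+) )?\[(?P<ip>[^\]]+)\]$")  # "name [ip]" or "[ip]"


def parse_line(line, year):
    """Split a syslog line into timestamp, host, program, pid and message text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "pid": int(m["pid"]), "rest": m["rest"]}


def correlate(log_text, year=2005):
    """Group sendmail lines by queue ID -> {qid: {envelope_from, msgid, relay_*, recipients}}."""
    msgs = defaultdict(lambda: {"recipients": []})
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if not rec or rec["prog"] != "sendmail":
            continue
        qid, sep, fields = rec["rest"].partition(": ")
        if not sep:
            continue
        kv = dict(KV_RE.findall(fields))
        m = msgs[qid]
        if "from" in kv:                              # arrival line: envelope and relay
            m["envelope_from"] = kv["from"].strip("<>")
            m["msgid"] = kv.get("msgid", "").strip("<>")
            m["received_at"] = rec["ts"]
            r = RELAY_RE.match(kv.get("relay", ""))
            m["relay_name"] = r["name"] if r else kv.get("relay")   # None when no reverse DNS
            m["relay_ip"] = r["ip"] if r else None
        if "to" in kv:                                # one line per delivery attempt
            m["recipients"].append({"to": kv["to"].strip("<>"), "delay": kv.get("delay"),
                                    "dsn": kv.get("dsn"), "stat": kv.get("stat"), "at": rec["ts"]})
    return dict(msgs)


def flags(msg):
    """Observations an investigator should make about one correlated message."""
    out = []
    ip = msg.get("relay_ip")
    if ip and not msg.get("relay_name"):
        out.append("relay has no reverse DNS name")
    if ip and ipaddress.ip_address(ip).is_private:
        out.append(f"relay {ip} is a private address; use the DHCP/NAT logs, not whois")
    for r in msg["recipients"]:
        if r["stat"] != "Sent":
            out.append(f"delivery to {r['to']} failed: {r['stat']} (dsn {r['dsn']})")
    return out


def find_by_msgid(msgs, msgid):
    """Map a Message-ID taken from a header (with or without <>) to its queue ID."""
    want = msgid.strip("<>")
    return next((qid for qid, m in msgs.items() if m.get("msgid") == want), None)


if __name__ == "__main__":
    for qid, m in correlate(SAMPLE_MAILLOG).items():
        print(qid, m["envelope_from"], "via", m["relay_name"], m["relay_ip"])
        for r in m["recipients"]:
            print("   ->", r["to"], r["stat"], "delay", r["delay"])
        for f in flags(m):
            print("   !", f)
```

Because syslog timestamps carry no year and no zone, the year is passed in and the times stay in the server's local time; convert them to UTC before putting them next to header timestamps from other hosts.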

Techniques: server information from IP
The RIR ranges below are the 2006-era allocations shown in the slides. Address blocks have been reassigned since, and AfriNIC now serves Africa, so treat this table as a first guess and always confirm with whois:
- ARIN (North America, Southern Africa): 063.x.x.x - 072.x.x.x, 199.x.x.x, 204.x.x.x, 216.x.x.x
- APNIC (Asia, Australia): 058.x.x.x - 061.x.x.x, 202.x.x.x - 203.x.x.x, 210.x.x.x - 211.x.x.x, 218.x.x.x - 222.x.x.x
- RIPE NCC (Europe, Middle East, Northern Africa): 062.x.x.x, 081.x.x.x - 088.x.x.x, 193.x.x.x - 195.x.x.x, 212.x.x.x - 213.x.x.x, 217.x.x.x
- LACNIC (South America): 200.x.x.x - 201.x.x.x

Techniques: domain name lookup
- Registrars, ICANN and IANA have records, but some are now protected (privacy registrations).
- Hostname lookups: dig, replacing nslookup.
    dig www.scu.edu
    dig -x 129.210.2.1        (reverse lookup)
- whois
- traceroute (basically disabled by firewalls)

Techniques: investigating email for forgery
- Evidentiary material is:
  - directly in the header;
  - indirectly in the formatting of the headers;
  - in the timestamps.

Techniques: header investigation
- Look up all host names and IP addresses.
- Check for inconsistencies, being aware of internal IP addresses and of web-hosting companies, whose server names will not match the sender's domain.
- Generate a timeline, being aware of clock drift, delays, and time-zone differences.
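The two investigation checklists above (verify every address, build a UTC timeline, watch for internal addresses and clock drift) are mechanical enough to script. The following is an added example for this page, not code from the slides: it parses the Received: chain of a message bottom-up with the standard library, normalises each hop's timestamp to UTC, and reports a HELO name that disagrees with the observed reverse name, an "unverified" hop, an RFC 1918 address, and a timestamp that runs backwards between hops. SAMPLE_MESSAGE is constructed to resemble the slides' spoofed sample (its gateway clock runs 25 s behind, as the slides' MGW2 did); all names, addresses and IDs are invented.

```python
"""Read a Received: chain bottom-up, normalise to UTC, flag discrepancies.

Added example, not from the slides. SAMPLE_MESSAGE is constructed; every
host, address and ID in it is invented.
"""
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

SAMPLE_MESSAGE = """\
Return-Path: <spoofed@example.edu>
Received: from mgw2.example.edu ([203.0.113.18])
\tby gwcl-22.example.edu; Wed, 28 Dec 2005 15:00:29 -0800
Received: from endor.example.edu (unverified [203.0.113.1]) by mgw2.example.edu
\twith ESMTP id ABC123 for <victim@example.edu>;
\tWed, 28 Dec 2005 15:00:29 -0800
Received: from mail.example.edu (dhcp-19-198.example.edu [10.20.19.198])
\tby endor.example.edu (8.13.5/8.13.5) with SMTP id jBSMwnTd023057
\tfor <victim@example.edu>; Wed, 28 Dec 2005 15:00:54 -0800
Date: Wed, 28 Dec 2005 14:58:49 -0800
From: President <president@example.edu>
To: victim@example.edu
Subject: Congrats
Message-Id: <jBSMwnTd023057@endor.example.edu>

This is a spoofed message.
"""

# "from <helo> (<rdns> [<ip>]) by <host> ... ; <date>"  (RFC 5321 section 4.4 layout)
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+).*?;\s*(?P<date>.+)$")


def parse_received(value):
    """Parse one Received: header into helo, rdns, ip, by and a UTC timestamp."""
    text = re.sub(r"\s+", " ", value).strip()          # unfold continuation lines
    m = RECEIVED_RE.search(text)
    if not m:
        return {"raw": text, "unparsed": True}
    tokens = (m["paren"] or "").split()
    ip_m = re.search(r"\[([0-9a-fA-F.:]+)\]", m["paren"] or "")
    rdns = tokens[0] if tokens and not tokens[0].startswith("[") and tokens[0] != "unverified" else None
    return {"helo": m["helo"], "rdns": rdns, "ip": ip_m.group(1) if ip_m else None,
            "unverified": "unverified" in tokens, "by": m["by"],
            "ts_utc": parsedate_to_datetime(m["date"]).astimezone(timezone.utc), "raw": text}


def analyse(raw):
    """Return (hops in transit order, findings). Hop 1 is the bottom Received: line."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    findings, prev = [], None
    for n, h in enumerate(hops, 1):
        if h.get("unparsed"):
            findings.append(f"hop {n}: could not parse: {h['raw']}")
            continue
        if h["rdns"] and h["helo"] != h["rdns"]:
            findings.append(f"hop {n}: HELO name {h['helo']} does not match reverse name {h['rdns']}")
        if h["unverified"]:
            findings.append(f"hop {n}: {h['by']} could not verify the sending host's name")
        if h["ip"] and ipaddress.ip_address(h["ip"]).is_private:
            findings.append(f"hop {n}: {h['ip']} is a private address; check {h['by']}'s logs, not whois")
        if prev and h["ts_utc"] < prev["ts_utc"]:
            skew = int((prev["ts_utc"] - h["ts_utc"]).total_seconds())
            findings.append(f"hop {n}: timestamp goes backwards by {skew} s "
                            f"(clock drift between {prev['by']} and {h['by']}?)")
        prev = h
    date_hdr = msg.get("Date")
    if date_hdr and hops and not hops[0].get("unparsed"):
        if parsedate_to_datetime(date_hdr).astimezone(timezone.utc) > hops[0]["ts_utc"]:
            findings.append("Date: header is later than the first Received: line")
    return hops, findings


if __name__ == "__main__":
    hops, findings = analyse(SAMPLE_MESSAGE)
    for n, h in enumerate(hops, 1):
        print(f"hop {n}: {h['ts_utc'].isoformat()}  {h['helo']} ({h['rdns']} [{h['ip']}]) -> {h['by']}")
    for f in findings:
        print("!", f)
```

Every timestamp is converted to UTC before comparison, so hops recorded in different zones line up; a negative interval then means one of the two servers' clocks is off, which is exactly the drift the slides warn about. The Received: regex covers the sendmail and Vircom layouts seen on this page; other MTAs structure the line differently, so extend it before trusting it on their headers.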