Investigating Email Tracing & Recovery

Upload: lamtu

Post on 11-Apr-2018

Overview

• Email has become a primary means of communication.
• Email can easily be forged.
• Email can be abused:
  – Spam
  – Aid in committing a crime …
  – Threatening email, …

Email & Crime

• Locate potential victims for other crimes
• Used to initiate a hack of the PC
• Defame a person or organization
• Create an alibi
• Anonymous communication regarding illegal activity

Email Investigations: Overview

• Email evidence:
  – Is in the email itself (the header)
  – Is left behind as the email travels from sender to recipient
• Contained in the various logs:
  – Law enforcement can use subpoenas
  – System administrators have some logs

Email Fundamentals

• Email travels from the originating computer to the receiving computer through email servers.
• Every email server that handles the message adds to the header.
• Use internet services (whois, DNS, the regional registries) to interpret and verify the data in a header.

How Email Works

• Breakdown of an email address: [email protected]
  – ca = top-level domain: Canada
  – utoronto = organization (gateway): University of Toronto
  – dgp = local host: dynamic graphics project
  – mantei = local part, the recipient's mailbox: e.g., Mantei Tremaine
• Mail is passed from host to host until it arrives.

Email Fundamentals

• Typical path of an email message:

  Client -> Mail Server -> Mail Server -> Mail Server -> Client

Email Protocols (protocol, service, characteristics):

POP (Post Office Protocol)
  – Stores only incoming messages.
  – Investigation must be at the workstation.

IMAP, MS MAPI, Lotus Notes
  – Store all messages.
  – Copies of incoming and outgoing messages might be stored on the workstation, on the server, or on both.

HTTP (web-based send and receive)
  – Incoming and outgoing messages are stored on the server, but there might be archived or copied messages on the workstation.
  – Easy to spoof identity.

Email Protocols: SMTP

• Neither IMAP nor POP is involved in relaying messages between servers; that is SMTP's job.
• Simple Mail Transfer Protocol (SMTP): easy to use, but easily spoofed.

SMTP Headers

To enable full headers:
• Eudora: use the Blah Blah Blah button
• Hotmail: Options > Preferences > Message Headers
• Juno: Options > Show Headers
• MS Outlook: select the message and go to Options
• Yahoo!: Mail Options > General Preferences > Show all headers

SMTP Headers

• Headers consist of header fields:
  – Originator fields: From, Sender, Reply-To
  – Destination address fields: To, Cc, Bcc
  – Identification fields: the Message-ID field is optional, but extremely important for tracing emails through email server logs.
  – Informational fields: Subject, Comments, Keywords
  – Resent fields: Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc, Resent-Bcc, Resent-Message-ID. These are optional and appear only when a user agent reintroduces an already delivered message into the mail system (resends it); relaying servers do not add them.

SMTP Headers

• Trace fields
  – The core of email tracing.
  – Regulated in RFC 2821 (section 4.4, Trace Information).
  – When an SMTP server receives a message for delivery or forwarding, it MUST insert trace information (a Received: line) at the beginning of the header.

SMTP Headers

Clauses of a Received: line, as RFC 2821 specifies them:
• The FROM clause, which must be supplied in an SMTP environment, should contain both (1) the name of the source host as presented in the EHLO command and (2) an address literal containing the IP address of the source, determined from the TCP connection.
• The ID clause may contain an "@" as suggested in RFC 822, but this is not required.
• The FOR clause MAY contain a list of <path> entries when multiple RCPT commands have been given.
• A server making the final delivery inserts a Return-Path: line, preserving the reverse path from the envelope MAIL FROM command.

SMTP Header

• Spotting spoofed messages
  – The contents usually give a hint.
  – Each SMTP server application adds a different set of headers or structures them in a different way. A good investigator knows these formats.
  – Use internet services to verify header data. However, some companies outsource email or use internal IP addresses, so a name or address that does not resolve is not by itself proof of forgery.
  – Look for breaks / discrepancies in the "Received:" lines.

Sample SMTP Session

S: HELO host.my
R: 250 OK
S: MAIL FROM:<[email protected]>
R: 250 OK
S: RCPT TO:<[email protected]>
R: 250 OK
S: DATA
R: 354 send the mail data, end with .
S: [mail data (including mail header)]
S: .
R: 250 OK
S: QUIT
R: 221 closing connection

Sample Mail Message

From: "My Name" <[email protected]>
To: "Your Name" <[email protected]>
Date: Tue, 7 Dec 1999 14:25:20 +0800
Subject: This is sample mail

This is my mail body
Ends here

Headers – What they mean

• Ask: who is it from? Where is it from?
• Never depend on the From: line.
• Verify the first Received: header (the bottom-most one, added by the first server to handle the message).
• Check that the domain in the Message-ID: matches the domain of the e-mail address in the From: line of the header.

Received: from SpoolDir by FLEMING0 (Mercury 1.48); 10 Oct 02 15:11:27 -0400 (EDT)
Return-path: <[email protected]>
Received: from daneeka.flemingc.on.ca (192.197.148.227) by fleming0.flemingc.on.ca (Mercury 1.48); 10 Oct 02 15:11:24 -0400 (EDT)
Received: (qmail 30587 invoked by alias); 10 Oct 2002 19:11:15 -0000
Delivered-To: [email protected]
Received: (qmail 30582 invoked by uid 504); 10 Oct 2002 19:11:15 -0000
Received: from [email protected] by daneeka.flemingc.on.ca by uid 0 with qmail-scanner-1.12 (csav: version 4.64.1/SIGN.DEF created on Oct 1 2002/SIGN2.DEF created on Oct 2 2002/MACRO.DEF created on Sep 23 2002/. Clear:. Processed in 0.137783 secs); 10 Oct 2002 19:11:15 -0000
X-Qmail-Scanner-Mail-From: [email protected] via daneeka.flemingc.on.ca
X-Qmail-Scanner: 1.12 (Clear:. Processed in 0.137783 secs)
Received: from unknown (HELO mail.prhc.on.ca) (204.187.140.10) by daneeka.flemingc.on.ca with SMTP; 10 Oct 2002 19:11:15 -0000
Received: from [127.0.0.1] ([email protected]) by mail.prhc.on.ca; Thu, 10 Oct 2002 15:11:06 -0400
X-WM-Posted-At: mail.prhc.on.ca; Thu, 10 Oct 02 15:11:06 -0400
Date: Thu, 10 Oct 2002 14:36:10 -0400
From: Gord Rance <[email protected]>
To: [email protected]

The Message-Id

• A unique identifier in the header.
• Added to the message by the mail server when the message was sent.
• The system administrator of that server could tell you who sent the associated message.
• The Message-ID is not always from the originating computer.

Received headers

• One of the most informative parts of the e-mail header.
• Often contains the e-mail address of the person who sent the message.
• Each MTA that handles a message adds a Received: header to the top of the e-mail header.
• Think of a stack of pancakes: the bottom one was added first, by the server closest to the sender; the top one was added last, by the server that delivered the message.
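Added example, not part of the original slides: a small Python analyser that does the pancake-stack reading of the Received: lines mechanically, running the checks the slides list (verify the bottom-most Received: line, compare its domain and the Message-ID: domain with the From: line, look for breaks and clock discrepancies between hops, and note when the origin hop is the server's own loopback so the real client is only in that server's logs). The two header blocks it reads are constructed for this example, modelled on the chain shown above; hostnames, addresses and IP numbers are illustrative, and the Received: layouts it understands (sendmail's `from helo (rdns [ip])` and qmail's `from unknown (HELO helo) (ip)` and `(qmail ... invoked by ...)`) are the ones in that chain, so other MTAs' formats would need their own patterns.

```python
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample modelled on the chain printed above: local submission on
# the sender's server, a qmail relay (with its internal "invoked by" hop), then
# final delivery. Names, addresses and IPs are illustrative, not the page's.
SAMPLE = """\
Received: from daneeka.example.edu (192.0.2.227)
 by fleming0.example.edu (Mercury 1.48); Thu, 10 Oct 2002 15:11:24 -0400
Received: (qmail 30587 invoked by alias); 10 Oct 2002 19:11:15 -0000
Received: from unknown (HELO mail.example.org) (203.0.113.10)
 by daneeka.example.edu with SMTP; 10 Oct 2002 19:11:15 -0000
Received: from [127.0.0.1] (grance@localhost)
 by mail.example.org; Thu, 10 Oct 2002 15:11:06 -0400
Message-ID: <20021010151106.4711@mail.example.org>
Date: Thu, 10 Oct 2002 14:36:10 -0400
From: Gord Rance <grance@example.org>
To: investigator@example.edu
"""

# Constructed forgery: the upper hop claims a host the lower hop never handed
# to, its clock runs behind, and neither the origin server nor the Message-ID
# belongs to the domain in From:.
FORGED = """\
Received: from mail.bank.example (mail.bank.example [198.51.100.5])
 by mx.example.edu with ESMTP; Thu, 10 Oct 2002 10:00:00 -0400
Received: from dialup-17.isp.example (203.0.113.77)
 by smtp.isp.example; Thu, 10 Oct 2002 10:06:00 -0400
Message-ID: <abc123@smtp.isp.example>
From: Security <alerts@bank.example>
To: victim@example.edu
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_CLAUSE = re.compile(r"\bfrom\s+(\S+)((?:\s*\([^)]*\))*)", re.I)
BY_CLAUSE = re.compile(r"(?<!invoked )\bby\s+(\S+)", re.I)  # skip qmail's "invoked by"
HELO_COMMENT = re.compile(r"\(HELO\s+([^)\s]+)\)", re.I)     # qmail: from unknown (HELO x)
RDNS_COMMENT = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[")        # sendmail: from x (rdns [ip])
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_received(value):
    """Split one Received: value into helo, rdns, ip, by and a UTC-aware time."""
    text = re.sub(r"\s+", " ", value).strip()
    clauses, _, date_part = text.rpartition(";")      # the date follows the last ';'
    when = parsedate_to_datetime(date_part.strip())
    if when.tzinfo is None:                           # "-0000" parses as naive; treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    hop = {"helo": None, "rdns": None, "ip": None, "by": None, "time": when}
    m = FROM_CLAUSE.search(clauses)
    if m:
        name, comments = m.group(1), m.group(2) or ""
        helo, rdns = HELO_COMMENT.search(comments), RDNS_COMMENT.search(comments)
        if helo:   # receiver could not resolve the IP, so the name slot says "unknown"
            hop["helo"], hop["rdns"] = helo.group(1), name
        else:
            hop["helo"], hop["rdns"] = name, (rdns.group(1) if rdns else None)
        ip = IPV4.search(comments) or IPV4.search(name)
        hop["ip"] = ip.group(1) if ip else None
    m = BY_CLAUSE.search(clauses)
    hop["by"] = m.group(1) if m else None
    return hop


def in_domain(host, domain):
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def analyse(raw_headers, drift_tolerance_s=300):
    """Rebuild the hop chain bottom-up and list the discrepancies to chase."""
    msg = message_from_string(raw_headers)
    # get_all() yields the top line first, i.e. the LAST server to touch the
    # message; reverse so hops[0] is the bottom pancake, the origin.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    findings, last_by = [], None
    for i, hop in enumerate(hops):
        if i == 0 and hop["ip"] and any(ipaddress.ip_address(hop["ip"]) in n for n in INTERNAL):
            findings.append(f"origin hop is internal ({hop['ip']}): submitted on the server "
                            "itself, so the real client is only in that server's logs")
        if last_by and hop["helo"] and last_by.lower() not in (
                hop["helo"].lower(), (hop["rdns"] or "").lower()):
            findings.append(f"hop {i}: says it came from {hop['helo']} but the hop below "
                            f"was received by {last_by} (break in the chain)")
        if hop["rdns"] == "unknown":
            findings.append(f"hop {i}: reverse DNS of {hop['ip']} failed; HELO "
                            f"{hop['helo']} is only the client's own claim")
        if i and (hop["time"] - hops[i - 1]["time"]).total_seconds() < -drift_tolerance_s:
            findings.append(f"hop {i}: stamped earlier than the hop below it "
                            "(clock drift or an inserted line)")
        last_by = hop["by"] or last_by
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    msgid_dom = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2]
    if hops and from_dom and hops[0]["by"] and not in_domain(hops[0]["by"], from_dom):
        findings.append(f"From: claims {from_dom} but the first server was {hops[0]['by']}")
    if msgid_dom and from_dom and not in_domain(msgid_dom, from_dom):
        findings.append(f"Message-ID domain {msgid_dom} does not match From: domain {from_dom}")
    return {"hops": hops, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("forged", FORGED)):
        print(label, *analyse(raw)["findings"], sep="\n  ")
```

On the first sample the only findings are the failed reverse lookup on the qmail hop and the loopback origin; on the forgery every one of the slides' checks fires. A finding is a lead, not a verdict: the outsourced-mail and internal-address cases mentioned above produce the same chain breaks legitimately, so each one has to be run down with whois and the server logs.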

Server Logs

• E-mail logs usually identify email messages by:
  – The account that received the message
  – The IP address from which they were sent
  – Time and date (beware of clock drift)

Investigation

• Copy the messages.
• Print hard copies.
• View the headers:
  – Outlook: Options > Details
  – Outlook Express: Properties > Details
  – Eudora: Blah Blah Blah button
  – Pine: S > C > header option
  – Hotmail: Options > Preferences > Mail Display
• Copy headers if necessary.

Tracing Email

Tracking an Email

The two main goals are:
• To find the computer that was used to send the e-mail message, and
• To find the person who was using that computer when the e-mail was sent.

Important Services

• Verification of IP addresses:
  – Regional Internet Registries:
    » APNIC (Asia Pacific Network Information Centre)
    » ARIN (American Registry of Internet Numbers)
    » LACNIC (Latin American and Caribbean IP address Regional Registry)
    » RIPE NCC (Réseaux IP Européens Network Coordination Centre)
  – Whois
  – www.samspade.org (my favorite)
  – Numerous other websites

Important Services

• Domain Name System (DNS) translates between domain names and IP addresses.
  – Name-to-address lookup:
    1. The client parses its HOSTS file.
    2. The client asks the local nameserver.
    3. The local nameserver contacts the nameserver responsible for the domain.
    4. If necessary, it contacts a root nameserver first.
    5. The remote nameserver sends the data back to the local nameserver.
    6. The local nameserver caches the info and informs the client.
  – HOSTS files can be altered.
    • You can use this as a low-tech tool to block pop-ups.
  – Local nameservers can/could be tricked into accepting unsolicited data to be cached (cache poisoning).

• The “Hilary for Senate” case.

1) Do the domain names in the first Received: header and the From: line match?

2) Attempt to "finger [email protected]" to find any information about the user.

3) Use whois to find out where the host is located and who runs it.

4) Perform a thorough search.

5) Address and phone number: if you have the person's name or e-mail address, search Switchboard.

• Finger – address to find user info
• Whois – to determine org info
• Traceroute – location of org and IP
• Telnet (to port 25) – verify valid users with VRFY and RCPT TO

  – http://www.switchboard.com/
  – http://www.middlebury.edu/cgi-bin/WebPh?other_ph_servers
  – http://www.traceroute.org/

telnet fserv2.bu.edu 25
vrfy james
252 <[email protected]>
vrfy xxdd9201
252 <[email protected]>
vrfy bogus2321
252 <[email protected]>
helo from.me
250 fserv2.bu.edu Hello xxxxx-a.xx.on.wave.home.com [xx.xxx.xx.xx], pleased to meet you
mail from: me
250 me... Sender ok
rcpt to: james
250 james... Recipient ok
rcpt to: bogus
250 bogus... Recipient ok
rcpt to: bogus2321
250 bogus2321... Recipient ok
quit
221 fserv2.bu.edu closing connection

Note the replies: 252 means "cannot VRFY user, but will accept the message and attempt delivery", and the made-up names bogus and bogus2321 get the same 252 on VRFY and the same "250 Recipient ok" on RCPT TO as james does. This server confirms nothing about which accounts exist; VRFY and RCPT TO probes only tell you something when a server answers differently for real and bogus names.

6) Last resort
• Contact your own ISP with the information; they might be able to help you.
• If the forger logged into an innocent domain, you could inform the owners that they are being abused.
• If you have found the forger's ISP, you can contact them to get more information about the forger.
• Send the ISP a description of your complaint.
• Search Dejanews to determine if anyone else has received similar messages or if the sender left any rough edges.

References

• Whois Searching
  – Network Solutions - http://www.networksolutions.com/cgi-bin/whois/whois/
  – Internic - http://www.internic.net/whois.html
  – The DOD - http://www.nic.mil.dodnic/
  – The European index (note: this URL is ARIN's, the North American registry; the European registry is RIPE NCC) - http://www.arin.net/whois/index.html
  – The Asia Pacific index - http://www.apnic.net/search/

• Practice, practice, practice.
• Practice forging methods.
• Don't separate e-mail and Usenet tracking from searching the Web, Dejanews and IRC.
• For the best results, track e-mail while it is still fresh.
• People can always deny that they sent an e-mail message, so you will probably need more evidence than a single e-mail or Usenet message to tie them to a crime.
• They are a starting point, not an end point, in an investigation.
• If you do not have an actual e-mail, but only an e-mail address, you can use the eMailTracker tool in VisualRoute to track the user to their e-mail server.
• An added benefit is that you are able to see what SMTP software the mail server is running (often with version information as well).

Email Analysis Tools

• eMailTrackerPro, http://www.visualware.com/personal/products/emailtrackerpro/index.html
• NeoTrace – tracing tool
• SamSpade – excellent tracing tool

Forged Email

• Forging e-mail allows the sender to customize the information that the recipient sees.

• This approach to anonymity is less effective than anonymous re-mailers because forgeries still contain the sender's IP address.

• Forged e-mail gives the receiver a false impression.

Forging Email

• SMTP enables mail communication.
• Many SMTP servers are "open": they do not care who connects and uses them.
• You can use these servers to send your fake or forged email.

SMTP Commands (Minimum Implementation)

• HELO  Identify which host is sending mail
• MAIL  Specify where the mail comes from
• RCPT  Specify where the mail is to go
• DATA  Give the mail data
• RSET  Reset all transaction status
• QUIT  Terminate the SMTP connection
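Added example, not from the original slides: the command sequence above played against a toy open relay in Python, with both sides' lines recorded, to show why the "Forged Email" slides say a forgery still carries the sender's IP. The relay class is constructed for this page (it is not any real MTA); it takes HELO, MAIL FROM and the From: header at face value, which is the forgery, and then inserts the RFC 2821 trace information described earlier: a Received: line whose FROM clause holds the HELO name exactly as given next to the address literal of the connection, and, because it also makes final delivery, a Return-Path: built from the envelope sender. The peer IP 203.0.113.45, the relay and domain names, and the names `OpenRelay` and `forge` are all assumptions for this example.

```python
from datetime import datetime, timezone
from email.utils import format_datetime


class OpenRelay:
    """Minimal SMTP server state machine for the commands listed on this page.

    Constructed for this example (not a real MTA): it authenticates nobody and
    checks neither MAIL FROM nor RCPT TO, which is what makes a relay "open".
    The one thing it cannot be lied to about is the TCP peer address it sees.
    """

    def __init__(self, hostname, peer_ip, peer_rdns=None):
        self.hostname, self.peer_ip, self.peer_rdns = hostname, peer_ip, peer_rdns
        self.helo = None
        self.delivered = []     # messages accepted at end of DATA
        self.transcript = []    # ("C"/"S", line) pairs of the whole exchange
        self.counter = 0
        self._reset()

    def _reset(self):
        self.mail_from, self.rcpts, self.in_data, self.lines = None, [], False, []

    def _reply(self, text):
        self.transcript.append(("S", text))
        return text

    @staticmethod
    def _path(arg):
        """'FROM:<a@b>' or 'TO:<c@d>' -> 'a@b'."""
        return arg.partition(":")[2].strip().strip("<>")

    def command(self, line):
        self.transcript.append(("C", line))
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append(self._stamp("\r\n".join(self.lines)))
                self._reset()
                return self._reply("250 OK")
            self.lines.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            return self._reply(f"250 {self.hostname} Hello {self.helo} [{self.peer_ip}]")
        if verb == "MAIL":
            self.mail_from = self._path(arg)
            return self._reply(f"250 {self.mail_from}... Sender ok")       # no check at all
        if verb == "RCPT":
            self.rcpts.append(self._path(arg))
            return self._reply(f"250 {self.rcpts[-1]}... Recipient ok")    # relays for anyone
        if verb == "DATA":
            if self.mail_from is None or not self.rcpts:
                return self._reply("503 Bad sequence of commands")
            self.in_data = True
            return self._reply("354 send the mail data, end with .")
        if verb == "RSET":
            self._reset()
            return self._reply("250 OK")
        if verb == "QUIT":
            return self._reply(f"221 {self.hostname} closing connection")
        return self._reply("500 Command unrecognized")

    def _stamp(self, body):
        """Trace information as RFC 2821 requires: a Received: line whose FROM
        clause carries the HELO name as the client gave it plus the address
        literal taken from the connection, and, since this relay also makes
        final delivery, a Return-Path: built from the envelope MAIL FROM."""
        self.counter += 1
        now = format_datetime(datetime(2002, 10, 10, 19, 11, 15, tzinfo=timezone.utc))  # fixed clock
        received = (f"Received: from {self.helo} ({self.peer_rdns or 'unknown'} [{self.peer_ip}]) "
                    f"by {self.hostname} with SMTP id {self.counter:06d} for <{self.rcpts[0]}>; {now}")
        return f"Return-Path: <{self.mail_from}>\r\n{received}\r\n{body}"


def forge(relay, helo, envelope_from, rcpt, header_from, subject, body):
    """What a forger types: the HELO name, the envelope sender and the header
    From: are all free text; only the connecting IP is outside their control.
    Returns the message as the relay delivers it."""
    for line in (f"HELO {helo}", f"MAIL FROM:<{envelope_from}>", f"RCPT TO:<{rcpt}>", "DATA"):
        reply = relay.command(line)
        if not reply.startswith(("250", "354")):
            raise RuntimeError(f"{line!r} refused: {reply}")
    header = [f"From: {header_from}", f"To: <{rcpt}>", f"Subject: {subject}",
              f"Message-ID: <000001@{helo}>", ""]
    for line in header + body.splitlines():
        relay.command("." + line if line.startswith(".") else line)  # dot-stuffing
    relay.command(".")
    relay.command("QUIT")
    return relay.delivered[-1]


if __name__ == "__main__":
    # Constructed scenario: the forger dials in from 203.0.113.45 (no reverse
    # DNS) and tells the open relay it is mail.bank.example.
    relay = OpenRelay("relay.example.net", peer_ip="203.0.113.45")
    msg = forge(relay, "mail.bank.example", "ceo@bank.example", "victim@example.edu",
                "CEO <ceo@bank.example>", "Urgent wire", "Please wire the funds today.")
    for who, text in relay.transcript:
        print(f"{who}: {text}")
    print("\n" + msg)
```

In the delivered message every line the forger controlled says bank.example, while the Received: line the relay inserted says `from mail.bank.example (unknown [203.0.113.45]) by relay.example.net`: the HELO name and the address literal disagree, the reverse lookup failed, and the Message-ID domain was chosen by the forger. Those are exactly the discrepancies the "Spotting spoofed messages" slide tells you to look for, and they are why forging is weaker than an anonymous remailer: the connection IP gets written down by a host the forger does not run.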