
Page 1: Tracing IPs A Quick and E-Mail Reviewathena.csus.edu/~cookd/116/notes/CSc 116 - Summer... · • the administration and registration of IP addresses for the entire global Internet

Tracing IPs and E-Mail

Week 4

A Quick Review

A Quick Review…

Sorry CSC 8 Students…
The following slides are a review of CSC 8 material
Some students took this class a while ago, so we need to review some concepts
Sorry, CSC 8 students. This will be redundant.

7/27/2018 Sacramento State - Cook - CSc 116 - Summer 2018 3

Internet Protocol

The Internet uses the Internet Protocol (IP) to identify computers on the network
Benefits:
• easy to implement and extensible
• public and free
• allows all the different networks to communicate
Internet Addresses - IP Address
• the format of addresses used by the Internet
• every device on the Internet has one

Original IPv4 Address Format

Originally, the 4 bytes used in IPv4 were structured into 3 different “classes”
Each allows a different number of owners ("networks") and hosts ("addresses")
Different organizations could get a Class A, B or C block

Original IPv4 Address Format

The classes:
• Class A – 254 networks with 16 million hosts
• Class B – 16,384 networks with 65,536 hosts
• Class C – 2 million networks with 255 hosts
So, there are 16,384 Class B's, each of which has 65,536 unique addresses that it can use at its leisure

IP Addresses Classes

Class A includes the large NSPs such as AT&T
Class B typically contains large businesses and universities
Class C is everyone else

Main IP Classes
Class A   1.0.0.0 … 127.255.255.255
Class B   128.0.0.0 … 191.255.255.255
Class C   192.0.0.0 … 223.255.255.255

Network Address Translation

How can you have more than one device at a home or business use the Internet?
NAT (Network Address Translation)
• allows multiple computers to use private IP addresses and all share one public IP address
• it basically implements your own private Internet

Sharing an IP

The local network uses just one public IP
The outside world only sees one!
Allows…
• small businesses and individual users to get Internet access at a low cost
• a range of addresses does not need to be bought from an ISP – just one
• this is how most “coffee-shop” wireless networks work

How do they pull this off?

In each “class”…
• there is a special internal-use-only address range
• anyone can use these
These are not used on any public computer
• hence, there is no confusion in the internal network between the outside world and internal addresses
• this feature has allowed the Internet to stay up long after the IPv4 address space was exhausted

IP Addresses Revisited

Special internal use only (RFC 1918 non-routable)
Also 127.ANY loopback (127.0.0.1)

Internal Use IP Addresses
Class A   10.0.0.0 … 10.255.255.255
Class B   172.16.0.0 … 172.31.255.255
Class C   192.168.0.0 … 192.168.255.255
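Worked example, added for this review and not code from the slides: a small Python classifier that applies the two tables above to any IPv4 address, reporting its original class, whether it is an RFC 1918 or loopback address, and therefore whether an RIR WHOIS lookup could ever name an owner for it. The sample addresses in the __main__ block are the ones from the deck's NAT figure.

```python
"""Classify an IPv4 address the way the slides do: original class (A/B/C by
first octet) and whether it falls in an RFC 1918 private range or loopback.
Added example for this review, not code from the CSc 116 slides."""
import ipaddress

# Original classful ranges from the "Main IP Classes" table.
CLASS_RANGES = {
    "A": (ipaddress.IPv4Address("1.0.0.0"), ipaddress.IPv4Address("127.255.255.255")),
    "B": (ipaddress.IPv4Address("128.0.0.0"), ipaddress.IPv4Address("191.255.255.255")),
    "C": (ipaddress.IPv4Address("192.0.0.0"), ipaddress.IPv4Address("223.255.255.255")),
}

# RFC 1918 internal-use blocks from the "Internal Use IP Addresses" table,
# written as CIDR networks so membership tests are exact.
PRIVATE_NETS = {
    "A": ipaddress.IPv4Network("10.0.0.0/8"),       # 10.0.0.0 … 10.255.255.255
    "B": ipaddress.IPv4Network("172.16.0.0/12"),    # 172.16.0.0 … 172.31.255.255
    "C": ipaddress.IPv4Network("192.168.0.0/16"),   # 192.168.0.0 … 192.168.255.255
}
LOOPBACK_NET = ipaddress.IPv4Network("127.0.0.0/8")  # "127.ANY"


def classify(ip_text):
    """Return a dict describing the address: its original class, whether it
    is a non-routable RFC 1918 address or loopback, and therefore whether a
    WHOIS lookup at an RIR could identify an owner for it."""
    ip = ipaddress.IPv4Address(ip_text)
    ip_class = None
    for name, (low, high) in CLASS_RANGES.items():
        if low <= ip <= high:
            ip_class = name
            break
    private_block = None
    for net in PRIVATE_NETS.values():
        if ip in net:
            private_block = str(net)
            break
    loopback = ip in LOOPBACK_NET
    return {
        "address": str(ip),
        "class": ip_class,            # None for class D/E or 0.x.x.x
        "rfc1918_block": private_block,
        "loopback": loopback,
        # Only a public address has an owner of record in an RIR database.
        "whois_traceable": private_block is None and not loopback and ip_class is not None,
    }


def triage(addresses):
    """Split addresses seen in a log into those worth tracing at an RIR and
    those that only exist behind a NAT (or on the local machine)."""
    traceable, internal = [], []
    for a in addresses:
        info = classify(a)
        (traceable if info["whois_traceable"] else internal).append(info["address"])
    return traceable, internal


if __name__ == "__main__":
    # Constructed sample: addresses from the deck's NAT figure plus loopback.
    for a in ["10.0.0.3", "130.86.12.66", "218.76.29.7", "172.20.1.5", "127.0.0.1"]:
        print(classify(a))
```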

How it Works

Outgoing packets of data...
• the source address (the computer that sent it) is replaced with the shared NAT IP address
• so, sender (internal) address → shared NAT IP
• responses will be sent to the shared NAT IP
Incoming packets of data...
• the NAT IP address is replaced by the internal address
• so, shared NAT IP → internal address
• hence, the data reaches the correct internal computer
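A minimal model of the rewrite just described, added as an example (not the slides' code). It goes one step beyond the slide: a real NAT router keeps a translation table keyed by port so that replies can be handed back to the right internal host, which is also why the destination only ever sees the shared address. The addresses are the ones from the deck's NAT figure; the port numbers are constructed.

```python
"""Toy NAT: rewrite outbound source addresses to one public IP and map
replies back through a translation table. Added example, not from the
slides; the table-by-port detail goes beyond what the slide states."""


class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # public port -> (internal ip, internal port)
        self.reverse = {}  # (internal ip, internal port) -> public port

    def outbound(self, pkt):
        """Internal host -> Internet: replace the source with the shared NAT IP."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.reverse:
            port = self.next_port          # allocate a fresh public port
            self.next_port += 1
            self.table[port] = key
            self.reverse[key] = port
        out = dict(pkt)
        out["src"] = self.public_ip
        out["sport"] = self.reverse[key]
        return out

    def inbound(self, pkt):
        """Internet -> internal host: put the internal address back using the
        table; drop anything with no matching entry (unsolicited traffic)."""
        if pkt["dst"] != self.public_ip or pkt["dport"] not in self.table:
            return None
        src, sport = self.table[pkt["dport"]]
        back = dict(pkt)
        back["dst"], back["dport"] = src, sport
        return back


def run_example():
    """Replay the figure: 10.0.0.3 behind NAT 130.86.12.66 talks to 218.76.29.7."""
    nat = Nat("130.86.12.66")
    req = {"src": "10.0.0.3", "sport": 51000, "dst": "218.76.29.7", "dport": 80}
    on_wire = nat.outbound(req)                       # what the Internet sees
    reply = {"src": "218.76.29.7", "sport": 80,
             "dst": on_wire["src"], "dport": on_wire["sport"]}
    delivered = nat.inbound(reply)                    # handed to 10.0.0.3
    # A second host using the same source port gets its own public port.
    req2 = {"src": "10.0.0.2", "sport": 51000, "dst": "218.76.29.7", "dport": 80}
    on_wire2 = nat.outbound(req2)
    # Traffic nobody inside asked for has no table entry and is dropped.
    unsolicited = nat.inbound({"src": "218.76.29.7", "sport": 80,
                               "dst": "130.86.12.66", "dport": 22})
    return on_wire, delivered, on_wire2, unsolicited


if __name__ == "__main__":
    for step in run_example():
        print(step)
```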

Example: (S = Sender, D = Destination)

(Figure: a home network with hosts 10.0.0.1, 10.0.0.2 and 10.0.0.3 behind a NAT router whose public address is 130.86.12.66, exchanging packets with 218.76.29.7 on the Internet. Packet labels shown in the figure:)
S 130.86.12.66   D 218.76.29.7
S 130.86.12.66   D 10.0.0.3
S 218.76.29.7    D 130.86.12.66
S 10.0.0.3       D 130.86.12.66

Servers and Ports

Programs that provide a service are called “Servers”
We use the term synonymously with computers designed to provide services (which gets confusing)

Servers and Ports

Each service has a unique # called a port
• similar to the concept of the physical ports on your computer – USB, etc…
• but, it only exists in software
Ports are a 16-bit number
• which gives a total of 65,536 ports
• built into TCP/UDP – so it is part of the Internet

Servers and Ports

The special software on the server computer that “listens” on a port is called a daemon
It is important to understand how this works
• each service represents a different type of connection between two computers
• it is vital to interpreting server logs

Some Common Network Ports

Port   Name            Notes
20     FTP – Data      Data for File Transfer Protocol
21     FTP – Control   Control commands for FTP
25     SMTP            Simple Mail Transfer Protocol
54     DNS             Domain Name Service
80     HTTP            Hypertext Transfer Protocol
110    POP3            Post Office Protocol
443    HTTPS           Secure HTTP

IP Tracing

Finding who owns an IP Address

Who Controls IP Addresses?

So who controls IP addresses anyway?
IP addresses are allocated to organizations by Regional Internet Registries (RIRs)
Currently, there are 5 RIRs worldwide

Who Controls IP Addresses?

Responsible for:
• the administration and registration of IP addresses for the entire global Internet
• each RIR controls different geographical areas
Each RIR maintains a public database that identifies the organizations that have received addresses
Often they are ISPs and large corporations

Who Controls IP Addresses?

Organizations can …
• sub-delegate blocks of their IP addresses to other organizations
• this information is also entered into the RIR databases
• so, IP addresses are sold and resold
• … yes, they are an international commodity!

The Five RIRs

African Network Information
Asia Pacific Network Information
American Registry for Internet Numbers
Latin American and Caribbean Internet Addresses Registry
Réseaux IP Européens Network Coordination Centre

5 Regional Internet Registries

RIR        Website          Service Region
ARIN       www.arin.net     North America
APNIC      www.apnic.net    Asia and Pacific Region
RIPE NCC   www.db.ripe.net  Europe, Russia, Middle East
LACNIC     www.lacnic.org   South & Central America
AfriNIC    www.afrinic.net  Africa

Regional Internet Registries

IP Address Tracing

Access to the RIR databases is provided through the WHOIS Internet service
You can search for point-of-contact and registration information based on an IP address.
Easiest when…
• done through one of the RIR web sites.
• some specialized software and command-line utilities are available to do searches.
• accuracy is best assured when searches are done through the web site

IP Address Tracing

Step 1: Go to RIR Website

The ARIN database is a good place to start for investigators in North America.
It will report which database contains the record if it does not belong to ARIN.
http://ws.arin.net/whois

Step 2: Enter the IP address

Enter the IP address in the “SEARCH WHOIS” text box
Click on the “SEARCH WHOIS” text.
130.86.75.26

Step 3: Locate the Point-of-Contact

The information returned may be in a hierarchical tree, or…
may show the name of the organization without contact information.
Either of these two results requires additional steps.

Hierarchical Tree

The organization at the bottom of the tree has obtained its IP address from the organization listed above it.

Hierarchical Tree

Click on the link to the right of the organization’s name that begins with “NET” (the Net Handle link)
The next screen will show the organization’s point-of-contact information.
Phone numbers or web sites for the organizations listed can often be found with Google, etc...

Finding a Computer’s IP Address

How to find your home IP address:
• click on Start, Run, and type “cmd”
• in the new window type “ipconfig /all”
• if you have a home router, then you will need to use your browser to log in to the router and look up the IP address that your ISP has assigned to you

E-Mail Overview

Introduction

It is the dominant way we communicate
E-mail is not new and has existed since the 1970s
It was traditionally accessed using specialized software
However, with the birth of the World Wide Web and webmail, e-mail is accessible to everyone

Introduction

As the Internet revolutionized society, e-mail followed
Today, e-mail is one of the most common forms of communication
• … from normal messages, to corporate communications, to criminal activities
• incriminating evidence and other activities can be found in e-mail

Importance of E-Mail as Evidence

E-mail evidence is typically used to corroborate or refute other testimony or evidence
People see e-mail as informal and tend to be “less guarded”
As a result, e-mail may contain …
• personal thoughts and desires
• incriminating information that the suspect would never have written down

Importance of Mail Servers

The e-mail server may have archived copies of messages
As a result, you can get a discovery request for received and sent e-mail
Different companies have different e-mail retention policies

Importance of E-Mail as Evidence

Many cases provide examples of the use of e-mail as evidence
• Knox v. State of Indiana
• Harley v. McCoach
• Nardinelli et al. v. Chevron
• Adelyn Lee v. Oracle Corporation
• Enron

Adelyn Lee v. Oracle Corporation

Adelyn Lee had been fired from the Oracle Corporation
She filed suit claiming wrongful termination
• she claimed she was fired, by her supervisor, for not having sex with CEO Larry Ellison
• discovery found an e-mail from her supervisor to the CEO stating “I have terminated Adelyn per your request.”

Adelyn Lee v. Oracle Corporation

She was awarded $100,000 in a settlement
However…
• the supervisor was adamant that he never sent the e-mail and that no crime had been committed
• forensic analysis was performed on the e-mail and found that it was a forgery!

Adelyn Lee v. Oracle Corporation

Oracle was able to show:
• she had logged onto her supervisor’s computer, using his password, and forged the e-mail
• she then planted the e-mail to be “discovered”
• Oracle sued for perjury and falsification of evidence

Enron

CFO Andrew Fastow and other executives were able to hide billions in debt from failed deals and projects from the investors
Financial institutions helped Enron manipulate its numbers and mislead investors

Enron

Investigation found “explosive” e-mails
• from Arthur Andersen (Enron’s accounting firm) and J.P. Morgan Chase (bank)
• proved that they knew how Enron was hiding its debt

E-Mail Retention….

E-Mail Technical Basics

Two standard methods of sending/receiving e-mail:
• client / server applications
• webmail
Both methods are actually identical “behind the scenes”
Special protocols are used on the Internet to send/receive e-mail

E-Mail Technical Basics

E-mail uses SMTP to send messages and POP (or IMAP) to retrieve them
Even if you use webmail, these are being implemented behind the scenes

E-Mail Protocols

SMTP
• Simple Mail Transfer Protocol
• used to send e-mail
• like dropping a letter in a mailbox
POP
• Post Office Protocol
• used to retrieve e-mail
• like picking up a letter from the post office

E-Mail Protocols

IMAP
• Internet Message Access Protocol
• newer standard that is used to retrieve e-mail
• most e-mail servers support both IMAP and POP

Webmail Data Flow

User opens a browser and logs in to the webmail
The webmail server has already placed mail in the Inbox
User uses the compose function followed by the send function to create and send mail
The web client communicates behind the scenes with the webmail server to send the message
No e-mails are stored on the local PC; the webmail provider houses all e-mail

Working with Mail Servers

E-mail servers contain the software necessary to handle e-mail protocols and services
Contains logs…
• e-mail content
• sending IP address
• receiving and reading date and time
• system-specific information

Working with Mail Servers

Contact the suspect’s network e-mail admin as soon as possible
Different companies have different e-mail retention policies
A company’s best interest is to archive as little as possible
• less evidence if they did something
• less work for e-Discovery

E-Mail Retention….

E-Mail Format

There is order to the chaos

E-Mail Headers

Only a small part of an e-mail is normally visible to the user
Messages contain two parts:
• the body contains the message that you write and read
• the header contains information about the message

E-Mail Headers

The header contains obvious information such as who the e-mail is from and sent to
The header also contains information about:
• the type of contents – plain text, HTML, etc…
• when it was sent
• hash values
• all the servers it passed along the way
Most e-mail clients…
• only show a few items in the header
• most have an option to show complete details

E-Mail Addresses

The most common parts of the e-mail header are the logical addresses of senders and receivers
A logical address is composed of two parts
• the mailbox, which comes before the @ sign
• the hostname, which comes after the @ sign

The Move to Multimedia

Originally e-mail was text-only
Of course, in the 1970s and 80s computers only really displayed text
But, with multimedia, users wanted to make text bold, add pictures, etc…
RFC 2045 … RFC 2049
• extended e-mail to carry attachments and contain HTML and other markup formatting
• together these are called the Multipurpose Internet Mail Extensions (MIME)

E-Mail Headers

E-Mail never loses its head

Header

The e-mail header is broken into a number of different “fields” that contain information about the e-mail itself
These can include information about how the e-mail moved over the Internet, its format, and more….

Header

When collecting e-mail, investigators MUST also get the header information
Otherwise…
• a vast amount of forensic data is lost
• it is impossible to prove it is unaltered

Some Visible Fields

Field     What it Does
To        The main recipient of the e-mail
From      The “official” source. Commonly forged.
CC        Carbon Copy – copies sent to each recipient
BCC       Blind Carbon Copy – each sent separately
Subject   The subject of the e-mail

Some Hidden (but important) Fields

Field          What it Does
Content-Type   This is the last field in the e-mail. It tells the e-mail viewer the format used by the message.
Message-ID     Unique identifier created by the server
Received       Every server that receives the message appends a Received field to the header
X-Priority     Used by server software to mark if something is spam, high-priority, etc….

X-MSK: CML=2.771000
Return-Path: [email protected]
Received: from mx69.stngva01.us.mxservers.net (204.202.242.140)
 by mail11a.verio-web.com (RS ver 1.0.95vs) with SMTP
 id 0-0444218450
 for <[email protected]>; Sun, 28 Mar 2010 22:07:31 -0400 (EDT)
Received: from unknown [202.75.49.135] (EHLO alorakar.cynethost.com)
 by va1-mx69.stngva01.us.mxservers.net (mxl_mta-3.1.0-05)
 with ESMTP id 16b00bb4.2587503520.346007.00-007.va1
 mx69.stngva01.us.mxservers.net (envelope-from
 <[email protected]>);
 Sun, 28 Mar 2010 22:07:29 -0400 (EDT)
Received: from 214.187.50.60.cbj01-home.tm.net.my ([60.50.187.214] helo=CEC)
 by alorakar.cynethost.com with esmtpa (Exim 4.69)
 (envelope-from <[email protected]>)
 id 1Nw4Nw-0001yz-Om
 for [email protected]; Mon, 29 Mar 2010 10:07:25 +0800
Reply-To: [email protected]
Message-ID: <[email protected]>
From: "Seminar" <[email protected]>
To: <[email protected]>
Subject: Mini Workshop : Create Your Own Website For Free
Date: Mon, 29 Mar 2010 10:01:26 -0800
MIME-Version: 1.0
Content-Type: text/html;
 charset="US-ASCII"

Received Field

A "Received" field is appended to the top of the message by every server that handles the e-mail
It records the computer the message was received from and the time/date
This is vital to showing how:
• the message got from Point A to Point B
• and often can be used to prove a forgery!

Received Field

(Figure: the message passes through servers A, B and C in turn. After A the header holds "Received A"; after B it holds "Received B" above "Received A"; after C it holds "Received C", "Received B", "Received A", newest on top.)
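Added example (not from the slides): parsing the Received chain of a raw header with Python's email module, walking it bottom-up as the slides describe and checking that hop timestamps move forward and that the Date header is not later than final delivery. The sample header is constructed to mirror the seminar spam shown above, with placeholder mailboxes; it reproduces that message's tell, a Date header (10:01 -0800 on the 29th) stamped hours after the last Received line (22:07 -0400 on the 28th).

```python
"""Walk a header's Received chain: the top Received line is the last hop,
the bottom one is the first server that handled the message. Added example
for this review; the sample header is constructed (server names and IPs
modelled on the slide, mailboxes are placeholders)."""
import email
import re
from email.utils import parsedate_to_datetime

SAMPLE = """Return-Path: <seminar@cynethost.example>
Received: from mx69.stngva01.us.mxservers.net (204.202.242.140)
 by mail11a.verio-web.com (RS ver 1.0.95vs) with SMTP
 id 0-0444218450
 for <victim@example.com>; Sun, 28 Mar 2010 22:07:31 -0400 (EDT)
Received: from unknown [202.75.49.135] (EHLO alorakar.cynethost.com)
 by va1-mx69.stngva01.us.mxservers.net (mxl_mta-3.1.0-05)
 with ESMTP id 16b00bb4.2587503520.346007.00-007.va1
 (envelope-from <seminar@cynethost.example>);
 Sun, 28 Mar 2010 22:07:29 -0400 (EDT)
Received: from 214.187.50.60.cbj01-home.tm.net.my ([60.50.187.214] helo=CEC)
 by alorakar.cynethost.com with esmtpa (Exim 4.69)
 (envelope-from <seminar@cynethost.example>)
 id 1Nw4Nw-0001yz-Om
 for victim@example.com; Mon, 29 Mar 2010 10:07:25 +0800
From: "Seminar" <seminar@cynethost.example>
To: <victim@example.com>
Subject: Mini Workshop : Create Your Own Website For Free
Date: Mon, 29 Mar 2010 10:01:26 -0800
MIME-Version: 1.0
Content-Type: text/html; charset="US-ASCII"

(body omitted)
"""

# "from <host> ... by <host>"; DOTALL because values may span folded lines.
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)


def parse_hops(raw):
    """Return hops in transit order (origin first) as (from, by, datetime)."""
    msg = email.message_from_string(raw)
    hops = []
    for field in msg.get_all("Received", []):
        text = " ".join(field.split())            # unfold continuation lines
        m = HOP_RE.search(text)
        frm, by = (m.group(1), m.group(2)) if m else ("?", "?")
        try:                                      # timestamp follows the last ';'
            when = parsedate_to_datetime(text.rsplit(";", 1)[-1].strip())
        except (ValueError, TypeError):
            continue                              # malformed hop: skip it
        hops.append((frm, by, when))
    hops.reverse()                                # bottom of header = first hop
    return hops


def origin_ip(raw):
    """IP the first handling server saw the message arrive from (bottom
    Received line): the address an investigator would take to WHOIS."""
    received = email.message_from_string(raw).get_all("Received", [])
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1])
    return m.group(1) if m else None


def timeline_problems(raw):
    """List inconsistencies: a hop stamped earlier than the previous hop, or a
    Date header later than the final delivery time."""
    hops = parse_hops(raw)
    problems = []
    for (_, by1, t1), (_, by2, t2) in zip(hops, hops[1:]):
        if t2 < t1:
            problems.append(f"{by2} stamped {t2.isoformat()} before {by1} at {t1.isoformat()}")
    date_hdr = email.message_from_string(raw)["Date"]
    if date_hdr and hops:
        sent = parsedate_to_datetime(date_hdr)
        if sent > hops[-1][2]:
            problems.append(f"Date header {sent.isoformat()} is after delivery {hops[-1][2].isoformat()}")
    return problems


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE):
        print(hop)
    print("origin IP:", origin_ip(SAMPLE))
    print("problems:", timeline_problems(SAMPLE))
```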

Example

X-MSK: CML=2.501000
Received: from smtp1.csus.edu (130.86.90.248) by
 smtp.saclink.csus.edu (130.86.80.131) with Microsoft
 SMTP Server id 8.2.247.2; Tue,6 Apr 2013 19:39:55 -0700
Received: from col0-omc2-s13.col0.hotmail.com ([65.55.34.87])
 by mail1.csus.edu with ESMTP; 06 Apr 2013 19:39:54 -0700
Received: from COL107-W21 ([65.55.34.71]) by
 col0-omc2-s13.col0.hotmail.com with Microsoft
 SMTPSVC(6.0.3790.3959); Tue, 6 Apr 2013 19:39:54 -0700
From: Devin Cook <[email protected]>
To: "[email protected]" <[email protected]>
Date: Tue, 6 Apr 2013 19:39:54 -0700
Subject: Hackers and Crackers
Thread-Topic: Hackers and Crackers
Thread-Index: AcrV+5tSX+fzEPJKQVqqwYkpDbgncg==
Message-ID: <[email protected]>
Accept-Language: en-US
Content-Language: en-US

Received Field

Sometimes, a gateway will create an additional hash value when it appends the Received field to the message header
This is in addition to the original Message-ID – it is not related
Every server may use a different format:
• often, this is a hexadecimal value that resets every day
• it can be used to give further information about the time window in which the message passed through

Message-ID Field

The Message-ID field is used to uniquely identify a specific copy of a specific e-mail
• “provides a unique message identifier that refers to a particular version of a particular message”
• “Though optional, every message SHOULD have a ‘Message-ID:’ field”
The Message-ID is created by the first server that receives the e-mail
Server logs can be searched for this ID to find additional information

Message-ID Field

The contents of the ID are determined by the server software
• it usually contains the date/time in some form, but this is not always the case
• the ID is computer-friendly, not human-friendly: “machine readable and not necessarily meaningful to humans”
The ID might be a number displayed in either decimal or hexadecimal

Message-ID Example

To: "[email protected]" <[email protected]>
Date: Tue, 6 Apr 2013 19:39:54 -0700
Subject: Bowties are cool!
Thread-Topic: Bowties are cool!
Thread-Index: AcrV+5tSX+fzEPJKQVqqwYkpDbgncg==
Message-ID: <[email protected]>
Accept-Language: en-US
Content-Language: en-US

Example: Message-ID on UNIX Servers

<date/time integer> . <server> . <domain>

Example UNIX Message-ID

UNIX e-mail servers use an integer that represents the date/time
It is stored as "number of microseconds since midnight, January 1, 1970, Greenwich Mean Time"
Message-ID: <[email protected]>
3989F5A3 Hex
965,342,627 Decimal
Aug 3, 2000 18:43
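Added example (not from the slides) that decodes the leading integer of a UNIX-style Message-ID and checks it against the Date header. The integer is treated here as seconds since the 1970 epoch, which reproduces the slide's own numbers (3989F5A3 hex = 965,342,627 = Aug 3, 2000 at 22:43 UTC, i.e. 18:43 US Eastern Daylight Time); both hex and decimal forms are tried because the slides say either may appear. The Message-ID strings used are constructed.

```python
"""Recover a timestamp from a <integer>.<server>.<domain> Message-ID and
compare it with the Date header. Added example; epoch-seconds interpretation
is an assumption that matches the slide's worked numbers."""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Leading token inside the angle brackets, up to the first '.' or '@'.
ID_RE = re.compile(r"<([0-9A-Fa-f]+)[.@]")

# Plausible e-mail era: 1990-01-01 .. 2100-01-01 as epoch seconds.
EARLIEST, LATEST = 631152000, 4102444800


def decode_message_id(message_id):
    """Return {"hex": dt, "decimal": dt} for every reading of the leading
    token that lands in a plausible date range (either key may be absent)."""
    m = ID_RE.search(message_id)
    if not m:
        return {}
    token = m.group(1)
    candidates = {}
    for base, label in ((16, "hex"), (10, "decimal")):
        try:
            value = int(token, base)
        except ValueError:          # e.g. token has A-F digits, so not decimal
            continue
        if EARLIEST <= value <= LATEST:
            candidates[label] = datetime.fromtimestamp(value, tz=timezone.utc)
    return candidates


def consistent_with_date(message_id, date_header, tolerance=timedelta(hours=24)):
    """True when some reading of the ID lies within `tolerance` of the Date header;
    a large gap suggests the ID or the Date header was not produced honestly."""
    sent = parsedate_to_datetime(date_header)
    return any(abs(ts - sent) <= tolerance
               for ts in decode_message_id(message_id).values())


if __name__ == "__main__":
    # Constructed IDs using the slide's hex and decimal values.
    print(decode_message_id("<3989F5A3.mail.example.com@example.com>"))
    print(decode_message_id("<965342627.mail.example.com@example.com>"))
```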

Example

Let's look at the raw text of a rather interesting SPAM e-mail I received
It appears that – none other than Bill Gates himself – is giving me money!
All I have to do is send him my personal data

An Actual Mail – Snippet of Body

I BILL GATES and my wife decided to donate the sum of
$5,000,000,00 USD to you as part of our charity project to
improve the 10 lucky individuals all over the world from
our $65 Billion Usd I and My Wife Mapped out to help
people. We prayed and searched over the internet for
assistance and i saw your profile on Microsoft email owners
list and picked you. Melinda my wife and i have decided to
make sure this is put on the internet for the world to see.
as you could see from the webpage above,am not getting any
younger and you can imagine having no much time to live.
although am a Billionaire investor and we have helped some
charity organizations from our Fund.

Phishing Header

Delivered-To: [email protected]
Received: by 10.200.53.157 with SMTP id k29csp1646889qtb;
 Tue, 31 May 2016 13:53:58 -0700 (PDT)
X-Received: by 10.98.95.197 with SMTP id t188mr111239pfb.162.1464728038931;
 Tue, 31 May 2016 13:53:58 -0700 (PDT)
Return-Path: <[email protected]>
Received: from APC01-PU1-obe.outbound.protection.outlook.com (mail-
 pu1apc01hn0208.outbound.protection.outlook.com. [104.47.126.208])
 by mx.google.com with ESMTPS id ag11si13199508pac.34.2016.05.31.13.53.57
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Tue, 31 May 2016 13:53:58 -0700 (PDT)
Received-SPF: neutral (google.com: 104.47.126.208 is neither permitted nor denied by best guess
 record for domain of [email protected]) client-ip=104.47.126.208;
Authentication-Results: mx.google.com;
 spf=neutral (google.com: 104.47.126.208 is neither permitted nor denied by best guess
 record for domain of [email protected]) [email protected]
Authentication-Results: gmail.com; dkim=none (message not signed)
 header.d=none;gmail.com; dmarc=none action=none header.from=tthfghfhf.ma.tn;
Received: from [100.65.94.64] (116.203.77.121) by
 ME1PR01MB0787.ausprd01.prod.outlook.com (10.169.165.11) with Microsoft SMTP
 Server (TLS) id 15.1.506.9; Tue, 31 May 2016 20:53:47 +0000
Content-Type: text/plain; charset="iso-8859-1"

E-Mail Attachments

But, wait, isn't email just text?

Attachments

E-mail is simply ASCII text – that’s it!
But, we often attach binary files such as images, MP3s (that we have legally), etc….
So, how do you send attachments?

Attachments

The MIME standard specifies a standard for sending binary files as text using “Base64”
It is easy to recognize, and you can find attachments in unallocated or slack space

Base64

Base64 is a clever way of re-encoding bytes into plain text
It is done in such a way that it does not conflict with the rest of the e-mail message
The “64” comes from the fact that the binary value of the bytes is displayed as a base-64 number

All Your Base….

In binary (base 2)…
• we just need two different symbols
• so, we use 1 and 0
In hexadecimal (base 16)…
• each digit has 16 distinct values
• we use A…F to represent the values 10…15
• this gives a total of 16 symbols

Representing Base-64 Numbers

For Base-64, we need 64 symbols
Using 0…9, a…z, A…Z gives a total of 62 characters. Almost there!
The MIME specification uses + and / for the last 2 characters.

Base64 Index Table

How it works

Note: 64 = 2^6
So, in each base-64 symbol we can store 6 bits
That's almost a full byte…
Base-64 uses a math trick:
• 3 × 8 = 24 and 4 × 6 = 24
• so, 3 bytes can be stored using 4 six-bit numbers

How it works

As a result…
• attachments are stored as a long series of 6-bit characters in groups of 4
• characters that are not needed for the last 4-character group are padded with =

Base64 Encoding Example

ASCII         S         a         c
Byte          83        97        99
Bits          01010011  01100001  01100011
Regrouped     010100  110110  000101  100011
6-bit value   20      54      5       35
Base64        U       2       F       j

Sac State Logo.bmp (16×27 pixel) in Base-64

Qk2qAAAAAAAAAD4AAAAoAAAAEAAAABsAAAABAAEAAAAAAGwA
AADEDgAAxA4AAAAAAAAAAAAAAAAAAP///wD4PwAA/48AAPhH
AADhxwAAw8MAAMeFAACPhAAAnwQAAD4MAAD8GAAA+DgAAPBw
AADg4QAAwcEAAIODAACHBwAADg8AABwfAAA4PwAAMH8AADD/
AACh/wAAo/8AAOP/AADz/wAA+f8AAPx/AAA=

"Banks of Sacramento" in Base-64

And it's blow, winds, blow, for Californio!
For there's plenty of gold,
So I've been told, On the banks of the Sacramento!

QW5kIGl0J3MgYmxvdywgd2luZHMsIGJsb3csIA0KZm9yIENhb
Glmb3JuaW8hDQpGb3IgdGhlcmUncyBwbGVudHkgb2YgZ29sZC
wgDQpTbyBJJ3ZlIGJlZW4gdG9sZCwgDQpPbiB0aGUgYmFua3M
gb2YgdGhlIFNhY3JhbWVudG8hIA==