Email Tracing COEN 152 / 252 Computer Forensics Thomas Schwarz, S.J. 2006.
-
Upload
elizabeth-goodman -
Category
Documents
-
view
227 -
download
5
Transcript of Email Tracing COEN 152 / 252 Computer Forensics Thomas Schwarz, S.J. 2006.
Email Tracing
COEN 152 / 252Computer Forensics
Thomas Schwarz, S.J. 2006
Email Investigations: Overview
Email has become a primary means of communication.
Email can easily be forged. Email can be abused
Spam Aid in committing a crime … Threatening email, …
Email Investigations: Overview Email evidence:
Is in the email itself Header Contents
In logs: Left behind as the email travels from sender to
recipient. Law enforcement uses subpoenas to follow the
trace. System admins have some logs under their control.
Notice: All fakemailing that you will be learning can be easily traced.
Email Fundamentals Email travels from originating computer to the
receiving computer through email servers. All email servers add to the header. Use important internet services to interpret
and verify data in a header.
Email Fundamentals
Typical path of an email message:
ClientMail Server
Mail Server
Mail Server
Client
Internet Basics
IP Address – IPv4 IP Address – IPv6 IP Address Types Hostnames & DNS Email Routing Resources
Internet Basics:IP Address – IPv4 Dominant standard for addressing 32 bit address space
4 bytes 232 or 4.3B addresses Typical representation is 4 octets
Ranges from 0.0.0.0 to 255.255.255.255 E.g. – 209.191.122.70
Integer representation is 3,518,986,822 Almost a 30 year old standard >90% of all IPv4 addresses allocated
Internet Basics:IP Address – IPv6 Next Generation of Internet addressing 128 bit address space
16 bytes 2128 or 3.4×1038 340 trillion trillion trillion 340,000,000,000,000,000,000,000,000,000,000 000,000
Represented as 8 hexadecimal numbers Ranges from 0:0:0:0:0:0:0:0 to
FFFF:FFFF:FFFF:FFFF: FFFF:FFFF:FFFF:FFFF Examples (with shorthand notation)
2001:db8:1f70::999:de8:7648:6e8 FF3E:40:2001:dead:beef:cafe:1234:5678
10+ years of deployment, but still maturing
Internet Basics:IP Address Types Public / Private
Some addresses are public or externally visible Others are private or internal to an organization RFC 3330 defines these ranges and their purpose The most commonly seen “private” addresses
10.0.0.0 – 10.255.255.255 172.16.0.0 – 172.31.255.255 192.168.0.0 – 192.168.255.255
Private addresses are unroutable externally Proxies
Anonymizers, Satellites, International and Regional
Internet Basics:IP Address Types (cont) Static / Dynamic addresses
Some IP addresses are statically assigned to a single computer
Typically infrastructure and/or servers Some are shared by multiple computers using
NAT or DHCP within a local organization Many organizations use Network Address
Translation (NAT) NAT boxes – single externally visible IP address Incoming packet examined and routed
according to the source address and port number
Forwarded to an internal, private IP address
Internet Basics:Hostnames & DNS DNS is the Domain Name System Translates between human friendly
host/domain names (e.g. www.yahoo.com) and machine friendly IP addresses
Forward DNS Lookup “dig www.yahoo.com” or “nslookup
www.yahoo.com” www.yahoo.com 209.191.122.70
Reverse DNS Lookup “dig –x 209.191.122.70” or “nslookup
209.191.122.70” 209.191.122.70 www.yahoo.com
Internet Basics:Hostnames & DNS
DNS Overview Conceptually a cached hierarchy of
host/domain name assignments and IP addresses
Each node is a name server Requests originate local to the user and
escalate “up” only as far as necessary, then “down” as soon as possible – tree traversal
DNS Root servers are at the “top”
Internet Basics:Hostnames & DNS DNS Overview (continued)
Searches start with the “local host” file Missing or stale entries escalate up Local name server is the first stop, then
usually the local ISP’s up through to the Root Name Servers as necessary
Once an authoritative, responsible name server is found, the search is downward focused until the specific machine name/address is found.
Internet Basics:Hostnames & DNS DNS Overview (continued)
Complete escalation is usually not required, as caching is extensively used
The local “host file” file can be altered Can be used to block pop-ups and bad websites
E.g., Spybot uses this as a preventative technique Malware can use this “feature” as well
Local name servers can/could be injected with malicious data
See the “Hillary for Senate” case
Internet Basics:Resources
Internet Assigned Numbers Authority Responsible for the global coordination
of the DNS Root, IP addressing, and other Internet protocol resources
Managed resources include Port Numbers Autonomous Systems Numbers Top Level Domains (TLDs)
www.iana.org
Internet Basics:Resources (cont) Regional Internet Registries
Five regions APNIC – Asia and the Pacific region ARIN – North America (the first registry, legacy entries) LACNIC – Latin American and Caribbean RIPE – Europe AfriNIC – Africa
Regionally allocates IP addresses to orgs Each provides IP address “whois”
services i.e. who is responsible for an IP address
Internet Basics:Resources (cont) IP address top level allocations and registry
assignments www.iana.org/assignments/ipv4-address-space
whois Regional Internet registries definitive source DNSStuff - http://www.dnsstuff.com
alternative whois provides owner, location, contact info
Geolocation Maxmind - www.maxmind.com
Internet Basics:Resources (cont)
Hostname lookups dig, replacing nslookup “dig www.scu.edu” “dig –x 129.210.2.1” (reverse lookup)
“traceroute” (tracert) Great for verifying general location and
possible affiliations Web versions are available from around
the world
Email Fundamentals: Important Services Domain Name System (DNS) translates between
domain names and IP address. MX records (http://en.wikipedia.org/wiki/MX_record) in
the DNS database specify the host’s or domains mail exchanger
Can have multiple MX records, with priority attached:
Email to [email protected] will then be sent to [email protected].
If that site is down, then it will be sent to [email protected].
The mailer at both sites needs also be set up to accept the messages.
MX 10 cse
MX 100 mailhost.soe.uscs.edu
Email Protocols:
A mail server stores incoming mail and distributes it to the appropriate mail box.
Behavior afterwards depends on type of protocol.
Accordingly, investigation needs to be done at server or at the workstation.
Email Protocols: Email program such as Outlook or
Groupwise are a client application. Needs to interact with an email
server: Post Office Protocol (POP) Internet Message Access Protocol (IMAP) Microsoft’s Mail API (MAPI)
Web-based email uses a web-page as an interface with an email server.
Email Protocols:
Post Office Service
Protocol Characteristics
Stores only incoming messages.
POP Investigation must be at the workstation.
Stores all messages
IMAPMS’ MAPILotus Notes
Copies of incoming and outgoing messages might be stored on the workstation or on the server or on both.
Web-based send and receive.
HTTP Incoming and outgoing messages are stored on the server, but there might be archived or copied messages on the workstation. Easy to spoof identity.
Email Protocols: SMTP Neither IMAP or POP are involved
relaying messages between servers. Simple Mail Transfer Protocol: SMTP
Easy. Has several additions. Can be spoofed:
By using an unsecured or undersecured email server.
By setting up your own smtp server.
Email Protocols: SMTPHow to spoof emailtelnet endor.engr.scu.edu 25220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005
14:58:49 - 0800
helo 129.210.16.8250 server8.engr.scu.edu Hello dhcp-19-198.engr.scu.edu
[129.210.19.198], pleased to meet you
mail from: [email protected] 2.1.0 [email protected]... Sender ok
rcpt to: [email protected] 2.1.5 [email protected]... Recipient ok
data354 Enter mail, end with "." on a line by itself
This is a spoofed message.. 250 2.0.0 jBSMwnTd023057 Message accepted for delivery
quit 221 2.0.0 endor.engr.scu.edu closing connection
Email Protocols: SMTPReturn-path: <[email protected]>Received: from MGW2.scu.edu [129.210.251.18]by gwcl-22.scu.edu; Wed, 28 Dec 2005 15:00:29 -0800Received: from endor.engr.scu.edu (unverified [129.210.16.1]) by MGW2.scu.edu(Vircom SMTPRS 4.2.425.10) with ESMTP id <[email protected]> for <[email protected]>;Wed, 28 Dec 2005 15:00:29 -0800X-Modus-BlackList: 129.210.16.1=OK;[email protected]=OKX-Modus-Trusted: 129.210.16.1=NOReceived: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34])by endor.engr.scu.edu (8.13.5/8.13.5) with SMTP id jBSMwnTd023057for [email protected]; Wed, 28 Dec 2005 15:00:54 -0800Date: Wed, 28 Dec 2005 14:58:49 -0800From: JoAnne Holliday <[email protected]>Message-Id: <[email protected]>
this is a spoofed message.
This looks very convincing.
Only hint: received line gives the name of my machine.
If I were to use a machine without a fixed IP, then you can determine the DHCP address from the DHCP logs.
Email Protocols: SMTPHow to spoof email Endor will only relay messages from machines
that have properly authenticated themselves within the last five minutes.
Subject lines etc. are part of the data segment. However, any misspelling will put them into the body of the message.
Email Protocols: SMTPHow to spoof emailtelnet endor.engr.scu.edu 25220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 15:36:13 -0800mail from: [email protected] 2.1.0 [email protected]... Sender okrcpt to: [email protected] 2.1.5 [email protected]... Recipient okdata354 Enter mail, end with "." on a line by itselfDate: 23 Dec 05 11:22:33From: [email protected]: [email protected]: Congrats
You are hrby appointed the next president of Santa Clara University, effectively
immediately.
Best, Paul.250 2.0.0 jBSNaDlu023813 Message accepted for deliveryquit
Email Protocols: SMTPHow to spoof email
Email Protocols: SMTPHow to spoof email
Unix Use sendmail %usr/lib/sendmail –t –f
[email protected] < test_message
Email Protocols: SMTP
Things are even easier with Windows XP.
Turn on the SMTP service that each WinXP machine runs. Create a file that follows the SMTP protocol. Place the file in Inetpub/mailroot/Pickup
Email Protocols: SMTP
To: [email protected]: [email protected]
This is a spoofed message.
From [email protected] Tue Dec 23 17:25:50 2003Return-Path: <[email protected]>Received: from Xavier (dhcp-19-226.engr.scu.edu [129.210.19.226])by server4.engr.scu.edu (8.12.10/8.12.10) with ESMTP id hBO1Plpv027244for <[email protected]>; Tue, 23 Dec 2003 17:25:50 -0800Received: from mail pickup service by Xavier with Microsoft SMTPSVC;Tue, 23 Dec 2003 17:25:33 -0800To: [email protected]: [email protected]: <XAVIERZRTHEQXHcJcKJ00000001@Xavier>X-OriginalArrivalTime: 24 Dec 2003 01:25:33.0942 (UTC) FILETIME=[D3B56160:01C3C9BC]Date: 23 Dec 2003 17:25:33 -0800X-Spam-Checker-Version: SpamAssassin 2.60-rc3 (1.202-2003-08-29-exp) onserver4.engr.scu.eduX-Spam-Level:X-Spam-Status: No, hits=0.3 required=5.0 tests=NO_REAL_NAME autolearn=noversion=2.60-rc3
This is a spoofed message.
Email Protocols: SMTP
SMTP Headers: Each mail-server adds to headers. Additions are being made at the top
of the list. Therefore, read the header from the
bottom.
To read headers, you usually have to enable them in your mail client.
SMTP HeadersTo enable headers: Eudora:
Use the Blah Blah Blah button Hotmail:
Options Preferences Message Headers. Juno:
Options Show Headers MS Outlook:
Select message and go to options. Yahoo!:
Mail Options General Preferences Show all headers. Groupwise:
Message itself is “attached” to each email. You need to look at it.
SMTP Headers Headers consists of header fields
Originator fields from, sender, reply-to
Destination address fields To, cc, bcc
Identification Fields Message-ID-field is optional, but extremely important
for tracing emails through email server logs. Informational Fields
Subject, comments, keywords Resent Fields
Resent fields are strictly speaking optional, but luckily, most servers add them.
Resent-date, resent-from, resent-sender, resent-to, resent-cc, resent-bcc, resent-msg-id
SMTP Headers
Trace Fields Core of email tracing. Regulated in RFC2821. When a SMTP server receives a
message for delivery or forwarding, it MUST insert trace information at the beginning of the header.
SMTP Headers The FROM field, which must be supplied in an
SMTP environment, should contain both (1) the name of the source host as presented in the EHLO command and (2) an address literal containing the IP address of the source, determined from the TCP connection.
The ID field may contain an "@" as suggested in RFC 822, but this is not required.
The FOR field MAY contain a list of <path> entries when multiple RCPT commands have been given.
A server making a final delivery inserts a return-path line.
SMTP Header Spotting spoofed messages
Contents usually gives a hint. Each SMTP server application adds a different
set of headers or structures them in a different way.
A good investigator knows these formats. Use internet services in order to verify header
data. However, some companies can outsource email or
use internal IP addresses. Look for breaks / discrepancies in the
“Received” lines.
SMTP Header
Investigation of spoofed messages Verify all IP addresses
Keeping in mind that some addresses might be internal addresses.
Make a time-line of events. Change times to universal standard time. Look for strange behavior. Keep clock drift in mind.
Additonal Info: http://www.uic.edu/depts/accc/newsletter/adn29/headers.html
Server Logs
E-mail logs usually identify email messages by: Account received IP address from which they were sent. Time and date (beware of clock drift) IP addresses
Server LogsDec 31 18:26:15 endor sendmail[30597]: k012OV1i030597: [email protected],
size=147, class=0, nrcpts=1, msgid=<[email protected]>, proto=SMTP, daemon=MTA, relay=c-24-12-227-211.hsd1.il.comcast.net [24.12.227.211]
Dec 31 18:26:15 endor spamd[28512]: spamd: connection from localhost [127.0.0.1] at port 42865
Dec 31 18:26:15 endor spamd[28512]: spamd: setuid to tschwarz succeeded Dec 31 18:26:15 endor spamd[28512]: spamd: processing message
<[email protected]> for tschwarz:1875 Dec 31 18:26:15 endor spamd[28512]: spamd: clean message (4.6/5.0) for
tschwarz:1875 in 0.2 seconds, 525 bytes. Dec 31 18:26:15 endor spamd[28512]: spamd: result: . 4 -
MSGID_FROM_MTA_ID,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL scantime=0.2,size=525,user=tschwarz,uid=1875,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=42865,mid=<[email protected]>,autolearn=no
Dec 31 18:26:15 endor spamd[21352]: prefork: child states: II Dec 31 18:26:15 endor sendmail[30726]: k012OV1i030597:
[email protected], delay=00:01:02, xdelay=00:00:00, mailer=local, pri=30464, dsn=2.0.0, stat=Sent
Sample log entry at endor.
Server Logs Many servers keep copies of emails. Most servers purge logs.
Law-enforcement: Vast majority of companies are very cooperative. Don’t wait for the subpoena, instead give system
administrator a heads-up of a coming subpoena. Company:
Local sys-ad needs early warning. Getting logs at other places can be dicey.
Unix Sendmail Configuration file /etc/sendmail.cf
and /etc/syslog.conf Gives location of various logs and their
rules. maillog (often at /var/log/maillog)
Logs SMTP communications Logs POP3 events
You can always use: locate *.log to find log files.
Techniques
Investigating email for forgery Evidentiary material is
Directly in header Indirectly in formatting headers Timestamps
Header Trace Resource http://www.ip-adress.com/
trace_email/
Techniques Header Investigation
Lookup all host names and IP addresses Check for inconsistencies Be aware of
internal IP addresses web hosting company
Generate Timeline Be aware of
clock drift, delays, time zone differences