Forensics Module2
-
Upload
spiderman86 -
Category
Documents
-
view
22 -
download
2
description
Transcript of Forensics Module2
Digital Forensics
Module 2
CS 996
2022004 Module 2- Investigating Email 2
Review from Module 1
Forensics Investigation in support of litigation
Proactive vs ReactivePaul Kedrosky article WSJ 1302004
Start with Internet researchwwwnamebaseorg
2022004 Module 2- Investigating Email 3
Investigating E-Mail
Increasing volume of fraudulent emailSpam costs 001 centsmessage to send
Virus propagation
Spam in the workplace
Increased successful prosecution of spammers
Deleting email
2022004 Module 2- Investigating Email 4
Characteristics of Email
Why are investigations toughldquoNoone knows you are a dog on the Internetrdquo
Must tie spam to actual sender or his agent
Why are investigations feasible
2022004 Module 2- Investigating Email 5
Sending Spam
Profile of NYC mass mailer1 million messageshourserver
Gig-E Internet connection SQL backend
Call center 45 people in Costa Rica
Product herbal viagra
Many sophisticated programmers on staff
2022004 Module 2- Investigating Email 6
Spam Tools
ldquoKeep your enemies closerdquo
Robomail mass mailer
Lencom email harvester
wwwpaulgrahamcom
2022004 Module 2- Investigating Email 7
Types of Email Exploits
Denial of Service (DOS)
Fraudulent spam
Phishing scams
Viruses
Annoyance stalking
ldquoJoe Jobbingrdquo
419 Scams Nigerian Bank AccountsStill being used
wwwscamoramacom
2022004 Module 2- Investigating Email 8
Email Phishing
Serious threat of financial loss
Newest most damaging type of spam
Rely on ldquosocial engineeringrdquo
wwwantiphishingorg
2022004 Module 2- Investigating Email 9
Message Transfer
smtpinchcom mailacmecom
mailoptonlinenet
E SMTPPOP3
SMTP
thinkpad2monarchcom
ISP = CablevisionUser1acmecom
2022004 Module 2- Investigating Email 10
Analyzing Message Headers
Envelope header informationAdded by sender
Often forged
Message HeadersAdded by receivers
Use these for analysis
Reference wwwstopspamorgemailheadershtml
Sample message header
2022004 Module 2- Investigating Email 11
Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])
by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147
Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)
Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])
by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192
Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)
Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500
Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law
2022004 Module 2- Investigating Email 12
Internet Investigations NetScanTools
wwwnwpswcom
34 tools grouped in one windows package
For emailTraceroute (ICMP TCP)
Relay testing
RBL (Real-time Block List) testing
Automated data collection across multiple tools
2022004 Module 2- Investigating Email 13
2022004 Module 2- Investigating Email 14
2022004 Module 2- Investigating Email 15
Investigating Spammers on the Internet
SpamhausIP lookup on suspect domain name
The Spamhaus Project
Search on usenetnewsadminnet-abuse
Search for Scott Richtermdash2040 entries
2022004 Module 2- Investigating Email 16
URL Obfuscation
Mislead ldquovictimrdquo into clicking on attachment
Reference wwwcounterhacknet
Some exampleshttpeer5673469dwwwmonarch-infocom
httpwwwmicrosoftcom21622319336
httpwwwmicrosoftcom
777777monarch-infocom
2022004 Module 2- Investigating Email 17
Geolocation
Critical to forensic analysis on Internet
Need to find a person
Commercial businessesUse for high volume investigations
Infosplit (NYC)
Quova
Fraud prevention in credit card applications
2022004 Module 2- Investigating Email 18
Quova Geopoint Architecture
15 BILLION IP ADDRESSES
70 DATA COLLECTION SERVERS
wwwacmecom
GEOPOINT SERVER
MANUAL QUERIES
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 2
Review from Module 1
Forensics Investigation in support of litigation
Proactive vs ReactivePaul Kedrosky article WSJ 1302004
Start with Internet researchwwwnamebaseorg
2022004 Module 2- Investigating Email 3
Investigating E-Mail
Increasing volume of fraudulent emailSpam costs 001 centsmessage to send
Virus propagation
Spam in the workplace
Increased successful prosecution of spammers
Deleting email
2022004 Module 2- Investigating Email 4
Characteristics of Email
Why are investigations toughldquoNoone knows you are a dog on the Internetrdquo
Must tie spam to actual sender or his agent
Why are investigations feasible
2022004 Module 2- Investigating Email 5
Sending Spam
Profile of NYC mass mailer1 million messageshourserver
Gig-E Internet connection SQL backend
Call center 45 people in Costa Rica
Product herbal viagra
Many sophisticated programmers on staff
2022004 Module 2- Investigating Email 6
Spam Tools
ldquoKeep your enemies closerdquo
Robomail mass mailer
Lencom email harvester
wwwpaulgrahamcom
2022004 Module 2- Investigating Email 7
Types of Email Exploits
Denial of Service (DOS)
Fraudulent spam
Phishing scams
Viruses
Annoyance stalking
ldquoJoe Jobbingrdquo
419 Scams Nigerian Bank AccountsStill being used
wwwscamoramacom
2022004 Module 2- Investigating Email 8
Email Phishing
Serious threat of financial loss
Newest most damaging type of spam
Rely on ldquosocial engineeringrdquo
wwwantiphishingorg
2022004 Module 2- Investigating Email 9
Message Transfer
smtpinchcom mailacmecom
mailoptonlinenet
E SMTPPOP3
SMTP
thinkpad2monarchcom
ISP = CablevisionUser1acmecom
2022004 Module 2- Investigating Email 10
Analyzing Message Headers
Envelope header informationAdded by sender
Often forged
Message HeadersAdded by receivers
Use these for analysis
Reference wwwstopspamorgemailheadershtml
Sample message header
2022004 Module 2- Investigating Email 11
Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])
by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147
Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)
Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])
by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192
Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)
Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500
Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law
2022004 Module 2- Investigating Email 12
Internet Investigations NetScanTools
wwwnwpswcom
34 tools grouped in one windows package
For emailTraceroute (ICMP TCP)
Relay testing
RBL (Real-time Block List) testing
Automated data collection across multiple tools
2022004 Module 2- Investigating Email 13
2022004 Module 2- Investigating Email 14
2022004 Module 2- Investigating Email 15
Investigating Spammers on the Internet
SpamhausIP lookup on suspect domain name
The Spamhaus Project
Search on usenetnewsadminnet-abuse
Search for Scott Richtermdash2040 entries
2022004 Module 2- Investigating Email 16
URL Obfuscation
Mislead ldquovictimrdquo into clicking on attachment
Reference wwwcounterhacknet
Some exampleshttpeer5673469dwwwmonarch-infocom
httpwwwmicrosoftcom21622319336
httpwwwmicrosoftcom
777777monarch-infocom
2022004 Module 2- Investigating Email 17
Geolocation
Critical to forensic analysis on Internet
Need to find a person
Commercial businessesUse for high volume investigations
Infosplit (NYC)
Quova
Fraud prevention in credit card applications
2022004 Module 2- Investigating Email 18
Quova Geopoint Architecture
15 BILLION IP ADDRESSES
70 DATA COLLECTION SERVERS
wwwacmecom
GEOPOINT SERVER
MANUAL QUERIES
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 3
Investigating E-Mail
Increasing volume of fraudulent emailSpam costs 001 centsmessage to send
Virus propagation
Spam in the workplace
Increased successful prosecution of spammers
Deleting email
2022004 Module 2- Investigating Email 4
Characteristics of Email
Why are investigations toughldquoNoone knows you are a dog on the Internetrdquo
Must tie spam to actual sender or his agent
Why are investigations feasible
2022004 Module 2- Investigating Email 5
Sending Spam
Profile of NYC mass mailer1 million messageshourserver
Gig-E Internet connection SQL backend
Call center 45 people in Costa Rica
Product herbal viagra
Many sophisticated programmers on staff
2022004 Module 2- Investigating Email 6
Spam Tools
ldquoKeep your enemies closerdquo
Robomail mass mailer
Lencom email harvester
wwwpaulgrahamcom
2022004 Module 2- Investigating Email 7
Types of Email Exploits
Denial of Service (DOS)
Fraudulent spam
Phishing scams
Viruses
Annoyance stalking
ldquoJoe Jobbingrdquo
419 Scams Nigerian Bank AccountsStill being used
wwwscamoramacom
2022004 Module 2- Investigating Email 8
Email Phishing
Serious threat of financial loss
Newest most damaging type of spam
Rely on ldquosocial engineeringrdquo
wwwantiphishingorg
2022004 Module 2- Investigating Email 9
Message Transfer
smtpinchcom mailacmecom
mailoptonlinenet
E SMTPPOP3
SMTP
thinkpad2monarchcom
ISP = CablevisionUser1acmecom
2022004 Module 2- Investigating Email 10
Analyzing Message Headers
Envelope header informationAdded by sender
Often forged
Message HeadersAdded by receivers
Use these for analysis
Reference wwwstopspamorgemailheadershtml
Sample message header
2022004 Module 2- Investigating Email 11
Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])
by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147
Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)
Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])
by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192
Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)
Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500
Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law
2022004 Module 2- Investigating Email 12
Internet Investigations NetScanTools
wwwnwpswcom
34 tools grouped in one windows package
For emailTraceroute (ICMP TCP)
Relay testing
RBL (Real-time Block List) testing
Automated data collection across multiple tools
2022004 Module 2- Investigating Email 13
2022004 Module 2- Investigating Email 14
2022004 Module 2- Investigating Email 15
Investigating Spammers on the Internet
SpamhausIP lookup on suspect domain name
The Spamhaus Project
Search on usenetnewsadminnet-abuse
Search for Scott Richtermdash2040 entries
2022004 Module 2- Investigating Email 16
URL Obfuscation
Mislead ldquovictimrdquo into clicking on attachment
Reference wwwcounterhacknet
Some exampleshttpeer5673469dwwwmonarch-infocom
httpwwwmicrosoftcom21622319336
httpwwwmicrosoftcom
777777monarch-infocom
2022004 Module 2- Investigating Email 17
Geolocation
Critical to forensic analysis on Internet
Need to find a person
Commercial businessesUse for high volume investigations
Infosplit (NYC)
Quova
Fraud prevention in credit card applications
2022004 Module 2- Investigating Email 18
Quova Geopoint Architecture
15 BILLION IP ADDRESSES
70 DATA COLLECTION SERVERS
wwwacmecom
GEOPOINT SERVER
MANUAL QUERIES
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 4
Characteristics of Email
Why are investigations toughldquoNoone knows you are a dog on the Internetrdquo
Must tie spam to actual sender or his agent
Why are investigations feasible
2022004 Module 2- Investigating Email 5
Sending Spam
Profile of NYC mass mailer1 million messageshourserver
Gig-E Internet connection SQL backend
Call center 45 people in Costa Rica
Product herbal viagra
Many sophisticated programmers on staff
2022004 Module 2- Investigating Email 6
Spam Tools
ldquoKeep your enemies closerdquo
Robomail mass mailer
Lencom email harvester
wwwpaulgrahamcom
2022004 Module 2- Investigating Email 7
Types of Email Exploits
Denial of Service (DOS)
Fraudulent spam
Phishing scams
Viruses
Annoyance stalking
ldquoJoe Jobbingrdquo
419 Scams Nigerian Bank AccountsStill being used
wwwscamoramacom
2022004 Module 2- Investigating Email 8
Email Phishing
Serious threat of financial loss
Newest most damaging type of spam
Rely on ldquosocial engineeringrdquo
wwwantiphishingorg
2022004 Module 2- Investigating Email 9
Message Transfer
smtpinchcom mailacmecom
mailoptonlinenet
E SMTPPOP3
SMTP
thinkpad2monarchcom
ISP = CablevisionUser1acmecom
2022004 Module 2- Investigating Email 10
Analyzing Message Headers
Envelope header informationAdded by sender
Often forged
Message HeadersAdded by receivers
Use these for analysis
Reference wwwstopspamorgemailheadershtml
Sample message header
2022004 Module 2- Investigating Email 11
Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])
by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147
Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)
Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])
by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192
Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)
Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500
Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law
2022004 Module 2- Investigating Email 12
Internet Investigations NetScanTools
wwwnwpswcom
34 tools grouped in one windows package
For emailTraceroute (ICMP TCP)
Relay testing
RBL (Real-time Block List) testing
Automated data collection across multiple tools
2022004 Module 2- Investigating Email 13
2022004 Module 2- Investigating Email 14
2022004 Module 2- Investigating Email 15
Investigating Spammers on the Internet
SpamhausIP lookup on suspect domain name
The Spamhaus Project
Search on usenetnewsadminnet-abuse
Search for Scott Richtermdash2040 entries
2022004 Module 2- Investigating Email 16
URL Obfuscation
Mislead ldquovictimrdquo into clicking on attachment
Reference wwwcounterhacknet
Some exampleshttpeer5673469dwwwmonarch-infocom
httpwwwmicrosoftcom21622319336
httpwwwmicrosoftcom
777777monarch-infocom
2022004 Module 2- Investigating Email 17
Geolocation
Critical to forensic analysis on Internet
Need to find a person
Commercial businessesUse for high volume investigations
Infosplit (NYC)
Quova
Fraud prevention in credit card applications
2022004 Module 2- Investigating Email 18
Quova Geopoint Architecture
15 BILLION IP ADDRESSES
70 DATA COLLECTION SERVERS
wwwacmecom
GEOPOINT SERVER
MANUAL QUERIES
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 5
Sending Spam
Profile of NYC mass mailer1 million messageshourserver
Gig-E Internet connection SQL backend
Call center 45 people in Costa Rica
Product herbal viagra
Many sophisticated programmers on staff
2022004 Module 2- Investigating Email 6
Spam Tools
ldquoKeep your enemies closerdquo
Robomail mass mailer
Lencom email harvester
wwwpaulgrahamcom
2022004 Module 2- Investigating Email 7
Types of Email Exploits
Denial of Service (DOS)
Fraudulent spam
Phishing scams
Viruses
Annoyance stalking
ldquoJoe Jobbingrdquo
419 Scams Nigerian Bank AccountsStill being used
wwwscamoramacom
2022004 Module 2- Investigating Email 8
Email Phishing
Serious threat of financial loss
Newest most damaging type of spam
Rely on ldquosocial engineeringrdquo
wwwantiphishingorg
2022004 Module 2- Investigating Email 9
Message Transfer
smtpinchcom mailacmecom
mailoptonlinenet
E SMTPPOP3
SMTP
thinkpad2monarchcom
ISP = CablevisionUser1acmecom
2022004 Module 2- Investigating Email 10
Analyzing Message Headers
Envelope header informationAdded by sender
Often forged
Message HeadersAdded by receivers
Use these for analysis
Reference wwwstopspamorgemailheadershtml
Sample message header
2022004 Module 2- Investigating Email 11
Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])
by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147
Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)
Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])
by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192
Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)
Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500
Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law
2022004 Module 2- Investigating Email 12
Internet Investigations NetScanTools
wwwnwpswcom
34 tools grouped in one windows package
For emailTraceroute (ICMP TCP)
Relay testing
RBL (Real-time Block List) testing
Automated data collection across multiple tools
2022004 Module 2- Investigating Email 13
2022004 Module 2- Investigating Email 14
2022004 Module 2- Investigating Email 15
Investigating Spammers on the Internet
SpamhausIP lookup on suspect domain name
The Spamhaus Project
Search on usenetnewsadminnet-abuse
Search for Scott Richtermdash2040 entries
2022004 Module 2- Investigating Email 16
URL Obfuscation
Mislead ldquovictimrdquo into clicking on attachment
Reference wwwcounterhacknet
Some exampleshttpeer5673469dwwwmonarch-infocom
httpwwwmicrosoftcom21622319336
httpwwwmicrosoftcom
777777monarch-infocom
2022004 Module 2- Investigating Email 17
Geolocation
Critical to forensic analysis on Internet
Need to find a person
Commercial businessesUse for high volume investigations
Infosplit (NYC)
Quova
Fraud prevention in credit card applications
2022004 Module 2- Investigating Email 18
Quova Geopoint Architecture
15 BILLION IP ADDRESSES
70 DATA COLLECTION SERVERS
wwwacmecom
GEOPOINT SERVER
MANUAL QUERIES
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 6
Spam Tools
ldquoKeep your enemies closerdquo
Robomail mass mailer
Lencom email harvester
wwwpaulgrahamcom
2022004 Module 2- Investigating Email 7
Types of Email Exploits
Denial of Service (DOS)
Fraudulent spam
Phishing scams
Viruses
Annoyance stalking
ldquoJoe Jobbingrdquo
419 Scams Nigerian Bank AccountsStill being used
wwwscamoramacom
2022004 Module 2- Investigating Email 8
Email Phishing
Serious threat of financial loss
Newest most damaging type of spam
Rely on ldquosocial engineeringrdquo
wwwantiphishingorg
2022004 Module 2- Investigating Email 9
Message Transfer
smtpinchcom mailacmecom
mailoptonlinenet
E SMTPPOP3
SMTP
thinkpad2monarchcom
ISP = CablevisionUser1acmecom
2022004 Module 2- Investigating Email 10
Analyzing Message Headers
Envelope header informationAdded by sender
Often forged
Message HeadersAdded by receivers
Use these for analysis
Reference wwwstopspamorgemailheadershtml
Sample message header
2022004 Module 2- Investigating Email 11
Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])
by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147
Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)
Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])
by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192
Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)
Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500
Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law
2022004 Module 2- Investigating Email 12
Internet Investigations NetScanTools
wwwnwpswcom
34 tools grouped in one windows package
For emailTraceroute (ICMP TCP)
Relay testing
RBL (Real-time Block List) testing
Automated data collection across multiple tools
2022004 Module 2- Investigating Email 13
2022004 Module 2- Investigating Email 14
2022004 Module 2- Investigating Email 15
Investigating Spammers on the Internet
SpamhausIP lookup on suspect domain name
The Spamhaus Project
Search on usenetnewsadminnet-abuse
Search for Scott Richtermdash2040 entries
2022004 Module 2- Investigating Email 16
URL Obfuscation
Mislead ldquovictimrdquo into clicking on attachment
Reference wwwcounterhacknet
Some exampleshttpeer5673469dwwwmonarch-infocom
httpwwwmicrosoftcom21622319336
httpwwwmicrosoftcom
777777monarch-infocom
2022004 Module 2- Investigating Email 17
Geolocation
Critical to forensic analysis on Internet
Need to find a person
Commercial businessesUse for high volume investigations
Infosplit (NYC)
Quova
Fraud prevention in credit card applications
2022004 Module 2- Investigating Email 18
Quova Geopoint Architecture
15 BILLION IP ADDRESSES
70 DATA COLLECTION SERVERS
wwwacmecom
GEOPOINT SERVER
MANUAL QUERIES
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 7
Types of Email Exploits
Denial of Service (DOS)
Fraudulent spam
Phishing scams
Viruses
Annoyance stalking
ldquoJoe Jobbingrdquo
419 Scams Nigerian Bank AccountsStill being used
wwwscamoramacom
2022004 Module 2- Investigating Email 8
Email Phishing
Serious threat of financial loss
Newest most damaging type of spam
Rely on ldquosocial engineeringrdquo
wwwantiphishingorg
2022004 Module 2- Investigating Email 9
Message Transfer
smtpinchcom mailacmecom
mailoptonlinenet
E SMTPPOP3
SMTP
thinkpad2monarchcom
ISP = CablevisionUser1acmecom
2022004 Module 2- Investigating Email 10
Analyzing Message Headers
Envelope header informationAdded by sender
Often forged
Message HeadersAdded by receivers
Use these for analysis
Reference wwwstopspamorgemailheadershtml
Sample message header
2022004 Module 2- Investigating Email 11
Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])
by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147
Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)
Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])
by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192
Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)
Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500
Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law
2022004 Module 2- Investigating Email 12
Internet Investigations NetScanTools
wwwnwpswcom
34 tools grouped in one windows package
For emailTraceroute (ICMP TCP)
Relay testing
RBL (Real-time Block List) testing
Automated data collection across multiple tools
2022004 Module 2- Investigating Email 13
2022004 Module 2- Investigating Email 14
2022004 Module 2- Investigating Email 15
Investigating Spammers on the Internet
SpamhausIP lookup on suspect domain name
The Spamhaus Project
Search on usenetnewsadminnet-abuse
Search for Scott Richtermdash2040 entries
2022004 Module 2- Investigating Email 16
URL Obfuscation
Mislead ldquovictimrdquo into clicking on attachment
Reference wwwcounterhacknet
Some exampleshttpeer5673469dwwwmonarch-infocom
httpwwwmicrosoftcom21622319336
httpwwwmicrosoftcom
777777monarch-infocom
2022004 Module 2- Investigating Email 17
Geolocation
Critical to forensic analysis on Internet
Need to find a person
Commercial businessesUse for high volume investigations
Infosplit (NYC)
Quova
Fraud prevention in credit card applications
2022004 Module 2- Investigating Email 18
Quova Geopoint Architecture
15 BILLION IP ADDRESSES
70 DATA COLLECTION SERVERS
wwwacmecom
GEOPOINT SERVER
MANUAL QUERIES
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 8
Email Phishing
Serious threat of financial loss
Newest most damaging type of spam
Rely on ldquosocial engineeringrdquo
wwwantiphishingorg
2022004 Module 2- Investigating Email 9
Message Transfer
smtpinchcom mailacmecom
mailoptonlinenet
E SMTPPOP3
SMTP
thinkpad2monarchcom
ISP = CablevisionUser1acmecom
2022004 Module 2- Investigating Email 10
Analyzing Message Headers
Envelope header informationAdded by sender
Often forged
Message HeadersAdded by receivers
Use these for analysis
Reference wwwstopspamorgemailheadershtml
Sample message header
2022004 Module 2- Investigating Email 11
Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])
by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147
Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)
Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])
by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192
Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)
Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500
Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law
2022004 Module 2- Investigating Email 12
Internet Investigations NetScanTools
wwwnwpswcom
34 tools grouped in one windows package
For emailTraceroute (ICMP TCP)
Relay testing
RBL (Real-time Block List) testing
Automated data collection across multiple tools
2022004 Module 2- Investigating Email 13
2022004 Module 2- Investigating Email 14
2022004 Module 2- Investigating Email 15
Investigating Spammers on the Internet
SpamhausIP lookup on suspect domain name
The Spamhaus Project
Search on usenetnewsadminnet-abuse
Search for Scott Richtermdash2040 entries
2022004 Module 2- Investigating Email 16
URL Obfuscation
Mislead ldquovictimrdquo into clicking on attachment
Reference wwwcounterhacknet
Some exampleshttpeer5673469dwwwmonarch-infocom
httpwwwmicrosoftcom21622319336
httpwwwmicrosoftcom
777777monarch-infocom
2022004 Module 2- Investigating Email 17
Geolocation
Critical to forensic analysis on Internet
Need to find a person
Commercial businessesUse for high volume investigations
Infosplit (NYC)
Quova
Fraud prevention in credit card applications
2022004 Module 2- Investigating Email 18
Quova Geopoint Architecture
15 BILLION IP ADDRESSES
70 DATA COLLECTION SERVERS
wwwacmecom
GEOPOINT SERVER
MANUAL QUERIES
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 9
Message Transfer
smtpinchcom mailacmecom
mailoptonlinenet
E SMTPPOP3
SMTP
thinkpad2monarchcom
ISP = CablevisionUser1acmecom
2022004 Module 2- Investigating Email 10
Analyzing Message Headers
Envelope header informationAdded by sender
Often forged
Message HeadersAdded by receivers
Use these for analysis
Reference wwwstopspamorgemailheadershtml
Sample message header
2022004 Module 2- Investigating Email 11
Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])
by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147
Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)
Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])
by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192
Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)
Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500
Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law
2022004 Module 2- Investigating Email 12
Internet Investigations NetScanTools
wwwnwpswcom
34 tools grouped in one windows package
For emailTraceroute (ICMP TCP)
Relay testing
RBL (Real-time Block List) testing
Automated data collection across multiple tools
2022004 Module 2- Investigating Email 13
2022004 Module 2- Investigating Email 14
2022004 Module 2- Investigating Email 15
Investigating Spammers on the Internet
SpamhausIP lookup on suspect domain name
The Spamhaus Project
Search on usenetnewsadminnet-abuse
Search for Scott Richtermdash2040 entries
2022004 Module 2- Investigating Email 16
URL Obfuscation
Mislead ldquovictimrdquo into clicking on attachment
Reference wwwcounterhacknet
Some exampleshttpeer5673469dwwwmonarch-infocom
httpwwwmicrosoftcom21622319336
httpwwwmicrosoftcom
777777monarch-infocom
2022004 Module 2- Investigating Email 17
Geolocation
Critical to forensic analysis on Internet
Need to find a person
Commercial businessesUse for high volume investigations
Infosplit (NYC)
Quova
Fraud prevention in credit card applications
2022004 Module 2- Investigating Email 18
Quova Geopoint Architecture
15 BILLION IP ADDRESSES
70 DATA COLLECTION SERVERS
wwwacmecom
GEOPOINT SERVER
MANUAL QUERIES
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 10
Analyzing Message Headers
Envelope header informationAdded by sender
Often forged
Message HeadersAdded by receivers
Use these for analysis
Reference wwwstopspamorgemailheadershtml
Sample message header
2022004 Module 2- Investigating Email 11
Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])
by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147
Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)
Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])
by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192
Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)
Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500
Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law
2022004 Module 2- Investigating Email 12
Internet Investigations NetScanTools
wwwnwpswcom
34 tools grouped in one windows package
For emailTraceroute (ICMP TCP)
Relay testing
RBL (Real-time Block List) testing
Automated data collection across multiple tools
2022004 Module 2- Investigating Email 13
2022004 Module 2- Investigating Email 14
2022004 Module 2- Investigating Email 15
Investigating Spammers on the Internet
SpamhausIP lookup on suspect domain name
The Spamhaus Project
Search on usenetnewsadminnet-abuse
Search for Scott Richtermdash2040 entries
2022004 Module 2- Investigating Email 16
URL Obfuscation
Mislead ldquovictimrdquo into clicking on attachment
Reference wwwcounterhacknet
Some exampleshttpeer5673469dwwwmonarch-infocom
httpwwwmicrosoftcom21622319336
httpwwwmicrosoftcom
777777monarch-infocom
2022004 Module 2- Investigating Email 17
Geolocation
Critical to forensic analysis on Internet
Need to find a person
Commercial businessesUse for high volume investigations
Infosplit (NYC)
Quova
Fraud prevention in credit card applications
2022004 Module 2- Investigating Email 18
Quova Geopoint Architecture
15 BILLION IP ADDRESSES
70 DATA COLLECTION SERVERS
wwwacmecom
GEOPOINT SERVER
MANUAL QUERIES
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 11
Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])
by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147
Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)
Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])
by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192
Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)
Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500
Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law
2022004 Module 2- Investigating Email 12
Internet Investigations NetScanTools
wwwnwpswcom
34 tools grouped in one windows package
For emailTraceroute (ICMP TCP)
Relay testing
RBL (Real-time Block List) testing
Automated data collection across multiple tools
2022004 Module 2- Investigating Email 13
2022004 Module 2- Investigating Email 14
2022004 Module 2- Investigating Email 15
Investigating Spammers on the Internet
SpamhausIP lookup on suspect domain name
The Spamhaus Project
Search on usenetnewsadminnet-abuse
Search for Scott Richtermdash2040 entries
2022004 Module 2- Investigating Email 16
URL Obfuscation
Mislead ldquovictimrdquo into clicking on attachment
Reference wwwcounterhacknet
Some exampleshttpeer5673469dwwwmonarch-infocom
httpwwwmicrosoftcom21622319336
httpwwwmicrosoftcom
777777monarch-infocom
2022004 Module 2- Investigating Email 17
Geolocation
Critical to forensic analysis on Internet
Need to find a person
Commercial businessesUse for high volume investigations
Infosplit (NYC)
Quova
Fraud prevention in credit card applications
2022004 Module 2- Investigating Email 18
Quova Geopoint Architecture
15 BILLION IP ADDRESSES
70 DATA COLLECTION SERVERS
wwwacmecom
GEOPOINT SERVER
MANUAL QUERIES
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 12
Internet Investigations NetScanTools
wwwnwpswcom
34 tools grouped in one windows package
For emailTraceroute (ICMP TCP)
Relay testing
RBL (Real-time Block List) testing
Automated data collection across multiple tools
2022004 Module 2- Investigating Email 13
2022004 Module 2- Investigating Email 14
2022004 Module 2- Investigating Email 15
Investigating Spammers on the Internet
SpamhausIP lookup on suspect domain name
The Spamhaus Project
Search on usenetnewsadminnet-abuse
Search for Scott Richtermdash2040 entries
2022004 Module 2- Investigating Email 16
URL Obfuscation
Mislead ldquovictimrdquo into clicking on attachment
Reference wwwcounterhacknet
Some exampleshttpeer5673469dwwwmonarch-infocom
httpwwwmicrosoftcom21622319336
httpwwwmicrosoftcom
777777monarch-infocom
2022004 Module 2- Investigating Email 17
Geolocation
Critical to forensic analysis on Internet
Need to find a person
Commercial businessesUse for high volume investigations
Infosplit (NYC)
Quova
Fraud prevention in credit card applications
2022004 Module 2- Investigating Email 18
Quova Geopoint Architecture
15 BILLION IP ADDRESSES
70 DATA COLLECTION SERVERS
wwwacmecom
GEOPOINT SERVER
MANUAL QUERIES
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 13
2022004 Module 2- Investigating Email 14
2022004 Module 2- Investigating Email 15
Investigating Spammers on the Internet
SpamhausIP lookup on suspect domain name
The Spamhaus Project
Search on usenetnewsadminnet-abuse
Search for Scott Richtermdash2040 entries
2022004 Module 2- Investigating Email 16
URL Obfuscation
Mislead ldquovictimrdquo into clicking on attachment
Reference wwwcounterhacknet
Some exampleshttpeer5673469dwwwmonarch-infocom
httpwwwmicrosoftcom21622319336
httpwwwmicrosoftcom
777777monarch-infocom
2022004 Module 2- Investigating Email 17
Geolocation
Critical to forensic analysis on Internet
Need to find a person
Commercial businessesUse for high volume investigations
Infosplit (NYC)
Quova
Fraud prevention in credit card applications
2022004 Module 2- Investigating Email 18
Quova Geopoint Architecture
15 BILLION IP ADDRESSES
70 DATA COLLECTION SERVERS
wwwacmecom
GEOPOINT SERVER
MANUAL QUERIES
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 14
2022004 Module 2- Investigating Email 15
Investigating Spammers on the Internet
SpamhausIP lookup on suspect domain name
The Spamhaus Project
Search on usenetnewsadminnet-abuse
Search for Scott Richtermdash2040 entries
2022004 Module 2- Investigating Email 16
URL Obfuscation
Mislead ldquovictimrdquo into clicking on attachment
Reference wwwcounterhacknet
Some exampleshttpeer5673469dwwwmonarch-infocom
httpwwwmicrosoftcom21622319336
httpwwwmicrosoftcom
777777monarch-infocom
2022004 Module 2- Investigating Email 17
Geolocation
Critical to forensic analysis on Internet
Need to find a person
Commercial businessesUse for high volume investigations
Infosplit (NYC)
Quova
Fraud prevention in credit card applications
2022004 Module 2- Investigating Email 18
Quova Geopoint Architecture
15 BILLION IP ADDRESSES
70 DATA COLLECTION SERVERS
wwwacmecom
GEOPOINT SERVER
MANUAL QUERIES
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 15
Investigating Spammers on the Internet
SpamhausIP lookup on suspect domain name
The Spamhaus Project
Search on usenetnewsadminnet-abuse
Search for Scott Richtermdash2040 entries
2022004 Module 2- Investigating Email 16
URL Obfuscation
Mislead ldquovictimrdquo into clicking on attachment
Reference wwwcounterhacknet
Some exampleshttpeer5673469dwwwmonarch-infocom
httpwwwmicrosoftcom21622319336
httpwwwmicrosoftcom
777777monarch-infocom
2022004 Module 2- Investigating Email 17
Geolocation
Critical to forensic analysis on Internet
Need to find a person
Commercial businessesUse for high volume investigations
Infosplit (NYC)
Quova
Fraud prevention in credit card applications
2022004 Module 2- Investigating Email 18
Quova Geopoint Architecture
15 BILLION IP ADDRESSES
70 DATA COLLECTION SERVERS
wwwacmecom
GEOPOINT SERVER
MANUAL QUERIES
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 16
URL Obfuscation
Mislead ldquovictimrdquo into clicking on attachment
Reference wwwcounterhacknet
Some exampleshttpeer5673469dwwwmonarch-infocom
httpwwwmicrosoftcom21622319336
httpwwwmicrosoftcom
777777monarch-infocom
2022004 Module 2- Investigating Email 17
Geolocation
Critical to forensic analysis on Internet
Need to find a person
Commercial businessesUse for high volume investigations
Infosplit (NYC)
Quova
Fraud prevention in credit card applications
2022004 Module 2- Investigating Email 18
Quova Geopoint Architecture
15 BILLION IP ADDRESSES
70 DATA COLLECTION SERVERS
wwwacmecom
GEOPOINT SERVER
MANUAL QUERIES
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 17
Geolocation
Critical to forensic analysis on Internet
Need to find a person
Commercial businessesUse for high volume investigations
Infosplit (NYC)
Quova
Fraud prevention in credit card applications
2022004 Module 2- Investigating Email 18
Quova Geopoint Architecture
15 BILLION IP ADDRESSES
70 DATA COLLECTION SERVERS
wwwacmecom
GEOPOINT SERVER
MANUAL QUERIES
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 18
Quova Geopoint Architecture
15 BILLION IP ADDRESSES
70 DATA COLLECTION SERVERS
wwwacmecom
GEOPOINT SERVER
MANUAL QUERIES
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 19
Quova Geolocation Data
Location DataContinent country state city zip code
Latitude + longitude
Marketing DataDMA (Nielson Media Research)
MSA (Metropolitan Statistical Area)
Internet ConnectionASN carrier organization domain
Connection type speed routing method
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 20
How Quova System Works
US Patent 6684250 (January 27 2004)
They use a weighted average to find best estimate of geographic location
Multiple traceroutes
DNS lookups
Whois information
Ping times
BGP tables
Regional Internet Registries (ARIN RIPE APNIC LACNIC)
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 21
How Quova Works cont
Local Internet Registries (KRNIC JPNIC etc)
You can learn from them and use their methods on individual addresses
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 22
Sample IP Addresses
668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on
Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom
24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 23
Sample IPs cont
209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago
212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 24
Fighting Spam
wwwspamconferenceorg
Better filtering Bayesian current hot approach
Current systems cocktail approach
Stamps cost in $$$ or CPU time
Tarpits
RMX records (SPF=Sender Permitted From)
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 25
Filtering Spam
FALSE +
SPAM
INTERNET
HAM
FALSE -
IMPLICATIONS FOR RETAILERhellipFOR HMO
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 26
Use of RMX Records
Email apparently from spammerfoocom
Received from 1234
DNS query RMX record for foocom
Internet
RMX records for foocom
1232
1233
1234
CONCLUSION NOT SPAM
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 27
CAN-SPAM Bill New Weapon for Investigators
In effect Jan 1 2004
wwwspamhausorglegalCAN-SPAMhtml
Preempts state anti-spam laws
Applies only to commercial email
Does not require opt-in
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 28
CAN-SPAM Dorsquos
Accurate HeadersFrom line
Subject line
Origin routing destination
Include opt-out address
Include your real business address
Clearly note that email is advertisment
Mark sexually explicit material
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 29
CAN-SPAM Donrsquots
Donrsquot use harvested addresses
No dictionary attacks
No automated account signups
Donrsquot use mail relays
How much spam today is following these 9 rules
Up to 5 years in jail
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 30
Deleting your Own E-Mail
Your machine could be subpoenaed
Donrsquot want to leave damaging evidence
Keep personal email personal
This process can be very trickyClient storage
Exchange Server
Notes Server
Many products donrsquot workEvidence Eliminator no email delete
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 31
Deleting E-Mail Outlook Client
Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst
Method 2 Empty delete bin
Compact outlookpst file
Wipe remainder of disk
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 32
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 33
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 34
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-
2022004 Module 2- Investigating Email 35
Interesting Lab Project
Validate email delete processClient side
Server side
Use commercial delete programs develop procedure
Try to recover deleted email using EnCase
- Digital Forensics
- Review from Module 1
- Investigating E-Mail
- Characteristics of Email
- Sending Spam
- Spam Tools
- Types of Email Exploits
- Email Phishing
- Message Transfer
- Analyzing Message Headers
- Sample SPAM Message Header
- Internet Investigations NetScan Tools
- Investigating Spammers on the Internet
- URL Obfuscation
- Geolocation
- Quova Geopoint Architecture
- Quova Geolocation Data
- How Quova System Works
- How Quova Works cont
- Sample IP Addresses
- Sample IPs cont
- Fighting Spam
- Filtering Spam
- Use of RMX Records
- CAN-SPAM Bill New Weapon for Investigators
- CAN-SPAM Dorsquos
- CAN-SPAM Donrsquots
- Deleting your Own E-Mail
- Deleting E-Mail Outlook Client
- Interesting Lab Project
-