Forensics Module2

35
Digital Forensics Module 2 CS 996

description

Forensics

Transcript of Forensics Module2

Page 1: Forensics Module2

Digital Forensics

Module 2

CS 996

2022004 Module 2- Investigating Email 2

Review from Module 1

Forensics Investigation in support of litigation

Proactive vs ReactivePaul Kedrosky article WSJ 1302004

Start with Internet researchwwwnamebaseorg

2022004 Module 2- Investigating Email 3

Investigating E-Mail

Increasing volume of fraudulent emailSpam costs 001 centsmessage to send

Virus propagation

Spam in the workplace

Increased successful prosecution of spammers

Deleting email

2022004 Module 2- Investigating Email 4

Characteristics of Email

Why are investigations toughldquoNoone knows you are a dog on the Internetrdquo

Must tie spam to actual sender or his agent

Why are investigations feasible

2022004 Module 2- Investigating Email 5

Sending Spam

Profile of NYC mass mailer1 million messageshourserver

Gig-E Internet connection SQL backend

Call center 45 people in Costa Rica

Product herbal viagra

Many sophisticated programmers on staff

2022004 Module 2- Investigating Email 6

Spam Tools

ldquoKeep your enemies closerdquo

Robomail mass mailer

Lencom email harvester

wwwpaulgrahamcom

2022004 Module 2- Investigating Email 7

Types of Email Exploits

Denial of Service (DOS)

Fraudulent spam

Phishing scams

Viruses

Annoyance stalking

ldquoJoe Jobbingrdquo

419 Scams Nigerian Bank AccountsStill being used

wwwscamoramacom

2022004 Module 2- Investigating Email 8

Email Phishing

Serious threat of financial loss

Newest most damaging type of spam

Rely on ldquosocial engineeringrdquo

wwwantiphishingorg

2022004 Module 2- Investigating Email 9

Message Transfer

smtpinchcom mailacmecom

mailoptonlinenet

E SMTPPOP3

SMTP

thinkpad2monarchcom

ISP = CablevisionUser1acmecom

2022004 Module 2- Investigating Email 10

Analyzing Message Headers

Envelope header informationAdded by sender

Often forged

Message HeadersAdded by receivers

Use these for analysis

Reference wwwstopspamorgemailheadershtml

Sample message header

2022004 Module 2- Investigating Email 11

Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])

by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147

Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)

Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])

by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192

Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)

Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500

Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law

2022004 Module 2- Investigating Email 12

Internet Investigations NetScanTools

wwwnwpswcom

34 tools grouped in one windows package

For emailTraceroute (ICMP TCP)

Relay testing

RBL (Real-time Block List) testing

Automated data collection across multiple tools

2022004 Module 2- Investigating Email 13

2022004 Module 2- Investigating Email 14

2022004 Module 2- Investigating Email 15

Investigating Spammers on the Internet

SpamhausIP lookup on suspect domain name

The Spamhaus Project

Search on usenetnewsadminnet-abuse

Search for Scott Richtermdash2040 entries

2022004 Module 2- Investigating Email 16

URL Obfuscation

Mislead ldquovictimrdquo into clicking on attachment

Reference wwwcounterhacknet

Some exampleshttpeer5673469dwwwmonarch-infocom

httpwwwmicrosoftcom21622319336

httpwwwmicrosoftcom

777777monarch-infocom

2022004 Module 2- Investigating Email 17

Geolocation

Critical to forensic analysis on Internet

Need to find a person

Commercial businessesUse for high volume investigations

Infosplit (NYC)

Quova

Fraud prevention in credit card applications

2022004 Module 2- Investigating Email 18

Quova Geopoint Architecture

15 BILLION IP ADDRESSES

70 DATA COLLECTION SERVERS

wwwacmecom

GEOPOINT SERVER

MANUAL QUERIES

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 2: Forensics Module2

2022004 Module 2- Investigating Email 2

Review from Module 1

Forensics Investigation in support of litigation

Proactive vs ReactivePaul Kedrosky article WSJ 1302004

Start with Internet researchwwwnamebaseorg

2022004 Module 2- Investigating Email 3

Investigating E-Mail

Increasing volume of fraudulent emailSpam costs 001 centsmessage to send

Virus propagation

Spam in the workplace

Increased successful prosecution of spammers

Deleting email

2022004 Module 2- Investigating Email 4

Characteristics of Email

Why are investigations toughldquoNoone knows you are a dog on the Internetrdquo

Must tie spam to actual sender or his agent

Why are investigations feasible

2022004 Module 2- Investigating Email 5

Sending Spam

Profile of NYC mass mailer1 million messageshourserver

Gig-E Internet connection SQL backend

Call center 45 people in Costa Rica

Product herbal viagra

Many sophisticated programmers on staff

2022004 Module 2- Investigating Email 6

Spam Tools

ldquoKeep your enemies closerdquo

Robomail mass mailer

Lencom email harvester

wwwpaulgrahamcom

2022004 Module 2- Investigating Email 7

Types of Email Exploits

Denial of Service (DOS)

Fraudulent spam

Phishing scams

Viruses

Annoyance stalking

ldquoJoe Jobbingrdquo

419 Scams Nigerian Bank AccountsStill being used

wwwscamoramacom

2022004 Module 2- Investigating Email 8

Email Phishing

Serious threat of financial loss

Newest most damaging type of spam

Rely on ldquosocial engineeringrdquo

wwwantiphishingorg

2022004 Module 2- Investigating Email 9

Message Transfer

smtpinchcom mailacmecom

mailoptonlinenet

E SMTPPOP3

SMTP

thinkpad2monarchcom

ISP = CablevisionUser1acmecom

2022004 Module 2- Investigating Email 10

Analyzing Message Headers

Envelope header informationAdded by sender

Often forged

Message HeadersAdded by receivers

Use these for analysis

Reference wwwstopspamorgemailheadershtml

Sample message header

2022004 Module 2- Investigating Email 11

Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])

by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147

Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)

Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])

by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192

Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)

Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500

Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law

2022004 Module 2- Investigating Email 12

Internet Investigations NetScanTools

wwwnwpswcom

34 tools grouped in one windows package

For emailTraceroute (ICMP TCP)

Relay testing

RBL (Real-time Block List) testing

Automated data collection across multiple tools

2022004 Module 2- Investigating Email 13

2022004 Module 2- Investigating Email 14

2022004 Module 2- Investigating Email 15

Investigating Spammers on the Internet

SpamhausIP lookup on suspect domain name

The Spamhaus Project

Search on usenetnewsadminnet-abuse

Search for Scott Richtermdash2040 entries

2022004 Module 2- Investigating Email 16

URL Obfuscation

Mislead ldquovictimrdquo into clicking on attachment

Reference wwwcounterhacknet

Some exampleshttpeer5673469dwwwmonarch-infocom

httpwwwmicrosoftcom21622319336

httpwwwmicrosoftcom

777777monarch-infocom

2022004 Module 2- Investigating Email 17

Geolocation

Critical to forensic analysis on Internet

Need to find a person

Commercial businessesUse for high volume investigations

Infosplit (NYC)

Quova

Fraud prevention in credit card applications

2022004 Module 2- Investigating Email 18

Quova Geopoint Architecture

15 BILLION IP ADDRESSES

70 DATA COLLECTION SERVERS

wwwacmecom

GEOPOINT SERVER

MANUAL QUERIES

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 3: Forensics Module2

2022004 Module 2- Investigating Email 3

Investigating E-Mail

Increasing volume of fraudulent emailSpam costs 001 centsmessage to send

Virus propagation

Spam in the workplace

Increased successful prosecution of spammers

Deleting email

2022004 Module 2- Investigating Email 4

Characteristics of Email

Why are investigations toughldquoNoone knows you are a dog on the Internetrdquo

Must tie spam to actual sender or his agent

Why are investigations feasible

2022004 Module 2- Investigating Email 5

Sending Spam

Profile of NYC mass mailer1 million messageshourserver

Gig-E Internet connection SQL backend

Call center 45 people in Costa Rica

Product herbal viagra

Many sophisticated programmers on staff

2022004 Module 2- Investigating Email 6

Spam Tools

ldquoKeep your enemies closerdquo

Robomail mass mailer

Lencom email harvester

wwwpaulgrahamcom

2022004 Module 2- Investigating Email 7

Types of Email Exploits

Denial of Service (DOS)

Fraudulent spam

Phishing scams

Viruses

Annoyance stalking

ldquoJoe Jobbingrdquo

419 Scams Nigerian Bank AccountsStill being used

wwwscamoramacom

2022004 Module 2- Investigating Email 8

Email Phishing

Serious threat of financial loss

Newest most damaging type of spam

Rely on ldquosocial engineeringrdquo

wwwantiphishingorg

2022004 Module 2- Investigating Email 9

Message Transfer

smtpinchcom mailacmecom

mailoptonlinenet

E SMTPPOP3

SMTP

thinkpad2monarchcom

ISP = CablevisionUser1acmecom

2022004 Module 2- Investigating Email 10

Analyzing Message Headers

Envelope header informationAdded by sender

Often forged

Message HeadersAdded by receivers

Use these for analysis

Reference wwwstopspamorgemailheadershtml

Sample message header

2022004 Module 2- Investigating Email 11

Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])

by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147

Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)

Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])

by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192

Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)

Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500

Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law

2022004 Module 2- Investigating Email 12

Internet Investigations NetScanTools

wwwnwpswcom

34 tools grouped in one windows package

For emailTraceroute (ICMP TCP)

Relay testing

RBL (Real-time Block List) testing

Automated data collection across multiple tools

2022004 Module 2- Investigating Email 13

2022004 Module 2- Investigating Email 14

2022004 Module 2- Investigating Email 15

Investigating Spammers on the Internet

SpamhausIP lookup on suspect domain name

The Spamhaus Project

Search on usenetnewsadminnet-abuse

Search for Scott Richtermdash2040 entries

2022004 Module 2- Investigating Email 16

URL Obfuscation

Mislead ldquovictimrdquo into clicking on attachment

Reference wwwcounterhacknet

Some exampleshttpeer5673469dwwwmonarch-infocom

httpwwwmicrosoftcom21622319336

httpwwwmicrosoftcom

777777monarch-infocom

2022004 Module 2- Investigating Email 17

Geolocation

Critical to forensic analysis on Internet

Need to find a person

Commercial businessesUse for high volume investigations

Infosplit (NYC)

Quova

Fraud prevention in credit card applications

2022004 Module 2- Investigating Email 18

Quova Geopoint Architecture

15 BILLION IP ADDRESSES

70 DATA COLLECTION SERVERS

wwwacmecom

GEOPOINT SERVER

MANUAL QUERIES

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 4: Forensics Module2

2022004 Module 2- Investigating Email 4

Characteristics of Email

Why are investigations toughldquoNoone knows you are a dog on the Internetrdquo

Must tie spam to actual sender or his agent

Why are investigations feasible

2022004 Module 2- Investigating Email 5

Sending Spam

Profile of NYC mass mailer1 million messageshourserver

Gig-E Internet connection SQL backend

Call center 45 people in Costa Rica

Product herbal viagra

Many sophisticated programmers on staff

2022004 Module 2- Investigating Email 6

Spam Tools

ldquoKeep your enemies closerdquo

Robomail mass mailer

Lencom email harvester

wwwpaulgrahamcom

2022004 Module 2- Investigating Email 7

Types of Email Exploits

Denial of Service (DOS)

Fraudulent spam

Phishing scams

Viruses

Annoyance stalking

ldquoJoe Jobbingrdquo

419 Scams Nigerian Bank AccountsStill being used

wwwscamoramacom

2022004 Module 2- Investigating Email 8

Email Phishing

Serious threat of financial loss

Newest most damaging type of spam

Rely on ldquosocial engineeringrdquo

wwwantiphishingorg

2022004 Module 2- Investigating Email 9

Message Transfer

smtpinchcom mailacmecom

mailoptonlinenet

E SMTPPOP3

SMTP

thinkpad2monarchcom

ISP = CablevisionUser1acmecom

2022004 Module 2- Investigating Email 10

Analyzing Message Headers

Envelope header informationAdded by sender

Often forged

Message HeadersAdded by receivers

Use these for analysis

Reference wwwstopspamorgemailheadershtml

Sample message header

2022004 Module 2- Investigating Email 11

Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])

by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147

Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)

Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])

by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192

Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)

Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500

Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law

2022004 Module 2- Investigating Email 12

Internet Investigations NetScanTools

wwwnwpswcom

34 tools grouped in one windows package

For emailTraceroute (ICMP TCP)

Relay testing

RBL (Real-time Block List) testing

Automated data collection across multiple tools

2022004 Module 2- Investigating Email 13

2022004 Module 2- Investigating Email 14

2022004 Module 2- Investigating Email 15

Investigating Spammers on the Internet

SpamhausIP lookup on suspect domain name

The Spamhaus Project

Search on usenetnewsadminnet-abuse

Search for Scott Richtermdash2040 entries

2022004 Module 2- Investigating Email 16

URL Obfuscation

Mislead ldquovictimrdquo into clicking on attachment

Reference wwwcounterhacknet

Some exampleshttpeer5673469dwwwmonarch-infocom

httpwwwmicrosoftcom21622319336

httpwwwmicrosoftcom

777777monarch-infocom

2022004 Module 2- Investigating Email 17

Geolocation

Critical to forensic analysis on Internet

Need to find a person

Commercial businessesUse for high volume investigations

Infosplit (NYC)

Quova

Fraud prevention in credit card applications

2022004 Module 2- Investigating Email 18

Quova Geopoint Architecture

15 BILLION IP ADDRESSES

70 DATA COLLECTION SERVERS

wwwacmecom

GEOPOINT SERVER

MANUAL QUERIES

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 5: Forensics Module2

2022004 Module 2- Investigating Email 5

Sending Spam

Profile of NYC mass mailer1 million messageshourserver

Gig-E Internet connection SQL backend

Call center 45 people in Costa Rica

Product herbal viagra

Many sophisticated programmers on staff

2022004 Module 2- Investigating Email 6

Spam Tools

ldquoKeep your enemies closerdquo

Robomail mass mailer

Lencom email harvester

wwwpaulgrahamcom

2022004 Module 2- Investigating Email 7

Types of Email Exploits

Denial of Service (DOS)

Fraudulent spam

Phishing scams

Viruses

Annoyance stalking

ldquoJoe Jobbingrdquo

419 Scams Nigerian Bank AccountsStill being used

wwwscamoramacom

2022004 Module 2- Investigating Email 8

Email Phishing

Serious threat of financial loss

Newest most damaging type of spam

Rely on ldquosocial engineeringrdquo

wwwantiphishingorg

2022004 Module 2- Investigating Email 9

Message Transfer

smtpinchcom mailacmecom

mailoptonlinenet

E SMTPPOP3

SMTP

thinkpad2monarchcom

ISP = CablevisionUser1acmecom

2022004 Module 2- Investigating Email 10

Analyzing Message Headers

Envelope header informationAdded by sender

Often forged

Message HeadersAdded by receivers

Use these for analysis

Reference wwwstopspamorgemailheadershtml

Sample message header

2022004 Module 2- Investigating Email 11

Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])

by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147

Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)

Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])

by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192

Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)

Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500

Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law

2022004 Module 2- Investigating Email 12

Internet Investigations NetScanTools

wwwnwpswcom

34 tools grouped in one windows package

For emailTraceroute (ICMP TCP)

Relay testing

RBL (Real-time Block List) testing

Automated data collection across multiple tools

2022004 Module 2- Investigating Email 13

2022004 Module 2- Investigating Email 14

2022004 Module 2- Investigating Email 15

Investigating Spammers on the Internet

SpamhausIP lookup on suspect domain name

The Spamhaus Project

Search on usenetnewsadminnet-abuse

Search for Scott Richtermdash2040 entries

2022004 Module 2- Investigating Email 16

URL Obfuscation

Mislead ldquovictimrdquo into clicking on attachment

Reference wwwcounterhacknet

Some exampleshttpeer5673469dwwwmonarch-infocom

httpwwwmicrosoftcom21622319336

httpwwwmicrosoftcom

777777monarch-infocom

2022004 Module 2- Investigating Email 17

Geolocation

Critical to forensic analysis on Internet

Need to find a person

Commercial businessesUse for high volume investigations

Infosplit (NYC)

Quova

Fraud prevention in credit card applications

2022004 Module 2- Investigating Email 18

Quova Geopoint Architecture

15 BILLION IP ADDRESSES

70 DATA COLLECTION SERVERS

wwwacmecom

GEOPOINT SERVER

MANUAL QUERIES

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 6: Forensics Module2

2022004 Module 2- Investigating Email 6

Spam Tools

ldquoKeep your enemies closerdquo

Robomail mass mailer

Lencom email harvester

wwwpaulgrahamcom

2022004 Module 2- Investigating Email 7

Types of Email Exploits

Denial of Service (DOS)

Fraudulent spam

Phishing scams

Viruses

Annoyance stalking

ldquoJoe Jobbingrdquo

419 Scams Nigerian Bank AccountsStill being used

wwwscamoramacom

2022004 Module 2- Investigating Email 8

Email Phishing

Serious threat of financial loss

Newest most damaging type of spam

Rely on ldquosocial engineeringrdquo

wwwantiphishingorg

2022004 Module 2- Investigating Email 9

Message Transfer

smtpinchcom mailacmecom

mailoptonlinenet

E SMTPPOP3

SMTP

thinkpad2monarchcom

ISP = CablevisionUser1acmecom

2022004 Module 2- Investigating Email 10

Analyzing Message Headers

Envelope header informationAdded by sender

Often forged

Message HeadersAdded by receivers

Use these for analysis

Reference wwwstopspamorgemailheadershtml

Sample message header

2022004 Module 2- Investigating Email 11

Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])

by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147

Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)

Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])

by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192

Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)

Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500

Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law

2022004 Module 2- Investigating Email 12

Internet Investigations NetScanTools

wwwnwpswcom

34 tools grouped in one windows package

For emailTraceroute (ICMP TCP)

Relay testing

RBL (Real-time Block List) testing

Automated data collection across multiple tools

2022004 Module 2- Investigating Email 13

2022004 Module 2- Investigating Email 14

2022004 Module 2- Investigating Email 15

Investigating Spammers on the Internet

SpamhausIP lookup on suspect domain name

The Spamhaus Project

Search on usenetnewsadminnet-abuse

Search for Scott Richtermdash2040 entries

2022004 Module 2- Investigating Email 16

URL Obfuscation

Mislead ldquovictimrdquo into clicking on attachment

Reference wwwcounterhacknet

Some exampleshttpeer5673469dwwwmonarch-infocom

httpwwwmicrosoftcom21622319336

httpwwwmicrosoftcom

777777monarch-infocom

2022004 Module 2- Investigating Email 17

Geolocation

Critical to forensic analysis on Internet

Need to find a person

Commercial businessesUse for high volume investigations

Infosplit (NYC)

Quova

Fraud prevention in credit card applications

2022004 Module 2- Investigating Email 18

Quova Geopoint Architecture

15 BILLION IP ADDRESSES

70 DATA COLLECTION SERVERS

wwwacmecom

GEOPOINT SERVER

MANUAL QUERIES

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 7: Forensics Module2

2022004 Module 2- Investigating Email 7

Types of Email Exploits

Denial of Service (DOS)

Fraudulent spam

Phishing scams

Viruses

Annoyance stalking

ldquoJoe Jobbingrdquo

419 Scams Nigerian Bank AccountsStill being used

wwwscamoramacom

2022004 Module 2- Investigating Email 8

Email Phishing

Serious threat of financial loss

Newest most damaging type of spam

Rely on ldquosocial engineeringrdquo

wwwantiphishingorg

2022004 Module 2- Investigating Email 9

Message Transfer

smtpinchcom mailacmecom

mailoptonlinenet

E SMTPPOP3

SMTP

thinkpad2monarchcom

ISP = CablevisionUser1acmecom

2022004 Module 2- Investigating Email 10

Analyzing Message Headers

Envelope header informationAdded by sender

Often forged

Message HeadersAdded by receivers

Use these for analysis

Reference wwwstopspamorgemailheadershtml

Sample message header

2022004 Module 2- Investigating Email 11

Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])

by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147

Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)

Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])

by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192

Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)

Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500

Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law

2022004 Module 2- Investigating Email 12

Internet Investigations NetScanTools

wwwnwpswcom

34 tools grouped in one windows package

For emailTraceroute (ICMP TCP)

Relay testing

RBL (Real-time Block List) testing

Automated data collection across multiple tools

2022004 Module 2- Investigating Email 13

2022004 Module 2- Investigating Email 14

2022004 Module 2- Investigating Email 15

Investigating Spammers on the Internet

SpamhausIP lookup on suspect domain name

The Spamhaus Project

Search on usenetnewsadminnet-abuse

Search for Scott Richtermdash2040 entries

2022004 Module 2- Investigating Email 16

URL Obfuscation

Mislead ldquovictimrdquo into clicking on attachment

Reference wwwcounterhacknet

Some exampleshttpeer5673469dwwwmonarch-infocom

httpwwwmicrosoftcom21622319336

httpwwwmicrosoftcom

777777monarch-infocom

2022004 Module 2- Investigating Email 17

Geolocation

Critical to forensic analysis on Internet

Need to find a person

Commercial businessesUse for high volume investigations

Infosplit (NYC)

Quova

Fraud prevention in credit card applications

2022004 Module 2- Investigating Email 18

Quova Geopoint Architecture

15 BILLION IP ADDRESSES

70 DATA COLLECTION SERVERS

wwwacmecom

GEOPOINT SERVER

MANUAL QUERIES

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 8: Forensics Module2

2022004 Module 2- Investigating Email 8

Email Phishing

Serious threat of financial loss

Newest most damaging type of spam

Rely on ldquosocial engineeringrdquo

wwwantiphishingorg

2022004 Module 2- Investigating Email 9

Message Transfer

smtpinchcom mailacmecom

mailoptonlinenet

E SMTPPOP3

SMTP

thinkpad2monarchcom

ISP = CablevisionUser1acmecom

2022004 Module 2- Investigating Email 10

Analyzing Message Headers

Envelope header informationAdded by sender

Often forged

Message HeadersAdded by receivers

Use these for analysis

Reference wwwstopspamorgemailheadershtml

Sample message header

2022004 Module 2- Investigating Email 11

Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])

by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147

Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)

Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])

by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192

Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)

Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500

Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law

2022004 Module 2- Investigating Email 12

Internet Investigations NetScanTools

wwwnwpswcom

34 tools grouped in one windows package

For emailTraceroute (ICMP TCP)

Relay testing

RBL (Real-time Block List) testing

Automated data collection across multiple tools

2022004 Module 2- Investigating Email 13

2022004 Module 2- Investigating Email 14

2022004 Module 2- Investigating Email 15

Investigating Spammers on the Internet

SpamhausIP lookup on suspect domain name

The Spamhaus Project

Search on usenetnewsadminnet-abuse

Search for Scott Richtermdash2040 entries

2022004 Module 2- Investigating Email 16

URL Obfuscation

Mislead ldquovictimrdquo into clicking on attachment

Reference wwwcounterhacknet

Some exampleshttpeer5673469dwwwmonarch-infocom

httpwwwmicrosoftcom21622319336

httpwwwmicrosoftcom

777777monarch-infocom

2022004 Module 2- Investigating Email 17

Geolocation

Critical to forensic analysis on Internet

Need to find a person

Commercial businessesUse for high volume investigations

Infosplit (NYC)

Quova

Fraud prevention in credit card applications

2022004 Module 2- Investigating Email 18

Quova Geopoint Architecture

15 BILLION IP ADDRESSES

70 DATA COLLECTION SERVERS

wwwacmecom

GEOPOINT SERVER

MANUAL QUERIES

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 9: Forensics Module2

2022004 Module 2- Investigating Email 9

Message Transfer

smtpinchcom mailacmecom

mailoptonlinenet

E SMTPPOP3

SMTP

thinkpad2monarchcom

ISP = CablevisionUser1acmecom

2022004 Module 2- Investigating Email 10

Analyzing Message Headers

Envelope header informationAdded by sender

Often forged

Message HeadersAdded by receivers

Use these for analysis

Reference wwwstopspamorgemailheadershtml

Sample message header

2022004 Module 2- Investigating Email 11

Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])

by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147

Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)

Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])

by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192

Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)

Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500

Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law

2022004 Module 2- Investigating Email 12

Internet Investigations NetScanTools

wwwnwpswcom

34 tools grouped in one windows package

For emailTraceroute (ICMP TCP)

Relay testing

RBL (Real-time Block List) testing

Automated data collection across multiple tools

2022004 Module 2- Investigating Email 13

2022004 Module 2- Investigating Email 14

2022004 Module 2- Investigating Email 15

Investigating Spammers on the Internet

SpamhausIP lookup on suspect domain name

The Spamhaus Project

Search on usenetnewsadminnet-abuse

Search for Scott Richtermdash2040 entries

2022004 Module 2- Investigating Email 16

URL Obfuscation

Mislead ldquovictimrdquo into clicking on attachment

Reference wwwcounterhacknet

Some exampleshttpeer5673469dwwwmonarch-infocom

httpwwwmicrosoftcom21622319336

httpwwwmicrosoftcom

777777monarch-infocom

2022004 Module 2- Investigating Email 17

Geolocation

Critical to forensic analysis on Internet

Need to find a person

Commercial businessesUse for high volume investigations

Infosplit (NYC)

Quova

Fraud prevention in credit card applications

2022004 Module 2- Investigating Email 18

Quova Geopoint Architecture

15 BILLION IP ADDRESSES

70 DATA COLLECTION SERVERS

wwwacmecom

GEOPOINT SERVER

MANUAL QUERIES

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 10: Forensics Module2

2022004 Module 2- Investigating Email 10

Analyzing Message Headers

Envelope header informationAdded by sender

Often forged

Message HeadersAdded by receivers

Use these for analysis

Reference wwwstopspamorgemailheadershtml

Sample message header

2022004 Module 2- Investigating Email 11

Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])

by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147

Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)

Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])

by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192

Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)

Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500

Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law

2022004 Module 2- Investigating Email 12

Internet Investigations NetScanTools

wwwnwpswcom

34 tools grouped in one windows package

For emailTraceroute (ICMP TCP)

Relay testing

RBL (Real-time Block List) testing

Automated data collection across multiple tools

2022004 Module 2- Investigating Email 13

2022004 Module 2- Investigating Email 14

2022004 Module 2- Investigating Email 15

Investigating Spammers on the Internet

SpamhausIP lookup on suspect domain name

The Spamhaus Project

Search on usenetnewsadminnet-abuse

Search for Scott Richtermdash2040 entries

2022004 Module 2- Investigating Email 16

URL Obfuscation

Mislead ldquovictimrdquo into clicking on attachment

Reference wwwcounterhacknet

Some exampleshttpeer5673469dwwwmonarch-infocom

httpwwwmicrosoftcom21622319336

httpwwwmicrosoftcom

777777monarch-infocom

2022004 Module 2- Investigating Email 17

Geolocation

Critical to forensic analysis on Internet

Need to find a person

Commercial businessesUse for high volume investigations

Infosplit (NYC)

Quova

Fraud prevention in credit card applications

2022004 Module 2- Investigating Email 18

Quova Geopoint Architecture

15 BILLION IP ADDRESSES

70 DATA COLLECTION SERVERS

wwwacmecom

GEOPOINT SERVER

MANUAL QUERIES

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 11: Forensics Module2

2022004 Module 2- Investigating Email 11

Sample SPAM Message HeaderReturn-Path ltcolemanqwestnetgtReceived from mx4inchcom (mx4inchcom [21622320858])

by utilinchcom (8121081210UTIL-INCH-3010) with ESMTP id i07AhNQs011147

Wed 7 Jan 2004 054323 -0500 (EST)(envelope-from colemanqwestnet)

Received from pool-68-163-194-196boseastverizonnet (pool-68-163-194-196boseastverizonnet [68163194196])

by mx4inchcom (8128p18128MXER-INCH-308) with SMTP id i07AhMF6071192

Wed 7 Jan 2004 054322 -0500 (EST)(envelope-from colemanqwestnet)

Received from [801110475]by pool-68-163-194-196boseastverizonnet id vnXzM8nKRZZTWed 07 Jan 2004 153511 +0500

Message-ID lt10b$9--9c$hjd7o71p28-05nm811j4aip1gtFrom Tracey Porter ltcolemanqwestnetgtReply-To Tracey Porter ltcolemanqwestnetgtTo fredsinchcomSubject SPAM The tool Law

2022004 Module 2- Investigating Email 12

Internet Investigations NetScanTools

wwwnwpswcom

34 tools grouped in one windows package

For emailTraceroute (ICMP TCP)

Relay testing

RBL (Real-time Block List) testing

Automated data collection across multiple tools

2022004 Module 2- Investigating Email 13

2022004 Module 2- Investigating Email 14

2022004 Module 2- Investigating Email 15

Investigating Spammers on the Internet

SpamhausIP lookup on suspect domain name

The Spamhaus Project

Search on usenetnewsadminnet-abuse

Search for Scott Richtermdash2040 entries

2022004 Module 2- Investigating Email 16

URL Obfuscation

Mislead ldquovictimrdquo into clicking on attachment

Reference wwwcounterhacknet

Some exampleshttpeer5673469dwwwmonarch-infocom

httpwwwmicrosoftcom21622319336

httpwwwmicrosoftcom

777777monarch-infocom

2022004 Module 2- Investigating Email 17

Geolocation

Critical to forensic analysis on Internet

Need to find a person

Commercial businessesUse for high volume investigations

Infosplit (NYC)

Quova

Fraud prevention in credit card applications

2022004 Module 2- Investigating Email 18

Quova Geopoint Architecture

15 BILLION IP ADDRESSES

70 DATA COLLECTION SERVERS

wwwacmecom

GEOPOINT SERVER

MANUAL QUERIES

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 12: Forensics Module2

2022004 Module 2- Investigating Email 12

Internet Investigations NetScanTools

wwwnwpswcom

34 tools grouped in one windows package

For emailTraceroute (ICMP TCP)

Relay testing

RBL (Real-time Block List) testing

Automated data collection across multiple tools

2022004 Module 2- Investigating Email 13

2022004 Module 2- Investigating Email 14

2022004 Module 2- Investigating Email 15

Investigating Spammers on the Internet

SpamhausIP lookup on suspect domain name

The Spamhaus Project

Search on usenetnewsadminnet-abuse

Search for Scott Richtermdash2040 entries

2022004 Module 2- Investigating Email 16

URL Obfuscation

Mislead ldquovictimrdquo into clicking on attachment

Reference wwwcounterhacknet

Some exampleshttpeer5673469dwwwmonarch-infocom

httpwwwmicrosoftcom21622319336

httpwwwmicrosoftcom

777777monarch-infocom

2022004 Module 2- Investigating Email 17

Geolocation

Critical to forensic analysis on Internet

Need to find a person

Commercial businessesUse for high volume investigations

Infosplit (NYC)

Quova

Fraud prevention in credit card applications

2022004 Module 2- Investigating Email 18

Quova Geopoint Architecture

15 BILLION IP ADDRESSES

70 DATA COLLECTION SERVERS

wwwacmecom

GEOPOINT SERVER

MANUAL QUERIES

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 13: Forensics Module2

2022004 Module 2- Investigating Email 13

2022004 Module 2- Investigating Email 14

2022004 Module 2- Investigating Email 15

Investigating Spammers on the Internet

SpamhausIP lookup on suspect domain name

The Spamhaus Project

Search on usenetnewsadminnet-abuse

Search for Scott Richtermdash2040 entries

2022004 Module 2- Investigating Email 16

URL Obfuscation

Mislead ldquovictimrdquo into clicking on attachment

Reference wwwcounterhacknet

Some exampleshttpeer5673469dwwwmonarch-infocom

httpwwwmicrosoftcom21622319336

httpwwwmicrosoftcom

777777monarch-infocom

2022004 Module 2- Investigating Email 17

Geolocation

Critical to forensic analysis on Internet

Need to find a person

Commercial businessesUse for high volume investigations

Infosplit (NYC)

Quova

Fraud prevention in credit card applications

2022004 Module 2- Investigating Email 18

Quova Geopoint Architecture

15 BILLION IP ADDRESSES

70 DATA COLLECTION SERVERS

wwwacmecom

GEOPOINT SERVER

MANUAL QUERIES

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 14: Forensics Module2

2022004 Module 2- Investigating Email 14

2022004 Module 2- Investigating Email 15

Investigating Spammers on the Internet

SpamhausIP lookup on suspect domain name

The Spamhaus Project

Search on usenetnewsadminnet-abuse

Search for Scott Richtermdash2040 entries

2022004 Module 2- Investigating Email 16

URL Obfuscation

Mislead ldquovictimrdquo into clicking on attachment

Reference wwwcounterhacknet

Some exampleshttpeer5673469dwwwmonarch-infocom

httpwwwmicrosoftcom21622319336

httpwwwmicrosoftcom

777777monarch-infocom

2022004 Module 2- Investigating Email 17

Geolocation

Critical to forensic analysis on Internet

Need to find a person

Commercial businessesUse for high volume investigations

Infosplit (NYC)

Quova

Fraud prevention in credit card applications

2022004 Module 2- Investigating Email 18

Quova Geopoint Architecture

15 BILLION IP ADDRESSES

70 DATA COLLECTION SERVERS

wwwacmecom

GEOPOINT SERVER

MANUAL QUERIES

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 15: Forensics Module2

2022004 Module 2- Investigating Email 15

Investigating Spammers on the Internet

SpamhausIP lookup on suspect domain name

The Spamhaus Project

Search on usenetnewsadminnet-abuse

Search for Scott Richtermdash2040 entries

2022004 Module 2- Investigating Email 16

URL Obfuscation

Mislead ldquovictimrdquo into clicking on attachment

Reference wwwcounterhacknet

Some exampleshttpeer5673469dwwwmonarch-infocom

httpwwwmicrosoftcom21622319336

httpwwwmicrosoftcom

777777monarch-infocom

2022004 Module 2- Investigating Email 17

Geolocation

Critical to forensic analysis on Internet

Need to find a person

Commercial businessesUse for high volume investigations

Infosplit (NYC)

Quova

Fraud prevention in credit card applications

2022004 Module 2- Investigating Email 18

Quova Geopoint Architecture

15 BILLION IP ADDRESSES

70 DATA COLLECTION SERVERS

wwwacmecom

GEOPOINT SERVER

MANUAL QUERIES

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 16: Forensics Module2

2022004 Module 2- Investigating Email 16

URL Obfuscation

Mislead ldquovictimrdquo into clicking on attachment

Reference wwwcounterhacknet

Some exampleshttpeer5673469dwwwmonarch-infocom

httpwwwmicrosoftcom21622319336

httpwwwmicrosoftcom

777777monarch-infocom

2022004 Module 2- Investigating Email 17

Geolocation

Critical to forensic analysis on Internet

Need to find a person

Commercial businessesUse for high volume investigations

Infosplit (NYC)

Quova

Fraud prevention in credit card applications

2022004 Module 2- Investigating Email 18

Quova Geopoint Architecture

15 BILLION IP ADDRESSES

70 DATA COLLECTION SERVERS

wwwacmecom

GEOPOINT SERVER

MANUAL QUERIES

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 17: Forensics Module2

2022004 Module 2- Investigating Email 17

Geolocation

Critical to forensic analysis on Internet

Need to find a person

Commercial businessesUse for high volume investigations

Infosplit (NYC)

Quova

Fraud prevention in credit card applications

2022004 Module 2- Investigating Email 18

Quova Geopoint Architecture

15 BILLION IP ADDRESSES

70 DATA COLLECTION SERVERS

wwwacmecom

GEOPOINT SERVER

MANUAL QUERIES

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 18: Forensics Module2

2022004 Module 2- Investigating Email 18

Quova Geopoint Architecture

15 BILLION IP ADDRESSES

70 DATA COLLECTION SERVERS

wwwacmecom

GEOPOINT SERVER

MANUAL QUERIES

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 19: Forensics Module2

2022004 Module 2- Investigating Email 19

Quova Geolocation Data

Location DataContinent country state city zip code

Latitude + longitude

Marketing DataDMA (Nielson Media Research)

MSA (Metropolitan Statistical Area)

Internet ConnectionASN carrier organization domain

Connection type speed routing method

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 20: Forensics Module2

2022004 Module 2- Investigating Email 20

How Quova System Works

US Patent 6684250 (January 27 2004)

They use a weighted average to find best estimate of geographic location

Multiple traceroutes

DNS lookups

Whois information

Ping times

BGP tables

Regional Internet Registries (ARIN RIPE APNIC LACNIC)

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 21: Forensics Module2

2022004 Module 2- Investigating Email 21

How Quova Works cont

Local Internet Registries (KRNIC JPNIC etc)

You can learn from them and use their methods on individual addresses

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 22: Forensics Module2

2022004 Module 2- Investigating Email 22

Sample IP Addresses

668129024Registered in ARIN to Roadrunner Herndon VAHostname a66b8n129client1hawaiirrcomTraceroutes converge on

Fas1-0-kauihi-kalaheo-ubr1hawaiirrcom

24112120025Registered in ARIN to Rogers Cable TorontoHostname CPE002018d9dc11-CMO14340002240cpenetcablerogerscomTraceroutes converge on tlgw5mtwxphubnetcablerogerscom (mtwx = Scarborough ON)

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 23: Forensics Module2

2022004 Module 2- Investigating Email 23

Sample IPs cont

209198199025Registered to Interpacket Santa Monica CATraceroutes converge on Verestar router in Seattle (a satellite provider)Research uncovers hostnames ending in carecorg= Caribbean Epidemiology Centre in TrinidadampTobago

212165173024Registered to New Skies Satellites in NetherlandsNo hostnameImpossible to determine location satellite connection could be anywhere

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 24: Forensics Module2

2022004 Module 2- Investigating Email 24

Fighting Spam

wwwspamconferenceorg

Better filtering Bayesian current hot approach

Current systems cocktail approach

Stamps cost in $$$ or CPU time

Tarpits

RMX records (SPF=Sender Permitted From)

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 25: Forensics Module2

2022004 Module 2- Investigating Email 25

Filtering Spam

FALSE +

SPAM

INTERNET

HAM

FALSE -

IMPLICATIONS FOR RETAILERhellipFOR HMO

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 26: Forensics Module2

2022004 Module 2- Investigating Email 26

Use of RMX Records

Email apparently from spammerfoocom

Received from 1234

DNS query RMX record for foocom

Internet

RMX records for foocom

1232

1233

1234

CONCLUSION NOT SPAM

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 27: Forensics Module2

2022004 Module 2- Investigating Email 27

CAN-SPAM Bill New Weapon for Investigators

In effect Jan 1 2004

wwwspamhausorglegalCAN-SPAMhtml

Preempts state anti-spam laws

Applies only to commercial email

Does not require opt-in

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 28: Forensics Module2

2022004 Module 2- Investigating Email 28

CAN-SPAM Dorsquos

Accurate HeadersFrom line

Subject line

Origin routing destination

Include opt-out address

Include your real business address

Clearly note that email is advertisment

Mark sexually explicit material

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 29: Forensics Module2

2022004 Module 2- Investigating Email 29

CAN-SPAM Donrsquots

Donrsquot use harvested addresses

No dictionary attacks

No automated account signups

Donrsquot use mail relays

How much spam today is following these 9 rules

Up to 5 years in jail

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 30: Forensics Module2

2022004 Module 2- Investigating Email 30

Deleting your Own E-Mail

Your machine could be subpoenaed

Donrsquot want to leave damaging evidence

Keep personal email personal

This process can be very trickyClient storage

Exchange Server

Notes Server

Many products donrsquot workEvidence Eliminator no email delete

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 31: Forensics Module2

2022004 Module 2- Investigating Email 31

Deleting E-Mail Outlook Client

Method 1 Delete and scrub outlookpstCdocuments and settingsuserlocalsettingsapplication datamicrosoftoutlookoutlookpst

Method 2 Empty delete bin

Compact outlookpst file

Wipe remainder of disk

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 32: Forensics Module2

2022004 Module 2- Investigating Email 32

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 33: Forensics Module2

2022004 Module 2- Investigating Email 33

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 34: Forensics Module2

2022004 Module 2- Investigating Email 34

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project
Page 35: Forensics Module2

2022004 Module 2- Investigating Email 35

Interesting Lab Project

Validate email delete processClient side

Server side

Use commercial delete programs develop procedure

Try to recover deleted email using EnCase

  • Digital Forensics
  • Review from Module 1
  • Investigating E-Mail
  • Characteristics of Email
  • Sending Spam
  • Spam Tools
  • Types of Email Exploits
  • Email Phishing
  • Message Transfer
  • Analyzing Message Headers
  • Sample SPAM Message Header
  • Internet Investigations NetScan Tools
  • Investigating Spammers on the Internet
  • URL Obfuscation
  • Geolocation
  • Quova Geopoint Architecture
  • Quova Geolocation Data
  • How Quova System Works
  • How Quova Works cont
  • Sample IP Addresses
  • Sample IPs cont
  • Fighting Spam
  • Filtering Spam
  • Use of RMX Records
  • CAN-SPAM Bill New Weapon for Investigators
  • CAN-SPAM Dorsquos
  • CAN-SPAM Donrsquots
  • Deleting your Own E-Mail
  • Deleting E-Mail Outlook Client
  • Interesting Lab Project