Tracing IPs and E-Mail: A Quick Review (transcript of slides from athena.csus.edu/~cookd/116/notes/CSc 116 - Summer...)
Tracing IPs and E-Mail
Week 4
A Quick Review
Sorry CSC 8 Students…
The following slides are a review of CSC 8 material
Some students took this class a while ago, so we need to review some concepts
Sorry, CSC 8 students. This will be redundant.
7/27/2018 Sacramento State - Cook - CSc 116 - Summer 2018 3
A Quick Review…
The Internet uses the Internet Protocol (IP) to identify computers on the network
Benefits:
• easy to implement and extensible
• public and free
• allows all the different networks to communicate
Internet Addresses - IP Address
• format of addresses used by the Internet
• every device on the Internet has one
Internet Protocol
Originally, the 4 bytes used in IPv4 were structured into 3 different “classes”
Each allows a different number of owners ("networks") and hosts ("addresses")
Different organizations could get a Class A, B or C block
Original IPv4 Address Format
The classes:
• Class A – 254 networks with 16 million hosts
• Class B – 16,384 networks with 65,536 hosts
• Class C – 2 million networks with 255 hosts
So, there are 16,384 Class B's, each of which has 65,536 unique addresses that it can use at its leisure
Original IPv4 Address Format
Class A includes the large NSPs such as AT&T
Class B typically contains large business and universities
Class C is everyone else
Main IP Classes
Class A 1.0.0.0 … 127.255.255.255
Class B 128.0.0.0 … 191.255.255.255
Class C 192.0.0.0 … 223.255.255.255
IP Addresses Classes
How can you have more than one device at home or a business use the Internet?
NAT (Network Address Translation)
• allows multiple computers to use private IP addresses and all share one public IP address
• it basically implements your own private Internet
Network Address Translation
Local network uses just one public IP
The outside world only sees one!
Allows…
• small businesses and individual users get Internet access at a low cost
• a range of addresses does not need to be bought from an ISP – just one
• how most “coffee-shop” wireless networks work
Sharing an IP
In each “class”…
• there is a special range reserved for internal use only
• anyone can use these addresses
These are not used on any public computer
• hence, there is no confusion between an internal address and one in the outside world
• this feature has allowed the Internet to stay up long after the IPv4 address space was exhausted
How do they pull this off?
Special Internal use only (RFC 1918 Non-routable)
Also 127.ANY Loopback (127.0.0.1)
Internal Use IP Addresses
Class A 10.0.0.0 … 10.255.255.255
Class B 172.16.0.0 … 172.31.255.255
Class C 192.168.0.0 … 192.168.255.255
IP Addresses Revisited
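The two tables above (the original classes and the RFC 1918 internal-use ranges) are easy to get wrong by eye, for example 172.32.0.1 looks private but is not. The following is an added example, not code from the slides: a small Python classifier that reports the original class, whether an address is private, loopback or public, and therefore whether an RIR WHOIS lookup could ever name an owner for it. The log lines fed to it are constructed for the example.

```python
import ipaddress
import re

# Original classful ranges as listed on the "Main IP Classes" slide (first octet decides)
CLASS_BY_FIRST_OCTET = [(1, 127, "A"), (128, 191, "B"), (192, 223, "C")]

# RFC 1918 internal-use blocks, one per class, from the "Internal Use IP Addresses" slide
PRIVATE_BLOCKS = {
    "A": ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0 ... 10.255.255.255
    "B": ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0 ... 172.31.255.255
    "C": ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 ... 192.168.255.255
}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")     # 127.ANY, e.g. 127.0.0.1


def classify(text):
    """Return the original class, the scope (public / private / loopback) and whether
    a WHOIS lookup at an RIR could identify an owner for this address."""
    addr = ipaddress.IPv4Address(text)              # raises ValueError on garbage input
    first = int(addr) >> 24
    cls = next((c for lo, hi, c in CLASS_BY_FIRST_OCTET if lo <= first <= hi), "other")
    if addr in LOOPBACK:
        scope = "loopback"
    elif any(addr in block for block in PRIVATE_BLOCKS.values()):
        scope = "private"
    else:
        scope = "public"
    # Only public addresses are registered with an RIR; a private or loopback address in a
    # log or a Received header identifies a machine inside some network, not on the Internet
    return {"address": str(addr), "class": cls, "scope": scope,
            "whois_traceable": scope == "public"}


def classify_many(lines):
    """Classify every IPv4-looking token in a batch of log lines (constructed input)."""
    found = re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "\n".join(lines))
    results = []
    for token in found:
        try:
            results.append(classify(token))
        except ValueError:
            continue    # e.g. 999.1.1.1 matches the regex but is not an address
    return results


if __name__ == "__main__":
    for ip in ("10.0.0.3", "172.31.255.255", "172.32.0.1", "192.168.1.1",
               "130.86.12.66", "127.0.0.1"):
        print(classify(ip))
```

The practical point for an investigator: a private or loopback address found in a log or header is only meaningful together with the records of the network it came from; it cannot be looked up at an RIR.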
Outgoing packets of data...
• source address (the computer that sent it) is replaced with the shared NAT IP address
• so, sender (internal) address → Shared NAT IP
• responses will be sent to the Shared NAT IP
Incoming packets of data...
• NAT IP address is replaced by the internal address
• so, Shared NAT IP → internal address
• hence, the data reaches the correct internal computer
How it Works
The Internet / Home network (NAT diagram)
Example (S = Sender, D = Destination):
Home network hosts: 10.0.0.1, 10.0.0.2, 10.0.0.3
Public addresses shown: 218.76.29.7 and 130.86.12.66
Packets shown in the diagram:
S 130.86.12.66   D 218.76.29.7
S 130.86.12.66   D 10.0.0.3
S 218.76.29.7    D 130.86.12.66
S 10.0.0.3       D 130.86.12.66
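To make the address rewriting above concrete, here is an added example (not code from the slides) of a toy NAT table in Python using the diagram's addresses. It goes one step beyond the slide: real home routers also rewrite the source port, which is what lets two internal hosts that picked the same port both share one public address. Packets are plain dicts constructed for the example.

```python
import itertools


class Nat:
    """Toy NAT ("masquerade") table for the home-network example: every outgoing packet
    leaves with the one shared public IP, and replies are mapped back to the internal
    sender. Packets are dicts with src/sport/dst/dport (constructed, not real traffic)."""

    def __init__(self, public_ip, first_public_port=40000):
        self.public_ip = public_ip
        self.by_public_port = {}      # public port -> (internal ip, internal port)
        self.by_internal = {}         # (internal ip, internal port) -> public port
        self.next_port = itertools.count(first_public_port)

    def outbound(self, pkt):
        """Sender (internal) address -> shared NAT IP; the port is rewritten too so that
        two hosts using the same source port stay distinguishable on the way back."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.by_internal:
            port = next(self.next_port)
            self.by_internal[key] = port
            self.by_public_port[port] = key
        return {**pkt, "src": self.public_ip, "sport": self.by_internal[key]}

    def inbound(self, pkt):
        """Shared NAT IP -> internal address. A packet for a port that no internal host
        opened has no table entry and is dropped (returned as None)."""
        if pkt["dst"] != self.public_ip:
            return None
        target = self.by_public_port.get(pkt["dport"])
        if target is None:
            return None
        ip, port = target
        return {**pkt, "dst": ip, "dport": port}


def round_trip(nat, internal_ip, internal_port, server_ip, server_port):
    """Send one packet out and feed the server's reply back in; returns the address the
    server saw as the sender and where the reply was finally delivered."""
    request = nat.outbound({"src": internal_ip, "sport": internal_port,
                            "dst": server_ip, "dport": server_port})
    reply = nat.inbound({"src": server_ip, "sport": server_port,
                         "dst": request["src"], "dport": request["sport"]})
    return request["src"], (reply["dst"], reply["dport"])


if __name__ == "__main__":
    nat = Nat("130.86.12.66")        # shared public address from the slide's diagram
    print(round_trip(nat, "10.0.0.3", 51000, "218.76.29.7", 80))
```

For tracing purposes the lesson is in `round_trip`'s first return value: the server at 218.76.29.7 only ever logs 130.86.12.66, so identifying which of 10.0.0.1, 10.0.0.2 or 10.0.0.3 sent a request needs the router's or ISP's own translation records for that time window.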
Programs that provide a service are called “servers”
We also use the term for computers designed to provide services (which gets confusing)
Servers and Ports
Each service has a unique number called a port
• similar to the concept of the physical ports on your computer – USB, etc…
• but, it only exists in software
Ports are a 16-bit number
• which gives a total of 65536 ports
• built into TCP/UDP – so it is part of the Internet
Servers and Ports
The special software, on the server computer, that “listens” on a port is called a daemon
It is important to understand how this works
• each service represents a different type of connection between two computers
• it is vital to interpreting server logs
Servers and Ports
Port  Name           Notes
20    FTP – Data     Data for File Transfer Protocol
21    FTP – Control  Control commands for FTP
25    SMTP           Simple Mail Transfer Protocol
54    DNS            Domain Name Service
80    HTTP           Hypertext Transfer Protocol
110   POP3           Post Office Protocol
443   HTTPS          Secure HTTP
Some Common Network Ports
IP Tracing
Finding who owns an IP Address
So who controls IP Addresses anyways?
IP addresses are allocated to organizations by Regional Internet Registries (RIRs)
Currently, there are 5 RIRs Worldwide
Who Controls IP Addresses?
Responsible for:
• the administration and registration of IP addresses for the entire global Internet.
• each RIR controls different geographical areas
Each RIR maintains a public database that identifies the organizations that have received addresses
Often they are ISPs and large corporations
Who Controls IP Addresses?
Organizations can …
• sub-delegate blocks of their IP addresses to other organizations
• this information is also entered into the RIR databases
• so, IP addresses are sold and resold
• … yes, they are an International commodity!
Who Controls IP Addresses?
African Network Information Centre
Asia Pacific Network Information Centre
American Registry for Internet Numbers
Latin American and Caribbean Internet Addresses Registry
Réseaux IP Européens Network Coordination Centre
The Five RIRs
RIR       Website          Service Region
ARIN      www.arin.net     North America
APNIC     www.apnic.net    Asia and Pacific Region
RIPE NCC  www.db.ripe.net  Europe, Russia, Middle East
LACNIC    www.lacnic.org   South & Central America
AfriNIC   www.afrinic.net  Africa
5 Regional Internet Registries
Regional Internet Registries
Access to the RIR databases is provided through the WHOIS Internet service
You can search for point-of-contact and registration information based on an IP address.
Easiest when…
• done through one of the RIR web sites.
• some specialized software and command-line utilities are also available to do searches.
• accuracy is best assured when searches are done through the web site
IP Address Tracing
IP Address Tracing
The ARIN database is a good place to start for investigators in North America.
It will report which database contains the record if it does not belong to ARIN.
http://ws.arin.net/whois
Step 1: Go to RIR Website
Enter the IP address in the “SEARCH WHOIS” text box
Click on the “SEARCH WHOIS” text.
Step 2: Enter the IP address
130.86.75.26
The information returned may be in a hierarchical tree, or…
may show the name of the organization without contact information.
Either of these two results requires additional steps.
Step 3: Locate the Point-of-Contact
The organization on the bottom of the tree has obtained its IP address from the organization listed above it.
Hierarchical Tree
Click on the link to the right of the organization’s name that begins with “NET” (the Net Handle link)
The next screen will show the organization’s point-of-contact information.
Phone numbers or web sites for the organizations listed can often be found with Google, etc...
Hierarchical Tree
How to find your home IP Address:
• click on Start → Run and type “cmd”
• in the new window type “ipconfig /all”
• if you have a home router, you will need to use your browser to log in to the router and look up the IP address that your ISP has assigned to you
Finding a Computer’s IP Address
E-Mail Overview
It is the dominant way we communicate
E-Mail is not new and has existed since the 1970’s
It was traditionally accessed using specialized software
However, with the birth of the World Wide Web and webmail, e-mail became accessible to everyone
Introduction
As the Internet revolutionized society, e-mail followed
Today, e-mail is one of the most common forms of communication
• … from normal messages, to corporation communications to criminal activities
• incriminating evidence and other activities can be found in e-mail
Introduction
E-mail evidence is typically used to corroborate or refute other testimony or evidence
People see e-mail as informal and tend to be “less guarded”
As a result, e-mail may contain …
• personal thoughts and desires
• incriminating information that the suspect would have never written down
Importance of E-Mail as Evidence
The e-mail server may have archived copies of messages
As a result, you can get a discovery request for received and sent e-mail
Different companies have different E-mail retention policies
Importance of Mail Servers
Many cases provide examples of the use of e-mail as evidence
• Knox v. State of Indiana
• Harley v. McCoach
• Nardinelli et al. v. Chevron
• Adelyn Lee v. Oracle Corporation
• Enron
Importance of E-Mail as Evidence
Adelyn Lee had been fired from the Oracle Corporation
She filed suit claiming wrongful termination
• she claimed she was fired, by her supervisor, for not having sex with CEO Larry Ellison
• discovery found an e-mail from her supervisor to the CEO stating “I have terminated Adelyn per your request.”
Adelyn Lee v. Oracle Corporation
She was awarded $100,000 in a settlement
However…
• supervisor was adamant that he never sent the e-mail and no crime had been committed
• forensic analysis was performed on the e-mail and found out it was a forgery!
Adelyn Lee v. Oracle Corporation
Oracle was able to show:
• she had logged onto her supervisor’s computer, using his password, and forged the e-mail
• she, then, had planted the e-mail to be “discovered”
• Oracle sued for perjury and falsification of evidence
Adelyn Lee v. Oracle Corporation
CFO Andrew Fastow and other executives were able to hide billions in debt from failed deals and projects from the investors
Financial institutions helped Enron manipulate its numbers and mislead investors
Enron
Investigation found “explosive” e-mails
• from Arthur Andersen (Enron’s accounting firm) and J.P. Morgan Chase (bank)
• proved that they knew how Enron was hiding its debt
Enron
E-Mail Retention….
Two standard methods of sending/receiving e-mail:
• client / server applications
• webmail
Both methods are actually identical “behind the scenes”
Special protocols are used on the Internet to send/receive e-mail
E-Mail Technical Basics
E-Mail uses SMTP to send messages and POP (or IMAP) to retrieve them
Even if you use webmail, these are being used behind the scenes
E-Mail Technical Basics
SMTP
• Simple Mail Transfer Protocol
• used to send e-mail
• like dropping a letter in a mailbox
POP
• Post Office Protocol
• used to retrieve e-mail
• like picking up a letter from the post office
E-Mail Protocols
IMAP
• Internet Message Access Protocol
• newer standard that is used to retrieve e-mail
• Most e-mail servers support both IMAP and POP
E-Mail Protocols
User opens a browser, logs in to the webmail
Webmail server has already placed mail in Inbox
User uses the compose function followed by the send function to create and send mail
Web client communicates behind the scenes to the webmail server to send the message
No e-mails are stored on the local PC; the webmail provider houses all e-mail
Webmail Data Flow
E-mail servers contain the software necessary to handle e-mail protocols and services
Contains logs…
• E-mail content
• Sending IP address
• Receiving and reading date and time
• System-specific information
Working with Mail Servers
Contact suspect’s network e-mail admin as soon as possible
Different companies have different e-mail retention policies
Company’s best interest is to archive as little as possible
• less evidence if they did something
• less work for e-Discovery
Working with Mail Servers
E-Mail Retention….
E-Mail Format
There is order to the chaos
Only a small part of an e-mail is normally visible to the user
Messages contain two parts:
• body contains the message that you write and read
• header contains information about the message
E-Mail Headers
Header contains obvious information such as who the e-mail is from and sent to
Header also contains information about:
• type of contents – plain text, HTML, etc…
• when it was sent
• hash values
• all the servers it passes along the way
Most e-mail clients
• only show a few items in the header
• most have an option to show complete details
E-Mail Headers
Most common parts of the e-mail header are logical addresses of senders and receivers
Logical address is composed of two parts
• mailbox, which comes before the @ sign
• hostname that comes after the @ sign
E-Mail Addresses
Originally, e-mail was text-only
Of course, in the 1970’s and 80’s computers only really displayed text
But, with multimedia, users wanted to make text bold, add pictures, etc…
RFC 2045 … RFC 2049
• extended e-mail to carry attachments and contain HTML and other markup formatting
• together these are called the Multipurpose Internet Mail Extensions (MIME)
The Move to Multimedia
E-Mail Headers
E-Mail never loses its head
The e-mail header is broken into a number of different “fields” that contain information about the e-mail itself
These can include information about how the e-mail moved over the Internet, its format, and more…
Header
When collecting e-mail, investigators MUST also get the header information
Otherwise…
• vast amount of forensic data is lost
• impossible to prove it is unaltered
Header
Field    What it does
To       The main recipient of the e-mail
From     The “official” source. Commonly forged.
CC       Carbon Copy – copies sent to each recipient
BCC      Blind Carbon Copy – each sent separately
Subject  The subject of the e-mail
Some Visible Fields
Field         What it does
Content-Type  This is the last field in the e-mail. It tells the e-mail viewer the format used by the message.
Message-ID    Unique identifier created by the server
Received      Every server that receives the message appends a Received field to the header
X-Priority    Used by server software to mark whether something is spam, high-priority, etc.
Some Hidden (but important) Fields
X-MSK: CML=2.771000
Return-Path: [email protected]
Received: from mx69.stngva01.us.mxservers.net (204.202.242.140)
by mail11a.verio-web.com (RS ver 1.0.95vs) with SMTP
id 0-0444218450
for <[email protected]>; Sun, 28 Mar 2010 22:07:31 -0400 (EDT)
Received: from unknown [202.75.49.135] (EHLO alorakar.cynethost.com)
by va1-mx69.stngva01.us.mxservers.net (mxl_mta-3.1.0-05)
with ESMTP id 16b00bb4.2587503520.346007.00-007.va1
mx69.stngva01.us.mxservers.net (envelope-from
Sun, 28 Mar 2010 22:07:29 -0400 (EDT)
Received: from 214.187.50.60.cbj01-home.tm.net.my ([60.50.187.214] helo=CEC)
by alorakar.cynethost.com with esmtpa (Exim 4.69)
(envelope-from <[email protected]>)
id 1Nw4Nw-0001yz-Om
for [email protected]; Mon, 29 Mar 2010 10:07:25 +0800
Reply-To: [email protected]
Message-ID: <[email protected]>
From: "Seminar" <[email protected]>
To: <[email protected]>
Subject: Mini Workshop : Create Your Own Website For Free
Date: Mon, 29 Mar 2010 10:01:26 -0800
MIME-Version: 1.0
Content-Type: text/html;
charset="US-ASCII"
A "Received" field is appended to the top of the message by every server that handles the e-mail
It records the computer the message was received from and the time/date
This is vital to showing how:
• the message got from Point A to Point B
• and often can be used to prove a forgery!
Received Field
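The way to read a chain of Received fields is bottom-up, checking that each hop's timestamp follows the previous one and that the visible Date header agrees with them. As an added example (not code from the slides), the Python below parses the header of the seminar spam shown above, with its continuation lines re-indented so the standard library treats them as folded header lines, and reports the hops in delivery order plus any inconsistencies it finds. The redacted [email protected] addresses are kept exactly as the slide prints them.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the spam header from the slide, continuation lines indented
SAMPLE_HEADER = """\
Return-Path: [email protected]
Received: from mx69.stngva01.us.mxservers.net (204.202.242.140)
    by mail11a.verio-web.com (RS ver 1.0.95vs) with SMTP
    id 0-0444218450
    for <[email protected]>; Sun, 28 Mar 2010 22:07:31 -0400 (EDT)
Received: from unknown [202.75.49.135] (EHLO alorakar.cynethost.com)
    by va1-mx69.stngva01.us.mxservers.net (mxl_mta-3.1.0-05)
    with ESMTP id 16b00bb4.2587503520.346007.00-007.va1
    mx69.stngva01.us.mxservers.net (envelope-from
    <[email protected]>); Sun, 28 Mar 2010 22:07:29 -0400 (EDT)
Received: from 214.187.50.60.cbj01-home.tm.net.my ([60.50.187.214] helo=CEC)
    by alorakar.cynethost.com with esmtpa (Exim 4.69)
    (envelope-from <[email protected]>)
    id 1Nw4Nw-0001yz-Om
    for [email protected]; Mon, 29 Mar 2010 10:07:25 +0800
Reply-To: [email protected]
Message-ID: <[email protected]>
From: "Seminar" <[email protected]>
To: <[email protected]>
Subject: Mini Workshop : Create Your Own Website For Free
Date: Mon, 29 Mar 2010 10:01:26 -0800
MIME-Version: 1.0
Content-Type: text/html;
    charset="US-ASCII"

"""

# Where MTAs put the peer's address: [1.2.3.4] is the usual form, (1.2.3.4) also occurs
IP_PATTERNS = [r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", r"\((\d{1,3}(?:\.\d{1,3}){3})\)",
               r"(\d{1,3}(?:\.\d{1,3}){3})"]


def parse_received(value):
    """Split one Received value into the 'from' clause, its IP, the 'by' host and the stamp."""
    flat = " ".join(value.split())                     # unfold the wrapped header lines
    m = re.match(r"from\s+(.+?)\s+by\s+(\S+)", flat)
    sender, by_host = (m.group(1), m.group(2)) if m else (flat, None)
    ip = next((h.group(1) for h in (re.search(p, sender) for p in IP_PATTERNS) if h), None)
    # the timestamp always follows the last ';' in the field
    when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip()) if ";" in flat else None
    return {"from": sender, "ip": ip, "by": by_host, "time": when}


def trace_path(raw_header):
    """Return the hops in delivery order (originating hop first) and a list of findings."""
    msg = message_from_string(raw_header)
    # each server prepends its line, so header order is newest first: reverse it
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    findings = []
    times = [h["time"] for h in hops if h["time"]]
    for earlier, later in zip(times, times[1:]):
        if later < earlier:
            findings.append("Received timestamps go backwards between hops")
    if msg.get("Date") and times:
        sent = parsedate_to_datetime(msg["Date"])
        # clocks differ by a few minutes normally; hours later than the first hop is not normal
        if sent - times[0] > timedelta(minutes=10):
            hours = (sent - times[0]).total_seconds() / 3600
            findings.append(f"Date header is {hours:.1f} h later than the first Received stamp")
        if sent.utcoffset() != times[0].utcoffset():
            findings.append("Date header time zone differs from the originating server's")
    return hops, findings


if __name__ == "__main__":
    hops, findings = trace_path(SAMPLE_HEADER)
    for i, h in enumerate(hops, 1):
        print(f"hop {i}: {h['ip']} -> {h['by']} at {h['time']}")
    print(findings)
```

On this message the three hops are two seconds apart and in order, but the Date header claims the message was written about sixteen hours after the first server received it, in a different time zone from the originating host: exactly the kind of contradiction the slide means when it says the Received chain can expose a forgery.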
Received Field (diagram)
After server A: Received A
After server B: Received B, Received A
After server C: Received C, Received B, Received A
(each server adds its line above the existing ones: A, then B, then C)
X-MSK: CML=2.501000
Received: from smtp1.csus.edu (130.86.90.248) by
smtp.saclink.csus.edu (130.86.80.131) with Microsoft
SMTP Server id 8.2.247.2; Tue,6 Apr 2013 19:39:55 -0700
Received: from col0-omc2-s13.col0.hotmail.com ([65.55.34.87])
by mail1.csus.edu with ESMTP; 06 Apr 2013 19:39:54 -0700
Received: from COL107-W21 ([65.55.34.71]) by
col0-omc2-s13.col0.hotmail.com with Microsoft
SMTPSVC(6.0.3790.3959); Tue, 6 Apr 2013 19:39:54 -0700
From: Devin Cook <[email protected]>
To: "[email protected]" <[email protected]>
Date: Tue, 6 Apr 2013 19:39:54 -0700
Subject: Hackers and Crackers
Thread-Topic: Hackers and Crackers
Thread-Index: AcrV+5tSX+fzEPJKQVqqwYkpDbgncg==
Message-ID: <[email protected]>
Accept-Language: en-US
Content-Language: en-US
Example
Sometimes, a gateway will create an additional hash value when it appends the Received field to the message header
This is in addition to the original Message-ID – it is not related
Every server may a use different format:
• often, this is hexadecimal value that resets every day
• it can be used to further give information about the time-window that the message passed through
Received Field
Received: from mx69.stngva01.us.mxservers.net
(204.202.242.140) by mail11a.verio-web.com (RS ver
1.0.95vs) with SMTP id 0-0444218450 for
<[email protected]>; Sun, 28 Mar 2010 22:07:31
-0400 (EDT)
Received: from unknown [202.75.49.135] (EHLO
alorakar.cynethost.com)
by va1-mx69.stngva01.us.mxservers.net (mxl_mta-3.1.0-05)
with ESMTP id 16b00bb4.2587503520.346007.00-007.va1
mx69.stngva01.us.mxservers.net (envelope-from
<[email protected]>); Sun, 28 Mar 2010
22:07:29 -0400 (EDT)
Received: from 214.187.50.60.cbj01-home.tm.net.my
([60.50.187.214] helo=CEC)
by alorakar.cynethost.com with esmtpa (Exim 4.69)
(envelope-from <[email protected]>)
id 1Nw4Nw-0001yz-Om for [email protected];
Mon, 29 Mar 2010 10:07:25 +0800
Message-ID field is used to uniquely identify a specific copy of a specific e-mail
• “provides a unique message identifier that refers to a particular version of a particular message”
• “Though optional, every message SHOULD have a ‘Message-ID:’ field”
The Message-ID is created by the first server that receives the e-mail
Server logs can be searched for this ID to find additional information
Message-ID Field
The contents of the ID are determined by the server software
• it usually contains the date/time in some form, but this is not always the case
• the ID is computer-friendly, not human-friendly: “machine readable and not necessarily meaningful to humans”
ID might be a number displayed in either decimal or hexadecimal
Message-ID Field
To: "[email protected]" <[email protected]>
Date: Tue, 6 Apr 2013 19:39:54 -0700
Subject: Bowties are cool!
Thread-Topic: Bowties are cool!
Thread-Index: AcrV+5tSX+fzEPJKQVqqwYkpDbgncg==
Message-ID: <[email protected]>
Accept-Language: en-US
Content-Language: en-US
Message-ID Example
<date/time integer> . <server> . <domain>
Example: Message-ID on UNIX Servers
UNIX e-mail servers use an integer that represents the date/time
It is stored as "number of microseconds since midnight, January 1, 1970, Greenwich Mean Time"
Example UNIX Message-ID
Message-ID: <[email protected]>
3989F5A3 (hex) = 965,342,627 (decimal) = Aug 3, 2000 18:43
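The conversion above can be scripted so that it is repeatable. The following is an added example, not code from the slides: it pulls the leading hex integer out of a Message-ID in the "<date/time integer>.<server>.<domain>" shape and decodes it as Unix time, which counts seconds since 1970-01-01 00:00:00 UTC. The host names in the sample ID are made up; the hex value is the one the slide decodes. The decoded instant is returned in UTC, and a helper shifts it to any zone offset, since the slide's "18:43" is that same instant displayed at UTC−4.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the slide's "<date/time integer>.<server>.<domain>" shape;
# "mailhost.example.edu" is a placeholder, 3989F5A3 is the slide's own value
SAMPLE_ID = "<3989F5A3.mailhost.example.edu>"


def decode_unix_message_id(message_id):
    """Return the hex, decimal and UTC date/time for a UNIX-style Message-ID, or None
    if the ID does not start with a hex integer followed by a dot."""
    m = re.match(r"<?([0-9A-Fa-f]{8,16})\.", message_id.strip())
    if not m:
        return None
    seconds = int(m.group(1), 16)            # Unix time: seconds since the 1970 epoch
    return {"hex": m.group(1).upper(), "decimal": seconds,
            "utc": datetime.fromtimestamp(seconds, tz=timezone.utc)}


def local_time(decoded, utc_offset_hours):
    """Show the decoded instant as a clock in a given zone (e.g. -4 for EDT, -7 for PDT)."""
    return decoded["utc"].astimezone(timezone(timedelta(hours=utc_offset_hours)))


if __name__ == "__main__":
    d = decode_unix_message_id(SAMPLE_ID)
    print(d["hex"], d["decimal"], d["utc"].isoformat())
    print(local_time(d, -4).strftime("%b %d, %Y %H:%M"))
```

When comparing such a decoded time with the Received stamps, convert everything to one zone first; most apparent contradictions between header times are nothing more than two servers reporting in different zones.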
Let's look at the raw text of a rather interesting SPAM e-mail I received
It appears that – none other than Bill Gates himself – is giving me money!
All I have to do is send him my personal data
Example
I BILL GATES and my wife decided to donate the sum of
$5,000,000,00 USD to you as part of our charity project to
improve the 10 lucky individuals all over the world from
our $65 Billion Usd I and My Wife Mapped out to help
people. We prayed and searched over the internet for
assistance and i saw your profile on Microsoft email owners
list and picked you. Melinda my wife and i have decided to
make sure this is put on the internet for the world to see.
as you could see from the webpage above,am not getting any
younger and you can imagine having no much time to live.
although am a Billionaire investor and we have helped some
charity organizations from our Fund.
An Actual Mail – Snippet of Body
Delivered-To: [email protected]
Received: by 10.200.53.157 with SMTP id k29csp1646889qtb;
Tue, 31 May 2016 13:53:58 -0700 (PDT)
X-Received: by 10.98.95.197 with SMTP id t188mr111239pfb.162.1464728038931;
Tue, 31 May 2016 13:53:58 -0700 (PDT)
Return-Path: <[email protected]>
Received: from APC01-PU1-obe.outbound.protection.outlook.com (mail-
pu1apc01hn0208.outbound.protection.outlook.com. [104.47.126.208])
by mx.google.com with ESMTPS id ag11si13199508pac.34.2016.05.31.13.53.57
(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
Tue, 31 May 2016 13:53:58 -0700 (PDT)
Received-SPF: neutral (google.com: 104.47.126.208 is neither permitted nor denied by best guess
record for domain of [email protected]) client-ip=104.47.126.208;
Authentication-Results: mx.google.com;
spf=neutral (google.com: 104.47.126.208 is neither permitted nor denied by best guess
record for domain of [email protected]) [email protected]
Authentication-Results: gmail.com; dkim=none (message not signed)
header.d=none;gmail.com; dmarc=none action=none header.from=tthfghfhf.ma.tn;
Received: from [100.65.94.64] (116.203.77.121) by
ME1PR01MB0787.ausprd01.prod.outlook.com (10.169.165.11) with Microsoft SMTP
Server (TLS) id 15.1.506.9; Tue, 31 May 2016 20:53:47 +0000
Content-Type: text/plain; charset="iso-8859-1"
Phishing Header
E-Mail Attachments
But, wait, isn't email just text?
E-Mail is simply ASCII text – that’s it!
But, we often attach binary files such as images, MP3s (that we have legally), etc….
So, how do you send attachments?
Attachments
The MIME standard specifies a way of sending binary files as text using “Base64”
It is easy to recognize, and you can find attachments in unallocated or slack space
Attachments
Base64 is a clever way of re-encoding bytes into plain text
It is done in such a way that it does not conflict with the rest of the e-mail message
The “64” comes from the fact that the binary value of the bytes is displayed as a base-64 number
Base64
In binary (base 2)…
• we just need two different symbols
• so, we use 1 and 0
In hexadecimal (base 16)…
• each digit has 16 distinct values
• we use A…F to represent the values 10…15
• this gives a total of 16 symbols
All Your Base….
For Base-64, we need 64 symbols
Using 0…9, a…z, A…Z gives a total of 62 characters. Almost there!
The MIME specification uses + and / for the last 2 characters.
Representing Base-64 Numbers
Base64 Index Table
Note: 64 = 2^6
So, in each base-64 symbol we can store 6 bits
That's almost a full byte…
Base-64 uses a math trick:
• 3 × 8 = 24 and 4 × 6 = 24
• so, 3 bytes can be stored using 4 six-bit numbers
How it works
As a result…
• attachments are stored as a long series of 6-bit characters in groups of 4
• characters that are not needed for the last 4-character group are padded with =
How it works
ASCII        S         a         c
Byte         83        97        99
Bits         01010011  01100001  01100011
6-bit value  010100 110110 000101 100011  =  20  54  5  35
Base64       U      2      F      j
Base64 Encoding Example
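To show the 3-bytes-to-4-symbols packing and the = padding from the last two slides actually working, here is an added example in Python (not code from the slides). It encodes and decodes by hand with the MIME alphabet, checks itself against the standard library, and, for the earlier point about attachments turning up in unallocated or slack space, scans a constructed byte fragment for Base64-looking runs. The fragment wraps the slide's "Banks of Sacramento" Base64 in a few made-up filler bytes; the 40-symbol minimum run length is a threshold chosen for the example.

```python
import base64
import re

# The 64 symbols in MIME order: A-Z, a-z, 0-9, then + and / (the two extra characters)
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64encode_manual(data):
    """3 bytes (24 bits) -> 4 six-bit values -> 4 symbols; a short last group is padded with =."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # zero-fill the missing byte(s) so every group is 24 bits wide
        bits = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        sextets = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1           # 1 byte -> 2 symbols, 2 bytes -> 3, 3 bytes -> 4
        out.append("".join(ALPHABET[s] for s in sextets[:keep]) + "=" * (4 - keep))
    return "".join(out)


def b64decode_manual(text):
    """Inverse of the above; line breaks are ignored because MIME wraps bodies at 76 columns."""
    text = "".join(text.split())
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        bits = 0
        for ch in quad:
            bits = (bits << 6) | (0 if ch == "=" else ALPHABET.index(ch))
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def matches_stdlib(data):
    """Cross-check the hand-rolled encoder against Python's base64 module."""
    return b64encode_manual(data) == base64.b64encode(data).decode("ascii")


# A run of at least 40 alphabet characters, optionally padded, is a strong hint of a
# Base64 attachment sitting in unallocated or slack space. Shorter runs are skipped
# because ordinary words and hex strings also use these characters.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def find_base64_runs(blob):
    """Return the decoded bytes of every plausible Base64 run found in a raw byte blob."""
    found = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        if len(run) % 4 == 0:           # a genuine encoding is always a multiple of 4 symbols
            found.append(b64decode_manual(run.decode("ascii")))
    return found


# Constructed sample: the slide's "Banks of Sacramento" Base64, flattened, with a few
# bytes of made-up non-text filler on either side to stand in for a disk fragment
SONG_B64 = ("QW5kIGl0J3MgYmxvdywgd2luZHMsIGJsb3csIA0KZm9yIENhb"
            "Glmb3JuaW8hDQpGb3IgdGhlcmUncyBwbGVudHkgb2YgZ29sZC"
            "wgDQpTbyBJJ3ZlIGJlZW4gdG9sZCwgDQpPbiB0aGUgYmFua3M"
            "gb2YgdGhlIFNhY3JhbWVudG8hIA==")
FRAGMENT = b"\x00\x00\xff\xfe slack " + SONG_B64.encode("ascii") + b" \x00\x00\x7f"

if __name__ == "__main__":
    print(b64encode_manual(b"Sac"))        # the slide's worked example
    for hit in find_base64_runs(FRAGMENT):
        print(hit.decode("ascii"))
```

The decoded song carries CR LF line endings (the "DQo" groups in the Base64), which is why carving a Base64 run gives back the original bytes exactly, line breaks included; a carver that matched on shorter runs would also pick up hex hashes and long identifiers, so the threshold is a trade-off between misses and false hits.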
Sac State Logo.bmp (16×27 pixel) in Base-64
Qk2qAAAAAAAAAD4AAAAoAAAAEAAAABsAAAABAAEAAAAAAGwA
AADEDgAAxA4AAAAAAAAAAAAAAAAAAP///wD4PwAA/48AAPhH
AADhxwAAw8MAAMeFAACPhAAAnwQAAD4MAAD8GAAA+DgAAPBw
AADg4QAAwcEAAIODAACHBwAADg8AABwfAAA4PwAAMH8AADD/
AACh/wAAo/8AAOP/AADz/wAA+f8AAPx/AAA=
"Banks of Sacramento" in Base-64
And it's blow, winds, blow, for Californio!
For there's plenty of gold,
So I've been told, On the banks of the Sacramento!
QW5kIGl0J3MgYmxvdywgd2luZHMsIGJsb3csIA0KZm9yIENhb
Glmb3JuaW8hDQpGb3IgdGhlcmUncyBwbGVudHkgb2YgZ29sZC
wgDQpTbyBJJ3ZlIGJlZW4gdG9sZCwgDQpPbiB0aGUgYmFua3M
gb2YgdGhlIFNhY3JhbWVudG8hIA==