Email Tracing
COEN 152 / 252
Computer Forensics
Thomas Schwarz, S.J. 2006

Email Investigations: Overview

Email has become a primary means of communication.
Email can easily be forged.
Email can be abused:
  Spam
  Aid in committing a crime …
  Threatening email, …

Email Investigations: Overview

Email evidence:
  Is in the email itself:
    Header
    Contents
  In logs:
    Left behind as the email travels from sender to recipient.
    Law enforcement uses subpoenas to follow the trace.
    System admins have some logs under their control.

Notice: All fakemailing that you will be learning can be easily traced.

Email Fundamentals

Email travels from the originating computer to the receiving computer through email servers.
All email servers add to the header.
Use important internet services to interpret and verify data in a header.

Email Fundamentals

Typical path of an email message:
Client -> Mail Server -> Mail Server -> Mail Server -> Client

Internet Basics

IP Address – IPv4
IP Address – IPv6
IP Address Types
Hostnames & DNS
Email Routing
Resources

Internet Basics: IP Address – IPv4

Dominant standard for addressing
32 bit address space
  4 bytes -> 2^32 or 4.3B addresses
Typical representation is 4 octets
  Ranges from 0.0.0.0 to 255.255.255.255
  E.g. 209.191.122.70
    Integer representation is 3,518,986,822
Almost a 30-year-old standard
>90% of all IPv4 addresses allocated

Internet Basics: IP Address – IPv6

Next generation of Internet addressing
128 bit address space
  16 bytes -> 2^128 or 3.4×10^38
    340 trillion trillion trillion
    340,000,000,000,000,000,000,000,000,000,000,000,000
Represented as 8 hexadecimal numbers
  Ranges from 0:0:0:0:0:0:0:0 to FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
Examples (with shorthand notation)
  2001:db8:1f70::999:de8:7648:6e8
  FF3E:40:2001:dead:beef:cafe:1234:5678
10+ years of deployment, but still maturing

Internet Basics: IP Address Types

Public / Private
  Some addresses are public or externally visible
  Others are private or internal to an organization
  RFC 3330 defines these ranges and their purpose
  The most commonly seen “private” addresses:
    10.0.0.0 – 10.255.255.255
    172.16.0.0 – 172.31.255.255
    192.168.0.0 – 192.168.255.255
  Private addresses are unroutable externally
Proxies
  Anonymizers, Satellites, International and Regional

Internet Basics: IP Address Types (cont)

Static / Dynamic addresses
  Some IP addresses are statically assigned to a single computer
    Typically infrastructure and/or servers
  Some are shared by multiple computers using NAT or DHCP within a local organization
Many organizations use Network Address Translation (NAT)
  NAT boxes – single externally visible IP address
  Incoming packet examined and routed according to the source address and port number
  Forwarded to an internal, private IP address

Internet Basics: Hostnames & DNS

DNS is the Domain Name System
Translates between human friendly host/domain names (e.g. www.yahoo.com) and machine friendly IP addresses
Forward DNS Lookup
  “dig www.yahoo.com” or “nslookup www.yahoo.com”
    www.yahoo.com -> 209.191.122.70
Reverse DNS Lookup
  “dig -x 209.191.122.70” or “nslookup 209.191.122.70”
    209.191.122.70 -> www.yahoo.com

Internet Basics: Hostnames & DNS

DNS Overview
  Conceptually a cached hierarchy of host/domain name assignments and IP addresses
  Each node is a name server
  Requests originate local to the user and escalate “up” only as far as necessary, then “down” as soon as possible – tree traversal
  DNS Root servers are at the “top”

Internet Basics: Hostnames & DNS

DNS Overview (continued)
  Searches start with the “local host” file
  Missing or stale entries escalate up
  Local name server is the first stop, then usually the local ISP’s, up through to the Root Name Servers as necessary
  Once an authoritative, responsible name server is found, the search is downward focused until the specific machine name/address is found.

Internet Basics: Hostnames & DNS

DNS Overview (continued)
  Complete escalation is usually not required, as caching is extensively used
  The local “host file” can be altered
    Can be used to block pop-ups and bad websites
      E.g., Spybot uses this as a preventative technique
    Malware can use this “feature” as well
  Local name servers can/could be injected with malicious data
    See the “Hillary for Senate” case

Internet Basics: Resources

Internet Assigned Numbers Authority
  Responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources
  Managed resources include
    Port Numbers
    Autonomous System Numbers
    Top Level Domains (TLDs)
  www.iana.org

Internet Basics: Resources (cont)

Regional Internet Registries
  Five regions
    APNIC – Asia and the Pacific region
    ARIN – North America (the first registry, legacy entries)
    LACNIC – Latin America and Caribbean
    RIPE – Europe
    AfriNIC – Africa
  Regionally allocates IP addresses to orgs
  Each provides IP address “whois” services
    i.e. who is responsible for an IP address

Internet Basics: Resources (cont)

IP address top level allocations and registry assignments
  www.iana.org/assignments/ipv4-address-space
whois
  Regional Internet registries -> definitive source
  DNSStuff - http://www.dnsstuff.com -> alternative
  whois provides owner, location, contact info
Geolocation
  Maxmind - www.maxmind.com

Internet Basics: Resources (cont)

Hostname lookups
  dig, replacing nslookup
    “dig www.scu.edu”
    “dig -x 129.210.2.1” (reverse lookup)
  “traceroute” (tracert)
    Great for verifying general location and possible affiliations
  Web versions are available from around the world

Email Fundamentals: Important Services

Domain Name System (DNS) translates between domain names and IP addresses.
  MX records (http://en.wikipedia.org/wiki/MX_record) in the DNS database specify the host’s or domain’s mail exchanger
  Can have multiple MX records, with priority attached:
    MX  10   cse
    MX  100  mailhost.soe.uscs.edu
  Email to [email protected] will then be sent to [email protected]. If that site is down, then it will be sent to [email protected].
  The mailer at both sites also needs to be set up to accept the messages.

Email Protocols:

A mail server stores incoming mail and distributes it to the appropriate mail box.
Behavior afterwards depends on the type of protocol.
Accordingly, the investigation needs to be done at the server or at the workstation.

Email Protocols:

Email programs such as Outlook or Groupwise are client applications.
They need to interact with an email server:
  Post Office Protocol (POP)
  Internet Message Access Protocol (IMAP)
  Microsoft’s Mail API (MAPI)
Web-based email uses a web page as an interface with an email server.

Email Protocols:

Service                     Protocol               Characteristics
Post Office                 POP                    Stores only incoming messages. Investigation must be at the workstation.
                            IMAP                   Stores all messages.
                            MS’ MAPI, Lotus Notes  Copies of incoming and outgoing messages might be stored on the workstation or on the server or on both.
Web-based send and receive  HTTP                   Incoming and outgoing messages are stored on the server, but there might be archived or copied messages on the workstation. Easy to spoof identity.

Email Protocols: SMTP

Neither IMAP nor POP is involved in relaying messages between servers.
Simple Mail Transfer Protocol: SMTP
  Easy.
  Has several additions.
  Can be spoofed:
    By using an unsecured or undersecured email server.
    By setting up your own smtp server.

Email Protocols: SMTP
How to spoof email

telnet endor.engr.scu.edu 25
220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 14:58:49 -0800
helo 129.210.16.8
250 server8.engr.scu.edu Hello dhcp-19-198.engr.scu.edu [129.210.19.198], pleased to meet you
mail from: [email protected]
250 2.1.0 [email protected]... Sender ok
rcpt to: [email protected]
250 2.1.5 [email protected]... Recipient ok
data
354 Enter mail, end with "." on a line by itself
This is a spoofed message.
.
250 2.0.0 jBSMwnTd023057 Message accepted for delivery
quit
221 2.0.0 endor.engr.scu.edu closing connection

Email Protocols: SMTP

Return-path: <[email protected]>
Received: from MGW2.scu.edu [129.210.251.18]
  by gwcl-22.scu.edu; Wed, 28 Dec 2005 15:00:29 -0800
Received: from endor.engr.scu.edu (unverified [129.210.16.1]) by
  MGW2.scu.edu (Vircom SMTPRS 4.2.425.10) with ESMTP id <[email protected]>
  for <[email protected]>; Wed, 28 Dec 2005 15:00:29 -0800
X-Modus-BlackList: 129.210.16.1=OK;[email protected]=OK
X-Modus-Trusted: 129.210.16.1=NO
Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34])
  by endor.engr.scu.edu (8.13.5/8.13.5) with SMTP id jBSMwnTd023057
  for [email protected]; Wed, 28 Dec 2005 15:00:54 -0800
Date: Wed, 28 Dec 2005 14:58:49 -0800
From: JoAnne Holliday <[email protected]>
Message-Id: <[email protected]>

this is a spoofed message.

This looks very convincing.
Only hint: the Received line gives the name of my machine.
If I were to use a machine without a fixed IP, then you can determine the DHCP address from the DHCP logs.

Email Protocols: SMTP
How to spoof email

Endor will only relay messages from machines that have properly authenticated themselves within the last five minutes.
Subject lines etc. are part of the data segment.
  However, any misspelling will put them into the body of the message.

Email Protocols: SMTP
How to spoof email

telnet endor.engr.scu.edu 25
220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 15:36:13 -0800
mail from: [email protected]
250 2.1.0 [email protected]... Sender ok
rcpt to: [email protected]
250 2.1.5 [email protected]... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Date: 23 Dec 05 11:22:33
From: [email protected]
To: [email protected]
Subject: Congrats
You are hereby appointed the next president of Santa Clara University, effective immediately.
Best, Paul
.
250 2.0.0 jBSNaDlu023813 Message accepted for delivery
quit

Email Protocols: SMTP
How to spoof email

Unix
  Use sendmail
    % /usr/lib/sendmail -t -f [email protected] < test_message

Email Protocols: SMTP

Things are even easier with Windows XP.
  Turn on the SMTP service that each WinXP machine runs.
  Create a file that follows the SMTP protocol.
  Place the file in Inetpub/mailroot/Pickup

Email Protocols: SMTP

Pickup file as written:

To: [email protected]
From: [email protected]

This is a spoofed message.

Message as received at server4.engr.scu.edu:

From [email protected] Tue Dec 23 17:25:50 2003
Return-Path: <[email protected]>
Received: from Xavier (dhcp-19-226.engr.scu.edu [129.210.19.226])
  by server4.engr.scu.edu (8.12.10/8.12.10) with ESMTP id hBO1Plpv027244
  for <[email protected]>; Tue, 23 Dec 2003 17:25:50 -0800
Received: from mail pickup service by Xavier with Microsoft SMTPSVC;
  Tue, 23 Dec 2003 17:25:33 -0800
To: [email protected]
From: [email protected]
Message-ID: <XAVIERZRTHEQXHcJcKJ00000001@Xavier>
X-OriginalArrivalTime: 24 Dec 2003 01:25:33.0942 (UTC) FILETIME=[D3B56160:01C3C9BC]
Date: 23 Dec 2003 17:25:33 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-rc3 (1.202-2003-08-29-exp) on server4.engr.scu.edu
X-Spam-Level:
X-Spam-Status: No, hits=0.3 required=5.0 tests=NO_REAL_NAME autolearn=no version=2.60-rc3

This is a spoofed message.

Email Protocols: SMTP

SMTP Headers:
  Each mail server adds to the headers.
  Additions are made at the top of the list.
    Therefore, read the header from the bottom.
  To read headers, you usually have to enable them in your mail client.

SMTP Headers

To enable headers:
  Eudora: Use the Blah Blah Blah button
  Hotmail: Select message and go to options.
  Yahoo!: Options -> Show Headers
  MS Outlook: Options -> Preferences -> Message Headers.
  Juno: Mail Options -> General Preferences -> Show all headers.
  Groupwise: Message itself is “attached” to each email. You need to look at it.

SMTP Headers

Headers consist of header fields:
  Originator fields
    from, sender, reply-to
  Destination address fields
    To, cc, bcc
  Identification fields
    Message-ID field is optional, but extremely important for tracing emails through email server logs.
  Informational fields
    Subject, comments, keywords
  Resent fields
    Resent fields are strictly speaking optional, but luckily, most servers add them.
    Resent-date, resent-from, resent-sender, resent-to, resent-cc, resent-bcc, resent-msg-id

SMTP Headers

Trace Fields
  Core of email tracing.
  Regulated in RFC 2821.
  When an SMTP server receives a message for delivery or forwarding, it MUST insert trace information at the beginning of the header.

SMTP Headers

The FROM field, which must be supplied in an SMTP environment, should contain both (1) the name of the source host as presented in the EHLO command and (2) an address literal containing the IP address of the source, determined from the TCP connection.
The ID field may contain an "@" as suggested in RFC 822, but this is not required.
The FOR field MAY contain a list of <path> entries when multiple RCPT commands have been given.
A server making a final delivery inserts a return-path line.

SMTP Header

Spotting spoofed messages
  Contents usually give a hint.
  Each SMTP server application adds a different set of headers or structures them in a different way.
    A good investigator knows these formats.
    However, some companies can outsource email or use internal IP addresses.
  Use internet services in order to verify header data.
  Look for breaks / discrepancies in the “Received” lines.

SMTP Header

Investigation of spoofed messages
  Verify all IP addresses
    Keeping in mind that some addresses might be internal addresses.
  Make a time-line of events.
    Change times to universal standard time.
    Look for strange behavior.
    Keep clock drift in mind.
Additional Info: http://www.uic.edu/depts/accc/newsletter/adn29/headers.html

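As an added example (not part of the original slides), the checks listed on this slide and the "read the header from the bottom" rule applied to a header modelled on the spoofed-message trace shown earlier: the Received: lines are unfolded, ordered oldest-first, and each hop's claimed host, IP literal, receiving server and UTC time are examined for private addresses, unverified relays, breaks in the hand-off chain and timestamps that run backwards. The sample header and its mailbox names are constructed; the hostnames and IP literals are the ones on the slides.

```python
import re, ipaddress
from datetime import timezone
from email.utils import parsedate_to_datetime
# Constructed sample modelled on the slides' trace; mailbox names are placeholders.
RAW_HEADER = """\
Received: from MGW2.scu.edu [129.210.251.18] by gwcl-22.scu.edu; Wed, 28 Dec 2005 15:00:29 -0800
Received: from endor.engr.scu.edu (unverified [129.210.16.1]) by
 MGW2.scu.edu (Vircom SMTPRS 4.2.425.10) with ESMTP id <[email protected]>
 for <[email protected]>; Wed, 28 Dec 2005 15:00:29 -0800
Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34])
 by endor.engr.scu.edu (8.13.5/8.13.5) with SMTP id jBSMwnTd023057
 for [email protected]; Wed, 28 Dec 2005 15:00:54 -0800
"""

def unfold(raw):
    """Join folded continuation lines (leading whitespace) back onto their header field."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line)
    return fields

# claimed source host, IP literal from the TCP connection, and the receiving server
PARTS = {"from": r"\bfrom\s+(\S+)", "ip": r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", "by": r"\bby\s+(\S+)"}

def parse_received(field):
    """Split one Received: field into from-host, IP literal, by-host and UTC timestamp."""
    head, _, when = field.rpartition(";")
    hop = {k: (m.group(1) if (m := re.search(p, head)) else None) for k, p in PARTS.items()}
    hop["unverified"] = "unverified" in head.lower()
    hop["time"] = parsedate_to_datetime(when.strip()).astimezone(timezone.utc)
    return hop

def trace(raw):
    """Hops oldest-first (the header is read from the bottom) plus investigator findings."""
    hops = [parse_received(f) for f in unfold(raw) if f.startswith("Received:")]
    hops.reverse()
    findings = []
    for i, hop in enumerate(hops):
        prev = hops[i - 1] if i else None
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_private:
            findings.append(f"hop {i}: {hop['ip']} is a private (RFC 3330) address")
        if hop["unverified"]:
            findings.append(f"hop {i}: relay could not verify claimed host {hop['from']}")
        if prev and prev["by"] and (hop["from"] or "").lower() != prev["by"].lower():
            findings.append(f"hop {i}: chain break, {prev['by']} handed off but {hop['from']} claimed")
        if prev and hop["time"] < prev["time"]:
            findings.append(f"hop {i}: stamped {(prev['time'] - hop['time']).seconds}s before the previous hop (clock drift?)")
    return hops, findings
```

On the sample, the endor-to-MGW2 hop is both marked unverified and stamped 25 seconds earlier than the hop that preceded it, which is the clock drift the slide warns about, not evidence of a forged line.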
Server Logs

E-mail logs usually identify email messages by:
  Account received
  IP address from which they were sent
  Time and date (beware of clock drift)
  IP addresses

Server Logs

Sample log entry at endor:

Dec 31 18:26:15 endor sendmail[30597]: k012OV1i030597: [email protected], size=147, class=0, nrcpts=1, msgid=<[email protected]>, proto=SMTP, daemon=MTA, relay=c-24-12-227-211.hsd1.il.comcast.net [24.12.227.211]
Dec 31 18:26:15 endor spamd[28512]: spamd: connection from localhost [127.0.0.1] at port 42865
Dec 31 18:26:15 endor spamd[28512]: spamd: setuid to tschwarz succeeded
Dec 31 18:26:15 endor spamd[28512]: spamd: processing message <[email protected]> for tschwarz:1875
Dec 31 18:26:15 endor spamd[28512]: spamd: clean message (4.6/5.0) for tschwarz:1875 in 0.2 seconds, 525 bytes.
Dec 31 18:26:15 endor spamd[28512]: spamd: result: . 4 MSGID_FROM_MTA_ID,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL scantime=0.2,size=525,user=tschwarz,uid=1875,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=42865,mid=<[email protected]>,autolearn=no
Dec 31 18:26:15 endor spamd[21352]: prefork: child states: II
Dec 31 18:26:15 endor sendmail[30726]: k012OV1i030597: [email protected], delay=00:01:02, xdelay=00:00:00, mailer=local, pri=30464, dsn=2.0.0, stat=Sent

Server Logs

Many servers keep copies of emails.
Most servers purge logs.
Law-enforcement:
  Vast majority of companies are very cooperative.
  Don’t wait for the subpoena; instead give the system administrator a heads-up of a coming subpoena.
Company:
  Local sys-ad needs early warning.
  Getting logs at other places can be dicey.

Unix Sendmail

Configuration files /etc/sendmail.cf and /etc/syslog.conf
  Give the location of various logs and their rules.
maillog (often at /var/log/maillog)
  Logs SMTP communications
  Logs POP3 events
You can always use: locate *.log to find log files.

Techniques

Investigating email for forgery
Evidentiary material is
  Directly in header
  Indirectly in formatting headers
  Timestamps
Header Trace Resource
  http://www.ip-adress.com/trace_email/

Techniques

Header Investigation
  Lookup all host names and IP addresses
  Check for inconsistencies
  Be aware of
    internal IP addresses
    web hosting company
Generate Timeline
  Be aware of
    clock drift,
    delays,
    time zone differences