
Basic e-mail forensics John R. Levine & Neil Schwartzman - PowerPoint PPT Presentation



1. Coalition Against Unsolicited Commercial Email. Basic e-mail forensics. John R. Levine & Neil Schwartzman. Underground Economy #13, September 2013

2. Where is everything?
   - These slides: http://www.taugh.com/ue13/
   - Resources: http://www.cauce.org/ue2013.html

3. Our goals for today
   - Understand the parts of a mail message
     - Headers (delivery)
     - Body (payload)
   - Tell truth from fiction
   - Identify responsible parties (follow the $)
   - Look for patterns in spam campaigns

4. Coalition Against Unsolicited Commercial Email. Basic e-mail forensics, Part I: The Basics. Neil Schwartzman, Executive Director, CAUCE

5. What is an IP Address?

6. What is an IP Address?
   - 213.248.117.66  www.interpol.int

7. What is an IP Address?
   - 213.248.117.66  www.interpol.int
   - 64.57.183.103  cauce.org

8. What is an IP Address?
   - 213.248.117.66  www.interpol.int
   - 64.57.183.103  cauce.org
   - Hotmail.nl: 157.55.43.17, 157.55.43.18, 157.55.43.19, 157.55.43.16

9. What is an IP Address? Private numbers:
   - 192.168.xxx.yyy
   - 10.1.xxx.yyy
   - 172.16.xxx.yyy to 172.31.xxx.yyy
   - 127.zzz.xxx.yyy
   - 169.254.xxx.yyy

10. What is an IP Address? Oh no! They ran out of traditional IP version four (IPv4) addresses!

11. What is an IP Address? IPv6
   - New (since 2000)
   - Many of the tools we are using today don't yet work with it
   - It will run in parallel with v4 for a while
   - Here's what an IPv6 address looks like

12. What is an IPv6 Address? Here's what an IPv6 address looks like: www.google.com 2a00:1450:4009:808::1011

13. What is a Domain?

14. Domains
   - CNN.com
   - hotmail.nl
   - J.ANSIETA@ interpol.int
   - Neil@ cauce.org
   - John.levine@ cauce.org

15. What is the Domain Name Service (DNS)?

16. Browser: "CNN.com, please"

17. Browser: "CNN, please". ISP DNS: "I know CNN.com! It is at 157.166.249.11"

18. (Same exchange as slide 17.)

19. Browser: "CNN, please"

20. Browser: "CNN, please". ISP DNS: "I don't know CNN.com ... Let me ask around!"

21. Browser: "CNN, please". ISP DNS: "I don't know CNN.com ... Let me ask around!" -> .COM authoritative name-server (NS) -> CNN nameservers (ns1.p42.dynect.net, ns1.timewarner.net): "www.cnn.com is at 157.166.249.11". ISP DNS: "CNN's NS tells us it is at 157.166.249.11"

22. Browser: "CNN, please". ISP DNS: "I now know CNN.com, and I'll remember it for later"

23. Coalition Against Unsolicited Commercial Email. Lab Time!
   - dig
   - WHOIS
   - nslookup

24. Lab #1: dig
   dig 157.166.249.11

25. Lab #1: WHOIS
   whois CNN.com
   whois CAUCE.ORG
   whois YourOrg.tld
   whois 64.57.183.103

26. Lab #1: nslookup
   nslookup CNN.com
   nslookup CAUCE.ORG
   nslookup YourOrg.tld

27. Coalition Against Unsolicited Commercial Email. Basic e-mail forensics, Part II: Message Delivery. John R. Levine, President, CAUCE

28. Part I Topics
   - The route that mail takes
   - Names and addresses
   - Parts of a mail message
   - Tracing a message's path
   - Telling fact from fiction
   - What's in a message: MIME and attachments

29. SMTP mail (diagram): User PC -> (Submit) -> Sending MTA -> (SMTP) -> Recipient MTA -> (POP / IMAP) -> User PC

30. SMTP mail (diagram): Sending MTA -> (MX lookup) -> DNS -> (MX result) -> Sending MTA -> (SMTP) -> Recipient MTA

31. SMTP Session
   Connect from 64.57.183.34
   220 mail1.iecc.com ESMTP
   HELO leila.iecc.com
   250 mail1.iecc.com
   MAIL FROM:<johnl@iecc.com>
   250 2.1.0 Sender ok.
   RCPT TO:<comments@cauce.org>
   250 2.1.5 Recipient ok.
   DATA
   354 Send your message.
   Blah blah
   .
   250 2.6.0 Accepted.
   QUIT
   221 2.0.0 Good bye.

32. SMTP Session (same session as slide 31)

33. Parts of a mail message
   - Header
     - Manual parts
     - Automatic parts
   - Body
   Example:
   Date: Mon, 4 Apr 2011 09:20:34 -0400
   From: Andre.Leduc@ic.gc.ca
   To: johnl@taugh.com
   Subject: proposal for "Basics of E-Mail Forensics"

   Hi John,
   Our session starts at ...

34. Manual vs. Automatic Header
   - Manual headers
     - Created by sender
     - To:, From:, Subject:, Date:, ...
     - All easily faked
   - Automatic headers
     - Added by mail system
     - Real ones are reliable
     - Spammers add fake ones

35. Regular vs. Trace Headers
   - Regular headers
     - Created when message is first sent
     - Or maybe when delivered
   - Trace headers
     - Added at the top when message passes through a mail system
     - Analogous to a postmark
     - All automatic

36. SMTP and Automatic Headers
   - Headers created from SMTP session info
   - Tells you how they got there
   - Each hop adds headers at the top of the message
     - Creates a chain of custody
     - Well, if you're lucky

37. SMTP Session (same session as slide 31)

38. HELO and EHLO
   - Sending host identifies itself
     - In theory, at least
     - Useful to check name if no rDNS
   Examples:
   EHLO scmze001.ssan.egs-seg.gc.ca
   HELO yahoo.com
   HELO oemcomputer

39. Header types
   - Familiar visible ones
     - From: Sender:
     - To: Cc: Bcc: Reply-To:
     - Subject: Date:
     - Resent-From: Resent-To: ...
   - Less familiar:
     - Message-ID: From_
     - Return-Path: Delivered-To:
     - Mime-Version: Content-Type: Content-Transfer-Encoding:
     - Received:

40. Received headers
   - Usually added each trip through a mail server
   - Often records SMTP sessions
   - Spammers often add fake ones
   Received: from scmze001.ssan.egs-seg.gc.ca (scmze001.ssan.egs-seg.gc.ca [205.194.19.85])
     by mail1.iecc.com ([64.57.183.56]) with ESMTP via TCP id 169741201;
     04 Apr 2011 13:21:23 -0000

41. Typical received headers
   - From host / IP (the HELO name and the connecting IP)
   - For user
   - By host
   - With: SMTP/ESMTP
   - Id: internal stuff
   - Date
   Received: from mail06.o2online.de ([82.113.101.34]) by mail.davjam.org with ESMTP id m9CEoHsu019439
     for <blacklist-me@davjam.org>; Sun, 12 Oct 2010 15:50:25 +0100
   Received: from User ([193.120.116.182]) by mail06.o2online.de (8.12.11.20060308/8.12.11)
     with ESMTP id m9CElgXf009277; Sun, 12 Oct 2010 16:47:47 +0200

42. Following the header chain
   - Look for matching hosts and IP addresses
     - But remember that bad guys can do that too
   Received: from avas-mr01.fibertel.com.ar (avas-mr01.fibertel.com.ar [24.232.0.214])
     by tarpit2.thrush.com (8.14.1/8.14.1) with ESMTP id l9448OYJ014492
     for <spamvictim@target.site>; Thu, 4 Oct 2007 00:08:26 -0400 (EDT)
   Received: from pc97.telecentro.com.ar ([200.115.245.97]:3577 "EHLO andres"
     smtp-auth: "manuelcastillo@fibertel.com.ar" rhost-flags-OK-FAIL-OK-FAIL)
     by avas-mr01.fibertel.com.ar with ESMTPA id S866473AbXJDDPY
     convert rfc822-to-8bit; Thu, 4 Oct 2007 00:15:24 -0300

43. A more complex chain
   Received: from QMTA10.emeryville.ca.mail.comcast.net (qmta10.emeryville.ca.mail.comcast.net [76.96.30.17])
     by mail2.panix.com (Postfix) with ESMTP id 4824334814
     for <sethb@panix.com>; Sun, 12 Oct 2008 10:21:01 -0400 (EDT)
   Received: from OMTA01.emeryville.ca.mail.comcast.net ([76.96.30.11])
     by QMTA10.emeryville.ca.mail.comcast.net with comcast id RqKP1a00E0EPchoAAqM0i7;
     Sun, 12 Oct 2008 14:21:00 +0000
   Received: from smailcenter45.comcast.net ([204.127.205.145])
     by OMTA01.emeryville.ca.mail.comcast.net with comcast id RqLa1a00638kpyc8MqLaBp;
     Sun, 12 Oct 2008 14:21:00 +0000
   X-Authority-Analysis: v=1.0 c=1 a=eb9NMfVVeg676gYa4jgA:9 a=iUq6S4YwdhfTmiOFdj4A:7
     a=Lu_SeRBmK5rpI5pj6iEf5i01hLwA:4 a=EfJqPEOeqlMA:10 a=zxxVM3CWV3sA:10
   Received: from [41.220.75.3] by smailcenter45.comcast.net; Sun, 12 Oct 2008 14:20:33 +0000
   From: 2muchego@comcast.net (ROBERT INVESTMENT)
   Subject: Risk Free Loan==Apply Now

44. But sometimes ...
   Return-Path: <decal1calamitous@gmail.com>
   Received: (qmail 13007 invoked from network); 15 Oct 2008 23:50:09 -0000
   Received: from confoco.com (confoco.com [157.100.193.238])
     by mail1.iecc.com ([208.31.42.56]) with ESMTP via TCP id 66347408;
     15 Oct 2008 23:50:06 -0000
   Received: from DM (unknown [125.116.102.46])
     by confoco.com (Postfix) with SMTP id 764B3DA14F9;
     Wed, 15 Oct 2008 18:43:29 -0500 (ECT)
   Received: from prance-podge.gmail.com (HELO Delldim5150) ([157.100.193.238])
     by colorimeter-noaa.gmail.com with ESMTP; Fri, 17 Oct 2008 06:44:02 +0300
   Date: Fri, 17 Oct 2008 04:46:02 +0100
   From: "Miranda T Pat" <decal1calamitous@gmail.com>
   To: webmaster@about-the-web.com
   Subject: D e ntists List for the United States

45. To and From addresses
   - Visible headers are just comments
     - From: Sender: Reply-To:
     - To: Cc: Bcc:
   - Less visible headers show SMTP addresses
     - From_
     - Return-Path: Delivered-To:
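The chain-of-custody check that slides 40 through 45 describe, written out as an added Python example (this is not code from the deck or from CAUCE). It walks the Received: headers of a constructed message modelled on the layout of slide 44, matches each hop's "from" name against the "by" name of the hop beneath it, flags connecting addresses that fall in the private ranges listed on slide 9, and compares the Return-Path: envelope sender with the visible From: address (slide 45). Every host name, address, queue id and date in the sample is a placeholder, not data from the deck.

```python
import email
import email.utils
import ipaddress
import re

# Constructed sample message modelled on the header layouts of slides 42-44.
# Every host name, address, queue id and date below is a placeholder, not the
# deck's own data. Received: headers are newest-first, as delivered.
SAMPLE_MESSAGE = """\
Return-Path: <bulk-sender@example.net>
Received: (qmail 13007 invoked from network); 12 Oct 2008 14:21:03 -0000
Received: from relay.example.org (relay.example.org [203.0.113.10])
    by mx.example.com (Postfix) with ESMTP id PLACEHOLDER1
    for <victim@example.com>; Sun, 12 Oct 2008 10:21:01 -0400 (EDT)
Received: from DM (unknown [198.51.100.46])
    by relay.example.org (Postfix) with SMTP id PLACEHOLDER2;
    Sun, 12 Oct 2008 09:20:29 -0500
Received: from prance.example.net (HELO Delldim5150) ([203.0.113.10])
    by colorimeter.example.net with ESMTP; Tue, 14 Oct 2008 06:44:02 +0300
Received: from oemcomputer ([192.168.1.5]) by colorimeter.example.net
    with SMTP; Tue, 14 Oct 2008 06:40:00 +0300
From: "Friendly Name" <someone@example.org>
To: victim@example.com
Subject: Risk free loan

Hi,
"""

# One hop as a receiving server writes it: "from <claimed name> (... [ip]) by <me> ..."
HOP_RE = re.compile(r"^from\s+(?P<from>\S+)(?P<extra>.*?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# The ranges slide 9 lists as private or otherwise not routable on the public
# Internet. A Received: line naming one of these as the connecting host cannot
# have been written by a server that was talking to a remote sender.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "127.0.0.0/8",                                    # loopback
    "169.254.0.0/16",                                 # link-local
)]


def is_non_routable(ip_text):
    """True when the IPv4 address falls in one of the NON_ROUTABLE ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in NON_ROUTABLE)


def parse_received(value):
    """Split one Received: header into the hop it records.

    Returns a dict with the sender name the receiving server wrote after
    'from' (rDNS or HELO name), the connecting IP it recorded in brackets
    (None if absent) and the receiving host after 'by'. Returns None for
    headers with no from/by pair, such as qmail's '(qmail ... invoked from
    network)' form seen on slide 44.
    """
    flat = " ".join(value.split())  # unfold continuation lines
    m = HOP_RE.match(flat)
    if not m:
        return None
    ip = IPV4_RE.search(m.group("from") + m.group("extra"))
    return {"from": m.group("from").lower(),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by").lower()}


def analyse_chain(raw_message):
    """Walk the Received: headers newest-first and find where custody breaks.

    Each hop's 'from' name should match the 'by' name of the hop beneath it
    (slide 42). The first mismatch marks the point below which every header
    could have been supplied by the sender rather than by a relay.
    """
    msg = email.message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    break_at = None
    for i in range(len(hops) - 1):
        if hops[i]["from"] != hops[i + 1]["by"]:
            break_at = i + 1
            break
    non_routable = [h["ip"] for h in hops if h["ip"] and is_non_routable(h["ip"])]
    return {"hops": hops, "break_at": break_at, "non_routable": non_routable}


def envelope_vs_visible(raw_message):
    """Compare the SMTP envelope sender (Return-Path:) with the visible From:
    (slide 45); returns both addresses and whether their domains agree."""
    msg = email.message_from_string(raw_message)
    envelope = email.utils.parseaddr(msg.get("Return-Path", ""))[1]
    visible = email.utils.parseaddr(msg.get("From", ""))[1]
    same_domain = envelope.rpartition("@")[2].lower() == visible.rpartition("@")[2].lower()
    return envelope, visible, same_domain


if __name__ == "__main__":
    result = analyse_chain(SAMPLE_MESSAGE)
    for i, hop in enumerate(result["hops"]):
        tag = "trusted" if result["break_at"] is None or i < result["break_at"] else "UNVERIFIED"
        print(f"hop {i}: from {hop['from']} [{hop['ip']}] by {hop['by']}  ({tag})")
    print("non-routable connecting addresses:", result["non_routable"])
    print("envelope vs visible sender:", envelope_vs_visible(SAMPLE_MESSAGE))
```

In the sample the relay's own record says the connection came from "DM", yet the header beneath it claims a hop "by colorimeter.example.net", so that header and everything under it were written by whoever sent the message, exactly the pattern of slide 44. A matching name is necessary but not sufficient, which is slide 42's warning: the part a sender cannot rewrite is the rDNS and connecting IP recorded by a server you trust, so treat the chain above the break as the evidence and the rest as claims.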
