CSE 469: Computer and Network Forensics. Topic 6: Email Forensics (lecture slides)


1. CSE 469: Computer and Network Forensics. Topic 6: Email Forensics. Dr. Mike Mabey | Spring 2019

2. Email System Components
● User agents / webmail: composing, editing, and reading mail messages.
● Mail servers: send and receive email on the user's behalf.
● Protocols:
  ● SMTP: Simple Mail Transfer Protocol.
  ● POP3: Post Office Protocol.
  ● IMAP4: Internet Message Access Protocol.

3. Application Layer Protocols
● SMTP: Simple Mail Transfer Protocol, port 25 (server-to-server relay; clients normally submit mail on port 587, or 465 with implicit TLS).
● POP3: Post Office Protocol, port 110 (995 with implicit TLS).
● IMAP4: Internet Message Access Protocol, port 143 (993 with implicit TLS).

4. User Agents / Email Client
● Standalone application:
  ● Uses POP3 or IMAP4 to receive/download emails from a mail server.
  ● Uses SMTP to transmit outgoing emails to a mail server.

5. Configuring Email Clients (1)

6. Configuring Email Clients (2)

7. Email Client and Server Roles
● Email is used in two environments:
  ● Open (Internet).
  ● Controlled (LAN, WAN).
● Both use a client-server architecture: a central server distributes email to many distributed clients.

8. Email Client and Server Roles
● Client email software:
  ● May be installed separately from the OS, with its own directories and data files.
  ● May use existing elements, such as browsers (webmail).
● Servers typically run specialized software.

9. Email Client and Server Roles

10. User Agents / Email Client

11. Webmail: visited using a browser

12. Webmail

13. Format of Email

14. Transmission of Email (SMTP)

15. Corporate vs Public Email
● Tracing corporate emails is easier:
  ● Standard names.
  ● Assigned by the local administrator.
● Contrast with public email:
  ● Non-standard names.
  ● Usually not informative.

16. Identifying Email Crimes/Violations
● Whether something is a "crime" may depend on jurisdiction:
  ● Spam: illegal in Washington state. Elsewhere?
● Email crime is becoming commonplace:
  ● Narcotics trafficking
  ● Sexual harassment
  ● Child pornography
  ● Fraud
  ● Terrorism

17. Examining Email Messages
● Access the victim's computer and retrieve evidence.
● Use the victim's email client:
  ● Find and copy evidence in the email.
  ● Access protected or encrypted material.
● Carve emails, including the header. Why?

18. Examining Email Messages

19. Viewing Email Headers
● Learn how to find email headers in:
  ● GUI clients.
  ● Command-line clients.
  ● Web-based clients.
● Headers contain useful information.

20. Viewing Email Headers

21. Viewing Email Headers

22. Email Headers
● From: who the message claims to be from. It is written by the sender's own software, so it is the easiest field to forge and the least reliable.
● Reply-To: the address to which replies should be sent. Often absent, and just as easy to forge.
● Return-Path: the address bounces go to. It is added by the receiving MTA from the SMTP envelope sender (MAIL FROM), so it is not the same thing as Reply-To and often differs from From:; a domain mismatch between Return-Path and From: is a common spoofing indicator.
● Message-ID: a unique string assigned by the mail system when the message is first created, in the form <uniquestring>@<sitename>. The sitename should be consistent with the system that actually sent the message.
● Received: one line per MTA the message passed through, each MTA prepending its own line, so the list reads from bottom (first hop) to top (last hop). Only the lines added by servers you control are trustworthy: a sender can put fabricated Received lines below them.

23. Examining Email Headers
● Gather supporting evidence and track the suspect:
  ● Return path.
  ● Recipient's email address.
  ● Type of sending email service.
  ● IP address of the sending server.
  ● Name of the email server.
  ● Unique message number.
  ● Date and time the email was sent.
  ● Attachment file information.

24. Email Header
● Received: from <string> (<hostname> [<host IP address>]) by <recipient host> with <protocol> id <message ID> for <recipient>; <timestamp>
  ● <string> is the name the sending host announced in HELO/EHLO, which it chooses itself. The hostname and IP address in parentheses are what the receiving MTA observed on the connection (reverse DNS and the peer address), so they are the values to rely on; everything after "by" is recorded by the receiving MTA.
● Example:
  Received: from cidse.asu.edu (cidse.asu.edu [201.12.16.3]) by gateway.asu.edu (8.11.6/8.11.6) with ESMTP id j21IBV720506 for <ABC@asu.edu>; Mon, 20 Feb 2019 10:11:31 -0700
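An added example, not from the slides: it applies the Received: grammar above to a constructed raw message, splits each hop into the fields named on slide 24, orders the chain in delivery order, computes the delay between hops (flagging a hop stamped earlier than its predecessor) and an unresolved sending IP, and compares the From: domain with Return-Path:, Reply-To: and Message-ID: as slide 22 suggests. All hosts, addresses and IP addresses are invented documentation values, and the regular expression is this example's own reading of the slide's grammar, not a library parser.

```python
"""Added example (not from the CSE 469 slides): parse a constructed raw
message, split each Received: line into the fields named on slide 24, order
the hops chronologically, and check the header fields from slide 22 for the
usual forgery signs."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message. Hosts, addresses and IPs are documentation
# values; the middle hop is stamped two seconds BEFORE the hop that preceded
# it, to show how clock skew (or a fabricated line) surfaces.
RAW_MESSAGE = b"""Return-Path: <bounce@mailer.example.net>
Delivered-To: victim@corp.example
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
 by mail.corp.example (Postfix) with ESMTP id 4F2A1C0D
 for <victim@corp.example>; Mon, 18 Feb 2019 10:11:35 -0700
Received: from relay.mailer.example.net (relay.mailer.example.net [198.51.100.7])
 by mx.corp.example (8.15.2/8.15.2) with ESMTPS id x1IHBUaa012345
 for <victim@corp.example>; Mon, 18 Feb 2019 10:11:27 -0700
Received: from bank.example ([203.0.113.42])
 by relay.mailer.example.net with SMTP; Mon, 18 Feb 2019 10:11:29 -0700
From: "Bank Support" <support@bank.example>
Reply-To: refunds@mailer.example.net
To: victim@corp.example
Subject: Account verification
Message-ID: <20190218171129.1234.qmail@relay.mailer.example.net>
Date: Mon, 18 Feb 2019 10:11:29 -0700

Please verify your account.
"""

# Slide 24 grammar: from <helo> (<observed>) by <host> with <proto> id <id>
# for <rcpt>; <timestamp>. <helo> is what the sender announced; <observed>
# is what the receiving MTA saw on the wire; the rest is the receiver's own.
RECEIVED_RE = re.compile(
    r"from (?P<helo>\S+)(?: \((?P<observed>[^)]*)\))?"
    r".*? by (?P<by>\S+)"
    r"(?:.*? with (?P<with>[^\s;]+))?"
    r"(?:.*? id (?P<id>[^\s;]+))?"
    r"(?:.*? for <?(?P<for>[^>;\s]+)>?)?"
    r".*?; (?P<date>.+)$"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain(value):
    """Domain part of an address or Message-ID, lower-cased ('' if none)."""
    addr = parseaddr(value)[1]
    return addr.rsplit("@", 1)[-1].strip("<>").lower() if "@" in addr else ""


def parse_received(value):
    """One Received: value -> dict of fields, or None if it is not parseable."""
    value = re.sub(r"\s+", " ", value).strip()
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    hop = m.groupdict()
    ip = IP_RE.search(value.split(" by ", 1)[0])   # sender side of the line only
    hop["ip"] = ip.group(1) if ip else None
    try:
        hop["time"] = parsedate_to_datetime(hop["date"])
    except (TypeError, ValueError):
        hop["time"] = None
    return hop


def analyze(raw):
    """Hops in delivery order plus the inconsistencies worth following up."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = [h for h in map(parse_received, map(str, msg.get_all("Received", []))) if h]
    hops.reverse()            # each MTA prepends its line, so the last line is the first hop
    findings = []
    for i, hop in enumerate(hops):
        hop["delay_s"] = None
        if i and hop["time"] and hops[i - 1]["time"]:
            hop["delay_s"] = (hop["time"] - hops[i - 1]["time"]).total_seconds()
            if hop["delay_s"] < 0:
                findings.append(f"hop {i + 1} ({hop['by']}) stamped {-hop['delay_s']:.0f}s "
                                "before the previous hop: clock skew or forged line")
        observed = hop["observed"] or ""
        if observed.startswith("[") or observed.lower().startswith("unknown"):
            findings.append(f"hop {i + 1}: no reverse DNS for {hop['ip']}; "
                            f"HELO name '{hop['helo']}' is self-reported")
    from_domain = domain(str(msg["From"]))
    for name in ("Return-Path", "Reply-To", "Message-ID"):
        value = str(msg.get(name, ""))
        if value and domain(value) != from_domain:
            findings.append(f"{name} domain '{domain(value)}' differs from From: domain '{from_domain}'")
    return {"from": parseaddr(str(msg["From"]))[1], "hops": hops, "findings": findings}


if __name__ == "__main__":
    report = analyze(RAW_MESSAGE)
    for n, hop in enumerate(report["hops"], 1):
        print(f"hop {n}: {hop['helo']} [{hop['ip']}] -> {hop['by']} via {hop['with']} "
              f"at {hop['date']} (delay {hop['delay_s']})")
    for finding in report["findings"]:
        print("!", finding)
```

On the sample the first hop is the only one a hostile sender controls, and it is also the one whose IP the receiving relay could not resolve; the two later hops were written by relays in the delivery path, which is why their queue IDs (x1IHBUaa012345, 4F2A1C0D) are the values to look up in those servers' logs.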

25. Examining Additional Email Files
● Email messages are saved on the client side or left on the server:
  ● Microsoft Outlook .pst and .ost files.
  ● .pst: sent, received, deleted, and draft items.
  ● .ost: offline cache of a server (Exchange) mailbox.
● The personal address book also has valuable information.

26. Tracing an Email Message
● Preliminary steps:
  ● Examine each field in the email header, especially the recorded IP address of the sender.
  ● Content analysis of the suspicious email(s):
    ● Determine whether a crime or policy violation has been committed.
    ● Investigate attachments.
● Verification and validation:
  ● Email route: may include clues about the sender's origin, location, and methods.
  ● Analyze the domain name's point of contact.
  ● Aggregate the suspect's contact information.
  ● Correlate the acquired attributes against network logs.

27. Using Network Email Logs

28. Understanding Email Servers
● Log information:
  ● Email content.
  ● Sending IP address.
  ● Receiving and reading date and time.
  ● System-specific information.
● Servers can recover deleted emails: similar to deletion of files on a hard drive.

29. Examining UNIX Email Server Logs
● /etc/sendmail.cf: configuration information for Sendmail.
● /etc/syslog.conf: specifies how and which events Sendmail logs.
● /var/log/maillog: SMTP and POP3 communications, with IP address and time stamp.
● On current systems the logger is usually rsyslog or journald (/etc/rsyslog.conf, journalctl), the MTA is often Postfix or Exim rather than Sendmail, and Debian-based distributions write to /var/log/mail.log; confirm which applies before looking for the files above.
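An added example, not from the slides, of the "correlate against network logs" step on slide 26 applied to /var/log/maillog: it parses constructed sendmail-style log lines, stitches the from= and to= records of each queue ID into one message record, and looks messages up by the relay IP or Message-ID recovered from a header. The log lines, hosts, IPs, queue IDs and Message-IDs are invented for the example, and the year has to be supplied because syslog timestamps do not carry one.

```python
"""Added example, not from the CSE 469 slides: parse constructed
/var/log/maillog (sendmail/syslog layout) lines, group them by queue ID,
and look a message up by relay IP or Message-ID taken from a header."""
import re
from datetime import datetime

# Constructed log lines (hosts, IPs, queue IDs and Message-IDs are invented).
MAILLOG = """\
Feb 18 10:11:27 mx sendmail[12345]: x1IHBUaa012345: from=<bounce@mailer.example.net>, size=1024, class=0, nrcpts=1, msgid=<20190218171129.1234.qmail@relay.mailer.example.net>, proto=ESMTPS, daemon=MTA, relay=relay.mailer.example.net [198.51.100.7]
Feb 18 10:11:28 mx sendmail[12346]: x1IHBUaa012345: to=<victim@corp.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31024, relay=mail.corp.example. [192.0.2.20], dsn=2.0.0, stat=Sent (250 2.0.0 Ok: queued as 4F2A1C0D)
Feb 18 10:12:02 mx sendmail[12350]: x1IHC1bb012350: from=<alice@partner.example>, size=2048, class=0, nrcpts=2, msgid=<abc@partner.example>, proto=ESMTP, daemon=MTA, relay=smtp.partner.example [203.0.113.9]
Feb 18 10:12:03 mx sendmail[12351]: x1IHC1bb012350: to=<bob@corp.example>,<carol@corp.example>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=62048, dsn=2.0.0, stat=Sent
Feb 18 10:15:40 mx sendmail[12377]: x1IHFdcc012377: ruleset=check_relay, arg1=unknown, arg2=203.0.113.42, relay=[203.0.113.42], reject=550 5.7.1 Relaying denied
"""

# syslog prefix, then "<queue id>: key=value, key=value, ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<qid>\w+): (?P<rest>.*)$"
)
RELAY_RE = re.compile(r"^(?P<name>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\]")


def parse_line(line, year):
    """One syslog line -> (timestamp, queue id, {key: value}) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    fields = dict(kv.split("=", 1) for kv in m["rest"].split(", ") if "=" in kv)
    return ts, m["qid"], fields


def split_relay(value):
    """'host [ip]' or '[ip]' -> (host or None, ip or None)."""
    m = RELAY_RE.match(value or "")
    if not m:
        return (value or None), None
    return (m["name"] or None), m["ip"]


def correlate(log_text, year):
    """Group lines by queue ID so the from= and to= records of one message line up."""
    records = {}
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, qid, f = parsed
        rec = records.setdefault(qid, {"first_seen": ts, "last_seen": ts, "recipients": []})
        rec["first_seen"], rec["last_seen"] = min(rec["first_seen"], ts), max(rec["last_seen"], ts)
        if "from" in f:                     # envelope sender: who connected, from where
            rec["from"] = f["from"].strip("<>")
            rec["msgid"] = f.get("msgid", "").strip("<>")
            rec["proto"] = f.get("proto")
            rec["relay_host"], rec["relay_ip"] = split_relay(f.get("relay"))
        if "to" in f:                       # delivery attempt: where it went and how it ended
            rec["recipients"] += [r.strip("<>") for r in f["to"].split(",")]
            rec["stat"] = f.get("stat")
        if "reject" in f:                   # refused at SMTP time: still a record of the source
            rec["reject"] = f["reject"]
            rec["relay_host"], rec["relay_ip"] = split_relay(f.get("relay"))
    return records


def lookups(records, ip=None, msgid=None):
    """Queue IDs whose relay IP or Message-ID matches a value taken from a header."""
    return sorted(q for q, r in records.items()
                  if (ip and r.get("relay_ip") == ip) or (msgid and r.get("msgid") == msgid))


if __name__ == "__main__":
    recs = correlate(MAILLOG, 2019)
    for qid, rec in recs.items():
        print(qid, rec.get("from"), rec.get("relay_ip"), rec["recipients"],
              rec.get("stat") or rec.get("reject"))
    print("from 203.0.113.42:", lookups(recs, ip="203.0.113.42"))
```

The queue ID in a Received: line ("id x1IHBUaa012345") is the join key into this log, and the relay= field is the server's own record of the connecting IP, which is what validates (or contradicts) the IP carried in the header.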

30. Using Specialized Email Forensics Tools
● FINALeMAIL:
  ● Scans email database files.
  ● Recovers deleted emails.
  ● Searches the computer for lost or deleted emails.
● FTK:
  ● All-purpose program.
  ● Filters and finds files specific to email clients and servers.
● InBoxer: systematic analysis of emails.

31. Using Specialized Email Forensics Tools


33. Carving Email Messages
● Very few vendors have products for analyzing email in systems other than Microsoft's.
● mbox format: stores emails in flat plaintext files, one message after another, each introduced by a "From " separator line.
● Multipurpose Internet Mail Extensions (MIME): defines how a message body is divided into parts and how attachments and non-ASCII content are encoded, so a carved message is parsed as MIME wherever it was stored.
● Vendor-specific stores such as Microsoft .pst or .ost keep messages inside their own database structures; a tool that understands that format is needed before the MIME content can be examined.
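An added example, not from the slides, of the carving that slide 17 asks for on mbox data: it scans a constructed byte blob (junk, two mbox records, more junk, as unallocated space might look) for mbox "From " separator lines, parses each carved record as MIME, and lists each attachment with its size and SHA-256. The separator pattern, the sample messages and the rule that a NUL byte ends a carved record are this example's own assumptions.

```python
"""Added example, not from the CSE 469 slides: carve mbox records out of an
unstructured byte blob, parse each as MIME, and hash its attachments."""
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# mbox separates messages with "From <envelope-sender> <asctime date>" at the
# start of a line. The sender's own "From:" header has a colon and never matches.
FROM_LINE_RE = re.compile(
    rb"^From \S+ [A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}$", re.MULTILINE)

ATTACHMENT_BYTES = b"invoice-2019-02-18,amount,1250.00\n"   # constructed payload


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_sample_blob():
    """Constructed 'disk image': junk, two mbox records, trailing slack."""
    m1 = EmailMessage()
    m1["From"] = "alice@partner.example"
    m1["To"] = "victim@corp.example"
    m1["Subject"] = "Invoice attached"
    m1["Message-ID"] = "<one@partner.example>"
    m1.set_content("See attachment.")
    m1.add_attachment(ATTACHMENT_BYTES, maintype="application",
                      subtype="octet-stream", filename="invoice.csv")
    m2 = EmailMessage()
    m2["From"] = "bob@corp.example"
    m2["To"] = "victim@corp.example"
    m2["Subject"] = "Re: Invoice attached"
    m2["Message-ID"] = "<two@corp.example>"
    m2.set_content("Looks fine to me.")
    return (b"\x00\xffJUNK" * 8 + b"\n"
            + b"From alice@partner.example Mon Feb 18 10:11:35 2019\n" + m1.as_bytes()
            + b"\nFrom bob@corp.example Mon Feb 18 10:20:00 2019\n" + m2.as_bytes()
            + b"\n\x13\x37 trailing slack \x00" * 4)


def carve_messages(blob):
    """(offset, parsed message) for every mbox separator found in blob."""
    hits = list(FROM_LINE_RE.finditer(blob))
    out = []
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(blob)
        chunk = blob[hit.end() + 1:end]          # skip the separator line itself
        nul = chunk.find(b"\x00")                # mbox text never contains NUL: end of record
        if nul != -1:
            chunk = chunk[:nul]
        out.append((hit.start(), BytesParser(policy=policy.default).parsebytes(chunk)))
    return out


def extract_attachments(msg):
    """Name, type, size and SHA-256 of each MIME part marked as an attachment."""
    found = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):                # text/* attachments come back decoded
            data = data.encode(part.get_content_charset() or "utf-8")
        found.append({"filename": part.get_filename(), "content_type": part.get_content_type(),
                      "size": len(data), "sha256": sha256_hex(data)})
    return found


def inventory(blob):
    """One summary dict per carved message, in blob order."""
    return [{"offset": off,
             "message_id": str(msg["Message-ID"]).strip("<> "),
             "from": msg["From"].addresses[0].addr_spec,
             "subject": str(msg["Subject"]),
             "attachments": extract_attachments(msg)}
            for off, msg in carve_messages(blob)]


if __name__ == "__main__":
    for item in inventory(build_sample_blob()):
        print(item["offset"], item["message_id"], item["from"], item["subject"])
        for att in item["attachments"]:
            print("   ", att["filename"], att["content_type"], att["size"], att["sha256"])
```

The offsets are what you would record in your notes; the hashes are what you check against known-bad lists or carry into the attachment analysis. The NUL-byte stop is a heuristic for carved data and cuts the last record short if the message body itself was overwritten with binary data.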

34. What other information can be extracted from emails?
● Buddygraph: social network analysis based on emails.
● Enron investigation: email visualization in the Enron investigations.


37. All one-way emails to Tim Belden

38. Slides from Previous Years

39. Examining Email Headers (annotated example)
1. Return-Path: <forensics@yahoo.com>   [return path; easily spoofed]
2. Delivered-To: badguy@jailhouse.com   [recipient's email address]
3. Received: (qmail 12780 invoked by uid 0); 08 Dec 2015 08:23:37 -0000   [email service used (qmail) and its ID number (12780)]
4. Received: from unknown (HELO smtp.jailhouse.com) (192.152.64.20) by mail.jailhouse.com with SMTP; 08 Dec 2015 08:23:37 -0000   [name and IP address of the sending email server]
5. Received: from Web4009.mail.yahoo.com (Web4009.mail.yahoo.com [192.218.78.27]) by smtp.jailhouse.com (16.12.6/16/12/6) with SMTP id gBC8[]_AJ005229 for badguy@jailhouse.com; Wed 08 Dec 2015 00:18:21 -0800   [email servers through which the message passed]
6. Message-ID: 20121212082330.40429.qmail@web4009.mail.yahoo.com   [unique message number]
7. Received: from [10.187.241.199] by Web4009.mail.yahoo.com via HTTP; Wed 08 Dec 2015 00:23:30 PST   [IP address of the sending host as seen by the webmail front end (here a private address), and date/time sent]
Date: Wed, 08 Dec 2015 00:23:30 -0800 (PST)   [date/time sent]
MIME-Version: 1.0
● Read the Received lines from the bottom up: 7 (webmail session), 5 (Yahoo to smtp.jailhouse.com), 4 (to mail.jailhouse.com), 3 (local qmail delivery). Note that line 5 is stamped 00:18:21 -0800 although the hop before it (line 7) and the hop after it (line 4) are both stamped about 08:23 UTC; the clock on smtp.jailhouse.com was roughly five minutes slow. Timestamps from different hosts must be corroborated against those hosts' own logs before being used to build a timeline.

40. Examining Email Headers: attachments may be identified as well

41. Network Protocols Related to Email
● SMTP: Simple Mail Transfer Protocol.
● POP: Post Office Protocol.
● IMAP: Internet Message Access Protocol.
