Email Evidence - Santa Clara University

Email Tracing
Computer Forensics 252
Thomas Schwarz, S.J. 2006
Email Investigations: Overview
• Email has become a primary means of communication.
• Email can easily be forged.
• Email can be abused:
  • Spam
  • Aid in committing a crime …
  • Threatening email, …

Email Investigations: Overview
• Email evidence:
  • Is in the email itself
    • Header
    • Contents
  • In logs:
    • Left behind as the email travels from sender to recipient.
    • Law enforcement uses subpoenas to follow the trace.
    • System administrators have some logs under their control.

Notice: All fakemailing that you will be learning can be easily traced.
Email Fundamentals
• Email travels from the originating computer to the receiving computer through email servers.
• All email servers add to the header.
• Use important internet services to interpret and verify data in a header.

Email Fundamentals
• Typical path of an email message:
  Client → Mail Server → Mail Server → Mail Server → Client

Email Fundamentals: Important Services
• Verification of IP addresses:
  • Regional Internet Registry
    o APNIC (Asia Pacific Network Information Centre).
    o ARIN (American Registry of Internet Numbers).
    o LACNIC (Latin American and Caribbean IP address Regional Registry).
    o RIPE NCC (Réseaux IP Européens Network Coordination Centre).
  • Whois

Email Fundamentals: Important Services
• Domain Name System (DNS) translates between domain names and IP addresses.
• Name to address lookup:
  1. Parse the HOSTS file.
  2. Ask the local nameserver.
  3. The local nameserver contacts the nameserver responsible for the domain.
  4. If necessary, contact a root nameserver.
  5. The remote nameserver sends the data back to the local nameserver.
  6. The local nameserver caches the info and informs the client.
• HOSTS files can be altered.
  • You can use this as a low-tech tool to block pop-ups.
• Local nameservers can/could be tricked into accepting unsolicited data to be cached.
  • “Hilary for Senate” case.

Email Fundamentals: Important Services
• Domain Name System (DNS) translates between domain names and IP addresses.
• MX records in the DNS database specify the host’s or domain’s mail exchanger.
• A domain can have multiple MX records, each with a priority attached:
    MX   10   cse
    MX  100   mailhost.soe.uscs.edu
• Email to user@scu.edu will then be sent to user@cse.scu.edu.
• If that site is down, then it will be sent to user@mailhost.soe.ucsc.edu.
• The mailer at both sites also needs to be set up to accept the messages.

Email Fundamentals
• IP-Addressing Fundamentals
  • IP Version 4 is slowly being replaced by IP Version 6.
  • IPv4: 4 decimal numbers between 0 and 255.
  • IPv6: 8 hexadecimal numbers between 0x0000 and 0xffff.
  • Static / dynamic addresses
  • Dynamic addresses are assigned by DHCP within a local domain (with the same leading portion of the IP address).

Email Fundamentals: Important Services
• Many organizations use Network Address Translation (NAT).
  • NAT boxes have a single visible IP.
  • Each incoming IP packet is analyzed according to address and port number.
  • It is forwarded to the interior network with an internal IP address.
  • Typically in the “private use areas”:
    • 10.0.0.0 – 10.255.255.255
    • 172.16.0.0 – 172.31.255.255
    • 192.168.0.0 – 192.168.255.255
  • Private use addresses are not valid addresses externally.

Email Protocols:
• Email programs such as Outlook or GroupWise are client applications.
• The client needs to interact with an email server:
  • Post Office Protocol (POP)
  • Internet Message Access Protocol (IMAP)
  • Microsoft’s Mail API (MAPI)
• Web-based email uses a web page as an interface with an email server.

Email Protocols:
• A mail server stores incoming mail and distributes it to the appropriate mailbox.
• Behavior afterwards depends on the type of protocol.
• Accordingly, the investigation needs to be done at the server or at the workstation.

Email Protocols:
Post office service, protocol and characteristics:
• POP (stores only incoming messages):
  • Investigation must be at the workstation.
• IMAP, MS’ MAPI, Lotus Notes (store all messages):
  • Copies of incoming and outgoing messages might be stored on the workstation or on the server or on both.
• HTTP (web-based send and receive):
  • Incoming and outgoing messages are stored on the server, but there might be archived or copied messages on the workstation.
  • Easy to spoof identity.

Email Protocols: SMTP
• Neither IMAP nor POP is involved in relaying messages between servers.
• Simple Mail Transfer Protocol: SMTP
  • Easy.
  • Has several additions (extensions).
  • Can be spoofed:
    • By using an unsecured or under-secured email server.
    • By setting up your own SMTP server.

Email Protocols: SMTP
How to spoof email

telnet endor.engr.scu.edu 25
220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 14:58:49 -0800
helo 129.210.16.8
250 server8.engr.scu.edu Hello dhcp-19-198.engr.scu.edu [129.210.19.198], pleased to meet you
mail from: jholliday@engr.scu.edu
250 2.1.0 jholliday@engr.scu.edu... Sender ok
rcpt to: tschwarz@scu.edu
250 2.1.5 tschwarz@scu.edu... Recipient ok
data
354 Enter mail, end with "." on a line by itself
This is a spoofed message.
.
250 2.0.0 jBSMwnTd023057 Message accepted for delivery
quit
221 2.0.0 endor.engr.scu.edu closing connection

Email Protocols: SMTP
The message as received (header lines re-folded):

Return-path: <jholliday@engr.scu.edu>
Received: from MGW2.scu.edu [129.210.251.18]
  by gwcl-22.scu.edu; Wed, 28 Dec 2005 15:00:29 -0800
Received: from endor.engr.scu.edu (unverified [129.210.16.1]) by
  MGW2.scu.edu (Vircom SMTPRS 4.2.425.10) with ESMTP id <C0066443608@MGW2.scu.edu>
  for <tjschwarz@scu.edu>; Wed, 28 Dec 2005 15:00:29 -0800
X-Modus-BlackList: 129.210.16.1=OK;jholliday@engr.scu.edu=OK
X-Modus-Trusted: 129.210.16.1=NO
Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34])
  by endor.engr.scu.edu (8.13.5/8.13.5) with SMTP id jBSMwnTd023057
  for tjschwarz@scu.edu; Wed, 28 Dec 2005 15:00:54 -0800
Date: Wed, 28 Dec 2005 14:58:49 -0800
From: JoAnne Holliday <jholliday@engr.scu.edu>
Message-Id: <200512282300.jBSMwnTd023057@endor.engr.scu.edu>

this is a spoofed message.

Slide annotations:
• This looks very convincing.
• Only hint: the received line gives the name of my machine.
• If I were to use a machine without a fixed IP, then you can determine the DHCP address from the DHCP logs.

Email Protocols: SMTP
How to spoof email
• Endor will only relay messages from machines that have properly authenticated themselves within the last five minutes.
• Subject lines etc. are part of the data segment. However, any misspelling will put them into the body of the message.

Email Protocols: SMTP
How to spoof email

telnet endor.engr.scu.edu 25
220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 15:36:13 -0800
mail from: plocatelli@scu.edu
250 2.1.0 plocatelli@scu.edu... Sender ok
rcpt to: tschwarz@scu.edu
250 2.1.5 tschwarz@scu.edu... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Date: 23 Dec 05 11:22:33
From: plocatelli@scu.edu
To: tschwarz@scu.edu
Subject: Congrats
You are hrby appointed the next president of Santa Clara University, effectively
immediately.
Best, Paul
.
250 2.0.0 jBSNaDlu023813 Message accepted for delivery
quit

Email Protocols: SMTP
How to spoof email
• Unix
  • Use sendmail:
    % /usr/lib/sendmail -t -f HolyFather@vatican.va < test_message

Email Protocols: SMTP
• Things are even easier with Windows XP.
  • Turn on the SMTP service that each WinXP machine runs.
  • Create a file that follows the SMTP protocol.
  • Place the file in Inetpub/mailroot/Pickup.

Email Protocols: SMTP
The resulting message as received (header lines re-folded):

From HolyFather@vatican.va Tue Dec 23 17:25:50 2003
Return-Path: <HolyFather@vatican.va>
Received: from Xavier (dhcp-19-226.engr.scu.edu [129.210.19.226])
  by server4.engr.scu.edu (8.12.10/8.12.10) with ESMTP id hBO1Plpv027244
  for <tschwarz@engr.scu.edu>; Tue, 23 Dec 2003 17:25:50 -0800
Received: from mail pickup service by Xavier with Microsoft SMTPSVC;
  Tue, 23 Dec 2003 17:25:33 -0800
To: tschwarz@engr.scu.edu
From: HolyFather@vatican.va
Message-ID: <XAVIERZRTHEQXHcJcKJ00000001@Xavier>
X-OriginalArrivalTime: 24 Dec 2003 01:25:33.0942 (UTC) FILETIME=[D3B56160:01C3C9BC]
Date: 23 Dec 2003 17:25:33 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-rc3 (1.202-2003-08-29-exp) on server4.engr.scu.edu
X-Spam-Level:
X-Spam-Status: No, hits=0.3 required=5.0 tests=NO_REAL_NAME autolearn=no version=2.60-rc3

This is a spoofed message.

Email Protocols: SMTP
• SMTP Headers:
  • Each mail server adds to the headers.
  • Additions are made at the top of the list.
  • Therefore, read the header from the bottom.
  • To read headers, you usually have to enable them in your mail client.

SMTP Headers
To enable headers:
• Eudora:
  • Use the “Blah Blah Blah” button.
• Hotmail:
  • Options → Preferences → Message Headers.
• Juno:
  • Options → Show Headers.
• MS Outlook:
  • Select the message and go to Options.
• Yahoo!:
  • Mail Options → General Preferences → Show all headers.
• GroupWise:
  • The message itself is “attached” to each email. You need to look at it.

SMTP Headers
• Headers consist of header fields:
  • Originator fields
    • From, Sender, Reply-To
  • Destination address fields
    • To, Cc, Bcc
  • Identification fields
    • The Message-ID field is optional, but extremely important for tracing emails through email server logs.
  • Informational fields
    • Subject, Comments, Keywords
  • Resent fields
    • Resent fields are strictly speaking optional, but luckily most servers add them.
    • Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc, Resent-Bcc, Resent-Message-ID

SMTP Headers
• Trace fields
  • Core of email tracing.
  • Regulated in RFC 2821.
  • When an SMTP server receives a message for delivery or forwarding, it MUST insert trace information at the beginning of the header.

SMTP Headers
• The FROM field, which must be supplied in an SMTP environment, should contain both (1) the name of the source host as presented in the EHLO command and (2) an address literal containing the IP address of the source, determined from the TCP connection.
• The ID field may contain an "@" as suggested in RFC 822, but this is not required.
• The FOR field MAY contain a list of <path> entries when multiple RCPT commands have been given.
• A server making a final delivery inserts a Return-Path line.

SMTP Header
• Spotting spoofed messages
  • The contents usually give a hint.
  • Each SMTP server application adds a different set of headers or structures them in a different way.
    • A good investigator knows these formats.
  • Use internet services in order to verify header data.
    • However, some companies outsource email or use internal IP addresses.
  • Look for breaks / discrepancies in the “Received” lines.

SMTP Header
• Investigation of spoofed messages
  • Verify all IP addresses.
    • Keep in mind that some addresses might be internal addresses.
  • Make a time-line of events.
    • Convert all times to Coordinated Universal Time (UTC).
    • Look for strange behavior.
    • Keep clock drift in mind.

Server Logs
• E-mail logs usually identify email messages by:
  • Account received
  • IP address from which they were sent
  • Time and date (beware of clock drift)

Server Logs
Sample log entry at endor (wrapped lines rejoined):

Dec 31 18:26:15 endor sendmail[30597]: k012OV1i030597: from=evil@evil.com, size=147, class=0, nrcpts=1, msgid=<200601010225.k012OV1i030597@endor.engr.scu.edu>, proto=SMTP, daemon=MTA, relay=c-2412-227-211.hsd1.il.comcast.net [24.12.227.211]
Dec 31 18:26:15 endor spamd[28512]: spamd: connection from localhost [127.0.0.1] at port 42865
Dec 31 18:26:15 endor spamd[28512]: spamd: setuid to tschwarz succeeded
Dec 31 18:26:15 endor spamd[28512]: spamd: processing message <200601010225.k012OV1i030597@endor.engr.scu.edu> for tschwarz:1875
Dec 31 18:26:15 endor spamd[28512]: spamd: clean message (4.6/5.0) for tschwarz:1875 in 0.2 seconds, 525 bytes.
Dec 31 18:26:15 endor spamd[28512]: spamd: result: . 4 MSGID_FROM_MTA_ID,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL scantime=0.2,size=525,user=tschwarz,uid=1875,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=42865,mid=<200601010225.k012OV1i030597@endor.engr.scu.edu>,autolearn=no
Dec 31 18:26:15 endor spamd[21352]: prefork: child states: II
Dec 31 18:26:15 endor sendmail[30726]: k012OV1i030597: to=tschwarz@engr.scu.edu, delay=00:01:02, xdelay=00:00:00, mailer=local, pri=30464, dsn=2.0.0, stat=Sent

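The sendmail log above is the artifact an investigator actually correlates: the queue ID (k012OV1i030597) ties the arrival line (envelope sender, relay host and IP, Message-ID) to the delivery line, and the Message-ID ties both to the spamd verdict. The following script is an added example, not part of the course notes, that performs that correlation on the excerpt above with its wrapped lines rejoined. It assumes the year 2005 for the syslog stamps (syslog does not record the year) and decodes the YYYYMMDDHHMM prefix of the sendmail Message-ID, which both sendmail IDs in these notes show is a UTC timestamp, so it can be cross-checked against the local-time log stamp.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the endor maillog excerpt from these notes with the
# wrapped lines rejoined. syslog does not record the year, so the caller
# supplies it; 2005 is an assumption made in this example.
SAMPLE_LOG = """\
Dec 31 18:26:15 endor sendmail[30597]: k012OV1i030597: from=evil@evil.com, size=147, class=0, nrcpts=1, msgid=<200601010225.k012OV1i030597@endor.engr.scu.edu>, proto=SMTP, daemon=MTA, relay=c-2412-227-211.hsd1.il.comcast.net [24.12.227.211]
Dec 31 18:26:15 endor spamd[28512]: spamd: connection from localhost [127.0.0.1] at port 42865
Dec 31 18:26:15 endor spamd[28512]: spamd: setuid to tschwarz succeeded
Dec 31 18:26:15 endor spamd[28512]: spamd: processing message <200601010225.k012OV1i030597@endor.engr.scu.edu> for tschwarz:1875
Dec 31 18:26:15 endor spamd[28512]: spamd: clean message (4.6/5.0) for tschwarz:1875 in 0.2 seconds, 525 bytes.
Dec 31 18:26:15 endor spamd[28512]: spamd: result: . 4 MSGID_FROM_MTA_ID,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL scantime=0.2,size=525,user=tschwarz,uid=1875,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=42865,mid=<200601010225.k012OV1i030597@endor.engr.scu.edu>,autolearn=no
Dec 31 18:26:15 endor spamd[21352]: prefork: child states: II
Dec 31 18:26:15 endor sendmail[30726]: k012OV1i030597: to=tschwarz@engr.scu.edu, delay=00:01:02, xdelay=00:00:00, mailer=local, pri=30464, dsn=2.0.0, stat=Sent
"""

# "Mon DD HH:MM:SS host program[pid]: message" as written by syslog
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RELAY_RE = re.compile(r"^(?P<host>\S+)\s*\[(?P<ip>[^\]]+)\]")        # "relay=name [ip]"
SPAMD_RESULT_RE = re.compile(r"^spamd: result: \S+ -?\d+ (?P<tests>\S+) (?P<kv>.*)$")


def parse_kv(text, sep=", "):
    """Turn 'a=1, b=2' (sendmail) or 'a=1,b=2' (spamd) into a dict."""
    out = {}
    for item in text.split(sep):
        key, _, value = item.partition("=")
        out[key.strip()] = value.strip()
    return out


def correlate_maillog(log_text, year):
    """Group sendmail lines by queue ID (the token after the PID) and attach
    the spamd verdict logged for the same Message-ID."""
    records, spam_by_mid = {}, {}
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["prog"] == "sendmail":
            qid, _, rest = m["msg"].partition(": ")
            rec = records.setdefault(qid, {"qid": qid})
            kv = parse_kv(rest)
            if "from" in kv:                          # arrival: envelope sender + relay
                relay = RELAY_RE.match(kv.get("relay", ""))
                rec.update(msgid=kv.get("msgid"), envelope_from=kv["from"], received_at=when,
                           relay_host=relay["host"] if relay else None,
                           relay_ip=relay["ip"] if relay else None)
            elif "to" in kv:                          # delivery attempt for one recipient
                rec.update(to=kv["to"], delivered_at=when, stat=kv.get("stat"),
                           delay=kv.get("delay"))
        elif m["prog"] == "spamd":
            r = SPAMD_RESULT_RE.match(m["msg"])
            if r:
                spam_by_mid[parse_kv(r["kv"], sep=",").get("mid")] = r["tests"].split(",")
    for rec in records.values():
        rec["spam_tests"] = spam_by_mid.get(rec.get("msgid"), [])
    return records


def msgid_utc(msgid):
    """Decode the YYYYMMDDHHMM prefix sendmail puts in its Message-IDs (both
    sendmail IDs in these notes show it). It is a UTC stamp, so it can be
    compared with the local-time syslog stamp and the Received: time zone."""
    m = re.match(r"<(\d{12})\.", msgid or "")
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y%m%d%H%M").replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    for qid, rec in correlate_maillog(SAMPLE_LOG, year=2005).items():
        print(qid, rec["envelope_from"], "via", rec["relay_ip"], "->", rec["to"], rec["stat"],
              "| Message-ID time (UTC):", msgid_utc(rec["msgid"]), "| tests:", rec["spam_tests"])
```

The relay IP in the arrival line (24.12.227.211, a cable-modem host, which is why the DUL tests fired) is the address to hand to the registry lookup, and the local log stamp 18:26:15 on Dec 31 agrees with the 02:25 UTC on Jan 1 encoded in the Message-ID once the -0800 offset is applied. Exporting the per-queue-ID record is what lets the evidence from this server be lined up with the Received: lines of the message and with logs subpoenaed from the relay.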
Server Logs
• Many servers keep copies of emails.
• Most servers purge logs.
• Law enforcement:
  • The vast majority of companies are very cooperative.
  • Don’t wait for the subpoena; instead give the system administrator a heads-up of a coming subpoena.
• Company:
  • The local sys-ad needs early warning.
  • Getting logs at other places can be dicey.

Unix Sendmail
• Configuration files /etc/sendmail.cf and /etc/syslog.conf
  • Give the location of the various logs and their rules.
• maillog (often at /var/log/maillog)
  • Logs SMTP communications
  • Logs POP3 events
• You can always use “locate *.log” to find log files.

Techniques
• Server information from IP
  • ARIN (North America, Southern Africa)
    • 063.x.x.x – 072.x.x.x, 199.x.x.x, 204.x.x.x, 216.x.x.x
  • APNIC (Asia, Australia)
    • 058.x.x.x – 061.x.x.x, 202.x.x.x – 203.x.x.x, 210.x.x.x – 211.x.x.x, 218.x.x.x – 222.x.x.x
  • RIPE NCC (Europe, Middle East, Northern Africa)
    • 062.x.x.x, 081.x.x.x – 088.x.x.x, 193.x.x.x – 195.x.x.x, 212.x.x.x – 213.x.x.x, 217.x.x.x
  • LACNIC (South America)
    • 200.x.x.x – 201.x.x.x

Techniques
• Domain name lookup
  • Registrars, ICANN, IANA
    • Have records, but some are now protected.
• Hostname lookups
  • dig (replacing nslookup)
    • “dig www.scu.edu”
    • “dig -x 129.210.2.1” (reverse lookup)
  • “whois”
  • “traceroute” (basically disabled by firewalls)

Techniques
• Investigating email for forgery
  • Evidentiary material is:
    • Directly in the header
    • Indirectly in the formatting of the headers
    • In the timestamps

Techniques
• Header investigation
  • Look up all host names and IP addresses
    • Check for inconsistencies
    • Be aware of
      • internal IP addresses
      • web hosting companies
  • Generate a timeline
    • Be aware of
      • clock drift,
      • delays,
      • time zone differences
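The header investigation procedure above (and the “Investigation of spoofed messages” and “private use areas” slides earlier) can be mechanised for the first pass: read the Received: chain from the bottom, pull out the HELO name, the reverse-DNS name and address literal the receiving server recorded, normalise every timestamp to UTC, and flag the discrepancies the notes list. The following script is an added example, not part of the course notes, run on the spoofed message from the SMTP slides (header re-folded here as a constructed sample). Function names, the note wording and the “(name [ip])” parsing convention are this example’s own; the private-use blocks are the three ranges given on the NAT slide.

```python
import ipaddress
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the spoofed message's header from these notes, with the
# folding whitespace restored so the parser can be run offline.
SAMPLE_HEADER = """\
Return-path: <jholliday@engr.scu.edu>
Received: from MGW2.scu.edu [129.210.251.18]
 by gwcl-22.scu.edu; Wed, 28 Dec 2005 15:00:29 -0800
Received: from endor.engr.scu.edu (unverified [129.210.16.1]) by
 MGW2.scu.edu (Vircom SMTPRS 4.2.425.10) with ESMTP id <C0066443608@MGW2.scu.edu>
 for <tjschwarz@scu.edu>; Wed, 28 Dec 2005 15:00:29 -0800
Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34])
 by endor.engr.scu.edu (8.13.5/8.13.5) with SMTP id jBSMwnTd023057
 for tjschwarz@scu.edu; Wed, 28 Dec 2005 15:00:54 -0800
Date: Wed, 28 Dec 2005 14:58:49 -0800
From: JoAnne Holliday <jholliday@engr.scu.edu>
Message-Id: <200512282300.jBSMwnTd023057@endor.engr.scu.edu>
"""

# The three "private use areas" from the NAT slide; an address in one of them
# names an internal relay that no regional registry can resolve for you.
PRIVATE_USE = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_use(ip):
    """True if the dotted-quad address lies in one of the private-use blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_USE)


def unfold_headers(raw):
    """Return (name, value) pairs; folded continuation lines are rejoined."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # blank line ends the header block
        if line[0] in " \t" and fields:
            fields[-1][1] += " " + line.strip()     # continuation of the previous field
        else:
            name, _, value = line.partition(":")
            fields.append([name.strip().lower(), value.strip()])
    return [(n, v) for n, v in fields]


def parse_received(value):
    """Pull the HELO name, reverse-DNS name, IP, receiving host and UTC time
    out of one Received: field (the FROM/BY/date clauses of RFC 2821)."""
    text = " ".join(value.split())
    helo = re.search(r"\bfrom\s+([^\s;]+)", text)
    by = re.search(r"\bby\s+([^\s;]+)", text)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
    paren = re.search(r"\((\S+)\s+\[", text)       # "(name [ip])" or "(unverified [ip])"
    when = None
    if ";" in text:                                 # the timestamp follows the last ';'
        when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip()).astimezone(timezone.utc)
    unverified = bool(paren and paren.group(1) == "unverified")
    return {
        "helo": helo.group(1) if helo else None,
        "rdns": paren.group(1) if paren and not unverified else None,
        "unverified": unverified,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "time_utc": when,
    }


def trace_hops(raw):
    """Walk the Received: chain bottom-up (origin first), normalise each
    timestamp to UTC and attach the discrepancies an investigator looks for."""
    received = [v for n, v in unfold_headers(raw) if n == "received"]
    hops = [parse_received(v) for v in reversed(received)]
    prev_time = None
    for hop in hops:
        notes = []
        if hop["ip"] and is_private_use(hop["ip"]):
            notes.append("private-use address: internal relay, not resolvable externally")
        if hop["unverified"]:
            notes.append("receiving server could not verify the sending host name")
        if hop["rdns"] and hop["helo"] and hop["rdns"].lower() != hop["helo"].lower():
            notes.append("HELO name differs from reverse DNS of the connecting IP")
        delay = None
        if prev_time is not None and hop["time_utc"] is not None:
            delay = (hop["time_utc"] - prev_time).total_seconds()
            if delay < 0:
                notes.append("timestamp earlier than previous hop: clock drift or forged line")
        if hop["time_utc"] is not None:
            prev_time = hop["time_utc"]
        hop["delay_s"] = delay
        hop["notes"] = notes
    return hops


if __name__ == "__main__":
    for i, hop in enumerate(trace_hops(SAMPLE_HEADER)):
        print(i, hop["time_utc"], hop["ip"], hop["helo"], "->", hop["by"], hop["notes"])
```

On the sample the origin hop is the one the notes point at (bobadilla.engr.scu.edu [129.210.18.34] handing the message to endor), the middle hop is marked “unverified” by the Vircom gateway, and the gateway’s stamp is 25 seconds earlier than endor’s, which is the clock drift the notes warn about rather than evidence of tampering. Every address here is public, so the private-use note never fires; it does for the 10/8, 172.16/12 and 192.168/16 ranges, which is the cue to ask the organisation for its own DHCP or NAT logs instead of a registry.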