Removing the Mystery from Email Tracing

1
Removing theMystery from EmailTracing
2
Email Tracing

• In order to determine the sender of an email, an
  investigator will want to have the emails header
  information.
• An email header is the information added to the
  beginning and/or end of the electronic message.
• By default, email clients and services only show
  you an abbreviated form of the header such as

3
Email Tracing
Outlook 2000
Netscape Communicator
Hotmail
AOL 6.0
Outlook Express
Yahoo!
4
Email Tracing

• Received from search.org (64.162.18.2) by
  sgiserver1.search.org with SMTP (Microsoft
  Exchange Internet Mail Service Version
  5.5.2650.21)
• id K9HBB4C4 Mon, 21 May 2001 094701 -0700
• Received from web14506.mail.yahoo.com
  (216.136.224.69) by SEARCH.ORG
• with SMTP (IPAD 2.52) id 3579700 Mon, 21 May
  2001 084723 -0800
• Message-ID lt20010521164640.85785.qmail_at_web14506.m
  ail.yahoo.comgt
• Received from 216.104.228.118 by
  web14506.mail.yahoo.com Mon, 21 May 2001
  094640 PDT
• Date Mon, 21 May 2001 094640 -0700 (PDT)
• From Can Do ltcan_do1_at_yahoo.comgt
• Subject check out this email header
• To todd_at_search.org
• MIME-Version 1.0
• Content-Type text/plain charsetus-ascii

5
What is MIME

• Short for Multipurpose Internet Mail Extensions,
  a specification for formatting non-ASCII messages
  so that they can be sent over the Internet. Many
  e-mail-clients now support MIME, which enables
  them to send and receive graphics, audio, and
  video files via the Internet mail system. In
  addition, MIME supports messages in character
  sets other than ASCII.

6
Email Tracing

• The information needed from an email header to
  identify the sender can be broken into 3 blocks
  of information
• Senders email address
• Internet routing information
• Senders IP address
• Email server information
• The Message ID

7
Email Tracing

• To find this information, start at the bottom of
  the email header and work up.

• Email header information is organized in a bottom
  to top sequence.

8
Message Transfer Agents

• Electronic mail is just like regular mail
• It is handled by various sorts of Post Offices
  called Message Transfer Agents (MTA)
• As each message passes through the local or
  relevant MTA it puts header info on the message
  like the regular Post Office does a postmark
• Called a Received header
• Similar to stack of pancakes. Newest are
• placed ON TOP.
• (Last MTA to touch it will be at the TOP)

9
Email Tracing

• Step 1 Finding the Senders Email Address

10
Email Tracing

• What can you do with the senders email address?
• Depends on what type of email address it is
• Hotmail, Yahoo!, etc (free services)
• AOL, Earthlink (pay for service)
• Business/Organization email addresses
• e.g., todd.colvin_at_search.org

11
Finding the Senders Email Address

• Received from search.org (64.162.18.2) by
  sgiserver1.search.org with SMTP (Microsoft
  Exchange Internet Mail Service Version
  5.5.2650.21)
• id K9HBB5S8 Wed, 30 May 2001 171939 -0700
• Received from web12601.mail.yahoo.com
  (216.136.173.224) by SEARCH.ORG
• with SMTP (IPAD 2.52) id 3099300 Wed, 30 May
  2001 162111 -0800
• Message-ID lt20010531001928.11843.qmail_at_web12601.m
  ail.yahoo.comgt
• Received from 64.162.18.156 by
  web12601.mail.yahoo.com Wed, 30 May 2001
  171928 PDT
• Date Wed, 30 May 2001 171928 -0700 (PDT)
• From Data Grab ltdatagrab_at_yahoo.comgt
• Subject You too can be a winner!!!
• To todd.colvin_at_search.org, datagrab_at_aol.com
• MIME-Version 1.0
• Content-Type text/plain charsetus-ascii

12
Email Tracing

• Step 2 Finding the Senders
• IP Address

13
Finding the Senders IP Address

• Goal
• Determine senders Internet Service Provider
  (ISP) based on the IP address
• Yahoo! is not an ISP
• Obtain subscriber information from the ISP about
  the sender by linking the sender to that IP
  address
• Requires subscriber-activity logs

14
Finding the Senders IP Address

• Potential problem
• IP addresses can be statically or dynamically
  assigned
• Static assigned to you and you only
• e.g., businesses, cable and DSL
  subscribers
• Dynamic you borrow it and its shared
  among several users
• e.g., dial-up subscribers and
  organizations running DHCP
• User activity logs can quickly disappear

15
Preservation (Freeze) Order

• 18 USC Sec. 2703 (f) Requirement to Preserve
  Evidence http//uscode.house.gov/usc.htm
• Valid for 90 days
• Use with caution
• Some ISPs will notify the target about what has
  happened
• The ISP may terminate the account

16
Finding the Senders IP Address

• First, locate the Internet routing information
• This is an abbreviated listing of the route the
  message took from the senders computer to the
  destination
• Indicated by lines beginning with Received

17
Finding the Senders IP Address

• Received from search.org (64.162.18.2) by
  sgiserver1.search.org with SMTP (Microsoft
  Exchange Internet Mail Service Version
  5.5.2650.21)
• id K9HBB5S8 Wed, 30 May 2001 171939 -0700
• Received from web12601.mail.yahoo.com
  (216.136.173.224) by SEARCH.ORG
• with SMTP (IPAD 2.52) id 3099300 Wed, 30 May
  2001 162111 -0800
• Message-ID lt20010531001928.11843.qmail_at_web12601.m
  ail.yahoo.comgt
• Received from 64.162.18.156 by
  web12601.mail.yahoo.com Wed, 30 May 2001
  171928 PDT
• Date Wed, 30 May 2001 171928 -0700 (PDT)
• From Data Grab ltdatagrab_at_yahoo.comgt
• Subject You too can be a winner!!!
• To todd.colvin_at_search.org, datagrab_at_aol.com
• MIME-Version 1.0
• Content-Type text/plain charsetus-ascii

18
Finding the Senders IP Address

• Received from search.org (64.162.18.2) by
  sgiserver1.search.org with SMTP (Microsoft
  Exchange Internet Mail Service Version
  5.5.2650.21)
• id K9HBB5S8 Wed, 30 May 2001 171939 -0700
• Received from web12601.mail.yahoo.com
  (216.136.173.224) by SEARCH.ORG
• with SMTP (IPAD 2.52) id 3099300 Wed, 30 May
  2001 162111 -0800
• Message-ID lt20010531001928.11843.qmail_at_web12601.m
  ail.yahoo.comgt
• Received from 64.162.18.156 by
  web12601.mail.yahoo.com Wed, 30 May 2001
  171928 PDT
• Date Wed, 30 May 2001 171928 -0700 (PDT)
• From Data Grab ltdatagrab_at_yahoo.comgt
• Subject You too can be a winner!!!
• To todd.colvin_at_search.org, datagrab_at_aol.com
• MIME-Version 1.0
• Content-Type text/plain charsetus-ascii

19
Finding the Senders IP Address

• Once you locate the routing information, find the
  first line (the bottom line) beginning with
  Received
• If present, the senders IP address will be here

20
Finding the Senders IP Address

• Received from search.org (64.162.18.2) by
  sgiserver1.search.org with SMTP (Microsoft
  Exchange Internet Mail Service Version
  5.5.2650.21)
• id K9HBB5S8 Wed, 30 May 2001 171939 -0700
• Received from web12601.mail.yahoo.com
  (216.136.173.224) by SEARCH.ORG
• with SMTP (IPAD 2.52) id 3099300 Wed, 30 May
  2001 162111 -0800
• Message-ID lt20010531001928.11843.qmail_at_web12601.m
  ail.yahoo.comgt
• Received from 64.162.18.156 by
  web12601.mail.yahoo.com Wed, 30 May 2001
  171928 PDT
• Date Wed, 30 May 2001 171928 -0700 (PDT)
• From Data Grab ltdatagrab_at_yahoo.comgt
• Subject You too can be a winner!!!
• To todd.colvin_at_search.org, datagrab_at_aol.com
• MIME-Version 1.0
• Content-Type text/plain charsetus-ascii

21
Finding the Senders IP Address

• Received from search.org (64.162.18.2) by
  sgiserver1.search.org with SMTP (Microsoft
  Exchange Internet Mail Service Version
  5.5.2650.21)
• id K9HBB5S8 Wed, 30 May 2001 171939 -0700
• Received from web12601.mail.yahoo.com
  (216.136.173.224) by SEARCH.ORG
• with SMTP (IPAD 2.52) id 3099300 Wed, 30 May
  2001 162111 -0800
• Message-ID lt20010531001928.11843.qmail_at_web12601.m
  ail.yahoo.comgt
• Received from 64.162.18.156 by
  web12601.mail.yahoo.com Wed, 30 May 2001
  171928 PDT

22
Finding the Senders IP Address

• Received from search.org (64.162.18.2) by
  sgiserver1.search.org with SMTP (Microsoft
  Exchange Internet Mail Service Version
  5.5.2650.21)
• id K9HBB5S8 Wed, 30 May 2001 171939 -0700
• Received from web12601.mail.yahoo.com
  (216.136.173.224) by SEARCH.ORG
• with SMTP (IPAD 2.52) id 3099300 Wed, 30 May
  2001 162111 -0800
• Message-ID lt20010531001928.11843.qmail_at_web12601.m
  ail.yahoo.comgt
• Received from 64.162.18.156 by
  web12601.mail.yahoo.com Wed, 30 May 2001
  171928 PDT

• Locate the Internet routing information
• Find the first line (start at the bottom) that
  begins with Received
• If the IP address is present, it should be just
  to the right the word Received

23
Finding the Senders IP Address

• Subject New Streaming ShockWave Casino - No
  Software downloads !
• Mime-Version 1.0
• Content-Type text/html charset"us-ascii
• Date Fri, 3 Mar 2000 032544
• MIME-Version 1.0
• Content-Type text/plain charsetus-ascii
• Content-Transfer-Encoding 7bit
• X-Priority Normal
• X-Indiv y353940d1ae42d1f61
• X-JobID 51334-CD
• X-Return-Path DEHEtN_at_AOL.COM
• X-OriginalArrivalTime Fri, 03 Mar 2000 032544
  (UTC) FILETIMEB67F3B3001C060E6
• X-Oringinating-IP (208.61.34.133)
• X-Mailer Windows AOL sub 129
• X-Apparently-From Brianiorlooi_at_aol.com

X-Originating-IP line not present in all email
headers
24
Finding the Senders IP Address

• Perform a WHOIS on the IP address

25
Move to your computers

• Three groups
• On the internet please go to www.arin.net/whois
• Look up the following IP and report the name,
  contact, address, and phone.
• 207.46.197.100
• 129.48.129.9
• 192.233.80.9
• 64.12.149.24

26
Now what do you do?

• Find the Internet Service Provider
• Acquire proper court documents
• Pursue the User name, address, and necessary
  account info
• But how??

27
Finding The ISP!!
Write this web site down!!!

• http//www.infobin.org/cfid/isplist.htm

28
Finding the Senders IP Address

• What if there is not an IP address?
• Newsgroups
• Listserves
• For example
• High Tech Crime Consortium (HTCC)
• http//www.hightechcrimecops.org/
• High Technology Crime Investigation Association
  (HTCIA)
• http//htcia.org/

29
Finding the Senders IP Address

• What if there is not an IP address?

Received by sgiserver1.search.org with Internet
Mail Service (5.5.2650.21)
30
Finding the Senders IP Address

• What if there is not an IP address?

• Every email gets an ID that identifies it and the
  email server that handled the message
• The message ID is assigned by the email server

• Get the Message ID

31
Finding the Message ID

• By finding the Message ID you can
• Determine the exact email server that handled the
  message
• Find the IP address of the sender from the email
  servers logs
• Caveat logs may not be present or last only a
  short time

32
Finding the Message ID

• Received from search.org (64.162.18.2) by
  sgiserver1.search.org with SMTP (Microsoft
  Exchange Internet Mail Service Version
  5.5.2650.21)
• id K9HBB5S8 Wed, 30 May 2001 171939 -0700
• Received from web12601.mail.yahoo.com
  (216.136.173.224) by SEARCH.ORG
• with SMTP (IPAD 2.52) id 3099300 Wed, 30 May
  2001 162111 -0800
• Message-ID lt20010531001928.11843.qmail_at_web12601.m
  ail.yahoo.comgt
• Received from 64.162.18.156 by
  web12601.mail.yahoo.com Wed, 30 May 2001
  171928 PDT
• Date Wed, 30 May 2001 171928 -0700 (PDT)
• From Data Grab ltdatagrab_at_yahoo.comgt
• Subject You too can be a winner!!!
• To todd.colvin_at_search.org, datagrab_at_aol.com
• MIME-Version 1.0
• Content-Type text/plain charsetus-ascii

33
Email Tracing
Message-ID lt20010531001928.11843.qmail_at_web12601.m
ail.yahoo.comgt
34
Email Tracing
web12601.mail.yahoo.comgt
_at_
Message-ID lt20010531001928.11843.qmail
35
Email Tracing
web12601.mail.yahoo.com
_at_
20010531001928.11843.qmail
36
Email Tracing
web12601.mail.yahoo.com
_at_
20010531001928.11843.qmail
37
Email Tracing
web12601.mail.yahoo.com
_at_
20010531001928.11843.qmail
Is this a date? May 31, 2001?
38
Email Tracing
Received from search.org (64.162.18.2) by
sgiserver1.search.org with SMTP (Microsoft
Exchange Internet Mail Service Version
5.5.2650.21) id K9HBB5S8 Wed, 30 May 2001
171939 -0700 Received from web12601.mail.yahoo.
com (216.136.173.224) by SEARCH.ORG with SMTP
(IPAD 2.52) id 3099300 Wed, 30 May 2001 162111
-0800 Message-ID lt20010531001928.11843.qmail_at_web
12601.mail.yahoo.comgt Received from
64.162.18.156 by web12601.mail.yahoo.com Wed,
30 May 2001 171928 PDT Date Wed, 30 May 2001
171928 -0700 (PDT) From Data Grab
ltdatagrab_at_yahoo.comgt Subject You too can be a
winner!!! To todd.colvin_at_search.org,
datagrab_at_aol.com MIME-Version 1.0 Content-Type
text/plain charsetus-ascii
Always provide the full email header!
39
Email Tracing
web12601.mail.yahoo.com
_at_
20010531001928.11843.qmail
Is this a date? May 31, 2001? Incorrect
clock? Different time zone?
40
Email Tracing

• Great, you know how to trace an email, but how do
  you view an email header in the first place?

41
Viewing Email Headers

• Hotmail
• 1. Login and choose Options

42
Viewing Email Headers

• Hotmail
• 2. Choose Preferences

43
Viewing Email Headers

• Hotmail
• 3. Scroll down the list to Message Headers and
  choose Advanced

44
Viewing Email Headers

• Hotmail
• 4. Scroll back to the top or bottom and choose
  OK

45
Viewing Email Headers

• Yahoo!
• Login and choose Options

46
Viewing Email Headers

• Yahoo!
• Choose Mail Preferences

47
Viewing Email Headers

• Yahoo!
• Scroll down and choose all at the Message
  Headers option

48
Viewing Email Headers

• Yahoo!
• Scroll back up or down and choose Save

49
Viewing Email Headers

• Outlook 2000
• Open the email, select View, then Options

50
Viewing Email Headers

• Outlook 2000
• In the window that opens, at the bottom, is the
  header

51
Viewing Email Headers

• Outlook Express 5.5
• Open or select the email
• Select File and choose Properties

52
Viewing Email Headers

• Outlook Express 5.5
• Choose the Details tab

53
Viewing Email Headers

• Netscape Communicator 4.77
• Open the email
• Select View, highlight Headers and select
  All

54
Email Tracing

• Other issues
• Not all emails will have full header information
• Internal emails
• Anonymizers
• Anonymizer.com
• http//www.anonymizer.com
• zerØknowledge
• http//www.zeroknowledge.com

55
IP Address Tracing

• Going back to the WHOIS process

56
IP Address Tracing

• To determine who is responsible for an IP
  address, perform a WHOIS lookup on it
• The information obtained will be the point of
  contact
• e.g., email address, mailing address, phone
  number
• More likely than not, it will be a service
  provider (e.g., ISP or Web hosting company), not
  your bad guy

57
IP Address Tracing

• Remember, the Internet is a big place!
• IP addresses belong to organizations all around
  the world
• Different countries/regions have separate IP
  address databases for WHOIS lookup

58
IP Address Tracing

• ARIN (American Registry of Internet Numbers)
  http//www.arin.net/whois/arinwhois.html
• RIPE (European Network Coordination Centre)
  http//www.ripe.net/cgi-bin/whois
• APNIC (Asia Pacific Network Information Centre)
  http//www.apnic.net/

59
IP Address Tracing

• ARIN is a good place to start
• It will usually tell you which database to go to
  if the IP address does not belong to its own

60
IP Address Tracing

• ARIN is a good place to start

61
IP Address Tracing

• Example WHOIS lookup 208.200.248.4

62
IP Address Tracing

• Go to ARIN web site
• Enter IP address in WHOIS window

63
IP Address Tracing

• Go to ARIN web site
• Enter IP address in WHOIS window

• Click on Submit

208.200.248.4
64
IP Address Tracing

• The results

• This is a partial hierarchy
• UUNET Technologies is leasing IP addresses to
  Olypen, Inc.

65
IP Address Tracing

• The results

• To find out more about Olypen, Inc., click on the
  Netblock hyperlink

66
IP Address Tracing

• This is the Netblock information

From this we get
Address
Name
Email address
Phone numbers
67
IP Address Tracing

• This is the Netblock information

68
IP Address Tracing

• This is the Netblock information

69
IP Address Tracing

• Result of clicking on PB121-ARIN

Basically the same info
Still do not know much about Olypen, Inc. What do
they do?
70
IP Address Tracing

• Result of clicking on PB121-ARIN

One way to find out is to see if they have a web
site.
www.olypen.com ?
71
IP Address Tracing

• http//www.olypen.com

They are an Internet Service Provider
Additional phone number, too!
72
IP Address Tracing

• By doing a WHOIS lookup on the IP address we got
• Name of company responsible
• Address
• Phone numbers
• Name to contact
• Email address
• Web site info
• Company info ISP
• Additional phone number
• Location verification

73
Summary

• To trace an email get
• Senders email address
• Senders IP address
• Message ID

74
Summary

• Senders email address
• Subscriber information is not always reliable
  (e.g., Yahoo!)
• IP address
• Not always present (e.g., Newsgroup)
• Message ID
• If IP address not present, the Message ID might
  help you get it through email server logs

75
Summary

• To trace an IP address do a WHOIS lookup
• Contact information
• Sometimes company information