Intro to Cyber Crime and Computer Forensics CSE 4273/6273 November 9, 2009

1
Intro to Cyber Crime and Computer Forensics CSE
4273/6273 November 9, 2009
MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF
COMPUTER SCIENCE
2
Information we can gather from emails.

• To and from information
• Computer name
• IP address
• ISP
• Client used
• Time zone

3
Two different ways to get email.

• Outlook, Thunderbird, Eudora, Pine, etc.
• Use the Simple Mail Transport Protocol (SMTP) to
  communicate with the users E-Mail server
• Here mail.msstate.edu

• Gmail, Hotmail, Yahoo!, etc.
• HTTP interface to a web application that uses
  SMTP behind the scenes
• Client machine never communicates directly with
  the SMTP server

Email Client
Web-mail
4
Email Address

• UserName_at_mail.server.com

Id of the user you wish to contact
Name of mail server
dampier_at_cse.msstate.edu
5
SMTP

• Simple Mail Transfer Protocol
• Became popular in the early 1980s
• Simple text based protocol
• Used by email servers to transfer emails

6
Sample E-Mail
Bobs PC

• Bob (bob_at_example.com) composes a message for
  Alice, at alice_at_example.org
• Bobs E-mail client is configured to use
  mail.example.com as an SMTP server
• Message is first sent to mail.example.com via
  SMTP

SMTP
mail.example.com
SMTP
Internet
Alices PC
mail.example.org
POP
7
Sample E-Mail

• mail.example.com accepts this message for
  delivery and notes that the recIPient is a user
  at example.org
• Therefore, the message must be relayed to a
  mailserver that can deliver it to the correct user

Bobs PC
SMTP
mail.example.com
SMTP
Internet
Alices PC
mail.example.org
POP
8
Sample E-Mail

• The mail is relayed from mail.example.com to
  mail.example.org using SMTP

Bobs PC
SMTP
mail.example.com
SMTP
Internet
mail.example.org
Alices PC
POP
9
Sample E-Mail

• Finally, Alice can use her E-Mail program to
  receive the E-Mail from mail.example.org using POP

Bobs PC
SMTP
mail.example.com
SMTP
Internet
Alices PC
mail.example.org
POP
10
In Reality it Gets More Complicated

• From a user at yahoo to a user at cse.msstate.edu
  (relayed through 4 servers!)
• web35303.mail.mud.yahoo.com
• canit01.its.msstate.edu
• sav06.its.msstate.edu
• cse.msstate.edu
• Spam/Virus Scanning, Load Balancing, etc.

11
Structure of an Email
Received From username1_at_cse.msstate.edu To
username2_at_cse.msstate.edu Cc Subject
Date Message
Header
12
A Received line for every server
Received From username1_at_cse.msstate.edu To
username2_at_cse.msstate.edu Cc Subject
Date Message
Received
Received
Received
13
Ive never seen these so called Received lines.

• Most email programs hide this header information
• Look for a message source or view entire
  header option
• If you cant find it do some online research
• www.spamcop.net
• https//hdc.tamu.edu/reference/documentation

14
Things to think about..

• Always base your findings on the IP address not
  the hostname.
• False Received lines can be added before the
  email is sent.
• Be aware people can hack into machines to send
  email from them.

15
Some more things to think about

• Dont forget DHCP. Its important to include
  dates and times when requesting information from
  an ISP.
• Viruses sometimes spread by emailing themselves
  out without the user being aware.

16
Anonymous Re-mailers
Anon-To final_at_recIPient.com
Subject MESSAGE
17
Are you awake?

• ping DOS or Unix based command that
  queries servers to see if they are awake.

18
DNS

• nslookup find out who an IP address
  belongs to or what IP address is associated with
  a web address.

19
Follow the path of a packet

• traceroute a ping that lists the servers
  it goes through. Unix command, but there are
  Windows programs that will perform the same
  function.

20
Whos there?

• whois queries databases to find contact
  and registration information on IP or web
  addresses.
• A Unix command, but there are plenty of
  websites that perform the searches for you.

http//ws.arin.net/whois http//www.networksolutio
ns.com/whois/
21
Preservation (Freeze) Order

• 18 USC Sec. 2703(f)
• http//uscode.house.gov/usc.htm

• (f) Requirement to Preserve Evidence.
• In general. - A provider of wire or electronic
  communication services or a remote computing
  service, upon the request of a governmental
  entity, shall take all necessary steps to
  preserve records and other evidence in its
  possession pending the issuance of a court order
  or other process.

22
Freeze Order cont..
(2) Period of retention. - Records referred to in
paragraph (1) shall be retained for a period of
90 days, which shall be extended for an
additional 90-day period upon a renewed request
by the governmental entity.
23
Dangers of a freeze order!!!

• ISP may attempt to notify the target about your
  actions.
• The ISP may terminate the account.

24
Finally ISP contact list
http//www.forensicsweb.com
25
Putting it all together

• Gather emails and print out headers
• Compare headers to see if they contain different
  originating IPs
• Check email header for spoofing
• Trace IP(s) back to their source to discover what
  ISP the suspect is using
• Subpoena yahoo, hotmail, or other for user
  information
• Subpoena ISP for user information
• Make sure to include all the information you have
  on the user including the email account, IP,
  time, and date.

26
Questions?