Intro to Cyber Crime and Computer Forensics CSE 4273/6273 November 9, 2009 - PowerPoint PPT Presentation
Intro to Cyber Crime and Computer Forensics CSE
4273/6273 November 9, 2009
MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF
COMPUTER SCIENCE
Information we can gather from emails.
  • To and from information
  • Computer name
  • IP address
  • ISP
  • Client used
  • Time zone

Two different ways to get email.
  • Email client: Outlook, Thunderbird, Eudora, Pine, etc.
    • Uses the Simple Mail Transfer Protocol (SMTP) to hand outgoing
      mail to the user's mail server (here mail.msstate.edu), and POP
      or IMAP to pull incoming mail from it
    • The user's own machine talks to the SMTP server, so its IP
      address is what the first Received line records
  • Web-mail: Gmail, Hotmail, Yahoo!, etc.
    • HTTP interface to a web application that uses SMTP behind the
      scenes
    • The client machine never communicates directly with the SMTP
      server; the web-mail host does, so the first Received line
      records the provider's server, not the user's PC (some
      providers add a separate header with the browser's IP, but
      none is required to)

Email Address
  • UserName@mail.server.com
    • UserName: id of the user you wish to contact
    • mail.server.com: name of the mail server (domain) that receives
      that user's mail
  • Example: dampier@cse.msstate.edu
SMTP
  • Simple Mail Transfer Protocol
  • Standardized in 1982 (RFC 821) and in wide use since the early
    1980s
  • Simple text-based protocol: the client sends one command per
    line, the server answers with a three-digit reply code
  • Used by clients to submit mail and by email servers to transfer
    it to one another

Sample E-Mail
  • Bob (bob@example.com) composes a message for Alice, at
    alice@example.org
  • Bob's E-mail client is configured to use mail.example.com as an
    SMTP server
  • Message is first sent from Bob's PC to mail.example.com via SMTP

  Diagram: Bob's PC --SMTP--> mail.example.com --SMTP (Internet)-->
  mail.example.org --POP--> Alice's PC
Sample E-Mail
  • mail.example.com accepts this message for delivery and notes that
    the recipient is a user at example.org
  • Therefore, the message must be relayed to a mail server that can
    deliver it to the correct user (the server that DNS names as the
    mail exchanger for example.org)

Sample E-Mail
  • The mail is relayed from mail.example.com to mail.example.org
    using SMTP; each server that accepts it adds a Received line at
    the top of the message

Sample E-Mail
  • Finally, Alice can use her E-Mail program to receive the E-Mail
    from mail.example.org using POP (or IMAP)

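The four-step exchange above, written out as the actual SMTP dialogue. This is an added example, not code from the original slides: a toy receiving server (playing mail.example.org) processes the commands mail.example.com sends when it relays Bob's message, refuses a recipient it is not responsible for, and prepends its own Received line on top of the one mail.example.com already added. The host and user names are the slides' own; the IP addresses (203.0.113.10 for the relay, 198.51.100.23 for Bob's PC), the timestamps and the message text are constructed sample values.

```python
"""Toy SMTP receiving side for the Bob -> Alice exchange above.
Added example, not code from the slides. The dialogue is standard SMTP
(RFC 5321); host and user names are the slides' own, while the IPs,
timestamps and message text are constructed sample values."""
from email.utils import formatdate

class ToySmtpServer:
    """Minimal SMTP server state machine for a single inbound connection."""

    def __init__(self, hostname, local_domains, peer_ip, now):
        self.hostname = hostname            # name written after 'by'
        self.local_domains = local_domains  # domains delivered locally
        self.peer_ip = peer_ip              # IP observed on the TCP socket
        self.now = now                      # epoch seconds for the timestamp
        self.helo = None
        self.rcpts = []
        self.in_data = False
        self.data = []
        self.delivered = []                 # (recipient, message text)

    def handle(self, line):
        """Process one client line; return the reply, or None inside DATA."""
        if self.in_data:
            if line == ".":                 # end of message
                self.in_data = False
                msg = self._received_line() + "\n".join(self.data) + "\n"
                self.delivered.extend((r, msg) for r in self.rcpts)
                self.rcpts, self.data = [], []
                return "250 OK: queued"
            # dot-stuffing: a line sent as '..x' carried a literal '.x'
            self.data.append(line[1:] if line.startswith("..") else line)
            return None
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd in ("HELO", "EHLO"):
            self.helo = arg.strip()
            return f"250 {self.hostname} Hello {self.helo} [{self.peer_ip}]"
        if cmd == "MAIL":
            return "250 OK"
        if cmd == "RCPT":
            rcpt = arg.split(":", 1)[1].strip().strip("<>")
            if rcpt.rpartition("@")[2].lower() not in self.local_domains:
                return "550 relay denied"   # refuse to be an open relay
            self.rcpts.append(rcpt)
            return "250 OK"
        if cmd == "DATA":
            if not self.rcpts:
                return "503 need RCPT first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if cmd == "QUIT":
            return f"221 {self.hostname} closing"
        return "500 unrecognized command"

    def _received_line(self):
        """Trace header prepended on acceptance. 'from' is the name the client
        claimed in HELO; the bracketed address is what this server saw on the
        socket. Forensics should rely on the bracketed IP, not the name."""
        return (f"Received: from {self.helo} ([{self.peer_ip}])\n"
                f"\tby {self.hostname} with SMTP; {formatdate(self.now)}\n")

def run_session(server, client_lines):
    """Feed scripted client lines to the server; return (line, reply) pairs."""
    return [(line, server.handle(line)) for line in client_lines]

# Constructed session: mail.example.com relays Bob's message to
# mail.example.org. It connects from 203.0.113.10 and the message already
# carries the Received line it added when Bob's PC (198.51.100.23) submitted it.
RELAY_SESSION = [
    "EHLO mail.example.com",
    "MAIL FROM:<bob@example.com>",
    "RCPT TO:<alice@example.org>",
    "RCPT TO:<carol@example.net>",       # not a local domain: must be refused
    "DATA",
    "Received: from bobs-pc ([198.51.100.23])",
    "\tby mail.example.com with SMTP; Sun, 08 Nov 2009 23:59:50 -0000",
    "From: bob@example.com",
    "To: alice@example.org",
    "Subject: lunch?",
    "",
    "..hidden",                          # dot-stuffed: the body line is '.hidden'
    "Noon at the usual place.",
    ".",
    "QUIT",
]

def deliver_sample():
    """Run the constructed session; return (transcript, delivered messages)."""
    srv = ToySmtpServer("mail.example.org", {"example.org"},
                        peer_ip="203.0.113.10", now=1257724800)  # 2009-11-09 UTC
    return run_session(srv, RELAY_SESSION), srv.delivered

if __name__ == "__main__":
    transcript, delivered = deliver_sample()
    print(*(f"C: {s}\nS: {r}" if r else f"C: {s}" for s, r in transcript), sep="\n")
    print(delivered[0][1])
```

The server writes mail.example.com into its Received line only because the client said so in EHLO; the bracketed 203.0.113.10 is the address the server itself observed on the connection. That difference is why the later slides say to base findings on the IP, not the hostname. Note also that the delivered message now carries two Received lines, the newest on top.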
In Reality it Gets More Complicated
  • From a user at yahoo to a user at cse.msstate.edu (relayed through
    4 servers!):
    • web35303.mail.mud.yahoo.com
    • canit01.its.msstate.edu
    • sav06.its.msstate.edu
    • cse.msstate.edu
  • Spam/virus scanning, load balancing, etc. each add a hop, and
    every hop adds its own Received line

Structure of an Email
  Header:
    Received: ...
    From: username1@cse.msstate.edu
    To: username2@cse.msstate.edu
    Cc:
    Subject:
    Date:
  Message (body)

A Received line for every server
  Header:
    Received: ...   (added by the last server, nearest the recipient)
    Received: ...
    Received: ...   (added by the first server, nearest the sender)
    From: username1@cse.msstate.edu
    To: username2@cse.msstate.edu
    Cc:
    Subject:
    Date:
  Message (body)
I've never seen these so-called Received lines.
  • Most email programs hide this header information
  • Look for a "message source" or "view entire header" option
  • If you can't find it, do some online research
  • www.spamcop.net
  • https://hdc.tamu.edu/reference/documentation

Things to think about...
  • Always base your findings on the IP address, not the hostname.
    The name after "from" in a Received line is whatever the sending
    machine announced in its HELO; the address in brackets is what the
    receiving server actually saw on the connection.
  • False Received lines can be added before the email is sent. Only
    the lines added by servers you trust are reliable: read the chain
    from the top (most recent) down and stop trusting it where the
    hops no longer link up.
  • Be aware people can hack into machines to send email from them,
    so an originating IP identifies a machine, not necessarily the
    person who typed the message.

Some more things to think about
  • Don't forget DHCP. The same IP address is handed to different
    customers over time, so it is important to include dates, times
    and the time zone when requesting information from an ISP.
  • Viruses sometimes spread by emailing themselves out without the
    user being aware.

Anonymous Re-mailers
  • The message is sent to the remailer with the real destination in
    an Anon-To header; the remailer strips the headers that identify
    the sender and forwards the message:

    Anon-To: final@recipient.com
    Subject: MESSAGE
Are you awake?
  • ping: DOS/Windows or Unix command that sends ICMP echo requests
    to a host to see if it is up and reachable. A host or firewall
    that drops ICMP will look down even when it is awake.

DNS
  • nslookup: find out what IP address a hostname resolves to, or
    what hostname is registered for an IP address (a reverse lookup).
    It does not tell you who owns an address; that is what whois is
    for.

Follow the path of a packet
  • traceroute: like ping, but lists every router the packets pass
    through on the way to the target. Unix command; Windows ships
    the same function as tracert.

Who's there?
  • whois: queries the registry databases to find contact and
    registration information on IP address blocks (ARIN, RIPE, etc.)
    or on domain names (the domain's registrar).
  • A Unix command, but there are plenty of websites that perform
    the searches for you.

http://ws.arin.net/whois
http://www.networksolutions.com/whois/
Preservation (Freeze) Order
  • 18 USC Sec. 2703(f)
  • http://uscode.house.gov/usc.htm
  • (f) Requirement to Preserve Evidence.
  • (1) In general. - A provider of wire or electronic communication
    services or a remote computing service, upon the request of a
    governmental entity, shall take all necessary steps to preserve
    records and other evidence in its possession pending the issuance
    of a court order or other process.

Freeze Order cont...
  • (2) Period of retention. - Records referred to in paragraph (1)
    shall be retained for a period of 90 days, which shall be
    extended for an additional 90-day period upon a renewed request
    by the governmental entity.
Dangers of a freeze order!!!
  • ISP may attempt to notify the target about your
    actions.
  • The ISP may terminate the account.

Finally, ISP contact list
  • http://www.forensicsweb.com
Putting it all together
  • Gather emails and print out the full headers
  • Compare headers to see if they contain different originating IPs
  • Check each email header for spoofing (Received lines that do not
    chain together, timestamps out of order)
  • Trace the IP(s) back to their source (whois) to discover what ISP
    the suspect is using
  • Subpoena the web-mail provider (Yahoo!, Hotmail, etc.) for user
    information, including the IP addresses it logged for the account
  • Subpoena the ISP for subscriber information
  • Make sure to include all the information you have on the user,
    including the email account, IP, time, date and time zone.
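The header-reading advice from the Received-line slides and the procedure above, as an added example that is not part of the original slides. It parses every Received line of a message, follows the chain from the trusted top line downward, stops where a line no longer links to the one above it (the tell-tale of a Received line the sender typed in), reports the last routable connecting IP as the originating address, and groups several messages by that address. MSG_A and MSG_B are constructed samples: the host names follow the yahoo-to-msstate path shown earlier, the addresses are from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), and the ISP and attacker host names are invented.

```python
"""Walk and sanity-check the Received: chain of an e-mail header.
Added example, not code from the slides. MSG_A and MSG_B are constructed
samples: host names follow the yahoo -> msstate path shown earlier, IPs are
from the RFC 5737 documentation ranges, the ISP/attacker names are made up."""
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# "from <claimed name> (<rdns> [<ip>]) by <receiving host>"; the parenthesised
# part is optional, and web-mail servers often write "from [ip]" directly.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Non-routable space: a hop from here was inside a LAN and cannot be tied to
# an ISP subscriber, so it is never reported as the origin.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_hop(value):
    """One Received: value -> dict(helo, rdns, ip, by, time), or None."""
    flat = " ".join(value.split())           # unfold continuation lines
    m = HOP_RE.search(flat)
    if not m:
        return None
    ip = IP_RE.search(m.group(0))
    rdns = (m.group("paren") or "").split("[")[0].strip() or None
    when = None
    if ";" in flat:                          # timestamp follows the last ';'
        try:
            when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return {"helo": m.group("helo"), "rdns": rdns, "by": m.group("by"),
            "ip": ip.group(1) if ip else None, "time": when}

def hops(raw):
    """All parsed Received: hops, index 0 = most recent (last server)."""
    received = message_from_string(raw).get_all("Received", [])
    return [h for h in map(parse_hop, received) if h]

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def trace_origin(chain):
    """Follow the chain from the trusted top hop downward. Each hop's 'from'
    name should be the host the next-older hop says it was received 'by';
    the first break is where the sender's own forged lines start, so all
    below it is ignored. Returns (last routable connecting IP, anomalies)."""
    origin, anomalies = None, []
    for i, hop in enumerate(chain):
        if hop["ip"] and not is_internal(hop["ip"]):
            origin = hop["ip"]
        if i + 1 == len(chain):
            break
        older = chain[i + 1]
        if older["by"] not in (hop["helo"], hop["rdns"]):
            anomalies.append(f"line {i + 2} says 'by {older['by']}' but line "
                             f"{i + 1} received from {hop['helo']}: likely forged")
            break
        if hop["time"] and older["time"] and older["time"] > hop["time"]:
            anomalies.append(f"line {i + 2} is stamped later than line {i + 1}")
    return origin, anomalies

def group_by_origin(messages):
    """Origin IP -> subjects, to see whether several e-mails share a source."""
    out = {}
    for raw in messages:
        origin, _ = trace_origin(hops(raw))
        out.setdefault(origin, []).append(message_from_string(raw)["Subject"])
    return out

MSG_A = """\
Received: from sav06.its.msstate.edu (sav06.its.msstate.edu [10.1.2.3])
    by cse.msstate.edu with ESMTP; Mon, 09 Nov 2009 10:02:15 -0600
Received: from canit01.its.msstate.edu (canit01.its.msstate.edu [10.1.2.9])
    by sav06.its.msstate.edu with ESMTP; Mon, 09 Nov 2009 10:02:13 -0600
Received: from web35303.mail.mud.yahoo.com (web35303.mail.mud.yahoo.com [203.0.113.45])
    by canit01.its.msstate.edu with SMTP; Mon, 09 Nov 2009 10:02:12 -0600
Received: from [192.168.1.20] by web35303.mail.mud.yahoo.com via HTTP;
    Mon, 09 Nov 2009 08:02:10 -0800
Subject: meeting

body
"""
# The bottom line of MSG_B was typed by the sender: the host it names never
# handled the message and it does not link to the line above it.
MSG_B = """\
Received: from smtp.isp.example (smtp.isp.example [203.0.113.9])
    by cse.msstate.edu with ESMTP; Mon, 09 Nov 2009 14:30:05 -0600
Received: from attacker-pc (unknown [198.51.100.77])
    by smtp.isp.example with ESMTP; Mon, 09 Nov 2009 14:30:01 -0600
Received: from mail.innocent.example (mail.innocent.example [192.0.2.200])
    by some.other.host with ESMTP; Mon, 09 Nov 2009 14:29:00 -0600
Subject: threat

body
"""
```

For MSG_A the origin comes out as 203.0.113.45, the yahoo web server, and the bottom hop shows a private address over HTTP: that is the web-mail case, and the next step is a subpoena to the provider for the IP it logged for the account. For MSG_B the chain breaks under line 2, so the origin is 198.51.100.77 rather than the innocent host named in the forged bottom line. The link check only catches forgeries that are sloppy about hop names; a careful forger can write consistent-looking lines, so treat the result as a lead and corroborate it against the logs of the server you control (the top "by" host).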

Questions?