
Intro to Cyber Crime and Computer Forensics CSE 4273/6273 April 15, 2013



  1. Intro to Cyber Crime and Computer Forensics CSE 4273/6273 April 15, 2013 MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

  2. Information we can gather from emails.
  • To and from information
  • Computer name
  • IP address
  • ISP
  • Client used
  • Time zone

  3. Two different ways to get email.
  • Email client: Outlook, Thunderbird, Eudora, Pine, etc. Uses the Simple Mail Transfer Protocol (SMTP) to hand the message to the user's e-mail server (here: mail.msstate.edu), so that server's "Received" line records the user's own machine.
  • Web-mail: Gmail, Hotmail, Yahoo!, etc. An HTTP interface to a web application that uses SMTP behind the scenes. The client machine never communicates directly with the SMTP server, so the first "Received" line names the provider's web server rather than the user's PC; some providers record the browser's address in a separate header instead.

  4. Email Address
  UserName@mail.server.com
  • UserName: id of the user you wish to contact
  • mail.server.com: the recipient's domain. This is not necessarily the name of a machine; the sending server looks up the domain's MX record to find the mail server that accepts mail for it.
  • Example: dampier@cse.msstate.edu

  5. SMTP
  • Simple Mail Transfer Protocol
  • Became popular in the early 1980's (RFC 821, 1982)
  • Simple text based protocol: commands and numeric replies in plain text, easy to read in a packet capture
  • Used by email clients to submit mail and by email servers to transfer it to one another

  6. Sample E-Mail
  [Diagram: Bob's PC --SMTP--> mail.example.com --SMTP (Internet)--> mail.example.org --POP--> Alice's PC]
  • Bob (bob@example.com) composes a message for Alice, at alice@example.org
  • Bob's E-mail client is configured to use mail.example.com as an SMTP server
  • Message is first sent to mail.example.com via SMTP

  7. Sample E-Mail
  • mail.example.com accepts this message for delivery and notes that the recipient is a user at example.org
  • Therefore, the message must be relayed to a mail server that can deliver it to the correct user (found by looking up the MX record for example.org)

  8. Sample E-Mail
  • The mail is relayed from mail.example.com to mail.example.org using SMTP

  9. Sample E-Mail
  • Finally, Alice can use her E-Mail program to receive the E-Mail from mail.example.org using POP

  10. In Reality it Gets More Complicated
  • From a user at yahoo to a user at cse.msstate.edu (relayed through 4 servers!):
  • web35303.mail.mud.yahoo.com
  • canit01.its.msstate.edu
  • sav06.its.msstate.edu
  • cse.msstate.edu
  • Spam/Virus Scanning, Load Balancing, etc. add hops; every one of them writes its own "Received" line, so the header lists each server the message passed through.
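The relay in slides 6 to 10, played out as an added example (this is not code from the slides): a minimal SMTP dialogue between each client and server, where every server prepends its own "Received" line before passing the message on. The hostnames and IP addresses are constructed from documentation ranges, and the "Received" format is a simplified version of what real mail servers write.

```python
"""Added example (not from the slides): a simulated SMTP relay chain.

Each hop records a Received: line at the TOP of the message, so after delivery
the bottom-most Received: line belongs to the first hop (closest to the sender)
and the top-most to the last hop (closest to the recipient).
Hostnames, IPs and the Received: layout are illustrative, not real hosts.
"""
import re
from email.utils import formatdate  # RFC 2822 date; includes the server's UTC offset


class MailHop:
    """One SMTP server. It accepts mail for `local_domains`; anything else is
    relayed only when the connecting client IP is in `relay_for`. A server that
    relays for anyone is an "open relay", which is what spammers look for."""

    def __init__(self, name, ip, local_domains, relay_for=()):
        self.name, self.ip = name, ip
        self.local_domains = set(local_domains)
        self.relay_for = set(relay_for)

    def session(self, client_helo, client_ip, mail_from, rcpt_to, message):
        """Run the SMTP dialogue. Returns (transcript, stamped_message);
        stamped_message is None when the server refuses the recipient."""
        t = []
        c = lambda line: t.append("C: " + line)   # client side
        s = lambda line: t.append("S: " + line)   # server side
        s(f"220 {self.name} ESMTP")
        c(f"EHLO {client_helo}")
        s(f"250 {self.name} Hello {client_helo} [{client_ip}]")
        c(f"MAIL FROM:<{mail_from}>"); s("250 OK")
        c(f"RCPT TO:<{rcpt_to}>")
        rcpt_domain = rcpt_to.rsplit("@", 1)[-1]
        if rcpt_domain not in self.local_domains and client_ip not in self.relay_for:
            s("554 5.7.1 Relay access denied")       # not an open relay
            c("QUIT"); s("221 Bye")
            return t, None
        s("250 OK")
        c("DATA"); s("354 End data with <CR><LF>.<CR><LF>")
        # The server writes what the client CLAIMED in EHLO, and in brackets the
        # IP it actually saw on the TCP connection. The date is the server's clock.
        received = (f"Received: from {client_helo} ([{client_ip}])\n"
                    f"\tby {self.name} with ESMTP\n"
                    f"\tfor <{rcpt_to}>; {formatdate(localtime=True)}")
        c("<message text>"); c("."); s("250 OK: queued")
        c("QUIT"); s("221 Bye")
        return t, received + "\n" + message


def relay_chain(message, mail_from, rcpt_to, sender_helo, sender_ip, hops):
    """Push one message through the hops in order, as mail.example.com ->
    mail.example.org in the slides. Each hop connects to the next hop using
    its own name and IP as the client identity."""
    transcripts = []
    helo, ip = sender_helo, sender_ip
    for hop in hops:
        transcript, message = hop.session(helo, ip, mail_from, rcpt_to, message)
        transcripts.append(transcript)
        if message is None:
            break
        helo, ip = hop.name, hop.ip
    return transcripts, message


def received_lines(message):
    """(claimed name, seen IP, stamping server) per Received: line, top first."""
    return re.findall(r"^Received: from (\S+) \(\[([\d.]+)\]\)\n\tby (\S+)", message, re.M)


if __name__ == "__main__":
    bob_isp = MailHop("mail.example.com", "198.51.100.5", ["example.com"], relay_for=["192.0.2.10"])
    alice_isp = MailHop("mail.example.org", "203.0.113.25", ["example.org"])
    transcripts, delivered = relay_chain("Subject: hi\n\nhello", "bob@example.com",
                                         "alice@example.org", "bobs-pc", "192.0.2.10",
                                         [bob_isp, alice_isp])
    for t in transcripts:
        print("\n".join(t), "\n")
    print(delivered)
```

Reading the delivered message from the bottom up gives the path Bob's PC -> mail.example.com -> mail.example.org, which is exactly the order a forensic examiner reconstructs from a real header. The relay refusal shows why a compromised or misconfigured open relay matters: it would happily stamp and forward mail for anyone, and its "Received" line would then be the only trustworthy pointer back to the real sender.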

  11. Structure of an Email
  Message Header:
  Received:
  From: username1@cse.msstate.edu
  To: username2@cse.msstate.edu
  Cc:
  Subject:
  Date:
  Message (body)

  12. A "Received" line for every server
  Received:
  Received:
  Received:
  Received:
  From: username1@cse.msstate.edu
  To: username2@cse.msstate.edu
  Cc:
  Subject:
  Date:
  Message (body)
  Each server adds its line at the top, so read them from the bottom up: the bottom line was written by the first server to handle the message (closest to the sender) and the top line by the server that delivered it to the recipient.

  13. I've never seen these so called "Received" lines.
  • Most email programs hide this header information
  • Look for a "message source" or "view entire header" option
  • If you can't find it do some online research
  • www.spamcop.net
  • https://hdc.tamu.edu/reference/documentation

  14. Things to think about..
  • Always base your findings on the IP address, not the hostname. The hostname in a "Received" line is whatever the sending machine announced in its HELO/EHLO command; the IP address in brackets is the address the receiving server actually saw on the connection.
  • False "Received" lines can be added before the email is sent. Only lines written by servers you trust (for example the recipient's own) are reliable; a line that does not chain to them, and everything below it, is suspect.
  • Be aware people can hack into machines to send email from them, so the originating IP identifies a machine, not necessarily the suspect.

  15. Some more things to think about
  • Don't forget DHCP. The IP address in a "Received" line may have been leased to a different customer an hour later, so it's important to include dates, times, and the time zone when requesting information from an ISP.
  • Viruses sometimes spread by emailing themselves out without the user being aware.

  16. Anonymous Re-mailers (http://cypherpunks.faithweb.com)
  The remailer strips the sender's headers and forwards the message to the address given inside the message itself, so the "Received" chain only leads back to the remailer:
  ::
  Anon-To: final@recipient.com

  ##
  Subject: MESSAGE

  17. Are you awake? "ping" – DOS or Unix based command that sends ICMP echo requests to see if a host is "awake." No reply does not prove the host is down: many hosts and firewalls drop ICMP.

  18. DNS "nslookup" – look up the IP address for a hostname, or the hostname (PTR record) registered for an IP address. It gives you a name, not an owner; use whois for ownership.

  19. Follow the path of a packet "traceroute" – lists the routers a packet passes through on the way to the target (by sending probes with increasing TTL values). A Unix command; Windows has tracert and other programs that perform the same function.

  20. Who's there? "whois" – queries databases to find contact and registration information on IP or web addresses. For identifying the ISP behind an originating IP, query the IP address, not the domain. A Unix command, but there are plenty of websites that perform the searches for you. http://ws.arin.net/whois http://www.networksolutions.com/whois/

  21. Preservation ("Freeze") Order
  • 18 USC Sec. 2703(f)
  • http://uscode.house.gov/usc.htm
  • (f) Requirement to Preserve Evidence. – (1) In general. – A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

  22. Freeze Order cont.. (2) Period of retention. - Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90-day period upon a renewed request by the governmental entity.

  23. Dangers of a freeze order!!! • ISP may attempt to notify the target about your actions. • The ISP may terminate the account.

  24. Finally ISP contact list http://www.forensicsweb.com

  25. Putting it all together
  • Gather emails and print out headers
  • Compare headers to see if they contain different originating IPs
  • Check email headers for spoofing (forged "Received" lines, hostnames that don't match the bracketed IP)
  • Trace the IP(s) back to their source to discover what ISP the suspect is using
  • Subpoena yahoo, hotmail, or other for user information
  • Subpoena the ISP for user information
  • Make sure to include all the information you have on the user including the email account, IP, time, date, and time zone.
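The header work in slides 12 to 15 and steps 1 to 4 of slide 25, as an added example that is not part of the original slides: parse every "Received" line, walk the chain from the bottom up, flag a line that does not connect to the one above it (a forged line added before sending) and a claimed name that disagrees with the reverse DNS of the IP the server saw, then report the originating IP together with its timestamp converted to UTC for the ISP request. The sample header is constructed for this example; its hostnames and addresses come from documentation ranges and the third "Received" line is a deliberate forgery.

```python
"""Added example (not from the slides): walking the Received: chain of an
e-mail header to find the originating IP and the timestamp an ISP will need.
The header below is constructed for illustration; hosts and IPs are
documentation values, and the bottom Received: line is a deliberate forgery."""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Typical sendmail/Postfix stamp: from <HELO name> (<reverse DNS> [<IP>]) by <server> ...; <date>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                        # name the client CLAIMED
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[\d.]+)\]\))?"  # what the server actually SAW
    r".*?\bby\s+(?P<by>\S+)"                                       # server that wrote the line
    r".*?;\s*(?P<date>.+)$")

SAMPLE_HEADERS = """\
Received: from mail.example.com (mail.example.com [198.51.100.5])
    by mail.example.org with ESMTP id abc123
    for <alice@example.org>; Mon, 15 Apr 2013 14:03:11 -0500
Received: from bobs-pc (cpe-192-0-2-10.isp.example [192.0.2.10])
    by mail.example.com with ESMTP
    for <alice@example.org>; Mon, 15 Apr 2013 14:03:02 -0500
Received: from innocent.example.net (innocent.example.net [203.0.113.9])
    by relay.example.net with SMTP; Mon, 15 Apr 2013 13:59:40 -0500
From: bob@example.com
To: alice@example.org
Subject: test
Date: Mon, 15 Apr 2013 14:02:55 -0500
"""


def parse_received(raw_headers):
    """One dict per Received: line, top of message first (i.e. last hop first)."""
    msg = message_from_string(raw_headers)        # unfolds continuation lines for us
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))
        if not m:
            hops.append({"raw": value})
            continue
        hop = m.groupdict()
        # Normalise to UTC: the ISP's DHCP logs and this server's clock may sit in different zones.
        hop["utc"] = parsedate_to_datetime(hop["date"]).astimezone(timezone.utc)
        hops.append(hop)
    return hops


def chain_findings(hops):
    """The checks from slide 14: is the chain continuous, and does the claimed
    name agree with the reverse DNS of the IP the server saw?"""
    chain = [h for h in reversed(hops) if h.get("ip")]   # sender-first order
    findings = []
    for below, above in zip(chain, chain[1:]):
        # The server that wrote `above` names the host that connected to it; that
        # host should be the one that wrote `below`. A mismatch means `below` was
        # not written by this chain, e.g. it was forged before the mail was sent.
        if above["helo"] != below["by"]:
            findings.append(f"chain break: {above['by']} received the mail from "
                            f"{above['helo']} [{above['ip']}], not from {below['by']}; "
                            f"the line by {below['by']} is untrusted")
    for h in chain:
        if h["rdns"] and h["rdns"] != h["helo"]:
            findings.append(f"HELO name {h['helo']} != reverse DNS {h['rdns']} for "
                            f"[{h['ip']}] (normal for a home PC; rely on the IP, not the name)")
    return findings


def trusted_origin(hops):
    """Earliest Received: line that still connects to the delivering server's own
    stamp. Its bracketed IP and UTC time are what goes into the ISP request."""
    chain = [h for h in reversed(hops) if h.get("ip")]
    start = 0
    for i in range(1, len(chain)):
        if chain[i]["helo"] != chain[i - 1]["by"]:
            start = i                             # discard everything below a break
    h = chain[start]
    return {"ip": h["ip"], "claimed_name": h["helo"], "rdns": h["rdns"],
            "utc": h["utc"], "header_time": h["date"]}


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for f in chain_findings(hops):
        print("-", f)
    print("ISP request:", trusted_origin(hops))
```

On the sample header this discards the forged relay.example.net line, names 192.0.2.10 at 19:03:02 UTC as the origin, and notes that "bobs-pc" does not match the ISP's reverse DNS. The continuity check is a heuristic, not proof: a careful forger can write a fake line whose "by" host matches the name they will announce in HELO, so the only lines you can fully vouch for are those written by servers you control or trust, which is why slide 14 says to anchor every finding on the bracketed IP and not on any name in the header.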

  26. Questions?
