2. Introduction
• E-mail is an Internet application for the communication of messages,
delivery of documents and carrying out of transactions, and it is used not only
from computers but from many other electronic gadgets such as mobile phones.
• E-mail protocols have been secured through several security extensions
and procedures; however, cybercriminals continue to misuse e-mail for
illegitimate purposes by sending spam, phishing e-mails, distributing child
pornography and hate e-mails, besides propagating viruses, worms and
Trojan horses.
• E-mail forensic analysis is used to study the source and
content of an e-mail message as evidence, identifying the actual sender,
recipient, and the date and time it was sent, etc., in order to collect credible evidence to
take action against a criminal.
4. • MUA (Mail User Agent):
▫ aMUA creates messages and performs initial submission
via the Mail Submission Agent (MSA)
▫ rMUA processes received mail, which includes displaying and
disposing of the received message and closing or expanding
the user communication loop by initiating replies and
forwarding new messages
• Message/Mail Store (MS):
▫ Long-term message store for the MUA, which can be located on
a remote server or on the machine running the MUA
▫ The MUA accesses the MS either by a local mechanism or
by using POP or IMAP.
5. • Mail Submission Agent (MSA):
▫ Accepts the message submitted by the aMUA for posting.
▫ Adds header fields such as Date and Message-ID and
expands an address to its formal Internet Mail Format
(IMF) representation. The hMSA is responsible for
transiting the message to the MTA.
• Message/Mail Transfer Agent (MTA):
▫ MTA nodes are in effect postal sorting agents that have the
responsibility of retrieving the relevant Mail eXchange
(MX) record from the DNS server for each e-mail to be
sent, and thus map the distinct e-mail addressee's domain
name to the relevant IP address information
▫ A receiving MTA can also perform the operation of
delivering the e-mail message to the respective mailbox of the
receiver on the mail server, and is thus also called a Mail
Delivery Agent (MDA).
6. • Message/Mail Delivery Agent (MDA):
▫ Both hMDA and rMDA are responsible for accepting the message
for delivery to distinct addresses.
▫ hMDA functions as an SMTP server engine and rMDA performs
the delivery action
• Relays:
▫ Nodes that perform e-mail relaying. Relaying is the process of
receiving an e-mail message from one SMTP e-mail node and
forwarding it to another one.
• Gateway:
▫ Gateway nodes are used to convert e-mail messages from one
application-layer protocol to another
• Web Server (WebServ):
▫ These nodes are the e-mail Web servers that provide the Web
environment to compose, send and read an e-mail message.
• Mail Server (MailServ):
▫ They represent e-mail servers providing users a mail access service using
the IMAP or POP3 protocols.
7. E-mail Client attacks
• Malware Distribution:
Hackers with malicious intent can exploit your email
client by distributing malware through email
messages.
• Phishing Attack:
A phishing attack is generally not hazardous to the
inner workings of your PC; however, it is designed to
trick you into revealing your personal information,
passwords, or bank account information.
8. Contd..
• Spam Attack:
Spam is unsolicited email or "junk" mail that you
receive in your Inbox. Spam generally contains
advertisements but it can also contain malicious
files.
• Denial of Service Attack:
A denial of service attack occurs when the hacker
sends multitudes of email messages to your email
client in an effort to block you from using your email
client or to crash your computer altogether.
9. E-mail Forensic Investigation Techniques
• Header Analysis
Metadata in the e-mail message, in the form of control
information, i.e. the envelope and headers (including headers in
the message body), contains information about the sender
and/or the path along which the message has traversed. Some
of these may be spoofed to conceal the identity of the sender.
A detailed analysis of these headers and their correlation is
performed in header analysis.
• Server Investigation
In this investigation, copies of delivered e-mails and server
logs are examined to identify the source of an e-mail message.
E-mails purged from the clients (senders or receivers), whose
recovery is impossible, may be requested from servers (ISPs), as
most of them store a copy of all e-mails after their delivery.
10. Contd..
• Network Device Investigation
Logs maintained by network devices such as routers,
firewalls and switches are used to investigate the source of an
e-mail message. This form of investigation is complex and is
used only when the logs of servers (ISPs) are unavailable for
some reason, e.g. when the ISP or proxy does not maintain a
log, when the ISP does not cooperate, or when the chain of
evidence was not maintained.
11. E-mail Forensics Tools
• EmailTracer
▫ Traces the originating IP address and other details from the e-mail
header, generates a detailed HTML report of the e-mail header analysis,
finds the city-level details of the sender, plots the route traced by the mail
and displays the originating geographic location of the e-mail.
• Aid4Mail Forensic
▫ A conversion tool that supports various mail formats, including
Outlook (PST, MSG files), Windows Live Mail, Thunderbird,
Eudora, and mbox.
▫ It can search mail by date, header content, and by message body
content. Mail folders and files can be processed even when
disconnected (unmounted) from their email client including those
stored on CD, DVD, and USB drives.
▫ Aid4Mail Forensic can search PST files and all supported mail
formats, by date range and by keywords in the message body or in
the headers. Special Boolean operations are supported. It is able to
process unpurged (deleted) e-mail from mbox files and can restore
unpurged e-mail during exportation.
12. Preeti Mishra, Emmanuel S. Pilli and R.
C. Joshi, "Forensic Analysis of E-mail
Date and Time Spoofing"
Overview
• To detect E-mail date and time spoofing
• Forensic analysis by reading header information
and analysing the fields related to date and time.
• If the sent date and sent time differ from the
received date and received time by more than some
predefined margin, the E-mail has been spoofed.
13. Contd..
• The E-mail header is the envelope of the E-mail,
containing such information as: sender's E-mail
address, receiver's E-mail address, subject, time of
creation, delivery stamps, message author, cc, bcc, etc.
• The date field in a spoofed E-mail header may contain
a date which is ahead of or before the actual date it was
sent, or the attacker may change the time at which the message
appears to have been sent.
• The time field of the Date: header can also be manipulated by an
attacker to make the E-mail message appear to have been sent at a
time different from the actual time. This may produce
a misleading result, specifically for those receivers whose
servers' mails are sorted according to sending date and
time.
14. Technique
• Calculates the threshold or margin, which is the
usual time taken to receive an E-mail (the maximum
of the differences between the sending time
and the last server time).
• This margin is used to detect E-mail date and
time spoofing in an E-mail.
• All the date and time fields are converted to UTC
(Coordinated Universal Time) before
comparing their differences with the margin.
16. Algorithm to calculate margin
• Takes as input a normal E-mail header file and a margin file
(which initially contains zero as the initial margin value).
• Extracts three fields:
▫ the Date: field (containing the sending date / time / UTC offset),
▫ the last Received: field from the top (containing the first server's E-mail
receiving date / time / UTC offset),
▫ the first Received: field from the top (containing the last server's E-mail
receiving date / time / UTC offset).
• Converts the above three fields into the UTC time zone so that the
values are uniform across various servers.
• Finds the difference between the sending time and the last
server's E-mail receiving time.
• If the difference is greater than the margin, it writes the difference
to the margin file.
• Each time a new E-mail header is processed, the difference
between the sending time and the first server time is calculated and
compared with the margin. If the difference is greater than the
margin, the margin is updated.
17. Three cases for any E-mail which is delivered to
the recipient:
(1) the E-mail is not delivered on the same date as it was
sent,
(2) the E-mail is delivered on the same date but with a
large variation in time, and
(3) the E-mail is delivered on the same date and time
(within an acceptable margin).
20. Detection of spoofing
• Checks the semantics of the date and time fields in the E-mail header. It
generates an error message if the semantics are improper (if the
hacker could not set the semantics in his or her mail client program)
and proceeds further otherwise.
• Checks whether sending_date and lastser_date are the same.
▫ If the dates are the same, it checks whether the difference between
sending_time and lastser_time is less than the set margin or threshold.
▫ If the difference is less than the margin threshold, then the E-mail is
found to be legitimate (case 3); otherwise it is spoofed in time (case 2).
• If the dates are not the same, the algorithm checks whether
sending_date and firstser_date are the same.
▫ If they are the same, the E-mail is not date spoofed, but may have been
delayed because of a server breakdown or overload on some
intermediate servers relaying the E-mail (case 3).
▫ If sending_date and firstser_date are not the same, then the E-mail is
date spoofed (case 1).
• If the first SMTP server is temporarily unavailable, an E-mail
sending error will occur.
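As an added example (not the paper's code and not part of the original slides), the following Python implements both the margin-calculation algorithm (slide 16) and the detection rules (slide 20) above, using the standard library's header parser and a constructed relay trace; the names `sample`, `extract_times`, `update_margin` and `classify` and all timestamps are assumptions made here.

```python
import email
from email import policy
from email.utils import parsedate_to_datetime
from datetime import timedelta, timezone

# Constructed relay trace (not from the paper). Received: lines are prepended as the
# message travels, so the LAST one is the first server and the FIRST one is the last.
RECEIVED = (
    "Received: from mx2.example.net by mail.example.org; Mon, 5 Mar 2012 10:02:30 +0000\n"
    "Received: from mx1.example.com by mx2.example.net; Mon, 5 Mar 2012 10:02:05 +0000\n"
    "Received: from client.example.com by mx1.example.com; Mon, 5 Mar 2012 15:31:40 +0530\n"
)

def sample(date_value):
    """Constructed header: the fixed relay trace above plus a chosen Date: value."""
    return RECEIVED + f"Date: {date_value}\nFrom: a@example.com\nTo: b@example.org\n\nbody\n"

def _utc(header_value):
    """Parse the timestamp after the last ';' of a header value and normalise it to UTC."""
    stamp = parsedate_to_datetime(str(header_value).rsplit(";", 1)[-1].strip())
    if stamp.tzinfo is None:  # a "-0000" offset parses as naive; treat it as UTC
        stamp = stamp.replace(tzinfo=timezone.utc)
    return stamp.astimezone(timezone.utc)

def extract_times(raw):
    """Return (sending, first_server, last_server) times in UTC. Missing or unparsable
    fields raise an error, which corresponds to the paper's 'improper semantics' case."""
    msg = email.message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    if msg["Date"] is None or not received:
        raise ValueError("header lacks Date: or Received: fields")
    return _utc(msg["Date"]), _utc(received[-1]), _utc(received[0])

def update_margin(raw, margin=timedelta(0)):
    """Margin-learning step over a known-good header: keep the largest
    sending-time to last-server delay seen so far (the margin file starts at zero)."""
    sending, _first, last = extract_times(raw)
    return max(margin, last - sending)

def classify(raw, margin):
    """Apply the detection rules of slide 20 and return (case number, verdict)."""
    sending, first, last = extract_times(raw)
    if sending.date() == last.date():
        if abs(last - sending) < margin:
            return 3, "legitimate"
        return 2, "time spoofed"
    if sending.date() == first.date():
        return 3, "delayed in transit, not date spoofed"
    return 1, "date spoofed"
```

Learning the margin from the constructed legitimate header gives 80 seconds; a Date: eight hours earlier on the same day is then reported as time spoofed, and a Date: three days earlier as date spoofed.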
21. References
[1] Preeti Mishra, Emmanuel S. Pilli and R. C. Joshi, "Forensic Analysis of E-mail Date and Time Spoofing", 2012 Third International Conference on Computer and Communication Technology.
[2] M. Tariq Banday, "Techniques and Tools for Forensic Investigation of E-mail", International Journal of Network Security & Its Applications (IJNSA), Vol. 3, No. 6, November 2011.
[3] http://www.spamlaws.com/different-types-email-exploits.html