E-mail Forensics
Presented By,
Tania Ronald Mendonca
01FM15ECS039
M.Tech- 3rd Semester
Introduction
• E-mail is an Internet application for exchanging messages, delivering documents and carrying out transactions, and it is used not only from computers but from many other devices such as mobile phones.
• E-mail protocols have been hardened with several security extensions and procedures; nevertheless, cybercriminals continue to misuse e-mail for spam, phishing, distribution of child pornography and hate mail, and for propagating viruses, worms and Trojan horses.
• E-mail forensic analysis studies the source and content of an e-mail message as evidence: identifying the actual sender and recipient, the date and time it was sent, and so on, in order to collect credible evidence on which action can be taken against the offender.
E-mail Architecture
• MUA (Mail User Agent):
▫ The author MUA (aMUA) creates messages and performs the initial submission via a Mail Submission Agent (MSA).
▫ The recipient MUA (rMUA) processes received mail: displaying and disposing of the received message, and closing or extending the communication loop by replying and forwarding.
• Message/Mail Store (MS):
▫ Long-term message store for the MUA, located either on a remote server or on the machine running the MUA.
▫ The MUA accesses the MS either by a local mechanism or over POP or IMAP.
• Mail Submission Agent (MSA):
▫ Accepts the message submitted by the aMUA for posting.
▫ Adds missing header fields such as Date: and Message-ID: and expands addresses to their formal Internet Message Format (IMF) representation. The hMSA (the mail-handling side of the MSA) then transits the message to an MTA. Forensically, the Received: line the MSA prepends is the first record of the message that was not written by the sender.
• Message/Mail Transfer Agent (MTA):
▫ MTA nodes are in effect postal sorting agents: for each e-mail to be sent they retrieve the Mail eXchange (MX) record of the addressee's domain from DNS and so map that domain name to the IP address of the next mail server.
▫ A receiving MTA may also deliver the message into the recipient's mailbox on the mail server, in which case it also acts as a Mail Delivery Agent (MDA).
• Message/Mail Delivery Agent (MDA):
▫ Both the hMDA and the rMDA are responsible for accepting the message for delivery to specific addresses.
▫ The hMDA functions as an SMTP server engine; the rMDA performs the actual delivery action.
• Relays:
▫ Nodes that perform e-mail relaying, i.e. receiving an e-mail message from one SMTP node and forwarding it to another. Each relay prepends its own Received: line, which is what later makes the delivery path reconstructible.
• Gateway:
▫ Gateway nodes convert e-mail messages from one application-layer protocol to another.
• Web Server (WebServ):
▫ E-mail web servers that provide the web environment in which to compose, send and read e-mail messages.
• Mail Server (MailServ):
▫ E-mail servers that give users access to their mailboxes over the IMAP or POP3 protocols.
E-mail Client attacks
• Malware Distribution:
Attackers use the e-mail client as a delivery channel, distributing malware through attachments and links in e-mail messages.
• Phishing Attack:
A phishing attack is generally not hazardous to the inner workings of the PC; instead it is designed to trick the user into revealing personal information, passwords or bank account details.
Contd..
• Spam Attack:
Spam is unsolicited ("junk") e-mail that arrives in the Inbox. It generally carries advertisements, but it can also carry malicious files.
• Denial of Service Attack:
A denial of service attack occurs when the attacker sends a flood of e-mail messages to the victim's mailbox (mail bombing) in an effort to block the use of the e-mail client or to crash the computer altogether.
E-mail Forensic Investigation Techniques
• Header Analysis
Metadata in the e-mail message, in the form of control information (the envelope and the headers, including the headers of the MIME parts in the message body), records information about the sender and/or the path along which the message travelled. Some of these fields (From:, Date:, Message-ID: and any Received: lines the sender inserts) are under the sender's control and may be spoofed to conceal the sender's identity; only the Received: lines prepended by servers the sender does not control can be relied on. Header analysis is the detailed analysis and cross-correlation of these headers.
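The following is an added example, not code from the deck or from either cited paper, of the header analysis just described: it walks the Received: trace of a message from first hop to last, extracts the host, IP and timestamp each server recorded, cross-checks adjacent hops (the "by" host of one hop should be the "from" host of the next, and timestamps should not run backwards) and compares the From: domain with the submitting host. The message is constructed for the example; the hostnames and addresses are placeholders from documentation ranges and the detection rules are ordinary practitioner heuristics rather than anything the deck prescribes.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime, parseaddr

# Constructed sample (not a real capture): a message whose From: claims the
# recipient's own domain but which entered the mail system from an unrelated
# host. Each MTA prepends its own Received: line, so the top line is the last
# hop (nearest the recipient) and the bottom line is the first hop.
RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.20])
\tby mail.example.org with ESMTPS id abc123;
\tMon, 3 Mar 2014 10:15:42 +0000
Received: from relay1.example.net (relay1.example.net [203.0.113.5])
\tby mx2.example.net with ESMTP id def456;
\tMon, 3 Mar 2014 10:15:40 +0000
Received: from mailhost.example.com (unknown [192.0.2.77])
\tby relay1.example.net with SMTP id ghi789;
\tMon, 3 Mar 2014 15:45:30 +0530
From: "CEO" <ceo@example.org>
To: victim@example.org
Subject: Urgent wire transfer
Date: Mon, 3 Mar 2014 15:45:00 +0530
Message-ID: <20140303154500.1234@mailhost.example.com>

Please process the attached invoice today.
"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)",
                    re.IGNORECASE | re.DOTALL)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw_message):
    """Return the relay hops in transit order (first MTA first), each with the
    host it claimed to receive from, the IP the MTA actually saw, the MTA
    itself ('by') and its timestamp normalised to UTC."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())            # unfold the header
        clause, _, stamp = text.rpartition(";")   # timestamp follows the last ';'
        m = HOP_RE.search(clause)
        ip = IP_RE.search(clause)
        hops.append({
            "from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "ip": ip.group(1) if ip else None,
            "time": parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc),
        })
    return hops


def originating_ip(hops):
    """The address the first MTA recorded for the submitting host. It is the
    best lead on the sender, but a sender can forge Received: lines below the
    genuine ones, which is why the chain is cross-checked."""
    return hops[0]["ip"] if hops else None


def check_chain(hops):
    """Cross-check adjacent hops: the 'by' host of one hop should be the
    'from' host of the next, and timestamps should not run backwards."""
    findings = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        if prev["by"] and cur["from"] and prev["by"].lower() != cur["from"].lower():
            findings.append(f"hop {i}: from={cur['from']} but previous hop was by={prev['by']}")
        if cur["time"] < prev["time"]:
            findings.append(f"hop {i}: timestamp {cur['time']:%H:%M:%S} precedes hop {i - 1}")
    return findings


def sender_domain_mismatch(raw_message, hops):
    """Heuristic, not proof: the From: domain differs from the first hop's host
    domain. Mailing lists and hosted mail trigger it legitimately."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    first_host = (hops[0]["from"] or "").lower() if hops else ""
    return bool(from_domain) and not first_host.endswith(from_domain)


if __name__ == "__main__":
    hops = parse_received(RAW_MESSAGE)
    for n, hop in enumerate(hops):
        print(f"hop {n}: {hop['from']} [{hop['ip']}] -> {hop['by']} "
              f"at {hop['time']:%Y-%m-%d %H:%M:%S} UTC")
    print("originating IP:", originating_ip(hops))
    print("chain findings:", check_chain(hops) or "none")
    print("From: domain disagrees with first hop:", sender_domain_mismatch(RAW_MESSAGE, hops))
```

The chain check only reaches hops an investigator can trust: everything below the first Received: line written by a server outside the sender's control can be fabricated, so the originating IP should be read as the address that server saw, not as anything the lower lines claim.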
• Server Investigation
Copies of delivered e-mails and server logs are examined to identify the source of an e-mail message. E-mails purged from the clients (sender's or receiver's) and not recoverable there may be requested from the servers (ISP), since most of them retain a copy of e-mails for some time after delivery; such requests normally go through legal process, and retention periods are limited.
Contd..
• Network Device Investigation
Logs maintained by network devices such as routers, firewalls and switches are used to trace the source of an e-mail message. This form of investigation is complex and is used only when the logs of the servers (ISP) are unavailable, e.g. because the ISP or proxy does not keep logs, the ISP does not cooperate, or the chain of custody of the server evidence could not be maintained.
E-mail Forensics Tools
• EmailTracer
▫ Traces the originating IP address and other details from the e-mail header, generates a detailed HTML report of the header analysis, finds city-level details of the sender, plots the route traced by the mail and displays the originating geographic location of the e-mail. (Geolocation of an IP address is approximate and identifies the submitting host, which may be a relay or an anonymising service rather than the sender's own machine.)
• Aid4Mail Forensic
▫ A conversion tool that supports various mail formats, including Outlook (PST, MSG files), Windows Live Mail, Thunderbird, Eudora and mbox.
▫ It can search mail by date, header content and message body content. Mail folders and files can be processed even when disconnected (unmounted) from their e-mail client, including those stored on CD, DVD and USB drives.
▫ Aid4Mail Forensic can search PST files and all supported mail formats by date range and by keywords in the message body or in the headers; Boolean search operators are supported. It can process e-mail that has been deleted but not yet purged (compacted) from mbox files and can restore such e-mail during export.
Preeti Mishra, Emmanuel S. Pilli and R. C. Joshi, "Forensic Analysis of E-mail Date and Time Spoofing" [1]
Overview
• Goal: detect e-mail date and time spoofing.
• Method: forensic analysis of the header, specifically of the fields that carry date and time (the Date: field and the Received: trace).
• If the sending date and time recorded in Date: differ from the receiving date and time recorded by the servers by more than a predefined margin, the e-mail is judged to be spoofed.
Contd..
• The e-mail header carries the message's control information: sender's address, receiver's address, subject, time of creation, delivery stamps (Received: lines), message author, Cc, Bcc, etc. (The SMTP envelope proper, MAIL FROM and RCPT TO, is separate; the receiving server records it in the Return-Path: and Received: fields.)
• In a spoofed e-mail the Date: field may carry a date that is ahead of or behind the actual date of sending, or the attacker may alter only the time at which the message appears to have been sent.
• The time portion of the Date: header can likewise be manipulated so that the message appears to have been sent at a time different from the actual one. This misleads recipients whose mail is sorted by sending date and time, because the forged message is filed among messages from another period.
Technique
• First compute a threshold or margin: the usual time taken to receive an e-mail, taken as the maximum observed difference between the sending time (Date:) and the last server's receiving time over legitimate e-mails.
• This margin is then used to detect date and time spoofing in a suspect e-mail.
• All date and time fields are converted to UTC (Coordinated Universal Time) before their differences are compared with the margin, since the Date: and Received: fields are written by different hosts in different time zones.
Algorithm to calculate margin
• Input: a normal (legitimate) e-mail header file and a margin file, which initially contains zero.
• Extract three fields:
▫ the Date: field (sending date / time / UTC offset),
▫ the last Received: field from the top (the first server's receiving date / time / UTC offset),
▫ the first Received: field from the top (the last server's receiving date / time / UTC offset). Received: fields are prepended by each server in turn, so the topmost is the most recent.
• Convert all three fields to UTC so that the values are uniform across servers.
• Compute the difference between the sending time and the last server's receiving time.
• If the difference is greater than the stored margin, write the difference to the margin file.
• Repeat for each new legitimate e-mail header: the difference between the sending time and the last server's time is compared with the margin, and the margin is updated whenever the difference exceeds it.
Three cases for any E-mail which is delivered to
the recipient:
(1) E-mail is not delivered on the same date of
sending
(2) E-mail is delivered on the same date but with a
large variation in time and
(3) E-mail is delivered on the same date and time
(within an acceptable margin).
Detection of spoofing
• First check the semantics of the date and time fields in the e-mail header. If they are improper (for example because the attacker could not set a well-formed value in his or her mail client), report an error; otherwise proceed.
• Check whether sending_date and lastser_date are the same.
▫ If they are, check whether the difference between sending_time and lastser_time is within the margin (threshold) computed above.
▫ If it is, the e-mail is legitimate (case 3); otherwise it is spoofed in time (case 2).
• If the dates differ, check whether sending_date and firstser_date are the same.
▫ If they are, the e-mail is not date spoofed but was delayed, for example by a breakdown of or overload on an intermediate server relaying it (case 3).
▫ If sending_date and firstser_date also differ, the e-mail is date spoofed (case 1).
• If the first SMTP server is temporarily unavailable, submission fails with a sending error.
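The margin algorithm and the detection steps above, carried through as an added example (my code, not the authors' implementation and not from the deck): Date: and the top and bottom Received: timestamps are parsed and normalised to UTC, the margin is learned as the largest send-to-last-server delay over known-good headers, and a suspect header is then classified exactly along the branches listed above. The headers are constructed for the example with placeholder hostnames. One choice is mine rather than the paper's: the time comparison uses the absolute difference, because a Date: set ahead of the receipt time gives a negative difference that a plain "less than margin" test would accept as legitimate.

```python
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime


def _utc(stamp):
    """Parse an RFC 5322 date/time and normalise it to UTC so values written by
    servers in different zones are comparable. Raises ValueError when the
    field's semantics are improper (the algorithm's first check)."""
    try:
        dt = parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError) as exc:
        raise ValueError(f"improper date/time semantics: {stamp.strip()!r}") from exc
    if dt.tzinfo is None:                 # '-0000' means zone unknown; assume UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def _stamp(received_value):
    """The timestamp of a Received: line follows its last ';'."""
    return " ".join(received_value.split()).rpartition(";")[2]


def extract_times(raw_message):
    """Return (sending, firstser, lastser) as UTC datetimes: the Date: field,
    the bottom Received: line (first server) and the top one (last server)."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received", [])
    if msg.get("Date") is None or not received:
        raise ValueError("Date: or Received: field missing")
    return _utc(msg["Date"]), _utc(_stamp(received[-1])), _utc(_stamp(received[0]))


def has_valid_semantics(raw_message):
    """True when every date/time field parses; the semantics check."""
    try:
        extract_times(raw_message)
        return True
    except ValueError:
        return False


def learn_margin(legitimate_messages):
    """Margin = largest send-to-last-server delay over known-good headers,
    starting from zero, as the margin algorithm describes."""
    margin = 0.0
    for raw in legitimate_messages:
        sending, _, lastser = extract_times(raw)
        margin = max(margin, (lastser - sending).total_seconds())
    return margin


def classify(raw_message, margin_seconds):
    """Detection step; abs() is an added choice (see lead-in)."""
    sending, firstser, lastser = extract_times(raw_message)
    if sending.date() == lastser.date():
        if abs((lastser - sending).total_seconds()) <= margin_seconds:
            return "legitimate"            # case 3
        return "time spoofed"              # case 2
    if sending.date() == firstser.date():
        return "delayed"                   # not date spoofed; relay delay
    return "date spoofed"                  # case 1


def build_message(date, first_received, last_received):
    """Constructed sample header (not a real capture) with two relay hops."""
    return (f"Received: from mx.example.net by mail.example.org; {last_received}\n"
            f"Received: from client.example.com by mx.example.net; {first_received}\n"
            f"Date: {date}\nFrom: alice@example.com\nTo: bob@example.org\n"
            "Subject: test\n\nbody\n")


TRAINING = [  # known-good headers used to learn the margin (20 s and 90 s delays)
    build_message("Mon, 3 Mar 2014 09:00:00 +0000", "Mon, 3 Mar 2014 09:00:05 +0000",
                  "Mon, 3 Mar 2014 09:00:20 +0000"),
    build_message("Mon, 3 Mar 2014 14:30:00 +0530", "Mon, 3 Mar 2014 14:30:10 +0530",
                  "Mon, 3 Mar 2014 09:01:30 +0000"),
]

SAMPLES = {  # constructed suspect headers, one per branch of the detection step
    "legitimate":   build_message("Mon, 3 Mar 2014 10:00:00 +0000", "Mon, 3 Mar 2014 10:00:05 +0000",
                                  "Mon, 3 Mar 2014 10:00:45 +0000"),
    "time spoofed": build_message("Mon, 3 Mar 2014 08:00:00 +0000", "Mon, 3 Mar 2014 10:00:05 +0000",
                                  "Mon, 3 Mar 2014 10:00:45 +0000"),
    "date spoofed": build_message("Sat, 1 Mar 2014 10:00:00 +0000", "Mon, 3 Mar 2014 10:00:05 +0000",
                                  "Mon, 3 Mar 2014 10:00:45 +0000"),
    "delayed":      build_message("Mon, 3 Mar 2014 23:50:00 +0000", "Mon, 3 Mar 2014 23:50:05 +0000",
                                  "Tue, 4 Mar 2014 03:10:00 +0000"),
    "future Date:": build_message("Mon, 3 Mar 2014 10:30:00 +0000", "Mon, 3 Mar 2014 10:00:05 +0000",
                                  "Mon, 3 Mar 2014 10:00:45 +0000"),
}

if __name__ == "__main__":
    margin = learn_margin(TRAINING)
    print(f"learned margin: {margin:.0f} s")
    for label, raw in SAMPLES.items():
        print(f"{label:13s} -> {classify(raw, margin)}")
    bad = build_message("yesterday", "Mon, 3 Mar 2014 10:00:05 +0000", "Mon, 3 Mar 2014 10:00:45 +0000")
    print("improper semantics rejected:", not has_valid_semantics(bad))
```

Two caveats a practitioner should keep in mind. The margin is only as good as the training set: a legitimate message that once sat in a queue for an hour widens the margin to an hour and hides any time spoofing smaller than that. And because dates are compared after UTC conversion, a message sent just before midnight UTC and received just after will fall into the "delayed" branch rather than "legitimate", so that label is a prompt for a closer look, not a verdict.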
References
[1] Preeti Mishra, Emmanuel S. Pilli and R. C. Joshi, "Forensic Analysis of E-mail Date and Time Spoofing", 2012 Third International Conference on Computer and Communication Technology.
[2] M. Tariq Banday, "Techniques and Tools for Forensic Investigation of E-mail", International Journal of Network Security & Its Applications (IJNSA), Vol. 3, No. 6, November 2011.
[3] http://www.spamlaws.com/different-types-email-exploits.html
THANK YOU

More Related Content

What's hot (20)

Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
 
Email Analysis
Email AnalysisEmail Analysis
Email Analysis
 
E mail Investigation
E mail InvestigationE mail Investigation
E mail Investigation
 
Memory forensics
Memory forensicsMemory forensics
Memory forensics
 
E-mail Investigation
E-mail InvestigationE-mail Investigation
E-mail Investigation
 
Incident response process
Incident response processIncident response process
Incident response process
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenes
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics Overview
 
cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic tools
 
Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu Khimani
 
Password based cryptography
Password based cryptographyPassword based cryptography
Password based cryptography
 
Digital Forensic
Digital ForensicDigital Forensic
Digital Forensic
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics tool
 

Similar to E mail forensics

Running header EMAIL FORENSICSEMAIL FORENSICSEmail Forens.docx
Running header EMAIL FORENSICSEMAIL FORENSICSEmail Forens.docxRunning header EMAIL FORENSICSEMAIL FORENSICSEmail Forens.docx
Running header EMAIL FORENSICSEMAIL FORENSICSEmail Forens.docxjeffsrosalyn
 
Networking presentation
Networking presentationNetworking presentation
Networking presentationPushkar Mishra
 
DSNs & X.400 assist in ensuring email reliability
DSNs & X.400 assist in ensuring email reliabilityDSNs & X.400 assist in ensuring email reliability
DSNs & X.400 assist in ensuring email reliabilityIOSR Journals
 
DSNs & X.400 assist in ensuring email reliability
DSNs & X.400 assist in ensuring email reliabilityDSNs & X.400 assist in ensuring email reliability
DSNs & X.400 assist in ensuring email reliabilityIOSR Journals
 
Final year project report on Internet And Interanet Emailing server
Final year project report on Internet And Interanet Emailing serverFinal year project report on Internet And Interanet Emailing server
Final year project report on Internet And Interanet Emailing serversachin993
 
Pop (post office protocol)e mail (electronic mail)
Pop (post office protocol)e mail (electronic mail)Pop (post office protocol)e mail (electronic mail)
Pop (post office protocol)e mail (electronic mail)MDSHABBIR12
 
Simple Mail Transfer Protocol
Simple Mail Transfer ProtocolSimple Mail Transfer Protocol
Simple Mail Transfer ProtocolUjjayanta Bhaumik
 
retrieving the mail
retrieving the mailretrieving the mail
retrieving the mailtumetr1
 
Tcpip services and applications
Tcpip services and applicationsTcpip services and applications
Tcpip services and applicationsOnline
 

Similar to E mail forensics (20)

how email works
how email workshow email works
how email works
 
How e mail works
How e mail worksHow e mail works
How e mail works
 
Running header EMAIL FORENSICSEMAIL FORENSICSEmail Forens.docx
Running header EMAIL FORENSICSEMAIL FORENSICSEmail Forens.docxRunning header EMAIL FORENSICSEMAIL FORENSICSEmail Forens.docx
Running header EMAIL FORENSICSEMAIL FORENSICSEmail Forens.docx
 
How Email Works
How Email WorksHow Email Works
How Email Works
 
Electronic mail
Electronic mailElectronic mail
Electronic mail
 
Electronic mail
Electronic mailElectronic mail
Electronic mail
 
Electronic mail
Electronic mailElectronic mail
Electronic mail
 
Application layer
Application layerApplication layer
Application layer
 
Networking presentation
Networking presentationNetworking presentation
Networking presentation
 
SNMP/SMTP/MIME
SNMP/SMTP/MIMESNMP/SMTP/MIME
SNMP/SMTP/MIME
 
DSNs & X.400 assist in ensuring email reliability
DSNs & X.400 assist in ensuring email reliabilityDSNs & X.400 assist in ensuring email reliability
DSNs & X.400 assist in ensuring email reliability
 
DSNs & X.400 assist in ensuring email reliability
DSNs & X.400 assist in ensuring email reliabilityDSNs & X.400 assist in ensuring email reliability
DSNs & X.400 assist in ensuring email reliability
 
B017211114
B017211114B017211114
B017211114
 
Final year project report on Internet And Interanet Emailing server
Final year project report on Internet And Interanet Emailing serverFinal year project report on Internet And Interanet Emailing server
Final year project report on Internet And Interanet Emailing server
 
Ch22 system administration
Ch22 system administration Ch22 system administration
Ch22 system administration
 
Internet mail server
Internet mail server Internet mail server
Internet mail server
 
Pop (post office protocol)e mail (electronic mail)
Pop (post office protocol)e mail (electronic mail)Pop (post office protocol)e mail (electronic mail)
Pop (post office protocol)e mail (electronic mail)
 
Simple Mail Transfer Protocol
Simple Mail Transfer ProtocolSimple Mail Transfer Protocol
Simple Mail Transfer Protocol
 
retrieving the mail
retrieving the mailretrieving the mail
retrieving the mail
 
Tcpip services and applications
Tcpip services and applicationsTcpip services and applications
Tcpip services and applications
 

More from saddamhusain hadimani

More from saddamhusain hadimani (10)

Linux tools for data recovery and reporting
Linux tools for data recovery and reportingLinux tools for data recovery and reporting
Linux tools for data recovery and reporting
 
Deft
DeftDeft
Deft
 
Caine and dff
Caine and dffCaine and dff
Caine and dff
 
Bin carver
Bin carverBin carver
Bin carver
 
Analysis of database tampering
Analysis of database tamperingAnalysis of database tampering
Analysis of database tampering
 
pda forensics
pda forensicspda forensics
pda forensics
 
Beauty of open source in cyber forensics
Beauty of open source in cyber forensicsBeauty of open source in cyber forensics
Beauty of open source in cyber forensics
 
User Authentication Based on Representative Users
User Authentication Based on Representative UsersUser Authentication Based on Representative Users
User Authentication Based on Representative Users
 
A Novel Wireless Sensor Network Frame for Urban Transportation
A Novel Wireless Sensor Network Frame for Urban TransportationA Novel Wireless Sensor Network Frame for Urban Transportation
A Novel Wireless Sensor Network Frame for Urban Transportation
 
Li fi technology
Li fi technologyLi fi technology
Li fi technology
 

Recently uploaded

Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 

Recently uploaded (20)

Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room service
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 

E mail forensics

  • 1. E-mail Forensics Presented By, Tania Ronald Mendonca 01FM15ECS039 M.Tech- 3rd Semester
  • 2. Introduction • E-mail an application on Internet for communication of messages, delivery of documents and carrying out of transactions and is used not only from computers but many other electronic gadgets like mobile phones. • E-mail protocols have been secured through several security extensions and producers, however, cybercriminals continue to misuse it for illegitimate purposes by sending spam, phishing e-mails, distributing child pornography, and hate emails besides propagating viruses, worms, and Trojan horses. • E-mail forensic analysis is used to study the source and content of e-mail message as evidence, identifying the actual sender, recipient and date and time it was sent, etc. to collect credible evidence to take action against a criminal.
  • 4. • MUA(Mail user agent): ▫ aMUA creates messages and performs initial submission via Mail Submission Agent (MSA) ▫ rMUA processes received mail that includes displaying and disposing of the received message and closing or expanding the user communication loop by initiating replies and forwarding new messages • Message/Mail Store (MS): ▫ Long term message store for MUA which can be located on a remote server or on the machine running MUA ▫ The MUA accesses the MS either by a local mechanism or by using POP or IMAP.
  • 5. • Mail Submission Agent (MSA): ▫ Accepts the message submitted by the aMUA for posting. ▫ Adds header fields such as Date and Message-ID and expanding an address to its formal Internet Mail Format (IMF) representation. The hMSA is responsible for transiting the message to MTA. • Message/Mail Transfer Agent (MTA): ▫ MTA nodes are in effect postal sorting agents that have the responsibility of retrieving the relevant Mail eXchange (MX) record from the DNS Server for each e-mail to be send and thus map the distinct e-mail addressee’s domain name with the relevant IP address information ▫ A receiving MTA can also perform the operation of delivering e-mail message to the respective mailbox of the receiver on the mail server and thus is also called Mail Delivery Agent (MDA).
  • 6. • Message/Mail Delivery Agent (MDA): ▫ Both hMDA and rMDA are responsible for accepting the message for delivery to distinct addresses. ▫ hMDA functions as a SMTP server engine and rMDA performs the delivery action • Relays: ▫ Nodes that perform e-mail relaying. Relaying is the process of receiving e-mail message from one SMTP e-mail node and forward it to another one. • Gateway: ▫ Gateway nodes are used to convert e-mail messages from one application layer protocol to other • Web Server (WebServ): ▫ These nodes are the e-mail Web servers that provide the Web environment to compose, send and read an e-mail message. • Mail Server (MailServ): ▫ They represent e-mail servers providing users mail access service using IMAP or POP3 protocols.
  • 7. E-mail Client attacks • Malware Distribution: Hackers with malicious intent can exploit your email client by distributing malware through email messages. • Phishing Attack: A phishing attack is generally not hazardous to the inner workings of your PC however; it is designed to trick you into revealing your personal information, passwords, or bank account information.
  • 8. Contd.. • Spam Attack: Spam is unsolicited email or "junk" mail that you receive in your Inbox. Spam generally contains advertisements but it can also contain malicious files. • Denial of Service Attack: A denial of service attack occurs when the hacker sends multitudes of email messages to your email client in an effort to block you from using your email client or crashing your computer altogether.
  • 9. E-mail Forensic Investigation Techniques • Header Analysis Meta data in the e-mail message in the form of control information i.e. envelope and headers including headers in the message body contain information about the sender and/or the path along which the message has traversed. Some of these may be spoofed to conceal the identity of the sender. A detailed analysis of these headers and their correlation is performed in header analysis. • Server Investigation In this investigation, copies of delivered e-mails and server logs are investigated to identify source of an e-mail message. E-mails purged from the clients (senders or receivers) whose recovery is impossible may be requested from servers (ISP) as most of them store a copy of all e-mails after their deliveries.
  • 10. Contd.. • Network Device Investigation Logs maintained by the network devices such as routers, firewalls and switches are used to investigate the source of an e-mail message. This form of investigation is complex and is used only when the logs of servers ( ISP) are unavailable due to some reason, e.g. when ISP or proxy does not maintain a log or lack of cooperation by ISP’s or failure to maintain chain of evidence.
  • 11. E-mail Forensics Tools • EmailTracer ▫ Traces the originating IP address and other details from e-mail header, generates detailed HTML report of email header analysis, finds the city level details of the sender, plots route traced by the mail and display the originating geographic location of the e-mail. • Aid4Mail Forensic ▫ Conversion tool, which supports various mail formats including Outlook (PST, MSG files), Windows Live Mail, Thunderbird, Eudora, and mbox. ▫ It can search mail by date, header content, and by message body content. Mail folders and files can be processed even when disconnected (unmounted) from their email client including those stored on CD, DVD, and USB drives. ▫ Aid4Mail Forensic can search PST files and all supported mail formats, by date range and by keywords in the message body or in the headers. Special Boolean operations are supported. It is able to process unpurged (deleted) e-mail from mbox files and can restore unpurged e-mail during exportation.
  • 12. Preeti Mishra, Emmanuel S. Pilli and R. C. Joshi-”Forensic Analysis of E-mail Date and Time Spoofing” Overview • To detect E-mail date and time spoofing • Forensic analysis by reading header information and analysis of fields related to date and time. • If sent-date and sent-time differs from the received date and received-time by some predefined margin, the E-mail has been spoofed.
• The e-mail header is the envelope of the e-mail, containing information such as the sender's e-mail address, receiver's e-mail address, subject, time of creation, delivery stamps, message author, cc, bcc, etc.
• The Date: field in a spoofed e-mail header may contain a date ahead of or before the actual date it was sent, or the attacker may change the time at which the message appears to have been sent.
• The time portion of the Date: header can also be manipulated by the attacker so that the e-mail appears to have been sent at a time different from the actual one. This can produce misleading results, especially for recipients whose servers sort mail by sending date and time.
Technique
• Calculates the threshold or margin, which is the usual time taken to receive an e-mail (the maximum of the observed differences between the sending time and the last server's receiving time).
• This margin is used to detect date and time spoofing in an e-mail.
• All date and time fields are converted to UTC (Coordinated Universal Time) before their differences are compared with the margin.
Algorithm to calculate margin
• Takes as input a normal (legitimate) e-mail header file and a margin file (which initially contains zero as the margin value).
• Extracts three fields:
▫ the Date: field (containing the sending date / time / UTC offset),
▫ the last Received: field from the top (containing the first server's e-mail receiving date / time / UTC offset),
▫ the first Received: field from the top (containing the last server's e-mail receiving date / time / UTC offset).
• Converts the above three fields to the UTC time zone so that the values are uniform across servers.
• Computes the difference between the sending time and the last server's e-mail receiving time.
• If the difference is greater than the margin, it writes the difference to the margin file.
• Each time a new e-mail header is processed, the difference between the sending time and the first server time is calculated and compared with the margin. If the difference is greater than the margin, the margin is updated.
Three cases for any e-mail that is delivered to the recipient:
(1) the e-mail is not delivered on the same date as it was sent;
(2) the e-mail is delivered on the same date but with a large variation in time; and
(3) the e-mail is delivered on the same date and time (within an acceptable margin).
Detection of spoofing
• Checks the semantics of the date and time fields in the e-mail header. It generates an error message if the semantics are improper (if the attacker could not set valid semantics in his or her mail client program) and proceeds further otherwise.
• Checks whether sending_date and lastser_date are the same.
▫ If the dates are the same, it checks whether the difference between sending_time and lastser_time is less than the set margin or threshold.
▫ If the difference is less than the margin, the e-mail is found to be legitimate (case 3); otherwise it is spoofed in time (case 2).
• If the dates are not the same, the algorithm checks whether sending_date and firstser_date are the same.
▫ If they are the same, the e-mail is not date spoofed, but may have been delayed by a server breakdown or by overload on some intermediate server relaying the e-mail (case 3).
▫ If sending_date and firstser_date are not the same, the e-mail is date spoofed (case 1).
• If the first SMTP server is temporarily unavailable, an e-mail sending error will be reported.
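As an added example (not code from the slides or from the cited paper), this implements the margin-learning and three-case check from the two algorithm slides above against constructed headers. Hostnames, message ids and timestamps are made up, and a gap exactly equal to the learned margin is treated as legitimate.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

def _utc(stamp):
    """Parse an RFC 5322 date and normalise it to UTC ('-0000' parses naive; take it as UTC)."""
    d = parsedate_to_datetime(stamp)
    return d.replace(tzinfo=timezone.utc) if d.tzinfo is None else d.astimezone(timezone.utc)

def header_times(raw):
    """Return (sending, first_server, last_server) as UTC datetimes. Received: fields are
    prepended per hop: top = last server, bottom = first server; timestamp follows the last ';'."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    if msg["Date"] is None or not received:
        raise ValueError("Date: or Received: field missing")
    stamps = [_utc(r.rsplit(";", 1)[1]) for r in received]
    return _utc(msg["Date"]), stamps[-1], stamps[0]

def update_margin(raw, margin=timedelta(0)):
    """Margin learning on a header known to be legitimate: keep the largest
    sending-time to last-server-time gap seen so far."""
    sending, _, last = header_times(raw)
    return max(margin, last - sending)

def classify(raw, margin):
    """Apply the three cases; improper date semantics are reported, not guessed."""
    try:
        sending, first, last = header_times(raw)
    except (ValueError, TypeError, IndexError):
        return "malformed-header"
    if sending.date() == last.date():
        # same day: gap within the learned margin is case 3, otherwise case 2
        return "legitimate" if abs(last - sending) <= margin else "time-spoofed"
    if sending.date() == first.date():
        return "legitimate"      # first hop on the sending day: delayed relay, not spoofing
    return "date-spoofed"        # case 1

# Constructed sample headers (hostnames, ids and times are fictitious).
LEGIT = ("Received: from mx1.example.net by mx2.example.net with ESMTP id A1; Tue, 5 Mar 2019 10:06:30 +0000\n"
         "Received: from sender.example.org by mx1.example.net with ESMTP id B2; Tue, 5 Mar 2019 10:05:12 +0000\n"
         "Date: Tue, 5 Mar 2019 15:34:50 +0530\nSubject: quarterly report\n\nbody\n")
TIME_SPOOFED = LEGIT.replace("Date: Tue, 5 Mar 2019 15:34:50 +0530", "Date: Tue, 5 Mar 2019 09:00:00 +0000")
DATE_SPOOFED = LEGIT.replace("Date: Tue, 5 Mar 2019 15:34:50 +0530", "Date: Mon, 4 Mar 2019 10:04:50 +0000")

if __name__ == "__main__":
    margin = update_margin(LEGIT)           # 100 s between 10:04:50Z (Date:) and 10:06:30Z (top Received:)
    for name, raw in (("legit", LEGIT), ("time", TIME_SPOOFED), ("date", DATE_SPOOFED)):
        print(name, classify(raw, margin))
```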
References
[1] Preeti Mishra, Emmanuel S. Pilli and R. C. Joshi, "Forensic Analysis of E-mail Date and Time Spoofing", 2012 Third International Conference on Computer and Communication Technology.
[2] M. Tariq Banday, "Techniques and Tools for Forensic Investigation of E-mail", International Journal of Network Security & Its Applications (IJNSA), Vol. 3, No. 6, November 2011.
[3] http://www.spamlaws.com/different-types-email-exploits.html