saddamhusain hadimani, profile picture
Uploaded bysaddamhusain hadimani
PPTX, PDF4,144 views

E mail forensics

The document discusses e-mail forensics. It begins by describing the architecture of e-mail systems, including mail user agents, message stores, mail submission and transfer agents, and mail delivery agents. It then discusses common e-mail client attacks like malware distribution, phishing, spam, and denial-of-service attacks. The document outlines techniques for e-mail forensic investigation such as header analysis and server investigation. It also presents tools that can be used for e-mail forensics and summarizes a research paper on detecting e-mail date and time spoofing through analysis of header fields.

Embed presentation

Downloaded 166 times
E-mail Forensics Presented By, Tania Ronald Mendonca 01FM15ECS039 M.Tech- 3rd Semester
Introduction • E-mail an application on Internet for communication of messages, delivery of documents and carrying out of transactions and is used not only from computers but many other electronic gadgets like mobile phones. • E-mail protocols have been secured through several security extensions and producers, however, cybercriminals continue to misuse it for illegitimate purposes by sending spam, phishing e-mails, distributing child pornography, and hate emails besides propagating viruses, worms, and Trojan horses. • E-mail forensic analysis is used to study the source and content of e-mail message as evidence, identifying the actual sender, recipient and date and time it was sent, etc. to collect credible evidence to take action against a criminal.
E-mail Architecture
• MUA(Mail user agent): ▫ aMUA creates messages and performs initial submission via Mail Submission Agent (MSA) ▫ rMUA processes received mail that includes displaying and disposing of the received message and closing or expanding the user communication loop by initiating replies and forwarding new messages • Message/Mail Store (MS): ▫ Long term message store for MUA which can be located on a remote server or on the machine running MUA ▫ The MUA accesses the MS either by a local mechanism or by using POP or IMAP.
• Mail Submission Agent (MSA): ▫ Accepts the message submitted by the aMUA for posting. ▫ Adds header fields such as Date and Message-ID and expanding an address to its formal Internet Mail Format (IMF) representation. The hMSA is responsible for transiting the message to MTA. • Message/Mail Transfer Agent (MTA): ▫ MTA nodes are in effect postal sorting agents that have the responsibility of retrieving the relevant Mail eXchange (MX) record from the DNS Server for each e-mail to be send and thus map the distinct e-mail addressee’s domain name with the relevant IP address information ▫ A receiving MTA can also perform the operation of delivering e-mail message to the respective mailbox of the receiver on the mail server and thus is also called Mail Delivery Agent (MDA).
• Message/Mail Delivery Agent (MDA): ▫ Both hMDA and rMDA are responsible for accepting the message for delivery to distinct addresses. ▫ hMDA functions as a SMTP server engine and rMDA performs the delivery action • Relays: ▫ Nodes that perform e-mail relaying. Relaying is the process of receiving e-mail message from one SMTP e-mail node and forward it to another one. • Gateway: ▫ Gateway nodes are used to convert e-mail messages from one application layer protocol to other • Web Server (WebServ): ▫ These nodes are the e-mail Web servers that provide the Web environment to compose, send and read an e-mail message. • Mail Server (MailServ): ▫ They represent e-mail servers providing users mail access service using IMAP or POP3 protocols.
E-mail Client attacks • Malware Distribution: Hackers with malicious intent can exploit your email client by distributing malware through email messages. • Phishing Attack: A phishing attack is generally not hazardous to the inner workings of your PC however; it is designed to trick you into revealing your personal information, passwords, or bank account information.
Contd.. • Spam Attack: Spam is unsolicited email or "junk" mail that you receive in your Inbox. Spam generally contains advertisements but it can also contain malicious files. • Denial of Service Attack: A denial of service attack occurs when the hacker sends multitudes of email messages to your email client in an effort to block you from using your email client or crashing your computer altogether.
E-mail Forensic Investigation Techniques • Header Analysis Meta data in the e-mail message in the form of control information i.e. envelope and headers including headers in the message body contain information about the sender and/or the path along which the message has traversed. Some of these may be spoofed to conceal the identity of the sender. A detailed analysis of these headers and their correlation is performed in header analysis. • Server Investigation In this investigation, copies of delivered e-mails and server logs are investigated to identify source of an e-mail message. E-mails purged from the clients (senders or receivers) whose recovery is impossible may be requested from servers (ISP) as most of them store a copy of all e-mails after their deliveries.
Contd.. • Network Device Investigation Logs maintained by the network devices such as routers, firewalls and switches are used to investigate the source of an e-mail message. This form of investigation is complex and is used only when the logs of servers ( ISP) are unavailable due to some reason, e.g. when ISP or proxy does not maintain a log or lack of cooperation by ISP’s or failure to maintain chain of evidence.
E-mail Forensics Tools • EmailTracer ▫ Traces the originating IP address and other details from e-mail header, generates detailed HTML report of email header analysis, finds the city level details of the sender, plots route traced by the mail and display the originating geographic location of the e-mail. • Aid4Mail Forensic ▫ Conversion tool, which supports various mail formats including Outlook (PST, MSG files), Windows Live Mail, Thunderbird, Eudora, and mbox. ▫ It can search mail by date, header content, and by message body content. Mail folders and files can be processed even when disconnected (unmounted) from their email client including those stored on CD, DVD, and USB drives. ▫ Aid4Mail Forensic can search PST files and all supported mail formats, by date range and by keywords in the message body or in the headers. Special Boolean operations are supported. It is able to process unpurged (deleted) e-mail from mbox files and can restore unpurged e-mail during exportation.
Preeti Mishra, Emmanuel S. Pilli and R. C. Joshi-”Forensic Analysis of E-mail Date and Time Spoofing” Overview • To detect E-mail date and time spoofing • Forensic analysis by reading header information and analysis of fields related to date and time. • If sent-date and sent-time differs from the received date and received-time by some predefined margin, the E-mail has been spoofed.
Contd.. • The E-mail header is the envelope of the E-mail containing such information as: sender’s E-mail address, receiver’s E-mail address, subject, time of creation, delivery stamps, message author, cc, bcc, etc. • The date field in a spoofed E-mail header may contain a date which is ahead or before the actual date it was sent or attacker will change the time the message is sent. • Time field of Date: header can also be manipulated by attacker and make the E-mail message to be sent on time different from actual time. This may produce vulnerable result, specifically for those receivers, whose servers’ mails are sorted according to sending date and time.
Technique • Calculates the threshold or margin which is the usual time taken to receive an E-mail(maximum of differences in time between the sending time and last server time). • This margin is used to detect E-mail date and time spoofing in an E-mail. • All the date and time fields are converted to UTC (Universal Time Coordinated) time before comparing their differences with the margin.
Algorithm to calculate margin • Takes input a normal E-mail header file and margin file (which initially contains zero as initial margin value). • Extract three fields: ▫ Date: field (containing sending date / time / UTC offset), ▫ the last Received: field from the top (containing first server’s E- mail receiving date / time / UTC offset) ▫ the first Received: field from the top (containing last server’s E- mail receiving date / time / UTC offset). • Convert the above three fields into UTC time zone so that the values are uniform across various servers. • We find out the difference between sending time and last server E-mail receiving time. • If the difference is greater the margin; it writes the difference to margin file. • Each time a New E-mail header is processed the difference between sending time and first server time is calculated and compared with the margin. If difference is greater than margin, margin is updated.
Three cases for any E-mail which is delivered to the recipient: (1) E-mail is not delivered on the same date of sending (2) E-mail is delivered on the same date but with a large variation in time and (3) E-mail is delivered on the same date and time (within an acceptable margin).
Detection of spoofing • Checks the semantics of date and time fields in the E-mail header. It generates an error message if the semantics are improper (if the hacker could not set the semantics in his or her mail client program) and proceeds further, otherwise. • Checks whether sending_date and lastser_date are same. ▫ If the dates are same, it checks whether the difference between sending_time and lastser_time is less than a set margin or threshold. ▫ If the difference is less than the margin threshold, then the E-mail is found to be legitimate (case 3) and spoofed in time, otherwise (case 2). • If the dates are not same, the algorithm checks whether the sending_date and firstser_date are same. ▫ If they are same, the E-mail is not date spoofed, but may have been delayed because of a server breakdown or over load on some intermediate servers relaying the E-mail (case 3). ▫ If the sending_date and firstser_date are not same, then the E-mail is date spoofed (case 1). • In case if first SMTP server is temporarily unavailable then E-Mail sending error will come.
References [1] Preeti Mishra, Emmanuel S. Pilli and R. C. Joshi-”Forensic Analysis of E-mail Date and Time Spoofing”-2012 Third International Conference on Computer and Communication Technology [2] M. Tariq Banday-”Techniques And Tools For Forensic Investigation Of E-mail”-International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.6, November 2011 [3] http://www.spamlaws.com/different-types- email-exploits.html
THANK YOU

More Related Content

PDF
Email Forensics
byGol D Roger
 
PPTX
Email investigation
byAnimesh Shaw
 
PPT
Email Headers – Expert Forensic Analysis
byforensicEmailAnalysis
 
PPTX
E-mail Investigation
byedwardbel
 
PDF
Current Forensic Tools
byJyothishmathi Institute of Technology and Science Karimnagar
 
PPTX
Email recovery
byPalash Mehar
 
PDF
Cyber Forensics Module 2
byManu Mathew Cherian
 
PPT
Cyber forensic standard operating procedures
bySoumen Debgupta
 
Email Forensics
byGol D Roger
 
Email investigation
byAnimesh Shaw
 
Email Headers – Expert Forensic Analysis
byforensicEmailAnalysis
 
E-mail Investigation
byedwardbel
 
Current Forensic Tools
byJyothishmathi Institute of Technology and Science Karimnagar
 
Email recovery
byPalash Mehar
 
Cyber Forensics Module 2
byManu Mathew Cherian
 
Cyber forensic standard operating procedures
bySoumen Debgupta
 

What's hot

PPTX
E mail Investigation
byDr Raghu Khimani
 
PPTX
Mobile Forensics
byprimeteacher32
 
PPTX
Email Forensics
byprimeteacher32
 
PPTX
Memory forensics.pptx
by9905234521
 
PPTX
Network forensics and investigating logs
byanilinvns
 
PPTX
Network Forensics
byprimeteacher32
 
PDF
A brief Intro to Digital Forensics
byManik Bhola
 
PPTX
Network forensic
byManjushree Mashal
 
PPT
Malware forensics
bySameera Amjad
 
PPTX
Analysis of digital evidence
byrakesh mishra
 
PPTX
Cyber Security(Password Cracking Presentation).pptx
byVASUOFFICIAL
 
PPTX
Digital forensic tools
byParsons Corporation
 
PPTX
Mobile Forensics
byabdullah roomi
 
PPTX
Network security
byMadhumithah Ilango
 
PPTX
Password craking techniques
byأحلام انصارى
 
PDF
CS6004 Cyber Forensics
byKathirvel Ayyaswamy
 
PDF
Network Forensic
bySujeet Kumar
 
PPT
Mobile forensics
bynoorashams
 
PPTX
Web application attacks
byhruth
 
PPTX
Password Cracking
bySina Manavi
 
E mail Investigation
byDr Raghu Khimani
 
Mobile Forensics
byprimeteacher32
 
Email Forensics
byprimeteacher32
 
Memory forensics.pptx
by9905234521
 
Network forensics and investigating logs
byanilinvns
 
Network Forensics
byprimeteacher32
 
A brief Intro to Digital Forensics
byManik Bhola
 
Network forensic
byManjushree Mashal
 
Malware forensics
bySameera Amjad
 
Analysis of digital evidence
byrakesh mishra
 
Cyber Security(Password Cracking Presentation).pptx
byVASUOFFICIAL
 
Digital forensic tools
byParsons Corporation
 
Mobile Forensics
byabdullah roomi
 
Network security
byMadhumithah Ilango
 
Password craking techniques
byأحلام انصارى
 
CS6004 Cyber Forensics
byKathirvel Ayyaswamy
 
Network Forensic
bySujeet Kumar
 
Mobile forensics
bynoorashams
 
Web application attacks
byhruth
 
Password Cracking
bySina Manavi
 

Similar to E mail forensics

PPTX
Email Security: The Threat Landscape
byNuspire Networks
 
PPTX
Electronic mail
byBhojak Rajendra(rahul)
 
PPTX
Forensics Analysis of Email cyber forensics
bySrinivas Kanakala
 
PPT
cyber forensics Email Investigations.ppt
bymcjaya2024
 
PPTX
cyber forensics, of email analysis using
bySrinivas Kanakala
 
PDF
Electronic_Mail_Attacks-1-35.pdf by xploit
byniftliyevhuseyn
 
PPT
Email
byRoy Thomas
 
PPT
Email Forensics presentations and quality stuffs
bydeqow140
 
PPT
EmailTracing.ppt
bygovindanonymous143
 
PPT
ch12.ppt which is very good forensics of email
bygadisagemechu1
 
PPTX
Email forensic and social media forienc.pptx
bypriyankajaroli1
 
PDF
Email forensic
bySakib Khan
 
PDF
E-Mail Header- A Forensic Key to Examine an E-Mail
byIRJET Journal
 
PPT
Ch 11 E-mail and Social Media Investigations.ppt
bywhbwi21Basri
 
PPT
E-mail Investigations in computer forensics.ppt
byChSamson2
 
DOCX
Running header EMAIL FORENSICSEMAIL FORENSICSEmail Forens.docx
byjeffsrosalyn
 
PDF
TECHNIQUES AND TOOLS FOR FORENSIC INVESTIGATION OF E-MAIL
byIJNSA Journal
 
PDF
Electronic Mail Security (University of Jeddah, Saudi Arabia)
byIJCSIS Research Publications
 
DOCX
Chapter 10Email Forensics1Email is Often the Bes.docx
byketurahhazelhurst
 
DOCX
Chapter 10Email Forensics1Email is Often the Bes.docx
bybartholomeocoombs
 
Email Security: The Threat Landscape
byNuspire Networks
 
Electronic mail
byBhojak Rajendra(rahul)
 
Forensics Analysis of Email cyber forensics
bySrinivas Kanakala
 
cyber forensics Email Investigations.ppt
bymcjaya2024
 
cyber forensics, of email analysis using
bySrinivas Kanakala
 
Electronic_Mail_Attacks-1-35.pdf by xploit
byniftliyevhuseyn
 
Email
byRoy Thomas
 
Email Forensics presentations and quality stuffs
bydeqow140
 
EmailTracing.ppt
bygovindanonymous143
 
ch12.ppt which is very good forensics of email
bygadisagemechu1
 
Email forensic and social media forienc.pptx
bypriyankajaroli1
 
Email forensic
bySakib Khan
 
E-Mail Header- A Forensic Key to Examine an E-Mail
byIRJET Journal
 
Ch 11 E-mail and Social Media Investigations.ppt
bywhbwi21Basri
 
E-mail Investigations in computer forensics.ppt
byChSamson2
 
Running header EMAIL FORENSICSEMAIL FORENSICSEmail Forens.docx
byjeffsrosalyn
 
TECHNIQUES AND TOOLS FOR FORENSIC INVESTIGATION OF E-MAIL
byIJNSA Journal
 
Electronic Mail Security (University of Jeddah, Saudi Arabia)
byIJCSIS Research Publications
 
Chapter 10Email Forensics1Email is Often the Bes.docx
byketurahhazelhurst
 
Chapter 10Email Forensics1Email is Often the Bes.docx
bybartholomeocoombs
 

More from saddamhusain hadimani

PPTX
pda forensics
bysaddamhusain hadimani
 
PPTX
Analysis of database tampering
bysaddamhusain hadimani
 
PPTX
Deft
bysaddamhusain hadimani
 
PPTX
Linux tools for data recovery and reporting
bysaddamhusain hadimani
 
PPT
Bin carver
bysaddamhusain hadimani
 
PPTX
Caine and dff
bysaddamhusain hadimani
 
PPTX
Beauty of open source in cyber forensics
bysaddamhusain hadimani
 
PPT
User Authentication Based on Representative Users
bysaddamhusain hadimani
 
PPTX
A Novel Wireless Sensor Network Frame for Urban Transportation
bysaddamhusain hadimani
 
PPTX
Li fi technology
bysaddamhusain hadimani
 
pda forensics
bysaddamhusain hadimani
 
Analysis of database tampering
bysaddamhusain hadimani
 
Deft
bysaddamhusain hadimani
 
Linux tools for data recovery and reporting
bysaddamhusain hadimani
 
Bin carver
bysaddamhusain hadimani
 
Caine and dff
bysaddamhusain hadimani
 
Beauty of open source in cyber forensics
bysaddamhusain hadimani
 
User Authentication Based on Representative Users
bysaddamhusain hadimani
 
A Novel Wireless Sensor Network Frame for Urban Transportation
bysaddamhusain hadimani
 
Li fi technology
bysaddamhusain hadimani
 

Recently uploaded

DOCX
Mobile applications Devlopment ReTest year 2025-2026
byDr. Mazin Mohamed alkathiri
 
PDF
Toward Massive, Ultrareliable, and Low-Latency Wireless Communication With Sh...
byMan_Ebook
 
PPTX
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
PPTX
Unit I — Introduction to Anatomical Terms and Organization of the Human Body
byRAKESH SAJJAN
 
PPTX
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
PPTX
Campfens "The Data Qualify Challenge: Publishers, institutions, and funders r...
byNational Information Standards Organization (NISO)
 
PDF
Current Electricity for first year physiotherapy
byGanesh Jadhav
 
PDF
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
PDF
BỘ TEST KIỂM TRA CUỐI HỌC KÌ 1 - TIẾNG ANH 6-7-8-9 GLOBAL SUCCESS - PHIÊN BẢN...
byNguyen Thanh Tu Collection
 
PDF
Unit-III pdf (Basic listening Skill, Effective Writing Communication & Writin...
bySayyadTarannum
 
PPTX
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
PDF
M.Sc. Nonchordates Complete Syllabus PPT | All Important Topics Covered
byKNIPSS SULTANPUR
 
PDF
Projecte de la porta d'i5B: Els animals marins
byeduardrubio1
 
PPTX
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
PPTX
ELEMENTS OF COMMUNICATION (UNIT 2) .pptx
byPOOJA KARVANDE
 
PDF
Digital Wellness in University Communities: Libraries as Guardians of Healthy...
bySylvester Ebhonu
 
PPTX
PURPOSIVE SAMPLING IN EDUCATIONAL RESEARCH RACHITHRA RK.pptx
byssuser047b711
 
PPTX
How to Manage Line Discounts in Odoo 18 POS
byCeline George
 
PPTX
Semester 6 unit 2 Atopic dermatitis.pptx
bysachin7989
 
PPTX
ATTENTION -PART 2.pptx Shilpa Hotakar for I semester BSc students
bySHILPA HOTAKAR
 
Mobile applications Devlopment ReTest year 2025-2026
byDr. Mazin Mohamed alkathiri
 
Toward Massive, Ultrareliable, and Low-Latency Wireless Communication With Sh...
byMan_Ebook
 
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
Unit I — Introduction to Anatomical Terms and Organization of the Human Body
byRAKESH SAJJAN
 
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
Campfens "The Data Qualify Challenge: Publishers, institutions, and funders r...
byNational Information Standards Organization (NISO)
 
Current Electricity for first year physiotherapy
byGanesh Jadhav
 
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
BỘ TEST KIỂM TRA CUỐI HỌC KÌ 1 - TIẾNG ANH 6-7-8-9 GLOBAL SUCCESS - PHIÊN BẢN...
byNguyen Thanh Tu Collection
 
Unit-III pdf (Basic listening Skill, Effective Writing Communication & Writin...
bySayyadTarannum
 
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
M.Sc. Nonchordates Complete Syllabus PPT | All Important Topics Covered
byKNIPSS SULTANPUR
 
Projecte de la porta d'i5B: Els animals marins
byeduardrubio1
 
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
ELEMENTS OF COMMUNICATION (UNIT 2) .pptx
byPOOJA KARVANDE
 
Digital Wellness in University Communities: Libraries as Guardians of Healthy...
bySylvester Ebhonu
 
PURPOSIVE SAMPLING IN EDUCATIONAL RESEARCH RACHITHRA RK.pptx
byssuser047b711
 
How to Manage Line Discounts in Odoo 18 POS
byCeline George
 
Semester 6 unit 2 Atopic dermatitis.pptx
bysachin7989
 
ATTENTION -PART 2.pptx Shilpa Hotakar for I semester BSc students
bySHILPA HOTAKAR
 

E mail forensics

  • 1.
    E-mail Forensics Presented By, TaniaRonald Mendonca 01FM15ECS039 M.Tech- 3rd Semester
  • 2.
    Introduction • E-mail anapplication on Internet for communication of messages, delivery of documents and carrying out of transactions and is used not only from computers but many other electronic gadgets like mobile phones. • E-mail protocols have been secured through several security extensions and producers, however, cybercriminals continue to misuse it for illegitimate purposes by sending spam, phishing e-mails, distributing child pornography, and hate emails besides propagating viruses, worms, and Trojan horses. • E-mail forensic analysis is used to study the source and content of e-mail message as evidence, identifying the actual sender, recipient and date and time it was sent, etc. to collect credible evidence to take action against a criminal.
  • 3.
  • 4.
    • MUA(Mail useragent): ▫ aMUA creates messages and performs initial submission via Mail Submission Agent (MSA) ▫ rMUA processes received mail that includes displaying and disposing of the received message and closing or expanding the user communication loop by initiating replies and forwarding new messages • Message/Mail Store (MS): ▫ Long term message store for MUA which can be located on a remote server or on the machine running MUA ▫ The MUA accesses the MS either by a local mechanism or by using POP or IMAP.
  • 5.
    • Mail SubmissionAgent (MSA): ▫ Accepts the message submitted by the aMUA for posting. ▫ Adds header fields such as Date and Message-ID and expanding an address to its formal Internet Mail Format (IMF) representation. The hMSA is responsible for transiting the message to MTA. • Message/Mail Transfer Agent (MTA): ▫ MTA nodes are in effect postal sorting agents that have the responsibility of retrieving the relevant Mail eXchange (MX) record from the DNS Server for each e-mail to be send and thus map the distinct e-mail addressee’s domain name with the relevant IP address information ▫ A receiving MTA can also perform the operation of delivering e-mail message to the respective mailbox of the receiver on the mail server and thus is also called Mail Delivery Agent (MDA).
  • 6.
    • Message/Mail DeliveryAgent (MDA): ▫ Both hMDA and rMDA are responsible for accepting the message for delivery to distinct addresses. ▫ hMDA functions as a SMTP server engine and rMDA performs the delivery action • Relays: ▫ Nodes that perform e-mail relaying. Relaying is the process of receiving e-mail message from one SMTP e-mail node and forward it to another one. • Gateway: ▫ Gateway nodes are used to convert e-mail messages from one application layer protocol to other • Web Server (WebServ): ▫ These nodes are the e-mail Web servers that provide the Web environment to compose, send and read an e-mail message. • Mail Server (MailServ): ▫ They represent e-mail servers providing users mail access service using IMAP or POP3 protocols.
  • 7.
    E-mail Client attacks •Malware Distribution: Hackers with malicious intent can exploit your email client by distributing malware through email messages. • Phishing Attack: A phishing attack is generally not hazardous to the inner workings of your PC however; it is designed to trick you into revealing your personal information, passwords, or bank account information.
  • 8.
    Contd.. • Spam Attack: Spamis unsolicited email or "junk" mail that you receive in your Inbox. Spam generally contains advertisements but it can also contain malicious files. • Denial of Service Attack: A denial of service attack occurs when the hacker sends multitudes of email messages to your email client in an effort to block you from using your email client or crashing your computer altogether.
  • 9.
    E-mail Forensic InvestigationTechniques • Header Analysis Meta data in the e-mail message in the form of control information i.e. envelope and headers including headers in the message body contain information about the sender and/or the path along which the message has traversed. Some of these may be spoofed to conceal the identity of the sender. A detailed analysis of these headers and their correlation is performed in header analysis. • Server Investigation In this investigation, copies of delivered e-mails and server logs are investigated to identify source of an e-mail message. E-mails purged from the clients (senders or receivers) whose recovery is impossible may be requested from servers (ISP) as most of them store a copy of all e-mails after their deliveries.
  • 10.
    Contd.. • Network DeviceInvestigation Logs maintained by the network devices such as routers, firewalls and switches are used to investigate the source of an e-mail message. This form of investigation is complex and is used only when the logs of servers ( ISP) are unavailable due to some reason, e.g. when ISP or proxy does not maintain a log or lack of cooperation by ISP’s or failure to maintain chain of evidence.
  • 11.
    E-mail Forensics Tools •EmailTracer ▫ Traces the originating IP address and other details from e-mail header, generates detailed HTML report of email header analysis, finds the city level details of the sender, plots route traced by the mail and display the originating geographic location of the e-mail. • Aid4Mail Forensic ▫ Conversion tool, which supports various mail formats including Outlook (PST, MSG files), Windows Live Mail, Thunderbird, Eudora, and mbox. ▫ It can search mail by date, header content, and by message body content. Mail folders and files can be processed even when disconnected (unmounted) from their email client including those stored on CD, DVD, and USB drives. ▫ Aid4Mail Forensic can search PST files and all supported mail formats, by date range and by keywords in the message body or in the headers. Special Boolean operations are supported. It is able to process unpurged (deleted) e-mail from mbox files and can restore unpurged e-mail during exportation.
  • 12.
    Preeti Mishra, EmmanuelS. Pilli and R. C. Joshi-”Forensic Analysis of E-mail Date and Time Spoofing” Overview • To detect E-mail date and time spoofing • Forensic analysis by reading header information and analysis of fields related to date and time. • If sent-date and sent-time differs from the received date and received-time by some predefined margin, the E-mail has been spoofed.
  • 13.
    Contd.. • The E-mailheader is the envelope of the E-mail containing such information as: sender’s E-mail address, receiver’s E-mail address, subject, time of creation, delivery stamps, message author, cc, bcc, etc. • The date field in a spoofed E-mail header may contain a date which is ahead or before the actual date it was sent or attacker will change the time the message is sent. • Time field of Date: header can also be manipulated by attacker and make the E-mail message to be sent on time different from actual time. This may produce vulnerable result, specifically for those receivers, whose servers’ mails are sorted according to sending date and time.
  • 14.
    Technique • Calculates thethreshold or margin which is the usual time taken to receive an E-mail(maximum of differences in time between the sending time and last server time). • This margin is used to detect E-mail date and time spoofing in an E-mail. • All the date and time fields are converted to UTC (Universal Time Coordinated) time before comparing their differences with the margin.
  • 16.
    Algorithm to calculatemargin • Takes input a normal E-mail header file and margin file (which initially contains zero as initial margin value). • Extract three fields: ▫ Date: field (containing sending date / time / UTC offset), ▫ the last Received: field from the top (containing first server’s E- mail receiving date / time / UTC offset) ▫ the first Received: field from the top (containing last server’s E- mail receiving date / time / UTC offset). • Convert the above three fields into UTC time zone so that the values are uniform across various servers. • We find out the difference between sending time and last server E-mail receiving time. • If the difference is greater the margin; it writes the difference to margin file. • Each time a New E-mail header is processed the difference between sending time and first server time is calculated and compared with the margin. If difference is greater than margin, margin is updated.
  • 17.
    Three cases forany E-mail which is delivered to the recipient: (1) E-mail is not delivered on the same date of sending (2) E-mail is delivered on the same date but with a large variation in time and (3) E-mail is delivered on the same date and time (within an acceptable margin).
  • 20.
    Detection of spoofing •Checks the semantics of date and time fields in the E-mail header. It generates an error message if the semantics are improper (if the hacker could not set the semantics in his or her mail client program) and proceeds further, otherwise. • Checks whether sending_date and lastser_date are same. ▫ If the dates are same, it checks whether the difference between sending_time and lastser_time is less than a set margin or threshold. ▫ If the difference is less than the margin threshold, then the E-mail is found to be legitimate (case 3) and spoofed in time, otherwise (case 2). • If the dates are not same, the algorithm checks whether the sending_date and firstser_date are same. ▫ If they are same, the E-mail is not date spoofed, but may have been delayed because of a server breakdown or over load on some intermediate servers relaying the E-mail (case 3). ▫ If the sending_date and firstser_date are not same, then the E-mail is date spoofed (case 1). • In case if first SMTP server is temporarily unavailable then E-Mail sending error will come.
  • 21.
    References [1] Preeti Mishra,Emmanuel S. Pilli and R. C. Joshi-”Forensic Analysis of E-mail Date and Time Spoofing”-2012 Third International Conference on Computer and Communication Technology [2] M. Tariq Banday-”Techniques And Tools For Forensic Investigation Of E-mail”-International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.6, November 2011 [3] http://www.spamlaws.com/different-types- email-exploits.html
  • 22.