Date posted: 22-Jan-2017
Uploaded by: pes-university-bangalore

E-mail Forensics
Presented by: Tania Ronald Mendonca (01FM15ECS039), M.Tech, 3rd Semester

Introduction
• E-mail is an Internet application for communicating messages, delivering documents and carrying out transactions, and is used not only from computers but from many other electronic devices such as mobile phones.
• E-mail protocols have been secured through several security extensions and procedures; however, cybercriminals continue to misuse e-mail for illegitimate purposes: sending spam and phishing e-mails, distributing child pornography and hate mail, and propagating viruses, worms and Trojan horses.
• E-mail forensic analysis studies the source and content of an e-mail message as evidence, identifying the actual sender, the recipient, and the date and time it was sent, in order to collect credible evidence on which action can be taken against a criminal.

E-mail Architecture
• MUA (Mail User Agent):
▫ The author MUA (aMUA) creates messages and performs the initial submission via a Mail Submission Agent (MSA).
▫ The recipient MUA (rMUA) processes received mail, which includes displaying and disposing of the received message and closing or expanding the user communication loop by initiating replies and forwarding new messages.
• Message/Mail Store (MS):
▫ Long-term message store for the MUA, which can be located on a remote server or on the machine running the MUA.
▫ The MUA accesses the MS either by a local mechanism or by using POP or IMAP.
• Mail Submission Agent (MSA):
▫ Accepts the message submitted by the aMUA for posting.
▫ Adds header fields such as Date and Message-ID and expands addresses to their formal Internet Message Format (IMF) representation. The handling MSA (hMSA) is responsible for transferring the message to an MTA.
• Message/Mail Transfer Agent (MTA):
▫ MTA nodes are in effect postal sorting agents. For each e-mail to be sent they retrieve the relevant Mail eXchange (MX) record from the DNS server and thus map the addressee's domain name to the IP address of the server that accepts mail for it.
▫ A receiving MTA can also deliver the e-mail message to the recipient's mailbox on the mail server, in which role it is also called a Mail Delivery Agent (MDA).
• Message/Mail Delivery Agent (MDA):
▫ Both the handling MDA (hMDA) and the recipient MDA (rMDA) are responsible for accepting the message for delivery to distinct addresses.
▫ The hMDA functions as an SMTP server engine and the rMDA performs the delivery action.
• Relays:
▫ Nodes that perform e-mail relaying. Relaying is the process of receiving an e-mail message from one SMTP node and forwarding it to another.
• Gateway:
▫ Gateway nodes convert e-mail messages from one application-layer protocol to another.
• Web Server (WebServ):
▫ These nodes are the e-mail Web servers that provide the Web environment to compose, send and read e-mail messages.
• Mail Server (MailServ):
▫ E-mail servers providing users a mail access service using the IMAP or POP3 protocols.

E-mail Client attacks
• Malware Distribution: Attackers can exploit your e-mail client by distributing malware through e-mail messages.
• Phishing Attack: A phishing attack is generally not hazardous to the inner workings of your PC; it is designed to trick you into revealing personal information, passwords or bank account details.
• Spam Attack: Spam is unsolicited or "junk" e-mail that arrives in your Inbox. Spam generally contains advertisements, but it can also carry malicious files.
• Denial of Service Attack: A denial-of-service attack occurs when the attacker sends a flood of e-mail messages to your mailbox in an effort to block you from using your e-mail client or to crash your computer altogether.

E-mail Forensic Investigation Techniques
• Header Analysis: Metadata in the e-mail message in the form of control information, i.e. the envelope and the headers (including headers in the message body), contains information about the sender and/or the path along which the message has traversed. Some of these fields may be spoofed to conceal the identity of the sender: anything the sender controls (From, Date, Message-ID and any Received lines already present in the message at submission) can be forged, whereas only the Received lines added by servers the investigator trusts, read from the top downward, are reliable. A detailed analysis of these headers and their correlation is performed in header analysis.
• Server Investigation: In this investigation, copies of delivered e-mails and server logs are examined to identify the source of an e-mail message. E-mails purged from the clients (sender's or receiver's) whose recovery is otherwise impossible may be requested from the servers (ISP), as most of them keep a copy of all e-mails after delivery.
• Network Device Investigation: Logs maintained by network devices such as routers, firewalls and switches are used to investigate the source of an e-mail message. This form of investigation is complex and is used only when the server (ISP) logs are unavailable for some reason, e.g. when the ISP or proxy does not maintain logs, the ISP does not cooperate, or the chain of custody of the evidence has not been maintained.

E-mail Forensics Tools
• EmailTracer
▫ Traces the originating IP address and other details from the e-mail header, generates a detailed HTML report of the header analysis, finds city-level details of the sender, plots the route traced by the mail and displays the originating geographic location of the e-mail.
• Aid4Mail Forensic
▫ Conversion tool supporting various mail formats, including Outlook (PST, MSG files), Windows Live Mail, Thunderbird, Eudora and mbox.
▫ It can search mail by date, header content and message body content. Mail folders and files can be processed even when disconnected (unmounted) from their e-mail client, including those stored on CD, DVD and USB drives.
▫ Aid4Mail Forensic can search PST files and all supported mail formats by date range and by keywords in the message body or in the headers; Boolean operators are supported. It can process deleted-but-not-yet-purged e-mail in mbox files and restore such messages during export.

Preeti Mishra, Emmanuel S. Pilli and R. C. Joshi, "Forensic Analysis of E-mail Date and Time Spoofing" [1]
Overview
• Goal: detect e-mail date and time spoofing.
• Forensic analysis by reading the header information and analysing the fields related to date and time.
• If the sending date and time differ from the received date and time by more than a predefined margin, the e-mail is considered spoofed.
• The e-mail header acts as the envelope of the e-mail, carrying information such as the sender's address, the receiver's address, subject, time of creation, delivery stamps, message author, cc, bcc, etc.
• The Date: field in a spoofed e-mail header may contain a date that is ahead of or behind the actual date of sending; alternatively the attacker may change only the time at which the message appears to have been sent.
• The time part of the Date: header can also be manipulated by the attacker so that the message appears to have been sent at a time different from the actual one. This can mislead receivers whose mail is sorted by sending date and time.

Technique
• Calculate the threshold or margin, which is the usual time taken to receive an e-mail (the maximum of the differences between the sending time and the last server's receiving time over a set of normal e-mails).
• This margin is then used to detect date and time spoofing in an e-mail.
• All date and time fields are converted to UTC (Coordinated Universal Time) before their differences are compared with the margin.

Algorithm to calculate the margin
• Takes as input a normal e-mail header file and a margin file (which initially contains zero as the margin value).
• Extracts three fields:
▫ the Date: field (containing the sending date / time / UTC offset),
▫ the last Received: field from the top (containing the first server's receiving date / time / UTC offset),
▫ the first Received: field from the top (containing the last server's receiving date / time / UTC offset).
• Converts the three fields to the UTC time zone so that the values are uniform across servers.
• Finds the difference between the sending time and the last server's receiving time.
• If the difference is greater than the margin, it writes the difference to the margin file.
• Each time a new normal e-mail header is processed, the difference between the sending time and the last server's receiving time is calculated and compared with the margin; if the difference is greater than the margin, the margin is updated.

Three cases for any e-mail that is delivered to the recipient:
(1) the e-mail is not delivered on the same date as it was sent;
(2) the e-mail is delivered on the same date but with a large variation in time;
(3) the e-mail is delivered on the same date and at a time within an acceptable margin.

Detection of spoofing
• Check the semantics of the date and time fields in the e-mail header. An error message is generated if the semantics are improper (e.g. the attacker could not set well-formed values in his or her mail client program); otherwise the analysis proceeds.
• Check whether sending_date and lastser_date are the same.
▫ If the dates are the same, check whether the difference between sending_time and lastser_time is less than the set margin or threshold.
▫ If the difference is within the margin, the e-mail is found to be legitimate (case 3); otherwise it is spoofed in time (case 2).
• If the dates are not the same, check whether sending_date and firstser_date are the same.
▫ If they are the same, the e-mail is not date spoofed but may have been delayed because of a server breakdown or overload on some intermediate server relaying the e-mail (case 3).
▫ If sending_date and firstser_date are not the same, the e-mail is date spoofed (case 1).
• If the first SMTP server is temporarily unavailable, an e-mail sending error results instead.
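The margin algorithm and the detection steps above, together with the Received:-chain walk of the header-analysis technique, as an added worked example in Python. It was written for this page and is not the authors' implementation; the headers, hostnames and IP addresses are constructed. Two deliberate deviations from the slides are marked in the code: the delay is taken as an absolute value so that a Date: later than the receipt time cannot pass, and a delay exactly equal to the margin is accepted so that the known-good mail that defined the margin is not itself flagged.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_header(raw):
    """Return (sending, first_server, last_server, hops) for one raw header.

    Times are UTC-aware datetimes. first_server is the bottom-most Received:
    line (the server that accepted the message from the author), last_server
    the top-most one (the recipient's own server). hops lists bracketed IPv4
    addresses in the order the message actually travelled (bottom-up).
    Raises ValueError for a missing or malformed field: the "improper
    semantics" error case of the detection step.
    """
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    if msg["Date"] is None or not received:
        raise ValueError("Date: or Received: field missing")
    try:
        sending = parsedate_to_datetime(" ".join(msg["Date"].split()))
        # the timestamp of a Received: line follows its final ';'
        stamps = [parsedate_to_datetime(" ".join(r.rsplit(";", 1)[1].split()))
                  for r in received]
    except (ValueError, TypeError, IndexError) as exc:
        raise ValueError(f"malformed date/time field: {exc}") from exc
    if any(d.tzinfo is None for d in [sending, *stamps]):
        raise ValueError("date/time field has no UTC offset")
    # normalise every field to UTC so stamps from different servers compare
    sending = sending.astimezone(timezone.utc)
    stamps = [d.astimezone(timezone.utc) for d in stamps]
    hops = [ip for r in reversed(received) for ip in IPV4_IN_BRACKETS.findall(r)]
    return sending, stamps[-1], stamps[0], hops


def compute_margin(normal_headers):
    """Largest sending-to-last-server delay seen in known-good mail (starts at zero)."""
    margin = timedelta(0)
    for raw in normal_headers:
        sending, _first, last, _hops = parse_header(raw)
        # abs() is our addition: a Date: after receipt must not yield a negative delay
        margin = max(margin, abs(last - sending))
    return margin


def detect_spoofing(raw, margin):
    """Classify one header into the paper's three cases, or report a parse error."""
    try:
        sending, first, last, _hops = parse_header(raw)
    except ValueError as exc:
        return "error", str(exc)
    if sending.date() == last.date():
        # same date: only the time can have been tampered with; <= so the
        # known-good mail that defined the margin is itself accepted
        if abs(last - sending) <= margin:
            return "case 3", "legitimate"
        return "case 2", "time spoofed"
    if sending.date() == first.date():
        return "case 3", "delayed in transit, not date spoofed"
    return "case 1", "date spoofed"


def make_header(date_field, first_stamp, last_stamp):
    """Build a constructed two-hop header; hosts and IPs are illustrative only."""
    return (
        "Received: from mx.sender.example (mx.sender.example [198.51.100.7])\n"
        "\tby mail.example.org (Postfix) with ESMTPS id 4Fz1\n"
        f"\tfor <bob@example.org>; {last_stamp}\n"
        "Received: from client.sender.example (client.sender.example [192.0.2.15])\n"
        f"\tby mx.sender.example with ESMTPSA id 9Qx7; {first_stamp}\n"
        f"Date: {date_field}\n"
        "From: alice@sender.example\nTo: bob@example.org\n"
        "Subject: quarterly report\nMessage-ID: <abc@sender.example>\n\nbody\n"
    )


# Constructed known-good headers used to learn the margin (40 s and 130 s delays).
NORMAL_HEADERS = [
    make_header("Mon, 12 Sep 2016 15:35:00 +0530",
                "Mon, 12 Sep 2016 10:05:02 +0000", "Mon, 12 Sep 2016 10:05:40 +0000"),
    make_header("Tue, 13 Sep 2016 09:00:00 -0400",
                "Tue, 13 Sep 2016 13:00:05 +0000", "Tue, 13 Sep 2016 13:02:10 +0000"),
]

# Constructed suspects: Date: two hours early, Date: a day early, a genuine
# overnight delay, and a Date: value the parser cannot interpret.
SUSPECTS = {
    "time_spoofed": make_header("Mon, 12 Sep 2016 08:00:00 +0000",
                                "Mon, 12 Sep 2016 10:05:02 +0000", "Mon, 12 Sep 2016 10:05:40 +0000"),
    "date_spoofed": make_header("Sun, 11 Sep 2016 10:00:00 +0000",
                                "Mon, 12 Sep 2016 10:05:02 +0000", "Mon, 12 Sep 2016 10:05:40 +0000"),
    "delayed": make_header("Mon, 12 Sep 2016 23:58:00 +0000",
                           "Mon, 12 Sep 2016 23:58:20 +0000", "Tue, 13 Sep 2016 00:40:00 +0000"),
    "garbage_date": make_header("yesterday", "Mon, 12 Sep 2016 10:05:02 +0000",
                                "Mon, 12 Sep 2016 10:05:40 +0000"),
}

if __name__ == "__main__":
    margin = compute_margin(NORMAL_HEADERS)
    print("margin:", margin, "hops of first sample:", parse_header(NORMAL_HEADERS[0])[3])
    for name, raw in SUSPECTS.items():
        print(name, "->", detect_spoofing(raw, margin))
```

The margin learned from the two constructed good messages is 130 seconds, so the same-day suspect with a Date: two hours early falls into case 2, the day-early Date: into case 1, and the overnight delivery into case 3 (delayed, not spoofed) because the first server's date still matches the Date: field. In a real investigation the Received: lines should be trusted only from the recipient's own servers downward, as noted under header analysis; a sender who also forges Received: lines can defeat the first-server comparison.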

References
[1] Preeti Mishra, Emmanuel S. Pilli and R. C. Joshi, "Forensic Analysis of E-mail Date and Time Spoofing", 2012 Third International Conference on Computer and Communication Technology.
[2] M. Tariq Banday, "Techniques And Tools For Forensic Investigation Of E-mail", International Journal of Network Security & Its Applications (IJNSA), Vol. 3, No. 6, November 2011.
[3] http://www.spamlaws.com/different-types-email-exploits.html

THANK YOU
