Grover Kearns, PhD, CPA, CFE

Class 11

1

Email Videos

2

How email workshttp://www.youtube.com/watch?v=YBzLPmx3xTUEmail Spoofinghttp://lybio.net/household-hacker-hacking-email-spoofing-101/science-technology/SMTP Spoofinghttp://www.youtube.com/watch?v=Up6XcxEilp4&feature=relatedTracing an emailhttp://www.youtube.com/watch?v=hSvswzSy3oA

Reading Email Headers

From <<my-work-address>> Sat Aug 17 16:00:24 2002Return-Path: <<my-work-address>>Received: from exanpcn4.arinc.com ([144.243.4.70]) by mta009.verizon.net     (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with ESMTP     id <20020817200009.CWZT20372.mta009.verizon.net@exanpcn4.arinc.com>     for <<my-home-address>>; Sat, 17 Aug 2002 15:00:09 -0500Received: from exanpcn2.arinc.com (unverified) by exanpcn4.arinc.com     (Content Technologies SMTPRS 4.1.5) with ESMTP id <T90f3203cca5cc55c0da9@exanpcn4.arinc.com> for <<my-home-address>>;    Sat, 17 Aug 2002 16:02:15 -0400Received: by exanpcn2.arinc.com with Internet Mail Service (5.5.2653.19)     \tid <QRZ549XW>; Sat, 17 Aug 2002 16:00:27 -0400Message-ID: <09328AED5429D311A3000008C7911B100778B52C@exanpmb1.arinc.com>From: "Conner, Richard C. \\(RCONNER\\)" <<my-work-address>>To: "my-home-address" <<my-home-address>>Subject: HelloDate: Sat, 17 Aug 2002 16:00:26 -0400MIME-Version: 1.0X-Mailer: Internet Mail Service (5.5.2653.19)Content-Type: text/plain

3

From <<my-work-address>> Sat Aug 17 16:00:24 2002Return-Path: <<my-work-address>>Received: from exanpcn4.arinc.com ([144.243.4.70]) by mta009.verizon.net     (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with ESMTP     id <20020817200009.CWZT20372.mta009.verizon.net@exanpcn4.arinc.com>     for <<my-home-address>>; Sat, 17 Aug 2002 15:00:09 -0500Received: from exanpcn2.arinc.com (unverified) by exanpcn4.arinc.com     (Content Technologies SMTPRS 4.1.5) with ESMTP id <T90f3203cca5cc55c0da9@exanpcn4.arinc.com> for <<my-home-address>>;    Sat, 17 Aug 2002 16:02:15 -0400Received: by exanpcn2.arinc.com with Internet Mail Service (5.5.2653.19)     \tid <QRZ549XW>; Sat, 17 Aug 2002 16:00:27 -0400Message-ID: <09328AED5429D311A3000008C7911B100778B52C@exanpmb1.arinc.com>

From: "Conner, Richard C. \\(RCONNER\\)" <<my-work-address>>To: "my-home-address" <<my-home-address>>Subject: HelloDate: Sat, 17 Aug 2002 16:00:26 -0400MIME-Version: 1.0X-Mailer: Internet Mail Service (5.5.2653.19)Content-Type: text/plain

Not required by SMTP

From <<my-work-address>> Sat Aug 17 16:00:24 2002Return-Path: <<my-work-address>>Received: from exanpcn4.arinc.com ([144.243.4.70]) by mta009.verizon.net     (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with ESMTP     id <20020817200009.CWZT20372.mta009.verizon.net@exanpcn4.arinc.com>     for <<my-home-address>>; Sat, 17 Aug 2002 15:00:09 -0500Received: from exanpcn2.arinc.com (unverified) by exanpcn4.arinc.com     (Content Technologies SMTPRS 4.1.5) with ESMTP id <T90f3203cca5cc55c0da9@exanpcn4.arinc.com> for <<my-home-address>>;    Sat, 17 Aug 2002 16:02:15 -0400Received: by exanpcn2.arinc.com with Internet Mail Service (5.5.2653.19)     \tid <QRZ549XW>; Sat, 17 Aug 2002 16:00:27 -0400

Message-ID: <09328AED5429D311A3000008C7911B100778B52C@exanpmb1.arinc.com>From: "Conner, Richard C. \\(RCONNER\\)" <<my-work-address>>To: "my-home-address" <<my-home-address>>Subject: HelloDate: Sat, 17 Aug 2002 16:00:26 -0400MIME-Version: 1.0X-Mailer: Internet Mail Service (5.5.2653.19)Content-Type: text/plain

unique message ID

From <<my-work-address>> Sat Aug 17 16:00:24 2002Return-Path: <<my-work-address>>Received: from exanpcn4.arinc.com ([144.243.4.70]) by mta009.verizon.net     (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with ESMTP     id <20020817200009.CWZT20372.mta009.verizon.net@exanpcn4.arinc.com>     for <<my-home-address>>; Sat, 17 Aug 2002 15:00:09 -0500Received: from exanpcn2.arinc.com (unverified) by exanpcn4.arinc.com     (Content Technologies SMTPRS 4.1.5) with ESMTP id <T90f3203cca5cc55c0da9@exanpcn4.arinc.com> for <<my-home-address>>;    Sat, 17 Aug 2002 16:02:15 -0400

Received: by exanpcn2.arinc.com with Internet Mail Service (5.5.2653.19)     \tid <QRZ549XW>; Sat, 17 Aug 2002 16:00:27 -0400Message-ID: <09328AED5429D311A3000008C7911B100778B52C@exanpmb1.arinc.com>From: "Conner, Richard C. \\(RCONNER\\)" <<my-work-address>>To: "my-home-address" <<my-home-address>>Subject: HelloDate: Sat, 17 Aug 2002 16:00:26 -0400MIME-Version: 1.0X-Mailer: Internet Mail Service (5.5.2653.19)Content-Type: text/plain

7

From <<my-work-address>> Sat Aug 17 16:00:24 2002Return-Path: <<my-work-address>>Received: from exanpcn4.arinc.com ([144.243.4.70]) by mta009.verizon.net     (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with ESMTP     id <20020817200009.CWZT20372.mta009.verizon.net@exanpcn4.arinc.com>     for <<my-home-address>>; Sat, 17 Aug 2002 15:00:09 -0500

Received: from exanpcn2.arinc.com (unverified) by exanpcn4.arinc.com     (Content Technologies SMTPRS 4.1.5) with ESMTP id <T90f3203cca5cc55c0da9@exanpcn4.arinc.com> for <<my-home-address>>;    Sat, 17 Aug 2002 16:02:15 -0400Received: by exanpcn2.arinc.com with Internet Mail Service (5.5.2653.19)     \tid <QRZ549XW>; Sat, 17 Aug 2002 16:00:27 -0400Message-ID: <09328AED5429D311A3000008C7911B100778B52C@exanpmb1.arinc.com>From: "Conner, Richard C. \\(RCONNER\\)" <<my-work-address>>To: "my-home-address" <<my-home-address>>Subject: HelloDate: Sat, 17 Aug 2002 16:00:26 -0400MIME-Version: 1.0X-Mailer: Internet Mail Service (5.5.2653.19)Content-Type: text/plain

8

From <<my-work-address>> Sat Aug 17 16:00:24 2002Return-Path: <<my-work-address>>

Received: from exanpcn4.arinc.com ([144.243.4.70]) by mta009.verizon.net (InterMail vM.5.01.05.09

201-253-122-126-109-20020611) with ESMTP id <20020817200009.CWZT20372.mta009.

verizon.net@exanpcn4.arinc.com> for <<my-home-address>>; Sat, 17 Aug 2002 15:00:09 -0500Received: from exanpcn2.arinc.com (unverified) by exanpcn4.arinc.com     (Content Technologies SMTPRS 4.1.5) with ESMTP id <T90f3203cca5cc55c0da9@exanpcn4.arinc.com> for <<my-home-address>>;    Sat, 17 Aug 2002 16:02:15 -0400Received: by exanpcn2.arinc.com with Internet Mail Service (5.5.2653.19)     \tid <QRZ549XW>; Sat, 17 Aug 2002 16:00:27 -0400Message-ID: <09328AED5429D311A3000008C7911B100778B52C@exanpmb1.arinc.com>From: "Conner, Richard C. \\(RCONNER\\)" <<my-work-address>>To: "my-home-address" <<my-home-address>>Subject: HelloDate: Sat, 17 Aug 2002 16:00:26 -0400MIME-Version: 1.0X-Mailer: Internet Mail Service (5.5.2653.19)Content-Type: text/plain

From <<my-work-address>> Sat Aug 17 16:00:24 2002Return-Path: <<my-work-address>>Received: from exanpcn4.arinc.com ([144.243.4.70]) by mta009.verizon.net     (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with ESMTP     id <20020817200009.CWZT20372.mta009.verizon.net@exanpcn4.arinc.com>     for <<my-home-address>>; Sat, 17 Aug 2002 15:00:09 -0500Received: from exanpcn2.arinc.com (unverified) by exanpcn4.arinc.com     (Content Technologies SMTPRS 4.1.5) with ESMTP id <T90f3203cca5cc55c0da9@exanpcn4.arinc.com> for <<my-home-address>>;    Sat, 17 Aug 2002 16:02:15 -0400Received: by exanpcn2.arinc.com with Internet Mail Service (5.5.2653.19)     \tid <QRZ549XW>; Sat, 17 Aug 2002 16:00:27 -0400Message-ID: <09328AED5429D311A3000008C7911B100778B52C@exanpmb1.arinc.com>From: "Conner, Richard C. \\(RCONNER\\)" <<my-work-address>>To: "my-home-address" <<my-home-address>>Subject: HelloDate: Sat, 17 Aug 2002 16:00:26 -0400MIME-Version: 1.0X-Mailer: Internet Mail Service (5.5.2653.19)Content-Type: text/plain

9

Another Example – Partial Header

Delivered-To: gkearns@mail.usf.edu Received: by 10.68.58.39 with SMTP id n7cs40710pbq; …Return-Path: <stpetebay@yahoo.com> …Received: from [127.0.0.1] by omp1017.mail.bf1.yahoo.com with NNFMP;

20 Jun …Received: (qmail 38143 invoked by uid 60001); 20 Jun 2011 19:58:58 -

0000 Message-ID: <391707.15764.qm@web161204.mail.bf1.yahoo.com> Received: from [70.126.236.236] by web161204.mail.bf1.yahoo.com via

HTTP; Mon, 20 Jun 2011 12:58:58 PDT X-Mailer: YahooMailClassic/14.0.3 YahooMailWebService/0.8.111.304355 Date: Mon, 20 Jun 2011 12:58:58 -0700 (PDT)

From: Grover Kearns <stpetebay@yahoo.com> Subject: Be Alert To: gkearns@mail.usf.edu MIME-Version: 1.0 Content-

Type: text/plain; charset=us-ascii

Now get to work!

Mobile Phone Forensics

Unauthorized photos, videos, audio recording

Digital fraud and data duplication

Industrial espionage Acceptable use policy

12

Mobile Phone Forensics

SIM Cards- Subscriber Identity Module

SD Cards- Secure Digital13

Mobile Phone Forensics

International Mobile Subscriber Identity

Integrated Circuit Card Identifier (ICC-ID)

Authentication Key (Ki)

Location Area Identity SMS Message /

Contacts

Stored Data on SIM Cards

14

Mobile Phone Forensics

Stored Data on SD Cards

Call logs Text Messages Electronic documents Phonebooks Videos Music Photos Calendar

15

Smart Phone Videos How to Save Data to a Phone's Micro SD

Memory Cardhttp://www.ehow.com/video_4756774_save-micro-sd-memory-card.html SIM Card Reader 

http://www.proofpronto.com/cell-phone-spy.html?gclid=CIfqu8zqwqkCFYgW2god9AZacw

Hacking the iPhone  

http://www.youtube.com/watch?v=ZgITSfrEILQ

16

Problems with Mobile Forensics

Lack of single standards How cell phones store messages

Multitude of models Generations: analog, PCS, 3G,

4G, ???

Remote Phone Wipes

18

All smart phones can be “wiped” remotely. Check the web for instructions for each phone.

Securing Mobile Phones

Securing the mobile phone is the first action

Turning it off will lose RAM If on it can be wiped remotely Wrap multiple times in foil or Place in empty paint bucket

21

SIMCon

Reads SIM files Analyzes file content Recovers deleted text messages Manages PIN codes Exports data to spreadsheet files

22

Comparing 3G to 4G 3G Average download

speed is 1 to 100 Mbps

Allowed email and Internet access

Allows apps with music downloads and video calling

Applies to all smartphones

4G A set of standards that

hasn't really been clearly defined

Average download speeds are about twice as fast as 3G at 4-6 Mbps

More apps, More secure

Digital Networks

CDMA – Uses full radio frequency spectrum. Sprint and Verizon use this.

GSM – Used by AT&T and T-Mobile and standard in Europe and Asia. You can switch your SIM card with GSM!

OFDM – Probably will be the chosen technology for 4G.

Smart Phones

Contain: RAM, ROM, microprocessor, radio module, hardware interfaces.

Many have memory cards (SIM). Store system data in EEPROM. OS is stored in ROM.

26

28

29

30

31

Jailbreaking & Unlocking

Unlocking allows owner to switch SIM cards

Could void warranty

Jailbreaking allows owner to add apps that are not supported by vendor

Not illegal

32

Recovering Deleted Files

http://www.youtube.com/watch?v=5ShSIYRQnZY&feature=related

33

Web Sites - Email Email Spoofinghttp://lybio.net/household-hacker-hacking-email-

spoofing-101/science-technology/ Tracing an emailhttp://www.youtube.com/watch?v=hSvswzSy3oA How to find IP address and shutdown network

computerhttp://www.youtube.com/watch?v=fFLd0EQR-

uE&feature=related Restoring deleted fileshttp://www.youtube.com/watch?

v=5ShSIYRQnZY&feature=related

Web Sites – Mobile Phones

SIM Card Readerhttp://www.proofpronto.com/cell-phone-

spy.html?gclid=CIfqu8zqwqkCFYgW2god9AZacw

Hacking iPhone http://www.youtube.com/watch?v=ZgITSfrEILQ How to Save Data to a Phone's Micro SD

Memory Cardhttp://www.ehow.com/video_4756774_save-

micro-sd-memory-card.html