
© 2008 Pearson Education, Inc. Prentice Hall Upper Saddle River, NJ 07458 Investigating High-Tech Crime By Michael Knetzger and Jeremy Muraski Email Tracing.


1 Email Tracing Procedures
In general, email is one of the easiest forms of communication to track and trace. First, email service providers plan for and provide online mailbox storage of messages, usually for both the sender and the recipient. Second, email messages have the source and destination information encoded right into them to ensure proper routing. This encoded addressing scheme is usually not seen by the average email user.

2 Email Headers
Most users generally see only lines such as To:, From:, Re:, and the date. This information is commonly referred to as the brief headers. Behind the scenes, in the full email header (i.e., full headers), the actual message routing information is present. When someone views the full header, he or she can examine the source and destination information in its entirety. Additionally, as the message travels across the Internet, it passes through other computers (mail-routing servers) on its way to the recipient. Each routing server or other PC it touches will generally add a line to the header with the IP address of that server and a timestamp for when the message passed through that system.

3 Beginning the Trace / Preserving Evidence
It would stand to reason that the first step in tracing any email would be to examine the full header. There is, however, one prior step that should be taken, as is the case with all other digital evidence. To ensure that we do not modify, alter, or destroy digital evidence, it should be standard operating procedure to first make an exact digital copy or clone of the evidence, in this case the email message. In some major cases this will mean cloning an entire hard drive. In a lower-level email case, it could mean simply saving the email to a disk or other storage device, such as a USB key. Some jurisdictions may have adopted their state’s email harassment statute as a municipal ordinance violation.

4 Ordinance, Misdemeanor, or Felony?
Cloning an entire hard drive is overkill when prosecuting an email harassment as an ordinance violation case in municipal court with a civil forfeiture penalty. Circuit Court criminal matters, on the other hand, will have a much higher standard of evidence, and the evidence in these cases should be treated accordingly.

5 Step One for Email – View Full Headers
Once we have ensured the safety of at least one exact copy, we can begin to analyze an evidentiary copy. On that evidence copy, the first step is to analyze the full headers of the email message. Most email programs by default display only the brief headers (To, From, RE:, Date, etc.), but all types of email, including web-based email such as Hotmail® and Yahoo!® mail, can be set up to display the full email headers by selecting that option.

6 Analyzing the Full Header
The full header contains many lines of data, including names of servers, email addresses, IP addresses, and timestamps. The investigator will need to go through this material in chronological order to see how the message traveled. Generally speaking, we will work from the most recent timestamp (the recipient) backwards to the oldest timestamp (the sender). The first timestamp occurred when the sender hit the send button in his or her email application and the message first touched the email server of the sender’s Internet service provider. That line lists the IP address the sender’s personal computer had at the time it connected and sent the message.

7 Full Email Header Example

8 Working Backwards to the Earliest
The next IP address and timestamp in the chain will generally be the IP address of the email server of the sender’s Internet service provider. The third will usually be the email server of the recipient’s ISP. The final IP address will be the one assigned to the recipient’s computer at the time the recipient retrieved the email message from the ISP server to his or her PC. Once an investigator has isolated the IP addresses and timestamps in the full header of an email, the next step is to verify who is responsible for each IP address.
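The chronological walk described in slides 6 and 8, as an added example that is not part of the textbook: each relay prepends its own Received: line, so the parser reverses the list to run from the sender’s PC forward, and a simple consistency check flags a chain whose timestamps go backwards or whose hops do not connect, the usual sign of a forged header line. The message, host names, IP addresses (documentation ranges) and dates are all constructed.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample header. Each relay prepends its own Received: line, so
# the top line is the newest hop (recipient side) and the bottom the oldest.
RAW_MESSAGE = """\
Received: from mx.recipient-isp.example (mx.recipient-isp.example [203.0.113.10])
\tby mailstore.recipient-isp.example; Tue, 4 Mar 2008 10:15:32 -0600
Received: from smtp.sender-isp.example (smtp.sender-isp.example [198.51.100.25])
\tby mx.recipient-isp.example; Tue, 4 Mar 2008 10:15:30 -0600
Received: from userpc (cpe-192-0-2-77.sender-isp.example [192.0.2.77])
\tby smtp.sender-isp.example; Tue, 4 Mar 2008 10:15:27 -0600
From: someone@sender-isp.example

body
"""

# "from <helo-name> (... [ip]) by <server>" as written by most mail servers
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+([^\s;]+)")

def parse_hops(raw):
    """Return hops oldest first as dicts: from_host, ip, by_host, time."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        line = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(line)
        if not m:
            continue  # relay did not record a literal IP; skip it
        stamp = line.rsplit(";", 1)[1].strip()  # timestamp follows the last ';'
        hops.append({"from_host": m.group(1), "ip": m.group(2),
                     "by_host": m.group(3), "time": parsedate_to_datetime(stamp)})
    hops.reverse()  # walk from the sender's PC forward in time
    return hops

def chain_is_consistent(hops):
    """True if timestamps never go backwards and every 'by' host is the next
    hop's 'from' host; a break hints at a forged Received: line."""
    for prev, nxt in zip(hops, hops[1:]):
        if nxt["time"] < prev["time"] or prev["by_host"] != nxt["from_host"]:
            return False
    return True

def originating_ip(raw):
    """IP recorded by the first server the message touched (the sender's PC)."""
    return parse_hops(raw)[0]["ip"]

if __name__ == "__main__":
    for hop in parse_hops(RAW_MESSAGE):
        print(hop["time"].isoformat(), hop["ip"], "->", hop["by_host"])
```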

9 WHOIS the Owner of This IP?
On the Internet, domain name information and IP address information can be tracked using a WHOIS query. There are many agencies responsible for the sale and registration of IP addresses and domain names. One of the most wide-reaching is the American Registry for Internet Numbers (ARIN), which can be accessed at www.arin.net. Investigators can type any domain name or IP address into a WHOIS search function, and the registry’s databases will return registration information, including which company owns or maintains a given IP address or range of addresses.

10 WHOIS Example

11 One Connection – Many Email Accounts
The easiest scenario is the case where a user has his or her Internet service and email accounts with the same company. Many users will, however, have many different email accounts used for different purposes. It is not uncommon for one person to use the cable company for the Internet connection, have an email address through that cable company, and have several separate email accounts with online mail providers such as Yahoo® and Hotmail®.

12 Once I Know WHOIS, Then What?
Once the responsible email provider and Internet service provider have been determined, the investigator can draft a subpoena for records from those companies. Some companies can be served with the subpoena at the mailing address provided in their WHOIS search results. Other companies have different procedures, ranging from very strict, such as AOL™, to more lax approaches. AOL subpoenas and search warrants have to be served locally in Virginia. Some other companies will accept a fax of the document and begin processing the request immediately. Each company should have a designated point of contact for questions regarding subpoenas and search warrants.

13 Subpoenas
If approved by a judge, the subpoena will compel the company to turn over any and all records it has regarding that particular user’s account. Naturally, this will include a billing name and billing address. Depending on the severity or nature of the offense, the billing information and address could then be used for drafting a search warrant for the suspect’s home, which could ultimately result in the search and seizure of the suspect’s computer.

14 Traceable Email
This works much like sending a registered letter via the postal service, in that the sender receives confirmation that the message was received. One example of such a service is “confirm.to.” For a modest fee, this Web site attaches a line of code to your email and then sends it on to the intended recipient. As soon as that person opens your email message, a notice is automatically sent by confirm.to telling you the IP address, date, and time the email was opened. This is generally unrecognizable to the recipient, who will see nothing wrong with the email.

15 Traceable Email, con’t.
Unless the offender is suspicious enough to look closely at the full email header, he or she will not realize what has occurred. By utilizing this tool, we can easily find out the IP address used by the offender on that date and time, and if the offender checks his or her email from the usual PC, this will greatly aid the investigator in obtaining a subpoena for ISP records, or possibly a search warrant for the suspect’s address.
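The “line of code” such a service inserts is a remote resource that the mail client fetches when the message is rendered, and that fetch is what discloses the reader’s IP address and the opening time. As an added example (not from the textbook, and not confirm.to’s own code), this Python scans an HTML message body for remote, hidden resources of that kind, the check a mail filter or a careful reader would run; clients that block remote images defeat the technique for the same reason. The body and the tracker.example URL are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose attribute causes a fetch from the Internet when the mail is shown.
FETCHING_TAGS = {"img": "src", "iframe": "src", "link": "href"}

class BeaconFinder(HTMLParser):
    """Collect remote resources a mail client would request on open."""
    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag not in FETCHING_TAGS:
            return
        a = dict(attrs)
        url = a.get(FETCHING_TAGS[tag]) or ""
        parts = urlparse(url)
        if parts.scheme not in ("http", "https"):
            return  # inline cid: images and data: URLs cause no remote fetch
        hidden = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        self.beacons.append({
            "tag": tag,
            "url": url,
            "hidden": hidden,                  # 1x1 or zero-size element
            "tokenized": bool(parts.query),    # per-recipient id in the URL
        })

def find_beacons(html):
    """Return every remote resource in the body, with tracking indicators."""
    finder = BeaconFinder()
    finder.feed(html)
    return finder.beacons

def is_traceable(html):
    """True if opening the message would report the reader's IP and time."""
    return any(b["hidden"] or b["tokenized"] for b in find_beacons(html))

# Constructed sample body: one hidden tracking image next to an inline logo.
HTML_BODY = """<html><body>
<p>Hello,</p><p>Please see the attached report.</p>
<img src="https://tracker.example/open?id=7f3a9c" width="1" height="1" alt="">
<img src="cid:logo.png" alt="company logo">
</body></html>"""

if __name__ == "__main__":
    for b in find_beacons(HTML_BODY):
        print(b)
```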

16 Summary of Email Tracing Steps
1. Make an evidentiary copy of the email message.
2. Working on the evidentiary copy, expand the email to view the full email headers, which contain routing, IP address, and timestamp information.
3. Work backwards chronologically from the most recent timestamp to the oldest timestamp and examine the associated IP addresses.
4. Perform a WHOIS search on the IP addresses in order to ascertain who is responsible for them.
5. Subpoena records from the appropriate company or entity to get the user’s account information, billing address, etc.

