Published by Darrell Watts. Modified over 9 years ago.
1
Understanding Technology Crime Investigation for Managers
2
Session 3 A grounding in technology concepts (Tracing e-mail & Instant Messages)
3
How e-mail works. E-mail cannot be sent directly from computer to computer (think about what would happen if the destination computer were turned off). It works in a similar way to real mail: it passes through a series of servers (post offices) until it is near the destination. Then, when it is appropriate (i.e. the end user requests to download the mail), it is delivered to the recipient.
4
Tracing e-mail – breadcrumbs! Every time an e-mail is received by a server, it stamps the message with details of the server that it received the mail from. This effectively leaves a trail which can be used to return to the e-mail originator. Confused?
5
Mail server with IP 218.102.20.130. User sends e-mail from IP address 123.45.67.89. Mail server stamps the e-mail header with originating IP 123.45.67.89. Recipient downloads e-mail: the last stamp contains the IP of the mail server.
6
Tracing e-mail – e-mail headers. Why can't you see this information in an e-mail? The information is stored in extended e-mail headers. We need to know how to access (and read) these headers. Demo!
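An added example, not from the presentation: a small Python script that reads the Received: headers of a message and walks the breadcrumb trail back to the originating IP. The message is constructed; the hostnames are invented and the IP addresses are the ones from the previous slide.

```python
import re
from email import message_from_string

# Constructed sample (not a real capture): the hostnames are invented, the IPs are
# the ones on the slides. Each server prepends its own Received: line, so the top
# line is the last hop and the bottom line is the hop nearest the sender.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [218.102.20.130])
    by mail.recipient.example (Postfix) with ESMTP id 7F2A1
    for <victim@recipient.example>; Tue, 04 Mar 2003 10:02:11 +0800
Received: from [123.45.67.89] (helo=home-pc)
    by mx.example.net with SMTP id 1ABCDE-0001;
    Tue, 04 Mar 2003 10:01:58 +0800
From: "A. Sender" <sender@example.net>
To: victim@recipient.example
Subject: test

hello
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RECEIVED_BY = re.compile(r"\bby\s+([^\s;(]+)")

def received_chain(raw):
    """Received: lines in transit order: the hop nearest the sender comes first."""
    hops = message_from_string(raw).get_all("Received") or []
    return list(reversed(hops))

def hop_summary(hop):
    """(receiving server, IP it saw the connection come from) for one Received: line."""
    by = RECEIVED_BY.search(hop)
    ip = BRACKETED_IP.search(hop)
    return (by.group(1) if by else None, ip.group(1) if ip else None)

def trace(raw):
    """Follow the breadcrumbs sender-first, one (server, source IP) pair per hop."""
    return [hop_summary(h) for h in received_chain(raw)]

def originating_ip(raw):
    """The connection IP recorded in the earliest hop, i.e. the sender's address.

    Only lines stamped by servers you trust are reliable: a sender can append
    forged Received: lines below the genuine ones, so read from your own
    server's line downwards and stop where the chain of trust ends.
    """
    chain = trace(raw)
    return chain[0][1] if chain else None
```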
7
Simple e-mail faking. It's very easy to create a (superficially) fake e-mail: e-mail software does not check that you have entered the correct identity information when you set up an e-mail account. Demo!
8
Simple e-mail faking – exercise. Use the e-mail client Outlook Express to create a new account on your computer. You must use the correct mail server settings, but you can choose a fake identity. Send an e-mail to your neighbour. Open the e-mail that you receive and see how it looks: view the e-mail header and then trace the originating IP address.
9
E-mail content. Of course, being able to trace the e-mail is extremely important. However, we also need to understand the nature of the e-mail content. E-mails can be received in two ways: plain text, or HTML encoded with multimedia add-ins.
11
E-mail content. If you receive an e-mail in plain text, then what you see is what you get (WYSIWYG). However, e-mails in HTML coding can be used to hide the true content and the location of any hyperlinks. Thus they are commonly used to perpetrate frauds.
12
E-mail Fraud. A good example is in your manual (p. 59). This involves a case where a large US ISP's website was faked. The fraudsters then sent out a huge volume of e-mails, hoping that at least some of them would be received by Earthlink customers. The e-mails directed victims to the fake website and instructed them to submit personal details.
13
E-mail Fraud
15
<a href="https://www.earthlink.net%00@211.154.171.106/li_pin/verification/step1_e.htm">https://earthlink.net/payment/verification.cgi</a>
The visible link text reads https://earthlink.net/payment/verification.cgi, but the real destination is the host 211.154.171.106: in a URL, everything before the "@" is treated as a user name rather than as the host name, and the encoded null byte (%00) caused some e-mail clients and browsers of the day to stop displaying the address at that point, so only the earthlink.net part appeared to the victim.
20
E-mail Fraud
22
Instant Messaging. Real-time text chat facilities. Many people (especially youngsters) use them as a complement to or replacement for e-mail. Therefore they may contain criminal communications.
24
Instant Messaging. An example of when a trace of instant messaging may be required (see page 65 of the manual).
25
E-Mail as a Spy Tool or for undercover work (extra topic)
26
Normal E-mail Tracing. After receiving the e-mail, we view the header and use the information to trace the originating IP address. BUT… what if you are conducting an undercover operation and want to trace a suspect e-mail address without receiving an e-mail from the suspect?
27
Tracking E-mails. How to spy on someone using e-mails? Commercial services are available which claim to: prove the e-mail was opened; show the time that the e-mail was opened; show the IP address of the computer used; show if any links were clicked in the message; show if the e-mail was forwarded…
28
ReadNotify.com
29
How does it work? ReadNotify allows a short free trial. Using this, it is possible to analyse how it works. A freemail account with www.hongkong.com was used to register. To send tracked mail, we just need to add .readnotify.com to the end of the target e-mail address.
30
Demo. A test e-mail was sent using the freemail account hkjacko@mail.hongkong.com, addressed to paj@hongkong.com. When received, it looks like this…
31
Demo
32
The e-mail was received by MS Outlook and viewed using the preview pane. A check was then made at the ReadNotify website to see if this had been recorded…
33
Demo
34
A new demo – this time to PEN
37
Once again, we check with the ReadNotify website to see if they have a record… This time, though, it has no record to report, even though the e-mail has been opened. However, if "launch" is selected instead of the file viewer, this opens the Netscape web browser.
38
A new demo – this time to PEN
39
This time, the ReadNotify website tells us that the e-mail has been opened.
40
A new demo – this time to PEN
41
So, what is happening? We now know that the e-mail tracking will only work in web-enabled e-mail clients. Therefore, if the e-mail is HTML, we need to look at the code behind it…
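As an added example (not from the presentation), a small HTML e-mail auditor in Python that flags the two things these slides discuss: links whose visible text disagrees with the real destination (including the "user@host" and %00 tricks from the Earthlink example) and remote 1x1 images of the kind a read-receipt service relies on. The sample body and the tracker.example host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body (not a real capture) combining the two tricks from the slides:
# a link whose visible text differs from its real destination, and a remote 1x1 image.
SAMPLE_HTML = """
<a href="https://www.earthlink.net%00@211.154.171.106/li_pin/verification/step1_e.htm">https://earthlink.net/payment/verification.cgi</a>
<img src="http://tracker.example/open/abc123.gif" width="1" height="1"> <img src="cid:logo" width="120" height="40">
"""

class EmailHtmlAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []   # start collecting the visible link text
        elif tag == "img":
            self._check_image(a)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check_link(self._href, "".join(self._text).strip())
            self._href = None

    def _check_link(self, href, text):
        real = urlsplit(href)
        if real.username is not None:         # everything before '@' is userinfo, not the host
            self.findings.append(("userinfo-in-url", real.hostname))
        if "%00" in href:                      # encoded NUL: some old clients stopped displaying here
            self.findings.append(("null-byte-in-url", href))
        shown = urlsplit(text).hostname if "://" in text else None
        if shown and shown != real.hostname:   # the text names a different host than the href
            self.findings.append(("link-text-mismatch", f"{shown} -> {real.hostname}"))

    def _check_image(self, a):
        src = a.get("src") or ""  # a remote src is fetched when the mail renders; a 1x1 exists only to be fetched
        if src.startswith(("http://", "https://")) and a.get("width") == "1" and a.get("height") == "1":
            self.findings.append(("tracking-pixel", urlsplit(src).hostname))

def audit_html(html):
    parser = EmailHtmlAuditor()
    parser.feed(html); parser.close()
    return parser.findings
```

Inline (cid:) images and links whose text matches their destination produce no findings, so the output is only the parts of the message worth a closer look.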
42
So, what is happening?
44
Final example in a non-HTML e-mail client (Linux)
53
Conclusions (from an investigation p.o.v.). This method is a very good way of tracing e-mail addresses in a covert way. The user must be using HTML-enabled e-mail, but nowadays it is very unusual not to be. This includes web-mail as well as POP mail. Unfortunately, you need to subscribe if using it for a long period.
54
Conclusions (from a personal p.o.v.). This tool shows how easy it is for spammers to know if you are receiving and viewing their mail. Others can know if you are forwarding the mail and to whom! Privacy is being compromised. This is why many people are insisting on using non-HTML e-mail.
55
Summary