CaseStudy-EmailForensics[1]

Apr 06, 2018

  • 8/3/2019 CaseStudy-EmailForensics[1]

    1/22

    Email Forensics

    Case Study

    An email attached to a $20 million dollar lawsuit purported to be from the CEO of Tech.com to a venture capital broker. The message outlined guaranteed warrants on the next round of funding for the broker.

    Tech.com filed a counterclaim and claimed the email was a forgery. Their law firm engaged us to determine the validity of the message.

    We imaged all of the CEO's computers at his office and his home, and recalled the email server backup tapes from off-site storage.

    Case Study

    Searched all hard drives and email server backups for the questioned message. The search revealed no trace of the message on any of the hard drives or mail spools.

    When the timestamps and message ids were compared with the server logs, it was found that the questioned message could not have gone through either Tech.com's webmail or mail server at the time indicated by the date/time stamp on the message.

    Based on our analysis, Defendants filed a motion to image and examine the broker's computers.

    Case Study

    A Federal Judge issued a subpoena and we arrived at the broker's business, but he refused to allow his system to be imaged.

    The broker's lawyer went into State Court, on a companion case, and got the Judge to issue an order for a new Court-appointed examiner.

    The examination revealed direct proof of the alteration of a valid message's header to create the questioned email.

    What follows are some of the tools and techniques used to document the activity.

    Internet Standards (RFCs)

    RFC (Request for Comment): standards for Internet protocols.

    RFC 2821, Simple Mail Transfer Protocol (SMTP)

    The objective of SMTP is to transfer mail reliably and efficiently. It is independent of the particular transmission subsystem and requires only a reliable ordered data stream channel.

    A mail message may pass through a number of intermediate relay or gateway hosts on its path from sender to ultimate recipient. (Supplements RFC 821)

    The SMTP Model

    Reference: RFC 2821 Section 2.1

    Internet Standards (RFCs)

    RFC 2822

    Internet Message Format: the purpose of the standard is to establish the format of the messages. (Supplements RFC 822)

    3.6.4 Identification Fields

    Though optional, every message SHOULD have a Message-ID: field. The field provides a unique message identifier that refers to a particular version of a particular message. It is intended to be machine readable and not necessarily meaningful to humans.

    Internet Standards (RFCs)

    Message-ID:

    The composition of the message-id is represented by the formula:

    Date/Time Integer

    Can be formatted to display a human readable date/time, but is usually in a hexadecimal string. On Unix systems, the string represents the number of microseconds since midnight, January 1, 1970, Greenwich Mean Time (Unix Time epoch).

    Internet Standards (RFCs)

    Authentic Message-ID String

    [email protected]

    To convert to human readable form, change the hex to decimal and use one of the Unix time scripts or one of the websites with a converter.

    3989F5A3 = hexadecimal

    965342627 = decimal

    Aug 3, 2000 18:43 = Date & Time (+1 hour logs)

    Internet Standards (RFCs)

    Unique id:

    [email protected]

    This is a unique identification assigned in the SMTP process. The domain name of the company is also attached to help ensure global uniqueness.

    ESMTP id:

    This is also a unique identification assigned by each intermediate relay or gateway server. This id is also usually a hexadecimal string that is reset each day, resulting in an id that can be resolved to a time window on a particular server.

    Internet Standards (RFCs)

    Suspect Message-ID String

    [email protected]

    To convert to human readable form, change the hex to decimal and use one of the Unix time scripts or one of the websites with a converter.

    3989E793 = hexadecimal

    965339027 = decimal

    Aug 3, 2000 17:43 = Date & Time (matches log)
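    Added example (not from the slides): the hex-to-time conversion done in Python, followed by the comparison a practitioner makes next, the time embedded in the Message-ID against the message's own Date: header. The Message-ID layout assumed here (eight hex digits, a dot, a unique id, the domain) is an assumption, since the slides' Message-IDs are redacted in this copy, and the slide's own worked values (3989F5A3 = 965342627 = Aug 3, 2000) decode as seconds since the epoch, so that is the unit the code uses. Run on the suspect message's values from the trace header slide, the Message-ID time comes out two hours later than the message's Date: header.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Assumption: the slide's Message-IDs are redacted in this copy, so the leading eight
# hex digits of the local part are taken as the date/time integer the slide describes,
# e.g. "<3989F5A3.UNIQUE@tech.com>"; the unique id after the dot is not decoded.
HEX_TIMESTAMP = re.compile(r"^<?([0-9A-Fa-f]{8})\.")


def hex_to_utc(hex_str: str) -> datetime:
    """Decode the hex date/time integer as seconds since the Unix epoch, in UTC.
    The slide's worked values (3989F5A3 -> 965342627 -> Aug 3, 2000) line up only
    if the integer counts seconds, so that is the unit used here."""
    return datetime.fromtimestamp(int(hex_str, 16), tz=timezone.utc)


def message_id_time(message_id: str) -> Optional[datetime]:
    """UTC time embedded in a Message-ID, or None if it has no hex prefix."""
    match = HEX_TIMESTAMP.match(message_id.strip())
    return hex_to_utc(match.group(1)) if match else None


def date_header_gap(message_id: str, date_header: str) -> Optional[int]:
    """Seconds by which the Message-ID time is later than the Date: header.
    Date: is stamped by the client and the Message-ID is assigned moments later in the
    SMTP process, so a genuine message shows seconds to minutes; hours need explaining."""
    embedded = message_id_time(message_id)
    if embedded is None:
        return None
    return int((embedded - parsedate_to_datetime(date_header)).total_seconds())


def is_consistent(message_id: str, date_header: str, tolerance: int = 900) -> bool:
    """True when Date: and the Message-ID time agree to within `tolerance` seconds."""
    gap = date_header_gap(message_id, date_header)
    return gap is not None and abs(gap) <= tolerance


if __name__ == "__main__":
    # Suspect message from the trace header slide: Date: Thu, 3 Aug 2000 14:43:47 -0500
    # and Message-ID prefix 3989E793 (unique id and domain are constructed placeholders).
    suspect = "<3989E793.UNIQUEID@tech.com>"
    print(message_id_time(suspect))                                     # 2000-08-03 21:43:47+00:00
    print(date_header_gap(suspect, "Thu, 3 Aug 2000 14:43:47 -0500"))  # 7200
```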

    Trace Header

    Return-Path: CEO [email protected]
    Received: from mail.tech.com (mail.tech.com [201.10.20.152]) by hedgefund.fund.com (8.11.0/8.11.0) ESMTP id e73MfZ331592; Thu, 3 Aug 2000 15:45:31 -0400
    Received: from webmail.tech.com (webmail.tech.com [10.27.30.190]) by mail.tech.com (Switch-2.0.1/Switch-2.0.1) ESMTP id e73MfW903843; Thu, 3 Aug 2000 14:41:32 -0500
    Received: from tech.com (ostrich.tech.com [10.27.20.190]) by webmail.tech.com (8.8.8+Sun/8.8.8) with ESMTP id RAA01318; Thu, 3 Aug 2000 14:41:31 -0500
    content-class: urn:content-classes:message
    Subject: Warrants on $25 Million Funding
    Date: Thu, 3 Aug 2000 14:43:47 -0500
    MIME-Version: 1.0
    Content-Type: application/ms-tnef; name="winmail.dat"
    Content-Transfer-Encoding: binary
    Message-ID:
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    Thread-Topic: Warrants on $25 Million Funding
    Thread-Index: AcHatCZUSkaLe0ajEdaelQACpYcy8A==
    From: "CEO [email protected]"
    To: "Bad_Guy_Broker"

    Server Logs

    [email protected]

    Typically logs are kept for a week or less and then a new log is spawned.

    syslog   = 7/30 - 8/4 (current period)
    syslog.0 = 7/23 - 7/30
    syslog.1 = 7/16 - 7/23
    syslog.2 = 7/09 - 7/16
    syslog.3 = 7/02 - 7/09
    syslog.4 = 6/25 - 7/02
    syslog.5 = 6/18 - 6/25
    syslog.6 = 6/11 - 6/18
    syslog.7 = 6/04 - 6/11

    Server Logs

    [email protected]

    Analysis of the webmail server logs revealed several issues regarding the validity of the suspect message.

    Matching trace header timestamps and ESMTP ids revealed that RAA01318 was issued at 17:41:31 to the authentic message.

    Comparing the 14:41:31 timestamp of the suspect message with the log revealed the server was assigning ESMTP ids beginning with OAA at that time, not RAA as represented in the header.

    Server Logs

    [email protected]

    Analysis of the mail server logs confirmed that the suspect message was not authentic.

    Matching trace header timestamps and ESMTP ids revealed that the authentic Message-ID was logged at 17:41:32 and assigned ESMTP id e73MfW903843; it was then sent to the [email protected] server, where it was assigned a new ESMTP id, e73MfZ331592.

    Comparing the 14:41:32 timestamp of the suspect message with the log revealed there were no messages for over an hour during that time frame.
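    Added example (not from the slides): the ESMTP-id reasoning of the log slides made executable. Classic sendmail 8.8 queue ids such as RAA01318 begin with a letter that encodes the hour on the server's clock (A=00 through X=23), which is why the log showed OAA ids at 14:xx and an RAA id at 17:xx, and sendmail 8.10+ ids such as e73MfW903843 encode the full UTC date and time in six base-60 characters (e73MfW decodes to 2000-08-03 22:41:32 UTC, which is 17:41:32 -0500, the time the slide reports the id being logged). The sendmail id formats are stated from knowledge of sendmail rather than from the slides; the check compares the time carried in the id with the timestamp written in the same Received: line.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Classic sendmail 8.8/8.9 queue id, e.g. RAA01318: one letter for the hour on the
# server's local clock (A=00h .. X=23h), two collision letters, five-digit pid.
OLD_STYLE = re.compile(r"^([A-X])[A-Z]{2}\d{5}$")

# sendmail 8.10+ queue id, e.g. e73MfW903843: six base-60 characters for the UTC
# year (since 1960, mod 60), month (0-based), day, hour, minute and second, then a
# sequence character or two and the five- or six-digit pid.
BASE60 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx"
NEW_STYLE = re.compile(r"^([0-9A-Za-x]{6})[0-9A-Za-x]{1,2}\d{5,6}$")


def old_style_hour(queue_id: str) -> Optional[int]:
    """Hour (server local time) encoded in a classic sendmail queue id, else None."""
    match = OLD_STYLE.match(queue_id)
    return ord(match.group(1)) - ord("A") if match else None


def new_style_utc(queue_id: str) -> Optional[datetime]:
    """UTC timestamp encoded in a sendmail 8.10+ queue id, else None."""
    match = NEW_STYLE.match(queue_id)
    if not match:
        return None
    year, month, day, hour, minute, second = (BASE60.index(c) for c in match.group(1))
    try:  # assumption: the 60-year cycle 1960-2019, which covers the 2000/2001 ids here
        return datetime(1960 + year, month + 1, day, hour, minute, second, tzinfo=timezone.utc)
    except ValueError:
        return None


def received_gap(queue_id: str, received_date: str) -> Optional[int]:
    """Seconds by which the time encoded in an ESMTP id leads the date written in the
    same Received: line; 0 means id and stamp agree, None means the id is not decodable."""
    stamped = parsedate_to_datetime(received_date)
    encoded = new_style_utc(queue_id)
    if encoded is not None:
        return int((encoded - stamped).total_seconds())
    hour = old_style_hour(queue_id)
    if hour is not None:
        # the old id carries only the hour, in the server's local time, which is also
        # the zone the Received: stamp is written in, so compare wall-clock hours
        return (hour - stamped.hour) * 3600
    return None
```

    Applied to the trace header slide, received_gap("RAA01318", "Thu, 3 Aug 2000 14:41:31 -0500") and received_gap("e73MfW903843", "Thu, 3 Aug 2000 14:41:32 -0500") both return 10800, the three hours between the ids (hour 17, 22:41:32 UTC) and the 14:41 stamps in the header. The Received: line on the email spoof slide, f1RC2GK11063 at 07:02:16 -0500, returns 0: that hop's own stamp is genuine, the spoofing sits in the From: and Sent: lines.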

    Outlook Message Properties

    Default Outlook Fields

    Outlook Client Fields

    Notes Message Properties

    Email Spoofs

    Received: from tht.com (wfarwell.ne.mediaone.net [24.128.21.184]) by chmls06.mediaone.net (8.11.1/8.11.1) with ESMTP id f1RC2GK11063; Tue, 27 Feb 2001 07:02:16 -0500 (EST)

    From: Robert Lovett [[email protected]]
    Sent: Thursday, August 03, 2000 8:03 AM
    To: Bill Farwell [[email protected]]; [email protected]
    Subject: Email Spoof

    Bob,

    This is one way to spoof email.

    Bill

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    William L. Farwell, CFE, SCERS
    Senior Manager
    Computer Forensic Specialist

    Deloitte & Touche LLP
    Forensic Investigative Services
    200 Berkeley Street
    Boston, MA 02116

    617.437.3956 Voice
    617.437.5956 Direct Fax
    617.437.3849 Lab
    617.839.1998 Mobile
    mailto:[email protected]

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    William L. Farwell, CFE, SCERS

    Deloitte & Touche, LLP

    Forensic Investigative Services
    200 Berkeley Street
    Boston, MA 02116

    617.437.3956

    [email protected]

    Questions?