Grover Kearns, PhD, CPA, CFE
Class 11
Email Videos
How email works: http://www.youtube.com/watch?v=YBzLPmx3xTU
Email Spoofing: http://lybio.net/household-hacker-hacking-email-spoofing-101/science-technology/
SMTP Spoofing: http://www.youtube.com/watch?v=Up6XcxEilp4&feature=related
Tracing an email: http://www.youtube.com/watch?v=hSvswzSy3oA
Reading Email Headers
From <<my-work-address>> Sat Aug 17 16:00:24 2002
Return-Path: <<my-work-address>>
Received: from exanpcn4.arinc.com ([144.243.4.70]) by mta009.verizon.net
    (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with ESMTP
    id <[email protected]> for <<my-home-address>>;
    Sat, 17 Aug 2002 15:00:09 -0500
Received: from exanpcn2.arinc.com (unverified) by exanpcn4.arinc.com
    (Content Technologies SMTPRS 4.1.5) with ESMTP id <[email protected]>
    for <<my-home-address>>; Sat, 17 Aug 2002 16:02:15 -0400
Received: by exanpcn2.arinc.com with Internet Mail Service (5.5.2653.19)
    id <QRZ549XW>; Sat, 17 Aug 2002 16:00:27 -0400
Message-ID: <[email protected]>
From: "Conner, Richard C. \(RCONNER\)" <<my-work-address>>
To: "my-home-address" <<my-home-address>>
Subject: Hello
Date: Sat, 17 Aug 2002 16:00:26 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain
Not required by SMTP:
From: "Conner, Richard C. \(RCONNER\)" <<my-work-address>>
To: "my-home-address" <<my-home-address>>
Subject: Hello
Date: Sat, 17 Aug 2002 16:00:26 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain
Unique message ID:
Message-ID: <[email protected]>
Received: by exanpcn2.arinc.com with Internet Mail Service (5.5.2653.19)
    id <QRZ549XW>; Sat, 17 Aug 2002 16:00:27 -0400
Received: from exanpcn2.arinc.com (unverified) by exanpcn4.arinc.com
    (Content Technologies SMTPRS 4.1.5) with ESMTP id <[email protected]>
    for <<my-home-address>>; Sat, 17 Aug 2002 16:02:15 -0400
Received: from exanpcn4.arinc.com ([144.243.4.70]) by mta009.verizon.net
    (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with ESMTP
    id <20020817200009.CWZT20372.mta009.[email protected]> for <<my-home-address>>;
    Sat, 17 Aug 2002 15:00:09 -0500
Another Example – Partial Header
Delivered-To: [email protected]
Received: by 10.68.58.39 with SMTP id n7cs40710pbq; …
Return-Path: <[email protected]> …
Received: from [127.0.0.1] by omp1017.mail.bf1.yahoo.com with NNFMP; 20 Jun …
Received: (qmail 38143 invoked by uid 60001); 20 Jun 2011 19:58:58 -0000
Message-ID: <[email protected]>
Received: from [70.126.236.236] by web161204.mail.bf1.yahoo.com via HTTP; Mon, 20 Jun 2011 12:58:58 PDT
X-Mailer: YahooMailClassic/14.0.3 YahooMailWebService/0.8.111.304355
Date: Mon, 20 Jun 2011 12:58:58 -0700 (PDT)
From: Grover Kearns <[email protected]>
Subject: Be Alert
To: [email protected]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Now get to work!
Mobile Phone Forensics
Unauthorized photos, videos, audio recording
Digital fraud and data duplication
Industrial espionage
Acceptable use policy
Mobile Phone Forensics
SIM Cards - Subscriber Identity Module
SD Cards - Secure Digital
Mobile Phone Forensics
Stored Data on SIM Cards
International Mobile Subscriber Identity
Integrated Circuit Card Identifier (ICC-ID)
Authentication Key (Ki)
Location Area Identity
SMS Message / Contacts
Mobile Phone Forensics
Stored Data on SD Cards
Call logs
Text Messages
Electronic documents
Phonebooks
Videos
Music
Photos
Calendar
Smart Phone Videos
How to Save Data to a Phone's Micro SD Memory Card: http://www.ehow.com/video_4756774_save-micro-sd-memory-card.html
SIM Card Reader: http://www.proofpronto.com/cell-phone-spy.html?gclid=CIfqu8zqwqkCFYgW2god9AZacw
Hacking the iPhone: http://www.youtube.com/watch?v=ZgITSfrEILQ
Problems with Mobile Forensics
Lack of single standards
How cell phones store messages
Multitude of models
Generations: analog, PCS, 3G, 4G, ???
Remote Phone Wipes
All smart phones can be “wiped” remotely. Check the web for instructions for each phone.
Securing Mobile Phones
Securing the mobile phone is the first action
Turning it off will lose the contents of RAM
If left on, it can be wiped remotely
Wrap multiple times in foil, or place in an empty paint bucket, to block radio signals
SIMCon
Reads SIM files
Analyzes file content
Recovers deleted text messages
Manages PIN codes
Exports data to spreadsheet files
Comparing 3G to 4G
3G
Average download speed is 1 to 100 Mbps
Allowed email and Internet access
Allows apps with music downloads and video calling
Applies to all smartphones
4G
A set of standards that hasn't really been clearly defined
Average download speeds are about twice as fast as 3G at 4-6 Mbps
More apps, more secure
Digital Networks
CDMA – Uses full radio frequency spectrum. Sprint and Verizon use this.
GSM – Used by AT&T and T-Mobile and standard in Europe and Asia. You can switch your SIM card with GSM!
OFDM – Probably will be the chosen technology for 4G.
Smart Phones
Contain: RAM, ROM, microprocessor, radio module, hardware interfaces.
Many have memory cards (SIM). Store system data in EEPROM. OS is stored in ROM.
Jailbreaking & Unlocking
Unlocking allows owner to switch SIM cards
Could void warranty
Jailbreaking allows owner to add apps that are not supported by vendor
Not illegal
Recovering Deleted Files
http://www.youtube.com/watch?v=5ShSIYRQnZY&feature=related
Web Sites - Email
Email Spoofing: http://lybio.net/household-hacker-hacking-email-spoofing-101/science-technology/
Tracing an email: http://www.youtube.com/watch?v=hSvswzSy3oA
How to find IP address and shutdown network computer: http://www.youtube.com/watch?v=fFLd0EQR-uE&feature=related
Restoring deleted files: http://www.youtube.com/watch?v=5ShSIYRQnZY&feature=related
Web Sites – Mobile Phones
SIM Card Reader: http://www.proofpronto.com/cell-phone-spy.html?gclid=CIfqu8zqwqkCFYgW2god9AZacw
Hacking iPhone: http://www.youtube.com/watch?v=ZgITSfrEILQ
How to Save Data to a Phone's Micro SD Memory Card: http://www.ehow.com/video_4756774_save-micro-sd-memory-card.html