Download - WebMail Forensics - Black Hat | Home
![Page 1: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/1.jpg)
WebMail Forensics
Thomas Akin, CISSPDirector, Southeast Cybercrime Institute
Kennesaw State University
![Page 2: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/2.jpg)
Overview
• Web Browser Forensics– Internet Explorer
– Netscape
• WebMail Services– Cookies, History, &
Cache, oh my…
• WebMail Headers
• Obscuring WebMailHeaders
• Yahoo! Mail– History, Cache, URLs
• Hotmail– History, Cache, URLs
• Helpful Tools
• Other Services– Hushmail
– Ziplip
![Page 3: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/3.jpg)
Web Browser Forensics
Internet Explorer
• Internet Favorites
• Cookies
• History
• Typed URLs
• Temporary InternetFiles
• Autocompletion
Netscape
• Bookmarks
• Contacts
• History
• Preferences
• Typed URLs
• Cookies
• Cache
![Page 4: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/4.jpg)
Favorites
![Page 5: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/5.jpg)
Cookies
![Page 6: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/6.jpg)
History
![Page 7: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/7.jpg)
Typed URLs
![Page 8: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/8.jpg)
Temporary InternetFiles
![Page 9: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/9.jpg)
Auto-completion
![Page 10: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/10.jpg)
WebMail Clients
Web based email clients are susceptible to thesame problems of all clients that utilize webbrowsers:
Browsers store tons of data on the local harddrive….
![Page 11: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/11.jpg)
Key to WebMailForensics
The user must perform some action thatcauses the page to be cached on the
system…
i.e. Reading a Message bring the message up inthe browser and causes it to be cached. Sendinga message does not since the browser doesn’t
display the sent message...
![Page 12: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/12.jpg)
WebMail Headers
In addition to standard email headers, most webmail clientscontain useful information on their origin:
![Page 13: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/13.jpg)
Obscuring WebMailHeaders
• Open Relay
• False Received From Headers
• Anonymizer
• Open Proxy
• SSH Tunnel (or port redirector)
![Page 14: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/14.jpg)
Open Relays
• Spoofers use Open Relays to attempt to hidethe person and IP address of the system thatsent the email.
• By itself, email sent through open relays stillcontains the IP address of the actual sender.
• Combined with other techniques, open relayscan be a hindrance to investigations.
![Page 15: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/15.jpg)
Open Relay
• Where to look for evidence:
• Email Header will contain the originating IPaddress.
• Open Relay log files will also contain theoriginating IP address.
![Page 16: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/16.jpg)
False Received FromHeader
• Leads the investigator to the wrong server byadding a seemingly valid Received: fromheader.
• To avoid detection, the spoofer’s real addresswill be recorded somewhere in the Received:from headers, but the investigator will notknow which one.
![Page 17: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/17.jpg)
False Received FromHeader
![Page 18: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/18.jpg)
False Received FromHeader
![Page 19: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/19.jpg)
False Received FromHeader
Where to look for evidence• Email Received: from headers will contain the
actual IP address of the originating system,you just won’t know which Received: fromheader is correct.
• Trace backwards by looking at the log files ofthe servers the email claims to have passedthrough. Once you get to a server the has norecord of the email, the previous system is theoriginating IP.
![Page 20: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/20.jpg)
Anonymizer (Web)
![Page 21: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/21.jpg)
Anonymizer (Web)
Email sent from IP address 64.32.161.244
![Page 22: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/22.jpg)
Anonymizer (Web)
Where to look for evidence:
• The email headers and web mail log files will pointback to the anonymizer.
• You will need to look at the anonymizer’s log files todetermine what IP address accessed the web emailaccount at the specific time the email was sent.
• If the anonymizer is a paying service then you canalso request subscriber information for the accountthat was using the anonymizer to send the web basedemail.
![Page 23: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/23.jpg)
Open Proxy
![Page 24: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/24.jpg)
Open Proxy
Email sent from IP address 64.32.161.244
![Page 25: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/25.jpg)
Open Proxy
Where to look for evidence:
• The email headers and web based email logswill contain the IP address of the open proxy.
• The Open Proxy log files will contain the IPaddress of the originating system.
![Page 26: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/26.jpg)
Anon SSH Tunnel
![Page 27: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/27.jpg)
Anon SSH Tunnel
Email sent from IP address 64.32.161.244
![Page 28: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/28.jpg)
Anon SSH Tunnel
Where to look for evidence:
• The email headers will contain the IP address of theSSH server the person was logged into.
• SSH servers, by default, do not record what tunnelsare created through them.
• SSH servers do record login information so you willneed to determine who was logged into the systemthrough ssh at the time the email was sent. One ofthese log entries will be the originating IP.
![Page 29: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/29.jpg)
Combining Techniques:Tunnels with an Open
Proxy• Spoofer uses a SSH Client connects to a SSH Server
creating a tunnel to an Open Proxy port 80 (usually)
• Spoofer then reconfigures their browser to connect tothe SSH Tunnel which is redirected to the OpenProxy port 80.
• They then browse to a web based email system andsend their email.
• The headers record the IP address of the Open Proxy,not the originating system.
![Page 30: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/30.jpg)
Combining Techniques:Tunnel with an Open Proxy
Where to look for evidence:• The email headers and web based email logs
will contain the IP address of the Open Proxy.• The Open Proxy logs files will contain the IP
address of the SSH server used.• SSH tunnels are not logged, so you will have
to determine who was logged into the serverthrough ssh at the time the email was sent. Oneof these will be the originating IP.
![Page 31: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/31.jpg)
Local Analysis
![Page 32: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/32.jpg)
Yahoo! Mail & HotMail
• Index.dat & fat.db
• Cache Files
• Typed URLs
• Auto-completion
• Cookies
• History Files
![Page 33: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/33.jpg)
Examples
• Live Examples: Cookies
• Live Example: History Files
• Live Example: URL interpretation
• Live Example: Manually Parsing index.dat
![Page 34: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/34.jpg)
Tools to make your lifeeasier
• Web Cache Illuminator (www.nstarsolutions.com)
• Cache Monitor (www.webattack.com)
• Cache Auditor (www.webattack.com)
• Internet Cache Explorer (www.webattack.com)
• STG Cache Audit (www.webattack.com)
![Page 35: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/35.jpg)
My Favorites
Internet Explorer
• Cache Auditor
• Internet Cache Explorer
Netscape
• Web Cache Illuminator
![Page 36: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/36.jpg)
IE’s Cache (InternetCache Explorer)
![Page 37: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/37.jpg)
IE Cache for Yahoo!Mail
Specifically look for yahoo URLs containing:
• Compose
• ShowFolder
• ShowLetter
• Preferences
• Options
• Login
• Examples…
![Page 38: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/38.jpg)
IE’s Cache (InternetCache Explorer)
![Page 39: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/39.jpg)
Web Cache Illuminator& Netscape
![Page 40: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/40.jpg)
Web Cache Illuminator& Netscape
![Page 41: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/41.jpg)
Live Examples…
• Live examples of retrieving WebMailinformation:– Received emails
– Sent emails
– Folders
– Address books
![Page 42: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/42.jpg)
Network Forensics
• Using Sniffers to capture webmail data…– Clear http
– Encryped https
– Login & Password recovery
– Capturing both incoming & outgoing email text
![Page 43: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/43.jpg)
Other Options
How clients such as Hushmail, ZipLip, andAnonymous Remalers are attempting toenhance email privacy:
• Hushmail
• ZipLip
• Anonymizers
• Etc…
![Page 44: WebMail Forensics - Black Hat | Home](https://reader030.vdocuments.mx/reader030/viewer/2022012011/613d4798736caf36b75b738b/html5/thumbnails/44.jpg)
Thank you
Questions?
Thomas AkinSoutheast Cybercrime Institute
Kennesaw State University1000 Chastain Road #3301Kennesaw, GA 30144-5591