Difference between pages "Microsoft Windows Mobile" and "Email Headers"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Tools)
 
(External Links: - Cleaned up links)
 
Line 1: Line 1:
Windows Mobile is an operating system that has both a look-and-feel and a programmer API that are similar to Microsoft Windows but which runs in a dramatically reduced footprint. Windows Mobile is the successor operating system to Windows CE.  
+
'''Email Headers''' are lines of [[metadata]] attached to each [[email]] that contain lots of useful information for a [[forensic investigator]]. However, email headers can be easily forged, so they should never be used as the only source of information.
  
== Windows Mobile Versions ==
+
== Making Sense of Headers ==
  
===Windows Mobile 2002===
+
There is no single way to make sense of email headers. Some examiners favor reading from the bottom up, some favor reading from the top down. Because information in the headers can be put there by the user's [[Mail User Agent|MUA]], a server in transit, or the recipient's [[Mail User Agent|MUA]], it can be difficult to determine when a line was added.
  
===Windows Mobile 2003===
+
=== Mail User Agents ===  
 +
{{main|List of MUA Header Formats}}
 +
Every [[Mail User Agent|MUA]] sets up the headers for a message slightly differently. Although some headers are required under the applicable [http://www.faqs.org/rfcs/rfc2822.html RFC], their format and ordering can vary by client. Almost all clients, however, add their headers in a fixed format and order.
 +
The examiner can use the format and order for each client to show that messages were forged, but not that they were legitimate. For example, if a message purports to be from [[Apple Mail]] but the order or the headers do not match the [[Apple Mail Header Format]], the message has been forged. If the headers of the message do match that format, however, it does not guarantee that the message was sent by that program.
  
===Windows Mobile 2003 Second Edition===
+
=== Servers in Transit ===  
  
===Windows Mobile 5.0===
+
Mail servers can add lines onto email headers, usually in the form of "Received" lines, like this:
The biggest difference between Windows Mobile 5.0 and previous editions is that user data in WM5 is no longer stored in volatile memory. This means that the user data saved on the mobile phone will not be erased if the battery is disconnected or has depleted. In windows Mobile 2003, if the battery depletes, or is disconnected for more than 15 minutes, all user data is lost.
+
<pre>Received: by servername.recipeienthost.com (Postfix, from userid 506)
 +
id 77C30808A; Sat, 24 Feb 2007 20:43:56 -0500 (EST)</pre>
  
===Windows Mobile 6.0===
+
== Message Id Field ==
Windows Mobile 6 is expected to be released in April 2007. Some users will be able to update their current Windows Mobile 5 to the new 6.0 version for free. WM6 will integrate tightly with Windows Vista. Challenges facing forensic investigators are the support for VoIP and advanced multimedia. While it is too early to offer details or experiences, it is touting to be more in line with the Blackberry "push" model then the previous Windows CE "pull" model.
+
{{main|Using message id headers to determine if an email has been forged}}According to the current guidelines for email [http://www.faqs.org/rfcs/rfc2822.html], every message should have a Message-ID field. These id fields can be used to determine if a message has been forged. It is harder, but sometimes possible, to show that a message is authentic using the message id field. Where known, the Message-ID algorithms for known programs are [[List of MUA Header Formats|given on the separate pages for those programs]].
  
==Tools==
+
== Sample Header ==  
; [[Jeyo Mobile Companion]]
+
http://www.jeyo.com/companion.asp
+
  
==External Links==
+
This is an (incomplete) excerpt from an email header:
* [http://en.wikipedia.org/wiki/Windows_Mobile Wikipedia entry on Windows Mobile]
+
 
* [http://www.mypocketpcmobile.com/ MyPocketPCMobile.com]
+
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
 +
        by outgoing2.securityfocus.com (Postfix) with QMQP
 +
        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
 +
Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm
 +
Precedence: bulk
 +
List-Id: <forensics.list-id.securityfocus.com>
 +
List-Post: <mailto:forensics@securityfocus.com>
 +
List-Help: <mailto:forensics-help@securityfocus.com>
 +
List-Unsubscribe: <mailto:forensics-unsubscribe@securityfocus.com>
 +
List-Subscribe: <mailto:forensics-subscribe@securityfocus.com>
 +
Delivered-To: mailing list forensics@securityfocus.com
 +
Delivered-To: moderator for forensics@securityfocus.com
 +
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
 +
From: YJesus <yjesus@security-projects.com>
 +
To: forensics@securityfocus.com
 +
Subject: New Tool : Unhide
 +
User-Agent: KMail/1.9
 +
MIME-Version: 1.0
 +
Content-Disposition: inline
 +
Date: Thu, 5 Jan 2006 16:41:30 +0100
 +
Content-Type: text/plain;
 +
  charset="iso-8859-1"
 +
Content-Transfer-Encoding: quoted-printable
 +
Message-Id: <200601051641.31830.yjesus@security-projects.com>
 +
X-HE-Spam-Level: /
 +
X-HE-Spam-Score: 0.0
 +
X-HE-Virus-Scanned: yes
 +
Status: RO
 +
Content-Length: 586
 +
Lines: 26
 +
 
 +
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Computer_forensics#E-mail_Headers Wikipedia entry on email headers]

Revision as of 12:34, 21 April 2007

Email Headers are lines of metadata attached to each email that contain lots of useful information for a forensic investigator. However, email headers can be easily forged, so they should never be used as the only source of information.

Making Sense of Headers

There is no single way to make sense of email headers. Some examiners favor reading from the bottom up, some favor reading from the top down. Because information in the headers can be put there by the user's MUA, a server in transit, or the recipient's MUA, it can be difficult to determine when a line was added.

Mail User Agents

Every MUA sets up the headers for a message slightly differently. Although some headers are required under the applicable RFC, their format and ordering can vary by client. Almost all clients, however, add their headers in a fixed format and order. The examiner can use the format and order for each client to show that messages were forged, but not that they were legitimate. For example, if a message purports to be from Apple Mail but the order or the headers do not match the Apple Mail Header Format, the message has been forged. If the headers of the message do match that format, however, it does not guarantee that the message was sent by that program.

Servers in Transit

Mail servers can add lines onto email headers, usually in the form of "Received" lines, like this:

Received: by servername.recipeienthost.com (Postfix, from userid 506)
	id 77C30808A; Sat, 24 Feb 2007 20:43:56 -0500 (EST)

Message Id Field

Main article Using message id headers to determine if an email has been forgedAccording to the current guidelines for email [1], every message should have a Message-ID field. These id fields can be used to determine if a message has been forged. It is harder, but sometimes possible, to show that a message is authentic using the message id field. Where known, the Message-ID algorithms for known programs are given on the separate pages for those programs.

Sample Header

This is an (incomplete) excerpt from an email header:

Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing2.securityfocus.com (Postfix) with QMQP
        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <forensics.list-id.securityfocus.com>
List-Post: <mailto:forensics@securityfocus.com>
List-Help: <mailto:forensics-help@securityfocus.com>
List-Unsubscribe: <mailto:forensics-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:forensics-subscribe@securityfocus.com>
Delivered-To: mailing list forensics@securityfocus.com
Delivered-To: moderator for forensics@securityfocus.com
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
From: YJesus <yjesus@security-projects.com>
To: forensics@securityfocus.com
Subject: New Tool : Unhide
User-Agent: KMail/1.9
MIME-Version: 1.0
Content-Disposition: inline
Date: Thu, 5 Jan 2006 16:41:30 +0100
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-Id: <200601051641.31830.yjesus@security-projects.com>
X-HE-Spam-Level: /
X-HE-Spam-Score: 0.0
X-HE-Virus-Scanned: yes
Status: RO
Content-Length: 586
Lines: 26

External Links