Using message id headers to determine if an email has been forged

From Forensics Wiki
According to the RFCs for email, [http://www.faqs.org/rfcs/rfc822.html RFC 822] and [http://www.faqs.org/rfcs/rfc2822.html RFC 2822], every email [http://www.faqs.org/rfcs/rfc2119.html should] have a message id field that: "provides a unique message identifier that refers to a particular version of a particular message.  The uniqueness of the message identifier is guaranteed by the host that generates it. ... This message identifier is intended to be machine readable and not necessarily meaningful to humans.  A message identifier pertains to exactly one instantiation of a particular message; subsequent revisions to the message each receive new message identifiers."
The message id headers can prove useful when trying to determine whether an email is authentic. Although they can't always prove that a message is authentic, they can often show that a message has been forged.
 
  
== Repeated Message ID ==
In this case, the forger, when creating a fake email, reuses the headers belonging to an earlier message. The examiner need only compare the Message-ID from the email in question to all of the other email messages in the world. Ok, probably not <em>all</em> of the other email messages out there; usually the messages on the systems in question are enough. Note that the same Message-ID on several identical copies of one message is normal: the copy in the sender's Sent folder and the copy in each recipient's mailbox all carry the ID the sending program generated. What the RFC rules out is one Message-ID on two <em>different</em> messages. So finding the same message id on the "smoking gun" email <em>and</em> an old guacamole recipe can be used as evidence that a message was forged.
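The comparison described above, as an added example that is not part of the original article: it groups a set of raw messages by Message-ID and distinguishes the harmless case (several copies of one message) from the reuse case (one ID on messages with different content). The four messages are constructed for the example, and the choice of which headers go into the content fingerprint (From, To, Subject, Date and the body, leaving out transport headers such as Received that legitimately differ between copies) is an assumption of this example, not something the article prescribes.

```python
"""Find Message-IDs attached to more than one distinct message in a mail set."""
import email
import hashlib
from collections import defaultdict
from email import policy

# Constructed sample mail set, not real messages.  The first two entries are
# two copies of the same message (as found in Bob's Inbox and Alice's Sent
# folder); the third is the "smoking gun" whose headers were lifted from it.
SAMPLE_MESSAGES = [
    "Received: from mail.example.com by mx.example.net; Tue, 07 Dec 2004 18:42:30 +0000\n"
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Subject: Guacamole recipe\n"
    "Date: Tue, 07 Dec 2004 18:42:09 +0000\n"
    "Message-ID: <41B5F981.5040504@example.com>\n"
    "\n"
    "Mash two avocados, add lime juice and a pinch of salt.\n",

    # Sent-folder copy: no Received header, and the store re-wrapped the body.
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Subject: Guacamole recipe\n"
    "Date: Tue, 07 Dec 2004 18:42:09 +0000\n"
    "Message-ID: <41B5F981.5040504@example.com>\n"
    "\n"
    "Mash two avocados,  add lime juice\nand a pinch of salt.\n",

    "Received: from mail.example.com by mx.example.net; Mon, 16 Jun 2008 09:01:12 +0000\n"
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Subject: Re: the contract\n"
    "Date: Mon, 16 Jun 2008 09:00:00 +0000\n"
    "Message-ID: <41B5F981.5040504@example.com>\n"
    "\n"
    "Go ahead and sign it, I have approved the terms.\n",

    "From: carol@example.com\n"
    "To: bob@example.com\n"
    "Subject: Lunch?\n"
    "Date: Mon, 16 Jun 2008 11:30:00 +0000\n"
    "Message-ID: <38D1C1FD-3C35-4568-925C-FC46CAC0DE8A@example.com>\n"
    "\n"
    "Noon at the usual place?\n",
]


def fingerprint(msg):
    """Hash the parts that identify *which* message this is.  Transport
    headers (Received, Return-Path, ...) legitimately differ between copies of
    one message, so they are left out; body whitespace is normalised because
    mail stores re-wrap text."""
    digest = hashlib.sha256()
    for name in ("From", "To", "Subject", "Date"):
        digest.update(str(msg.get(name, "")).strip().encode())
        digest.update(b"\0")
    body = msg.get_payload(decode=True) or b""
    digest.update(b" ".join(body.split()))
    return digest.hexdigest()


def find_reused_message_ids(raw_messages):
    """Map each Message-ID to how many copies carry it and how many *distinct*
    messages carry it.  copies > 1 with variants == 1 is normal (the same
    message stored more than once); variants > 1 is the reuse the article
    describes and is what the RFC rules out."""
    variants = defaultdict(set)
    copies = defaultdict(int)
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        mid = str(msg.get("Message-ID", "")).strip().strip("<>")
        if not mid:
            continue  # a missing ID is a separate finding, not a reuse
        copies[mid] += 1
        variants[mid].add(fingerprint(msg))
    return {mid: {"copies": copies[mid], "variants": len(variants[mid])}
            for mid in copies}


def suspicious_ids(raw_messages):
    """Message-IDs that appear on two or more different messages."""
    report = find_reused_message_ids(raw_messages)
    return sorted(mid for mid, r in report.items() if r["variants"] > 1)


if __name__ == "__main__":
    for mid, r in find_reused_message_ids(SAMPLE_MESSAGES).items():
        print(f"{mid}: {r['copies']} copies, {r['variants']} distinct message(s)")
    print("reused on different messages:", suspicious_ids(SAMPLE_MESSAGES))
```

On a real case the list of raw messages would come from the mailboxes on the systems in question (an mbox or a Maildir walk); the grouping and fingerprinting are the same.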
== Impossible Message ID ==
 
  
This case is more subtle, but can be used quite effectively. Although the RFC states that the message id should be globally unique, it does not prescribe how the id is to be constructed. Most email programs have their own format for generating the message id. For example, [[Apple Mail Header Format|Apple Mail]] uses a [[Universally Unique Identifier]] and the sender's domain. [[Thunderbird Header Format|Thunderbird]], on the other hand, uses a combination of the time the message was sent, a salt, and the sender's domain.
Sample Apple Mail Message ID:
<pre>38D1C1FD-3C35-4568-925C-FC46CAC0DE8A@sendinghost.com</pre>
Sample Thunderbird Message ID:
 
<pre>41B5F981.5040504@sendinghost.com</pre>
 
  
If a message was purportedly sent by a certain email program but does not have a message id created by that program, it has been forged. It would be like a round cookie-cutter making square holes; it just can't happen. Thus, if somebody claims that they received an authentic email, look at the message-id and the format of the headers. If the message id does not match the format for that program, the message has been forged! Two cautions before drawing that conclusion. First, formats change between versions of a program, and some mail servers add a Message-ID of their own when the client did not supply one, so compare against samples from the same version and read the Received headers to see where an id could have been added. Second, the test only works in one direction: a forger who knows the format can imitate it, so a message id in the right format proves nothing about authenticity.
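The format check described above, as an added example that is not part of the original article. It classifies a Message-ID against the two formats shown by the samples, compares that with the program the headers claim produced the message, and, going one step beyond the text for Thunderbird ids, decodes the embedded send time and compares it with the Date header. The two regular expressions are inferred from the two sample ids and are an assumption about those client versions, not a specification; the `X-Mailer` / `User-Agent` marker strings, the one-hour tolerance and the three test messages are likewise constructed for the example.

```python
"""Check a Message-ID against the format of the program that supposedly produced it."""
import email
import re
from datetime import datetime, timezone
from email import policy
from email.utils import parsedate_to_datetime

# Formats inferred from the two sample ids in the article.  This is an assumption
# about the client versions the samples came from, not a specification:
# Apple Mail = UUID@domain; Thunderbird = 8 hex digits of Unix time, a dot,
# a run of decimal digits, @domain.
ID_FORMATS = {
    "apple-mail": re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}@[^@\s]+$"),
    "thunderbird": re.compile(r"^[0-9A-Fa-f]{8}\.\d{6,8}@[^@\s]+$"),
}
# Assumed tolerance between the time embedded in a Thunderbird id and the Date header.
MAX_CLOCK_SKEW = 3600  # seconds


def classify_message_id(mid):
    """Name the client whose format the id matches, or "unknown"."""
    mid = mid.strip().strip("<>")
    for client, pattern in ID_FORMATS.items():
        if pattern.match(mid):
            return client
    return "unknown"


def thunderbird_timestamp(mid):
    """Decode the Unix time Thunderbird embeds as the first 8 hex digits of the id."""
    mid = mid.strip().strip("<>")
    return datetime.fromtimestamp(int(mid[:8], 16), tz=timezone.utc)


def claimed_client(msg):
    """What the headers *say* produced the message (assumed marker strings:
    Apple Mail sets X-Mailer, Thunderbird sets User-Agent)."""
    if "Apple Mail" in str(msg.get("X-Mailer", "")):
        return "apple-mail"
    if "Thunderbird" in str(msg.get("User-Agent", "")):
        return "thunderbird"
    return None


def check_message(raw, claimed=None):
    """Return a list of inconsistencies between the Message-ID and the claimed
    client; an empty list means the id is consistent with the claim (which is
    not proof of authenticity).  `claimed` overrides the header-derived claim,
    e.g. when the claim comes from a witness rather than from the headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    mid = str(msg.get("Message-ID", "")).strip().strip("<>")
    claimed = claimed or claimed_client(msg)
    actual = classify_message_id(mid)
    findings = []
    if claimed and actual != claimed:
        findings.append(f"claims {claimed} but Message-ID format is {actual}")
    if actual == "thunderbird" and msg.get("Date"):
        embedded = thunderbird_timestamp(mid)
        stated = parsedate_to_datetime(str(msg["Date"]))
        if stated.tzinfo is None:  # a "-0000" zone parses as naive; treat it as UTC
            stated = stated.replace(tzinfo=timezone.utc)
        skew = abs((embedded - stated).total_seconds())
        if skew > MAX_CLOCK_SKEW:
            findings.append(f"Message-ID was generated at {embedded:%Y-%m-%d %H:%M:%S} UTC, "
                            f"{skew:.0f}s away from the Date header")
    return findings


# Constructed test messages (not real mail).
THUNDERBIRD_OK = (
    "User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)\n"
    "From: alice@sendinghost.com\nTo: bob@example.com\nSubject: hello\n"
    "Date: Tue, 07 Dec 2004 18:42:09 +0000\n"
    "Message-ID: <41B5F981.5040504@sendinghost.com>\n\nhi\n")
APPLE_OK = (
    "X-Mailer: Apple Mail (2.753)\n"
    "From: alice@sendinghost.com\nTo: bob@example.com\nSubject: hello\n"
    "Date: Mon, 16 Jun 2008 09:00:00 +0000\n"
    "Message-ID: <38D1C1FD-3C35-4568-925C-FC46CAC0DE8A@sendinghost.com>\n\nhi\n")
# Claims Apple Mail, but carries a Thunderbird-style id whose embedded time is
# December 2004 on a message dated June 2008.
FORGED = (
    "X-Mailer: Apple Mail (2.753)\n"
    "From: alice@sendinghost.com\nTo: bob@example.com\nSubject: approved\n"
    "Date: Mon, 16 Jun 2008 09:00:00 +0000\n"
    "Message-ID: <41B5F981.5040504@sendinghost.com>\n\nGo ahead and sign.\n")

if __name__ == "__main__":
    for name, raw in (("thunderbird", THUNDERBIRD_OK), ("apple", APPLE_OK), ("forged", FORGED)):
        print(name, check_message(raw) or "consistent")
```

The timestamp comparison is the Thunderbird-specific bonus: because the id encodes when the program generated it, an id copied from an old message carries the old time with it, and that shows up even when the Date header has been edited to fit the story.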
== See Also ==
* [[Email Headers]]
[[Category:Howtos]]

LiveWire Investigator

From Forensics Wiki. Latest revision as of 09:18, 13 June 2008

LiveWire Investigator™ (https://www.wetstonetech.com/cgi/shop.cgi?view,14)


LiveWire Investigator is the ultimate tool for incident response, vulnerability assessment, compliance audits and criminal investigations. It quickly and inconspicuously examines live running computer systems, giving the investigator the ability to assess vulnerabilities, collect evidence directly from suspect computers, and perform enterprise-wide malware scans. LiveWire does not require pre-installed software on target computers. Investigators can rapidly and easily collect evidence on live running target systems from anywhere in the world (requires credential authentication).


Key Features:

Simultaneous enterprise wide discovery and triage, Physical memory imaging, Application and process state discovery, Windows service discovery, Active port mapping, Windows log discovery and analysis, Remote screenshots, File system blueprinting, Installed software cataloging, High assurance time stamped audit trail, Single User License


System Recommendations:

Microsoft Windows® 2000, XP, Vista, 230 MB free disk space, 1 GB RAM, Pentium® 2 GHz processor or better


Currently Supported Targets:

Microsoft® Windows® XP Professional, Microsoft® Windows® 2000 Professional, Microsoft® Windows® NT4, Microsoft® Windows® Server 2003, Microsoft® Windows® Vista



Contact Information:

1-877-WETSTONE ext. 2

www.wetstonetech.com (https://www.wetstonetech.com/index.html)