Difference between pages "Vendors" and "Email Headers"

From ForensicsWiki
= Software Vendors =

; [[X-Ways Software]]
: http://www.x-ways.net/

; [[Tech Assist, Inc.]]
: http://www.toolsthatwork.com/

; [[MaresWare Software]]
: http://www.maresware.com/maresware/software.htm

; [[ASRData - SMART]]
: http://www.asrdata.com/SMART/

; [[AccessData - Forensics ToolKit]]
: http://www.accessdata.com/products/

; [[Guidance Software - EnCase]]
: http://www.guidancesoftware.com/products/index.asp

; [[Paraben Forensics]]
: http://www.paraben-forensics.com/

; [[PyFlag - Open Source]]
: http://pyflag.sourceforge.net/

; [[Wetstone Technologies]]
: http://www.wetstonetech.com/page/page/3004314.htm

= Hardware Vendors =

; [[ForensicPC]]
: http://www.forensicpc.com/
: Various [[Write Blockers]], [[forensic field kit]]s, forensics software, etc.

; [[Wiebetech]]
: http://wiebetech.com/
: Various [[Write Blockers]], [[forensic field kit]]s, etc.

; [[Forensic-Computers]]
: http://www.forensic-computers.com/
: Various systems, [[Write Blockers]], [[forensic field kit]]s, etc.

= Training =
* [http://www.asrdata.com/training/ ASR Data Training]
* [http://www.accessdata.com/training/ AccessData Training]
* [http://www.blackbagtech.com/training.html BlackBag Tech Training]
* [http://www.guidancesoftware.com/training/index.asp Guidance Software (EnCase) Training]
* [http://www.maresware.com/maresware/training/maresware.htm Maresware Training]
* [http://www.paraben-training.com/ Paraben Forensics Training]
* [http://www.wetstonetech.com/page/page/3004314.htm Wetstone Technologies]
* [http://www.forensics-intl.com/training.html Armor Forensics (NTI - Forensics International)]
* [http://nw3c.org/ocr/courses_desc.cfm National White Collar Crime Center] - Law Enforcement Only
* [http://www.search.org/programs/hightech/courses.asp Search.Org] - Law Enforcement Only
* [http://www.fletc.gov/cfi/fy06tibsched.htm Federal Law Enforcement Training Center] - Law Enforcement Only
* [http://www.cops.org/ IACIS Computer Training/Certification] - Law Enforcement Only
* [http://www.vigilar.com/training.html Vigilar]
* [http://www.cce-bootcamp.com/ Certified Computer Examiner BootCamp]
* [http://www.crazytrain.com/training.html Linux Data Forensics Training]
* [http://www.cftco.com/ Computer Forensics Training Center On-Line]
* [http://www.e-fense.com/training.html e-fense Inc]
* [http://www.infosecinstitute.com/courses/security_training_courses.html InfoSec Institute]

Revision as of 14:37, 6 March 2007

Email Headers are the lines of metadata at the top of each email message. They carry a great deal of information useful to a forensic investigator, but most of them are written by the sender or the sender's software and can be forged trivially, so they should never be used as the only source of evidence.

Making Sense of Headers

There is no single way to make sense of email headers. Some examiners favor reading from the bottom up, some from the top down. Because a line can have been put there by the sender's MUA, by a server in transit, or by the recipient's MUA or mail store, it can be difficult to determine when, and by whom, a line was added. The Status:, Content-Length: and Lines: fields at the end of the sample below, for example, are typical of a local mailbox file rather than of anything that traveled over the network.

Mail User Agents

Every MUA lays out the headers of a message slightly differently: RFC 2822 fixes the syntax of each field but leaves the order of most fields to the implementation. The examiner can use this to show that a message was forged, but not that it is genuine. For example, if a message purports to come from Apple Mail but the set or order of its headers does not match the Apple Mail Header Format, the message did not leave that program unmodified. If the headers do match that format, it still does not prove the message was sent by that program, because a forger can copy the layout.
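The kind of header-order check described above, as an added example that is not part of the original page or of any mail client's code. The field order for the client "ExampleMail 1.0" and both messages are constructed for illustration; the real orderings for real clients belong on the per-MUA pages.

```python
import email

# Added example, not from the page or from any mail client: compares the order
# of a message's originator header fields against the order a claimed client is
# known to produce. EXAMPLEMAIL_ORDER is a hypothetical template for a client
# "ExampleMail 1.0"; GENUINE and SUSPECT are constructed messages.
EXAMPLEMAIL_ORDER = ["from", "to", "subject", "date", "user-agent",
                     "mime-version", "content-type", "message-id"]

def originator_field_order(raw_message):
    """Header names (lower-cased) in on-the-wire order, skipping everything above
    the last Received: line, since those fields were added in transit."""
    names = [k.lower() for k, _ in email.message_from_string(raw_message).items()]
    received = [i for i, n in enumerate(names) if n == "received"]
    return names[received[-1] + 1:] if received else names

def consistent_with_template(raw_message, template):
    """True if every field the template knows about appears in the template's relative order.
    False shows the message did not leave that client unmodified; True proves nothing,
    because a forger can copy the layout."""
    positions = [template.index(n) for n in originator_field_order(raw_message) if n in template]
    return positions == sorted(positions)

GENUINE = (
    "Received: from relay.example.net by mx.example.org; Thu, 5 Jan 2006 16:12:01 +0100\n"
    "From: alice@example.org\nTo: bob@example.org\nSubject: hello\n"
    "Date: Thu, 5 Jan 2006 16:11:30 +0100\nUser-Agent: ExampleMail 1.0\n"
    "MIME-Version: 1.0\nContent-Type: text/plain\nMessage-ID: <1@example.org>\n\nhi\n"
)
# Same fields and the same User-Agent claim, but Subject: precedes To: and
# Date: follows User-Agent:, which ExampleMail 1.0 (by assumption) never does.
SUSPECT = (
    "Received: from relay.example.net by mx.example.org; Thu, 5 Jan 2006 16:12:01 +0100\n"
    "From: alice@example.org\nSubject: hello\nTo: bob@example.org\n"
    "User-Agent: ExampleMail 1.0\nDate: Thu, 5 Jan 2006 16:11:30 +0100\n"
    "MIME-Version: 1.0\nContent-Type: text/plain\nMessage-ID: <1@example.org>\n\nhi\n"
)

def verdict(raw_message, template=EXAMPLEMAIL_ORDER):
    if consistent_with_template(raw_message, template):
        return "consistent with the claimed client (not proof of origin)"
    return "forged or altered: header order does not match the claimed client"

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE), ("suspect", SUSPECT)):
        print(label, "->", verdict(msg))
```

The check deliberately ignores fields the template does not list, so extra headers inserted by list software or scanners do not trigger a false "forged" verdict; only a reordering of the fields the client itself writes does.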

Servers in Transit

Mail servers add lines to the email headers as a message passes through them, usually in the form of "Received" lines. Each server prepends its own line above the ones already there, so the topmost Received line was added last, by the server nearest the recipient, and the bottom one first. A sender can also plant fabricated Received lines before the message ever leaves, so only the lines added by servers the examiner trusts (typically the recipient's own) can be taken at face value. A typical line looks like this:

Received: by servername.recipeienthost.com (Postfix, from userid 506)
	id 77C30808A; Sat, 24 Feb 2007 20:43:56 -0500 (EST)

Message Id Field

According to the current Internet message format standard (RFC 2822), every email should carry a Message-ID field:

   The "Message-ID:" field provides a unique message identifier that
   refers to a particular version of a particular message.  The
   uniqueness of the message identifier is guaranteed by the host that
   generates it (see below).  This message identifier is intended to be
   machine readable and not necessarily meaningful to humans.  A message
   identifier pertains to exactly one instantiation of a particular
   message; subsequent revisions to the message each receive new message
   identifiers.

   ...

   The message identifier (msg-id) itself MUST be a globally unique
   identifier for a message.  The generator of the message identifier
   MUST guarantee that the msg-id is unique.  There are several
   algorithms that can be used to accomplish this.  Since the msg-id has
   a similar syntax to angle-addr (identical except that comments and
   folding white space are not allowed), a good method is to put the
   domain name (or a domain literal IP address) of the host on which the
   message identifier was created on the right hand side of the "@", and
   put a combination of the current absolute date and time along with
   some other currently unique (perhaps sequential) identifier available
   on the system (for example, a process id number) on the left hand
   side.  Using a date on the left hand side and a domain name or domain
   literal on the right hand side makes it possible to guarantee
   uniqueness since no two hosts use the same domain name or IP address
   at the same time.  Though other algorithms will work, it is
   RECOMMENDED that the right hand side contain some domain identifier
   (either of the host itself or otherwise) such that the generator of
   the message identifier can guarantee the uniqueness of the left hand
   side within the scope of that domain.

Where known, the Message-ID algorithms for known programs are given on the separate pages for those programs.
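An added example, not code from the page or from any mail program, of the Message-ID scheme the RFC text above recommends: a timestamp plus a locally unique number on the left of the "@" and the generating host's domain on the right, together with a syntax check for candidate msg-ids and a cross-check of an embedded timestamp against the Date: header. The domain mail.example.org is an assumption; the sample id and Date: used in the usage are taken from the sample header on this page.

```python
import os
import re
import itertools
import email.utils
from datetime import datetime, timezone

# Added example, not from the page: one of the RFC 2822 suggested Message-ID
# schemes, a syntax check, and a timestamp cross-check. mail.example.org is a
# placeholder domain; no particular MUA's algorithm is claimed here.

_counter = itertools.count()

def make_message_id(domain, now=None, pid=None):
    """'<YYYYmmddHHMMSS.counter.pid@domain>': date/time plus a per-process counter and the pid."""
    now = now or datetime.now(timezone.utc)
    pid = os.getpid() if pid is None else pid
    left = "%s.%d.%d" % (now.strftime("%Y%m%d%H%M%S"), next(_counter), pid)
    return "<%s@%s>" % (left, domain)

# msg-id = "<" id-left "@" id-right ">": id-left is a dot-atom-text, id-right a
# dot-atom-text or a domain-literal, and no comments or folding whitespace anywhere.
_DOT_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
_MSG_ID_RE = re.compile(r"^<(" + _DOT_ATOM + r")@(" + _DOT_ATOM + r"|\[[^\[\]\\\s]*\])>$")

def check_message_id(value):
    """Return (ok, reason) for one Message-ID: value."""
    m = _MSG_ID_RE.match(value.strip())
    if not m:
        return False, "not a single <id-left@id-right> token (whitespace, comment or missing part)"
    right = m.group(2)
    if not right.startswith("[") and "." not in right:
        return False, "right-hand side %r is not a domain name or domain-literal" % right
    return True, "ok"

def leading_timestamp(msg_id):
    """If id-left starts with YYYYmmddHHMM or YYYYmmddHHMMSS digits, return that naive datetime, else None."""
    m = re.match(r"^<(\d{12})(\d{2})?(?=[^\d])", msg_id.strip())
    if not m:
        return None
    digits = m.group(1) + (m.group(2) or "")
    try:
        return datetime.strptime(digits, "%Y%m%d%H%M%S" if len(digits) == 14 else "%Y%m%d%H%M")
    except ValueError:          # digits that happen to lead the id but are not a date
        return None

def msg_id_date_skew_minutes(msg_id, date_header):
    """Minutes between the timestamp in the msg-id and the sender-local wall clock in Date:,
    or None if the msg-id carries no timestamp. A large value means one of the two does
    not reflect when the message was really composed."""
    ts = leading_timestamp(msg_id)
    if ts is None:
        return None
    local = email.utils.parsedate_to_datetime(date_header).replace(tzinfo=None)
    return abs((local - ts).total_seconds()) / 60.0

if __name__ == "__main__":
    sample_id = "<200601051641.31830.yjesus@security-projects.com>"   # from the sample header on this page
    sample_date = "Thu, 5 Jan 2006 16:41:30 +0100"
    print(check_message_id(sample_id), msg_id_date_skew_minutes(sample_id, sample_date))
    print(make_message_id("mail.example.org"))
```

On the page's sample the left-hand side begins with 200601051641, which agrees with the Date: header to within the minute; that is consistent with the RFC's recommended construction but, like any header, is the sender's claim and proves nothing on its own.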

Sample Header

This is an (incomplete) excerpt from an email header:

Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing2.securityfocus.com (Postfix) with QMQP
        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <forensics.list-id.securityfocus.com>
List-Post: <mailto:forensics@securityfocus.com>
List-Help: <mailto:forensics-help@securityfocus.com>
List-Unsubscribe: <mailto:forensics-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:forensics-subscribe@securityfocus.com>
Delivered-To: mailing list forensics@securityfocus.com
Delivered-To: moderator for forensics@securityfocus.com
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
From: YJesus <yjesus@security-projects.com>
To: forensics@securityfocus.com
Subject: New Tool : Unhide
User-Agent: KMail/1.9
MIME-Version: 1.0
Content-Disposition: inline
Date: Thu, 5 Jan 2006 16:41:30 +0100
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-Id: <200601051641.31830.yjesus@security-projects.com>
X-HE-Spam-Level: /
X-HE-Spam-Score: 0.0
X-HE-Virus-Scanned: yes
Status: RO
Content-Length: 586
Lines: 26
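Added example, not code from the page: parsing the sample header above with Python's standard email module, reconstructing the transit chain from its Received lines, separating the hops a trusted relay vouches for from those supplied by the sender's side, and checking the timestamps against each other and against the Date: header. SAMPLE is the page's excerpt with the list-management and scanner fields left out and a blank line plus empty body appended so the parser accepts it; the trusted domain passed to untrusted_hops and the altered Date: in FORGED_DATE are assumptions made for the demonstration.

```python
import re
import email
import email.utils
from datetime import timedelta, timezone

# Added example, not from the page. SAMPLE is the page's sample header, trimmed,
# with a blank line and empty body appended (constructed) so it parses.
SAMPLE = """\
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing2.securityfocus.com (Postfix) with QMQP
        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
Delivered-To: mailing list forensics@securityfocus.com
Delivered-To: moderator for forensics@securityfocus.com
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
From: YJesus <yjesus@security-projects.com>
To: forensics@securityfocus.com
Subject: New Tool : Unhide
User-Agent: KMail/1.9
Date: Thu, 5 Jan 2006 16:41:30 +0100
Message-Id: <200601051641.31830.yjesus@security-projects.com>

"""
# Constructed variant: the sender-set Date: claims the message was written days
# after the first relay stamped it.
FORGED_DATE = SAMPLE.replace("Date: Thu, 5 Jan 2006 16:41:30 +0100",
                             "Date: Tue, 10 Jan 2006 09:00:00 +0100")

_CLAUSE = re.compile(r"\b(from|by|with|id)\s+(\S+)")
_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def _aware(dt):
    # parsedate_to_datetime returns a naive datetime for "-0000", which RFC 2822
    # defines as UTC with the local zone unknown; treat it as UTC so hops compare.
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=timezone.utc)

def parse_received(value):
    """One Received: value -> its from/by/with/id clauses, any bracketed IP, and its timestamp."""
    value = " ".join(value.split())                 # unfold continuation lines
    head, _, stamp = value.rpartition(";")          # the date follows the last ';'
    hop = dict(_CLAUSE.findall(re.sub(r"\([^()]*\)", "", head)))  # drop comments like "(Postfix)"
    ip = _BRACKET_IP.search(head)                   # the IP the relay saw, kept inside a comment
    if ip:
        hop["ip"] = ip.group(1)
    hop["time"] = _aware(email.utils.parsedate_to_datetime(stamp.strip()))
    hop["utc"] = hop["time"].astimezone(timezone.utc).isoformat()
    hop["raw"] = value
    return hop

def transit_chain(raw_message):
    """Hops in travel order. Relays prepend their Received: line, so the bottom line is the first hop."""
    msg = email.message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]

def untrusted_hops(chain, trusted_suffix):
    """Hops recorded before the first relay under trusted_suffix: their contents came from the sender's side."""
    for i, hop in enumerate(chain):
        if hop.get("by", "").endswith(trusted_suffix):
            return chain[:i]
    return chain

def timeline_findings(raw_message, max_skew=timedelta(minutes=60)):
    """Out-of-order hop times, and a Date: claiming composition well after the first relay saw the message."""
    chain = transit_chain(raw_message)
    findings = []
    for earlier, later in zip(chain, chain[1:]):
        if later["time"] < earlier["time"]:
            findings.append("hop by %s is stamped before the hop below it" % later.get("by", "?"))
    date_hdr = email.message_from_string(raw_message).get("Date")
    if date_hdr and chain:
        composed = _aware(email.utils.parsedate_to_datetime(date_hdr))
        if composed > chain[0]["time"] + max_skew:
            findings.append("Date: is more than %s after the first Received: line" % max_skew)
    return findings

if __name__ == "__main__":
    for hop in transit_chain(SAMPLE):
        print(hop["utc"], hop.get("from", "-"), "->", hop.get("by", "-"), hop.get("ip", ""))
    print("hops supplied by the sender side:", len(untrusted_hops(transit_chain(SAMPLE), "securityfocus.com")))
    print("findings:", timeline_findings(SAMPLE) or "none")
    print("findings for altered Date:", timeline_findings(FORGED_DATE))
```

On the sample the chain comes out as the qmail hop (5 Jan 2006 16:11:57 UTC) followed by outgoing2.securityfocus.com (9 Jan 2006 15:01:36 UTC), the Date: header (15:41:30 UTC) precedes the first relay stamp, and nothing is flagged; with securityfocus.com as the trusted domain, only the qmail line is classed as sender-supplied. Moving the Date: to a later day, as FORGED_DATE does, produces one finding.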

External Links

* http://en.wikipedia.org/wiki/Computer_forensics#E-mail_Headers
* http://www.forensictracer.com software for forensic analysis of internet resources

Retrieved from "http://forensicswiki.org/index.php?title=Vendors&oldid=2824"