Difference between pages "Email Headers" and "Data copy king"

From Forensics Wiki
'''Email Headers''' are lines of [[metadata]] attached to each [[email]] that contain lots of useful information for a [[forensic investigator]]. However, email headers can be easily forged, so they should never be used as the only source of information.
  
== Making Sense of Headers ==
  
There is no single way to make sense of email headers. Some examiners favor reading from the bottom up, some favor reading from the top down. Because information in the headers can be put there by the user's [[Mail User Agent|MUA]], a server in transit, or the recipient's [[Mail User Agent|MUA]], it can be difficult to determine when a line was added.
 
  
=== Mail User Agents ===
  
Every [[Mail User Agent|MUA]] sets up the headers for a message slightly differently. The format and order of the entries can vary slightly within what the [http://www.faqs.org/rfcs/rfc2822.html RFC] allows. The examiner can use this to show that messages were forged, but not that they were legitimate. For example, if a message purports to be from [[Apple Mail]] but the order of the headers does not match the [[Apple Mail Header Format]], the message has been forged. If the headers of the message do match that format, however, that does not guarantee that the message was sent by that program.
  
We currently know the [[Apple Mail Header Format]] and [[Thunderbird Header Format]]. We would like to know the [[Outlook Header Format]], [[Outlook Express Header Format]], [[Microsoft Mail Header Format]], [[Yahoo! Mail Header Format]], and [[Gmail Header Format]]. Additions to this list are welcome.
  
=== Servers in Transit ===
  
Mail servers can add lines onto email headers, usually in the form of "Received" lines, like this:
<pre>Received: by servername.recipienthost.com (Postfix, from userid 506)
        id 77C30808A; Sat, 24 Feb 2007 20:43:56 -0500 (EST)</pre>

== Message Id Field ==

According to the current guidelines for email ([http://www.faqs.org/rfcs/rfc2822.html RFC 2822]), every email should have a Message-ID field:
<pre>  The "Message-ID:" field provides a unique message identifier that
  refers to a particular version of a particular message.  The
  uniqueness of the message identifier is guaranteed by the host that
  generates it (see below).  This message identifier is intended to be
  machine readable and not necessarily meaningful to humans.  A message
  identifier pertains to exactly one instantiation of a particular
  message; subsequent revisions to the message each receive new message
  identifiers.

  ...

  The message identifier (msg-id) itself MUST be a globally unique
  identifier for a message.  The generator of the message identifier
  MUST guarantee that the msg-id is unique.  There are several
  algorithms that can be used to accomplish this.  Since the msg-id has
  a similar syntax to angle-addr (identical except that comments and
  folding white space are not allowed), a good method is to put the
  domain name (or a domain literal IP address) of the host on which the
  message identifier was created on the right hand side of the "@", and
  put a combination of the current absolute date and time along with
  some other currently unique (perhaps sequential) identifier available
  on the system (for example, a process id number) on the left hand
  side.  Using a date on the left hand side and a domain name or domain
  literal on the right hand side makes it possible to guarantee
  uniqueness since no two hosts use the same domain name or IP address
  at the same time.  Though other algorithms will work, it is
  RECOMMENDED that the right hand side contain some domain identifier
  (either of the host itself or otherwise) such that the generator of
  the message identifier can guarantee the uniqueness of the left hand
  side within the scope of that domain.</pre>

Where known, the Message-ID algorithm used by a given program is documented on that program's own page.

== Sample Header ==

This is an (incomplete) excerpt from an email header:

<pre>Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing2.securityfocus.com (Postfix) with QMQP
        id 7E9971460C9; Mon, 9 Jan 2006 08:01:36 -0700 (MST)
Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <forensics.list-id.securityfocus.com>
List-Post: <mailto:forensics@securityfocus.com>
List-Help: <mailto:forensics-help@securityfocus.com>
List-Unsubscribe: <mailto:forensics-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:forensics-subscribe@securityfocus.com>
Delivered-To: mailing list forensics@securityfocus.com
Delivered-To: moderator for forensics@securityfocus.com
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
From: YJesus <yjesus@security-projects.com>
To: forensics@securityfocus.com
Subject: New Tool : Unhide
User-Agent: KMail/1.9
MIME-Version: 1.0
Content-Disposition: inline
Date: Thu, 5 Jan 2006 16:41:30 +0100
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-Id: <200601051641.31830.yjesus@security-projects.com>
X-HE-Spam-Level: /
X-HE-Spam-Score: 0.0
X-HE-Virus-Scanned: yes
Status: RO
Content-Length: 586
Lines: 26</pre>

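The bottom-up reading of Received lines and the RFC 2822 Message-ID check described above, applied to the sample header, as an added example that is not part of the original wiki page; it uses only the Python standard library, and the relevant lines of the sample are embedded as constructed input:

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample input: the relevant lines of this page's header excerpt.
SAMPLE = """Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing2.securityfocus.com (Postfix) with QMQP
        id 7E9971460C9; Mon, 9 Jan 2006 08:01:36 -0700 (MST)
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
From: YJesus <yjesus@security-projects.com>
Date: Thu, 5 Jan 2006 16:41:30 +0100
Message-Id: <200601051641.31830.yjesus@security-projects.com>
"""

def parse_headers(raw):
    # Unfold continuation lines, then split "Name: value" pairs in file order.
    lines = re.sub(r"\r?\n[ \t]+", " ", raw).splitlines()
    return [(n.strip().lower(), v.strip()) for n, v in (ln.split(":", 1) for ln in lines if ":" in ln)]

def received_chain(pairs):
    # Each hop prepends its own Received line, so bottom-up order is chronological.
    hops = []
    for name, value in reversed(pairs):
        if name != "received":
            continue
        clause, _, stamp = value.rpartition(";")
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", clause)
        clause = re.sub(r"\([^)]*\)", "", clause)  # drop (comments) before parsing
        hop = {"from": None, "by": None, "id": None, "ip": ip and ip.group(1)}
        for m in re.finditer(r"\b(from|by|id)\b\s+(\S+)", clause):
            hop[m.group(1)] = m.group(2)
        when = parsedate_to_datetime(stamp.strip())  # "-0000" parses as naive
        hop["when"] = when if when.tzinfo else when.replace(tzinfo=timezone.utc)
        hops.append(hop)
    return hops

def check_message_id(pairs):
    # Split msg-id at '@' (RFC 2822): right side vs From domain, left side vs Date.
    h = dict(pairs)
    left, _, right = h["message-id"].strip("<>").rpartition("@")
    from_domain = re.search(r"@([\w.-]+)", h["from"]).group(1)
    stamp = parsedate_to_datetime(h["date"]).strftime("%Y%m%d%H%M")
    return {"left": left, "right": right,
            "domain_matches_from": right.lower() == from_domain.lower(),
            "left_matches_date": left.startswith(stamp)}

def skew_seconds(pairs):
    # Seconds from Date to the first hop's Received stamp; negative = received before sent.
    sent = parsedate_to_datetime(dict(pairs)["date"])
    return int((received_chain(pairs)[0]["when"] - sent).total_seconds())
```

For the sample, the first hop (qmail) carries no from/by/id, the second hop records the list server and a Postfix queue id, the Message-ID's domain matches the From address and its left-hand side begins with the Date timestamp, and the first Received stamp is 1827 seconds after the Date header.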
== External Links ==

* http://en.wikipedia.org/wiki/Computer_forensics#E-mail_Headers
* http://www.forensictracer.com, software for forensic analysis of internet resources

== Data copy king ==

Revision as of 22:52, 6 April 2010

Data Copy King is a hardware disk imager and DoD data wipe device that is also used as a professional forensic disk imaging tool.

Data Copy King has built-in IDE and SATA ports and supports USB data copying with adapters; it is a 1:1 hard drive duplicator. The top features of DCK are its claimed disk imaging speed of 7 GB/min, its data wipe speed of 8 GB/min, and its ability to copy drives with bad sectors or unstable drives.


[[Image:Hard_drive_duplicator_data_copy_king.jpg|frame|Data Copy King package]]

== Universal hard drive duplicator ==

# 'Universal' refers to the range of storage media supported: from hard drives to flash drives, and from healthy media to media with defects such as many bad sectors, unstable heads or motors after a head or platter swap, clicking drives that are still detected in the BIOS, or other logical failures where the drive is still detected;
# 'Universal' also refers to the combination of several data-copy related functions, such as drive health checking, data cleaning and data destruction;
# 'Universal' also means wide use across different fields, such as data recovery, IT after-sales service, education and training, government and military, computer forensics and finance;
# One further point about 'Universal' is the green concept used: no backdoor design, physical read-only operation, no training required, a friendly interface, energy saving and cost effectiveness.