Difference between pages "User:Spoon" and "Yahoo! Mail Header Format"

From ForensicsWiki
'''Advanced Cell phone forensics at the lowest level'''

Introduction

As more new cell phone technologies emerge, digital forensics science has no record of published information on the specific protocols used for forensic acquisition and analysis of cell phones, PDAs, and smart phones. There are new cell phone technologies, including OBEX, FBUS, SYNCML, BREW, and IDEN, which are not disclosed to the public or to law enforcement. Since cell phone forensics is proprietary, the process is difficult. Therefore, there needs to be a way to acquire this information and display it in a meaningful way for law enforcement and the respective authorities. The purpose is to penetrate cell phones using advanced cell phone forensics and data recovery at the lowest level.

This paper gives a short overview of suggestions for processing forensics at the lowest level while analyzing these technologies.

Brew Concepts

BREW stands for Binary Runtime Environment for Wireless. It was developed by Qualcomm in 2001 as an application development platform for CDMA, GSM/GPRS, and UMTS mobile cellular devices. Currently the latest version is BREW 3.1. Being platform independent, BREW is used for programming applications, games, wireless implementations, sending messages, etc. The BREW Application Execution Environment (AEE) must be present on the phone in order for BREW to run. The BREW function that sends SMS messages is ITAPI_SendSMS. BREW is often compared to J2ME, since most of Europe uses J2ME while BREW is used in the U.S. and Japan.

Hayes AT Commands and Diagnostic mode

Diagnostic mode is a state of the cell phone in which deeper functions and information of the phone may be accessed. Typically called "DM mode", phones are put into DM mode before they can be fully extracted. BitPim, a program for extracting data from CDMA phones, uses this mode before tapping into the data and file system.

Since most cell phones can function as a modem, AT commands can be executed to perform certain functions and information reporting. For CDMA phones, via HyperTerminal, the command "AT$QCDMG" puts some CDMA phones into diagnostic mode. BitPim also has this functionality built into the program. To use a BREW environment via HyperTerminal, the command "AT$BREW" may put some phones into BREW mode. Typically BitPim first switches the phone into DM mode before entering BREW mode to perform extraction and other functions.

Using BitPim

BitPim is an open source program written in Python that extracts forensic information such as the phonebook, calls made, SMS messages, etc. from many CDMA phones. Some of BitPim's features allow users to view the file system in hex.

The following screenshots show an LG phone's file system and the log in BitPim.

[[Image:Bitpim.JPG]]
[[Image:Bitpim_2.JPG]]

FBUS

According to Embedtronics, Nokia "FBUS is a bi-directional serial type bus running at 115,200bps, 8 data bits." Gnokii is an open source program that offers more capability than Hayes AT commands on Nokia AT-compatible phones and has many functions, such as: identifying a phone, reading memory status, reading SMS messages, reading/writing bitmaps, reading network info, creating/deleting SMS folders, reading RF/battery level, etc.

The following screenshot shows all the functions Gnokii offers to the user.

[[Image:Clip_image002.jpg]]

Significance to Investigation

Although Hayes AT commands can extract a significant amount of data, protocols such as BREW and FBUS allow forensic investigators to process cell phones further and with more options. As many protocols are still making their way to investigators, this paper helps to identify data acquisition at the lowest level.

Conclusion

The purpose of this paper was to penetrate cell phones using advanced cell phone forensics and data recovery at the lowest level. Technical specifications of FBUS and BREW were described to assist law enforcement and the Purdue Cyber Forensics program.

Revision as of 14:28, 20 July 2012

The Yahoo! Web Mail header format has changed over time, but currently includes the sender's IP address, a domain key signature, and some other helpful information.

DomainKey-Signature

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
  b=ql3kRKrhner1LTFFVBgCYI1uqK4+8hrb6d/Fefr/HkLuObQwIrIpEXA1OiagbuFZU+H+ue1anFvm1cHQ4hjpdUcjpIIPL7ldNL9YnOxauugdVW+
  OpbTvAu0XaGf2t7eBqOWJF0Y5gM7TE27WdElgVRikunfCQca1VFV6KSuQP0o=;

Here is a sample mail header. Note that the 'Date' field will change from (PDT) to (PST) depending on whether daylight saving time is in effect in California, USA. The sender's IP address is represented as a.b.c.d in the example below.

Mail Header

Received: from [a.b.c.d] by web53409.mail.re2.yahoo.com via HTTP; Sat, 14 Feb 2009 05:42:03 PST
X-Mailer: YahooMailWebService/0.7.260.1
Date: Sat, 14 Feb 2009 05:42:03 -0800 (PST)
From: Sender Name <sender@yahoo.com>
Reply-To: sender@yahoo.com
Subject: Test Message
To: recipient@domain.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <695976.86300.qm@web53409.mail.re2.yahoo.com>


Message IDs

The Message-ID header in Yahoo! emails is a good identifier for the device that sent the message. Below are some samples:

Sent via Yahoo!® Mail for Android application on Android (Jelly Bean):

Message-ID: <1332714176.54741.androidMobile@web141101.mail.bf1.yahoo.com>

Sent via Yahoo Webmail from Chrome:

Message-ID: <1332793663.59921.YahooMailNeo@web121601.mail.bf1.yahoo.com>

Sent via the Android browser using the mobile webmail interface:

Message-ID: <1332792527.64712.BPMail_high_noncarrier@web121601.mail.bf1.yahoo.com>

Sent via Android email application configured for SMTP (Jelly Bean):

Message-ID: <gf4yxl2u7us2lp89xkgbty9u.1342797846221@email.android.com>

Sent via iPod (iOS 5.0.1):

Message-ID: <1341798412.80181.YahooMailMobile@web124306.mail.ne1.yahoo.com>
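As an added example (not code from ForensicsWiki), a small Python parser that pulls the sender IP out of the "Received: from [a.b.c.d] ... via HTTP" line and classifies the Message-ID samples above by their client tag. The tag-to-client mapping follows this page's own labels, reading the leading number as a Unix timestamp is this example's assumption rather than something the page states, and the IP 203.0.113.7 is a constructed placeholder.

```python
import re
from datetime import datetime, timezone

# Client tags from this page's Message-ID samples, mapped to the page's own labels
# (an assumption of this example, not an official Yahoo! list).
YAHOO_CLIENT_TAGS = {
    "qm": "Yahoo! webmail (2009-era web interface)",
    "YahooMailNeo": "Yahoo! webmail from a desktop browser",
    "androidMobile": "Yahoo! Mail for Android application",
    "BPMail_high_noncarrier": "Yahoo! mobile webmail from a phone browser",
    "YahooMailMobile": "Yahoo! mobile webmail from an iOS device",
}
# <number>.<number>.<tag>@<webserver>.yahoo.com, the Yahoo! shape shown on the page.
YAHOO_MSGID_RE = re.compile(r"<(\d+)\.(\d+)\.([A-Za-z_]+)@([\w.-]+\.yahoo\.com)>")
# <random>.<millis>@email.android.com, the Android SMTP client sample on the page.
ANDROID_MSGID_RE = re.compile(r"<[a-z0-9]+\.(\d{13})@email\.android\.com>")
# The webmail 'Received: from [a.b.c.d] by <host> via HTTP' line that carries the sender IP.
RECEIVED_RE = re.compile(r"^Received: from \[([^\]]+)\] by (\S+) via HTTP", re.M)

def _utc(seconds):
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def classify_message_id(msgid):
    """Return (client, generating host, sent time UTC) for a Message-ID, or None.

    Reading the leading numeric field as Unix epoch seconds is a heuristic of this
    example (the page does not say so); it is applied only when the value is large
    enough to be a post-2001 timestamp, so the 2009 'qm' sample yields no time.
    """
    m = YAHOO_MSGID_RE.search(msgid)
    if m:
        first, _seq, tag, host = m.groups()
        sent = _utc(int(first)) if int(first) >= 10**9 else None
        return (YAHOO_CLIENT_TAGS.get(tag, "unknown Yahoo! client tag: " + tag), host, sent)
    m = ANDROID_MSGID_RE.search(msgid)
    if m:
        return ("Android email application over SMTP", "email.android.com", _utc(int(m.group(1)) / 1000))
    return None

def sender_ip_from_headers(headers):
    """Return (sender IP, Yahoo! web server) from the HTTP submission Received line."""
    m = RECEIVED_RE.search(headers)
    return (m.group(1), m.group(2)) if m else None

# Constructed sample: the page's 2009 header with a documentation-range IP in place of a.b.c.d.
SAMPLE_HEADERS = """\
Received: from [203.0.113.7] by web53409.mail.re2.yahoo.com via HTTP; Sat, 14 Feb 2009 05:42:03 PST
Message-ID: <695976.86300.qm@web53409.mail.re2.yahoo.com>
"""
```

Run against a full header block, the Received line gives the submitting IP and the Message-ID gives the client and Yahoo! web server, which together locate the sending device and session server for an investigation.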