Difference between pages "File Vault" and "Yahoo! Mail Header Format"

From ForensicsWiki

== File Vault ==

File Vault is the cryptographic file system developed by [http://www.apple.com Apple] and introduced with MacOS 10.3.

File Vault works by storing each user's home directory in an encrypted "[[.sparseimage]]" file. The file is automatically mounted when the user logs in and unmounted when the user logs out. All of the user's files and preferences are stored in this file.  The file's encryption key is stored in the .sparseimage file, but that encryption key is itself encrypted with the user's login password.  
There are no known attacks against File Vault other than a brute force attack on the user's password.
As part of the [http://www.apple.com/macosx/features/300.html#security security enhancements] in OS X 10.5 (Leopard) Apple have moved from AES-128 to AES-256 for the encryption used in the disk image.
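The design described above (a per-image data key that is itself encrypted under the login password) is worth seeing as working code, because it explains both why a password change is cheap and why password guessing is the only remaining avenue. The following is an added illustration, not Apple's code or on-disk format: the key-encryption key comes from PBKDF2-HMAC-SHA256 (an assumed work factor), and the wrap primitive is a constructed HMAC-SHA256 keystream plus MAC standing in for Apple's AES-based wrap.

```python
# Added illustration of the File Vault key-wrapping design described on the page.
# Not Apple's code or format: PBKDF2 and the HMAC-based wrap are stand-ins.
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000   # assumed work factor; the only lever against guessing
KEY_LEN = 32                  # 256-bit data key, matching the AES-256 move in 10.5


def derive_kek(password: str, salt: bytes) -> bytes:
    """Login password -> key-encryption key (KEK). Deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def _keystream(kek: bytes, nonce: bytes) -> bytes:
    # Stand-in for a real key-wrap cipher: one HMAC block XORed over the key.
    return hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()[:KEY_LEN]


def wrap_key(data_key: bytes, password: str) -> dict:
    """Build the record stored next to the encrypted image: the data key never
    appears in clear, only wrapped under the password-derived KEK."""
    salt, nonce = os.urandom(16), os.urandom(16)
    kek = derive_kek(password, salt)
    blob = bytes(a ^ b for a, b in zip(data_key, _keystream(kek, nonce)))
    tag = hmac.new(kek, b"mac" + nonce + blob, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "blob": blob, "tag": tag}


def unwrap_key(record: dict, password: str) -> Optional[bytes]:
    """Return the data key, or None when the password is wrong (MAC mismatch)."""
    kek = derive_kek(password, record["salt"])
    tag = hmac.new(kek, b"mac" + record["nonce"] + record["blob"],
                   hashlib.sha256).digest()
    if not hmac.compare_digest(tag, record["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(record["blob"],
                                       _keystream(kek, record["nonce"])))


def change_password(record: dict, old: str, new: str) -> Optional[dict]:
    """Re-wrap the same data key; the image contents are not re-encrypted."""
    data_key = unwrap_key(record, old)
    return None if data_key is None else wrap_key(data_key, new)


def demo() -> dict:
    data_key = os.urandom(KEY_LEN)            # constructed: the image's real key
    rec = wrap_key(data_key, "correct horse")
    rec2 = change_password(rec, "correct horse", "new passphrase")
    return {
        "right_password_unwraps": unwrap_key(rec, "correct horse") == data_key,
        "wrong_password_rejected": unwrap_key(rec, "guess") is None,
        "same_data_key_after_change": unwrap_key(rec2, "new passphrase") == data_key,
        "old_password_rejected_after_change": unwrap_key(rec2, "correct horse") is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that the data key is random and independent of the password, so its strength does not depend on the user; what an attacker with the image file can do is limited to deriving candidate KEKs from password guesses, and the cost of each guess is set by the derivation function.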
=== Links ===
*You can find a good discussion of File Vault's usability shortcomings in [http://www.simson.net/thesis Simson Garfinkel's PhD Thesis].
*[http://chaosradio.ccc.de/23c3_m4v_1642.html Unlocking FileVault] Talk at [http://events.ccc.de/congress/2006-static/static/2/3/r/23rd_Chaos_Communication_Congress_7c1f.html 23c3] (video)
*[http://chaosradio.ccc.de/23c3_mp3_1642.html Unlocking FileVault] Talk at [http://events.ccc.de/congress/2006-static/static/2/3/r/23rd_Chaos_Communication_Congress_7c1f.html 23c3] (audio)

== Yahoo! Mail Header Format ==

Revision as of 00:57, 21 July 2012

The Yahoo! Web Mail header format has changed over time, but currently includes the sender's IP address, a domain key signature, and some other helpful information.

DomainKey-Signature

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
  b=ql3kRKrhner1LTFFVBgCYI1uqK4+8hrb6d/Fefr/HkLuObQwIrIpEXA1OiagbuFZU+H+ue1anFvm1cHQ4hjpdUcjpIIPL7ldNL9YnOxauugdVW+
  OpbTvAu0XaGf2t7eBqOWJF0Y5gM7TE27WdElgVRikunfCQca1VFV6KSuQP0o=;

Here is a sample mail header. Note that the Date field will show (PDT) or (PST) depending on whether daylight saving time is in effect in California, USA. The sender's IP address is represented as a.b.c.d in the example below.

Mail Header

Received: from [a.b.c.d] by web53409.mail.re2.yahoo.com via HTTP; Sat, 14 Feb 2009 05:42:03 PST
X-Mailer: YahooMailWebService/0.7.260.1
Date: Sat, 14 Feb 2009 05:42:03 -0800 (PST)
From: Sender Name <sender@yahoo.com>
Reply-To: sender@yahoo.com
Subject: Test Message
To: recipient@domain.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <695976.86300.qm@web53409.mail.re2.yahoo.com>
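An examiner usually wants these fields pulled out mechanically rather than read by eye: the client IP in the webmail Received line, the mailer string, the Date normalised to UTC, and the DomainKey-Signature tags (d= signing domain, s= selector, h= list of signed headers, b= signature). The following parser is an added example, not from the wiki page, built only on Python's standard library. Its sample input is constructed from the header and DomainKey-Signature shown above, with the documentation address 192.0.2.10 in place of a.b.c.d.

```python
# Added example: extract forensic fields from a Yahoo! webmail header.
# Standard library only; the sample below is constructed from the page's header.
import base64
import re
from datetime import timezone
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

SAMPLE_HEADER = b"""\
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;
  b=ql3kRKrhner1LTFFVBgCYI1uqK4+8hrb6d/Fefr/HkLuObQwIrIpEXA1OiagbuFZU+H+ue1anFvm1cHQ4hjpdUcjpIIPL7ldNL9YnOxauugdVW+
  OpbTvAu0XaGf2t7eBqOWJF0Y5gM7TE27WdElgVRikunfCQca1VFV6KSuQP0o=;
Received: from [192.0.2.10] by web53409.mail.re2.yahoo.com via HTTP; Sat, 14 Feb 2009 05:42:03 PST
X-Mailer: YahooMailWebService/0.7.260.1
Date: Sat, 14 Feb 2009 05:42:03 -0800 (PST)
From: Sender Name <sender@yahoo.com>
Reply-To: sender@yahoo.com
Subject: Test Message
To: recipient@domain.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <695976.86300.qm@web53409.mail.re2.yahoo.com>

"""

# Yahoo's webmail Received line: the bracketed address is the HTTP client, i.e.
# the browser that composed the message, not an SMTP relay.
RECEIVED_RE = re.compile(
    r"from \[(?P<ip>[0-9A-Fa-f.:]+)\] by (?P<host>\S+) via (?P<proto>\S+);\s*(?P<date>.+)$")


def _unfold(value: str) -> str:
    """Collapse RFC 822 folding (continuation lines) into single spaces."""
    return " ".join(value.split())


def parse_domainkey(value: str) -> dict:
    """Split 'a=rsa-sha1; q=dns; ...' into a tag dict.
    h= becomes a list; b= has folding whitespace stripped so it decodes."""
    tags = {}
    for part in _unfold(value).split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")   # split at the first '=' only: b= ends in '='
            tags[k.strip()] = v.strip()
    tags["b"] = re.sub(r"\s+", "", tags.get("b", ""))
    tags["h"] = tags.get("h", "").split(":") if tags.get("h") else []
    return tags


def analyze_header(raw: bytes) -> dict:
    msg = BytesParser().parsebytes(raw, headersonly=True)
    m = RECEIVED_RE.search(_unfold(msg.get("Received", "")))
    dk = parse_domainkey(msg.get("DomainKey-Signature", ""))
    sent = parsedate_to_datetime(_unfold(msg["Date"]))
    return {
        "sender_ip": m.group("ip") if m else None,
        "webmail_host": m.group("host") if m else None,
        "access_protocol": m.group("proto") if m else None,
        "x_mailer": msg.get("X-Mailer"),
        "date_utc": sent.astimezone(timezone.utc).isoformat(),
        "message_id": msg.get("Message-ID"),
        "dk_domain": dk.get("d"),
        "dk_selector": dk.get("s"),
        "dk_signed_headers": dk["h"],
        # 128 bytes here, consistent with a 1024-bit RSA key (the s1024 selector)
        "dk_signature_bytes": len(base64.b64decode(dk["b"])) if dk["b"] else 0,
    }


if __name__ == "__main__":
    for k, v in analyze_header(SAMPLE_HEADER).items():
        print(f"{k:20} {v}")
```

Two caveats the code makes visible: the Received date and the Date header are both Yahoo-generated and agree here, and the h= list tells you exactly which headers the signature covers, so any header not in that list (X-Mailer, Reply-To) could have been altered without breaking the signature.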


== Message IDs ==

The Message-ID header in Yahoo! emails is a good identifier for the device that sent the message. Below are some samples:

Sent via Yahoo!® Mail for Android application on Android (Jelly Bean):

Message-ID: <1332714176.54741.androidMobile@web141101.mail.bf1.yahoo.com>

Sent via Yahoo Webmail from Chrome:

Message-ID: <1332793663.59921.YahooMailNeo@web121601.mail.bf1.yahoo.com>

Sent via the Android browser using the mobile webmail interface:

Message-ID: <1332792527.64712.BPMail_high_noncarrier@web121601.mail.bf1.yahoo.com>

Sent via Android email application configured for SMTP (Jelly Bean):

Message-ID: <gf4yxl2u7us2lp89xkgbty9u.1342797846221@email.android.com>

Sent via iPod (iOS 5.0.1):

Message-ID: <1341798412.80181.YahooMailMobile@web124306.mail.ne1.yahoo.com>
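The samples above share a shape: a Yahoo-generated ID is `<number.sequence.CLIENTTOKEN@webNNNNN.mail.DC.yahoo.com>`, where the first number is a Unix timestamp in the newer interfaces (the older `qm` IDs use a shorter counter), while a message handed to Yahoo over SMTP by the Android mail app carries an `@email.android.com` ID with a millisecond timestamp. The following is an added example, not from the wiki page: it classifies an ID by its token, recovers the embedded timestamp, and compares it with the Date header, which is the check an examiner makes to spot an ID that does not belong with its headers. The token table is my reading of the page's samples, not a Yahoo! specification, and the Date header used in the demo is constructed.

```python
# Added example: classify Yahoo! Message-IDs and cross-check their timestamps.
# The client-token table is interpreted from the page's samples (not official).
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

YAHOO_MSGID_RE = re.compile(
    r"^<(?P<first>\d+)\.(?P<seq>\d+)\.(?P<client>[A-Za-z_]+)@(?P<host>[^>]+\.yahoo\.com)>$")
ANDROID_SMTP_RE = re.compile(
    r"^<(?P<rand>[a-z0-9]+)\.(?P<ms>\d{13})@email\.android\.com>$")

CLIENT_TOKENS = {   # interpretation of the samples listed on the page
    "androidMobile": "Yahoo! Mail for Android app",
    "YahooMailNeo": "Yahoo! webmail in a desktop browser",
    "BPMail_high_noncarrier": "mobile webmail interface (handset browser)",
    "YahooMailMobile": "Yahoo! mobile webmail (iOS device)",
    "qm": "Yahoo! webmail, older interface (no timestamp in the ID)",
}


def _epoch_to_iso(seconds: float) -> str:
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def analyze_message_id(message_id: str) -> dict:
    """Return origin, client token, generating host and embedded UTC time."""
    mid = message_id.strip()
    m = YAHOO_MSGID_RE.match(mid)
    if m:
        first = m["first"]
        # Only a 10-digit leading field is a plausible Unix timestamp (2001-2286);
        # the older 'qm' IDs carry a short counter there instead.
        generated = _epoch_to_iso(int(first)) if len(first) == 10 else None
        return {"origin": "yahoo-webmail", "client_token": m["client"],
                "client": CLIENT_TOKENS.get(m["client"], "unrecognised token"),
                "webmail_host": m["host"], "generated_utc": generated}
    m = ANDROID_SMTP_RE.match(mid)
    if m:
        return {"origin": "android-mail-app-smtp", "client_token": None,
                "client": "Android email app submitting over SMTP",
                "webmail_host": None,
                "generated_utc": _epoch_to_iso(int(m["ms"]) / 1000)}
    return {"origin": "other", "client_token": None, "client": None,
            "webmail_host": None, "generated_utc": None}


def header_gap_seconds(message_id: str, date_header: str) -> Optional[float]:
    """Seconds between the ID's embedded time and the Date header, or None if the
    ID carries no timestamp. A gap of more than a few seconds deserves a second look."""
    info = analyze_message_id(message_id)
    if info["generated_utc"] is None:
        return None
    generated = datetime.fromisoformat(info["generated_utc"])
    sent = parsedate_to_datetime(date_header)
    return abs((sent - generated).total_seconds())


if __name__ == "__main__":
    for mid in [
        "<1332714176.54741.androidMobile@web141101.mail.bf1.yahoo.com>",
        "<1332793663.59921.YahooMailNeo@web121601.mail.bf1.yahoo.com>",
        "<1332792527.64712.BPMail_high_noncarrier@web121601.mail.bf1.yahoo.com>",
        "<gf4yxl2u7us2lp89xkgbty9u.1342797846221@email.android.com>",
        "<1341798412.80181.YahooMailMobile@web124306.mail.ne1.yahoo.com>",
        "<695976.86300.qm@web53409.mail.re2.yahoo.com>",
    ]:
        print(analyze_message_id(mid))
    # Constructed Date header matching the first sample's embedded timestamp.
    print(header_gap_seconds(
        "<1332714176.54741.androidMobile@web141101.mail.bf1.yahoo.com>",
        "Sun, 25 Mar 2012 15:22:56 -0700 (PDT)"))
```

The webmail host in the ID (e.g. `web141101.mail.bf1.yahoo.com`) should also match the host in the webmail Received line of the same message; a mismatch between the two is another sign that headers were not produced together.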