Difference between pages "Email Headers" and "DeepSpar Disk Imager"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Message Id Field: - Moved to new article)
 
 
Line 1: Line 1:
'''Email Headers''' are lines of [[metadata]] attached to each [[email]] that contain lots of useful information for a [[forensic investigator]]. However, email headers can be easily forged, so they should never be used as the only source of information.
+
; [[DeepSpar Disk Imager]]
 
+
[[Image:DeepSpardiskimager.jpg]],  
== Making Sense of Headers ==
+
:An independently written review of the DeepSpar Disk Imager written by Mike Montgomery of MJM Data Recovery in the UK is available at: http://www.deepspar.com/mjm-ds-disk-imager.html
 
+
:The whitepaper "Disk Imaging: A Vital Step in Data Recovery" is available to download from: http://www.deepspar.com/pdf/DeepSparDiskImagingWhitepaper3.pdf.
There is no single way to make sense of email headers. Some examiners favor reading from the bottom up, some favor reading from the top down. Because information in the headers can be put there by the user's [[Mail User Agent|MUA]], a server in transit, or the recipient's [[Mail User Agent|MUA]], it can be difficult to determine when a line was added.
+
:The product data sheet can be downloaded from: http://www.deepspar.com/pdf/DeepSparDiskImager.pdf.
 
+
=== Mail User Agents ===
+
{{main|List of MUA Header Formats}}
+
Every [[Mail User Agent|MUA]] sets up the headers for a message slightly differently. Although some headers are required under the applicable [http://www.faqs.org/rfcs/rfc2822.html RFC], their format and ordering can vary by client. Almost all clients, however, add their headers in a fixed format and order.
+
The examiner can use the format and order for each client to show that messages were forged, but not that they were legitimate. For example, if a message purports to be from [[Apple Mail]] but the order or the headers do not match the [[Apple Mail Header Format]], the message has been forged. If the headers of the message do match that format, however, it does not guarantee that the message was sent by that program.
+
 
+
=== Servers in Transit ===
+
 
+
Mail servers can add lines onto email headers, usually in the form of "Received" lines, like this:
+
<pre>Received: by servername.recipeienthost.com (Postfix, from userid 506)
+
id 77C30808A; Sat, 24 Feb 2007 20:43:56 -0500 (EST)</pre>
+
 
+
== Message Id Field ==
+
{{main|Using message id headers to determine if an email has been forged}}According to the current guidelines for email [http://www.faqs.org/rfcs/rfc2822.html], every message should have a Message-ID field. These id fields can be used to determine if a message has been forged. It is harder, but sometimes possible, to show that a message is authentic using the message id field. Where known, the Message-ID algorithms for known programs are [[List of MUA Header Formats|given on the separate pages for those programs]].
+
 
+
== Sample Header ==
+
 
+
This is an (incomplete) excerpt from an email header:
+
 
+
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
+
        by outgoing2.securityfocus.com (Postfix) with QMQP
+
        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
+
Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm
+
Precedence: bulk
+
List-Id: <forensics.list-id.securityfocus.com>
+
List-Post: <mailto:forensics@securityfocus.com>
+
List-Help: <mailto:forensics-help@securityfocus.com>
+
List-Unsubscribe: <mailto:forensics-unsubscribe@securityfocus.com>
+
List-Subscribe: <mailto:forensics-subscribe@securityfocus.com>
+
Delivered-To: mailing list forensics@securityfocus.com
+
Delivered-To: moderator for forensics@securityfocus.com
+
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
+
From: YJesus <yjesus@security-projects.com>
+
To: forensics@securityfocus.com
+
Subject: New Tool : Unhide
+
User-Agent: KMail/1.9
+
MIME-Version: 1.0
+
Content-Disposition: inline
+
Date: Thu, 5 Jan 2006 16:41:30 +0100
+
Content-Type: text/plain;
+
  charset="iso-8859-1"
+
Content-Transfer-Encoding: quoted-printable
+
Message-Id: <200601051641.31830.yjesus@security-projects.com>
+
X-HE-Spam-Level: /
+
X-HE-Spam-Score: 0.0
+
X-HE-Virus-Scanned: yes
+
Status: RO
+
Content-Length: 586
+
Lines: 26
+
 
+
== External Links ==
+
 
+
* http://en.wikipedia.org/wiki/Computer_forensics#E-mail_Headers
+
* http://www.forensictracer.com software for forensic analysis of internet resources
+

Revision as of 14:07, 11 April 2007

DeepSpar Disk Imager

DeepSpardiskimager.jpg,

An independently written review of the DeepSpar Disk Imager written by Mike Montgomery of MJM Data Recovery in the UK is available at: http://www.deepspar.com/mjm-ds-disk-imager.html
The whitepaper "Disk Imaging: A Vital Step in Data Recovery" is available to download from: http://www.deepspar.com/pdf/DeepSparDiskImagingWhitepaper3.pdf.
The product data sheet can be downloaded from: http://www.deepspar.com/pdf/DeepSparDiskImager.pdf.