Email Headers

From Forensics Wiki

'''Email Headers''' are lines of [[metadata]] attached to each [[email]] that contain lots of useful information for a [[forensic investigator]]. However, email headers can be easily forged, so they should never be used as the only source of information.

== Making Sense of Headers ==

There is no single way to make sense of email headers: some examiners favor reading from the bottom up, others from the top down. Because a header line can be added at any point (when the message is created, in transit, or by the reader's MUA), no single reading order works for every message.

Many legitimate programs put data in a fixed order that can be validated. If parts of the data are missing or not in the expected order, the header can be shown to be forged. For example, if an email purports to have been sent by [[Apple Mail]] but has a Message-Id field that could not have been generated by that program, it has been forged.

== Message Id Field ==

According to the current guidelines for email ([http://www.faqs.org/rfcs/rfc2822.html RFC 2822]), every email should have a Message-ID field:

<pre>  The "Message-ID:" field provides a unique message identifier that
  refers to a particular version of a particular message.  The
  uniqueness of the message identifier is guaranteed by the host that
  generates it (see below).  This message identifier is intended to be
  machine readable and not necessarily meaningful to humans.  A message
  identifier pertains to exactly one instantiation of a particular
  message; subsequent revisions to the message each receive new message
  identifiers.

  ...

  The message identifier (msg-id) itself MUST be a globally unique
  identifier for a message.  The generator of the message identifier
  MUST guarantee that the msg-id is unique.  There are several
  algorithms that can be used to accomplish this.  Since the msg-id has
  a similar syntax to angle-addr (identical except that comments and
  folding white space are not allowed), a good method is to put the
  domain name (or a domain literal IP address) of the host on which the
  message identifier was created on the right hand side of the "@", and
  put a combination of the current absolute date and time along with
  some other currently unique (perhaps sequential) identifier available
  on the system (for example, a process id number) on the left hand
  side.  Using a date on the left hand side and a domain name or domain
  literal on the right hand side makes it possible to guarantee
  uniqueness since no two hosts use the same domain name or IP address
  at the same time.  Though other algorithms will work, it is
  RECOMMENDED that the right hand side contain some domain identifier
  (either of the host itself or otherwise) such that the generator of
  the message identifier can guarantee the uniqueness of the left hand
  side within the scope of that domain.</pre>

Where the Message-ID algorithm of a mail program is known, it is given on that program's own page.

== Known Header Formats ==

The format of the headers differs for each [[Mail User Agent]]. We currently know the [[Apple Mail Header Format]] and [[Thunderbird Header Format]].

We would like to know the [[Outlook Header Format]], [[Outlook Express Header Format]], [[Microsoft Mail Header Format]], [[Yahoo! Mail Header Format]], and [[Gmail Header Format]]. Additions to this list are welcome.

== Example ==

This is an (incomplete) excerpt from an email header:

<pre>Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing2.securityfocus.com (Postfix) with QMQP
        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <forensics.list-id.securityfocus.com>
List-Post: <mailto:forensics@securityfocus.com>
List-Help: <mailto:forensics-help@securityfocus.com>
List-Unsubscribe: <mailto:forensics-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:forensics-subscribe@securityfocus.com>
Delivered-To: mailing list forensics@securityfocus.com
Delivered-To: moderator for forensics@securityfocus.com
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
From: YJesus <yjesus@security-projects.com>
To: forensics@securityfocus.com
Subject: New Tool : Unhide
User-Agent: KMail/1.9
MIME-Version: 1.0
Content-Disposition: inline
Date: Thu, 5 Jan 2006 16:41:30 +0100
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-Id: <200601051641.31830.yjesus@security-projects.com>
X-HE-Spam-Level: /
X-HE-Spam-Score: 0.0
X-HE-Virus-Scanned: yes
Status: RO
Content-Length: 586
Lines: 26</pre>

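As an added example (not code from the Forensics Wiki page or from any mail program it mentions), the following Python script applies two of the checks described under Making Sense of Headers and Message Id Field to the excerpt above. It parses the header block with the standard library, verifies that the Message-Id has the left@right structure RFC 2822 asks for and that its right side matches the sender's domain, and then reads the Received chain bottom-up to confirm that each hop is no earlier than the one before it and no earlier than the Date header. The reading of the Message-Id's leading twelve digits as a YYYYMMDDHHMM timestamp in the sender's local time is an assumption inferred from this one KMail example, not a documented format; likewise the qmail line's "-0000" zone, which the parser returns as a naive time, is assumed to be UTC.

```python
"""Consistency checks over an email header block (added example)."""
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Header excerpt from the page (a real mailing-list message); the fields
# that play no part in the checks are left out.
SAMPLE_HEADERS = """\
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing2.securityfocus.com (Postfix) with QMQP
        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm
Precedence: bulk
Delivered-To: mailing list forensics@securityfocus.com
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
From: YJesus <yjesus@security-projects.com>
To: forensics@securityfocus.com
Subject: New Tool : Unhide
User-Agent: KMail/1.9
Date: Thu, 5 Jan 2006 16:41:30 +0100
Message-Id: <200601051641.31830.yjesus@security-projects.com>

"""

# RFC 2822 msg-id: "<" id-left "@" id-right ">" with no whitespace or comments.
MSGID_RE = re.compile(r"^<([^@<>\s]+)@([^@<>\s]+)>$")


def to_utc(dt):
    """Normalise to UTC; a '-0000' zone parses as naive and is assumed UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def check_message_id(msg):
    """Structural check of Message-Id plus cross-checks against From and Date."""
    m = MSGID_RE.match((msg.get("Message-Id") or "").strip())
    if not m:
        return {"well_formed": False}
    left, right = m.groups()
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # Assumption: a 12-digit prefix is YYYYMMDDHHMM in the sender's local
    # time, as this KMail example suggests; other MUAs use other schemes.
    stamp = re.match(r"^(\d{12})\.", left)
    stamp_matches_date = None
    if stamp and msg["Date"]:
        date_local = parsedate_to_datetime(msg["Date"]).replace(tzinfo=None, second=0)
        stamp_matches_date = datetime.strptime(stamp.group(1), "%Y%m%d%H%M") == date_local
    return {
        "well_formed": True,
        "left": left,
        "right": right,
        "right_matches_sender_domain": right.lower() == sender_domain.lower(),
        "stamp_matches_date": stamp_matches_date,
    }


def check_chronology(msg):
    """Read the Received chain bottom-up and compare it with the Date header."""
    sent = to_utc(parsedate_to_datetime(msg["Date"]))
    hops = []
    for value in msg.get_all("Received", []):
        # The timestamp follows the last ';'; collapse folding whitespace first.
        stamp = " ".join(value.rsplit(";", 1)[-1].split())
        hops.append(to_utc(parsedate_to_datetime(stamp)))
    bottom_up = hops[::-1]  # the last Received line is the first hop
    return {
        "hops": len(hops),
        "monotonic": all(a <= b for a, b in zip(bottom_up, bottom_up[1:])),
        "first_hop_after_date": bottom_up[0] >= sent if bottom_up else None,
        "seconds_to_first_hop": int((bottom_up[0] - sent).total_seconds()) if bottom_up else None,
    }


def analyze(raw_headers):
    """Run both checks on a raw header block and return the findings."""
    msg = message_from_string(raw_headers)
    return {"message_id": check_message_id(msg), "chronology": check_chronology(msg)}


if __name__ == "__main__":
    for name, result in analyze(SAMPLE_HEADERS).items():
        print(name, result)
```

For the excerpt, both checks pass: the Message-Id's right side is the sender's domain, its 200601051641 prefix agrees with the Date header, and the first hop (the qmail line) is 1827 seconds after the stated Date, with the moderated list's hop four days later. A Date header later than the first hop, or a Message-Id whose embedded timestamp disagrees with Date, would surface as a False in the result and is the kind of inconsistency the text above says marks a forged or edited header.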

== External Links ==

* http://en.wikipedia.org/wiki/Computer_forensics#E-mail_Headers
* http://www.forensictracer.com software for forensic analysis of internet resources

Cell phone forensics bibliography

From Forensics Wiki (revision as of 19:17, 12 November 2008)

==Academic Publications==

; [http://www.waset.org/pwaset/v26/v26-6.pdf Data Acquisition from Cell Phone using Logical Approach], Keonwoo Kim, Dowon Hong, Kyoil Chung, and Jae-Cheol Ryou, Proceedings of World Academy of Science, Engineering and Technology, Volume 26, December 2007, ISSN 1307-6884
: This article discusses three approaches for acquiring data from cell phones: physically removing the flash RAM chips and reading them directly; reading the data out using the [[JTAG]] interface; and running software on the cell phone to extract the files at a logical level. The authors have built a logical extraction system and are working on a system based on JTAG.
; [http://portal.acm.org/citation.cfm?id=1363257 Forensics for Korean cell phone], Keonwoo Kim, Dowon Hong and Kyoil Chung, Proceedings of the 1st International Conference on Forensic Applications and Techniques in Telecommunications, Information, and Multimedia and Workshop, Adelaide, Australia, 2008
; [http://www.ssddfj.org/papers/SSDDFJ_V2_1_Luck_Stokes.pdf An Integrated Approach to Recovering Deleted Files from NAND Flash Data], James Luck and Mark Stokes, Small Scale Digital Device Forensics Journal, Vol. 2, No. 1, June 2008, ISSN 1941-6164

==US Government Publications==

; [http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf Guidelines on Cell Phone Forensics] (NIST SP 800-101), May 2007
; [http://csrc.nist.gov/publications/nistir/nistir-7250.pdf Cell Phone Forensic Tools: An Overview and Analysis] (NISTIR 7250)
; [http://csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdf PDA Forensic Tools: An Overview and Analysis] (NISTIR 7100)

[[Category:Bibliography]]