Difference between pages "Email Headers" and "Windows SuperFetch Format"

From ForensicsWiki

Email Headers

'''Email Headers''' are lines of [[metadata]] attached to each [[email]] that contain a great deal of information useful to a [[forensic investigator]]. However, email headers can be easily forged, so they should never be used as the only source of information.

== Making Sense of Headers ==

There is no single way to make sense of email headers. Some examiners favor reading from the bottom up, some favor reading from the top down. Because information in the headers can be put there by the user's [[Mail User Agent|MUA]], a server in transit, or the recipient's [[Mail User Agent|MUA]], it can be difficult to determine when a line was added.

=== Sender's IP Address ===
{{main|IP addresses in webmail messages}}

Some web-based email providers include the sender's IP address in the message headers. Some do not.

=== Mail User Agents ===
{{main|List of MUA Header Formats}}

Every [[Mail User Agent|MUA]] sets up the headers for a message slightly differently. Although some headers are required under the applicable [http://www.faqs.org/rfcs/rfc2822.html RFC], their format and ordering can vary by client. Almost all clients, however, add their headers in a fixed format and order.

The examiner can use the format and order for each client to show that messages were forged, but not that they were legitimate. For example, if a message purports to be from [[Apple Mail]] but the order of the headers does not match the [[Apple Mail Header Format]], the message has been forged. If the headers of the message do match that format, however, this does not guarantee that the message was sent by that program.

=== Servers in Transit ===

Mail servers can add lines onto email headers, usually in the form of "Received" lines, like this:

<pre>Received: by servername.recipeienthost.com (Postfix, from userid 506)
id 77C30808A; Sat, 24 Feb 2007 20:43:56 -0500 (EST)</pre>

== Message Id Field ==
{{main|Using message id headers to determine if an email has been forged}}

According to the current guidelines for email [http://www.faqs.org/rfcs/rfc2822.html], every message should have a Message-ID field. These id fields can be used to determine if a message has been forged. It is harder, but sometimes possible, to show that a message is authentic using the message id field. The Message-ID algorithms of specific programs, where known, are [[List of MUA Header Formats|given on the separate pages for those programs]].

== Signature Fields ==
{{main|Using signature headers to determine if an email has been forged}}

Some email programs allow users to sign messages. This gives the recipient some assurance that the sender named in the message really sent it. An examiner can use these headers for the same purpose.

== Sample Header ==

This is an (incomplete) excerpt from an email header:

<pre>
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing2.securityfocus.com (Postfix) with QMQP
        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <forensics.list-id.securityfocus.com>
List-Post: <mailto:forensics@securityfocus.com>
List-Help: <mailto:forensics-help@securityfocus.com>
List-Unsubscribe: <mailto:forensics-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:forensics-subscribe@securityfocus.com>
Delivered-To: mailing list forensics@securityfocus.com
Delivered-To: moderator for forensics@securityfocus.com
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
From: YJesus <yjesus@security-projects.com>
To: forensics@securityfocus.com
Subject: New Tool : Unhide
User-Agent: KMail/1.9
MIME-Version: 1.0
Content-Disposition: inline
Date: Thu, 5 Jan 2006 16:41:30 +0100
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-Id: <200601051641.31830.yjesus@security-projects.com>
X-HE-Spam-Level: /
X-HE-Spam-Score: 0.0
X-HE-Virus-Scanned: yes
Status: RO
Content-Length: 586
Lines: 26
</pre>

== External Links ==

* [http://en.wikipedia.org/wiki/E-mail#Header Wikipedia entry on email headers]

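The following is an added example, not code from the ForensicsWiki page: it reads the sample header above the way the page describes, walking the Received chain from the bottom up (oldest hop first), pulling out any sender IP a server recorded in brackets, and applying the page's rule that a header order which differs from the claimed client's profile proves forgery while a matching order proves nothing. The header profile it checks against is hypothetical and simply mirrors the sample; the real per-client orders have to be taken from the List of MUA Header Formats pages.

```python
"""Bottom-up reading of Received lines and a header-order check, as added
illustration of the Email Headers page (not the wiki's own code)."""
import email
import re

# Sample header excerpt from the page (headers only, as the page shows it).
SAMPLE = """\
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing2.securityfocus.com (Postfix) with QMQP
        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <forensics.list-id.securityfocus.com>
List-Post: <mailto:forensics@securityfocus.com>
List-Help: <mailto:forensics-help@securityfocus.com>
List-Unsubscribe: <mailto:forensics-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:forensics-subscribe@securityfocus.com>
Delivered-To: mailing list forensics@securityfocus.com
Delivered-To: moderator for forensics@securityfocus.com
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
From: YJesus <yjesus@security-projects.com>
To: forensics@securityfocus.com
Subject: New Tool : Unhide
User-Agent: KMail/1.9
MIME-Version: 1.0
Content-Disposition: inline
Date: Thu, 5 Jan 2006 16:41:30 +0100
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-Id: <200601051641.31830.yjesus@security-projects.com>
"""

# HYPOTHETICAL profile: the order in which a client is assumed to emit its
# headers. It mirrors the sample above; real profiles come from the
# List of MUA Header Formats pages, not from this list.
HYPOTHETICAL_MUA_PROFILE = (
    "From", "To", "Subject", "User-Agent", "MIME-Version", "Content-Disposition",
    "Date", "Content-Type", "Content-Transfer-Encoding", "Message-Id",
)


def parse_headers(raw):
    """Parse a header block; folded continuation lines are handled by the stdlib."""
    return email.message_from_string(raw)


def received_chain(msg):
    """Received lines oldest-first (the bottom-up reading). Each hop records the
    'from' host, the bracketed IP if a server logged one, the 'by' host and the
    timestamp after the final ';'. qmail-style stamps carry no from/by clause."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        value = " ".join(raw.split())              # unfold and squeeze whitespace
        clause, _, stamp = value.rpartition(";")
        if not clause:                             # no ';' present at all
            clause, stamp = value, ""
        hop = {"from": None, "ip": None, "by": None, "date": stamp.strip()}
        if not clause.startswith("("):
            m = re.search(r"\bfrom\s+([\w.\-]+)", clause)
            hop["from"] = m.group(1) if m else None
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", clause)
            hop["ip"] = m.group(1) if m else None
            m = re.search(r"\bby\s+([\w.\-]+)", clause)
            hop["by"] = m.group(1) if m else None
        hops.append(hop)
    return hops


def check_client_order(msg, profile):
    """The page's rule: an order that differs from the claimed client's profile
    shows forgery ('forged'); a matching order ('consistent') proves nothing."""
    wanted = [name.lower() for name in profile]
    actual = [k.lower() for k in msg.keys() if k.lower() in wanted]
    expected = [name for name in wanted if name in actual]
    return "consistent" if actual == expected else "forged"


def tampered_sample():
    """Constructed variant of the sample with Subject moved above From, the kind
    of ordering a client following the profile would never produce."""
    lines = SAMPLE.splitlines(keepends=True)
    subject = next(l for l in lines if l.startswith("Subject:"))
    lines.remove(subject)
    idx = next(i for i, l in enumerate(lines) if l.startswith("From:"))
    lines.insert(idx, subject)
    return "".join(lines)


if __name__ == "__main__":
    message = parse_headers(SAMPLE)
    for n, hop in enumerate(received_chain(message), 1):
        print("hop %d: from=%s ip=%s by=%s at %s" % (n, hop["from"], hop["ip"], hop["by"], hop["date"]))
    print("sample:  ", check_client_order(message, HYPOTHETICAL_MUA_PROFILE))
    print("tampered:", check_client_order(parse_headers(tampered_sample()), HYPOTHETICAL_MUA_PROFILE))
```

Read oldest-first, the chain shows the message entering through the qmail stamp on 5 Jan 2006 and only then being relayed by outgoing2.securityfocus.com on 9 Jan; the bracketed IP belongs to the relay, not the original sender, which is exactly why the page warns that a single header line should not be the only source of information.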
Windows SuperFetch Format

Revision as of 01:28, 15 April 2014

{{expand}}

== MEMO file ==

Some of the <tt>Ag*.db</tt> files are MEMO files.

The MEMO file consists of:

* file header
* compressed blocks

=== File header ===

The file header is 84 bytes in size and consists of:

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO")
| Signature
|-
| 4
| 4
|
| Uncompressed (total) data size
|}

=== Compressed blocks ===

The file header is followed by compressed blocks:

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
|
| Compressed data size
|-
| 4
| ...
|
| Compressed data
|}

=== Uncompressed data ===

<b>TODO</b>

== TRX file ==

The <tt>Ag*.db.trx</tt> files are TRX files.

<b>Note that the following format specification is incomplete.</b>

=== File header ===

The file header is 84 bytes in size and consists of:

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| 1
| Unknown (Version?)
|-
| 4
| 4
|
| Unknown
|-
| 8
| 4
|
| File size
|-
| 12
| 4
|
| Unknown (Record count?)
|-
| 16
| 4
|
| Unknown (Record count?)
|-
| 20
| 4
|
| Unknown (Records offset or file header size)
|}
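The following is an added example, not code from the ForensicsWiki page or from ReWolf's specification: it walks only what the page documents, namely the MEMO signature and total size, the chain of [size][data] compressed blocks that follows the 84-byte header, and the six 32-bit fields at the start of a TRX header. The compression scheme is still marked TODO above, so blocks are returned still compressed; the bytes between offset 8 and 84 of the MEMO header are undocumented and skipped. The sample files are constructed for the example.

```python
"""Parse the documented parts of SuperFetch MEMO and TRX files (added example,
not the wiki's own code). Multi-byte fields are little-endian, which is what
makes the page's 0x304D454D signature read as the ASCII bytes "MEM0"."""
import struct

MEMO_HEADER_SIZE = 84                    # stated on the page; only the first 8 bytes are documented
MEMO_SIGNATURES = {b"MEM0", b"MEMO"}     # 0x304D454D and 0x4F4D454D read little-endian
TRX_HEADER_SIZE = 84
TRX_FIELDS = (                           # the page's labels for offsets 0, 4, 8, 12, 16, 20
    "unknown_version", "unknown_1", "file_size",
    "unknown_record_count_1", "unknown_record_count_2", "unknown_records_offset",
)


def parse_memo(data):
    """Return the MEMO signature, total uncompressed size and the compressed blocks.
    Raises ValueError on a bad signature or on a block that runs past end of file."""
    if len(data) < MEMO_HEADER_SIZE:
        raise ValueError("file shorter than the %d-byte MEMO header" % MEMO_HEADER_SIZE)
    signature = data[:4]
    if signature not in MEMO_SIGNATURES:
        raise ValueError("not a MEMO file: signature %r" % signature)
    (uncompressed_size,) = struct.unpack_from("<I", data, 4)

    blocks = []
    offset = MEMO_HEADER_SIZE
    while offset < len(data):
        if offset + 4 > len(data):
            raise ValueError("truncated block size field at offset %d" % offset)
        (block_size,) = struct.unpack_from("<I", data, offset)
        start, end = offset + 4, offset + 4 + block_size
        if end > len(data):
            # A size running past EOF is the usual sign of a truncated or corrupt file.
            raise ValueError("block at offset %d claims %d bytes, only %d remain"
                             % (offset, block_size, len(data) - start))
        blocks.append(data[start:end])           # still compressed; scheme undocumented
        offset = end
    return {"signature": signature.decode("ascii"),
            "uncompressed_size": uncompressed_size,
            "blocks": blocks}


def parse_trx_header(data):
    """Unpack the six documented 32-bit fields of a TRX header and note whether
    the recorded file size agrees with the actual length."""
    if len(data) < TRX_HEADER_SIZE:
        raise ValueError("file shorter than the %d-byte TRX header" % TRX_HEADER_SIZE)
    header = dict(zip(TRX_FIELDS, struct.unpack_from("<6I", data, 0)))
    header["file_size_matches"] = header["file_size"] == len(data)
    return header


# Constructed sample MEMO: header (84 bytes, undocumented tail zeroed) + two blocks.
SAMPLE_MEMO = (
    b"MEM0" + struct.pack("<I", 1000) + bytes(MEMO_HEADER_SIZE - 8)
    + struct.pack("<I", 5) + b"ABCDE"
    + struct.pack("<I", 3) + b"xyz"
)

# Constructed sample TRX: version 1, file size 100, two records, records at offset 84.
SAMPLE_TRX = struct.pack("<6I", 1, 0, 100, 2, 2, 84) + bytes(100 - 24)


if __name__ == "__main__":
    memo = parse_memo(SAMPLE_MEMO)
    print("MEMO %s, %d bytes uncompressed, %d compressed blocks"
          % (memo["signature"], memo["uncompressed_size"], len(memo["blocks"])))
    trx = parse_trx_header(SAMPLE_TRX)
    print("TRX header:", trx)
```

Checking the TRX file-size field against the real length is the one consistency test the documented fields allow; the two MEMO signatures are accepted as equivalent because the page lists both.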

== See Also ==

* [[SuperFetch]]

== External Links ==

* [http://blog.rewolf.pl/blog/?p=214 Windows SuperFetch file format – partial specification], by ReWolf, October 5, 2011

[[Category:File Formats]]