Difference between pages "License transition status" and "Email Headers"

From ForensicsWiki

License transition status

This page keeps track of the '''license status''' of the wiki.

All contributions after '''March 19th, 2006''' are under the [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons Attribution-ShareAlike 2.5] license. Contributions prior to that date have an unclear license. We are currently contacting the authors of the respective content, asking them whether they agree to license their contributions under the [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons Attribution-ShareAlike 2.5] license.

== HOWTO ==

If you have contributed to this wiki '''before March 19th, 2006''', please consider (re-)licensing your contributions under this license. You can do that by adding this small paragraph to your user page:

I hereby license all my contributions to this wiki (before and after March 19th, 2006) under the [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons Attribution-ShareAlike 2.5] license.

Thanks in advance.

== Current License Status ==

=== Pages ===

{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! Page
! License Status
! Checked for copyright infringement
|-
| [[AFF]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[AFIS]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[AFOSI]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[ASR]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[ILook External Imager]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[ILook Imager]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[ILook Investigator]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[ILook file format]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[IXimager]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[JPEG]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Jesse Kornblum]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Journals]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[LNK]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[License transition status]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Linux]] || ? || style="background:lime" | OK
|-
| [[Mailing lists]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Main Page]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Md5deep]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Metadata]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Microsoft PocketPC]] || ? || ?
|-
| [[Microsoft Windows]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Microsoft Windows Mobile]] || ? || ?
|-
| [[National Software Reference Library]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Ontrack Data Eraser]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Organizations]] || ? || style="background:lime" | OK
|-
| [[Other Websites]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[PDAs]] || ? || ?
|-
| [[Palm]] || ? || ?
|-
| [[Papers]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Paraben]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[People]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Personal Digital Devices]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[ProDiscover]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[ProDiscovery]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[PyFlag]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Pyflag]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[RIM Blackberry]] || ? || style="background:lime" | OK
|-
| [[Raw image file]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Raw image files]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Recovering Overwritten Data]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Recovering bad data]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Recovering deleted data]] || ? || style="background:lime" | OK
|-
| [[Reports]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[SIM Cards]] || ? || ?
|-
| [[SMART]] || ? || style="background:lime" | OK
|-
| [[Safeback]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Sanitization Standards]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Scalpel]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Simson Garfinkel]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Sleuthkit]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[SmartPhones]] || ? || style="background:lime" | OK
|-
| [[SpinRite]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Symbian]] || ? || ?
|-
| [[Techniques]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Tools]] || ? || style="background:lime" | OK
|-
| [[UNIX]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[VMware]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Vendors]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Websites]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Wetstone]] || style="background:lime" | OK || style="background:lime" | OK
|-
| [[Write Blockers]] || style="background:lime" | OK || style="background:lime" | OK
|}

=== Files/Images ===

{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! File
! License Status
! Comments
|-
| [[:Image:Simpic.jpg]] || style="background:lime" | OK || Replaced with free version.
|-
| [[:Image:Treo.jpg]] || style="background:lime" | OK || Deleted.
|-
| [[:Image:Pocketpc.jpg]] || style="background:lime" | OK || Replaced with free version.
|-
| [[:Image:Newton.jpg]] || style="background:lime" | OK || Deleted.
|-
| [[:Image:Zaurus-front.jpg]] || style="background:lime" | OK || Replaced with free version.
|-
| [[:Image:Sharp sl-c3100-thm.jpg]] || style="background:lime" | OK || Deleted.
|-
| [[:Image:Yale fat16 diagram.jpg]] || ? ||
|-
| [[:Image:Recover-FAT-volume-structur.jpg]] || style="background:lime" | OK || Deleted.
|-
| [[:Image:HelixGroupPaper.pdf]] || style="background:lime" | OK || Deleted.
|-
| [[:Image:Network Appliance DataFort.doc]] || style="background:lime" | OK || Deleted.
|-
| [[:Image:Draft Paper.doc]] || style="background:lime" | OK || Deleted.
|-
| [[:Image:Survey3.doc]] || style="background:lime" | OK || Deleted.
|-
| [[:Image:Survey.doc]] || style="background:lime" | OK || Deleted.
|-
| [[:Image:Biblio.doc]] || style="background:lime" | OK || Deleted.
|-
| [[:Image:HelixCFS.doc]] || style="background:lime" | OK || Deleted.
|-
| [[:Image:Init2.doc]] || style="background:lime" | OK || Deleted.
|-
| [[:Image:Init.doc]] || style="background:lime" | OK || Deleted.
|-
| [[:Image:Securing Storage White Paper.pdf]] || style="background:lime" | OK || Decru white paper. Not Creative Commons licensed, but we'll keep it here, as it might disappear from the net.
|}

Email Headers

Latest revision as of 09:04, 14 February 2009

Email Headers are lines of metadata attached to each email that carry a great deal of useful information for a forensic investigator. However, email headers are easily forged, so they should never be used as the only source of information.

Making Sense of Headers

There is no single way to make sense of email headers. Some examiners favor reading from the bottom up, others from the top down. Because a header line can be added by the sender's MUA, by any server the message passes through in transit, or by the recipient's MUA, it can be difficult to determine when, and by which party, a given line was added.

Sender's IP Address

Main article: IP addresses in webmail messages. Some web-based email providers include the sender's IP address in the message headers; some do not.

Mail User Agents

Main article: List of MUA Header Formats. Every MUA sets up the headers for a message slightly differently. Although some headers are required under the applicable RFC (RFC 2822, http://www.faqs.org/rfcs/rfc2822.html), their format and ordering vary by client. Almost all clients, however, add their headers in a fixed format and order.

The examiner can use the format and order for each client to show that messages were forged, but not that they are legitimate. For example, if a message purports to be from Apple Mail but the set or order of its headers does not match the Apple Mail Header Format, the message has been altered or forged. If the headers do match that format, however, that does not prove the message was sent by that program: anyone can reproduce a known header layout.

Servers in Transit

Mail servers add lines to the top of the header as the message passes through them, usually in the form of "Received" lines, like this:

Received: by servername.recipienthost.com (Postfix, from userid 506)
	id 77C30808A; Sat, 24 Feb 2007 20:43:56 -0500 (EST)

Message Id Field

Main article: Using message id headers to determine if an email has been forged. According to the current guidelines for email (RFC 2822, http://www.faqs.org/rfcs/rfc2822.html), every message should have a Message-ID field. Because each MUA builds this field by its own algorithm, the field can be used to determine whether a message has been forged. It is harder, but sometimes possible, to show that a message is authentic using the Message-ID field. Where known, the Message-ID algorithms for specific programs are given on the separate pages for those programs (see List of MUA Header Formats).

Signature Fields

Main article: Using signature headers to determine if an email has been forged. Some email programs allow users to sign messages. A valid signature gives the recipient some assurance that the sender named in the message really sent it, and an examiner can verify the signature for the same purpose.

Sample Header

This is an (incomplete) excerpt from an email header:

Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing2.securityfocus.com (Postfix) with QMQP
        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <forensics.list-id.securityfocus.com>
List-Post: <mailto:forensics@securityfocus.com>
List-Help: <mailto:forensics-help@securityfocus.com>
List-Unsubscribe: <mailto:forensics-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:forensics-subscribe@securityfocus.com>
Delivered-To: mailing list forensics@securityfocus.com
Delivered-To: moderator for forensics@securityfocus.com
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
From: YJesus <yjesus@security-projects.com>
To: forensics@securityfocus.com
Subject: New Tool : Unhide
User-Agent: KMail/1.9
MIME-Version: 1.0
Content-Disposition: inline
Date: Thu, 5 Jan 2006 16:41:30 +0100
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-Id: <200601051641.31830.yjesus@security-projects.com>
X-HE-Spam-Level: /
X-HE-Spam-Score: 0.0
X-HE-Virus-Scanned: yes
Status: RO
Content-Length: 586
Lines: 26
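The checks the page describes (walking the Received chain in transit order, testing the Message-Id against the Date header, and comparing header order against a client's fingerprint) are pulled together below as an added example; it is not part of the original ForensicsWiki page. It runs over an abridged copy of the sample header above using only Python's standard library. The Message-Id shape and the KMail header order are inferred from this one sample, not taken from KMail itself; the five-minute clock-skew tolerance and the constructed "forged" copy are the example's own choices.

```python
import email
import email.utils
import re
from datetime import timedelta, timezone

# Abridged copy of the header block quoted on this page, used as sample input.
SAMPLE_HEADERS = """\
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing2.securityfocus.com (Postfix) with QMQP
        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
Delivered-To: mailing list forensics@securityfocus.com
Delivered-To: moderator for forensics@securityfocus.com
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
From: YJesus <yjesus@security-projects.com>
To: forensics@securityfocus.com
Subject: New Tool : Unhide
User-Agent: KMail/1.9
MIME-Version: 1.0
Content-Disposition: inline
Date: Thu, 5 Jan 2006 16:41:30 +0100
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-Id: <200601051641.31830.yjesus@security-projects.com>
"""

# Client-generated headers in the order they appear in the sample. This is a
# fingerprint taken from that one message, not a verified KMail 1.9 specification.
KMAIL_SAMPLE_ORDER = ["From", "To", "Subject", "User-Agent", "MIME-Version",
                      "Content-Disposition", "Date", "Content-Type",
                      "Content-Transfer-Encoding", "Message-Id"]

# Constructed forgery: the sample with the Date line moved above Subject.
FORGED_HEADERS = SAMPLE_HEADERS.replace("Subject: New Tool : Unhide\n", "").replace(
    "Date: Thu, 5 Jan 2006 16:41:30 +0100\n",
    "Date: Thu, 5 Jan 2006 16:41:30 +0100\nSubject: New Tool : Unhide\n")

_FROM_CLAUSE = re.compile(r"from (\S+) \((\S+) \[([\d.]+)\]\)")


def parse(raw):
    """Parse a header block; the email package handles folded continuation lines."""
    return email.message_from_string(raw)


def _utc(dt):
    # parsedate_to_datetime returns a naive datetime for the "-0000" zone, which
    # RFC 2822 defines as "no local time information"; treat it as UTC.
    return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)


def received_chain(msg):
    """Received hops in transit order (oldest first).

    Each server prepends its own line, so the last Received header is the first
    hop. The timestamp is whatever follows the final ';' of the line.
    """
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        text = " ".join(line.split())  # collapse folding whitespace
        m = _FROM_CLAUSE.search(text)
        hops.append({
            "helo": m.group(1) if m else None,  # name the sending host claimed
            "rdns": m.group(2) if m else None,  # what the receiving server resolved
            "ip": m.group(3) if m else None,
            "time": _utc(email.utils.parsedate_to_datetime(text.rsplit(";", 1)[-1])),
        })
    return hops


def chronology_problems(hops, skew=timedelta(minutes=5)):
    """(earlier hop, later hop) pairs where the later hop is stamped earlier.

    Beyond a small clock-skew allowance, that means a bad server clock or a
    Received line inserted by hand; either way the chain cannot be taken at face value.
    """
    return [(a["time"], b["time"]) for a, b in zip(hops, hops[1:])
            if b["time"] < a["time"] - skew]


def message_id_matches_date(msg):
    """Compare a <YYYYMMDDHHMM.pid.user@host> Message-Id with the Date header.

    True when the embedded local timestamp equals Date to the minute, False on a
    mismatch, None if the Message-Id is not of that shape (shape inferred from the
    sample header, not taken from KMail's source).
    """
    m = re.fullmatch(r"<(\d{12})\.\d+\.[^@>]+@[^>]+>", msg["Message-Id"].strip())
    if not m:
        return None
    return m.group(1) == email.utils.parsedate_to_datetime(msg["Date"]).strftime("%Y%m%d%H%M")


def order_matches(msg, fingerprint):
    """True if the fingerprinted headers occur in exactly the fingerprint's order.

    A mismatch shows the message did not leave that client unaltered; a match
    proves nothing, since a forger can reproduce any header order.
    """
    wanted = [h.lower() for h in fingerprint]
    seen = [name.lower() for name, _ in msg.items() if name.lower() in wanted]
    return seen == wanted


if __name__ == "__main__":
    msg = parse(SAMPLE_HEADERS)
    hops = received_chain(msg)
    for hop in hops:
        print(hop["time"].isoformat(), hop["ip"], hop["rdns"])
    print("chronology problems:", chronology_problems(hops))
    print("Message-Id agrees with Date:", message_id_matches_date(msg))
    print("sample matches fingerprint:", order_matches(msg, KMAIL_SAMPLE_ORDER))
    print("forged copy matches fingerprint:",
          order_matches(parse(FORGED_HEADERS), KMAIL_SAMPLE_ORDER))
```

Run against the sample, the chain has two hops: the qmail line at 2006-01-05 16:11:57 UTC and the Postfix line at 2006-01-09 15:01:36 UTC. The timestamps are in order, and the gap of almost four days sits between the two Delivered-To lines, which is consistent with the "moderator for forensics@securityfocus.com" line above the second hop. The Message-Id prefix 200601051641 agrees with the Date header to the minute, and the sample matches its own order fingerprint while the copy with Date moved above Subject does not, which, as the text says, shows the copy was altered but says nothing about whether the original is genuine.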

External Links

* Wikipedia entry on email headers: http://en.wikipedia.org/wiki/E-mail#Header