Difference between pages "Email Headers" and "Network forensics"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
(Open Source Network Forensics)
 
Line 1: Line 1:
'''Email Headers''' are lines of [[metadata]] attached to each [[email]] that contain lots of useful information for a [[forensic investigator]]. However, email headers can be easily forged, so they should never be used as the only source of information.
+
'''Network forensics''' is the process of capturing information that moves over a [[network]] and trying to make sense of it in some kind of forensics capacity. A [[network forensics appliance]] is a device that automates this process.
  
== Making Sense of Headers ==
+
There are both open source and proprietary network forensics systems available.
  
There is no single way to make sense of email headers. Some examiners favor reading from the bottom up, some favor reading from the top down. Because information in the headers can be put there by the user's [[Mail User Agent|MUA]], a server in transit, or the recipient's [[Mail User Agent|MUA]], it can be difficult to determine when a line was added.
+
== Open Source Network Forensics ==
  
=== Sender's IP Address ===
+
* [[Snort]]
{{main|IP addresses in webmail messages}}
+
* [[OSSEC]]
Some web-based email providers include the sender's IP address in the message headers. Some do not.
+
* [[Xplico]]
  
=== Mail User Agents ===  
+
== Commercial Network Forensics ==
{{main|List of MUA Header Formats}}
+
===Deep-Analysis Systems===
Every [[Mail User Agent|MUA]] sets up the headers for a message slightly differently. Although some headers are required under the applicable [http://www.faqs.org/rfcs/rfc2822.html RFC], their format and ordering can vary by client. Almost all clients, however, add their headers in a fixed format and order.
+
* Code Green Networks [http://www.codegreennetworks.com Content Inspection Appliance] - Passive monitoring and mandatory proxy mode. Simple to us Web GUI. Linux platform. Uses Stellent Outside In to access document content and metadata.
The examiner can use the format and order for each client to show that messages were forged, but not that they were legitimate. For example, if a message purports to be from [[Apple Mail]] but the order or the headers do not match the [[Apple Mail Header Format]], the message has been forged. If the headers of the message do match that format, however, it does not guarantee that the message was sent by that program.
+
* ManTech International Corporation [http://www.netwitness.com/ NetWitness]
 +
* Network Instruments [http://www.networkinstruments.com/]
 +
* NIKSUN's [[NetDetector]]
 +
* PacketMotion [http://www.packetmotion.com/]
 +
* Sandstorm's [http://www.sandstorm.net/products/netintercept/ NetIntercept] - Passive monitoring appliance. Qt/X11 GUI. FreeBSD platform. Uses forensic parsers written by Sandstorm to access document content and metadata.
  
=== Servers in Transit ===  
+
===Flow-Based Systems===
 +
* Arbor Networks
 +
* GraniteEdge Networks http://www.graniteedgenetworks.com/
 +
* Lancope http://www.lancope.com/
 +
* Mazu Networks http://www.mazunetworks.com/
  
Mail servers can add lines onto email headers, usually in the form of "Received" lines, like this:
+
===Hybrid Systems===
<pre>Received: by servername.recipeienthost.com (Postfix, from userid 506)
+
These systems combine flow analysis, deep analysis, and security event monitoring and reporting.
id 77C30808A; Sat, 24 Feb 2007 20:43:56 -0500 (EST)</pre>
+
* Q1 Labs  http://www.q1labs.com/
  
== Message Id Field ==
+
== Tips and Tricks ==
{{main|Using message id headers to determine if an email has been forged}}. According to the current guidelines for email [http://www.faqs.org/rfcs/rfc2822.html], every message should have a Message-ID field. These id fields can be used to determine if a message has been forged. It is harder, but sometimes possible, to show that a message is authentic using the message id field. Where known, the Message-ID algorithms for known programs are [[List of MUA Header Formats|given on the separate pages for those programs]].
+
  
== Signature Fields ==
+
* The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.
{{main|Using signature headers to determine if an email has been forged}}. Some email programs allow users to sign messages. This gives the recipient some assurance that the sender given in the message really sent the message. Obviously these headers can be used by an examiner for the same purpose.
+
 
+
== Sample Header ==
+
 
+
This is an (incomplete) excerpt from an email header:
+
 
+
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
+
        by outgoing2.securityfocus.com (Postfix) with QMQP
+
        id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
+
Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm
+
Precedence: bulk
+
List-Id: <forensics.list-id.securityfocus.com>
+
List-Post: <mailto:forensics@securityfocus.com>
+
List-Help: <mailto:forensics-help@securityfocus.com>
+
List-Unsubscribe: <mailto:forensics-unsubscribe@securityfocus.com>
+
List-Subscribe: <mailto:forensics-subscribe@securityfocus.com>
+
Delivered-To: mailing list forensics@securityfocus.com
+
Delivered-To: moderator for forensics@securityfocus.com
+
Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
+
From: YJesus <yjesus@security-projects.com>
+
To: forensics@securityfocus.com
+
Subject: New Tool : Unhide
+
User-Agent: KMail/1.9
+
MIME-Version: 1.0
+
Content-Disposition: inline
+
Date: Thu, 5 Jan 2006 16:41:30 +0100
+
Content-Type: text/plain;
+
  charset="iso-8859-1"
+
Content-Transfer-Encoding: quoted-printable
+
Message-Id: <200601051641.31830.yjesus@security-projects.com>
+
X-HE-Spam-Level: /
+
X-HE-Spam-Score: 0.0
+
X-HE-Virus-Scanned: yes
+
Status: RO
+
Content-Length: 586
+
Lines: 26
+
 
+
== External Links ==
+
* [http://en.wikipedia.org/wiki/E-mail#Header Wikipedia entry on email headers]
+

Revision as of 11:43, 3 March 2008

Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity. A network forensics appliance is a device that automates this process.

There are both open source and proprietary network forensics systems available.

Open Source Network Forensics

Commercial Network Forensics

Deep-Analysis Systems

  • Code Green Networks Content Inspection Appliance - Passive monitoring and mandatory proxy mode. Simple to us Web GUI. Linux platform. Uses Stellent Outside In to access document content and metadata.
  • ManTech International Corporation NetWitness
  • Network Instruments [1]
  • NIKSUN's NetDetector
  • PacketMotion [2]
  • Sandstorm's NetIntercept - Passive monitoring appliance. Qt/X11 GUI. FreeBSD platform. Uses forensic parsers written by Sandstorm to access document content and metadata.

Flow-Based Systems

Hybrid Systems

These systems combine flow analysis, deep analysis, and security event monitoring and reporting.

Tips and Tricks

  • The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.