Five on Forensics Page 1 - Craig Ball
Five on Forensics Page 1 - Craig Ball
Five on Forensics Page 1 - Craig Ball
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<str<strong>on</strong>g>Five</str<strong>on</strong>g> <strong>on</strong> <strong>Forensics</strong><br />
© 2002-2008 <strong>Craig</strong> <strong>Ball</strong> All Rights Reserved<br />
Figure 1 shows the source code of an e-mail which I sent using a browser-based Hotmail<br />
account. The e-mail was sent from forensicguru@hotmail.com and addressed to<br />
craig@ball.net, with a cc: to ball@sbot.org. A small photograph in JPG format was attached<br />
to the message.<br />
Before we dissect the e-mail message in Figure 1, note that any e-mail can be divided into<br />
two parts, the header and body of the message. By design, the header details the journey<br />
taken by the e-mail from origin to destinati<strong>on</strong>; but be cauti<strong>on</strong>ed that it’s a fairly simple matter<br />
for a hacker to spoof (falsify) the identificati<strong>on</strong> of all but the final delivery server. Accordingly,<br />
where the origin or originati<strong>on</strong> date of an e-mail is suspect, the actual route of the message<br />
may need to be validated at each server al<strong>on</strong>g its path.<br />
In an e-mail header, each line which begins with the word "Received:" represents the transfer<br />
of the message between or within systems. The transfer sequence is reversed<br />
chr<strong>on</strong>ologically; such that those closest to the top of the header were inserted after those that<br />
follow, and the topmost line reflects delivery to the recipient’s e-mail server. As the message<br />
passes through intervening hosts, each adds its own identifying informati<strong>on</strong> al<strong>on</strong>g with the<br />
date and time of transit.<br />
Tracing an E-Mail’s Incredible Journey<br />
In this header, taken from the cc: copy of the message, secti<strong>on</strong> (A) indicates the parts of the<br />
message designating the sender, addressee, cc: recipient, date, time and subject line of the<br />
message. Though a message may be assigned various identificati<strong>on</strong> codes by the servers it<br />
transits in its journey (each enabling the administrator of the transiting e-mail server to track<br />
the message in the server logs), the message will c<strong>on</strong>tain <strong>on</strong>e unique identifier assigned by<br />
the originating Message Transfer Agent. The unique identifier assigned to this message (in<br />
the line labeled “Message-ID:”) is “Law10-F87kHqttOAiID00037be4@ hotmail.com.” In the<br />
line labeled “Date,” both the date and time of transmittal are indicated. The time indicated is<br />
13:31:30, and the “-0600” which follows this time designati<strong>on</strong> denotes the time difference<br />
between the sender’s local time (the system time <strong>on</strong> the sender’s computer) and Greenwich<br />
Mean Time (GMT), also called Universal Time or UTC. As the offset from GMT is minus six<br />
hours, we deduce that the message was sent from a machine set to Central Standard Time,<br />
giving some insight into the sender’s locati<strong>on</strong>. Knowing the originating computer’s time and<br />
time z<strong>on</strong>e can occasi<strong>on</strong>ally prove useful in dem<strong>on</strong>strating fraud or fabricati<strong>on</strong>.<br />
At (B) we see that although this carb<strong>on</strong> copy was addressed to ball@sbot.org, the ultimate<br />
recipient of the message was ball@EV1.net. How this transpired can be deciphered from the<br />
header data.<br />
The message was created and sent using Hotmail’s web interface; c<strong>on</strong>sequently the first hop<br />
(C) indicates that the message was sent using HTTP from my home network router,<br />
identified by its IP address: 209.34.15.190. The message is received by the Hotmail server<br />
(D), which transfers it to a sec<strong>on</strong>d Hotmail server using SMTP. The first Hotmail server<br />
timestamps the message in Greenwich Mean Time (GMT) but the sec<strong>on</strong>d Hotmail server<br />
<strong>Page</strong> 54