Investigating Email Activities - PowerPoint PPT Presentation

Provided by: scottlk
Slides: 61

Transcript and Presenter's Notes

1
Investigating E-mail Activities
  • Who, What, When, Where, How

Scott L. Ksander, IT Security and Policy, Purdue University, ksander@purdue.edu
2
Some Perspective
  • The average AOL subscriber has 70 minutes of
    connect time per day
  • AOL has 69 million sessions per day
  • AOL handles 2.1 billion messages per day (390
    million emails, 2.1 billion IM sessions) compared
    to USPS 670 million items per day

3
Taking the Initial Report
  • GET THE HEADERS!!!
  • Get as accurate a timeline as possible
  • Timezones are important!! http://tycho.usno.navy.mil/tzonemap.html
  • Be sure the original e-mail is not deleted
  • Simply forwarding e-mail does not preserve the
    headers

4-14
(No Transcript)
15
Right Click
16-21
(No Transcript)
The Initial Report Is VERY Important
  • GET THE HEADERS!!!
  • Get as accurate a timeline as possible
  • Be sure the original e-mail is not deleted

23
So What Do They Do With That Stuff?
  • Think of networking logs as a combination of
    postmarks and Caller ID. Discover and confirm
    information about the mail.
  • Find the physical place where the message
    originated. Try to get logs from that site
  • Find what other mail or activity originated at
    the same place (e.g. practice messages)

24-31
(No Transcript)
32
1. MHS.log / full transaction
03-30-2000.120115 SMTPresponder-2886
03-30-2000.120116 SMTPresponder-2886 connection accepted caller web4105.mail.yahoo.com, address 216.115.104.125
03-30-2000.120116 SMTPresponder-2886 250 herald.cc.purdue.edu G'day web4105.mail.yahoo.com!
03-30-2000.120116 SMTPresponder-2886 …7@yahoo.com
03-30-2000.120116 SMTPresponder-2886 250 sender …07@yahoo.com OK
03-30-2000.120116 SMTPresponder-2886
03-30-2000.120116 SMTPresponder-2886 250 recipient OK
03-30-2000.120116 SMTPresponder-2886 354 Enter mail, end with "." on a line by itself
03-30-2000.120117 SMTPresponder-2886 250 Message received and queued
33
Receipt of Message
03-30-2000.120711 SMTPresponder-25327 220 herald.cc.purdue.edu (MailHub TurboSendmail) ESMTP Service ready
03-30-2000.120711 SMTPresponder-25327 EHLO purdue.edu
03-30-2000.120711 SMTPresponder-25327 connection accepted caller 128.210.90.21, address 128.210.90.21
03-30-2000.120711 SMTPresponder-25327 250-herald.cc.purdue.edu
03-30-2000.120711 SMTPresponder-25327 250-EXPN
03-30-2000.120711 SMTPresponder-25327 250-8BITMIME
03-30-2000.120711 SMTPresponder-25327 250-PIPELINING
03-30-2000.120711 SMTPresponder-25327 250-DSN
03-30-2000.120711 SMTPresponder-25327 250-ETRN
03-30-2000.120711 SMTPresponder-25327 250 SIZE 314572800
03-30-2000.120711 SMTPresponder-25327
03-30-2000.120711 SMTPresponder-25327 250 sender OK
03-30-2000.120711 SMTPresponder-25327
03-30-2000.120711 SMTPresponder-25327 250 recipient OK
03-30-2000.120711 SMTPresponder-25327 354 Enter mail, end with "." on a line by itself
03-30-2000.120711 SMTPresponder-25327 250 Message received and queued
2. l-deliver / local delivery
03-30.120633 l-deliver-19566 delivered to ksander FROM
03-30.120821 l-deliver-8120 delivered to ferd FROM
34
Client       Date     HH  Min  ID        Session
mathb10pc12  3/30/00   0   17  gwebu     1.3644
mathb10pc12  3/30/00   1   44  jmeurer   4.0997
mathb10pc12  3/30/00   5   52  penumach  1.1575
mathb10pc12  3/30/00  11   52  ask       0.1094
mathb10pc12  3/30/00  18   31  taylorkm  0.3903
mathb10pc12  3/30/00  19   19  dougwatt  0.6494
mathb10pc12  3/30/00  20   22  jacques   5.3031

Client       Date     HH  Min  ID        Session
mathb10pc11  3/30/00   0   17  swisker   1.3294
mathb10pc11  3/30/00   1   39  pattersj  0.2511
mathb10pc11  3/30/00   2    2  aakhan    0.5517
mathb10pc11  3/30/00   2   36  aakhan    0.1339
mathb10pc11  3/30/00   2   45  aakhan    0.6622
mathb10pc11  3/30/00   3   26  aakhan    0.9108
mathb10pc11  3/30/00   4   22  aakhan    1.2853
mathb10pc11  3/30/00   5   41  aakhan    1.3719
mathb10pc11  3/30/00  11   58  ask       0.1589
mathb10pc11  3/30/00  18    7  pingma    0.3528
mathb10pc11  3/30/00  18   31  santelik  0.4019 -- a
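The cross-check that slides 23 and 32 to 34 sketch (mail-hub log on one side, lab-client login records on the other) as a worked example. This is added code, not the presenter's: it parses the timestamp and connecting address out of the MHS.log "connection accepted" record, turns the Client/Date/HH/Min/ID/Session rows into time intervals, and lists who was logged into which client when the hub accepted the message. Two assumptions are built in: the Session column is read as a duration in hours, and both logs are taken to be on the same local clock (the slide-3 point about timezones is exactly what breaks this when it is not true); the one-minute slack stands in for ordinary clock skew. The sample rows are copied from the slides, with the caller/address labels spaced out.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, copied from the slides: the "connection accepted"
# record of the MHS.log excerpt (slide 32) and a few rows of the lab-client
# session table (slide 34).
MHS_LOG = (
    "03-30-2000.120116 SMTPresponder-2886 connection accepted "
    "caller web4105.mail.yahoo.com, address 216.115.104.125"
)

SESSION_TABLE = """\
Client       Date     HH  Min  ID        Session
mathb10pc12  3/30/00   5   52  penumach  1.1575
mathb10pc12  3/30/00  11   52  ask       0.1094
mathb10pc12  3/30/00  18   31  taylorkm  0.3903
mathb10pc11  3/30/00   5   41  aakhan    1.3719
mathb10pc11  3/30/00  11   58  ask       0.1589
mathb10pc11  3/30/00  18    7  pingma    0.3528
"""

CONNECTION_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4}\.\d{6}) (?P<proc>\S+) connection accepted "
    r"caller (?P<caller>[^,]+), address (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_connection(line):
    """Parse a 'connection accepted' line: when it happened and who connected."""
    m = CONNECTION_RE.match(line)
    if not m:
        return None
    # MHS.log stamps look like MM-DD-YYYY.HHMMSS (no colons), mail-hub local time
    when = datetime.strptime(m.group("ts"), "%m-%d-%Y.%H%M%S")
    return {"when": when, "process": m.group("proc"),
            "caller": m.group("caller").strip(), "ip": m.group("ip")}


def parse_sessions(table):
    """Turn the Client/Date/HH/Min/ID/Session rows into (start, end) intervals."""
    sessions = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] == "Client":
            continue  # header row or residue
        client, date, hh, mm, user, length = fields
        start = datetime.strptime("%s %s:%s" % (date, hh, mm), "%m/%d/%y %H:%M")
        # Assumption: the Session column is the session length in hours
        end = start + timedelta(hours=float(length))
        sessions.append({"client": client, "user": user, "start": start, "end": end})
    return sessions


def sessions_active_at(sessions, when, slack=timedelta(minutes=1)):
    """Sessions whose interval covers `when`, widened by `slack` for clock skew."""
    return [s for s in sessions if s["start"] - slack <= when <= s["end"] + slack]


def correlate(log_line, table):
    """Return [(client, user), ...] logged in when the SMTP connection arrived."""
    conn = parse_connection(log_line)
    if conn is None:
        return []
    hits = sessions_active_at(parse_sessions(table), conn["when"])
    return [(s["client"], s["user"]) for s in hits]


if __name__ == "__main__":
    conn = parse_connection(MHS_LOG)
    print("connection at %s from %s (%s)" % (conn["when"], conn["caller"], conn["ip"]))
    for client, user in correlate(MHS_LOG, SESSION_TABLE):
        print("active lab session at that time: %s on %s" % (user, client))
```

A hit in the session table is a lead, not proof: the hub accepted this message from a Yahoo webmail server (216.115.104.125), so tying that webmail session to a particular lab machine still needs the provider's own logs, which is the "try to get logs from that site" step on slide 23.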
35
Data, Subpoenas, and Search Warrants
  • AOL handles 75 search warrants per month
  • AOL handles 1000-1200 subpoenas per month
  • Check with ISP BEFORE you send the subpoena or
    warrant regarding effect on account and
    notification

36
Data, Subpoenas, and Search Warrants
  • AOL options
  • Access read, sent and deleted. No
    indication to user and account still open
  • Access unread. User may notice items indicated
    as read. Account still open.
  • Access all and freeze the account

37
AOL Data Retention
  • Basic Subscriber Information 6-12 months
    (including log on/off times)
  • Unread and Sent Mail 28 Days
  • Read Mail 2 days
  • Member Internet Protocol (IP) Addresses 60 - 90
    days
  • Proxy Server IP up to 7 days max (sometimes 1
    or 2 days)
  • IP connection Log Data 60-90 days
  • AIM IP Connection Log Data 10 days

38
Handouts
  • AOL Info for Law Enforcement
  • ISP List

39-48
(No Transcript)
49
Right here in Lafayette??
50-54
(No Transcript)
55
Microsoft Mail Internet Headers Version 2.0
Received: from pier.ecn.purdue.edu (128.46.154.98) by sevenofnine.borg with Microsoft SMTPSVC(5.0.2195.6713);
    Thu, 15 Apr 2004 14:02:46 -0500
Received: from moeller.de (node1e8ab.a2000.nl [24.132.232.171])
    by pier.ecn.purdue.edu (8.12.10/8.12.10) with SMTP id i3FJ2YHj022127
    for <…>; Thu, 15 Apr 2004 14:02:39 -0500 (EST)
Message-ID: <…r.de>
From: "Matt Langston" <…>
To: ask@ecn.purdue.edu
Subject: (6)It works or you don't pay(961)
Date: Fri, 16 Apr 2004 11:11:17 +0000
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned-ECN: by AMaVIS version 11 (perl 5.8) (http://amavis.org/)
Return-Path: mattlangstonrd@0123auto.de
X-OriginalArrivalTime: 15 Apr 2004 19:02:46.0800 (UTC) FILETIME=[3D512100:01C4231C]

56
Microsoft Mail Internet Headers Version 2.0
Received: from omni.cc.purdue.edu (128.210.9.121) by sevenofnine.borg with Microsoft SMTPSVC(5.0.2195.6713);
    Thu, 8 Apr 2004 11:30:03 -0500
Received: from tibas-a385.racsa.co.cr (tibas-a385.racsa.co.cr [196.40.89.200])
    by omni.cc.purdue.edu (8.12.10/8.12.10) with ESMTP id i38GTVNv029521
    for <…>; Thu, 8 Apr 2004 11:29:49 -0500 (EST)
Received: from unknown (HELO localhost) (127.0.0.1)
    by localhost.ioxu.com with SMTP; Thu, 8 Apr 2004 10:15:29 -0700
Received: from 24.30.67.21 (24.30.67.21 [24.30.67.21])
    by tibas-a385.racsa.co.cr (IMP) with HTTP
    for <…>; Thu, 8 Apr 2004 10:15:29 -0700
Message-ID: <…r>
From: "Rasmus" <…>
To: "Oswald" <…>
Subject: Meet Single Russian Women or Get Cuban Cigars
Date: Thu, 8 Apr 2004 10:15:29 -0700
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

57
Microsoft Mail Internet Headers Version 2.0
Received: from usstp10.itcs.purdue.edu (128.210.5.249) by sevenofnine.borg with Microsoft SMTPSVC(5.0.2195.6713);
    Sun, 18 Apr 2004 08:17:47 -0500
Received: from 81-188-21-234.adsl.easynet.be (81-188-21-234.adsl.easynet.be [81.188.21.234])
    by usstp10.itcs.purdue.edu (8.12.10/8.12.10/scan-smtp) with SMTP id i3IDHcsl018802;
    Sun, 18 Apr 2004 08:17:41 -0500
Date: Sun, 18 Apr 2004 08:17:38 -0500
From: YXOEFKIEDXAE@hotmail.com
Message-Id: <…tcs.purdue.edu>
MIME-Version: 1.0
X-Originating-IP: 194.13.128.56
X-Originating-Email: ksadler@purdue.edu
X-Sender: ksadler@purdue.edu
Received: from 120.176.241.98 by by1aeolian.tune7.yahoo.com with HTTP; Sat, 17 Apr 2004 11:42:59 GMT
X-Virus-Scanned: by amavisd-new
Bcc:
Return-Path: YXOEFKIEDXAE@hotmail.com
X-OriginalArrivalTime: 18 Apr 2004 13:17:47.0951 (UTC) FILETIME=[8B14ABF0:01C42547]

58
Microsoft Mail Internet Headers Version 2.0
Received: from 1061exfe03.purdue.lcl (128.210.63.225) by EXCH02.purdue.lcl with Microsoft SMTPSVC(6.0.3790.0);
    Fri, 26 Mar 2004 02:04:45 -0500
Received: from filter.purdue.edu (128.210.62.241) by 1061exfe03.purdue.lcl with Microsoft SMTPSVC(6.0.3790.0);
    Fri, 26 Mar 2004 02:03:48 -0500
Errors-To: BOUNCE-xxx40purdue.edu@filter.purdue.edu
Return-Path: BOUNCE-xxx40purdue.edu@filter.purdue.edu
X-Filter-Reason: D1 54 4950279 58EDEF1D3BD31FAB0A8EFE2460D76D36
X-Mail-Filter: Corvigo MailGate 2.0.1-3
Received: from usstp07.itcs.purdue.edu (usstp07.itcs.purdue.edu [128.210.5.246])
    by filter.purdue.edu (Corvigo MailGate) with ESMTP id 7103D161B2
    for <…>; Fri, 26 Mar 2004 02:04:13 -0500 (EST)
Received: from localhost (wm-cpu2.itcs.purdue.edu [128.210.11.234])
    by usstp07.itcs.purdue.edu (8.12.10/8.12.10/scan-smtp) with ESMTP id i2Q74PhN016362
    for <…>; Fri, 26 Mar 2004 02:04:25 -0500
Received: from washdc3-ar8-4-62-075-094.washdc3.dsl-verizon.net (washdc3-ar8-4-62-075-094.washdc3.dsl-verizon.net [4.62.75.94])
    by webmail.purdue.edu (IMP) with HTTP
    for <…>; Fri, 26 Mar 2004 02:04:25 -0500
Message-ID: <…ue.edu>

59
Return-Path: <…>
Received: via tmail-2002(14) for sta; Sat, 17 Apr 2004 13:04:19 -0500 (EST)
Return-Path: <…>
Received: from usstp10.itcs.purdue.edu (usstp10.itcs.purdue.edu [128.210.5.249])
    by herald.cc.purdue.edu (8.12.10/8.12.10/herald) with ESMTP id i3HI4J84020287
    for <…>; Sat, 17 Apr 2004 13:04:19 -0500 (EST)
Received: from isebelle (thecollegeweb.com [69.26.136.136])
    by usstp10.itcs.purdue.edu (8.12.10/8.12.10/scan-smtp) with ESMTP id i3HI4Hsl004144
    for <…>; Sat, 17 Apr 2004 13:04:18 -0500
Received: from isebelle (127.0.0.1) by isebelle with Microsoft SMTPSVC(5.0.2195.6713);
    Sat, 17 Apr 2004 14:02:25 -0400
thread-index: AcQkpiOf0o03tECFRZeixLNQ1epjaQ
Thread-Topic: Mellisa has invited you to join TheBoilerWeb.com!!
From: <…>
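The header blocks on slides 55 to 59 are read from the bottom Received: line upward, with every timestamp converted to one zone before the hops are compared. The following is an added example, my code rather than the presenter's, that does this for a constructed message modelled on slide 55: the timestamps have their colons restored and the Message-ID and From values the slide did not preserve are replaced by obvious placeholders. For that message it flags the two things worth a second look: the Date: header is later than the first Received: stamp, and the sending host announced itself as moeller.de while the receiving server's reverse lookup gave node1e8ab.a2000.nl. The five-minute tolerance on the Date: check is an arbitrary allowance for sender clock drift.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, modelled on the header block on slide 55: colons restored
# in the timestamps; the Message-ID and From values the slide did not preserve
# are replaced with placeholders.
SAMPLE = """\
Received: from pier.ecn.purdue.edu (128.46.154.98) by sevenofnine.borg with
\tMicrosoft SMTPSVC(5.0.2195.6713); Thu, 15 Apr 2004 14:02:46 -0500
Received: from moeller.de (node1e8ab.a2000.nl [24.132.232.171])
\tby pier.ecn.purdue.edu (8.12.10/8.12.10) with SMTP id i3FJ2YHj022127;
\tThu, 15 Apr 2004 14:02:39 -0500 (EST)
Message-ID: <placeholder@example.invalid>
From: "Matt Langston" <placeholder@example.invalid>
To: ask@ecn.purdue.edu
Subject: (6)It works or you don't pay(961)
Date: Fri, 16 Apr 2004 11:11:17 +0000
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

(body omitted)
"""

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_received(value):
    """Pull the fields an investigator cares about out of one Received: header."""
    text = " ".join(value.split())  # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^()]*)\))?", text)
    m_by = re.search(r"\bby\s+(\S+)", text)
    helo, rdns = None, None
    if m_from:
        helo = m_from.group(1)  # name the sender announced (HELO/EHLO)
        paren = m_from.group(2)
        if paren:
            first = paren.split()[0].strip("[]")
            if not IP_RE.fullmatch(first):  # a name here is the receiver's reverse lookup
                rdns = first
    m_ip = IP_RE.search(text)
    # Everything after the last ';' is the timestamp the receiving host stamped
    when = parsedate_to_datetime(text.rsplit(";", 1)[-1].strip())
    if when.tzinfo is None:  # "-0000" dates come back naive; treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    return {
        "helo": helo,
        "rdns": rdns,
        "ip": m_ip.group(0) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
        "when": when.astimezone(timezone.utc),  # normalise every hop to UTC
    }


def analyze(raw):
    """Return (hops in transit order, list of anomaly descriptions)."""
    msg = message_from_string(raw)
    # Received: headers are prepended, so the bottom one is the first hop
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    anomalies = []
    date_hdr = msg.get("Date")
    if date_hdr and hops:
        sent = parsedate_to_datetime(date_hdr)
        if sent.tzinfo is None:
            sent = sent.replace(tzinfo=timezone.utc)
        sent = sent.astimezone(timezone.utc)
        if sent > hops[0]["when"] + timedelta(minutes=5):
            anomalies.append("Date header (%s) is later than the first Received stamp (%s)"
                             % (sent.isoformat(), hops[0]["when"].isoformat()))
    for i, hop in enumerate(hops):
        if hop["rdns"] and hop["rdns"] != hop["helo"]:
            anomalies.append("hop %d: HELO name %s differs from reverse DNS %s"
                             % (i, hop["helo"], hop["rdns"]))
        if i > 0:
            prev = hops[i - 1]
            if hop["when"] < prev["when"]:
                anomalies.append("hop %d: stamped earlier than hop %d" % (i, i - 1))
            if prev["by"] and hop["helo"] != prev["by"]:
                anomalies.append("hop %d: received from %s but hop %d was handled by %s"
                                 % (i, hop["helo"], i - 1, prev["by"]))
    return hops, anomalies


if __name__ == "__main__":
    hops, anomalies = analyze(SAMPLE)
    for i, hop in enumerate(hops):
        print("hop %d: %s (%s) -> %s at %s" % (i, hop["helo"], hop["ip"], hop["by"], hop["when"]))
    for a in anomalies:
        print("ANOMALY:", a)
```

Only the Received: line written by a server you trust (here the last hop, your own relay) is evidence; everything below it, including the sender's Date: and the X-Originating-* style headers on slide 57, was supplied by the other side and is only as honest as the sender.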

60
Questions? (Before Elvis leaves the building)