Email Investigations - OAS...


Page 1

Computer Crime & Intellectual Property Section

Email Investigations: An Introduction

Al Rees, Trial Attorney

Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, U.S. Department of Justice

Page 2

August 2009, CCIPS, USDOJ

Understanding email basics

Collecting email and associated data

Finding information in email messages

Page 3

Understanding email basics

Collecting email and associated data

Finding information in email messages

Page 4

Requirements for Email

Email application
  Computer-based application
  Web-based email (webmail)
  Generates an email address

Internet connection
  Relies on an Internet Protocol (IP) address

Service provider
  Internet service provider (ISP)
  Webmail service provider

Page 5

Email Address

[email protected]

Page 6

IP Address

149.101.1.120

Page 7

E-Mail Basics

E-mail travels from the sender to the recipient’s host, where it resides on a MAIL SERVER until the recipient retrieves it.

Diagram labels: SENDER’S ISP, INTERNET, RECIPIENT’S ISP

Page 8

Understanding email basics

Collecting email and associated data

Finding information in email messages

Page 9

Evidence of Past Activity – Content

Copies of a previously sent e-mail message may be stored on the
  sender’s system
  recipient’s mail server (even after the addressee has read it)
  recipient’s own machine

Diagram labels: SENDER’S ISP, INTERNET, RECIPIENT’S ISP

Page 10

Evidence of Past Activity – Traffic Data

A record of the e-mail transmission (date, time, source, destination) usually resides in the MAIL LOGS of the
  sender’s system
  recipient’s mail server

Diagram labels: SENDER’S ISP, INTERNET, RECIPIENT’S ISP

Page 11

Gathering Evidence of Past Activity

Evidence on a computer or network
  Search and seizure
  Imaging and analyzing

Evidence with a service provider
  Data preservation or retention
  Ability to provide evidence
  Legal procedures
  International considerations

Diagram label: Legal Process

Page 12

Prospective Evidence – Content

Interception, “wiretap”
  Creates a “cloned” account

Diagram labels: Wiretap Order, INTERNET, SUBJECT’S ISP, SUBJECT’S COMPUTER, LAW ENFORCEMENT COMPUTER

Page 13

Prospective Evidence – Traffic Data

Install a pen/trap at the user’s ISP to discover who corresponds with the user

Diagram labels: INTERNET, SUBJECT’S ISP, Pen/Trap Order, LAW ENFORCEMENT, SUBJECT’S COMPUTER

Page 14

Understanding email basics

Collecting email and associated data

Finding information in email messages

Page 15

Finding Information in Email

Content
  Subject
  Body
  Attachments
  Links

Traffic data
  Sender and recipient
  Routing information
  Date and time

Page 16

Content

Page 17

Content

Subject line

Body

Attachments

Hyperlinks

Page 18

Email Headers

Page 19

Traffic Data

When created

How created

When sent

When received

Who sent and received

Routing

Page 20

Email Analysis: A Starting Point

Iterative process

Generates leads

Direct evidence

Timeline analysis

Page 21

Timeline of Events
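The Traffic Data and Timeline slides describe reading the Received headers to learn when a message was sent, who relayed it and along what route. The following added example (not from the presentation) does that with Python's standard email library on a constructed two-hop message, orders the hops oldest-first, builds the timeline and flags a broken relay chain or a timestamp that runs backwards; hostnames, IPs and times are all made up.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not from the presentation): relays prepend their own
# Received line, so the bottom one is the first hop out of the sender.
RAW_MESSAGE = """\
Return-Path: <sender@example.net>
Received: from mx.example.org (mx.example.org [203.0.113.7])
  by mail.recipient-isp.example (Postfix) with ESMTP id 4F2A1
  for <alice@recipient-isp.example>; Tue, 04 Aug 2009 14:05:31 +0000
Received: from sender-pc.example.net (sender-pc.example.net [198.51.100.23])
  by mx.example.org (Postfix) with ESMTPA id 9B3C2;
  Tue, 04 Aug 2009 14:05:02 +0000
From: "Bob" <sender@example.net>
To: alice@recipient-isp.example
Date: Tue, 04 Aug 2009 14:04:55 +0000
"""

HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)


def received_hops(raw):
    """Return the routing chain oldest-first as (from_host, by_host, timestamp)."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())            # unfold the header
        m = HOP_RE.search(flat)
        when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        hops.append((m.group(1), m.group(2), when))
    return hops[::-1]                           # bottom header = first hop


def timeline(raw):
    """Events oldest-first: the Date header (when composed), then each hand-off."""
    msg = message_from_string(raw)
    events = [("composed (Date header)", parsedate_to_datetime(msg["Date"]))]
    for frm, by, when in received_hops(raw):
        events.append((f"{frm} -> {by}", when))
    return events


def chain_anomalies(hops):
    """Each hop's 'by' host should be the next hop's 'from' host, and time should not run backwards."""
    problems = []
    for (f1, b1, t1), (f2, b2, t2) in zip(hops, hops[1:]):
        if b1 != f2:
            problems.append(f"gap: {b1} handed off but next hop says from {f2}")
        if t2 < t1:
            problems.append(f"timestamp goes backwards at {f2} -> {b2}")
    return problems
```

Received lines are written by whichever server handles the message, so only the hops added by servers you trust (typically the recipient's own) are reliable; earlier lines can be inserted by the sender, which is why the chain check matters.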

Page 22

Issues

Spoofing

Phishing

Spamming

Page 23

In Closing…

Understanding email basics

Collecting email and associated data

Finding information in email messages

…any questions?

Page 24

Al Rees, Trial Attorney, CCIPS

[email protected]
(202) 514-1026