Computer Crime & Intellectual Property Section
Email Investigations: An Introduction
Al Rees, Trial Attorney
Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, U.S. Department of Justice
August 2009
Understanding email basics
Collecting email and associated data
Finding information in email messages
Requirements for Email
Email application: a computer-based application or web-based email (webmail); generates an email address
Internet connection: relies on an Internet Protocol (IP) address
Service provider: an Internet service provider (ISP) or a webmail service provider
IP Address
Example: 149.101.1.120
E-Mail Basics
E-mail travels from the sender to the recipient’s host, where it resides on a mail server until the recipient retrieves it.
(Diagram: sender’s ISP, Internet, recipient’s ISP)
Evidence of Past Activity – Content
Copies of a previously sent e-mail message may be stored on the sender’s system, on the recipient’s mail server (even after the addressee has read it), and on the recipient’s own machine.
(Diagram: sender’s ISP, Internet, recipient’s ISP)
Evidence of Past Activity – Traffic Data
A record of the e-mail transmission (date, time, source, destination) usually resides in the mail logs of the sender’s system and of the recipient’s mail server.
(Diagram: sender’s ISP, Internet, recipient’s ISP)
Gathering Evidence of Past Activity
Evidence on a computer or network: search and seizure; imaging and analyzing
Evidence with a service provider: data preservation or retention; ability to provide evidence; legal procedures; international considerations
(Diagram: legal process)
Prospective Evidence – Content
Interception (“wiretap”): creates a “cloned” account
(Diagram: wiretap order; subject’s ISP, subject’s computer, Internet, law enforcement computer)
Prospective Evidence – Traffic Data
Install a pen/trap at the user’s ISP to discover who corresponds with the user
(Diagram: pen/trap order; subject’s ISP, subject’s computer, Internet, law enforcement)
Finding Information in Email
Content: subject, body, attachments, links
Traffic data: sender and recipient, routing information, date and time
Content
Subject line
Body
Attachments
Hyperlinks
Email Headers
Traffic Data
When created
How created
When sent
When received
Who sent and received
Routing
Email Analysis: A Starting Point
Iterative process
Generates leads
Direct evidence
Timeline analysis
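The traffic-data slides above (who sent and received, routing, when sent and received) and the timeline analysis point here both come down to reading the Received: chain in the email headers. The following is an added example, not part of the original presentation: it parses a constructed message (hostnames under the reserved .invalid TLD, documentation IP ranges), orders the sender's Date: header and every relay hop earliest-first in UTC, and flags any hop whose timestamp runs backwards, which is a lead to check for clock skew or a header the sender inserted.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message. Each mail server prepends its own Received: line,
# so the topmost hop is the most recent and was added by the recipient's server;
# lines further down were added earlier, possibly by systems the sender controls.
RAW_MESSAGE = """\
Received: from mx.example-recipient.invalid (mx.example-recipient.invalid [198.51.100.7])
\tby mailstore.example-recipient.invalid with ESMTP id ABC123;
\tTue, 4 Aug 2009 14:05:31 -0400
Received: from sender-pc.example-sender.invalid ([203.0.113.5])
\tby smtp.example-sender.invalid with ESMTPA id XYZ789;
\tTue, 4 Aug 2009 14:04:58 -0400
Date: Tue, 4 Aug 2009 14:04:30 -0400
From: alice@example-sender.invalid
To: bob@example-recipient.invalid
Subject: meeting notes

Attached are the notes.
"""

HOP_RE = re.compile(r"from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)", re.DOTALL)

def parse_received(value):
    """Pull sending host, receiving host and timestamp out of one Received: header."""
    text = " ".join(value.split())            # unfold continuation lines
    m = HOP_RE.search(text)
    stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
    return {"event": "Received", "from": m.group("frm") if m else None,
            "by": m.group("by") if m else None, "time": stamp.astimezone(timezone.utc)}

def build_timeline(raw):
    """Order the sender's Date: header and every hop earliest-first, in UTC."""
    msg = message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    timeline = [{"event": "Date (sender's client)", "from": None, "by": None, "time": sent}]
    # Received: headers are listed newest-first; reverse them to walk the route forward.
    timeline += [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    return timeline

def check_ordering(timeline):
    """Return indices of events whose timestamp precedes the event before it."""
    return [i for i in range(1, len(timeline))
            if timeline[i]["time"] < timeline[i - 1]["time"]]

if __name__ == "__main__":
    for e in build_timeline(RAW_MESSAGE):
        print(e["time"].isoformat(), e["event"], e["from"] or "", "->", e["by"] or "")
    print("out-of-order events:", check_ordering(build_timeline(RAW_MESSAGE)))
```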
Timeline of Events
Issues
Spoofing
Phishing
Spamming
In Closing…
Understanding email basics
Collecting email and associated data
Finding information in email messages
…any questions?