Forensics After Midterm

Network forensics is a sub-branch of digital forensics focused on monitoring and analyzing network traffic to trace intrusions and attacks, facing challenges like data volume and encryption. It involves various data collection methods, including wire and air tapping, and utilizes logs from devices like routers, firewalls, and authentication servers to gather evidence. The process includes preparation, detection, incident response, preservation, examination, analysis, and presentation phases, while also addressing challenges related to evidence acquisition, content, storage, privacy, and admissibility in legal contexts.


Lecture 8: Network forensics

What is network forensics?

- Sub-branch of digital forensics.
- Monitoring, capturing, recording and analyzing network traffic.
- Purpose: trace intrusions and attacks.
- Data characteristics: deals with volatile and dynamic data.
- Attack vector: usually results from a single unauthorized system entry into the network.
- Network devices involved: data flows in/out of the network over routers, firewalls, switches, proxies, etc.

What are network forensics challenges?

- Source identification: accurately identifying the attacker or unauthorized source.
- Affected equipment/services: determining which network devices or services were exploited (especially in complex environments with multiple interconnected devices).
- Security weaknesses: identifying vulnerabilities in network defenses that allowed the intrusion (e.g. inadequate firewalls or weak access control).
- Data volume and overload: high volumes of data cause delays in processing and analyzing potential threats.
- Encryption: encrypted traffic (HTTPS, VPNs) adds a complex layer to network forensics; investigators struggle to inspect and analyze encrypted data without the decryption keys.
Network forensics data collection methods:

1. Catch-it-as-you-can
2. Stop-look-listen

Sources of Network Evidence

1. Tapping the wire and air

Wire Tapping (Physical Network)

- Definition: captures network traffic for analysis without disrupting network operation. It is commonly used in forensic investigations to collect evidence of potential intrusion or data leakage.
- Process:
  1. A Network TAP (Test Access Point) is placed between two network points (e.g., A and B).
  2. The network cable between these points is replaced by two cables connected to the TAP.
  3. The TAP forwards the traffic to an analyzer for examination.
- Purpose:
  - Identify signs of intrusion, data leakage, or suspicious activities in wired networks.

Air Tapping (Wireless Network)

- Definition: examines traffic in a wireless network using a wireless receptor (e.g., a wireless adapter) connected to an analysis machine.
- Process:
  1. The receptor is tuned to the same channel as the target access point.
  2. It listens to all traffic being broadcast on that channel.
  3. The receptor records all traffic associated with a specific access point or channel.
- Purpose:
  - Monitor and capture wireless network data for analysis of security threats or breaches.

2. CAM Table on a Network Switch

- Definition: a CAM (Content Addressable Memory) table is a dynamic database in network switches that maps MAC addresses to physical switch ports.
- Characteristics:
  - Ensures efficient packet delivery by directing packets only to the intended device.
  - Prevents the packet flooding typical of hubs.
- Port Mirroring:
  - Duplicates traffic from one or more switch ports (or VLANs) and sends a copy to an analysis port.
  - Essential for network forensics, as it enables traffic capture without disrupting normal operations.
- Purpose:
  - Monitor and analyze all communications across VLANs and systems.
  - Detect suspicious activities, unauthorized access, or data breaches.

3. Routing Tables on Routers

- Definition: routers connect multiple networks and forward data packets between them. They use routing tables to determine the path to various destinations on the network.
- Components of Routing Tables:
  - Information about network destinations.
  - Details of the ports or interfaces on the router leading to those destinations.
- Purpose in Network Forensics:
  1. Helps investigators trace the path of network traffic as it moves across routers and networks.
  2. Enables the reconstruction of packet routes to identify:
     - Potential intrusion points.
     - Locations where data may have been leaked.
     - Compromised areas within the network.

4. Dynamic Host Configuration Protocol (DHCP)

- Definition: DHCP is a protocol that assigns IP addresses to devices on the network when they connect.
- Evidence from DHCP Logs:
  - Logs contain:
    - The device's MAC address.
    - The assigned IP address.
    - The timestamp of the connection.
- Purpose in Network Forensics:
  1. Tracks the presence and activity of specific devices on the network.
  2. Identifies unauthorized devices.
  3. Tracks network access patterns.
  4. Detects potential security incidents by analyzing device connection behavior.

5. DNS Server Logs

- Definition: DNS (Domain Name System) translates domain names (e.g., example.com) into IP addresses to enable devices to communicate with servers (DNS resolution).
- Evidence from Logs:
  - Records queried domain names.
  - Tracks requests to malicious or suspicious domains.
  - Identifies patterns of unusual domain names or repeated lookups, which may indicate malware attempting to connect to attacker-controlled domains.
- Purpose in Network Forensics:
  1. Monitor domain name requests to detect suspicious or harmful activity.
  2. Identify potential malware activity by analyzing repeated connections to attacker domains.
  3. Use DNS filtering to block access to malicious or distracting domains:
     - Prevent phishing or malware-based attacks.
     - Enforce business policies by restricting access to non-productive websites.
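The DHCP and DNS evidence above is most useful when combined: a DNS log names a client IP, and the DHCP lease that covered that IP at that moment names the device. The following Python script is an added example (not from the lecture) that does this correlation; the log formats, addresses and the blocklisted domain are constructed for illustration.

```python
"""Attribute suspicious DNS lookups to a device via DHCP lease records.

Added example (not from the lecture): the log formats below are constructed
for illustration and are not those of any particular DHCP or DNS server.
"""
from collections import Counter
from datetime import datetime

# Constructed DHCP lease log, one grant per line: "<ISO time> <ip> <mac>".
# 10.0.0.21 is leased to two different devices during the day.
DHCP_LOG = """\
2024-03-01T08:00:00 10.0.0.21 aa:bb:cc:00:00:01
2024-03-01T08:05:00 10.0.0.22 aa:bb:cc:00:00:02
2024-03-01T09:30:00 10.0.0.21 aa:bb:cc:00:00:03
"""

# Constructed DNS query log: "<ISO time> <client ip> <queried name>".
DNS_LOG = """\
2024-03-01T08:10:00 10.0.0.21 www.example.com
2024-03-01T09:45:00 10.0.0.21 update.bad-example.test
2024-03-01T09:46:00 10.0.0.21 update.bad-example.test
2024-03-01T09:47:00 10.0.0.21 update.bad-example.test
2024-03-01T09:48:00 10.0.0.22 www.example.com
"""

# Constructed blocklist of attacker-controlled names for the example.
SUSPICIOUS_DOMAINS = {"update.bad-example.test"}


def parse_dhcp(text):
    """Return [(timestamp, ip, mac)] sorted by lease time."""
    leases = []
    for line in text.splitlines():
        ts, ip, mac = line.split()
        leases.append((datetime.fromisoformat(ts), ip, mac))
    return sorted(leases)


def parse_dns(text):
    """Return [(timestamp, client_ip, qname)] in log order."""
    out = []
    for line in text.splitlines():
        ts, ip, qname = line.split()
        out.append((datetime.fromisoformat(ts), ip, qname))
    return out


def mac_for(leases, ip, when):
    """Return the MAC that held `ip` at time `when`, or None.

    The latest lease for that IP granted at or before `when` wins, so an IP
    that was re-assigned (10.0.0.21 above) is attributed to the right device.
    """
    holder = None
    for ts, lease_ip, mac in leases:
        if lease_ip == ip and ts <= when:
            holder = mac
    return holder


def suspicious_lookups(dhcp_text, dns_text, blocklist, min_repeats=2):
    """Map repeated lookups of blocklisted names to MAC addresses.

    Returns {(mac, qname): count} for names looked up at least
    `min_repeats` times by the same device; a client IP with no lease on
    record is reported as "unknown-mac" (itself worth investigating).
    """
    leases = parse_dhcp(dhcp_text)
    hits = Counter()
    for ts, client_ip, qname in parse_dns(dns_text):
        if qname not in blocklist:
            continue
        mac = mac_for(leases, client_ip, ts) or "unknown-mac"
        hits[(mac, qname)] += 1
    return {key: n for key, n in hits.items() if n >= min_repeats}


if __name__ == "__main__":
    for (mac, qname), n in suspicious_lookups(DHCP_LOG, DNS_LOG,
                                              SUSPICIOUS_DOMAINS).items():
        print(f"{mac} looked up {qname} {n} times")
```

Note that the three lookups at 09:45-09:47 are attributed to the second holder of 10.0.0.21, not the device that had the address at 08:00.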

6. Authentication Server Logs

- Definition: authentication servers verify user credentials to grant access to applications or systems.
- Evidence from Logs:
  - Logs of all authentication attempts (both successful and unsuccessful).
  - Highlights failed logins, suspicious patterns, or unauthorized access attempts.
- Authentication Processes:
  - Single-Factor Authentication:
    1. The user enters a username and password.
    2. The server compares the credentials to the saved data in its database.
    3. If the credentials match, access is granted.
  - Multi-Factor Authentication:
    1. After username and password verification, a one-time password (OTP) is generated.
    2. The OTP is sent to the user (e.g., via SMS or email).
    3. The user enters the OTP to complete the authentication process.
- Purpose in Network Forensics:
  1. Identify potential intrusion attempts by analyzing failed login attempts.
  2. Track unauthorized access and suspicious user activity.
  3. Strengthen system security by enforcing multi-factor authentication mechanisms.

7. IDS/IPS Logs

- Definition:
  - Intrusion Detection Systems (IDS) monitor network traffic for signs of potential intrusions.
  - Intrusion Prevention Systems (IPS) go a step further by actively blocking detected threats, such as dropping packets or terminating malicious sessions.
- Key Evidence Provided:
  - IP addresses of the source and destination.
  - Port numbers for both source and destination.
  - Matched signatures indicating known attack patterns.
  - Details about ongoing attacks and malware presence.
  - Information on Command and Control (C&C) servers, which direct compromised devices.
- Purpose in Network Forensics:
  - Detect and block malicious activities in real time.
  - Trace the origin of an attack.
  - Analyze patterns to prevent future intrusions.

8. Firewall Logs

- Definition:
  - Firewalls regulate incoming and outgoing network traffic based on predefined security rules.
- Key Evidence Provided:
  - Source and destination IP addresses.
  - Ports used by applications or services.
  - Date and time of connection attempts.
  - Action taken (allowed or blocked).
  - Protocol (e.g., TCP, UDP).
- Purpose in Network Forensics:
  1. Identify unauthorized access: detect unusual or unauthorized IP addresses.
  2. Track intrusion attempts: recognize repeated failed attempts as signs of brute-force attacks or port scans.
  3. Monitor suspicious activity: spot patterns of unusual data transfers or unexpected access.
  4. Incident investigation and response: understand how attackers gained access, what they targeted, and whether data was transferred.

9. Proxy Server Logs

- Definition: proxy servers act as intermediaries between users and the internet, managing requests and responses.
- Key Evidence Provided:
  - Client IP Address: the IP address of the user or device making the request.
  - URL Requested: the specific website or resource the user tried to access.
  - Date and Time: when the request was made.
  - HTTP Method: how the request was made, such as GET or POST.
  - Status Code: the server's response to the request (e.g., 200 for success, 404 for not found).
  - Bytes Transferred: the amount of data sent to or received from the requested site.
- Purpose in Network Forensics:
  1. Track user activity: detect suspicious browsing behavior.
  2. Analyze malware activity: identify compromised devices making connections to malicious domains.
  3. Monitor data theft: detect sensitive data being sent to unauthorized servers.

Summary of the Network Forensic Process Model

1. Preparation and Detection Phase

Preparation Phase:
- Focuses on deploying the necessary tools, such as Intrusion Detection/Prevention Systems (IDPS), firewalls, and packet analyzers.
- Ensures authorization and legal compliance to protect user privacy before deployment.

Detection Phase:
- Tools generate alerts or warnings indicating potential security breaches or policy violations.
- A quick validation process is carried out to confirm whether the suspected activity is indeed an attack.

2. Incident Response and Collection Phase

Incident Response Phase:
- Actions depend on the type of attack and follow organizational and legal policies.
- Applicable when investigations are initiated during an ongoing attack.

Collection Phase:
- The most challenging phase, as network data changes rapidly and cannot be recreated later.
- Requires reliable hardware and software along with effective procedures to collect the maximum evidence while minimizing network disruption.

3. Preservation and Examination Phase

Preservation Phase:
- Ensures the original data is securely stored, with computed hashes to verify its authenticity.
- A copy of the data is used for analysis to prevent tampering with or loss of the original evidence.

Examination Phase:
- Conducts a methodical examination of the preserved data to uncover information hidden or altered by attackers.
- Reduces the high volume of data to focus on the evidence with the highest relevance to the case.

4. Analysis and Investigation Phase

Analysis Phase:
- Evaluates the collected evidence to identify specific indicators of intrusion.
- Utilizes statistical analysis and data mining to reconstruct attack patterns and understand the attack's purpose and methodology.

Investigation Phase:
- Focuses on identifying the attacker based on the analysis results.
- Addresses challenges like IP spoofing or other techniques attackers use to hide their identity.
- Investigation methods depend on the type of attack.

5. Presentation Phase
- The final stage involves compiling the findings into a clear, concise, and legally admissible format.
- Evidence is presented in reports or courtrooms to demonstrate the forensic process and findings.
- Ensures the forensic investigation adheres to legal requirements and supports decision-making.

Network-Based Evidence Challenges

1. Acquisition:
- Locating specific evidence in a network environment is challenging due to the distributed and transient nature of network data.
- Even when evidence is identified, gaining access can be difficult due to technical or security barriers.

2. Content:
- Unlike file systems, which contain comprehensive metadata and structured data, network devices often lack the capacity to store diverse and detailed evidence.

3. Storage:
- Network devices typically do not include secondary or persistent storage, and their storage capacities are limited, making long-term data retention impractical.

4. Privacy:
- Depending on the jurisdiction, legal and privacy issues may arise. Network-based evidence acquisition often involves access to sensitive information, raising privacy concerns.

5. Seizure:
- Seizing network devices can disrupt individuals or organizations significantly more than seizing hard drives. In extreme cases, seizing network equipment can result in an entire network segment being taken offline indefinitely.

6. Admissibility:
- While file system evidence is widely accepted in legal proceedings, network forensics is relatively new. The lack of consistent or clear legal procedures can create challenges for admitting network-based evidence in court.

Lecture 9: Network Attacks

- Sources of Attacks:
  - Network attacks can originate from external or internal sources within a network.
  - Monitoring such attacks is possible using tools like network analyzers (e.g., Wireshark).
- Role of Network Analyzers:
  - Identify unusual patterns or suspicious packet contents.
  - Detect issues such as:
    - Network scans (searching for vulnerabilities).
    - Malformed packets (incorrectly structured data packets).
    - Unusual protocols or applications that are not typically part of the network's operations.
    - Unauthorized conversations or unexpected communication on the network.
- Detection Process:
  - Requires an understanding of what constitutes normal network behavior.
  - Focuses on identifying patterns that deviate from normal activity to spot potential attacks.
- Key Considerations:
  - It is essential to differentiate between malicious attempts (intentional attacks) and network problems (bugs or accidental issues) that can occur for various reasons.

Network Attack Forensics

1. ARP spoofing

What are ARP and ARP Scans?

- ARP (Address Resolution Protocol):
  - Maps IP addresses to MAC addresses within a local network, enabling devices to communicate.
  - Before communication begins, a device sends an ARP request to find the MAC address associated with an IP address.
- ARP Scans (or Sweeps):
  - Used to discover active devices (local hosts) in a network segment.
  - Typically not an attack, but can gather information about the network.
  - Detecting ARP sweeps requires observing incremental patterns from the same device using display filters.

What is ARP Spoofing?

- Definition:
  - A malicious technique where an attacker sends fake ARP messages.
  - The attacker associates their MAC address with the IP address of another device, such as a router or a victim's computer.
- Purpose:
  - Intercept traffic: enables the attacker to eavesdrop on communication between devices.
  - Man-in-the-Middle (MitM) attacks: the attacker can modify or steal data exchanged between two devices.

When to Investigate ARP Activity?

- Normal ARP Operation:
  - ARP requests and replies are normal network functions.
  - Requests from multiple sources are typically not a concern unless excessive.
- Suspicious ARP Behavior:
  1. Many requests from a single device:
     - Could indicate:
       - A management system scanning the network.
       - A malicious device performing reconnaissance.
  2. ARP requests from unknown sources:
     - If the source cannot be identified, it may be a worm or ARP poisoning.
     - Action: begin an investigation.
  3. ARP replies without requests:
     - Replies sent without corresponding requests could signify malicious intent.
     - Action: investigate immediately.
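The three suspicious behaviours above can be checked mechanically over an ARP trace. The Python script below is an added example (not from the lecture): it counts requests per sender MAC, pairs each reply with the request that asked for it, and records which MACs have claimed each IP, which is how the router-impersonation described under ARP spoofing shows up. The trace and the threshold of 50 requests are constructed assumptions.

```python
"""Flag the three suspicious ARP behaviours listed above in a frame summary.

Added example (not from the lecture). Each record is a constructed ARP frame
summary (time_s, op, sender_mac, sender_ip, target_ip), op being "request"
or "reply"; the request threshold is an assumption for the example.
"""
from collections import Counter, defaultdict

ARP_TRACE = [
    # Normal exchange: 10.0.0.1 asks who has 10.0.0.10, and 10.0.0.10 replies.
    (0.00, "request", "aa:aa:aa:00:00:01", "10.0.0.1", "10.0.0.10"),
    (0.01, "reply", "bb:bb:bb:00:00:10", "10.0.0.10", "10.0.0.1"),
    # Unsolicited reply: a second MAC claims the gateway address 10.0.0.1.
    (1.00, "reply", "cc:cc:cc:00:00:99", "10.0.0.1", "10.0.0.10"),
] + [
    # One host walks the subnet sequentially, 1 ms apart: a sweep pattern.
    (2.0 + i * 0.001, "request", "dd:dd:dd:00:00:77", "10.0.0.77", f"10.0.0.{i}")
    for i in range(1, 60)
]


def analyze_arp(trace, request_threshold=50):
    """Return findings keyed by indicator.

    heavy_requesters   : MACs that sent >= request_threshold requests.
    unsolicited_replies: replies for which no earlier request asked the
                         replying IP on behalf of the reply's target.
    ip_mac_conflicts   : IPs advertised (in requests or replies) by more
                         than one MAC, the classic ARP-poisoning symptom.
    """
    requests_by_mac = Counter()
    pending = set()                    # (asked_ip, asker_ip) awaiting a reply
    macs_for_ip = defaultdict(set)
    unsolicited = []

    for t, op, smac, sip, tip in sorted(trace):
        macs_for_ip[sip].add(smac)     # every ARP frame advertises sender ip/mac
        if op == "request":
            requests_by_mac[smac] += 1
            pending.add((tip, sip))
        elif op == "reply":
            if (sip, tip) in pending:
                pending.discard((sip, tip))
            else:
                unsolicited.append((t, smac, sip, tip))

    return {
        "heavy_requesters": {m: n for m, n in requests_by_mac.items()
                             if n >= request_threshold},
        "unsolicited_replies": unsolicited,
        "ip_mac_conflicts": {ip: sorted(macs) for ip, macs in macs_for_ip.items()
                             if len(macs) > 1},
    }


if __name__ == "__main__":
    for indicator, hits in analyze_arp(ARP_TRACE).items():
        print(indicator, hits)
```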

2. ICMP scan

What are ICMP and ICMP Scanning?

- ICMP (Internet Control Message Protocol):
  - Primarily used for network diagnostics (e.g., ping) to check connectivity between devices.
- ICMP Scan:
  - Involves sending ICMP Echo Request messages to multiple hosts to determine which devices are active on the network.
  - Commonly used as a network discovery technique for mapping devices and identifying hosts.
  - ICMP flooding can be an attack, where an attacker floods a network with ICMP Echo Request messages to overwhelm the network or a device.

Impact on Network Structure

- In scenarios with a central server:
  - The central server manages resources for remote sites through a WAN or backbone network.
  - ICMP floods directed at the server can slow down or disrupt services, impacting all remote users relying on the server.

Types of ICMP Scan Attacks

1. ICMP Flood Attack:
   - The attacker floods the target with a high volume of ICMP requests.
   - Overwhelms the target's resources, causing it to slow down, freeze, or crash.
2. Ping of Death:
   - Sends oversized ICMP packets that the target cannot handle, resulting in a system crash or freeze.
3. Smurf Attack:
   - The attacker spoofs the source IP of ICMP requests.
   - Causes all devices on the network to respond to the spoofed IP, flooding the target with replies.

Detection of ICMP Scans and Flooding

1. Massive Ping Requests:
   - Large volumes of ICMP requests sent in a short time frame.
2. Short Time Intervals:
   - Scans are automated, resulting in ICMP packets sent with minimal delay.
3. Multiple ICMP Requests:
   - Unusual patterns, such as multiple timestamp or ping sweep requests from a single source.
4. Traffic Anomalies:
   - Excessive ICMP traffic directed at multiple devices or repeated pings to specific targets.

When to Investigate ICMP Activity

1. Sort by Destination:
   - Examine packets by destination to identify the targeted devices.
2. Look for Timing Patterns:
   - Short intervals between packets indicate automated scanning tools or attacks.
3. Examine Request Patterns:
   - Look for multiple requests originating from a single source, which can signal scanning activity.
4. Check for High-Frequency Pings:
   - Repeated pings or excessive ICMP traffic are red flags for flooding or scanning attempts.
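The four investigation steps above map directly onto a script that groups echo requests by destination and by source and then measures inter-packet gaps and request rates. The Python below is an added example (not from the lecture); the trace mixes ordinary pings, a sweep and a flood against a central server, and the thresholds (20 targets, 200 requests per second, 10 ms gap) are constructed assumptions.

```python
"""Apply the four ICMP investigation steps above to a constructed trace.

Added example (not from the lecture). Records are (time_s, src, dst, kind)
with kind "echo-request" or "echo-reply"; the thresholds are assumptions.
"""
from collections import defaultdict
from statistics import median

ICMP_TRACE = (
    # Normal: a workstation pings the gateway four times, one per second.
    [(t, "10.0.0.5", "10.0.0.1", "echo-request") for t in (0, 1, 2, 3)]
    + [(t + 0.002, "10.0.0.1", "10.0.0.5", "echo-reply") for t in (0, 1, 2, 3)]
    # Sweep: one host probes 10.0.0.1 .. 10.0.0.40 about 1 ms apart.
    + [(10 + i * 0.001, "10.0.0.66", f"10.0.0.{i}", "echo-request")
       for i in range(1, 41)]
    # Flood: 300 requests hit the central server within a third of a second.
    + [(20 + i * 0.001, "10.0.0.99", "10.0.0.200", "echo-request")
       for i in range(300)]
)


def icmp_indicators(trace, sweep_hosts=20, flood_pps=200, fast_gap_s=0.01):
    """Group echo requests by source (step 3) and destination (step 1), then
    apply the timing (step 2) and volume (step 4) checks.

    Returns {"sweeps": {src: {...}}, "floods": {dst: {...}}}.
    """
    by_src = defaultdict(list)   # src -> [(time, dst)]
    by_dst = defaultdict(list)   # dst -> [time]
    for t, src, dst, kind in sorted(trace):
        if kind != "echo-request":
            continue
        by_src[src].append((t, dst))
        by_dst[dst].append(t)

    sweeps = {}
    for src, pkts in by_src.items():
        targets = {d for _, d in pkts}
        times = [t for t, _ in pkts]
        gaps = [b - a for a, b in zip(times, times[1:])]
        automated = bool(gaps) and median(gaps) < fast_gap_s
        if len(targets) >= sweep_hosts and automated:
            sweeps[src] = {"targets": len(targets),
                           "median_gap_ms": round(median(gaps) * 1000, 2)}

    floods = {}
    for dst, times in by_dst.items():
        span = max(times) - min(times)
        rate = len(times) / span if span > 0 else float("inf")
        if len(times) >= flood_pps and rate >= flood_pps:
            floods[dst] = {"requests": len(times), "pps": round(rate)}
    return {"sweeps": sweeps, "floods": floods}


if __name__ == "__main__":
    print(icmp_indicators(ICMP_TRACE))
```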

3. TCP-SYN scan

What is a TCP-SYN Scan?

- Definition:
  - A method used to discover open ports on a target machine.
  - Often employed in reconnaissance or penetration testing to identify ports that are open and listening for connections.
- How it Works:
  - The attacker sends TCP-SYN packets to random TCP ports.
  - The system responds with either:
    - A SYN-ACK packet: indicates the port is open and ready for communication.
    - A RST (Reset) packet: indicates the port is closed.

Attack Scenarios

1. Half-Open Connections:
   - The attacker continues to send SYN packets, leaving many half-open connections on the target device.
   - This can overwhelm the system and disrupt normal operations.
2. Full Connections:
   - The attacker completes the handshake with an ACK packet to establish a full connection.
   - Once connected, the attacker can exploit the open port for malicious purposes.

Detecting TCP-SYN Scans

1. Indicators in Network Traffic:
   - Numerous SYN packets sent from the same source to multiple destination ports.
   - Lack of corresponding ACK packets from the target device under attack.
2. Packet Behavior:
   - A scan often results in the same source and destination addresses in the captured traffic.
   - Traffic logs show repetitive SYN packets without any established connections.

4. DoS and DDoS attacks

- DoS (Denial of Service):
  - An attack aimed at disrupting access to network services by overloading them.
- DDoS (Distributed Denial of Service):
  - Similar to a DoS attack but launched from multiple distributed sources, making it harder to trace and mitigate.

Targets of DoS/DDoS Attacks

1. Communication Lines:
   - Attackers generate overwhelming traffic that floods and blocks the communication lines.
2. Applications and Services:
   - Targets web services, mail servers, etc., by overloading the server to prevent it from serving legitimate client requests.

Characteristics of a DoS Attack

1. Slow Communication Line:
   - When a communication line becomes slow, use port mirroring and tools like Wireshark to analyze the traffic.
2. Traffic Analysis:
   - Traffic logs reveal:
     - Source addresses in ascending order generating traffic to a specific IP (e.g., 94.23.71.12).
     - Time intervals between frames that are unusually short (e.g., 11-12 microseconds).
   - Large numbers of TCP-SYN packets in such a pattern are indicators of a potential DoS attack.

Example: Single MAC Address in DoS

1. Issue:
   - All source addresses might be fake but traced back to a single MAC address.
2. Investigation:
   - Verify IP and MAC addresses to check for spoofing or worms generating false source addresses.
   - Look for SYN scans to identify whether the attack involves incomplete connection handshakes.

Indicators in Forensic Analysis

1. Traffic Pattern:
   - Repeated TCP-SYN packets or unusual traffic directed to one destination.
2. Single MAC Address:
   - Identifying all fake source addresses as originating from a single MAC points to an orchestrated attack.
3. Overwhelmed Services:
   - Services or servers failing to respond due to high traffic loads.

5. Brute force attacks

Definition:
- A brute force attack is a trial-and-error method used to gain unauthorized access to a system or retrieve sensitive information by systematically guessing passwords, organizational server details, or directories.

Types of Observations in Brute Force Attacks:

1. DNS Queries with No Response:
   - Many DNS queries sent without receiving valid responses can indicate an attack or someone attempting to locate non-existent servers.
   - Example: queries directed to dns.icomm.com yielding no reply suggest an attack source.
   - The source of such queries must be identified to trace the origin.
2. HTTP Errors as a Symptom:
   - Unusually high rates of HTTP errors in a short period might signify brute force attempts.
   - Use tools like Wireshark to track statistics for error patterns and their sources.
3. Incorrect Login Attempts:
   - Repeated failed attempts to log in using usernames like root, admin, or administrator.
   - System logs show multiple trials with an increasing number of failed responses.

Detection and Mitigation:

- Detection:
  - Monitor for patterns like:
    - High frequency of queries or login attempts.
    - Excessive error messages in web server logs.
    - Repeated trials targeting specific usernames.
  - Use tools such as Wireshark to analyze traffic and identify anomalies.
- Mitigation:
  - Implement rate limiting to prevent excessive requests.
  - Use multi-factor authentication (MFA) to strengthen login security.
  - Monitor DNS and HTTP logs for early signs of brute force activity.
  - Set up Intrusion Detection Systems (IDS) to flag unusual traffic patterns.
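Observation 3 and the detection bullets above (high-frequency attempts, repeated trials against root/admin/administrator) translate into a sliding-window count over the authentication log. The Python below is an added example (not from the lecture): the log lines are constructed in a syslog-like shape, and the 5-failures-in-60-seconds threshold is an assumption; the same window logic is what a rate limiter would apply.

```python
"""Detect brute-force login patterns in an authentication log.

Added example (not from the lecture). The log lines are constructed in a
syslog-like shape, "<ISO time> auth: <Failed|Accepted> password for <user>
from <ip>"; the 5-failures-in-60-seconds threshold is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_LOG = """\
2024-03-01T10:00:00 auth: Failed password for admin from 198.51.100.7
2024-03-01T10:00:02 auth: Failed password for root from 198.51.100.7
2024-03-01T10:00:04 auth: Failed password for administrator from 198.51.100.7
2024-03-01T10:00:06 auth: Failed password for root from 198.51.100.7
2024-03-01T10:00:08 auth: Failed password for root from 198.51.100.7
2024-03-01T10:00:10 auth: Failed password for root from 198.51.100.7
2024-03-01T10:00:12 auth: Accepted password for root from 198.51.100.7
2024-03-01T10:15:00 auth: Failed password for alice from 10.0.0.12
2024-03-01T10:15:30 auth: Accepted password for alice from 10.0.0.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$")

# Account names the lecture lists as typical brute-force targets.
PRIVILEGED = {"root", "admin", "administrator"}


def parse_auth(text):
    """Return [(timestamp, result, user, ip)]; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]),
                           m["result"], m["user"], m["ip"]))
    return events


def brute_force_sources(events, max_failures=5, window=timedelta(seconds=60)):
    """Sliding-window failure count per source IP.

    Returns {ip: finding} for sources reaching `max_failures` failures inside
    `window`, recording the usernames tried, whether any were privileged
    accounts, and whether a successful login followed (a likely compromise,
    which turns a detection into an incident).
    """
    recent = defaultdict(list)         # ip -> timestamps of failures in window
    users = defaultdict(set)
    flagged = {}
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            users[ip].add(user)
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.pop(0)
            if len(q) >= max_failures and ip not in flagged:
                flagged[ip] = {"first_flagged": ts.isoformat(),
                               "success_after": False}
        elif result == "Accepted" and ip in flagged:
            flagged[ip]["success_after"] = True
    for ip, finding in flagged.items():
        finding["usernames"] = sorted(users[ip])
        finding["privileged_targets"] = bool(users[ip] & PRIVILEGED)
    return flagged


if __name__ == "__main__":
    for ip, finding in brute_force_sources(parse_auth(AUTH_LOG)).items():
        print(ip, finding)
```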

Suspicious Network Traffic

Types of Suspicious Network Traffic:

1. MAC or IP Address Scans:
   - Aim to identify active hosts on the network.
   - These scans probe for devices with specific IP or MAC addresses to gather information about active endpoints.
2. TCP or UDP Port Scans:
   - Attempt to identify active applications and services on the network.
   - These scans target open ports to discover running services or applications that can be exploited.
3. Clear Text Passwords:
   - Passwords sent unencrypted over the network.
   - Commonly seen in File Transfer Protocol (FTP) logins or other insecure communications.
   - Such traffic can be intercepted and read in tools like Wireshark, posing a significant security risk.
4. Password Cracking Attempts:
   - Involve repeated, systematic attempts to guess a password.
   - Typically executed by a single device using brute-force techniques to find the correct combination.
5. Flooding or Denial of Service (DoS) Attacks:
   - High packet-per-second rates are sent to overwhelm one or more hosts.
   - Aim to prevent legitimate users from accessing services by saturating the network.

Network Attack Investigation

1. Update Network Topology

- Details to Obtain:
  - Server IP addresses and IP address ranges in the network.
  - IP addresses of routers, switches, and other communication equipment.
  - Security defense systems (firewalls, IDS/IPS, WAF).
  - Applications allowed over the network and their port numbers.

2. Check Traffic

- Normal:
  - Traffic originates from known addresses and address ranges.
- Suspicious:
  - Traffic from or to unknown addresses.

3. Application and Port Numbers

- Normal:
  - Standard port numbers like 80 (HTTP), 137/8/9 (NetBIOS), 3389 (RDP), 20/21 (FTP), etc.
- Suspicious:
  - Unusual port numbers not associated with valid applications (e.g., RDP packets to a web server).

4. TCP Patterns

- Normal:
  - TCP SYN/SYN-ACK/ACK patterns indicating connection establishment.
  - Reset (RST) for quick tear-down, FIN/FIN-ACK for regular closure.
- Suspicious:
  - Large numbers of SYN packets to single or multiple destinations.
  - Unusual flag combinations like RST/FIN or URG.

5. Massive Traffic

- Normal:
  - Traffic patterns fluctuate and are not fixed in bandwidth usage.
- Suspicious:
  - Fixed bandwidth patterns indicating potential surveillance or misuse (e.g., consistent data transfer rates).

6. Broadcasts

- Normal:
  - Limited NetBIOS, ARP, or DHCP broadcasts occurring occasionally.
- Suspicious:
  - Tens, hundreds, or thousands of broadcasts per second per device.

7. DNS Queries and Responses

- Normal:
  - Standard query-response rates of a few tens per second.
- Suspicious:
  - Excessive DNS queries/responses, or responses without corresponding queries.

Lecture 10: Email Forensics

File Analysis

File analysis is a critical process in digital forensics aimed at understanding the nature of files to extract meaningful artifacts. It involves two primary components:

1. Content Identification
2. Metadata Extraction

1. Content Identification

The goal of content identification is to confirm the file's type and purpose by examining its content, structure, and associated data.

- Purpose: to determine what the file is and who has access to its data.
- File Extensions:
  - Provide hints about file types but can be misleading.
  - Malicious users may change extensions to obfuscate the file's nature.
  - Some files may lack extensions (e.g., temporary or cache files), yet their content may hold critical investigation data.
- File Signatures:
  - These are unique sequences of bytes located in a file's header.
  - Examining a file's signature provides a reliable way to identify its type, especially when the extension has been manipulated.
  - Tools like hex editors can be used to analyze these signatures. For example, a .png file starts with the hexadecimal sequence 89 50 4E 47 ("PNG").
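The signature check described above, carried out in code rather than by eye in a hex editor: the Python below is an added example (not from the lecture) that sniffs a file's header against a small magic-number table and compares the result with the extension the file carries, covering the three cases the text names (matching, renamed, and extensionless files). The table, alias list and sample files are constructed for the example.

```python
"""Identify a file's real type from its header bytes and compare it with
the extension it carries.

Added example (not from the lecture). The magic-number table covers a few
common formats and the sample files are constructed in memory.
"""
import os

# Header signatures (magic numbers). The PNG entry begins with the
# 89 50 4E 47 ("PNG") bytes quoted above, followed by the rest of the
# standard eight-byte PNG signature.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",    # also docx/xlsx/pptx/jar containers
    b"MZ": "exe",            # Windows PE (DOS stub)
    b"\x7fELF": "elf",
}

# Extensions that legitimately map to a detected container type.
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip",
               "jar": "zip", "dll": "exe"}


def sniff(data):
    """Return the type name whose signature matches the start of `data`,
    preferring the longest signature, or None if nothing matches."""
    for sig in sorted(MAGIC, key=len, reverse=True):
        if data.startswith(sig):
            return MAGIC[sig]
    return None


def check_file(name, data):
    """Compare the claimed extension with the sniffed type.

    mismatch is True when both are known and disagree; a missing extension
    or an unknown signature is reported rather than treated as a mismatch.
    """
    ext = os.path.splitext(name)[1].lstrip(".").lower() or None
    claimed = EXT_ALIASES.get(ext, ext)
    detected = sniff(data)
    return {
        "name": name,
        "extension": ext,
        "detected": detected,
        "mismatch": bool(claimed and detected and claimed != detected),
    }


# Constructed sample files: headers followed by filler bytes.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "report.docx": b"PK\x03\x04" + b"\x00" * 16,
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 16,      # executable renamed as PDF
    "cache0001": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # no extension, JPEG data
    "notes.txt": b"Just plain text",
}


def scan_samples(samples=SAMPLES):
    """Run check_file over every sample and return the findings."""
    return [check_file(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for result in scan_samples():
        print(result)
```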
2. Metadata Extraction

Metadata refers to additional information about the file's content and provides context about its origin, usage, and modifications.

- Purpose: to retrieve embedded data that may hold investigative value.
- Tools: specialized tools like ExifTool can extract metadata from various file formats.
- Types of Metadata:
  - Image Metadata: includes dimensions, resolution, camera model, date and time of capture, and color representation.
  - Audio/Video Metadata: contains details such as duration, producer, sample rates, compression, and frame rates.
  - Document Metadata: includes creation, modification, and last printed times.

Email Analysis

- Importance of Emails:
  - Emails are a primary means of communication that have evolved from social usage to corporate requirements.
  - They can be abused through forgery for activities such as spam, threatening messages, or aiding crimes.
- Forensic Importance:
  - Emails can contain incriminating evidence, including unintentional documentation of people's activities.
  - Investigation techniques include:
    - Email header analysis.
    - Evidence collection.
    - Presentation of findings.
    - Building a case.

Email Data Flow

- The user has a client program such as Outlook.
- The client program is configured to work with one or more servers.
- E-mails sent by the client reside on the PC.
- A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers.
- Two standard methods to send and receive e-mail:
  - Client/server applications: a piece of software that runs on the client (user) side and makes requests to the server or accesses information from it.
  - Webmail: an application that runs completely in the user's browser.
- Examples of client/server applications include Microsoft Outlook, Yahoo Messenger and Windows Live.
- Examples of web applications are Google Apps, Gmail, Yahoo Mail and Microsoft Office Live.

Sending an Email:

Receiving an Email:
Protocols:

- Post Office Protocol Version 3 (POP3):
  - Downloads all messages to the local computer.
  - Deletes messages from the email server after download.
- Internet Message Access Protocol (IMAP):
  - Downloads emails but retains a copy on the server.

Working with resident email files vs. webmail

Resident Email:
- Functionality: users can work offline, as emails are stored locally on the device.
- Storage: since emails are stored locally, they are readily accessible for forensic analysis when the computer is seized.

Webmail:
- Functionality: requires internet access to log into the webmail interface via a browser.
- Storage: emails are stored on the webmail provider's server, and no emails are stored on the local device.
- Usage: actions like composing and sending emails involve communication with the webmail server behind the scenes.

Comparison Between POP3 and IMAP Protocols

POP3 (Post Office Protocol version 3):
- Synchronization: one-way synchronization; emails are downloaded from the server to the client and then removed from the server.
- Limitations:
  - Inability to mark messages as read across devices.
  - Sent items cannot be synchronized and are only saved on the originating device.
  - Requires users to manually check for new emails or set up periodic checks.
  - Email organization (e.g., folders) is not synchronized across devices; users must replicate changes on each device individually.
- Usability: suitable for users who access emails on a single device.

IMAP (Internet Message Access Protocol):
- Synchronization: two-way synchronization; emails remain on the server and are accessible from multiple devices.
- Advantages:
  - Changes (e.g., read/unread status, organization) sync across all devices.
  - Emails are stored on the server until explicitly deleted by the user.
  - Sent and received emails are stored remotely, enabling easy access and synchronization.
- Usability: ideal for users who need to access and manage their emails across multiple devices simultaneously.

Email Headers
Email headers provide essential details about the sender, receiver, and
servers involved in an email's journey. These headers serve as a forensic
tool to trace the email's origins and verify its authenticity.
Key Details in Email Headers

1. Logical Address:

o Comprises two parts: the mailbox (before the '@' symbol) and the domain (after the '@').

o Helps identify the user ID and the email server's location.

2. Visibility:

o Most email clients show a short version, but detailed headers (long form) reveal complete routing and metadata information.

3. Clues for Investigation:

o Analyzing email headers can help uncover the true origins of the message, determine the sending program, and detect spoofing attempts.

Common Components of Email Headers

1. Basic Fields:

o To: Displays the recipient's email address and those in CC/BCC.

o Subject: Indicates the email's topic or purpose.

o Message Body: Contains the main email content.

o Content-Type: Shows whether the email includes plain text, HTML, or multimedia.

2. Metadata:

o Date: Timestamp of when the email was sent. Note that the sending device's clock may affect accuracy.

o From: Identifies the sender but can be spoofed by attackers.

o Message-ID: A unique identifier for distinguishing emails globally.

o Received: Lists valid recipient addresses and tracks the email's path across servers, showing timestamps and IP addresses.

3. Security Protocols:

o Received-SPF: Indicates whether the email passes Sender Policy Framework (SPF) checks, a security measure to prevent spam and phishing.

o SPF with DMARC: Works with domain-based authentication to enhance security and prevent fraudulent emails.

Viewing email header example:

Challenges with Message-Id in email forensics


Key Challenges:

1. Optional Field:

o While most mail systems add a Message-ID, it is not mandatory. Some emails may lack this field entirely, complicating forensic investigations.

2. Lack of Standardization:

o There is no universal algorithm for generating Message-IDs. Each email service provider employs its own method, leading to inconsistencies in format and structure.

3. Decoding Complexity:

o Investigators must have a sound understanding of multiple email platforms and their Message-ID formats to decode these identifiers for a comprehensive investigation.

Email spoofing and forged emails
Email Spoofing

 Definition: Email spoofing is a deceptive practice where attackers trick recipients into believing the email is from a trustworthy source, such as a colleague, vendor, or brand.

 Goal: Exploit the recipient's trust to elicit sensitive information or prompt specific actions.

 Example:

o An attacker sends an email pretending to be from PayPal, warning the recipient about a suspended account.

o The email asks the user to click on a link, authenticate, and change their account password.

o If the user complies and enters their credentials, the attacker gains unauthorized access to the account and can steal funds.

 Mechanism:

o Attackers use email API endpoints to specify a sender address, regardless of whether the address is legitimate.

o Outgoing email servers cannot validate the authenticity of the sender address, making it challenging to detect spoofed emails.

Forged Emails

 Definition: Forged emails are a more technical form of email spoofing where attackers manipulate email headers to disguise the true origin of the email.

 Example of Forgery:

o An email appears to be sent from "[email protected]."

o Clues in the email header:

 The "Received" section shows that the email originated from "email.random-company.nl," not Microsoft servers.

 The Received-SPF field is marked as "Fail," indicating the sender's domain does not align with the authorized sending server.

 Indicators of Forgery:

o Inconsistent "Received" sections in the email header.

o SPF (Sender Policy Framework) field failing validation.

o Mismatches between the sender’s domain and the actual email server.

DomainKeys Identified Mail (DKIM)


Definition:

 DKIM (DomainKeys Identified Mail) is a security mechanism used to verify that an email:

1. Was sent by the claimed sender.

2. Was not tampered with during its transit to the recipient.

How It Works:

o When an email is sent, the sender’s mail server creates a unique digital signature.

o This signature is made by taking parts of the email (like its body and some headers) and hashing them (a secure way to make a unique "fingerprint").

o The server then encrypts this "fingerprint" with a private key that only it knows.

o The sender’s domain publishes its public key in its DNS records.

o When the recipient gets the email, their mail server looks up the sender’s public key using the domain in the email.

o It then uses this public key to decrypt the signature and check if it matches the email’s content.

If the signature matches, it confirms the email's authenticity and integrity.

Importance:

 DKIM is widely used alongside SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) for a comprehensive email authentication framework.

 Enhances email security by mitigating spoofing and tampering risks.
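The steps under "How It Works" can be followed part-way offline: the hash of the body that the signer commits to in the bh= tag of the DKIM-Signature header can be recomputed by anyone holding the message, and the selector (s=) and domain (d=) tags tell the verifier which DNS record holds the public key. The Python below is an added example, not the lecture's or any mail library's code. It constructs a DKIM-Signature header for a sample message (domain example.com, selector sel2025, and a b= tag that is an explicit placeholder rather than a real RSA signature), then recomputes the body hash with RFC 6376 "simple" canonicalization to detect body tampering. Checking the b= tag itself needs the public key fetched from the sel2025._domainkey.example.com TXT record and an RSA-SHA256 signature verification, which this offline example does not perform.

```python
import base64
import email
import hashlib


def canonicalize_body_simple(body):
    """RFC 6376 'simple' body canonicalization: CRLF line endings, trailing
    empty lines dropped, and an empty body becomes a single CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n"


def body_hash(body):
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value):
    """Split 'tag=value; tag=value' into a dict; whitespace inside values is only folding."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip()] = "".join(value.split())
    return tags


def signature_tags(raw):
    """Parse the DKIM-Signature tags of a raw RFC 5322 message."""
    return parse_dkim_tags(email.message_from_string(raw)["DKIM-Signature"])


def selector_record_name(tags):
    """DNS TXT name the verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(raw):
    """True if the body still matches the bh= value the signer committed to."""
    msg = email.message_from_string(raw)
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    return body_hash(msg.get_payload()) == tags["bh"]


# Constructed signed message (not from the lecture). bh= is computed the way a
# real signer would; b= is a labelled placeholder, not an RSA signature.
BODY = "Your invoice for May is attached.\n\n"
SIGNED_EMAIL = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;\n"
    "    s=sel2025; h=from:to:subject:date; bh=" + body_hash(BODY) + ";\n"
    "    b=PLACEHOLDER_NOT_A_REAL_SIGNATURE\n"
    "From: [email protected]\n"
    "To: [email protected]\n"
    "Subject: Invoice\n"
    "Date: Mon, 5 May 2025 09:00:00 +0000\n"
    "\n" + BODY
)

if __name__ == "__main__":
    tags = signature_tags(SIGNED_EMAIL)
    print("public key record:", selector_record_name(tags))
    print("signed headers:", tags["h"].split(":"))
    print("body hash intact:", verify_body_hash(SIGNED_EMAIL))
    edited = SIGNED_EMAIL.replace("invoice for May", "invoice for June")
    print("body hash after edit:", verify_body_hash(edited))
```

A body-hash mismatch on its own tells you the body changed after signing (or was never the body that was signed); a matching bh= combined with a failing b= points instead at modified signed headers or a wrong key, which is why verifier error messages normally distinguish the two cases.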
