2 Tracking An Offender

o m
r r .c
b lu
Tracking an rOffender tun
m a
a S
v i
e d
Hawaii Pacific
a r University
IS 6380 S h
i s
if le
hi s
T
We provide unlocked studymaterials from popular websites at affordable price, email enquiries to rishabhk28@live.com
Tracking an Offender m
.c o
r r
With all our connectivity, it is unrealistic to expect b lu
n

rtu
cyber crime incidents to be isolated to a single
system
m a

a S
Cyber sleuths often have to track offenders across
the digital matrix.
v i

e d
Though techniques of network forensics are still
r
undeveloped, must have a discussion of Internet
a
computers. S h
methods that you can use to find leads to suspect
i s

f il e
Tracking offenders on the Internet, we use many of
the same software tools that system and network
hi s administrators use to monitor and test network
T connectivity.
Tracking an Offender m
.c o
r r
Many are included in operating systems, b lu
n

 Most Internet protocols make no provisions for strongly
authentication a rtu
 Services like email and Usenet are based on simpleS m
i a
text-based initiation protocols and basically use the
v
honor system.
e d

a r
Complicates investigations because you cannot
S h
necessarily trust the identification information
contained in Internet messages.
i s

f e
The better you understand the underlying protocols
il
and processes, the better you can evaluate the validity
hi s
of the names and Internet addresses associated with
T Internet communications.
Internet Fundamentals m
.c o
r r
The book is intended to be an introduction to computer b lu
n

rtu
investigations, not a TCP/IP reference.
 The more you understand Internet technology, the better you
will be at investigating network-enabled crime.
m a

a S
The Internet and many private networks use a set of
protocols commonly referred to as TCP/IP,
v i
d
TCP/IP is not specific to any operating system,


r e
It is a set of standards that enables Macs, Windows, Unix,
a
routers, switches, and a variety of mainframe environments
h
S
to communicate with each other.
s

e i
It is not specific to network topology, meaning that Ethernet,
token ring, and wireless networks can also interoperate.

f il
This interoperability is a prerequisite to both modern
hi s
computer crime and investigations.
T
.c o
r r
b lu
n
a rtu
S m
v i a
e d
a r
S h
i s
f il e
hi s
T
.c o
r r
When you send and receive email, b you are lu

tun
dealing with three different addresses, each in a
different layer. a r
 S
MAC (media access control)
m addresses are
v i a
encapsulated in packets.
e d
Outside the LAN segment we have a numeric IP
r

address assigned to it
ha

s S
An IP address is usually written as a series of four
i
numbers in the range 0–255, separated by dots,
e
f il
such as 192.168.0.55.
hi s
T
.c o
r r
Certain IP addresses, or ranges of addresses, are b lu
n

rtu
reserved for special purposes these are "Private
addresses"
 When tracking offenders, if you locate an address within
m a
S
this range you have to determine the suspects' external
a
IP address to locate them.
v i

e d
An Internet address actually contains two parts.

a r
The network portion and the host section is unique

S h
among all the devices using the same network portion.
All IP addresses on the Internet are both unique and
i s
identifiable as being within a specific network.

il e
Private networks use addressing that is unique within
f
hi s
their networks, but any two private networks can use the
same "address space" as long as they are not
T interconnected to each other.
.c o
r r
The uniqueness of addresses and the distinction b lu
n

rtu
between network and host portions of the address make
it practical for routers to know where to route to.
 Routers automatically forward your data packets to m a
S
another network when the destination is not your network
a
instructions v i
based on current conditions and their programmed
e d

a r
The route between any two points can change.

S h
The network part of an Internet address is assigned by
the Internet Assigned Numbers Authority (IANA)

i s
The host part is assigned to individual hosts and devices
il e
by the network owner statically or dynamically
f
hi

s
DHCP makes detective work a little more difficult.
T
Reading Obfuscated IP Addresses m
.c o
r r
b l u
t
 Spammers try to keep their true identitiesun secret
a
otherwise, they would be overwhelmed r by disgruntled
Internet citizens who wish tom retaliate.
 In addition to using a bogus
a S return email address, they
often include obfuscated v i URLs.
 Instead of having adhuman-readable name, or the
r e such as 135.17.243.191, a URL
ina10 Digit Integer Format (base 256), so it
dotted-decimal format
may appear h
s
appears likeS this: http://2280853951.
e i
 To convert this format back into the normal IP format
il you can research the ownership of a Web site.
softhat
 is
Using Windows Calculator in scientific mode (in the
h
T Calculator window, choose View | Scientific).
.c o
r r
Convert 2280853951 to hexadecimal format

b u
l = 87F311BF.
Convert each pair to decimal notation n

r u
t 135.17.243.191
and add the dots:

87 = 135 F3 = 243 11 = 17 BF = 191

Dotted Quad to 10 Digit Decimal m a
(base 256):
Dotted Quad format: A.B.C.DS = 10 Digit Decimal #
a

A(2563) + B(2562) + C(2561)
v i +D=
Example:
e d
185.127.185.152

a r = 185(2563) + 127(2562) + 185(2561) + 152
= 3103784960
The easiestS
h + 8323072 + 47360 + 152 = 3112155544
way to convert is to let ping or traceroute do it for
s ping or traceroute on the 10 Digit Decimal

i
you. Running
e
i
Numberl will resolve its Dotted Decimal notation, showing you
thef dotted quad format equivalent.
his
For example: C:\>ping 2280853951 Pinging 135.17.243.191
T with 32 bytes of data:
.c o
r r
Devices on the same LAN segment are somewhat
b l u on a first-
name basis. They don't formal IP addresses
t un used on the

Internet.
a
A MAC address is used only at the hardwarer layer, so when a
segment by IP address, it has S
m
process or application specifies another device on a network
to be translated into a MAC
address.
v i a
d
It uses the ARP table, which is automatically created by the

e changed by using the ifconfig command in

Address Resolution Protocol ARP
r
MAC address can
Unix h a be
s S
it should also come as no surprise that programs are available
that can irandomly change a MAC


f e
pingilwhich is an acronym uses Internet Control Message
h s
i Moderately savvy Internet criminals may be monitoring all forms
Protocol's ECHO_REQUEST datagram.
T ofdon't

connection to their host, so don't ping someone when you
want that person to know about it.
DNS m
.c o
r r
Domain Name Service (DNS) most humans don't do as well b lu
n

rtu
with numbers, we prefer to use names that can be easily
remembered, spoken, and typed, such as http://www.cia.gov or
http://www.amazon.com.
m a
Domain Name Service (DNS) was developed.
S


v i a
DNS is effectively a huge global database, usable from any
point in the Internet and capable of mapping human-readable
d
names such as http://www.lucent.com to a corresponding
e
numeric IP address.
a r

S h
This process is called domain name resolution and is
controlled by the Internet Corporation for Assigned Names and
i s
Numbers (ICANN) through accredited registrars.

f il e
Many Internet applications perform reverse lookups as a simple
security measure, checking to ensure that the IP address
hi s
associated with an incoming connection attempt is associated
with a registered domain name a weak but useful test.
T
DNS m
.c o
r r
 The domain name server responsible for a particular domain may resolve
b lu
n
rtu
any query with any IP address.
 The IP address may not be one within an IP address range assigned to

that organization, and that doesn't matter.
m a
The owners of a particular domain, such as bubbabbq.com, may choose
S
to host their Web site at someone else's facility. In this case, the specific
a
with the rest of bubbabbq.com.
v i
machine, http://www.billybob.com, won't have an IP address contiguous

e d
Provides a great deal of flexibility, allowing organizations to move their
a r
machines from network to network, changing Web host service providers
or ISPs without having to change their human-readable domain names.

S h
Another type of network tool that will be useful to you in tracking an
offender is one that can be manually used to resolve a domain name.

i s
The classic tool for this purpose, nslookup, is available on Unix, Windows

f il e
NT, and Windows 2000.
You can use nslookup to perform both forward and reverse lookups,
hi s
resolving the IP address associated with a specific host name or
obtaining the name associated with a numeric address.
T
DNS m
.c o
r r
In order to use a domain name, the owner must register it with b lu
n

rtu
the appropriate authority a task that is usually facilitated by an
ISP or one of several online services.

m a
At the time of registration—and ideally whenever it is changed
contact information for a domain administrator.
a S
—the owner of the domain is required to include name and

v i
This person is expected to respond to email messages or
d
telephone calls regarding activities associated with his or her
e
r
domain, these people are frequently not easy to contact.
a

S h
The whois utility can be used to obtain contact information on a
specific domain from a server maintained by the appropriate
i s
Internet naming authority.

f il e
It isn't really verified for accuracy; either through deliberate
deception or an innocent mistake, it is possible to register an
hi s
address and include inaccurate or totally false contact names,
addresses, and phone numbers.
T
DNS m
.c o
r r
After pinging a system that we're researching from a computer b lu
n

rtu
that is not going to resolve to our company in case the suspect
is watching his or her network, perform a whois just to see what
comes up,
m a
S
Some sites enable you to perform a whois over the Web. One of


the most popular is the Sam Spade Web site.
v i a
Another popular and reliable Web-based whois service is
provided by Network Solutions.
e d

a r
After we perform a whois, we like to follow up with an inverse
S h
name server lookup to see what it provides and compare the
results to the whois output.

i s
The inverse lookup can be accomplished on a Unix or Linux
il e
machine (or with software such as NetScanTools Pro for
f
Windows) with either the nslookup or the dig –x command, and
hi s
Sam Spade provides reverse lookup services also.
T
DNS m
.c o
r r
 You can use dig on an IP address like this:
b lu
n
rtu
 dig –x @123.456.789.000 or
dig –x %domainname.com
a

m
dig is an alternative to nslookup, but we usually run nslookup again just

a S
to compare the results to all the previous queries.
After we have obtained contact information using the tools
i


taking to get to their destination.
d v
We usually run traceroute (or tracert) to see what route the packets are

r e
Traceroute sends your packets to the computer you are examining, so
a
don't use it if you don't want to tip off the suspect that you are watching.
h
S
Use the results from traceroute to help confirm or question the results of

whois (see the example in Figure 2-2). For example, if the site is
i s
registered to the Netherlands but traceroute takes a few hops and stops

f il e
at an ISP in Philadelphia, we might suspect that something is amiss.
Be aware that many corporations have their Web sites hosted by an
hi s
ISP, and not necessarily an ISP in their home town—or even their home
country.
T
DNS m
.c o
r r
 [root@intranet root]# traceroute aloha.net
b lu
n
rtu
 traceroute to aloha.net (64.75.176.10), 30 hops max, 38 byte packets
 1 sultan_3750 (10.0.0.44) 0.571 ms 0.541 ms 0.499 ms

m a
2 63.171.107.129 (63.171.107.129) 1.248 ms 1.239 ms 1.288 ms
S
 3 sl-gw2-prl-12-0-ts15.sprintlink.net (160.81.200.41) 3.765 ms 3.762 ms 6.191
ms

v i a
4 sl-bb21-prl-0-0.sprintlink.net (144.232.30.25) 4.952 ms 8.610 ms 3.889 ms
5 sl-bb22-ana-10-0.sprintlink.net (144.232.8.158) 58.750 ms 58.735 ms
d

58.456 ms
r e
a
6 sprint-gw.la2ca.ip.att.net (192.205.32.185) 59.983 ms 59.667 ms 59.441 ms



S h
7 12.123.222.42 (12.123.222.42) 128.777 ms 127.936 ms 127.601 ms
8 tbr1-cl3.sffca.ip.att.net (12.122.10.25) 130.128 ms 127.658 ms 126.998 ms

i s
9 12.122.1.114 (12.122.1.114) 127.904 ms 127.277 ms 137.190 ms

f il e
10 ar6-a3120s3.sffca.ip.att.net (12.123.12.157) 126.177 ms 125.981 ms
125.567 ms
hi

 s
11 12.126.193.18 (12.126.193.18) 126.127 ms 126.276 ms 127.477 ms
12 gr05-hnl-vl200.aloha.net (64.75.159.103) 129.279 ms 128.428 ms 126.576
T 
ms
13 honu.aloha.net (64.75.176.10) 127.431 ms 126.393 ms 126.244 ms
 [root@intranet root]#
Application Addresses m
.c o
r r

b
Internet addresses - application addresses lu
 Email, Web browsing, ICQ, and
n
tu Inter-net Relay
r
Chat (IRC) are just a few ofathe services that
S m
have their own application-specific addressing.
 When you send email,
v i a you know to use a two-
part address that e dincludes both a mailbox and a
domain, such a ras wkruse@computer-
S
forensic.com. h You can't send email to wkruse,
nor can i syou just send it to computer-
if le
forensic.com—you need to specify both in order
isfor a message to reach a destination.
Th
Application Addresses m
.c o
r r
Another ubiquitous form of Internet addressing that b lu
n

rtu
includes both domain- and application-specific
information is the Universal Resource Locators (URLs)
used with Web browsers. m a
a S

provides three types of information. v i
For instance, the URL http://www.lucent.com/services
e d

a r
The letters "http://" indicate the application protocol,
S h
which in this case is Hypertext Transfer Protocol
(HTTP). "http://www.lucent.com," of course, represents
i s
a specific numeric IP address, and "services" points to
f il e
a specific page.
hi s
T
Stalking the Stalker m
.c o
r r
When using programs such as ping, and some of the b lu
n

rtu
scanning tools, keep in mind that their use may easily
tip off even a novice computer crook that he or she is
under investigation. m a
a S

v i
In the online world of spy versus spy, you often use the
same tools to track an intruder that an intruder uses.
e d

a r
Clever attackers are like careful scouts. Those who
S h
suspect that they are being tracked will try to cover
their tracks (see Chapter 10), and they also sometimes
i s
will backtrack to see if someone is following them.

f il e
Skillful hackers carefully monitor systems they've
hi s
compromised for signs of unwelcome attention.
T
.c o
r r
If your goal is to track and catch b your prey, lu

you don't want to be blasting
n
tu away at the
r
suspect's box, especiallyafrom machines
that easily resolve back S mto your company's
name.
v i a
 To use the SONAR
e d analogy, there are both
passive andaractive surveillance techniques.
h
 ping andStraceroute are active and cannot
be hiddeni s from the object of the scan.
if le pings cannot be hidden from the
 While
hi s
object of the ping, it is easy enough to
T perform the scans from a system that isn't
obviously associated with your organization.
.c o
r r
You can maintain a few accounts b with
lu

t un
a dial-up ISP for just this a r purpose.
 When it's time to start S m investigating,
v i
unplug the workstation, a set it for
DHCP, dial ryour ed ISP, and you're off the
companyha network.
s S
e i
 The intruder who has been breaking
f
intoi l CorpNet does not suddenly see
i s
Th CorpNet probing back.
A Dial-Up Session m
.c o
r r
Let's take a look at how a typical b Internet dial- lu

up session works (see Figuretu
n
2-3).
a r
 When you dial to an ISP with
might use a layer 3 protocol S m a modem, you
called Point to
Point Protocol (PPP). v i a
 Referring back to
e d Figure 2-1, layer 3 is the
a r
network layer,
connection, S h and in the case of a dial-up
PPP replaces IP. Connectivity is not
i
automatic, s though.
i l e
 A fdial-up session must first be authenticated,
i s
h and then an IP address is assigned.
T
A Dial-Up Session m
.c o
r r
b lu
n
a rtu
S m
v i a
e d
a r
S h
i s
f il e
hi s
T
A Dial-Up Session m
.c o
r r
The modem at the ISP's Point of Presence (POP) is b lu
n

rtu
directly connected to or even a component within a
router that is designed to accommodate PPP
connections. m a

a S
When a connection attempt occurs, the dial-up router
v i
first prompts the user for a login name and password.

e d
A single ISP may have hundreds of POPs spread over
r
an entire continent it is certainly not practical for each
a
encrypted passwords. S h
dial-up router to maintain a list of all users and their
i s
A centralized directory contains this list, and the
e

f il
RADIUS protocol is used to support the authentication
hi s
request between the dial-up routers and the
centralized user directory.
T
A Dial-Up Session m
.c o
r r
After a user is authenticated to the b ISP, an IP lu

address is dynamically assigned
n
tu to that user
with DHCP. a r
 Although it is possible for S mindividual subscribers
v i a
to have their own permanently assigned IP
addresses, such e dan inefficient use of valuable
a
IP address spacer is virtually unheard of.
S h
 The IP address is almost always associated
s name, allowing reverse lookups.
withea iDNS
 Thef il name will be something generic, such as
i s
h ppp589.city.isp.com.
T
A Dial-Up Session m
.c o
r r
RADIUS is used not just for authentication; it is also used for b lu
n

rtu
accounting.
 The RADIUS server is normally the only ISP device that
m a
maintains records that can be used to track an offender, so it
is very important to your investigation.
a S

v i
The server normally maintains records of every login
attempt, both successful and unsuccessful, and also every
logoff or session end.
e d

a r
This information is necessary so the ISP can keep track of
h
subscriber connection time.
S

i s
The information associated with a RADIUS session also
includes the IP address assigned to a specific login during a
f il e
session, and ISPs often use caller ID to keep track of the
hi s
telephone number used to originate the session.
T
A Dial-Up Session m
.c o
r r
This allows the ISP to determine which login name b lu
n

rtu
was using a specific IP address at a specific time, but
the association of this login with a specific individual is
only as good as the authentication mechanism. m a
a S

v i
Most dial-up accounts authenticate with reusable
passwords, and it is common for cyber criminals to
e d
guess or otherwise steal passwords (most subscribers
a r
have no way of knowing that their accounts are
S h
sometimes being abused by someone else).
 i s
America Online (AOL) users have been especially
f il e
prone to ID theft, and AOL is just one of many ISPs
hi s
that provide free trial accounts that are frequently
T associated with phony names.
A Dial-Up Session m
.c o
r r
Because the RADIUS logs are used for accounting b lu
n

rtu
purposes, an ISP has to maintain them for at least a
one-month billing cycle.
m a

a S
In practice, ISPs keep them for periods of up to a year
billing mistakes. v i
in order to respond to customer complaints about
e d

a r
Even relatively small ISPs are used to responding to
S h
court orders that require providing the Internet
equivalent of a trap and trace record.
i s

f il e
According to Lucent consultant Aaron Higbee, who has
worked with the abuse departments of several large
hi s
Internet service providers:
T
A Dial-Up Session m
.c o
r r
ISPs do not like abusers because their mischief affects the b lu
n

rtu
bottom line and gives the ISP a black eye within the Internet
community.

m
If you want to identify an abuser, these are the necessary a
steps:
a S
1.
v i
Document the abuse with dates, time, time zone, and logs.
2.
e d
Send the logs as a complaint to abuse@isp.com.
3.
a r
Follow up your email with a phone call. (Do not call a tech
support or customer service line.) Ask for the legal
S h
department's fax number or ask to speak directly with the
s
abuse/security department.
i
4.
f e
Fax the same logs to the legal staff and let them know that
il
you will follow up your complaint with a court-ordered
hi s
subpoena for any and all subscriber information including all
captured caller IDs.
T
A Dial-Up Session m
.c o
r r
You must assume the subscriber information is b lu
n

rtu
fraudulent unless the account has a bill payment
history and the session in question can be pinpointed
as originating in the same calling area as the rest of m a
the subscriber's usage history.
a S

v i
If you are lucky, the caller ID will be captured for the
session you are interested in.
e d

a r
You then subpoena the local phone company for
S h
subscriber information for the phone number that was
captured in the caller ID.
i s
Sometimes reverse telephone lookup sites like http://
e

f il
www.anywho.com/rl.html can give you clues as to who
hi s
you are tracking, but the definitive answer will come
from the subpoenaed subscriber information.
T
A Dial-Up Session m
.c o
r r
You might think the biggest problem with obtaining b lu
n

rtu
information from ISPs would be the result of the terms
of service and confidentiality agreements that most
service providers have with their customers. m a
a S

v i
But to the contrary, most service providers are willing
to assist you because they do not want anyone
misusing their system. e d
a r

S h
In a prominent privacy case several years ago, AOL
was sued by a subscriber who accused the company
i s
of illegally providing sensitive personal information to a
f il e
law enforcement agency, so ISPs are now very
hi s
sensitive to the correct legal procedures.
T
A Dial-Up Session m
.c o
r r
When you obtain the information b from the lu

n
tu that the
service provider, keep in mindr
a be completely
subscriber information m can
bogus.
a S
v
 There is little to no
i authentication for any of
d
e associated with the
r
the information
subscriber.ha
S
s of the information is in
 The valuei
if le
determining the telephone number that was
i s
h used to connect to the ISP.
T
A Dial-Up Session m
.c o
r r
If you can obtain the phone number b and the lu

date and time that a session
n
tuwas set up,
r
you are yet another step acloser to finding
your suspect. S m
 You can then start ia
again and try e
v the subpoena process
todfind other connections
a
originating fromr that same phone number.
 This stillS h
might not lead directly to your
suspect,i s but you're getting closer and closer
tofialesuspect who thought he or she was well
ishidden by the free service.
Th
Tracing Email and News
Postings o m
.c r r
Before heading down thenmessaging b lu
path and looking for tracks r t u in the
m a
sand, let's quickly S discuss how these
messaging services v i a operate.
 News groups e dand email are cousins.
a r
 Descending
S h from original siblings on
i
pre-Internets Unix systems, they have
f i l e
continued to evolve in parallel, with
i s
Th much sharing of genetic material.
Postings o m
.c r r
lu

nb attributes:
Both services have the following
tuprotocols that use
 Simple
Internet application
a r
text commands
S m
i a
 Store-and-forward architecture allowing
messages to bevshuttled through a series of
e d
intermediate
a r systems
 Message
S h body composed entirely of
i s characters (7-bit, not 8-bit)
printable
if le
 Human-readable message headers
i s indicating the path between sender and
Th receiver
Postings o m
.c r r
 You'll need the assistance of n b
systems
lu
administrators, perhaps onrteveryu system
the message transited, and
m a they won't be
able to help you unless
a S they have logging
information on their
v i messaging hosts.
 If the originatordwants to cover his or her
r e
h a
tracks, determining the real sender of either
bogus newsS postings or suspicious email
can beischallenging.
if le is probably a bit easier, but email is
 News
ismore common today, so let's start with it.
Th
Tracking Email m
.c o
r r
An email program such as bOutlook, lu

t un
Notes, or Eudora is considered a r a
client application, which S m means that it
is network-enabled v i a software that is
d
intended to einteract with a server.
a r
 In the case
S h of email, it is normal to
interacti s with two different servers: one
forfileoutgoing and one for incoming
i s
h mail.
T
Tracking Email m
.c o
r r
When you want to read email, b your lu

t un
client connects to a mail
a r server using
m
S protocols:
one of three different
v
 Post Office Protocol i a
(POP, not to be
d
e Point of Presence)
confused a rwith
 Internet S h Mail Access Protocol (IMAP)
i s
if le
 Microsoft's Mail API (MAPI)
hi s
T
Internet Email Protocols m
o .c
r r
Post Office Service Protocol
l u
Relevance to Investigation
b
un
Incoming message store only POP
a rt
Must access workstation in order to trace mail.
S m
v i a
d
Storage of all messages (optional) Open: MAPI Copies of both incoming and outgoing
e
messages may be stored on server or
a r
Proprietary: Microsoft MAPI workstation (and server/workstation backup
tapes).
h
Lotus Notes
s S
e i
il
Web-based: send and receive HTTP Incoming and outgoing messages are stored on
s f server, possibly with optional manual download

to workstation.
hi
T
Facilities identify spoofing.
Tracking Email m
.c o
r r
For the purposes of investigation, the protocol used to b lu
n

rtu
gather incoming email from a server is of minimal interest.

m
protocols is that their use affects where mail messages area
The most important thing to understand about these different
stored (as depicted in Table 2-1).
a S

v i
All incoming mail is initially stored on a mail server, sorted
by that mail server into individual mailboxes for access by
the addressee.
e d

a r
POP users have the choice of either downloading a copy of
S h
their mail from their server, or downloading it and
subsequently allowing it to be automatically deleted.
i s
Email that has been read or stored for future use is stored
e

f il
on the computer that is running the email client.
hi

s
IMAP and MAPI users have the option of leaving all their
mail on their mail server.
T
Tracking Email m
.c o
r r
b
There are two major advantages to
lu

t un
r
leaving email stored on
a the server.
 First,
S
all of the storedm email for an
i
entire organization
v a can be easily
backed upefrom d a central location.
a r
 Second,
S h it provides users the flexibility
i s
of accessing their mailboxes from
le
if multiple client machines: office, home,
is through the Web, and so forth.
Th
Tracking Email m
.c o
r r
 b
The implications of this to theninvestigator is
lu
that POP mail users always r tuuse their local
m a
machine for their email archives: copies of
outgoing mail, mail stored
a S in folders for
v i
future reference, deleted mail that hasn't
been purged, all d are stored on the
re
individual's aworkstation.
S
 Organizations h that provide IMAP or MAPI
i
service, s or a proprietary service like Lotus
if le probably store email on the server,
Notes,
i s
although individual users may or may not
Th have the option of storing their email locally.
Tracking Email m
.c o
r r
Outgoing email uses a completely b different lu

protocol called Simple Mailrtu
n
Transfer
Protocol (SMTP).
m a
 Unlike the protocols used
a S to retrieve mail
from a post office,viSMTP doesn't require
any authentication
e d it is much like tossing a
message into a r a mail slot at the post office.
 Servers S h
that accept mail and relay it to other
i s
mail servers are sometimes called mail
if le agents (MTAs), and they also use
transfer
isSMTP.
Th
Tracking Email m
.c o
r r
Your ISP will give you the name bof the mail lu

server that you should userfor
n
tu outgoing mail,
often something along thea lines of
smtp.bobsisp.com. Sm
 The SMTP server that
v i a the ISP uses relays
messages to their
e d destinations.
a r
 Either the destination server recognizes a
messageSas h being addressed to one of its
i s and places it into the appropriate
local users,
if le for that user, or based on a set of
mailbox
isrules, it relays the message on further.
Th
Tracking Email m
.c o
r r
SMTP is a very simple protocol. b lu
n

 Like many Internet protocols, such as HTTP, it consists
of a few simple text-based commands or keywords. a rtu

S
One of the first tricks an Internet hacker learns is how m
i a
to manually send an email message by telneting to
v
port 25, the SMTP port.
e d

a r
Not only is it a fun trick to become a human email
h
forwarder, but it also enables you to put any
S
s
information you want into the headers of the email
i
f il e
message you are sending including fake origination
and return addresses.
hi s
T
Tracking Email m
.c o
r r
Actually, you needn't do this manually b if you lu

want to fake email. tun
r
 When you configure yourapersonal email
client, you tell it what S
m
return address to put
on your outgoing vmail. ia
 You can alwaysdchange that configuration,
r e
h a
but if you want to send only a single
messageScoming from
i s
Pres@whitehouse.gov, it is much easier to
if leone of several GUI-based hacker tools
use
i s
that enable you to quickly send a message
Th with your choice of return addresses.
Tracking Email m
.c o
r r
b
SMTP mail has no strong authentication
lu

tun
and without using PGP or rS/MIME (Secure
Multipurpose Internet Mail
m a Extensions) to
a S
add a digital signature, the level of trust
i message is pretty
associated with avmail
low. e d
a r
S h
 The following steps (our input is in boldface)
s incredibly easy it is to fake the
show ihow
if le address in an Inter-net mail
return
ismessage:
Th
Tracking Email m
.c o
r r
[root@njektd /root]# telnet localhost 25
b lu
n
rtu
Trying 127.0.0.1...
Connected to njektd.com.
Escape character is '^]'.
m a
S
220 njektd.com ESMTP Sendmail 8.9.3/8.9.3; Tue, 5 Dec 2000 17:37:02 – 0500
a
helo
250 OK
v i
mail from: teswt@test.com
e d
250 teswt@test.com Sender ok
rcpt to: you@domain.com
a r
S h
250 you@domain.com Recipient ok
data
354 i s
f il e
Haha-this is a spoofed mail message! .
hi
quit s
250 RAA25927 Message accepted for delivery
T 221 njektd.com closing connection Connection closed by foreign host.
Tracking Email m
.c o
r r
b
The results of this spoofed mail message are lu

tu n
shown in Figure 2-4.
a r
 The test.com domain is just
S m one we made up for
demonstration purposes,
v i a but the email client
reports whatever information it was provided.
e d
a r
S h
i s
f il e
hi s
T
Tracking Email m
.c o
r r
As we'll discuss later in this b chapter, lu

t un
some identification information
a r is
associated with the S m
mail header that is
v
a bit harder to spoof.i a
e d
 As recorded
a r in the following mail
header, S h
we were indeed logged in as
i s
ile
208.164.95.173:
f
hi s
T
Tracking Email m
.c o
r r
b lu
Received: from dhcp-95–173.ins.com ([208.164.95.173]) by n
dtctxexchims01.ins.com with SMTP (Microsoft Exchange Internet Mail
a rtu
Service Version 5.5.2653.13)
id YM4CM2VP; Sun, 10 Dec 2000 08:46:30 -0600 S m
From: teswt@test.com v i a
e d
r
Date: Sun, 10 Dec 2000 09:46:46 -0500 (EST)
a
h
Message-Id: 200012101446.JAA06830@horh1.emsr.lucent.com
S
i s
f il e
hi s
T
Tracking Email m
.c o
r r
When relaying a message from b another lu

n
tuof SMTP also
relay host, current versions
a r
keep track of the IP addressm of the system
connecting to them, and
a S they add that IP
address to the headerv i of the message.
e d
 If you want to r show that a mail message
a a specific computer, the
originatedhfrom
S
s to do so is to investigate the entire
best wayi
if lethat appears in the extended header
path
isinformation.
Th
Tracking Email m
.c o
r r
Although SMTP servers won't perform any authentication b lu
n

rtu
when receiving mail from the client, most Internet mail
servers are configured to accept mail for relay only when
m
that mail originates from a specific range of IP addresses.a

a S
If an ISP does not place any limits on which systems can
v i
connect to the ISP's mail server, allowing it to be used as
a free relay station, it won't take spammers long to find it.
e d

a r
To reduce the amount of spam mail that originates with
their mail servers, most ISPs allow relay connections only
S h
from IP addresses within the range that they assign to
i s
their own subscribers.

f il e
Authentication based just on IP address is very weak, but
for the purposes of preventing unauthorized use of SMTP
hi s
servers, it is adequate.
T
Tracking Email m
.c o
r r
It should come as no surprise that Web-based email is b lu
n

rtu
not only available, but is becoming increasingly
popular.
m a

a S
The Internet browser is rapidly becoming the universal
v i
front end. Web-based email enables users to access
all of their email—both incoming and saved messages
through a Web browser. e d
a r

S h
Not only does this free the user from installing and
configuring an email client on his or her workstation,
i s
but it also means that the user can easily access email
f il e
from any workstation virtually anywhere in the world.
hi
 s
Undoubtedly, many people are accessing free Web-
T based email from work for their personal use.
Tracking Email m
.c o
r r
It also shouldn't come as a surprise that free email b lu
n

rtu
services are being used by some people to hide their
identities.
m a
 For the novice computer criminal, these services
a S
v i
appear to be an easy way to hide their identity, and by
adding at least one more server and involving another
e d
service provider, it certainly does complicate the
a r
association of a mail account with a specific person.
 S h
The only way to find out who the ISP thinks is using a
i s
specific email address is to obtain a subpoena for the
f il e
account information.
hi s
T
Tracking Email m
.c o
r r
If you are working with law enforcement agencies, they b lu
n

rtu
can obtain a subpoena to facilitate their investigation,
or you can obtain a subpoena from a lawsuit (for more
information, see Chapter 12). m a
a S

v i
Fortunately, some providers of free email service are
including the originator's IP address in the header
information. e d
a r

S h
Previously, you would have to subpoena the email
provider and then the originating ISP to determine the
originator.i s

f il e
We recommend issuing a subpoena for the email logs
hi s
from the email provider, but at the same time, you can
T also subpoena the originating ISP.
Tracking Email m
.c o
r r
If investigating a case involving email, you have to b lu
n

rtu
decipher email headers.
If you have never viewed a header before, it might first
a

appear to be gibberish, but once you get the hang of it
and understand how SMTP works, it makes sense.
S m

v i a
The first annoyance you encounter is that most client
email programs hide the header information from the
user.
e d

a r
Depending on the mail client you're using, you may have
S h
to do a little bit of digging to get to the header.
In most programs, if you click File|Properties, an option
s

i
to view the header is displayed.
e

f il
If your particular program provides a different way to
hi s
access header information, consult the Help menu and
documentation or try the company's Web site for
T instructions.
Tracking Email m
.c o
r r
Most users don't want to be bothered b with
lu

n
tuwhich
deciphering email headers,
a r
encourages the email software
S m vendors to
make access to it as
v i a obscure as possible.
e d
 Let's look at Microsoft Outlook Express.
a r
h
 It is a popular email program for many
S
reasons,i s including the fact that it comes free
if leInternet Explorer and recent versions of
with
isWindows
Th
Tracking Email m
.c o
r r
File>Properties b lu
n
a rtu
S m
v i a
e d
a r
S h
i s
f il e
hi s
T
Tracking Email m
.c o
r r
Properties b lu
n
a rtu
S m
v i a
e d
a r
S h
i s
f il e
hi s
T
Tracking Email m
.c o
r r
E-Mail Headers
b lu
n
a rtu
S m
v i a
e d
a r
S h
i s
f il e
hi s
T
Tracking Email m
.c o
r r
 b
examining the headers of thisnmessage, it is lu
clear that both the From address
r tu
(test@testing.org) and the
m a Reply-To address
a S
are fake addresses (another_test@test. org).
 This is a real message
v i that we sent from the
d sending the message,
Internet, but before
e
r the From address to
we first changed
a
"HTCIA NE S h Chapter."
 The Fromi s address is completely arbitrary—it
if le whatever the sender configures into
contains
istheir email program.
Th
Tracking Email m
.c o
r r
The most important tracks are found at the top of the b lu
n

rtu
message.
 In this case, the first line shows the computer that the
message was originally sent from. m a
 While the name of the PC, "mypc," can easily be
a S
v i
spoofed, the IP address that mypc was assigned when
d
we logged on to the ISP is much more difficult to
e
spoof.
a r

S h
While it is not impossible to spoof an IP address, we
i s
are not aware of a case in which one has been
spoofed to counterfeit email.

f il e
The practical details involved in spoofing an IP
hi s
address make it virtually impossible in an email
T transaction, which involves several round trips
between the SMTP server and the connecting system.
Tracking Email m
.c o
r r
Do be aware, though, that the actual sender of the b lu
n

rtu
message could have cracked the system from which it
was sent, and logged on as somebody else.
m a

a S
In this case, the email was sent from a computer in the
v
that relayed the mail, shell.monmouth.com.
i
same domain, monmouth.com, as the SMTP server
e d

a r
Do a whois on the IP address and see if you get
S h
something that matches the purported domains of both
the originating client and the relay server.
i s

f il e
Then follow up using the Dig w/AXFR advanced query,
as shown in Figure 2-8, using NetscanTools.
hi s
T
Tracking Email m
.c o
r r
b lu
n
a rtu
S m
v i a
e d
a r
S h
i s
f il e
hi s
T
Tracking Email m
.c o
r r
 In contrast to Outlook b lu
n
rtu
Express, Microsoft Outlook
(included with Microsoft
Office) places the full email
header information in an
m a
obscure position.
a S
 As shown in Figure 2-9, to
view the header information, v i
you click on View and then
e d
r
Options. Clicking on Message
a
S h
Header seems to be a more
obvious way to access header
i s
information a mistake that we
make all the time but all that
il e
does is hide the To, From, and
f
Subject lines from the
hi s
message itself.
T
Tracking Email m
.c o
r r
b lu
 It does not show you the
n
detailed header information
that you need to track an a rtu
intruder.
S m
 By clicking on Options, you
access the Message v i a
Options window shown in
e d
Figure 2-10. a r
S h
i s
f il e
hi s
T
Tracking Email m
.c o
r r
You've probably already noticed b "Joe lu

n
tu sent to
Anonymous" in the Have replies
a r
field. m
 We faked this deliberately
a S to illustrate how
you cannot believe v i everything you read.
 The only wayre
d
a to extract this information from
this window S h is to select it all (hint: try
i
Control-A),s copy it, and then paste it into a
if ledocument, which we've done in the
text
i s
h following:
T
Tracking Email m
.c o
r r
Received: from hoemlsrv.firewall.lucent.com ([192.11.226.161]) by
b lu
nj7460exch002h.wins.lucent.com with SMTP (Microsoft Exchange Internet Mail Service
Version 5.5.2448.0) id W4VCF23A; Sat, 20 Nov 1999 21:19:10 –0500
n
rtu
Received: from hoemlsrv.firewall.lucent.com (localhost [127.0.0.1]) by
a
hoemlsrv.firewall.lucent.com (Pro-8.9.3/8.9.3) with ESMTP id VAA06660 for
<wgkruse@holmdel.exchange.lucent.com>; Sat, 20 Nov 1999 21:19:10 –0500 (EST)
S m
Received: from shell.?nmouth.com (shell.?onmouth.com [205.231.236.9]) by
hoemlsrv.firewall.lucent.com (Pro-8.9.3/8.9.3) with ESMTP id VAA06652 for
v a
<wgkruse@lucent.com>; Sat, 20 Nov 1999 21:19:09 –0500 (EST)
i
Received: from mypc (bg-tc-ppp961.?onmouth.com [209.191.51.149]) by shell.?
onmouth.com (8.9.3/8.9.3) with SMTP id VAA01448 for <wgkruse@lucent.com>; Sat, 20
Nov 1999 21:17:06 –0500 (EST)
e d
a r
Message-ID: <001401bf33c6$b7f214e0$9533bfd1@mypc>
Reply-To: "Joe Anonymous" <another_test@test.org>
S h
From: "Joe Anonymous" <test@testing.org>
To: <wgkruse@lucent.com>
i s
Subject: test from outlook express
il e
Date: Sat, 20 Nov 1999 21:18:35 –0500
f
MIME-Version: 1.0
hi s
Content-Type: text/plain; charset="iso-8859–1"
Content-Transfer-Encoding: 7bit
T X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3155.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
Tracking Email m
.c o
r r
 This header is longer than it was in our first example. b lu
n
rtu
 This time, the message was relayed through four different servers.
Each time an SMTP server accepts a message, it places a new
a

Received header at the top of message before forwarding it on to
another server or a user mailbox.
S m

ISP account to our ISP account.
v a
In the first message, we intentionally sent the message from our
i

e d
The second message originated externally and then was relayed
mailbox. a r
through the Lucent firewall and to the mail server used to host our

S h
But even with the extra headers, it is still apparent that the original
i s
message was received from: "mypc," and our address at the time
was: ?onmouth.com [209.191.51.149].

f il e
The lines in the header tell a story about where the email message
hi s
has been, when it was there, and when it was delivered to its
destination.
T  It may be a contrived story, but it is still a story. Virtually any of the
headers with the exception of the topmost one could be bogus—it
is up to you to verify each one of them and determine the actual
history of the message.
SMTP Server Logs m
.c o
r r
All email servers have the ability b to maintain lu

logging information. tun
 If available, these logs are a r
m usually a more
a S
reliable source of information than the mail
headers. v i
 Because of thedhigh volume of email traffic,
r e
the ISP may ha not store records for very long.
 SMTP server
s S logs are important tools, used
by both e i ISPs and user organizations to
f i l
troubleshoot email problems and track
i s
h down the unauthorized use of mail.
T
SMTP Server Logs m
.c o
r r
The only way to completely verify the path of the mail b lu
n

rtu
is for the administrator of each host to check the logs
to find that they both sent the message to the recipient
as indicated and that their host received it from a m a
specific IP address.
a S

v i
If you are lucky, you can follow the chain all the way
back to an original IP address.
e d

a r
Examination of the original system, which might need
S h
to be cross-referenced against RADIUS logs and
phone records, is the only way to prove that a specific
i s
message existed at a specific place.

f il e
Accessing this workstation usually requires a court
hi s
order, but once a perpetrator is confronted with having
the incriminating evidence on his or her personal
T computer, a confession is often not far behind.
Usenet m
.c o
r r
Usenet is a vast, distributed bulletin board, consisting of b lu
n

rtu
thousands of hierarchically arranged topics contributed to
and read by millions of people worldwide.
 It was originally developed during a time in which Unix
m a
computers used modems for external connectivity.
a S

v i
Email and even individual files could be sent between
noncontiguous UNIX computers, as long as you knew the
e d
intervening series of connecting systems and chained their
a r
names within the destination mail address (such as ober!
S h
doebling!seismo!krampus!kirk).
Usenet still takes advantage of this same point-to-point
s

i
model, although now it uses the Internet as a transport
e
il
backbone.
f
hi

s
As shown in Figure 2-14, when a post is made, it is
transmitted through a chain of news servers and then it is
T diffused back out through all of the servers in the world that
subscribe to the same newsgroup.
Usenet m
.c o
r r
News Server Hierarchy b lu
n
a rtu
S m
v i a
e d
a r
S h
i s
f il e
hi s
T
Usenet m
.c o
r r
Usenet has adapted itself well to changes in Internet b lu
n

rtu
technology, resulting in a nearly seamless integration
of traditional news readers with email and Web
interfaces. m a

a S
Today, Usenet users have their choice of news clients,
v i
email or Web interfaces, both for posting and for
d
reading news messages (see Figure 2-15).
e

a r
Some Usenet mail gateways are also configured as
S h
email distribution listservers, enabling Internet citizens
to have all the postings for a certain newsgroup
i s
delivered directly to their mailboxes, either a message
il e
at a time or collected periodically into digests.
f
hi

s
The implications to you as the tracker is that your
attempt to research the origin of a news message may
T involve multiple types of servers.
Usenet m
.c o
r r
b lu
n
a rtu
S m
v i a
e d
a r
S h
i s
f il e
hi s
T
Usenet m
.c o
r r
 If you are not familiar withnbUsenet,
lu
and have not configured r t ua client to
a
m place to start
read postings, the Sbest
v
is the original Interneti a archive for
e d
Usenet, the a r DejaNews archives
provided S hby Google.
 An e
i s
if l example search is shown in Figure
i s
h 2-16.
T
Usenet m
.c o
r r
b lu
n
a rtu
S m
v i a
e d
a r
S h
i s
f il e
hi s
T
Usenet m
.c o
r r
Inappropriate material is probably b the most lu

significant use of news that
n
tuyou are likely to
a
encounter in an investigation.
r
S
 Unfortunately, huge amounts
m of
v
pornographic picturesi a are disseminated
through news,eandd it is common for some
a r
corporate employees to download this
h
material,Sexposing their employers to the
risk ofissexual harassment lawsuits.
if le and other binaries, will be found in
 Pictures,
isthe uuencoded format (see Chapter 4).
Th
Usenet m
.c o
r r
Usenet can provide a forum where you can publicly ask b lu
n

rtu
technical questions.
 You may also want to search archived news postings to see
m a
if you can find anything related to one of your suspects or an
organization involved in your investigation.
a S
 Some suspects may be active news posters.
v i
d
Searching for their names on a server such as Google may

e
give you valuable clues to their activities and interests.
r

ha
At times, news postings are directly relevant to an
investigation.
s S

e i
It is not unheard of for disgruntled employees to try to
damage the reputation of their company by making news
f il
posts containing harmful information.
hi
 s
In some cases, it is possible to trace these inappropriate
T postings to IP addresses actually within the corporation.
Tracking Usenet Posts m
o .c
r r
Just like when you are tracking email, you are b l u
n

dependent not only upon the cooperation of all the
rt u
news server administrators relevant to the message
that you are tracking, but you are also dependent upon m a
their having adequate logs.
a S

v i
News volume tends to be very high, so the information
in the logs is extremely volatile.
e d

a r
It is not unusual for a busy Usenet site to turn over
S h
their logs every day, so if you want to track a posting,
your chances of success are slim if you can't do it
i s
within 24 hours.

f il e
The process you follow will be very similar to tracking
hi s
a mail message, and some ISP abuse department
staffers feel that news is easier to trace because, after
T some practice, the bogus header information is
relatively easy to discern.
o .c
r r
Just like when tracking email, you work your way back b l u
n

from the recipient and verify each of the machine
rt u

names in the path.
Either you'll find a bogus connection point, which is m a
probably where the message was inserted, or you'll
a S
v i
actually verify that the message apparently did transit
all of the hosts shown.
e d

a r
If the origination host has a record of the poster, you
S h
can either subpoena that organization for more
information or notify their abuse department.
i s
Let's take a look at the header of a news posting.
e


f il
The following one is an example of a pornographic
hi s
post that has spent quite a lot of time zipping around
T the Internet:
o .c
r r
From: "YourMate" binkie1@xxx.com
b l u
un
Newsgroups: alt.binaries.dominion.erotica, alt.binaries.dominion.erotica.female,
rt
alt.binaries.erotica, alt.binaries.erotica.amateur.female, alt.binaries.erotica.blondes,
a
alt.binaries.erotica.centerfolds
Subject: - FREE CD !!!
Date: Sun, 5 Dec 1999 10:59:38 –0500
Lines: 2484 S m
i
X-Newsreader: Microsoft Outlook Express 4.72.3110.1
v
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
a
NNTP-Posting-Host: dialup599.xxx.com
e d
dialup599.nni.com
a r
Message-ID: 384a8a4b@news.xxx.com X-Trace: 5 Dec 1999 10:52:43 -0500,
S h
Path:news.rdc1.nj.home.com!newshub2.home.com!newshub1.home.com!news.ho me.com!
feeder.via.net!news.idt.net!netnews.com!newspeer1.nac.net!news. newyork.net!
i s
ffx.uu.net!uunet!ams.uu.net!tank.news.pipex.net!pipex!news - lond.gip.net!news.gsl.net!
gip.net!nntp.news.xara.net! xara.net!gxn.net!news.good.net!news.xxx.com!phila-
il e
dialup599.xxx.com
f
Xref: newshub2.home.com alt.binaries.dominion.erotica:30040448
hi s
alt.binaries.dominion.erotica.female:30252819
alt.binaries.erotica:31064499
T alt.binaries.erotica.amateur.female:30199540
alt.binaries.erotica.blondes:30083027
alt.binaries.erotica.centerfolds:30058010
o .c
r r
With the understanding that virtually everything on this b l u
n

header can be faked, each header purportedly
rt u
contains the following:
m a
 From: This is the name and email address of the
a S
original poster.
v i

e d
Newsgroups: In this case, the message was cross-
r
posted to six different news-groups.
a

S h
NNTP-Posting-Host: This is the machine from which
s
the posting was sent. It is usually the same as the
i
f il e
lower rightmost entry in the Path header.
hi s
T
o .c
r r
Message-ID: This is a unique serial number assigned to b l u
n

every post on NNTP servers. The logfile on news.xxx.com
should have an entry that associates this serial number with rt u
a
this specific message and a specific account. This ID should
m
a S
be unique throughout the worldwide Usenet, and it can be
used to cancel messages across all (well, most) news
servers worldwide.
v i

e d
Path: This is the meat of your investigation. In reverse
r
chronological order, it shows every host that the message
a
S h
has transited. The first host, news.rdc1. nj.home.com, is the
host on which this message was received, and it is the only
i s
information in this entire header that you can trust. The
f il e
succeeding hostnames are the hosts that purportedly
relayed this message. The next-to-last host, news.xxx.com,
hi s
is apparently the news server at an ISP, while the final
hostname looks like a dial-up account at that same ISP.
T
o .c
r r
Note that on the preceding header, the domain name in the b l u
n

From field is consistent with the domain name in the NNTP-
Posting-Host and Path fields. rt u

m
If it were not, you would know immediately that someone wasa
attempting to cover his or her tracks.
a S

v i
If they do match, you probably still need to verify the
intermediate hosts, but you can start with the origination
point.
e d

a r
If they don't match, you need to figure out which parts of the
S h
path are real and which are bogus.
It often helps to obtain other copies of the same message
s

i
from other servers (either Google or servers belonging to
e
il
friends of yours) and compare the paths.
f
hi

s
Whatever part of the paths is consistent among the different
news hosts probably contains the actual host at which the
T message was inserted.
o .c
r r
Like mail hosts, Network News Transfer Protocol b l u
n

(NNTP) hosts may or may not accept posts from
rt u
people outside of their organization.
m a

a S
You can test this by telneting to port 119 on that host. If
v i
you cannot connect to that host or you receive a
message that posts are not accepted, odds are lower
e d
that a bogus post was made using that host as the
news server. a r
 S h
However, if you receive a message that indicates you
i s
can connect, it means that other people can connect to
f il e
that host also.
hi
 s
The chances are reduced that the administrator will
T really know who is using the NNTP server.
o .c
r r
 Such a session may look like this: b l u
un
C:> telnet ferkel.piglet.com 119 a rt
m
200 NNTP Service Microsoft® Internet Services 5.00.7515 Version:
S
or
5.0.7515 Posting Allowed
v i a
e d
$ telnet news.isp.com 119 200 mercury2.isp.com Netscape-
a r
Collabra/3.52 17222 NNRP ready (posting ok).
S h

i s
If the host does not accept posts, it may look something like this:
f il e
$ telnet nntp.mindspring.com 119
hi s
502 You are not in my access file. Goodbye.
T
NetBios m
.c o
r r
For historical reasons, Windows computers often use a b lu
n

rtu
protocol called NetBIOS.
 Although originally used only within LANs, NetBIOS has
been extended so that it can run over TCP/IP, allowing
m a
S
organizations to provide Windows file- and print-sharing
a

services across a WAN.
v i
A helpful command to identify a user over a network using
NetBIOS is nbtstat.
e d

a r
nbtstat is a standard component on all current Windows
h
platforms, and a Linux version is also available.8
S

i s
From your remote computer you can run this command
against either the suspect's IP address:
f il e
h
 snbtstat –a 123.456.789.000 or against a specific machine
i name: nbtstat –A suspect.computer.com
T
NetBios m
.c o
r r
nbtstat displays protocol statistics and current TCP/IP b lu
n

rtu
connections using NBT (NetBIOS over TCP/IP). If the remote
computer is reachable over the network, you can receive the
following information:
m a
a S
i
NBTSTAT [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-s] [S] [interval]
d v
-a(adapter status)Lists the remote machine's name table given its name
-A(Adapter status)Lists the remote machine's name table given its IP address
e
.-c(cache)Lists the remote name cache including the IP addresses
r
ha
-n(names)Lists local NetBIOS names.
-r(resolved)Lists names resolved by broadcast and via WINS
S
-R(Reload)Purges and reloads the remote cache name table
s
i
-S(Sessions)Lists sessions table with the destination IP addresses
e
-s(sessions)Lists sessions table converting destination IP addresses to host names via the
f il
hosts file.
RemoteNameRemote host machine name.
hi s
IP address:Dotted decimal representation of the IP address.
Interval:Redisplays selected statistics, pausing interval seconds between each display. Press
T Ctrl+C to stop redisplaying statistics.
NetBios m
.c o
r r
If a user is logged into the computer, you receive b lu
n

rtu
output similar to that shown in Figure 2-17.
 As you can see, it provides the machine name, the
Windows NT domain the computer is registered in (in m a
this case, a domain named "security"), and the MAC
a S
address.
v i

e d
Since the MAC address is unique, it is a positive
r
method of identifying a computer after it has been
a
seized.
S h

i s
Unless the NIC is swapped out, you have a promising
lead that this is the computer you're looking for.

f il e
nbtstat is a handy command because it enables you to
hi s
associate a user with an IP address and then copy and
T paste that information into a document that you can
print.
NetBios m
.c o
r r
b lu
n
a rtu
S m
v i a
e d
a r
S h
i s
f il e
hi s
T
NetBios m
.c o
r r
 We mostly use the nbtstatnbcommand
lu
from within our network r t u
since nbtstat
m a
issues a User Datagram S Protocol
(UPD) request vand ia is blocked by
default on many e d firewalls.
a r
 Don't be hsurprised if you can ping the
S
s but an nbtstat returns "host
system, i
if lefound" on a computer you know to
not
i s
h be a Windows platform.
T
Third Party Programs m
.c o
r r
 If you have the budget, b lu
n
rtu
you can purchase
additional programs
that will do any of the m a
previously discussed
a S
commands for you, v i
usually with a
e d
convenient GUI. a r
 Two of the tools are S h
Neotrace and Netscan i s
f il
Pro (the latter is shown e
i
to the right).
h s
T
.c o
r r
Both can do a traceroute for you, but Neotrace b lu
n

rtu
overlays a map and attempts to geographically plot the

traceroute.
This is a sexy feature, but its utility is questionable. m a
 It appears to map based on the zip code that the
a S
domain names are registered to. v i

e d
It would be more useful if the map could accurately
a r
show where the intermediate routers are located, but it
h
should be apparent to you by now that this information
S
s
is not available.
i

 f e
Both programs are chock-full of capabilities.
il
The NetScanTools Pro version obviously has a few
hi s
more features, but for tracking purposes either will do
T nicely.
.c o
r r
 Essential NetTools b lu
n
(shown in Figure 2-
18) is a set of a rtu
network tools that S m
are especially vi a
e d
useful when
a r
investigating
S h
i
Microsoft networks.s
It includes file
i s
Th
.c o
r r
NBScan: A fast multithreaded NetBIOS scanner for locating b lu
n

rtu
computers that are sharing resources on the network.
Instead of having to manually check each system on the
network individually (nbtstat –a 135.17.243.1, nbtstat –a
m a
a S
135.17.243.2, and so forth), simply enter a beginning
address and an ending address and let NBScan run nbtstat
for you.
v i

e d
NATShell: A user-friendly interface for the popular NetBIOS
r
Auditing Tool (NAT) network-auditing utilities.
a

S h
NetStat: Displays all of a computer's network connections
and monitors external connections to a computer's shared
resources. i s

f il e
You will find this handy set of utilities useful when you
examine networks using Windows file-sharing or Samba on
hi s
Unix.9
T
Whois Help m
.c o
r r
b lu
n
a rtu
S m
v i a
e d
a r
S h
i s
f i l e
Queriessmore than 20

h iServers

T
Whois
For inexperienced
users
Confirm Success m
.c o
r r
When you physically locate what you believe to be b lu
n

rtu
your suspect's computer, verify that its IP and machine
name match that of your suspect.
m a
 If the suspect computer is a Windows computer, use
a S
v i
winipcfg from either the Run box (accessible by
choosing Start | Run) or from a command prompt.
e d

a r
ipconfig /all can also be run from the command line

S h
A drop-down window at the top of the IP configuration
s
enables you to choose the network adapters that you
i
f il e
want to display configuration for.
hi s
T
IDS m
.c o
r r
Intrusion detection systems, usually abbreviated IDS, b lu
n

rtu
are automated mechanisms that are intended to
monitor specific subsystems, providing an alarm when
a suspected unauthorized event is detected. m a
 Although IDS has many practical problems, the
a S
v i
programs are increasingly popular, and in 2000, at
d
least one Internet intruder was captured and brought
e
r
to justice with the assistance of an IDS.
a

S h
At the time of this writing, IDS isn't necessarily a
technology that every forensic technician needs to be
i s
familiar with, but during the next few years, it not only
il e
could become a standard tool in the detection of
f
hi s
Internet intrusions, but could be routinely used to
gather evidence used for successful prosecutions.
T
IDS m
.c o
r r
IDS is applied in one of two places: It is either network b lu
n

rtu
based or host based.
 Network-based systems are a specialized form of network
sniffer.
m a

a S
A network IDS sits on a network segment, viewing all traffic
unauthorized activity. v i
sent to every host on the segment, looking for evidence of
e d
It is common practice to have a single centralized intrusion
r

ha
detection engine that provides logging, and alarm functions
based on the data provided by multiple remote sensors,
S
each located on a different LAN segment.
s

e i
Even on switched networks, at least one port on the switch
f il
can usually be con-figured to provide all of the data being
hi s
sent to each of the individual ports, which is where the
sensor may be placed.
T
IDS m
.c o
r r
Host-based IDS places the detection capability on a b lu
n

rtu
single host, although the trend in host-based IDS is

also to centralize the logging and alerting functions.
Most business units resist having some other business m a
S
unit looking over their shoulder and prefer not to have
a
v i
another organization place security software on their
computers.
e d

a r
Host-based IDS also tends to be more expensive
h
because more devices have to be monitored.
S

i s
Although they are not as convenient to install and
operate as network-based IDS, the host-based
f il e
systems are generally more accurate, having fewer
hi s
false positives and catching a higher percentage of
actual misuses.
T
IDS m
.c o
r r
Intrusion detection systems are usually categorized as b lu
n

rtu
detecting either specific events or changes in patterns.
 Both types have their advantages and disadvantages.
m a
 Event detection systems monitor for specific
a S
i
sequences of events, or sequences, that are
v
d
characteristic of attempts to gain unauthorized access
e
to a system.
a r

S h
A simple example is a system that alerts when a
s
specific number of failed login attempts have occurred.
i

f il e
Commercial network-based IDS might alert when it
detects a sequence of characters used to perform a
hi s
buffer overflow attack against a Linux lpd daemon.
T
IDS m
.c o
r r
These systems are dependent upon an up-to-date database b lu
n

rtu
of attack patterns.
 Although they may be able to log any arbitrary event type,
m
they cannot alarm on events that are not in their database.a

a S
Most commercial network IDS products at the time of this
v i
writing are of this type, and like the users of anti-virus
software, the users of these products regularly download
e d
updated attack fingerprint databases from the publisher.

a r
Host-based IDS, such as the Tripwire product discussed in
S h
Chapter 11, work by regularly checking the consistency of
system files, alerting whenever a security-relevant file has
i
been changed.s

f il e
It is usually not practical to perform such a check on every
hi s
host within an organization, but on those hosts that do have
their files checked for consistency, intrusions are virtually
T always detected.
IDS m
.c o
r r
The other IDS model, the one that detects changes in b lu
n

rtu
patterns, is sort of an artificial intelligence thing.

m a
The theory is that instead of limiting a detection engine just
to the population of known attack types, you create a system
S
that is sufficiently sophisticated to recognize anomalous
a
outside of normal parameters. v i
behavior and alert whenever something happens that is

e d
For instance, say a specific person normally accessed his or
a r
her account between the hours of 9 a.m. and 7 p.m.

S h
An IDS tracks and learns this normal behavior, and if the
user were to access the account in the middle of the night,
i s
the IDS would notify the security administrator that an
il e
unusual event had occurred.
f
hi

s
Obviously, such a system is more prone to false alerts than
one that is based on hostile event fingerprints, but it has the
T significant advantage of being able to detect brand-new
attack forms.
IDS m
.c o
r r
Research on such systems has been ongoing for at b lu
n

rtu
least ten years, and most commercial products rely on
finger-print databases.
m a

a S
While the idea of capturing cyber criminals in the act
v i
should be an appealing one to most computer forensic
types, widespread use of such products won't have a
e
huge effect on what investigators do. d
a r

S h
The biggest advantage to the investigator is that IDS
systems provide new and convenient forms of event
logging. i s

f il e
Once an attack or illegal activity is suspected, the
hi s
logging or recording function on an IDS can be used to
T monitor and record the suspect's behavior.
IDS m
.c o
r r
If you are interested in doing some further research in IDS, b lu
n

rtu
several excellent books are available.

hands-on guide for an analyst.
m a
Stephen Northcutt's, Network Intrusion Detection is the best

a S
In fact, it's a helpful book for a number of network security
v i
issues, and you should probably read it if you want to learn
more about network protocol attacks and their analysis.
e d
Rebecca Bace's Intrusion Detection (Indianapolis: Macmillan
r

ha
Technology Series, 2000) is more theoretical, like a college
textbook, making it a nice contrast to Northcutt's book.
s S
She describes the philosophy and architecture of IDS more
i

comprehensively and provides a complete overview of the
f il e
last ten years of relevant IDS research.
hi

s
If you would like to use a network Intrusion Detection
System but can't afford one of the commercial applications,
T you should take a look at Snort.
Web Resources for Researching
Internet Inhabitants o m
c r .
l u r
 International Registries
n b
 Three international organizations are responsible for the
rt u
administration of IP addresses within their region, so they
should be considered definitive sources.
m a

a S
Each of these organizations has a Web site that provides a
v i
whois interface, in addition to other information helpful in
locating the owner of a specific IP address:
e d
American Registry for Internet Numbers (ARIN): Western
r

a
Hemisphere, http://www.arin.net/whois/arinwhois.html
h

s S
Asia Pacific Network Information Centre (APNIC): Asia-
Pacific, http://www.apnic.net
e i
Reseaux IP Europeens (RIPE): Europe, http://www.ripe.net
il


s f
http://www.samconline.com/Internet.shtml gives links to,
hi APNIC, RIPE, LACNIC, AFRNIC and ARIN
T
c r .
l u r
 Network Diagnostic and Research Sites
n b
 Adhoc IP Tools: This site is a veritable Swiss Army knife of
rt u
Internet tools, providing front ends to a wide variety of
research services (whois, nslookup, ping, DNS dig, and
m a
others), all accessed from a single page:
a S

http://home.ag.org/iptools.htm.
v i
Sam Spade: Also provides a wide variety of research tools,
http://www.samspade.org.
e d

a r
Internet Service Provider lookup: Enables you to search
S h
for ISPs by name, providing a summary of their business
characteristics, http://www.webisplist.com.
i s
Dragon Star: Provides an index, relating IP network
e

f il
numbers to network names and identities. It also includes a
hi s
handy explanation of the IP address numbering scheme and
describes the difference between Class A, B, and C
T networks, http://ipindex.dragonstar.net/index.html.
c r .
l u r
 News and Email Abuse Information
n b
 The spamfaq or "Figuring out fake Email & Posts": This site,
maintained by Gandalf@digital.net, is the most comprehensive rt u
m a
source we're aware of. It has detailed instructions on how to track
both email and news, how to read the message headers in a dozen
S
different mail clients, and how to reach the appropriate abuse
a
v i
contact. It also has a huge number of additional links. It isn't edited
well, but it is worth your time if you really need to understand
d
message headers, http://ddi.digital.net/~gandalf/spamfaq.html.
e

a r
Fighting Email Spammers: A site maintained by Todd Burgess, it
S h
is an excellent source of information on tracking email,
http://eddie.cis.uoguelph.ca/tburgess/local/spam.html.

i s
Fight Spam on the Internet!: Another site with a number of links

f il e
on the subject of unsolicited email, http://spam.abuse.net/.
Reading EMail Headers: A detailed explanation of the function of
hi s
dozens of different email headers, http://
www.stopspam.org/email/headers/headers.html.
T

2 Tracking An Offender

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

2 Tracking An Offender

Uploaded by

Copyright:

Available Formats

o m

e changed by using the ifconfig command in

s f server, possibly with optional manual download

T 221 njektd.com closing connection Connection closed by foreign host.

You might also like