Home Uncategorized computer forensics

Uncategorized

computer forensics

see attached for 2 assignments. Pls deliver the solutions seperately

Assignment 1: The CAN-SPAM Act

Learning Objectives and Outcomes

· Describe the requirements of the CAN-SPAM Act in regards to a given scenario.

· Create a draft marketing email that complies with the CAN-SPAM Act.

Assignment Requirements
Company X, a cloud data storage provider, wants to send a mass email message to former customers announcing that it now offers managed IT services. That means Company X can remotely monitor and manage a client’s virtual computers and servers 24/7.

For this assignment:

Briefly describe the stipulations of the CAN-SPAM Act with regards to Company X. In other words, what must Company X do to adhere to the act? Address the following:

. Header information

. Subject line

. Company location

. Opting out

. Monitoring third parties

Create a draft email that complies with the CAN-SPAM Act.

Required Resources

· Course textbook

· Internet access

Submission Requirements
Format:	Microsoft Word
Font:	Arial, size 12, double-space
Citation Style:		Follow your school’s preferred style guide
Length:	1/2-1 page

Self-Assessment Checklist

· I described requirements of the CAN-SPAM Act in regards to planning a mass marketing email.

· I create a draft of a marketing email that complies with the CAN-SPAM Act.

· I followed the submission guidelines.

Assignment 2: Email Presentation

Learning Objectives and Outcomes

· Design a PowerPoint presentation appropriate for middle school students.

· Describe how email works.

· Identify the kinds of email related information that a forensic specialist can uncover.

Assignment Requirements
You are an employee of the DigiFirm Investigation Company. As part of its community outreach effort, the company is preparing a series of short presentations for local middle school students on computer-related topics. You have been asked to contribute a presentation that focuses on email.

For this assignment, create a PowerPoint presentation that includes:

· A graphic depiction of how email works

· The types of information forensic email investigations attempt to uncover.

Required Resources
· Course textbook
· Internet access

Submission Requirements

Format:

Font:

Citation Style:

Follow your school’s preferred style guide

Length:

Microsoft PowerPoint

Slide headings: Arial 32 pt; Slide body: Arial 32 pt (no less than 20 pt for smaller text)

3 to 5 slides

Self-Assessment Checklist

· I designed a PowerPoint presentation that’s appropriate for middle school students.

· I described how email works and included graphics that support the process.

· I included the types of email-related information that a forensic specialist can uncover.

System Forensics, Investigation, and Response

Lesson 7

Email Forensics

9 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

Page ‹#›

System Forensics, Investigation, and Response

www.jblearning.com
All rights reserved.
1

Learning Objective

Summarize various types of digital forensics.

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Key Concepts
Email clients and servers
Email headers
Email tracing
Email server forensic examination
Laws related to email investigations

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

How Email Works
Sender uses a mail client to send a message
Message travels to multiple mail servers
Each mail server sends the message closer to its destination
Destination mail server stores the message
Receiver uses a mail client to retrieve the message from mail server

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

7/2/2017
4

How Email Works

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Emails are generated by different types of devices and methods. Most commonly, a user composes a message on his or her computer and then sends it to his or her mail server. At this point, the user’s computer is finished with the job, but the mail server still has to deliver the message. The mail server sends and receives electronic mail. Most of the time, the mail server is separate from the computer where the mail was composed.

The sender’s mail server forwards the message through the organization’s network and/or the Internet to the recipient’s mail server. The message then resides on that second mail server and is available to the recipient. The software program used to compose and read email messages is the email client.
On the Internet, an email message can travel through many servers, referred to as “hops,” that relay the message from the sender to the recipient.

7/2/2017
5

What an Email Review Can Reveal
Email messages related to the investigation
Email addresses related to the investigation
Sender and recipient information
Information about those copied on the email
Content of the communications
Internet Protocol (IP) addresses

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

7/2/2017
6

What an Email Review Can Reveal (Cont.)
Date and time information
User information
Attachments
Passwords
Application logs that show
evidence of spoofing

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

7/2/2017
7

Email Protocols
Simple Mail Transfer Protocol (SMTP)
Used to send email from a client to a mail server, and between servers
Typically operates on port 25
SMTPS (secure) operates on port 465

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

7/2/2017
8

Email Protocols (Cont.)
Post Office Protocol version 3 (POP3)
Used to receive email
Operates on port 110, or 995 (secure)
Designed to delete email on server as soon as user downloads email
Internet Message Access Protocol (IMAP)
Used to receive email
Operates on port 143
User views email on the server, decides whether to download the mail; email is retained on server

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Latest version of IMAP is similar to POP3 but supports more features
7/2/2017
9

Email Protocol Process
SMTP
Internet
SMTP
Internet
SMTP
Server
User
Server
POP3/
IMAP
User
Outbound Email
Inbound Email

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

7/2/2017
10

Faking Emails

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

7/2/2017
11

Spoofing

Anonymous remailing

“Valid”
emails

Spoofing
Making an email message appear to come from someone or someplace other than the real sender or location
First machine to receive spoofed message records machine’s real IP address
Header contains both the faked IP and the real IP address

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Spoofing involves making an email message appear to come from someone or someplace other than the real sender or location. The email sender uses a software tool to cut out his or her IP address and replace it with someone else’s IP address.
However, the first machine to receive the spoofed message records the machine’s real IP address. Thus, the header contains both the faked IP and the real IP address—unless, of course, the perpetrator is clever enough to have also spoofed his or her actual IP address.
7/2/2017
12

Anonymous Remailing
Suspect sends an email message to an anonymizer
Anonymizer is email server that strips identifying information from message before forwarding it with anonymous mailing computer’s IP address
To find out who sent remailed email, must examine logs maintained by remailer or anonymizer companies

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
This is an attempt to throw tracing or tracking attempts off the trail. A suspect using this technique sends an email message to an anonymizer, an email server that strips identifying information from an email message before forwarding it with the anonymous mailing computer’s IP address.
To find out who sent remailed email, look at any logs maintained by these remailer or anonymizer companies. Unfortunately, these services usually do not maintain logs. You can also closely analyze the message for embedded information that might give clues to the user or system that sent the message. Often the remailing servers are outside of the jurisdiction of U.S. law enforcement and may even be on another continent.
7/2/2017
13

“Valid” Emails
Appears as through mail is from trusted source
Message content is suspicious
Content may contain URL that points to malicious site

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Emails may appear to be from a trusted source and seem to be valid in every respect, except for the content of the message. The email passes all of the normal validity checks such as header structure and content, and even comes from a good known nonspam email server. However, the message is suspicious. The website uniform resource locator (URL) pointed to in the message may be a hacker or phishing site. These messages usually contain no hidden URL, pictures, or attachments and are very short. However, clicking the URL can unleash malicious software or other negative results.
7/2/2017
14

How to Fake an Email

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Find a free public Wi-Fi in an area at least one hour from your home.
Spoof both your IP address and MAC address.
Send the email through an anonymous email account set up for that purpose.
It is, however, very common for criminals to actually send emails from their own computers without even bothering to spoof their IP address or MAC address. Even computer-savvy criminals, who think to spoof their IP addresses, might not think to spoof the MAC address.
Email address spoofing is only one kind of spoofing.
7/2/2017
15
Use free public Wi-Fi

Spoof IP address and MAC address

Send email through anonymous
email account

Email Message Components
Header
Addressing information
Source and destination
Body
Contents of the message
Attachments
External data that travels along with each message

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

7/2/2017
16

Email Message Components

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

7/2/2017
17

Email Headers
RFC 2822
Standard for email format, including headers
All email programs use the same email format, regardless of operating system
Email from Outlook on a Windows 10 PC can be read by recipient using Hotmail on Android phone

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

7/2/2017
18

Email Headers (Cont.)
Header keeps record of the message’s journey networks and mail servers
Each server adds information to the header
Each network device has an Internet Protocol (IP) address
Identifies device
Can be resolved to a
location address

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
The header for an email message tells you a great deal about the email. The header keeps a record of the message’s journey as it travels through the communications network. As the message is routed through one or more mail servers, each server adds its own information to the message header. Each device in a network has an Internet Protocol (IP) address that identifies the device and can be resolved to a location address. A forensic investigator may be able to identify IP addresses from a message header and use this information to determine who sent the message. So, the message header provides an audit trail of every machine through which the email has passed.
7/2/2017
19

RFC 2822 Specifications for
Email Headers

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

7/2/2017
20

Message header must include:

From field
The email address and, optionally, the name of the sender

Date field
The local time and date when the message was written

RFC 2822 Specifications for
Email Headers (Cont.)

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
In-Reply-To field: The message-ID of the message that this is a reply to; used to link related messages together
7/2/2017
21

Message header should include:

Message-ID field
An automatically generated field

In-Reply-To field
The message-ID of the message that this is a reply to

Email Header Fields (RFC 3864)

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
RFC 3864 describes message header field names. Common header fields for email include:
• To—The email address and, optionally, name of the message’s primary recipient(s)
• Subject—A brief summary of the topic of the message
• Cc—Carbon copy; a copy is sent to secondary recipients
• Bcc—Blind carbon copy; a copy is sent to addresses added to the SMTP delivery list while the Bcc address remains invisible to other recipients
• Content-Type—Information about how the message is to be displayed, usually
a Multipurpose Internet Mail Extensions (MIME) type
• Precedence—Commonly with values “bulk,” “junk,” or “list”; used to indicate that automated “vacation” or “out of office” responses should not be returned for this mail, for example, to prevent vacation notices from being sent to all other subscribers of a mailing list
• Received—Tracking information generated by mail servers that have previously handled a message, in reverse order (last handler first)
• References—Message-ID of the message to which this is a reply
• Reply-To—Address that should be used to reply to the message
• Sender—Address of the actual sender acting on behalf of the author listed in the From field
7/2/2017
22

Subject

Cc/Bcc

Content-Type

Precedence

Received

References

Reply-To

Sender

Find Microsoft Outlook 2010 Headers
Step 1
Used with permission from Microsoft

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
It is relatively easy to view the headers using Outlook.

With a specific message open, select File and then Info. Then select Properties and you will be able to view the headers.

Older versions of Outlook have a different method to get to headers. With Outlook 2000/2003/2007, there are two methods:
Method #1—Right-click the message in the folder view, and then choose Options.
Method #2—In an open message, choose View and then Options.
With either method, you will see the Internet headers portion of the Message Options dialog box.
7/2/2017
23

View Outlook 2010 Headers
Step 2
Used with permission from Microsoft

Microsoft Outlook 2010 Headers
Used with permission from Microsoft

Find Yahoo! Headers
Courtesy of Yahoo!

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
First open the message. On the lower right, there is a link named Full Headers. Clicking on that link allows you to see the headers for that email.
7/2/2017
26

View Yahoo! Headers
Courtesy of Yahoo!

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

7/2/2017
27

Find Gmail Headers
Google and the Google logo are registered trademarks of Google Inc.,
used with permission

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Viewing email headers in Gmail is fairly simple. Follow these steps:
1. Log on to Gmail.
2. Open the message for which you want to view headers.
3. Click the down arrow next to Reply, at the top of the message pane.
4. Select Show Original.

The headers appear in a separate window.
7/2/2017
28

View Gmail Headers
Google and the Google logo are registered trademarks of Google Inc.,
used with permission

View Hotmail Email Headers
Select Inbox from the menu on the left.
Right-click the message for which you want to view headers, and select View Message Source.
The full headers will appear in a new window.

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

7/2/2017
30

View Apple Mail Email Headers
Open Apple Mail.
Click on the message for which you want to view headers.
Go to the View menu.
Select Message, then Long Headers.
The full headers will appear in the window below your Inbox.

7/2/2017
31

Email Files

7/2/2017
32

.pst
(Outlook)

.ost
(Offline Outlook Storage)

.mbx or .dbx
(Outlook Express)

.mbx
(Eudora)

.emi
(common to several email clients)

Paraben’s Email Examiner
Exclusively for email forensics
Works like the more complete forensic suites (Forensic Toolkit and EnCase) in that evidence is grouped by case

7/2/2017
33

Creating a Paraben Case
Courtesy of Paraben Corporation

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
When you first start Paraben, you select New and then create a new case.

7/2/2017
34

Adding the Investigator
Courtesy of Paraben Corporation

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Paraben will associate information about the investigator along with the case information.
7/2/2017
35

Selecting an Email Database
Courtesy of Paraben Corporation

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Next, select the type of email database you are going to be working with. The major email clients are all represented.
At this point, you select the database you want to work with, and it is added to the case.
From within Paraben, you can sort, search, scan, and otherwise work with the email data.

7/2/2017
36

Tracing Email
Looking at each point through which an email passed and working step by step back to the originating computer

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Tracing email In some ways, forensic email tracing is similar to traditional detective work. Tracing email involves looking at each point through which an email passed and working step by step back to the originating computer and, eventually, the perpetrator.

Email header information is typically examined to look for clues about where a message has been. Investigators often use audits or paper trails of email traffic as evidence in court. Many investigators recommend use of the tracert command. However, because of the dynamic nature of the Internet, tracert does not provide reliable, consistent, or accurate routing information for an email.

It may also be useful to determine the ownership of the source email server for a message. A number of whois databases are available on the Web that an investigator can use to find out to whom a given IP address is registered.
7/2/2017
37

Email Server Forensics
Examining email servers
Searching through deleted emails retained by the server
Many servers have a retention policy

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
At some point, you will need to check the email server. Even if the sender and the recipient have deleted the relevant emails, there is a good chance a copy is still on the email server. Many servers have a retention policy, which may be governed by law in certain industries. There are a variety of email server programs that could be in use. Microsoft Exchange is a very common server. Lotus Notes and Novell GroupWise are also popular email server products.
7/2/2017
38

Email Laws
The Fourth Amendment to the U.S. Constitution
The Electronic Communications Privacy Act (ECPA)
The CAN-SPAM Act
18 U.S.C. 2252B
Communication Assistance for Law Enforcement Act (CALEA)
Foreign Intelligence Surveillance Act (FISA)
The USA PATRIOT Act

Page ‹#›
System Forensics, Investigation, and Response
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
The Fourth Amendment to the U.S. Constitution
The Fourth Amendment to the U.S. Constitution as well as state requirements govern the seizure and collection of any email messages that reside on a sender’s or recipient’s computer or other device. Does the person on whose computer the evidence resides have a reasonable expectation of privacy on that computer? If so, the Fourth Amendment requires a search warrant or one of the recognized exceptions to the search warrant requirements, such as consent from the device owner.

The Electronic Communications Privacy Act
If an Internet service provider (ISP) or any other communications network stores an email, retrieval of that evidence must be analyzed under the Electronic Communications Privacy Act (ECPA). The ECPA creates statutory restrictions on government access to such evidence from ISPs or other electronic communications service providers.

The ECPA requires different legal processes to obtain specific types of information:
Basic subscriber information—This information includes name, address, billing information, telephone number, etc. An investigator can obtain this type of information with a subpoena, court order, or search warrant.
Transactional information—This information includes websites visited, email addresses of others with whom the subscriber exchanged email, and buddy lists. An investigator can obtain this type of information with a court order or search warrant.
Content information—An investigator who has a search warrant can obtain content information from retrieved email messages and also acquire unretrieved stored emails.
Real-time access—To intercept traffic as it is sent or received, an investigator needs to obtain a wiretap order.

The CAN-SPAM Act
This was the first law meant to curtail unsolicited email, referred to as spam. However, the law has loopholes.
You do not need permission before sending email. This means that unsolicited email is not prohibited.
It applies only to commercial emails—emails that are trying to sell some product or service. Therefore, mass emailings for political, religious, or ideological purposes are not covered by the Act.

The only requirement of CAN-SPAM is that the sender must provide some mechanism whereby the receiver can opt out of future emails and that method cannot require the receiver to pay in order to opt out.

Restrictions on how the sender can acquire the recipient’s email address and how the sender can actually transmit the email:
A message cannot be sent through an open relay.
A message cannot be sent to a harvested email address.
A message cannot contain a false header.

These methods are often used by people who send spam email. Tracking down the original sender of the email is the first step in investigating spam. Unfortunately, the email is sometimes sent from offshore sites or relayed through an innocent third party’s servers. This makes prosecuting spam very difficult and enforcing a judgment almost impossible in most cases.

18 U.S.C. 2252B
This law is about perpetrators who attempt to hide the pornographic nature of their website, often to make it more accessible to minors.
This is a very serious concern, and one that sometimes arises in child predator cases.
Communication Assistance for Law Enforcement Act (CALEA)
CALEA is a U.S. wiretapping law. Its purpose is to allow law enforcement and intelligence agencies to lawfully conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband Internet, and VoIP traffic in real time.

Foreign Intelligence Surveillance Act (FISA)
This U.S. law prescribes procedures for the physical and electronic surveillance and collection of “foreign intelligence information” between foreign powers and agents of foreign powers, which may include American citizens and permanent residents suspected of espionage or terrorism.

The law does not apply outside the United States but may be encountered by a forensic investigator in researching intelligence even if it does not specifically regard espionage or terrorism. The law is an important part of many agencies’ approaches to information gathering. It has been amended frequently so it is important to stay current on the latest revisions and court cases.

The USA PATRIOT Act
The USA PATRIOT Act of 2001 was passed into law as a response to the terrorist attacks of September 11, 2001. The Act:
Reduced restrictions on law enforcement agencies’ intelligence gathering within the United States
Expanded the Secretary of the Treasury’s authority to regulate financial transactions
Broadened the discretion of law enforcement and immigration authorities in detaining and/or deporting immigrants suspected of terrorism and related acts
Expanded the definition of terrorism to include domestic terrorism, thus enlarging the number of activities to which the PATRIOT Act’s extended law enforcement powers can be applied

In May of 2011, President Barack Obama signed a four-year extension of three key provisions in the USA PATRIOT Act: roving wiretaps, searches of business records, and conducting surveillance of individuals suspected of terrorist-related activities not linked to terrorist groups.

The PATRIOT Act gives law enforcement dramatically enhanced powers for information gathering and should be a part of the knowledge base for any forensic investigator.
7/2/2017
39

Summary
Email clients and servers
Email headers
Email tracing
Email server forensic examination
Laws related to email investigations

Turn in your highest-quality paper
Get a qualified writer to help you with

“ computer forensics ”

Get high-quality paper

NEW! AI matching with writer

Hire a Writer

Client Reviews

4.9

Sitejabber

4.6

Trustpilot

4.8

Our Guarantees

100% Confidentiality

Information about customers is confidential and never disclosed to third parties.

Original Writing

We complete all papers from scratch. You can get a plagiarism report.

Timely Delivery

No missed deadlines – 97% of assignments are completed in time.

Money Back

If you're confident that a writer didn't follow your order details, ask for a refund.

New to Your Trusted Assignment Help Service? Sign up & Save

Calculate the price of your order

Type of paper needed:

Pages:

You will get a personal manager and a discount.

Academic level:

We'll send you the first draft for approval by at

Total price:

$0.00

Power up Your Academic Success with the
Team of Professionals. We’ve Got Your Back.

Power up Your Study Success with Experts We’ve Got Your Back.

Order Now Order Now