
Cybercrime Capacity Building Program in Latin America and the Caribbean

Email Investigations
Learning Objectives

By the end of this module, you will be able to:
1. List 3 (three) email protocols
2. Describe the basic operation of an email as stated in this course
3. Open email headers in at least 4 mail applications
4. Analyze an email header obtaining the originating IP address
5. Compose a fake email using an Internet-based tool
What is an email

E-mail is a service to send messages and files to one or more people via the Internet.

stephen1622@yahoo.com

E-mail addresses can be divided into two parts:
User ID = (stephen1622)
Domain = (yahoo.com)
E-mail address rule

The local part of an address may contain:
Uppercase and lowercase English letters (a-z, A-Z)
Characters !#$%&'*+-/=?^_`{|}~
Character . (dot, period, full stop)
Special characters are allowed with restrictions. They are: space and "(),:;<>@[\]
The restrictions for special characters are that they must only be used when contained between quotation marks, and that 2 of them (the backslash \ and quotation mark ") must also be preceded by a backslash \ (e.g. "\\\"")
Comments are allowed with parentheses at either end of the local part, e.g. "john.smith(comment)@example.com" and "(comment)john.smith@example.com" are both equivalent to "john.smith@example.com"
International characters above U+007F are permitted by RFC 6531, though mail systems may restrict which characters to use when assigning local parts
Valid e-mail addresses
niceandsimple@example.com
very.common@example.com
a.little.lengthy.but.fine@dept.example.com
disposable.style.email.with+symbol@example.com
user@[IPv6:2001:db8:1ff::a0b:dbd0]
"much.more unusual"@example.com
"very.unusual.@.unusual.com"@example.com
"very.(),:;<>[]\".VERY.\"very@\\ \"very\".unusual"@strange.example.com
postbox@com (top-level domains are valid hostnames)
admin@mailserver1 (local domain name with no TLD)
!#$%&'*+-/=?^_`{}|~@example.org
"()<>[]:,;@\\\"!#$%&'*+-/=?^_`{}| ~.a"@example.org
" "@example.org (space between the quotes)
@example.com (Unicode characters in local part)
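As an added example (not part of the original training material), the following Python validator implements the address rules listed above: quoted local parts with backslash escapes, a comment at either end of the local part, plain dot-separated local parts, bracketed IP literals, bare or dotted host names, and non-ASCII local parts as RFC 6531 permits. The function names (split_address, parse_address, is_valid) and the lists PAGE_VALID and CONSTRUCTED_INVALID are mine; the page does not list digits, the 64-octet local-part limit or the DNS label rules, which the code takes from RFC 5322, RFC 5321 and DNS naming conventions, and the Unicode address and the invalid addresses are constructed for the demonstration.

```python
import ipaddress
import re

# RFC 5322 "atext": characters allowed unquoted in the local part (digits added here,
# the page's list omits them). Characters above U+007F are accepted per RFC 6531.
ATEXT = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "!#$%&'*+-/=?^_`{|}~"
)
# DNS label: 1-63 letters, digits or hyphens, neither starting nor ending with a hyphen
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def split_address(addr):
    """Split on the first '@' that lies outside quotes and (comments).
    Raises ValueError when no such '@' exists or a quoted string never closes."""
    in_quote, depth, i = False, 0, 0
    while i < len(addr):
        ch = addr[i]
        if ch == "\\" and (in_quote or depth):    # backslash escapes the next character
            i += 2
            continue
        if in_quote:
            in_quote = ch != '"'                  # closing quote ends the quoted string
        elif depth:                               # inside a comment, possibly nested
            depth += {"(": 1, ")": -1}.get(ch, 0)
        elif ch == '"':
            in_quote = True
        elif ch == "(":
            depth = 1
        elif ch == "@":
            return addr[:i], addr[i + 1:]
        i += 1
    raise ValueError("no '@' outside quotes/comments")


def strip_edge_comment(local):
    """Drop one (comment) at either end of the local part, as in the page's
    'john.smith(comment)' and '(comment)john.smith' examples."""
    if local.startswith("("):
        end = local.find(")")
        return local[end + 1:] if end != -1 else local
    if local.endswith(")") and not local.endswith("\\)"):
        start = local.rfind("(")
        return local[:start] if start != -1 else local
    return local


def valid_local(local):
    if not local or len(local) > 64:              # RFC 5321 local-part length limit
        return False
    if local[0] == '"':                           # quoted-string form
        if len(local) < 2 or local[-1] != '"':
            return False
        body, i = local[1:-1], 0
        while i < len(body):
            if body[i] == "\\":                   # \ and " must appear as \\ and \"
                if i + 1 >= len(body):
                    return False
                i += 2
                continue
            if body[i] in '"\r\n':                # a bare quote would end the string early
                return False
            i += 1
        return True
    # dot-atom form: atext runs separated by single dots, none leading or trailing
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return False
    return all(ch in ATEXT or ord(ch) > 0x7F for ch in local if ch != ".")


def valid_domain(domain):
    if domain.startswith("[") and domain.endswith("]"):   # address literal
        literal = domain[1:-1]
        try:
            if literal.startswith("IPv6:"):
                ipaddress.IPv6Address(literal[5:])
            else:
                ipaddress.IPv4Address(literal)
            return True
        except ValueError:
            return False
    if not domain or len(domain) > 253:
        return False
    return all(LABEL.match(label) for label in domain.split("."))


def parse_address(addr):
    """Return (local, domain) with edge comments removed, or None when invalid."""
    try:
        local, domain = split_address(addr)
    except ValueError:
        return None
    local = strip_edge_comment(local)
    return (local, domain) if valid_local(local) and valid_domain(domain) else None


def is_valid(addr):
    return parse_address(addr) is not None


# Addresses the page lists as valid; the last entry is a constructed Unicode example
PAGE_VALID = [
    "niceandsimple@example.com",
    "very.common@example.com",
    "a.little.lengthy.but.fine@dept.example.com",
    "disposable.style.email.with+symbol@example.com",
    "user@[IPv6:2001:db8:1ff::a0b:dbd0]",
    '"much.more unusual"@example.com',
    '"very.unusual.@.unusual.com"@example.com',
    r'''"very.(),:;<>[]\".VERY.\"very@\\ \"very\".unusual"@strange.example.com''',
    "postbox@com",
    "admin@mailserver1",
    "!#$%&'*+-/=?^_`{}|~@example.org",
    r'''"()<>[]:,;@\\\"!#$%&'*+-/=?^_`{}| ~.a"@example.org''',
    '" "@example.org',
    "用户@example.com",
]
# Constructed counter-examples, each breaking one of the rules above
CONSTRUCTED_INVALID = [
    "Abc.example.com",            # no @
    "a@b@c.example.com",          # second @ outside quotes ends up in the domain
    "a..b@example.com",           # consecutive dots
    ".leading@example.com",       # leading dot
    '"unterminated@example.com',  # quote never closed
    "user@-bad.example.com",      # label starts with a hyphen
    "user@[300.1.1.1]",           # not an IPv4 literal
]
```

Running the block's functions over PAGE_VALID accepts every address, including the two heavily quoted ones, while each CONSTRUCTED_INVALID entry is rejected; parse_address also shows that the two commented forms of john.smith both reduce to ("john.smith", "example.com").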
Components of an email message

HEADER
BODY

Email Body
Text
Photo
Program/applications
Charts and images, etc.
Files
Email Header

E-mail header = blocks of text that contain routing information used to determine the actual origin of a message and the path it took to reach your inbox.

From the "header", you can get:
a) The identity of the sender (which may be counterfeit);
b) The sender's e-mail address (which may be counterfeit);
c) The date and time of e-mail; and
d) Email routing information

Email headers contain the following information:
Sender email address
Receiver email address
CC / BCC email address
Sender IP address
Date / Time of email sent out
Email servers
Message ID

CAUTION:
It is important to know that when reading an email header every
line can be forged, so only the Received: lines that are created by
your service or computer should be completely trusted.
Email Protocols and Services

SMTP (Simple Mail Transfer Protocol)
- Used by MTAs to deliver mail

POP (Post Office Protocol) / POP3 (Post Office Protocol 3)
- Used for retrieving email

IMAP (Internet Message Access Protocol)
- Standard protocol for accessing e-mail from your local server
- With IMAP, a copy of every message is saved on the server

HTTP (Hypertext Transfer Protocol)
- Not a protocol dedicated to email communications, but it can be used for accessing your mailbox

Mail Transfer Agent (MTA) = Post office
Mail Delivery Agent (MDA) = Mailbox
Mail User Agent (MUA) = Retrieving mail; the mail client or mail program
Mail flow (the slide's diagram, rendered as text):
1. The sender's Mail User Agent (MUA, the client) sends the e-mail over SMTP to a Mail Transfer Agent (MTA).
2. The MTA forwards the e-mail over SMTP to the recipient's MTA.
3. The recipient's MTA delivers the e-mail to the Mail Delivery Agent (MDA), the mailbox of recipient@domain.com.
4. The recipient's MUA retrieves the e-mail from the MDA over POP or IMAP.
How to open Email Header in different applications
https://support.google.com/groups/answer/75960?hl=en

AOL
1. Log in to your AOL account.
2. Open the message you'd like to view headers for.
3. In the 'Action' menu, select View Message Source.
4. The full headers will appear in a new window.

Hotmail
1. Log in to your Hotmail account.
2. Select Inbox from the left-side menu.
3. Right-click the message you'd like to view headers for and select View Message Source.
4. The full headers will appear in a new window.

How to view the email header in most applications
Open Options/Preferences and then look for: Open source / View source / Message header / Full header / Show raw / Show original
Email Header Analysis

Email headers should always be read from bottom to top.

Delivered-To: someone.someone@gmail.com
Received: by 10.50.246.15 with SMTP id xs15csp141599igc;
Tue, 29 Jul 2014 19:02:43 -0700 (PDT)
X-Received: by 10.50.138.11 with SMTP id qm11mr2440613igb.18.1406685763289;
Tue, 29 Jul 2014 19:02:43 -0700 (PDT)
Return-Path: <srm@molly.sacoor.com>
Received: from molly.sacoor.com (molly.sacoor.com. [69.167.148.139])
by mx.google.com with ESMTPS id fe16si2112304icb.60.2014.07.29.19.02.43
for <someone.someone@gmail.com>
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Tue, 29 Jul 2014 19:02:43 -0700 (PDT)
Received-SPF: none (google.com: srm@molly.sacoor.com does not designate permitted sender hosts) client-ip=69.167.148.139;
Authentication-Results: mx.google.com;
spf=neutral (google.com: srm@molly.sacoor.com does not designate permitted sender hosts)
smtp.mail=srm@molly.sacoor.com
Received: from molly.sacoor.com (localhost [127.0.0.1])
by molly.sacoor.com (8.13.8/8.13.8) with ESMTP id s6U22gKv037146
for <someone.someone@gmail.com>; Wed, 30 Jul 2014 03:02:42 +0100
Received: (from sacoor@localhost)
by molly.sacoor.com (8.13.8/8.13.8/Submit) id s6U22gYj037145;
Wed, 30 Jul 2014 03:02:42 +0100
Date: Wed, 30 Jul 2014 03:02:42 +0100
Message-Id: <201407300202.s6U22gYj037145@molly.sacoor.com>
To: someone.someone@gmail.com
Subject: Thank you for your visit
MIME-Version: 1.0
X-Mailer: SACOOR Resources Management (External)
From: "Patricia A Silva [Sacoor Brothers Group]" <customercare@sg.sacoor.com>
Content-Type: multipart/alternative; boundary=srm-alternative-e67cef107a8420cbfd705b118a082deb

--srm-alternative-e67cef107a8420cbfd705b118a082deb
Content-Type: text/plain; charset=iso-8859-1
Annotated view of the same header, as presented on the slides (each callout precedes the header line it describes):

Received: (from sacoor@localhost)
by molly.sacoor.com (8.13.8/8.13.8/Submit) id s6U22gYj037145;
Wed, 30 Jul 2014 03:02:42 +0100

DATE WHEN MESSAGE WAS COMPOSED AND SENT FROM COMPOSER PC TO FIRST MAIL SERVER
Date: Wed, 30 Jul 2014 03:02:42 +0100

A UNIQUE STRING ASSIGNED BY THE MAIL SYSTEM WHEN THE MESSAGE IS FIRST CREATED; THESE CAN EASILY BE FORGED
Message-Id: <201407300202.s6U22gYj037145@molly.sacoor.com>

RECIPIENT'S EMAIL ADDRESS
To: someone.someone@gmail.com

MESSAGE SUBJECT
Subject: Thank you for your visit
MIME-Version: 1.0

THE MAIL CLIENT (MAIL PROGRAM) USED TO SEND THE MESSAGE
X-Mailer: SACOOR Resources Management (External)

SENDER EMAIL ADDRESS
From: "Patricia A Silva [Sacoor Brothers Group]" <customercare@sg.sacoor.com>
Content-Type: multipart/alternative; boundary=srm-alternative-e67cef107a8420cbfd705b118a082deb

--srm-alternative-e67cef107a8420cbfd705b118a082deb
Content-Type: text/plain; charset=iso-8859-1

MESSAGE CONTENT
Dear Someone Someone,

RECIPIENT'S EMAIL ADDRESS
Delivered-To: someone.someone@gmail.com

First Email Server
Received: by 10.50.246.15 with SMTP id xs15csp141599igc;
Tue, 29 Jul 2014 19:02:43 -0700 (PDT)
X-Received: by 10.50.138.11 with SMTP id qm11mr2440613igb.18.1406685763289;
Tue, 29 Jul 2014 19:02:43 -0700 (PDT)

The email address which should be used for bounces. The mail server will send a message to the specified email address if the message cannot be delivered.
Return-Path: <srm@molly.sacoor.com>

Received: from molly.sacoor.com (molly.sacoor.com. [69.167.148.139])
by mx.google.com with ESMTPS id fe16si2112304icb.60.2014.07.29.19.02.43
for <someone.someone@gmail.com>
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Tue, 29 Jul 2014 19:02:43 -0700 (PDT)

SENDER'S IP ADDRESS (client-ip=69.167.148.139)
Received-SPF: none (google.com: srm@molly.sacoor.com does not designate permitted sender hosts) client-ip=69.167.148.139;
Authentication-Results: mx.google.com;
spf=neutral (google.com: srm@molly.sacoor.com does not designate permitted sender hosts) smtp.mail=srm@molly.sacoor.com

NOT A VALID IP ADDRESS (localhost [127.0.0.1])
Received: from molly.sacoor.com (localhost [127.0.0.1])
by molly.sacoor.com (8.13.8/8.13.8) with ESMTP id s6U22gKv037146
for <someone.someone@gmail.com>; Wed, 30 Jul 2014 03:02:42 +0100
Email Header Analysis

Not every email will display the sender IP address, e.g. Gmail, Microsoft.

The Gmail service omits the sender IP address information from all headers. Only the IP address of Gmail's mail server is shown in Received: from. It is impossible to find a sender's true IP address in a received Gmail message.

Microsoft's Hotmail service provides an extended header line called "X-Originating-IP" that contains the sender's actual IP address.

Emails from Yahoo contain the sender's IP address in the last Received: entry.
Time Zone

UTC (Coordinated Universal Time)
EST (Eastern Standard Time), North America: UTC -0500
PST (Pacific Standard Time): UTC -0800
Singapore Time: UTC +0800

A sender can send email to other parties anywhere through a local or overseas mail server; therefore, the date/time shown on the email may be in a different time zone, e.g. UTC or MST.

Use a time zone converter to convert the time zone to the local date/time.
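The following Python script is an added example that is not part of the original training material. It applies the three points made above to the header shown in this module: it reads the Received: hops bottom to top and reports the first globally routable sending IP as the claimed origin (skipping the 127.0.0.1 loopback and 10.x internal hops), it honours the earlier caution that only lines added by your own server can be trusted by also reporting the IP that a trusted receiving host (mx.google.com in this sample) actually accepted the connection from, it looks for Hotmail's X-Originating-IP header, and it converts the Date: and hop timestamps between UTC and a fixed-offset zone such as Singapore time. SAMPLE_HEADERS is the page's own header block embedded verbatim (message body omitted); the function names and the trusted_by suffix list are my assumptions.

```python
import email
import ipaddress
import re
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Header block from the page's worked example (body omitted); continuation lines
# are indented so that the parser unfolds them.
SAMPLE_HEADERS = """\
Delivered-To: someone.someone@gmail.com
Received: by 10.50.246.15 with SMTP id xs15csp141599igc;
        Tue, 29 Jul 2014 19:02:43 -0700 (PDT)
X-Received: by 10.50.138.11 with SMTP id qm11mr2440613igb.18.1406685763289;
        Tue, 29 Jul 2014 19:02:43 -0700 (PDT)
Return-Path: <srm@molly.sacoor.com>
Received: from molly.sacoor.com (molly.sacoor.com. [69.167.148.139])
        by mx.google.com with ESMTPS id fe16si2112304icb.60.2014.07.29.19.02.43
        for <someone.someone@gmail.com>
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Tue, 29 Jul 2014 19:02:43 -0700 (PDT)
Received-SPF: none (google.com: srm@molly.sacoor.com does not designate permitted sender hosts) client-ip=69.167.148.139;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: srm@molly.sacoor.com does not designate permitted sender hosts) smtp.mail=srm@molly.sacoor.com
Received: from molly.sacoor.com (localhost [127.0.0.1])
        by molly.sacoor.com (8.13.8/8.13.8) with ESMTP id s6U22gKv037146
        for <someone.someone@gmail.com>; Wed, 30 Jul 2014 03:02:42 +0100
Received: (from sacoor@localhost)
        by molly.sacoor.com (8.13.8/8.13.8/Submit) id s6U22gYj037145;
        Wed, 30 Jul 2014 03:02:42 +0100
Date: Wed, 30 Jul 2014 03:02:42 +0100
Message-Id: <201407300202.s6U22gYj037145@molly.sacoor.com>
To: someone.someone@gmail.com
Subject: Thank you for your visit
From: "Patricia A Silva [Sacoor Brothers Group]" <customercare@sg.sacoor.com>
"""

HOP_FROM = re.compile(r"\bfrom (.*?)(?= by |;|$)")   # host the sender claimed to be
HOP_BY = re.compile(r"\bby (\S+)")                   # server that stamped this line
IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]|\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hop(received):
    """One Received: value -> dict(from, by, ip, date). ip is None when the hop has
    no usable address (e.g. a local submission), date None when it has no timestamp."""
    text = re.sub(r"\s+", " ", received).strip()      # unfold continuation lines
    from_m, by_m = HOP_FROM.search(text), HOP_BY.search(text)
    from_clause = from_m.group(1) if from_m else ""
    ip = None
    ip_m = IP_LITERAL.search(from_clause)
    if ip_m:
        try:
            ip = ipaddress.ip_address(ip_m.group(1) or ip_m.group(2))
        except ValueError:
            ip = None
    date = None
    if ";" in text:                                    # the timestamp follows the last ';'
        try:
            date = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            date = None
    return {"from": from_clause, "by": by_m.group(1) if by_m else None, "ip": ip, "date": date}


def received_hops(raw_headers):
    """Received: lines in header order: index 0 is the last hop, the final entry the first."""
    msg = email.message_from_string(raw_headers)
    return [parse_hop(v) for v in msg.get_all("Received", [])]


def claimed_origin_ip(hops):
    """Bottom-to-top walk: the first globally routable sending IP. Loopback (127.0.0.1)
    and private (10.x) hops are skipped. Hops below the first one stamped by your own
    server can be forged, so this is only the claimed origin."""
    for hop in reversed(hops):
        if hop["ip"] is not None and hop["ip"].is_global:
            return str(hop["ip"])
    return None


def trusted_origin_ip(hops, trusted_by):
    """Top-down walk that uses only hops stamped by our own servers (hostname suffixes in
    trusted_by) and returns the first public IP one of them accepted a connection from."""
    for hop in hops:
        if any((hop["by"] or "").endswith(s) for s in trusted_by):
            if hop["ip"] is not None and hop["ip"].is_global:
                return str(hop["ip"])
    return None


def x_originating_ip(raw_headers):
    """Hotmail-style X-Originating-IP value such as '[203.0.113.5]'; None when absent."""
    value = email.message_from_string(raw_headers).get("X-Originating-IP")
    m = IP_LITERAL.search(value) if value else None
    return (m.group(1) or m.group(2)) if m else None


def header_date(raw_headers):
    """The Date: header as a timezone-aware datetime, offset as written by the sender."""
    return parsedate_to_datetime(email.message_from_string(raw_headers)["Date"])


def as_zone(dt, hours=0):
    """Same instant in a fixed-offset zone: 0 = UTC, -5 = EST, -8 = PST, 8 = Singapore."""
    return dt.astimezone(timezone(timedelta(hours=hours))).isoformat()


if __name__ == "__main__":
    hops = received_hops(SAMPLE_HEADERS)
    print("claimed origin :", claimed_origin_ip(hops))
    print("trusted origin :", trusted_origin_ip(hops, ("mx.google.com",)))
    print("Date: in UTC   :", as_zone(header_date(SAMPLE_HEADERS)))
    print("last hop in UTC:", as_zone(hops[0]["date"]))
```

For this sample both walks agree on 69.167.148.139, because the hop that carries it was stamped by mx.google.com; when they disagree, trust the value from your own server and treat the bottom-up result as a claim. Converting the timestamps shows that the sender's "Wed, 30 Jul 2014 03:02:42 +0100" and Google's "Tue, 29 Jul 2014 19:02:43 -0700" are the same moment to within a second once both are expressed in UTC.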
INTERNET BASED TOOLS FOR EMAIL ANALYSIS

mxtoolbox: http://mxtoolbox.com/EmailHeaders.aspx
ipTRACKERonline.com
http://whatismyipaddress.com/trace-email
https://toolbox.googleapps.com/apps/messageheader/
Fake mail

IP address of sender mail server
Cannot pass the Google email server checking

IMPORTANT TO REMEMBER!!!

Different platforms/email editors produce different header contents.
If the email was forwarded, the data in the email header will be overwritten by the forwarder.
Contents of the email header may be forged.
Summary
Conclusions
Questions

Thank You-Merci-Gracias

c.ion@interpol.int
