16 April 2012

I trust everyone had a nice week off for spring break and returned to school/work refreshed and ready to face the last few weeks of the school year.  This is always an exciting time for students and staff - demonstrating what we know on tests and preparing for the Class of 2012 to graduate and all other students to be promoted to the next grade level.  Spring is definitely a time of renewal and as trees and flowers continue to bud and bloom, we all should feel a sense of a new beginning and a chance to make positive changes in our lives.  Here's to another great week!

I have been sharing information from sessions I attended at the KySTE Spring Conference several weeks ago and today I want to return to Jim McKinney and sessions he gave on Tracking E-Mail to the Source.  With this week's entry and next week's, I will finish the discussion on the KySTE sessions.   

Most everyone uses some form of electronic mail, or e-mail, today.  In fact, in many jobs it is a required element because that is the main method of communication.  Did you know e-mail got its start in the 1970's?  It's been around for a lot longer than most of us realize.  Since it has been around for many years, it is fairly easy to understand how users have tried to "hide" when using e-mail.  All of us have experienced the spam-type e-mails or solicitation e-mails or suspicious e-mails which contain links and attachments and most of us are smart enough to just delete those.  That is a very good practice to follow!  If you don't recognize the sender and it's not a trusted source, simply delete it!

McKinney noted e-mails have two types of headers.  The first is the memo header which most of us are familiar with - it contains the to, from, subject line, etc.  The second is the expanded header which includes more information, such as the IP (Internet Protocol) address of the sender (well . . . kind of, more on that later).  Right now we are on IP version 4, but they're running out of addresses so IP v 6 is coming soon.  IP addresses are written in dotted quad notation, as a series of four (4) 8-bit numbers; for example, 111.222.333.444.  Each number falls between 0 and 255.  IP addresses can either be dynamic or static.  Dynamic addresses change when you log off and log on again, but static addresses remain the same.  IP addresses are mainly divided into five classifications - a, b, c, d and e.  Classes a, b and c can be searched.  Classes d and e are reserved for various experimental reasons.  Class a = 0-126; Class b = 128-191; and Class c = 192-223.   You'll notice that the number 127 is missing - this is used for loopback purposes and cannot be traced.  IP v 6 will be expressed in hexadecimal, or base 16.  This version will contain 8 segments divided by colons; for example, 2001:0db8:85a3:08d3:1319:8a2e:0370:7344.  Can you imagine having to remember such an IP address?  McKinney also taught about Domain Name Service (DNS), which is the way Internet names are located and translated into IP addresses.  The top level domains are generic and country codes, like .us, .de, .fr, etc.

Now I realize most of the previous paragraph flew over most readers' heads.  However, the basic information about how Internet addresses are set up and used is crucial to understanding how to read an expanded e-mail header if you want to trace where an e-mail originated.  According to McKinney, an abbreviated record of an e-mail's journey through the Internet is recorded in the expanded header.  At the basic level, e-mail identifies a person (sender) and the location of that person on the Internet or network.  As you "read" an expanded e-mail header, you read from the bottom up.  If a field has an x prefix, it is not an official field.  The X-mailer gives the service information.  MIME = multi-purpose Internet extensions.  Date and time stamps are also shown.  Be careful, though - the date and time stamp comes from the computer that sends the message (the computer's system time), and that can be easily manipulated.  Very simply, you can just change the system date and time of your computer to change this date and time stamp.

The expanded header of an e-mail shows the hops the e-mail took from server to server.  IP addresses shown in parentheses and brackets are verified.  Be aware, though, that there are e-mail anonymizers which strip header information.  Also, these anonymizers can delay the sending of e-mail for up to twelve (12) hours.  This can easily throw off someone who is not aware of it.  For example, someone could show the date and time stamp of an e-mail and then claim an alibi to proclaim their innocence.  Law enforcement and lawyers have to be aware of the work anonymizers do when preparing cases.  Also, McKinney reminded everyone not to just forward an e-mail to a technician or someone investigating a case because once you do that, the e-mail header changes to your information!  Copy and paste the original e-mail, including the header, into a text document for preservation.
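To make the two header lessons above concrete (reading the Received hops from the bottom up, and sorting an IPv4 address into its class by first octet), here is an added Python example that is not from McKinney's session or this post.  The message, hostnames and addresses are constructed documentation values, and the field names it looks for (Received, Date, X-Mailer) are the standard ones.

```python
import re
from email import message_from_string

# Constructed sample message (not a real e-mail).  Servers prepend their
# Received: line, so the newest hop is on top and the origin is at the bottom.
RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
\tby mail.example.org; Mon, 16 Apr 2012 08:15:02 -0400
Received: from relay.example.com (relay.example.com [203.0.113.9])
\tby mx2.example.net; Mon, 16 Apr 2012 08:14:58 -0400
Received: from userpc (unknown [192.0.2.44])
\tby relay.example.com; Mon, 16 Apr 2012 08:14:50 -0400
X-Mailer: ExampleMailer 1.0
Date: Mon, 16 Apr 2012 08:14:49 -0400
From: someone@example.com

body text
"""

def ip_class(addr):
    """Class letter for a dotted quad, 'loopback' for 127.x.x.x, None if invalid."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        return None
    first = int(parts[0])
    if first == 127:
        return "loopback"
    for letter, top in (("A", 126), ("B", 191), ("C", 223), ("D", 239), ("E", 255)):
        if first <= top:
            return letter

def received_hops(raw):
    """Received: hops in bottom-up (origin first) order.  The IP in square
    brackets is what the receiving server saw, not the name the sender claimed."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())          # unfold continuation lines
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
        hops.append({
            "from": re.search(r"from\s+(\S+)", value).group(1),
            "ip": ip.group(1) if ip else None,
            "by": re.search(r"by\s+([^\s;]+)", value).group(1),
            "time": value.rsplit(";", 1)[-1].strip(),   # server's own clock
        })
    return hops

def unofficial_fields(raw):
    """Header names with the X- prefix: informational, not official fields."""
    return [k for k in message_from_string(raw).keys() if k.lower().startswith("x-")]
```

The Date: line is the sender's system time and is left out of the hop list on purpose; compare it against the timestamp the first receiving server recorded, since only the server-side timestamps are outside the sender's control.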

Next week I will cover McKinney's session on Hiding in the Web.  I learned one important fact about pictures I didn't know in that session.  Hopefully you are learning right along with me!