1 CSCD 496 Computer Forensics Lecture 15 Network Forensics Internet Information - Anonymity Winter 2010


CSCD 496 Computer Forensics

Lecture 15: Network Forensics

Internet Information - Anonymity
Winter 2010


Lecture Outline

• Two Main Topics
  – Anonymity
    • Hiding your identity on the Internet
  – E-mail anonymity


Introduction

• Internet - huge repository of information
• A lot of information stored on Internet applications and servers
• Today, look at becoming anonymous on the Internet
• Look at anonymity servers and remailers
• Should have had a chance to try out remailer from the lab


Introduction

• Problem with Internet information
  – Tracing activity to an individual is hard
• Why might you want to be anonymous?


Anonymity

• Important
  – Investigators need to know
    • How to hide themselves on-line
    • How criminals and others hide themselves on-line
    • Undercover for gambling, child porn, drugs or stolen merchandise
  – What do you want to conceal?
    • Name, address, tel. number, IP address
    • Lots of ways to do this ...


Free ISPs

• Hiding On-line
  – Free ISPs – dial in without ID
  – NetZero is one that is free
  – NetZero launched in 1998, first free internet service provider
    • Grew to 1,000,000 users in six months
    • Limited to 10 hours/month
    • Bought Juno
  – Another service
    • http://www.fastfreedialup.com/


Free ISPs

• What does that get you?
  – Use a dial-up modem and provider such as Earthlink, Juno, or NetZero to connect to the Internet
  – Every time you dial in and connect to the Internet there is a very good chance that your IP address will be different
  – Calling different access numbers (different cities, different States even) will increase chance of getting a unique IP address


Proxies

• Another way to conceal IP while surfing the Web
• Direct all page requests through a proxy
  – Proxy – remote machine you connect through to the Net; it forwards your IP traffic and makes it look like you are originating from it
    • Web server logs record IP of proxy instead of actual client IP
• Not all of them are free
• Web proxy sites
  – http://www.the-cloak.com/anonymous-surfing-home.html
  – http://anon.inf.tu-dresden.de/
  – https://proxy.org/ (a whole bunch at one site)


Browser Proxies

• Browser proxies
  – Add-on to your browser allows automated switching according to rules you set
  – Example: FoxyProxy for Firefox
    • FoxyProxy Firefox extension automatically switches an internet connection across one or more proxy servers based on URL pattern
    • FoxyProxy automates manual process of editing Firefox's Connection Settings dialog


Results of Proxies

• Proxies
  – What is accomplished by a proxy?
    • Hides your IP in Web logs
      – Makes it more difficult to find originating IP since must go back to proxy server to get IP of suspect
    • Connect to IRC or ICQ with a proxy
      – Not all of the ones on previous page allow this
    • Minimizes cookies and other types of tracking


VPN Connections

• How do they work?
  – Virtual Private Network (VPN) Providers: a VPN is a special network that allows computers to securely and privately access resources through it
  – Computers configured to use a VPN can forward all traffic through the VPN and obscure their actual IP address
  – Commercial service will have access to your billing information


Paid VPNs

• Several paid services
  – https://www.relakks.com/faq/legal/
  – Swedish Broadband service
  – Really interesting terms of service
• Other VPN Services
  – http://blacklogic.com/
  – http://www.piratpartiet.se/international/english
  – http://www.hotspotvpn.com/


Tests for Your Anonymity

• WhatsMyIP http://www.whatsmyip.org/

• Privacy Test http://privacy.net/analyze-your-internet-connection/

• Lagado Test http://www.lagado.com/proxy test

• Zaloop http://zaloop.net


Other Anonymity Services

• The Onion Router (TOR) http://www.torproject.org/

• TOR is a global Internet anonymity and privacy system. It utilizes between 800-1500 computers spread across the world to forward Internet traffic anonymously

• A user installs TOR and configures their web traffic to move through the TOR network

• This makes the user's traffic appear to originate at a random computer on the Internet


Other Anonymity Services

• Change your browser habits and an add-on
  – Stealther 1.0.8 - https://addons.mozilla.org/en-US/firefox/addon/1306
  – Surf the web without leaving a trace in your local computer
  – What it does is temporarily disable the following:
    - Browsing History (also in Address bar)
    - Cookies
    - Downloaded Files History
    - Disk Cache
    - Saved Form Information
    - Sending of Referrer Header
    - Recently Closed Tabs list


Email Anonymity


E-mail

• Every message header contains information about its origin and destination
  – Possible to track e-mail back to its source
  – Identify the sender
  – Even when forged, there is information in e-mail headers


E-mail

• E-mail one of the most widely used services on the Internet
• Most important ways criminals communicate
• For more privacy, encryption is used or anonymous re-mailer
• E-mail protected by strict privacy law – Which Law?
  – Electronic Communication Privacy Act (ECPA)
• Even if can obtain incriminating e-mail, difficult to prove specific individual sent a specific message
  – Claim they never sent it
• Look more at anonymizing e-mail next


Anonymous E-mail

• There are two kinds of services in this category.
• First is truly Anonymous: no one anywhere knows your identity
  – This is a one-way channel, can't get return mail sent back to you
  – Usually encrypted
  – Typically, sent through more than one remailer
  – Example: Cypherpunk or Mixmaster


Anonymous E-mail

• Second, called Pseudo-anonymous or sometimes Pseudonymous
• Owner of the service knows your identity and can be forced in a court of law to reveal it
  – Most truly anonymous services are free (it's difficult to bill an unknown, unnamed client), but they often require some skill and effort to use
  – You expect to have your email answered
  – You get your identity replaced with dummy address
  – Responses replaced with dummy address too
  – Example: Craigslist and match.com


Anonymous E-mail

• Remailers make it hard to determine who sent a particular message
  – But no message is totally anonymous
    • Sender puts txt in the message
    • Message leaves something behind with sender ID
    • Machines that handle message may have useful information
• Forging and Tracking E-mail
  – Important to know how e-mail is actually created and transmitted
  – Understand e-mail headers too


Cypherpunk Example

http://anonymous.to/tutorials/anonymous-remailers/

• Steps
  – Create a message in your email client program
  – Put the remailer address in the To: field: [email protected]
  – Message should have a subject, prior to it a '##'
  – In the body of the message type '::'
  – Then, next line, Anon-to: [email protected]
  – One blank line, then type message
  – It's that simple!!!


Cypherpunk Remailers

• Example

To: [email protected]
Subject: Testing anonymous email

Body:

::
Anon-To: [email protected]

##
Subject: Subject of message

Type your message here.
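The "::" / "Anon-To:" / "##" layout shown above, read from the investigator's side, as an added Python example that is not part of the course material: a triage script run over recovered outbound mail can flag bodies addressed to a Cypherpunk-style remailer and recover the Anon-To destination, which is the recipient the remailer would otherwise hide from the server logs. SAMPLE_BODY is constructed from the slide's template with a placeholder recipient address; the function names are this example's own.

```python
"""Recognise Cypherpunk-style remailer directives in a message body.

Added example for the remailer-syntax slides; not course material. The body
layout parsed here is exactly the one the slides show: a '::' line, one or
more 'Key: value' directives, a blank line, an optional '##' block of
pseudo-headers, a blank line, then the real message.
"""
from __future__ import annotations

import re

_HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")

# Constructed sample in the slides' form; the recipient is a placeholder.
SAMPLE_BODY = """\
::
Anon-To: recipient@example.com

##
Subject: Subject of message

Type your message here.
"""


def _read_block(lines: list[str], start: int) -> tuple[dict, int]:
    """Collect 'Key: value' lines from `start` up to the next blank line."""
    fields: dict = {}
    i = start
    while i < len(lines) and lines[i].strip():
        m = _HEADER_LINE.match(lines[i].strip())
        if not m:
            break
        fields[m.group(1)] = m.group(2)
        i += 1
    return fields, i


def _skip_blank(lines: list[str], i: int) -> int:
    while i < len(lines) and not lines[i].strip():
        i += 1
    return i


def parse_remailer_body(body: str) -> dict | None:
    """Return {'directives', 'headers', 'message'} when the body opens with the
    '::' marker (Cypherpunk convention); None for an ordinary message."""
    lines = body.splitlines()
    i = _skip_blank(lines, 0)
    if i >= len(lines) or lines[i].strip() != "::":
        return None
    directives, i = _read_block(lines, i + 1)
    i = _skip_blank(lines, i)
    headers: dict = {}
    if i < len(lines) and lines[i].strip() == "##":
        headers, i = _read_block(lines, i + 1)
        i = _skip_blank(lines, i)
    return {"directives": directives, "headers": headers,
            "message": "\n".join(lines[i:]).strip()}


def remailer_destination(body: str) -> str | None:
    """Final recipient named by Anon-To (where the remailer will forward the
    message), or None if the body is not addressed to a remailer."""
    parsed = parse_remailer_body(body)
    if not parsed:
        return None
    for key, value in parsed["directives"].items():
        if key.lower() == "anon-to":
            return value.strip()
    return None


if __name__ == "__main__":
    print(parse_remailer_body(SAMPLE_BODY))
    print("forwarded to:", remailer_destination(SAMPLE_BODY))
```

Only the body is inspected, so the check works on a stored message file as well as on live mail; the To: address of the remailer itself is still a separate indicator worth correlating.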


Tracking E-mail

• E-mail is like Real mail
  – Post offices in e-mail world called
    • Mail Transfer Agents (MTA)
  – Message may travel through multiple MTAs
    • Each MTA adds something to the header of a transmitted message
      – Time stamps, technical identifying information
      – Each creates its own Received header
      – Passed along to next MTA until message reaches its destination


Tracking E-mail

• Default is not to see the e-mail header
  – Most e-mail clients have a setting that allows you to view e-mail header
• Netscape email
  – View – Headers – All
• Outlook Express
  – File – Properties – click on Details
• Eudora
  – Click on blah-blah-blah
• Opera
  – Right click email header, select View all headers


Tracking E-mail

• Identity in E-mail
  – Unless remailer or advanced forging technique used
    • Sender identity embedded in message
• Two most useful header fields:
  – Message ID
  – Received field
• Message ID
  – Is globally unique – current date/time, MTA domain name and sender's account name

Example: Message sent Dec. 4, 1999 from mail.corpX.com by user13

Message-id: <user13120499152415 – [email protected]>


Tracking E-mail

• Examining E-mail Headers
  – Some might have been forged, but the last few were likely valid, since e-mail message was delivered
  – Can achieve pseudo-anonymity through hotmail or netaddress e-mail account
    • Header will contain IP of original computer
    • Unless you went through an anonymizer ...


Example: Hotmail

Return-Path: <[email protected]>
Received: from hotmail.com (bay106-f21.bay106.hotmail.com [65.54.161.31]) by granite.cs.uidaho.edu (8.13.3+Sun/8.13.3) with ESMTP id jA7IbwCl018714 for <[email protected]>; Mon, 7 Nov 2005 10:38:04 -0800 (PST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 7 Nov 2005 10:37:52 -0800
Message-ID: <[email protected]>
Received: from 65.54.161.200 by by106fd.bay106.hotmail.msn.com with HTTP; Mon, 07 Nov 2005 18:37:52 GMT
X-Originating-IP: [129.101.153.145]
X-Originating-Email: [[email protected]]
X-Sender: [email protected]
From: "Carol Taylor" <[email protected]>
To: [email protected]
Subject: Sending a message to myself
Date: Mon, 07 Nov 2005 10:37:52 -0800
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 07 Nov 2005 18:37:52.0628 (UTC) FILETIME=[5C97D340:01C5E3CA]
Content-Length: 270


Example: beHidden.com

Return-path: [email protected]
Received: from imta21.westchester.pa.mail.comcast.net (LHLO imta21.westchester.pa.mail.comcast.net) (76.96.62.31) by sz0050.ev.mail.comcast.net with LMTP; Tue, 2 Mar 2010 18:48:42 +0000 (UTC)
Received: from mout.perfora.net ([74.208.4.195]) by imta21.westchester.pa.mail.comcast.net with comcast Joh1d0194CTZVm0MJohcP; Tue, 02 Mar 2010 18:48:42 +0000
. . .
X-Authority-Analysis: v=1.1
Received: from localhost (u15177982.onlinehome-server.com [82.165.253.19]) by mrelay.perfora.net (node=mrus4) with ESMTP (Nemesis1NaFSs0bDp-013hVr; Tue, 02 Mar 2010 13:48:40 -0500
MIME-Version: 1.0
To: [email protected]
From: [email protected]
Subject: Trying beHidden.com
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID: <[email protected]>
Date: Tue, 02 Mar 2010 10:48:39 -0800
X-Provags-ID: V01U2FsdGVkX18zZyGxtJetADPAYPYc8Tl6hLwJECvXwZofTGD yRUgR+qvaXYsRBIFlqS6cVOGnapEF0Ar8AW+hMEGAxQXA8HIi

Trying this service to see what it sends.


Email Anonymity

• Hushmail – Another level of anonymity
  – Wants recipient to log in and get the message
  – See example


Where Email Comes From

• Superficially, it appears that email is passed directly from the sender's machine to the recipient's
• Lie. Email passes through at least four computers during its lifetime
• Most organizations have a dedicated machine to handle mail, called a "mail server"
• When a user sends mail,
  – She normally composes the message on her own computer, then sends it off to her ISP's mail server
  – At this point her computer is finished with the job, but the mail server still has to deliver the message
    • It does this by finding the recipient's mail server, talking to that server and delivering the message


• Consider a couple of fictitious users:
• [email protected] and [email protected]
  – tmh is a dialup user of Immense ISP, Inc., using a mail program called Loris Mail
  – rth is a faculty member at the Bieberdorf Institute, with a workstation on his desk networked with the Institute's other computers
• If rth wants to send a letter to tmh,
  – Composes it at his workstation alpha.bieberdorf.edu
  – Text passed to mail server, mail.bieberdorf.edu
  – Mail server contacts other mail server mailhost.immense-isp.com
  – And delivers the mail to it
  – Message stored on mailhost.immense-isp.com until tmh dials in from his home computer and checks his mail
  – At that time, the mail server delivers any waiting mail, including the letter from rth, to it.


• During all this processing, headers will be added to the message three times:
  1. At composition time, by whatever email program rth is using;
  2. When that program hands control off to mail.bieberdorf.edu
  3. At the transfer from Bieberdorf to Immense. (Normally, the dialup node that retrieves the message doesn't add any headers.)
• We can watch the evolution of these headers …


Mail Headers

• As generated by rth's mailer and handed off to mail.bieberdorf.edu:

From: [email protected] (R.T. Hood)
To: [email protected]
Date: Tue, Mar 18 1997 14:36:14 PST
X-Mailer: Loris v2.32
Subject: Lunch today?


Email Headers

• As they are when mail.bieberdorf.edu transmits the message to mailhost.immense-isp.com:

Header added by mail.bieberdorf.edu:
Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [124.211.3.11]) by mail.bieberdorf.edu (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)
------------------------------------------------------------------------------------
From: [email protected] (R.T. Hood)
To: [email protected]
Date: Tue, Mar 18 1997 14:36:14 PST
Message-Id: <[email protected]>
X-Mailer: Loris v2.32
Subject: Lunch today?


Email Headers

• As they are when mailhost.immense-isp.com finishes processing the message and stores it for tmh to retrieve:

Header added by mailhost.immense-isp.com:
Received: from mail.bieberdorf.edu (mail.bieberdorf.edu [124.211.3.78]) by mailhost.immense-isp.com (8.8.5/8.7.2) with ESMTP id LAA20869 for <[email protected]>; Tue, 18 Mar 1997 14:39:24 -0800 (PST)
------------------------------------------------------------------------------
Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [124.211.3.11]) by mail.bieberdorf.edu (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)
From: [email protected] (R.T. Hood)
To: [email protected]
Date: Tue, Mar 18 1997 14:36:14 PST
Message-Id: <[email protected]>
X-Mailer: Loris v2.32
Subject: Lunch today?

This last set of headers is the one that tmh sees on the letter when he downloads and reads his mail.
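The header walk the slides describe (each MTA prepends its own Received line, so the investigator reads the chain bottom-up and trusts the top-most hops most), carried out in code as an added Python example that is not part of the course material. It parses the Received lines in transit order, names the hop where the message entered the mail system, and flags hops whose HELO name disagrees with the receiving MTA's own reverse lookup (the part in parentheses), which is the check the "some might have been forged" slide points at. SAMPLE_MESSAGE is constructed from the Bieberdorf / Immense ISP walkthrough above; the mailbox names, Message-Id and body are placeholders, and the X-Originating-IP handling follows the Hotmail example earlier in the lecture.

```python
"""Walk a message's Received: chain oldest-hop-first to find where it entered
the mail system.

Added example for the header-tracing slides; not course material. The
SAMPLE_MESSAGE below is constructed from the slides' Bieberdorf / Immense ISP
walkthrough (addresses, Message-Id and body are placeholders).
"""
from __future__ import annotations

import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample: the headers tmh sees after both MTAs have added theirs.
SAMPLE_MESSAGE = """\
Received: from mail.bieberdorf.edu (mail.bieberdorf.edu [124.211.3.78])
\tby mailhost.immense-isp.com (8.8.5/8.7.2) with ESMTP id LAA20869
\tfor <tmh@immense-isp.com>; Tue, 18 Mar 1997 14:39:24 -0800 (PST)
Received: from alpha.bieberdorf.edu (alpha.bieberdorf.edu [124.211.3.11])
\tby mail.bieberdorf.edu (8.8.5) id 004A21; Tue, Mar 18 1997 14:36:17 -0800 (PST)
From: rth@bieberdorf.edu (R.T. Hood)
To: tmh@immense-isp.com
Date: Tue, Mar 18 1997 14:36:14 PST
Message-Id: <placeholder-id@mail.bieberdorf.edu>
X-Mailer: Loris v2.32
Subject: Lunch today?

Lunch at noon?
"""

# One Received: clause: "from <helo> (<reverse-dns> [<ip>]) by <mta> ...; <date>"
_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>[^\s;]+)"
)


def parse_received(raw_message: str) -> list[dict]:
    """Return hops in transit order: index 0 is the first MTA that handled it.

    Each MTA prepends its own Received: line, so the header order is
    newest-first and is reversed here. A line the pattern cannot read (such as
    Hotmail's "from mail pickup service by hotmail.com") is kept with only its
    raw text rather than dropped, so the hop count stays honest.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        flat = " ".join(raw.split())                     # undo header folding
        stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
        hop = {"raw": flat, "helo": None, "rdns": None, "ip": None,
               "by": None, "date": stamp, "when": None}
        m = _RECEIVED_RE.search(flat)
        if m:
            hop.update(m.groupdict())
        if stamp:
            try:
                hop["when"] = parsedate_to_datetime(stamp)
            except (TypeError, ValueError):
                pass                                     # non-RFC date: keep the string
        hops.append(hop)
    return hops


def origin_hop(hops: list[dict]) -> dict | None:
    """Earliest hop that names a sending host: the best lead on the origin."""
    for hop in hops:
        if hop["ip"] or hop["helo"]:
            return hop
    return None


def mismatched_hops(hops: list[dict]) -> list[int]:
    """Indices where the HELO name differs from the receiving MTA's reverse
    lookup. The name in parentheses was resolved by the receiving MTA; the
    HELO name is whatever the sender claimed, so a mismatch deserves a look."""
    return [i for i, h in enumerate(hops)
            if h["helo"] and h["rdns"]
            and h["helo"].lower() != h["rdns"].lower()]


def originating_ip(raw_message: str) -> str | None:
    """Webmail services add X-Originating-IP with the browser's address (the
    slides' Hotmail example shows it); returned without the brackets."""
    value = email.message_from_string(raw_message).get("X-Originating-IP")
    return value.strip().strip("[]") if value else None


if __name__ == "__main__":
    chain = parse_received(SAMPLE_MESSAGE)
    for n, hop in enumerate(chain, 1):
        print(f"hop {n}: {hop['helo']} [{hop['ip']}] -> {hop['by']} at {hop['date']}")
    first = origin_hop(chain)
    print("entered the mail system from:", first["helo"], first["ip"])
    print("hops needing a second look:", mismatched_hops(chain))
```

Read the result the way the slides do: the hop added by your own MTA is the one you can vouch for, and everything below it is only as trustworthy as the server that wrote it, so the "origin" reported here is a lead to follow up with that server's logs, not a conclusion.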


Conclusion

• Internet is a wealth of information sources
  – E-mail plus other ways to leave information
  – Useful for identifying criminal activity
  – Need to know if or how these sources were used in a suspected crime
• Anonymity
  – Used a lot by people who want to hide their activities
  – Can hide a lot of things, but still some identifying information
    • Just harder


Resources

• Electronic Frontier Foundation

http://www.eff.org/

• Privacy Author

http://www.andrebacard.com/privacy.html

• BeHidden – email and surfing

http://www.behidden.com/

• Hushmail

http://www.hushmail.com/

• Privacy Test

http://privacy.net/analyze-your-internet-connection/

• VPN Encryption Tunnel

https://www.relakks.com/faq/legal/


End

Next time: Case Study – Digital Evidence Internet

Tracking someone via the Internet