English abstract
Abstract:
What we today call email was first invented by 1978. More than 4 billion users use email services, and 70 percent of the emails sent or received every day involve some type of cybercrime. The various crimes committed by email target the reliability and integrity of this very common service. Two of the three sides of the C-I-A triangle, which covers confidentiality, integrity, and availability, are losing their credibility day by day. Statistics show that email services are already a very important tool in the commission of crime. Receiving suspicious emails whose content involves sabotage, bombing, identity theft, kidnapping, pornography, intimidation, fakery and spoofing is among the threats that email users deal with.
Every email consists of two parts, the header and the body. The header carries routing and networking information, and the body contains the actual message/data of the email. The header contains several mandatory and optional fields. In order to identify each email uniquely, all mail transfer agents (MTAs) use some sort of unique identifier. Basically, when an email created by a client (called the MUA, for Mail User Agent) is sent, it is routed from server to server. The recipient's MTA then delivers the email to the incoming mail server (called the MDA, for Mail Delivery Agent), which stores the email while it waits for the user to collect it. All mail servers have to use common protocols to communicate with each other. To work properly, every mail component must use SMTP, POP3, IMAP or some other standard protocol. Any change in the mail architecture must conform to one of these protocols. The latest RFC that describes SMTP is RFC 5321, released in October 2008. RFC 1425, accepted in February 1993, described a way to extend the services SMTP offers, so that calling clients can ask what services are available on the server.
The information in the SMTP headers is stored in clear text, so it may be easily manipulated. The possibility that the mail headers have been edited makes the information in them unreliable. Editing the mail headers in order to hide or change genuine information is called spoofing.
RFC 821 was made obsolete in April 2001 by RFC 2821. The RFC 2822 standard states that every email must have a globally unique identifier called the message ID. It also gives the syntax of message-id and some suggestions for creating a unique identifier. Just like the other header fields of an email, the message-id can also be spoofed.
SMTP standards must be backwards compatible, which means that services no longer in regular use might not be described in later RFC documents but are expected to remain available.
The format of the trace header is defined in RFC 5322 by the trace rule. The trace header consists of two sub-headers, namely the Return-Path and Received headers. The Return-Path header stores the address to which error reports should be sent. The Received header stores the delivery path, with a date stamp for each delivery entry. When an SMTP server receives a message for delivery or forwarding, it MUST insert trace information at the beginning of the header.
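An added example (not from the paper) of how an investigator reads the trace headers described above: it parses a constructed message with Python's standard email library, reverses the prepended Received headers into delivery order, and checks the from/by continuity and timestamp order that an inserted or edited trace line usually breaks. Host names, addresses and times are made up.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not a real capture).  Three MTAs each prepended a
# Received header, so the header nearest the top describes the last hop.
RAW_MESSAGE = """\
Return-Path: <alice@example.org>
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
    by mail.example.com with ESMTP; Tue, 12 Mar 2019 10:05:12 +0000
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
    by mx2.example.net with ESMTP; Tue, 12 Mar 2019 10:04:40 +0000
Received: from client-pc (client-pc [198.51.100.7])
    by mx1.example.org with ESMTPA; Tue, 12 Mar 2019 10:04:01 +0000
Message-ID: <20190312100401.12345@mx1.example.org>

hello
"""

RECEIVED_RE = re.compile(r"from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)", re.S)

def parse_received(value):
    """One Received header -> (from_host, by_host, timestamp) or None."""
    value = " ".join(value.split())           # unfold RFC 5322 folding whitespace
    clause, _, date = value.rpartition(";")   # the date-time follows the last ';'
    m = RECEIVED_RE.search(clause)
    if not m:
        return None
    return m.group("frm"), m.group("by"), parsedate_to_datetime(date.strip())

def trace_path(raw):
    """Hops in delivery order (oldest first): reverse the prepended headers."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h is not None]

def check_trace(hops):
    """Report what an inserted or edited trace line leaves behind: a hop whose
    'from' differs from the previous hop's 'by', or a timestamp running backwards."""
    problems = []
    for (_, by1, t1), (frm2, by2, t2) in zip(hops, hops[1:]):
        if by1 != frm2:
            problems.append(f"chain break: {by1} handed off, next hop claims {frm2}")
        if t2 < t1:
            problems.append(f"clock runs backwards between {by1} and {by2}")
    return problems

if __name__ == "__main__":
    path = trace_path(RAW_MESSAGE)
    for frm, by, ts in path:
        print(f"{ts.isoformat()}  {frm} -> {by}")
    print("problems:", check_trace(path) or "none")
```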
Since "any digital forensic process must have an outcome that is acceptable by law", investigators have to obtain a chain of information, as a chain of custody, in which every part of the data can be relied on by a court of law. In this regard, header fields such as Received from, X-Originating-IP and Message-ID play an important role and are highly necessary to study, but they are not enough.
In this paper we propose a new way to track an email forensically. With some changes in the email header and the TCP/IP packet headers, we implement our new idea. In every law enforcement case, the main question in identifying an accused person is where exactly the accused is located.
What matters in a law enforcement investigation is to find the location of the accused person. However, in some cases intermediate devices are used to make the study more solid. Through our forensic proposal, investigators can easily find the accused by using a new field in the email header and some changes in the structure of intermediate gateway routing procedures. The forensic information will be gathered into a field named Adlofil, into which some highly unique data extracted from the CPU, MAC address and motherboard of the mail sender's machine is placed. It will be a digest of these data that uniquely identifies the sender device. Every intermediate device from sender to receiver will add its own unique data to this digest. In the case of abuse or a criminal investigation of these data, by finding the relations and correlations between them, investigators will establish the truth. Moreover, if an accused person has been framed, this will be shown. Integrity and non-repudiation are two other advantages of using this technique.
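The abstract does not say how the Adlofil digest is computed, so the following is an added illustration (not the authors' implementation) that models it as a SHA-256 hash chain: the sender digests its hardware identifiers, each gateway folds its own identifier into the running value, and an investigator recomputes the chain from the parties' records to confirm or refute the claimed value. All identifiers and hop names are constructed.

```python
import hashlib

# Constructed identifiers for illustration; real values would be read from the
# sender's hardware and from each gateway on the path.
SENDER = ("cpu-BFEBFBFF000906EA", "00:1b:44:11:3a:b7", "board-SN-7X2K9")
HOPS = ["gw-192.0.2.1", "mx1.example.org", "mx2.example.net"]

def device_fingerprint(cpu_id, mac, board_serial):
    """Sender-side digest of the CPU, MAC and motherboard identifiers.
    Each field is length-prefixed so 'ab'+'c' and 'a'+'bc' cannot collide."""
    h = hashlib.sha256()
    for part in (cpu_id, mac, board_serial):
        data = part.encode()
        h.update(len(data).to_bytes(2, "big") + data)
    return h.hexdigest()

def extend(adlofil, hop_id):
    """One intermediate device folds its own identifier into the running digest."""
    return hashlib.sha256(bytes.fromhex(adlofil) + hop_id.encode()).hexdigest()

def build_chain(sender, hops):
    """Return the final Adlofil value and the per-hop log each gateway would keep."""
    digest = device_fingerprint(*sender)
    log = [("sender", digest)]
    for hop in hops:
        digest = extend(digest, hop)
        log.append((hop, digest))
    return digest, log

def verify_chain(sender, hops, claimed):
    """Investigator side: recompute from the parties' records and compare.
    Any altered, removed, reordered or fabricated link changes the result,
    so a device whose identifiers do not reproduce the chain was not the sender."""
    return build_chain(sender, hops)[0] == claimed

if __name__ == "__main__":
    final, log = build_chain(SENDER, HOPS)
    for who, d in log:
        print(f"{who:18} {d[:16]}...")
    print("verifies:", verify_chain(SENDER, HOPS, final))
    other = ("cpu-OTHER", "00:00:00:00:00:01", "board-X")   # a framed device
    print("other device verifies:", verify_chain(other, HOPS, final))
```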
Keywords: email tracking, email header, Simple Mail Transfer Protocol (SMTP), email spoofing, Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP), mail user agent (MUA), mail transfer agent (MTA), mail delivery agent (MDA).