Proposal- Email Forensics Tracing and Mapping Digital Evidence from IP Address

Introduction
Email is a crucial means of communication in modern digital era. It is widely used to communicate personal, business and other sensitive information across the globe in a cost effective manner (Burns, 2006). Communication via email is vulnerable to various kinds of attacks, making it a likely target for those with criminal intent (Internet Crime Complaint Center [IC3], 2009). Private email communication between two or more known associates can be easily protected through security mechanisms such as tunneling and encryption. However, the majority of the e-mail communication over the Internet occurs between unknown people while public e-mail still faces various security threats.
E-mail, like any other communication activity over the Internet, can be traced back to its originator through various methods. This forms the basics of email forensics; enabling the collection of digital evidence against those who use e-mails to commit crimes. Digital evidence helps identify and trace back the originator of an e-mail attack. Due to the enormity of the Internet, the most important issue in determining the location of an e-mail attacker is to narrow down the search for the location of the attacker. This research proposes the implementation of ‘hop count distance’ method which would use the Time-to-Live (TTL) field in Internet Protocol packet to narrow down the location from where an attack is originated.

Project Background
Due to the widespread use of e-mail communication, individuals often have their own personal accounts along with those related to work. Workplace mailboxes and emails service providers store hundreds of thousands of emails. Hence most of the popular e-mail forensic applications such as encase, Nuix Forensics Desktop, x-ways forensics, Forensic Toolkit (FTK), Intella, etc., are aimed at searching millions of emails. These forensic application and others are also equipped with the capability of recovering deleted emails. These programs enable the collection of digital evidence through the recovery of email messages or email addresses related to any criminal activity. They do not trace back the email to its originator in terms of physical location of the attacker. Investigators rely on other email trace back applications to determine the location from where the email was sent. Most of the email trace back applications depend upon the Internet Protocol (IP) address of the source stored in the header of the email to determine the exact location of the originator. This technique works fine, however almost all malicious activity over the email is performed using spoofed IP address which negates the usability of tracing the source through IP address.
There are several IP trace back mechanisms that can find the source of the attack despite the IP address being spoofed in case of Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks (Karthik, Arunachalam, & Ravichandran, 2008). Although these mechanisms such as iTrace or PPM are highly efficient in determining the source of the attack, their complexity and high resource requirements for tracing the source renders them very improbable for being used as email forensic mechanisms. Thus there is a need to determine a resource efficient and simplistic solution for tracing the source of an email attack with a spoofed IP address.
Solution Outline
This study proposes a hop-count-based source-to-destination distance method for developing a simplistic and efficient trace back mechanism for tracing the source of an email attack with a spoofed source IP address. This mechanism is based on the hop count value (the intermediate devices between the source and the destination through which a set of data passes) stored inside the Time-to-Live (TTL) field in the IP packet to estimate the distance and subsequently the approximate location of the origin of the email (Wang et al., 2007). The hop-count-based source-to-destination distance can be worked out just within a minute after confining a single IP packet. The approximate location of the source of an email with a spoofed IP address can be located with a single day. The hop-count-based source-to-destination distance method cannot find the exact location of the source; however, it can prove to be an important tool in slimming down the scope of the search to aid further investigation and trace back process. Furthermore, the hop-count-based source-to-destination distance method can be applied in tracking various other attacks.
Project aims and Objectives
Currently, there are several IP trace back mechanisms that are designed to trace IP address in case of DoS or DDoS attacks over the Internet. These mechanisms require either a lot of resources or complicated network designs during trace back. The objective of this study is to propose a mechanism that fills the gap between resource-hungry and complicated trace back mechanisms.
Project Deliverables
This project will deliver a detailed report of the designed mechanism as part of the finding and analysis of a dissertation along with all its relevant components.
References
Burns, E. (2006). New online activities show greatest growth. Retrieved October 3, 2009 {online} http://www.clickz.com/3624155 (cited on 23rd Oct, 2012)
Internet Crime Complaint Center (IC3). (2009). IC3 2008 annual report on Internet crime released. Retrieved October 3, 2009 {online} http://www.ic3.gov/media/2009/090331.aspx (cited on 23rd Oct, 2012)
Karthik, S., & Arunachalam, V. P., & Ravichandran, T. (2008). A comparitive study of various IP traceback strategies and simulation of IP traceback. Asian Journal of Information Technology, 7(10), 454-458. Retrieved September 30, 2009 {online} http://docsdrive.com/pdfs/medwelljournals/ajit/2008/454-458.pdf (cited on 23rd Oct, 2012)
Wang, H., & Jin, C., & Shin, K. G. (2007). Defense against spoofed IP traffic using hop-count filtering. Retrieved October 1, 2009 {online} http://www.cs.wm.edu/~hnw/paper/hcf.pdf (cited on 23rd Oct, 2012)