{"title":"利用电子邮件取证和内存取证识别欺骗邮件","authors":"Sanjeev Shukla, M. Misra, G. Varshney","doi":"10.1145/3442520.3442527","DOIUrl":null,"url":null,"abstract":"Email forensics is the subdomain of network forensics, and email spoofing is the most common type of email attack. Email spoofing is a process of creating a forged message by manipulating the sender’s email address so that it appears to the recipient that the originating email is coming from a genuine sender. Spoofed email attack and its detection is a challenging problem in email forensic investigation. Research in the past has tried to address email detection by different mechanisms. This paper tries to improve and fill some of the research gaps from the base paper of R.P Iyer [11]. In our work, we detect spoofed emails received by the user by applying memory forensic approach. Instead of capturing the complete memory dump, we only capture the browser’s live running processes from memory and extract the email header for analysis. This reduces the size of the memory dump and makes detection fast. Also proposed detection algorithm overcomes messageID based detection failures by applying nslookup to fetch MX record to identify the genuine emails. The advantage of memory forensic application for spoofed email detection is that we get guaranteed non-repudiation of the user’s digital footprint in physical memory. The results of the performance analysis show that the entire task can be completed in approximately 1 min with high accuracy with minimum false positives. The proposed method detects spoofed emails without disrupting the regular operation of the testing machine.","PeriodicalId":340416,"journal":{"name":"Proceedings of the 2020 10th International Conference on Communication and Network Security","volume":"459 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-11-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":"{\"title\":\"Identification of Spoofed Emails by applying Email Forensics and Memory Forensics\",\"authors\":\"Sanjeev Shukla, M. Misra, G. Varshney\",\"doi\":\"10.1145/3442520.3442527\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Email forensics is the subdomain of network forensics, and email spoofing is the most common type of email attack. Email spoofing is a process of creating a forged message by manipulating the sender’s email address so that it appears to the recipient that the originating email is coming from a genuine sender. Spoofed email attack and its detection is a challenging problem in email forensic investigation. Research in the past has tried to address email detection by different mechanisms. This paper tries to improve and fill some of the research gaps from the base paper of R.P Iyer [11]. In our work, we detect spoofed emails received by the user by applying memory forensic approach. Instead of capturing the complete memory dump, we only capture the browser’s live running processes from memory and extract the email header for analysis. This reduces the size of the memory dump and makes detection fast. Also proposed detection algorithm overcomes messageID based detection failures by applying nslookup to fetch MX record to identify the genuine emails. The advantage of memory forensic application for spoofed email detection is that we get guaranteed non-repudiation of the user’s digital footprint in physical memory. The results of the performance analysis show that the entire task can be completed in approximately 1 min with high accuracy with minimum false positives. The proposed method detects spoofed emails without disrupting the regular operation of the testing machine.\",\"PeriodicalId\":340416,\"journal\":{\"name\":\"Proceedings of the 2020 10th International Conference on Communication and Network Security\",\"volume\":\"459 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2020-11-27\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"3\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 2020 10th International Conference on Communication and Network Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3442520.3442527\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2020 10th International Conference on Communication and Network Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3442520.3442527","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Identification of Spoofed Emails by applying Email Forensics and Memory Forensics
Email forensics is the subdomain of network forensics, and email spoofing is the most common type of email attack. Email spoofing is a process of creating a forged message by manipulating the sender’s email address so that it appears to the recipient that the originating email is coming from a genuine sender. Spoofed email attack and its detection is a challenging problem in email forensic investigation. Research in the past has tried to address email detection by different mechanisms. This paper tries to improve and fill some of the research gaps from the base paper of R.P Iyer [11]. In our work, we detect spoofed emails received by the user by applying memory forensic approach. Instead of capturing the complete memory dump, we only capture the browser’s live running processes from memory and extract the email header for analysis. This reduces the size of the memory dump and makes detection fast. Also proposed detection algorithm overcomes messageID based detection failures by applying nslookup to fetch MX record to identify the genuine emails. The advantage of memory forensic application for spoofed email detection is that we get guaranteed non-repudiation of the user’s digital footprint in physical memory. The results of the performance analysis show that the entire task can be completed in approximately 1 min with high accuracy with minimum false positives. The proposed method detects spoofed emails without disrupting the regular operation of the testing machine.