DOI: 10.1145/3442520.3442527
Identification of Spoofed Emails by applying Email Forensics and Memory Forensics

Published: 13 March 2021

Abstract

Email forensics is a subdomain of network forensics, and email spoofing is the most common type of email attack. Email spoofing is the process of creating a forged message by manipulating the sender's email address so that the recipient believes the message originates from a genuine sender. Detecting spoofed emails is a challenging problem in email forensic investigation, and past research has addressed it with a variety of mechanisms. This paper builds on the base paper of R. P. Iyer et al. [11] and fills some of its research gaps. In our work, we detect spoofed emails received by the user by applying a memory forensic approach. Instead of capturing a complete memory dump, we capture only the memory of the browser's live running processes and extract the email headers from it for analysis. This reduces the size of the dump and makes detection fast. The proposed detection algorithm also overcomes the failure cases of Message-ID-based detection by applying nslookup to fetch the MX record of the sender's domain and so identify genuine emails. The advantage of applying memory forensics to spoofed email detection is that the user's digital footprint in physical memory gives guaranteed non-repudiation of what was received. The performance analysis shows that the entire task completes in approximately one minute with high accuracy and a minimum of false positives. The proposed method detects spoofed emails without disrupting the regular operation of the machine under test.
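The detection step the abstract describes, as an added example (this is not code from the paper): a header carver that pulls RFC 5322 header blocks out of a raw browser process-memory blob, then a classifier that first compares the Message-ID domain with the From domain and, when they differ, falls back to the MX records of the From domain. The page does not give the paper's exact rule, so the rule here is an assumption: a message is genuine if its Message-ID domain belongs to the From domain, or if the relaying host in a Received: header belongs to one of the From domain's MX hosts (or that MX host's parent domain); a From domain with no MX record, or a mismatch with no matching relay, is flagged. The memory blob, the domains and the MX table are constructed, and `stub_resolve_mx` stands in for `nslookup -type=MX` so the example runs offline.

```python
"""Carve e-mail headers out of a browser process-memory blob and label each
message genuine or spoofed: Message-ID check first, MX lookup as fallback.
Added example, not the paper's code; the detection rule is an assumption."""
import re
from email.parser import HeaderParser
from email.utils import parseaddr
from typing import Callable, Dict, List

# Two or more RFC 5322 header lines in a row (folded continuations allowed),
# starting at a line boundary, as a webmail tab leaves them in memory.
HEADER_BLOCK = re.compile(
    rb"^((?:[A-Za-z][A-Za-z0-9-]*:[^\r\n]*\r?\n(?:[ \t][^\r\n]*\r?\n)*){2,})",
    re.MULTILINE,
)
# Host that handed the message over, from a "Received: from <host> ..." clause.
RECEIVED_FROM = re.compile(r"\bfrom\s+([A-Za-z0-9][A-Za-z0-9.-]*)", re.IGNORECASE)

# Constructed stand-in for `nslookup -type=MX <domain>`: example.org outsources
# its mail to bulkprovider.net; examp1e.org (a look-alike) has no MX at all.
FAKE_MX = {
    "example.org": ["mx1.bulkprovider.net.", "mx2.bulkprovider.net."],
    "example.net": ["mail.example.net."],
}

def stub_resolve_mx(domain: str) -> List[str]:
    """Offline MX resolver (assumption); use a real DNS query on a live machine."""
    return FAKE_MX.get(domain.lower(), [])

def carve_headers(blob: bytes) -> List[Dict[str, object]]:
    """Return every header block in the blob that has both From: and Message-ID:."""
    found = []
    for m in HEADER_BLOCK.finditer(blob):
        msg = HeaderParser().parsestr(m.group(1).decode("latin-1"))
        if msg["From"] and msg["Message-ID"]:
            found.append({"from": msg["From"], "message_id": msg["Message-ID"],
                          "received": msg.get_all("Received") or []})
    return found

def domain_of(s: str) -> str:
    """Lower-cased text after the last '@' of an address or Message-ID."""
    return s.strip().strip("<>").rpartition("@")[2].lower()

def same_org(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

def classify(hdr: Dict[str, object], resolve_mx: Callable[[str], List[str]]) -> tuple:
    """Return (spoofed?, reason) for one carved header block."""
    from_dom = domain_of(parseaddr(str(hdr["from"]))[1])
    mid_dom = domain_of(str(hdr["message_id"]))
    if not from_dom or not mid_dom:
        return True, "missing From or Message-ID domain"
    if same_org(mid_dom, from_dom):
        return False, "Message-ID domain matches From domain"
    # A bare Message-ID check would flag outsourced mailers here, so fall back
    # to the From domain's MX records, as the paper does with nslookup.
    mx_hosts = [h.lower().rstrip(".") for h in resolve_mx(from_dom)]
    if not mx_hosts:
        return True, "From domain has no MX record"
    for rcvd in hdr["received"]:
        m = RECEIVED_FROM.search(str(rcvd))
        if not m:
            continue  # e.g. "from [198.51.100.7]": no host name to compare
        relay = m.group(1).lower().rstrip(".")
        if any(same_org(relay, mx) or same_org(relay, mx.partition(".")[2] or mx)
               for mx in mx_hosts):
            return False, "relay host belongs to an MX host of the From domain"
    return True, "Message-ID mismatch and no relay host among the From domain's MX hosts"

def scan(blob: bytes, resolve_mx: Callable[[str], List[str]]) -> List[Dict[str, object]]:
    """Carve and classify every message found in the memory blob."""
    out = []
    for hdr in carve_headers(blob):
        spoofed, reason = classify(hdr, resolve_mx)
        out.append({"from": hdr["from"], "message_id": hdr["message_id"],
                    "spoofed": spoofed, "reason": reason})
    return out

# Constructed memory snippet: four header blocks between junk bytes.
SAMPLE_MEMORY = (
    b"\x00\x7fELF junk \xff\xfe<div class=\"mail\">\n"
    b"Received: from mx-out.bulkprovider.net (mx-out.bulkprovider.net [192.0.2.10])\r\n"
    b"\tby inbound.example.com with ESMTPS; Mon, 1 Mar 2021 10:00:00 +0000\r\n"
    b"From: Billing <billing@example.org>\r\n"
    b"Message-ID: <2021030110.abc@mailer.bulkprovider.net>\r\n"
    b"\x00\x00 more junk \x00\n"
    b"Received: from [198.51.100.7] (unknown [198.51.100.7])\r\n"
    b"\tby inbound.example.com with ESMTP; Mon, 1 Mar 2021 10:05:00 +0000\r\n"
    b"From: CEO <ceo@example.org>\r\n"
    b"Message-ID: <deadbeef@attacker.test>\r\n"
    b"\x00\n"
    b"Received: from out.example.net (out.example.net [203.0.113.5])\r\n"
    b"\tby inbound.example.com; Mon, 1 Mar 2021 10:10:00 +0000\r\n"
    b"From: alice@example.net\r\n"
    b"Message-ID: <123.456@example.net>\r\n"
    b"\x00\n"
    b"Received: from smtp.attacker.test (smtp.attacker.test [198.51.100.9])\r\n"
    b"\tby inbound.example.com; Mon, 1 Mar 2021 10:15:00 +0000\r\n"
    b"From: IT Support <helpdesk@examp1e.org>\r\n"
    b"Message-ID: <x@attacker.test>\r\n"
    b"\x00"
)
```

Calling `scan(SAMPLE_MEMORY, stub_resolve_mx)` labels the first message genuine through the MX fallback (the Message-ID check alone would have flagged it), the second spoofed because the relay is a bare IP literal with no host name among example.org's MX hosts, the third genuine by Message-ID, and the fourth spoofed because the look-alike From domain has no MX record. On a live machine the blob would come from the browser's process memory rather than a literal, and `stub_resolve_mx` would be replaced by a real MX query.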

References

[1] Kristine Amari. 2009. Techniques and tools for recovering and analyzing data from volatile memory. SANS Institute InfoSec Reading Room (2009).
[2] M. Tariq Banday. 2011. Technology Corner: Analysing E-mail Headers for Forensic Investigation. J. Digit. Forensics Secur. Law 6 (2011), 49–64.
[3] Andrew Case and Golden G. Richard III. 2016. Detecting Objective-C malware through memory forensics. Digital Investigation 18 (2016), S3–S10.
[4] DFRWS. 2005. Digital Forensics Research Workshop 2005 challenge. Retrieved May 2020 from http://www.dfrws.org/2005/challenge/index.shtml
[5] DKIM. [n.d.]. DomainKeys Identified Mail. http://www.dkim.org/
[6] DMARC. [n.d.]. Domain-based Message Authentication, Reporting and Conformance. https://dmarc.org/overview/
[7] Liu Guangqi, Wang Lianhai, Zhang Shuhui, Xu Shujiang, and Zhang Lei. 2014. Memory dump and forensic analysis based on virtual machine. In 2014 IEEE International Conference on Mechatronics and Automation. IEEE, 1773–1777.
[8] Surekha Gupta, Emmanuel S. Pilli, Preeti Mishra, Sumit Pundir, and R. C. Joshi. 2014. Forensic analysis of E-mail address spoofing. In 2014 5th International Conference – Confluence The Next Generation Information Technology Summit (Confluence). IEEE, 898–904.
[9] Cheng-Ta Huang, Ya-Ting Chang, and Shiuh-Jeng Wang. 2015. Evidence revelations at memory forensics in conversations of instant messages. Forensic Science Journal 14, 1 (2015), 59–67.
[10] Ray Hunt and Sherali Zeadally. 2012. Network forensics: an analysis of techniques, tools, and trends. Computer 45, 12 (2012), 36–43.
[11] R. Padmavathi Iyer, Pradeep K. Atrey, Gaurav Varshney, and Manoj Misra. 2017. Email spoofing detection using volatile memory forensics. In 2017 IEEE Conference on Communications and Network Security (CNS). IEEE, 619–625.
[12] Neethu Joseph, Sherina Sunny, S. Dija, and K. L. Thomas. 2014. Volatile Internet evidence extraction from Windows systems. In 2014 IEEE International Conference on Computational Intelligence and Computing Research. IEEE, 1–5.
[13] Yusuf Kavurucu and Ömer Sever. 2016. Hybrid non-repudiation protocol with all types of pairings. Journal of Naval Sciences and Engineering 12, 1 (2016), 33–50.
[14] Igor Korkin and Ivan Nesterov. 2015. Applying memory forensics to rootkit detection. arXiv preprint arXiv:1506.04129 (2015).
[15] Manish Kumar, M. Hanumanthappa, and T. V. Suresh Kumar. 2013. A Countermeasure Technique for Email Spoofing. International Journal of Advanced Research in Computer Science 4, 1 (2013).
[16] Kyoungho Lee, Hyunuk Hwang, Kibom Kim, and BongNam Noh. 2016. Robust bootstrapping memory analysis against anti-forensics. Digital Investigation 18 (2016), S23–S32.
[17] Raymond Lutui. 2016. A multidisciplinary digital forensic investigation process model. Business Horizons 59, 6 (2016), 593–604.
[18] Preeti Mishra, Emmanuel S. Pilli, and R. C. Joshi. 2012. Forensic analysis of e-mail date and time spoofing. In 2012 Third International Conference on Computer and Communication Technology. IEEE, 309–314.
[19] D. Mooloo and T. P. Fowdur. 2013. An SSL-based client-oriented anti-spoofing email application. In 2013 AFRICON. IEEE, 1–5. https://doi.org/10.1109/AFRCON.2013.6757757
[20] SPF. [n.d.]. Sender Policy Framework project overview. Retrieved 2014 from http://www.openspf.org/
[21] Lian Hai Wang and Qiu Liang Xu. 2015. An APT trojan detection method based on memory forensics techniques. In Applied Mechanics and Materials, Vol. 701. Trans Tech Publications, 927–934.
[22] Anargyros Xrysanthou and Ioannis Apostolakis. 2006. Network forensics: Problems and solutions. E-Democracy: Challenges of the Digital Era (2006), 307–318.
[23] Lijuan Xu and Lianhai Wang. 2013. Research on extracting system logged-in password forensically from Windows memory image file. In 2013 Ninth International Conference on Computational Intelligence and Security. IEEE, 716–720.

Cited By

  • Email bombing attack detection and mitigation using machine learning. International Journal of Information Security 23, 4 (2024), 2939–2949. https://doi.org/10.1007/s10207-024-00871-7 (online 13 June 2024)
  • Forensic Analysis and Detection of Spoofing Based Email Attack Using Memory Forensics and Machine Learning. In Security and Privacy in Communication Networks (2023), 491–509. https://doi.org/10.1007/978-3-031-25538-0_26 (online 4 February 2023)
  • MemInspect2: OS-Independent Memory Forensics for IoT Devices in Cybercrime Investigations. In 2022 IEEE/ACIS 22nd International Conference on Computer and Information Science (ICIS) (2022), 162–169. https://doi.org/10.1109/ICIS54925.2022.9882517 (online 26 June 2022)
  • Advanced Analysis of Email Sender Spoofing Attack and Related Security Problems. In 2022 IEEE 9th International Conference on Cyber Security and Cloud Computing (CSCloud) / 2022 IEEE 8th International Conference on Edge Computing and Scalable Cloud (EdgeCom) (2022), 80–85. https://doi.org/10.1109/CSCloud-EdgeCom54986.2022.00023 (online June 2022)
  • Pattern Recognition and Reconstruction: Detecting Malicious Deletions in Textual Communications. In 2021 IEEE International Conference on Big Data (Big Data) (2021), 2574–2582. https://doi.org/10.1109/BigData52589.2021.9671921 (online 15 December 2021)
  • A Forensic Framework for Webmail Threat Detection Using Log Analysis. In Innovative Security Solutions for Information Technology and Communications (2021), 57–69. https://doi.org/10.1007/978-3-031-17510-7_5 (online 25 November 2021)
  • Multi Layer Detection Framework for Spear-Phishing Attacks. In Information Systems Security (2021), 38–56. https://doi.org/10.1007/978-3-030-92571-0_3 (online 16 December 2021)

Published In

ICCNS '20: Proceedings of the 2020 10th International Conference on Communication and Network Security
November 2020
145 pages
ISBN:9781450389037
DOI:10.1145/3442520
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Email Forensics
  2. Email Spoofing
  3. Memory Forensics

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ICCNS 2020

Article Metrics

  • Downloads (last 12 months): 102
  • Downloads (last 6 weeks): 4
Reflects downloads up to 30 Aug 2024

