Implementasi Email Forensik dengan Menggunakan Tools (Emkei's Fake Mailer, Mxtoolbox dan Talos)

El Rahmat Jaya Hulu_ 0143

10 Feb 202309:06

Summary

TLDRIn this forensic email investigation tutorial, the speaker demonstrates the process of creating fake emails using NTT mailer and analyzing email headers to distinguish between fraudulent and legitimate messages. By sending a manipulated email to their own address, they use tools to analyze and compare email headers, identifying discrepancies such as mismatched IP addresses and domains. The speaker contrasts a fake email with an original one to show how forensic analysis can uncover deceptive practices, emphasizing the importance of header analysis in detecting email fraud.

Takeaways

😀 The goal of the forensic email process is to determine whether an email is fake or authentic using various analysis tools.
😀 The NTT mailer tool is used to manipulate email headers and create a fake email that appears to come from the original sender.
😀 Fake emails are sent to a victim's email address for the purpose of analysis, with the investigator using their own email for testing.
😀 Email header analysis is performed using a tool called MX, where the header details are copied and pasted to reveal the email's origin.
😀 Discrepancies in the email’s header, such as mismatched IP addresses and DNS domains, can indicate the email is fake.
😀 In the example, a fake email appears to come from 'Alfamart 2018 Force One', but the actual domain was different, signaling manipulation.
😀 The investigator uses an original email for comparison, where the header shows legitimate details, such as matching IP and DNS information from Google.
😀 Analyzing the DNS and IP address in the header allows the forensic expert to verify if an email is originating from a legitimate source or a fake one.
😀 The process illustrates how forensic tools can be used to detect email manipulation by identifying inconsistencies in email headers and domains.
😀 The final comparison between fake and real emails highlights the significance of email header analysis in confirming the authenticity of an email.

Q & A

What is the purpose of using the NTT Mailer tool in the forensic email process?
-The NTT Mailer tool is used to send fake emails by manipulating email headers, which helps in analyzing and identifying whether the email is legitimate or forged.
How does forensic email analysis help in detecting fake emails?
-Forensic email analysis involves examining email headers and comparing them with legitimate sources, helping to identify discrepancies that suggest the email is fake.
What steps are involved in creating a fake email using the NTT Mailer tool?
-The process involves creating a fake email with manipulated headers to make it appear as though it came from an original, trusted source, and then sending it to the target email address.
What is the role of MX tools in forensic email analysis?
-MX tools are used to analyze the email header by pasting it into the tool, which then provides insights into whether the email is legitimate or fake based on the sender's IP address and domain.
How can you identify a fake email based on the IP address in the email header?
-By checking the IP address in the email header using tools like MX, you can identify if the IP matches a legitimate source. If the IP corresponds to a different, suspicious domain, it indicates a fake email.
What is the significance of DNS match in email header analysis?
-A DNS match confirms whether the email is coming from a legitimate domain or a fake one. If the domain name in the header does not match the expected source, it suggests that the email may be forged.
What was the key finding when comparing a fake email with an original email in the analysis?
-The key finding was that the fake email came from a different domain, such as 'cool hosting,' instead of the expected domain like 'google.com,' indicating the email was manipulated.
How does the tool differentiate between an original email and a fake one?
-The tool analyzes the email header, specifically the sender's IP address and domain, to detect mismatches. An original email will show a DNS match with its legitimate domain, while a fake one will not.
Why is it important to compare the results of the fake email with the original email?
-Comparing the results helps verify the authenticity of the email by ensuring that the IP addresses, domains, and other header elements match those of a legitimate source, revealing discrepancies in fake emails.
What was the conclusion after analyzing the fake email's header?
-The conclusion was that the email came from a fake source, as evidenced by the mismatch between the IP address, domain, and the expected email source, indicating that it was not sent by the claimed original sender.