Abstract
Emails encounter many types of cyber-attacks and email spoofing is one of the most common and challenging investigation problems. This paper identifies spoofing-based email attacks in an organization by analyzing received and replied emails. The detection works by capturing the email traces via memory forensics. Unlike the traditional approaches of capturing the entire physical memory, we only capture the memory of relevant processes for email header extraction. It significantly reduces the size of the memory dump and makes detection faster. We suggest a novel mechanism called URL extractor, which uses seven novel features from URL to identify the live running email message process by applying ML that traces received emails and captures their header fields for analysis. The authentication header fields of SPF, DKIM, DMARC, and ARC are examined closely to develop a detection algorithm for received emails. Similarly, novel header fields of Reference along with MX record are applied for the detection of replied emails. The MX record is fetched to verify the domain name by sending a forward ns-lookup query to DNS. It also includes an email attack alert mechanism for intimating IT admins of an organization regarding suspected attacks. The results thus obtained show that email detection takes 35 secs (apprx.) to complete with high accuracy and low false positives.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Lutui, R.: A multidisciplinary digital forensic investigation process model. Bus. Horiz. 59(6), 593–604 (2016)
Fruhlinger, J.: Top cybersecurity facts, figures and statistics. CSO Online, IDG (2020)
Sheikhalishahi, M., Saracino, A., Martinelli, F., Marra, A., Mejri, M., Mejri, N.: Digital waste disposal: an automated framework for analysis of spam emails. Int. J. Inf. Secur. 19, 499–522 (2020)
Gupta, B.B., Arachchilage, N.A.G., Psannis, K.: Defending against phishing attacks: taxonomy of methods, current issues and future directions. Telecommun. Syst. J. 67, 247–267 (2018)
Mooloo, D., Fowdu, T.P.: An ssl-based client-oriented anti-spoofing email application. Africon, pp. 1–5 (2013)
Hu, H., Peng, P., Wang, G.: Towards understanding the adoption of anti-spoofing protocols in email systems. In: IEEE Cybersecurity Development (SecDev 2018) (2018)
Hunt, R., Zeadally, R.: Network forensics: an analysis of techniques, tools, and trends. IEEE Comput. 45(12), 36–43 (2012)
Pagani, F., Fedorov, S., Balzarotti, D.: Introducing the temporal dimension to memory forensics. ACM Trans. Priv. Sec. 22(9), 1–21 (2019)
Parida, T., Das, S.: Pagedumper: a mechanism to collect page table manipulation information at run-time. Int. J. Inf. Secur. 20, 603–619 (2021)
Iyer, R., Atrey, P.K., Varshney, G., Misra, M.: Email spoofing detection using volatile memory forensics. In: IEEE Conference on Communications and Network Security (CNS), Las Vegas, NV, pp. 619–625 (2017)
Shukla, S., Misra, M., Varshney, G.: Identification of spoofed emails by applying email forensics and memory forensics. In: Published in Proceeding of ACM Digital Online, 10th International Conference (ICCNS 2020), pp. 109–114 (2020)
Mishra, P., Pilli, E., Joshi, R.: Forensic analysis of e-mail date and time spoofing. In: Third International Conference on Computer and Communication Technology (2013)
Gupta, S., Pilli, E.S., Mishra, P., Pilli, S., Joshi, R.C.: Forensic analysis of e-mail address spoofing. In: 5th IEEE International Conference on the Next Generation Information Technology Summit, pp. 898–904 (2014)
Odunibosi, O.: The classification of email headers using random forest algorithm to detect email spoofing. School of Computing, National College, Ireland (2019)
Konno, K., Kitagawa, N., Yamai, N.: False positive detection in sender domain authentication by dmarc by dmarc report analysis. In: 3rd International Conference on Information Science and System ICISS, pp. 38–41 (2020)
Maroofi, S., Korczynski, M., Hölzel, A., Duda, A.: Adoption of email anti-spoofing schemes: A large scale analysis. IEEE Trans. Netw. Service Manage. 1–1 (2021)
Hu, H., Wang, G.: End-to-end measurements of email spoofing attacks. In: Proceedings of 27th USENIX Security Symposium (2018)
Alexa: Alexa most popular website. http://www.alexa.com/topsites
Magnet: Magnet process capture tool. https://www.magnetforensics.com/resources/magnet-process-capture/
Microsoft: Windows sysinternals strings v2.53. https://docs.microsoft.com/en-us/sysinternals/downloads/strings
Banday, M.T.: Analysing e-mail headers for forensic investigation. J. Digital Foren. Sec. Law 6, 49–64 (2011)
Sanchez, P., Tapiador, J., Schneider, G.: After you, please: browser extensions order attacks and countermeasures. Int. J. Inf. Secur. 19, 623–638 (2020)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Ethics declarations
Conflict of Interest
The authors declare that they have no conflict of interest.
Ethical Approval
This article does not contain any studies with human participants or animals performed by any of the authors.
Rights and permissions
Copyright information
© 2023 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Shukla, S., Misra, M., Varshney, G. (2023). Forensic Analysis and Detection of Spoofing Based Email Attack Using Memory Forensics and Machine Learning. In: Li, F., Liang, K., Lin, Z., Katsikas, S.K. (eds) Security and Privacy in Communication Networks. SecureComm 2022. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 462. Springer, Cham. https://doi.org/10.1007/978-3-031-25538-0_26
Download citation
DOI: https://doi.org/10.1007/978-3-031-25538-0_26
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-25537-3
Online ISBN: 978-3-031-25538-0
eBook Packages: Computer ScienceComputer Science (R0)