SCP Syntax Tutorial

The scp command is available on UNIX-based systems (including Linux and Mac OS) and allows files to be copied to, from, or between different hosts. It uses Secure Shell (ssh) for data transfer and provides the same authentication and the same level of security as ssh.

Here you’ll find a document outlining the syntax required when using the scp command.

Firefox Add-on Tutorial

Here you will find a tutorial explaining how to download, install and customise an Add-on on the Firefox web browser.

Click the Firefox logo below for the tutorial in PDF format.

The new version of Firefox (v.57 Quantum – released November 18 2017) will look slightly different but the functionality and installation of add-ons remains principally the same.

Hashing Tutorial

Click the fingerprint logo for a PDF tutorial document on hashing digital evidence in investigations.

You’ll need the Hash My Files software by Nirsoft for this tutorial. You can download it for free by clicking here, if you don’t already have it.

Facebook Search Techniques

Facebook search tools are developing all the time.

Facebook Graph Search is a ‘Semantic’ search tool provided within Facebook. This tool allows the user to search Facebook using natural language or phrases.

So, for example, you can search Facebook for ‘people who work at British Airways’ by typing this phrase in to the Facebook search field.

However, some of the functionality of Graph Search has changed recently, so here we will look at a straightforward method for you to use to enhance your Facebook searching using built in features.

You will need a Facebook account and you will need to be logged in to use the techniques discussed here.

If you want to use Facebook Graph Search in full, you will need to set your Facebook language to English (US) on a computer, by clicking the ‘settings’ tab and then ‘Languages’.

The simplest way to use Facebook Graph Search is to type your search term into the Facebook search box, for example ‘photos posted by Jo Ellis’ or ‘places checked in by Jo Ellis’.

Remember to select the ‘Places’ tab, in this case, as we are looking for places.

This may provide the desired result, but there is another method if this fails.

The first thing you will need is the unique Facebook ID of the person, group or organisation you are interested in.

Method 1

To do this, use the socmint.tools website.

In Facebook, find your subject’s Facebook profile page and click on their name in the profile. This sanitises the Facebook profile URL in the browser’s URL bar.

Copy the full URL of your subject’s Facebook page from the URL bar.

Open socmint.tools in a new tab and click on option 2 ‘Find Facebook ID’.

Paste the Facebook URL into the search box.

The subject’s unique Facebook ID will be displayed. Copy it and close the tab.

So, the unique Facebook ID of Jo Ellis is 100006229980571.

Once you have obtained your subject’s unique Facebook ID, click on option 3 at socmint.tools, ‘Graph Search’.

Paste the unique Facebook ID against the desired search criteria and click the associated button.

Results will be displayed in a new browser tab.

Facebook entities such as groups, communities and organisations also have a unique Facebook ID which can be located in the same fashion.

If you receive the error below, try method 2.

You will find that results returned will depend on the privacy settings of your subject.

However, also look at your subject’s profile to ensure all of the available data has been returned.

Remember that available information from Facebook profiles can be limited by the privacy settings of the subject.

Method 2

For the second method of obtaining the unique Facebook ID you will need to:

  • right click on a blank area of your subject’s Facebook page
  • select ‘View Page Source’, which reveals the page’s HTML script
  • search the script that appears for the term ‘profile_id’ by using ctrl + f: enter the term profile_id in the search box and click highlight all. Don’t press enter.
  • The first occurrence will be followed by the Facebook ID of your subject

Facebook often change their interface, settings and features – more details about Facebook privacy settings can be found here.

Here is a link to a website called stalkscan.com that conducts graph searches for you, just enter the Facebook URL of the subject in the search box.

Other online Facebook Graph Search Tools are available here and here.

Finally, check out this excellent post by Paul Myers at Research Clinic.

Examining Email Headers

Whenever an email is sent, information is transmitted with that email and the route the email takes across a network is recorded. This information is known as the ‘Extended Header’.

The extended header can be of great use to the researcher and, when used correctly, provides an insight into the sender, their software and hardware and potential recipients.

The extended header information potentially includes the sender’s IP address, email client, return address and the route the email has taken to reach its destination. This is useful in identifying and investigating ‘spoof’ or ‘phishing’ emails.

There are three main issues to discuss here before we move on.

The first is that different email services provide different information in the extended header.

The second is that we need to be in possession of the original email, not one that has been forwarded to us for examination. A forwarded email will contain the extended header information of the forwarder, not of the original email. The subject email can in some circumstances be sent as an attachment, and in this case the extended header information will be retained.

The third is that different email clients and web-based services present the extended header in different formats, and the information is accessed in different ways. A Google search will reveal how to view the extended header information in your email client or web-based service.

For our example, we are going to use an email sent from Microsoft Outlook 2013 to a gmail.com address.

We will be viewing the extended header of the email through the web-based gmail service, but similar procedures apply to all email clients and services.

Below are the details of the email as it was sent from the Outlook 2013 account. We can see details of the recipient, the CC recipient, the BCC recipient, the email subject and the details of the attachment.

So, here’s how to view the extended header information in the gmail web service:

  • Log in to the web service at mail.google.com
  • Open the email in question
  • Click the drop-down arrow to the right of the reply button
  • Click on ‘Show Original’ in the menu that has appeared
  • The extended header information for that email will open in a new window
  • Select all of the text that appears and copy it to your clipboard
  • Open either Word, Notepad or a similar text editor and paste in the extended email header. You can examine the header in its web page but I find it easier in an editor

For the extended header information used in this example, click on the icon below. It should open in a new tab.

This example has the relevant sections highlighted. The red numbers on the highlighted section do not form part of the header and have been appended for reference only.

To examine an Extended Email Header, we should read from the bottom up.

So, working upwards, here are the details:

1. The text content of the email

2. ‘Disposition-Notification-To’ means that the sender has asked for a delivery or read receipt from the recipient. This receipt is often sent automatically when the recipient receives or opens the message, but this option can usually be modified in the recipient’s email program or client, giving the recipient the option whether to send a receipt or not.

3. X-Mailer is the email client used by the sender. A Google search for ‘Microsoft Outlook 15.0’ identifies the client in this case as Microsoft Outlook 2013, so the sender must be running Windows.

3A. Message ID is the unique ID reference of this message. It may be generated by the mail server or the ISP, but is unique and essential when speaking with administrators to trace a message and related information on a server or network.

4. The day, date and time sent from the sender’s machine. In this case it’s GMT +0100 as it is summer. Look closely, further up the header (below item 10) and you will see the server time (kundenserver.de) is GMT +0200 as that is the local time.

5. The subject line of the original email.

6. The ‘CC’ or Carbon Copy recipient’s email address (jhellis@hotmail.co.uk).

NOTE: the ‘BCC’ or Blind Carbon Copy recipient’s name or email address (jellis@gmx.com) is not shown in the header.

7. The main recipient’s email address.

8. The email address from which the original email was sent.

9. The reply to address (info@onlineops.co.uk) which is different to the sender’s email address. When the recipient replies to the email, this is the email address the reply is sent to. In this case this is the original sender’s email address, but could be an alternative email address. This is often the case in ‘scam’ emails.

10. This is the hostname of the computer used by the sender (jonmbp) and the sender’s public facing Internet Protocol (IP) address. In this case this IP address, 87.117.199.182, when investigated (type it in to centralops.net) appears to be owned by Rapidswitch Limited in the UK.

Reading upwards, the first IP address that appears is usually that of the sender.

NOTE: not all email service providers capture the sender’s IP address in the Extended Header.

11. This entry confirms that the email was delivered to mrjhellis70@gmail.com and this is the recipient’s email address that this header relates to. This would be different if we were to examine the header of the other recipients’ email addresses.

The time and date of delivery to the server are shown. In this case the time is followed by the letters PDT, which refer to ‘Pacific Daylight Time’, and -0700, which means the time displayed is PDT minus 7 hours. This is not the time the email was read by the recipient.

Take particular care when interpreting times in Headers as they are specific to the location of the mail servers.
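
The bottom-up reading described above can be scripted. The Python below is an added example, not part of the original tutorial: it walks the Received lines from the bottom up, converts every timestamp to UTC so that offsets such as +0100, +0200 and -0700 can be compared directly, and flags a Reply-To address that differs from the From address. The header is a constructed sample using reserved example domains and documentation IP addresses, and the names `summarise` and `to_utc` are assumptions.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample header, NOT the one from the tutorial: reserved example
# domains and documentation IP ranges stand in for real values.
RAW = """\
Received: by mx.example.org with SMTP id abc123; Tue, 14 Jul 2015 03:41:09 -0700 (PDT)
Received: from relay.example.net (relay.example.net [198.51.100.7])
        by mx.example.org with ESMTPS id def456; Tue, 14 Jul 2015 03:41:08 -0700 (PDT)
Received: from senderpc ([203.0.113.45]) by relay.example.net
        with ESMTPSA id ghi789; Tue, 14 Jul 2015 12:41:06 +0200
From: "Sender" <sender@example.com>
Reply-To: <replies@example.net>
Date: Tue, 14 Jul 2015 11:41:05 +0100
X-Mailer: Microsoft Outlook 15.0
Subject: Constructed test message
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def to_utc(date_text):
    # Header times are local to each machine; normalise before comparing.
    return parsedate_to_datetime(date_text).astimezone(timezone.utc)

def summarise(raw):
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its Received line, so reverse to read bottom up.
    for value in reversed(msg.get_all("Received", [])):
        ip = BRACKETED_IP.search(value)
        stamp = value.rsplit(";", 1)[-1]  # the timestamp follows the last ';'
        hops.append((to_utc(stamp).isoformat(), ip.group(1) if ip else None))
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    return {
        "sent_utc": to_utc(msg["Date"]).isoformat(),
        "hops": hops,
        # Reading upwards, the first IP that appears is usually the sender's.
        "sender_ip": next((ip for _, ip in hops if ip), None),
        "reply_to_differs": bool(reply_to) and reply_to != sender,
        "mailer": msg.get("X-Mailer"),
    }

if __name__ == "__main__":
    for key, value in summarise(RAW).items():
        print(f"{key}: {value}")
```

Once normalised, the four timestamps in the sample fall within four seconds of each other even though they are written with three different offsets.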

Try cutting and pasting an email header in to the service at mxtoolbox.com. This service helps break down the route an email has taken to reach its destination.

For help finding the Extended Email Header in your particular service or client, check out Header Help.

As can be seen from the above example, Extended Email Headers provide a wealth of information about the originator and the content of an email, its path and recipients.