Tutorial: Post Office Protocol (POP)

POP is a protocol that allows a client to retrieve mail from e-mail servers. This tutorial discusses the features of the plugin popDecode, including its Data Carving capabilities.

Preparation

Before we start we need to prepare T2. If you did not complete the earlier tutorials, just follow the procedure described below.

First, I recommend setting T2 into a pristine state by removing all unnecessary or older plugins from the default plugin folder ~/.tranalyzer/plugins, just as a precaution in case old plugins or files are still there. If you want to keep them, copy them somewhere else first.

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$

Then compile the following plugins:

$ t2build tranalyzer2 basicFlow tcpStates popDecode txtSink
...
BUILD SUCCESSFUL

$

If you have not created separate data and results directories yet, do it now in another command window; it facilitates your workflow:

$ mkdir ~/data ~/results
$

Download the sample pcap here: pop3.pcap. Now you’re all set.

popDecode

Let’s look at the plugin configuration first. It looks like that of the other Data Carving plugins.

$ popDecode
$ vi src/popDecode.h

This plugin is data carving capable: if POP_SAVE=1 is set, it extracts the content of the retrieved emails to the path POP_F_PATH.

Note that POP_RMDIR=1 means the output directory is deleted at each new t2 execution. If you want to keep the files of earlier runs, set it to 0.

POP_BTFLD controls whether the command bitfield (popCBF) is output.

For the time being we leave everything at its default. Now run t2 on the supplied pcap.

$ t2 -r ~/data/pop3.pcap -w ~/results/ -s
================================================================================
Tranalyzer 0.8.10 (Anteater), Tarantula. PID: 18333
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.10
    02: tcpStates, 0.8.10
    03: popDecode, 0.8.10
    04: txtSink, 0.8.10
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406077 (406.08 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51069 (51.07 K)
Processing file: /home/wurst/data/pop3.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1377201633.570191 sec (Thu 22 Aug 2013 20:00:33 GMT)
Dump stop : 1377201785.011707 sec (Thu 22 Aug 2013 20:03:05 GMT)
Total dump duration: 151.441516 sec (2m 31s)
Finished processing. Elapsed time: 0.001892 sec
Finished unloading flow memory. Time: 0.001953 sec
Percentage completed: 100.00%
Number of processed packets: 125
Number of processed bytes: 27969 (27.97 K)
Number of raw bytes: 27969 (27.97 K)
Number of pcap bytes: 29993 (29.99 K)
Number of IPv4 packets: 125 [100.00%]
Number of A packets: 58 [46.40%]
Number of B packets: 67 [53.60%]
Number of A bytes: 3612 (3.61 K) [12.91%]
Number of B bytes: 24357 (24.36 K) [87.09%]
Average A packet load: 62.28
Average B packet load: 363.54
--------------------------------------------------------------------------------
tcpStates: Aggregated tcpStatesAFlags=0x43
popDecode: Aggregated popStat=0x02ce
popDecode: Number of POP packets: 67 [53.60%]
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of TCP packets: 125 [100.00%]
Number of TCP bytes: 27969 (27.97 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 22
Number of processed A flows: 11 [50.00%]
Number of processed B flows: 11 [50.00%]
Number of request     flows: 11 [50.00%]
Number of reply       flows: 11 [50.00%]
Total   A/B    flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed   packets/flows: 5.68
Number of processed A packets/flows: 5.27
Number of processed B packets/flows: 6.09
Number of processed total packets/s: 0.83
Number of processed A+B   packets/s: 0.83
Number of processed A     packets/s: 0.38
Number of processed   B   packets/s: 0.44
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.15
Average full raw bandwidth: 1477 b/s (1.48 Kb/s)
Average full bandwidth : 1468 b/s (1.47 Kb/s)
Max number of flows in memory: 6 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows

So the aggregated popStat flags the existence of POP3 in the pcap. We further see that there is an authentication error (the -ERR response), an array overflow, and potential content which can be extracted.

$ tawk -V popStat=0x02ce
The popStat column with value 0x02ce is to be interpreted as follows:

   bit | popStat | Description
   =============================================================================
     1 | 0x0002    | POP3 port found
     2 | 0x0004    | Response +OK
     3 | 0x0008    | Response -ERR
     6 | 0x0040    | Response not valid or data
     7 | 0x0080    | Array overflow
     9 | 0x0200    | Return path pending

In the flow file you see the aggregated POP3 commands, users, passwords and content, until the maximum defined array length is reached; see flow 11 B.

$ cd ~/results
$ tcol pop3_flows.txt
%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP           srcIPCC  srcIPOrg           srcPort  dstIP           dstIPCC  dstIPOrg           dstPort  l4Proto  tcpStatesAFlags  popStat  popCBF  popCC                               popRM  popUsrNum  popUsr                               popPwNum  popPw                                                               popCNum  popC
A     1        0x0400000000004000  1377201633.570191  1377201633.570191  0.000000  1           3        eth:ipv4:tcp  c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800              192.168.0.4     07       "Private network"  26242    212.227.15.188  de       "1&1 IONOS SE"     110      6        0x03             0x0002   0x0000                                             0                                               0                                                                             0
B     1        0x0400000000004001  1377201633.620883  1377201633.620883  0.000000  1           3        eth:ipv4:tcp  4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800              212.227.15.188  de       "1&1 IONOS SE"     110      192.168.0.4     07       "Private network"  26242    6        0x43             0x0002   0x0000                                             0                                               0                                                                             0
A     2        0x0400000000004000  1377201634.118955  1377201634.118955  0.000000  1           3        eth:ipv4:tcp  c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800              192.168.0.4     07       "Private network"  26242    212.227.15.188  de       "1&1 IONOS SE"     110      6        0x03             0x0002   0x0000                                             0                                               0                                                                             0
B     2        0x0400000000004001  1377201634.179802  1377201634.179802  0.000000  1           3        eth:ipv4:tcp  4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800              212.227.15.188  de       "1&1 IONOS SE"     110      192.168.0.4     07       "Private network"  26242    6        0x43             0x0002   0x0000                                             0                                               0                                                                             0
A     3        0x0400000000004000  1377201634.679980  1377201634.679980  0.000000  1           3        eth:ipv4:tcp  c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800              192.168.0.4     07       "Private network"  26242    212.227.15.188  de       "1&1 IONOS SE"     110      6        0x03             0x0002   0x0000                                             0                                               0                                                                             0
B     3        0x0400000000004001  1377201634.730947  1377201634.730947  0.000000  1           3        eth:ipv4:tcp  4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800              212.227.15.188  de       "1&1 IONOS SE"     110      192.168.0.4     07       "Private network"  26242    6        0x43             0x0002   0x0000                                             0                                               0                                                                             0
A     4        0x0400000000004000  1377201634.731376  1377201634.731376  0.000000  1           3        eth:ipv4:tcp  c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800              192.168.0.4     07       "Private network"  26245    212.227.15.171  de       "1&1 IONOS SE"     110      6        0x03             0x0002   0x0000                                             0                                               0                                                                             0
B     4        0x0400000000004001  1377201634.782081  1377201634.782081  0.000000  1           3        eth:ipv4:tcp  4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800              212.227.15.171  de       "1&1 IONOS SE"     110      192.168.0.4     07       "Private network"  26245    6        0x43             0x0002   0x0000                                             0                                               0                                                                             0
A     5        0x0400000000004000  1377201635.282020  1377201635.282020  0.000000  1           3        eth:ipv4:tcp  c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800              192.168.0.4     07       "Private network"  26245    212.227.15.171  de       "1&1 IONOS SE"     110      6        0x03             0x0002   0x0000                                             0                                               0                                                                             0
B     5        0x0400000000004001  1377201635.332082  1377201635.332082  0.000000  1           3        eth:ipv4:tcp  4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800              212.227.15.171  de       "1&1 IONOS SE"     110      192.168.0.4     07       "Private network"  26245    6        0x43             0x0002   0x0000                                             0                                               0                                                                             0
A     6        0x0400000000004000  1377201635.832038  1377201635.832038  0.000000  1           3        eth:ipv4:tcp  c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800              192.168.0.4     07       "Private network"  26245    212.227.15.171  de       "1&1 IONOS SE"     110      6        0x03             0x0002   0x0000                                             0                                               0                                                                             0
B     6        0x0400000000004001  1377201635.879756  1377201635.879756  0.000000  1           3        eth:ipv4:tcp  4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800              212.227.15.171  de       "1&1 IONOS SE"     110      192.168.0.4     07       "Private network"  26245    6        0x43             0x0002   0x0000                                             0                                               0                                                                             0
A     8        0x0400000000004000  1377201676.627010  1377201680.096849  3.469839  1           3        eth:ipv4:tcp  c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800              192.168.0.4     07       "Private network"  26284    212.227.15.166  de       "1&1 IONOS SE"     110      6        0x00             0x0002   0x0006  AUTH;CAPA                                  0                                               1         "AGRpZ2l0YWxpbnZlc3RpZ2F0b3JAbmV0d29ya3NpbXMuY29tAG5hcGllcg=="      0
B     8        0x0400000000004001  1377201679.672783  1377201680.147200  0.474417  1           3        eth:ipv4:tcp  4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800              212.227.15.166  de       "1&1 IONOS SE"     110      192.168.0.4     07       "Private network"  26284    6        0x00             0x024e   0x0000                                      1      0                                               0                                                                             4        "POP server ready H mimap8 0MHXFQ-1VDgSF1308-003NYq";"1 argument required";"Capability list follows";"authentication failed"
A     10       0x0400000000004000  1377201700.505011  1377201701.042241  0.537230  1           3        eth:ipv4:tcp  c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800              192.168.0.4     07       "Private network"  26308    212.227.15.166  de       "1&1 IONOS SE"     110      6        0x00             0x0002   0x0086  AUTH;CAPA;QUIT                             0                                               1         "AGRpZ2l0YWxpbnZlc3RpZ2F0b3JAbmV0d29ya3NpbXMuY29tAG5hcGllcjEyMw=="  0
B     10       0x0400000000004001  1377201700.559388  1377201701.091336  0.531948  1           3        eth:ipv4:tcp  4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800              212.227.15.166  de       "1&1 IONOS SE"     110      192.168.0.4     07       "Private network"  26308    6        0x00             0x024e   0x0000                                      1      0                                               0                                                                             5        "POP server ready H mimap13 0MW5rZ-1VayeZ2jFp-00XVZd";"1 argument required";"Capability list follows";"mailbox \"digitalinvestigator@networksims.com\" has 3 messages (191";"POP server signing off"
A     7        0x0400000000004000  1377201663.814560  1377201663.978066  0.163506  1           3        eth:ipv4:tcp  c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800              192.168.0.4     07       "Private network"  26272    212.227.15.166  de       "1&1 IONOS SE"     110      6        0x02             0x0002   0x0084  CAPA;QUIT                                  0                                               0                                                                             0
B     7        0x0400000000004001  1377201663.880379  1377201664.026584  0.146205  1           3        eth:ipv4:tcp  4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800              212.227.15.166  de       "1&1 IONOS SE"     110      192.168.0.4     07       "Private network"  26272    6        0x02             0x0006   0x0000                                             0                                               0                                                                             3        "POP server ready H mimap4 0MHoUr-1VDxRD3Ui5-003eq2";"Capability list follows";"POP server signing off"
A     9        0x0400000000004000  1377201698.254021  1377201698.460579  0.206558  1           3        eth:ipv4:tcp  c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800              192.168.0.4     07       "Private network"  26304    212.227.15.166  de       "1&1 IONOS SE"     110      6        0x02             0x0002   0x0084  CAPA;QUIT                                  0                                               0                                                                             0
B     9        0x0400000000004001  1377201698.302143  1377201698.507279  0.205136  1           3        eth:ipv4:tcp  4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800              212.227.15.166  de       "1&1 IONOS SE"     110      192.168.0.4     07       "Private network"  26304    6        0x02             0x0006   0x0000                                             0                                               0                                                                             3        "POP server ready H mimap9 0MK0or-1VBlin3ixZ-001RVN";"Capability list follows";"POP server signing off"
A     11       0x0400000000004000  1377201783.749577  1377201784.963062  1.213485  1           3        eth:ipv4:tcp  c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800              192.168.0.4     07       "Private network"  26383    212.227.15.166  de       "1&1 IONOS SE"     110      6        0x00             0x0022   0x2596  AUTH;CAPA;STAT;LIST;UIDL;RETR;QUIT         0                                               1         "AGRpZ2l0YWxpbnZlc3RpZ2F0b3JAbmV0d29ya3NpbXMuY29tAG5hcGllcjEyMw=="  3        "1";"2";"3"
B     11       0x0400000000004001  1377201783.798292  1377201785.011707  1.213415  1           3        eth:ipv4:tcp  4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800              212.227.15.166  de       "1&1 IONOS SE"     110      192.168.0.4     07       "Private network"  26383    6        0x00             0x00ce   0x0000                                      1;3    1          "noreply@bounce.unitedinternet.com"  0                                                                             5        "POP server ready H mimap15 0LfD5x-1VsVU4327M-00pHSn";"1 argument required";"Capability list follows";"mailbox \"digitalinvestigator@networksims.com\" has 3 messages (191";"3 19191"

The AUTH PLAIN method used in this pcap transmits the credentials base64-encoded, so decode the popPw values with the base64 command.

$ echo "AGRpZ2l0YWxpbnZlc3RpZ2F0b3JAbmV0d29ya3NpbXMuY29tAG5hcGllcg==" | base64 -d
digitalinvestigator@networksims.comnapier
$ echo "AGRpZ2l0YWxpbnZlc3RpZ2F0b3JAbmV0d29ya3NpbXMuY29tAG5hcGllcjEyMw==" | base64 -d
digitalinvestigator@networksims.comnapier123
$
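The `base64 -d` output above hides the two NUL bytes that SASL PLAIN uses as field separators, which is why mailbox name and password appear glued together. The following added example (my own code, not part of this tutorial or of Tranalyzer) splits a popPw value into its RFC 4616 fields and produces a report-safe summary that keeps the account name but not the secret; the sample value is the popPw of flow 8 A above.

```python
import base64
from typing import Dict, Optional

# popPw value of flow 8 A in the flow file above (taken from the page, not constructed).
SAMPLE_POPPW = "AGRpZ2l0YWxpbnZlc3RpZ2F0b3JAbmV0d29ya3NpbXMuY29tAG5hcGllcg=="


def decode_sasl_plain(b64: str) -> Optional[Dict[str, str]]:
    """Split a base64 SASL PLAIN initial response into its three fields.

    RFC 4616 layout: [authzid] NUL authcid NUL passwd. Returns None when the
    value is not valid base64 (e.g. truncated by the popPw array limit) or
    does not contain exactly two NUL bytes.
    """
    try:
        raw = base64.b64decode(b64, validate=True)
        parts = raw.split(b"\x00")
        if len(parts) != 3:
            return None
        authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None
    return {"authzid": authzid, "authcid": authcid, "password": passwd}


def summarize_credential(b64: str) -> str:
    """One-liner for a report: account names and password length, never the password."""
    cred = decode_sasl_plain(b64)
    if cred is None:
        return "undecodable SASL PLAIN value"
    authzid = cred["authzid"] or "-"
    return (f"authzid={authzid} authcid={cred['authcid']} "
            f"password=<{len(cred['password'])} chars>")


if __name__ == "__main__":
    print(decode_sasl_plain(SAMPLE_POPPW))
    print(summarize_credential(SAMPLE_POPPW))
```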

In the packet file only the status is printed; all the rest can be seen in l7Content.

$ tcol pop3_packets.txt
%pktNo  flowInd  flowStat            time               pktIAT    flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP           srcIPCC  srcIPOrg         srcPort  dstIP           dstIPCC  dstIPOrg         dstPort  l4Proto  tcpStatesAFlags  popStat  l7Content
...
75      11       0x0400000000004001  1377201783.798292  0.000000  0.000000      3        eth:ipv4:tcp             4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800   212.227.15.166  de       1&1 IONOS SE     110      192.168.0.4     07       Private network  26383    6        0x00             0x0002
76      11       0x0400000000004000  1377201783.798402  0.048825  0.048825      3        eth:ipv4:tcp             c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800   192.168.0.4     07       Private network  26383    212.227.15.166  de       1&1 IONOS SE     110      6        0x00             0x0002
77      11       0x0400000000004001  1377201783.850368  0.052076  0.052076      3        eth:ipv4:tcp             4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800   212.227.15.166  de       1&1 IONOS SE     110      192.168.0.4     07       Private network  26383    6        0x00             0x0006   +OK POP server ready H mimap15 0LfD5x-1VsVU4327M-00pHSn\r\n
78      11       0x0400000000004000  1377201783.883686  0.085284  0.134109      3        eth:ipv4:tcp             c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800   192.168.0.4     07       Private network  26383    212.227.15.166  de       1&1 IONOS SE     110      6        0x00             0x0002   AUTH\r\n
79      11       0x0400000000004001  1377201783.930170  0.079802  0.131878      3        eth:ipv4:tcp             4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800   212.227.15.166  de       1&1 IONOS SE     110      192.168.0.4     07       Private network  26383    6        0x00             0x0006
80      11       0x0400000000004001  1377201783.931322  0.001152  0.133030      3        eth:ipv4:tcp             4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800   212.227.15.166  de       1&1 IONOS SE     110      192.168.0.4     07       Private network  26383    6        0x00             0x000e   -ERR 1 argument required\r\n
81      11       0x0400000000004000  1377201783.980510  0.096824  0.230933      3        eth:ipv4:tcp             c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800   192.168.0.4     07       Private network  26383    212.227.15.166  de       1&1 IONOS SE     110      6        0x00             0x0002   CAPA\r\n
82      11       0x0400000000004001  1377201784.031062  0.099740  0.232770      3        eth:ipv4:tcp             4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800   212.227.15.166  de       1&1 IONOS SE     110      192.168.0.4     07       Private network  26383    6        0x00             0x000e   +OK Capability list follows\r\nTOP\r\nUSER\r\nUIDL\r\nSTLS\r\nSASL PLAIN\r\nIMPLEMENTATION trinity\r\n.\r\n
83      11       0x0400000000004000  1377201784.075526  0.095016  0.325949      3        eth:ipv4:tcp             c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800   192.168.0.4     07       Private network  26383    212.227.15.166  de       1&1 IONOS SE     110      6        0x00             0x0102   AUTH PLAIN\r\n
84      11       0x0400000000004001  1377201784.123508  0.092446  0.325216      3        eth:ipv4:tcp             4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800   212.227.15.166  de       1&1 IONOS SE     110      192.168.0.4     07       Private network  26383    6        0x00             0x004e   + \r\n
85      11       0x0400000000004000  1377201784.172369  0.096843  0.422792      3        eth:ipv4:tcp             c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800   192.168.0.4     07       Private network  26383    212.227.15.166  de       1&1 IONOS SE     110      6        0x00             0x0002   AGRpZ2l0YWxpbnZlc3RpZ2F0b3JAbmV0d29ya3NpbXMuY29tAG5hcGllcjEyMw==\r\n
86      11       0x0400000000004001  1377201784.235051  0.111543  0.436759      3        eth:ipv4:tcp             4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800   212.227.15.166  de       1&1 IONOS SE     110      192.168.0.4     07       Private network  26383    6        0x00             0x024e   +OK mailbox "digitalinvestigator@networksims.com" has 3 messages (19191 octets) H mimap15\r\n
87      11       0x0400000000004000  1377201784.269186  0.096817  0.519609      3        eth:ipv4:tcp             c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800   192.168.0.4     07       Private network  26383    212.227.15.166  de       1&1 IONOS SE     110      6        0x00             0x0002   STAT\r\n
88      11       0x0400000000004001  1377201784.317468  0.082417  0.519176      3        eth:ipv4:tcp             4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800   212.227.15.166  de       1&1 IONOS SE     110      192.168.0.4     07       Private network  26383    6        0x00             0x024e   +OK 3 19191\r\n
89      11       0x0400000000004000  1377201784.365146  0.095960  0.615569      3        eth:ipv4:tcp             c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800   192.168.0.4     07       Private network  26383    212.227.15.166  de       1&1 IONOS SE     110      6        0x00             0x0002   LIST\r\n
90      11       0x0400000000004001  1377201784.412429  0.094961  0.614137      3        eth:ipv4:tcp             4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800   212.227.15.166  de       1&1 IONOS SE     110      192.168.0.4     07       Private network  26383    6        0x00             0x02ce   +OK\r\n1 5565\r\n2 8412\r\n3 5214\r\n.\r\n
91      11       0x0400000000004000  1377201784.462146  0.097000  0.712569      3        eth:ipv4:tcp             c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800   192.168.0.4     07       Private network  26383    212.227.15.166  de       1&1 IONOS SE     110      6        0x00             0x0002   UIDL\r\n
92      11       0x0400000000004001  1377201784.508445  0.096016  0.710153      3        eth:ipv4:tcp             4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800   212.227.15.166  de       1&1 IONOS SE     110      192.168.0.4     07       Private network  26383    6        0x00             0x02ce   +OK\r\n1 0M8Oog-1VyW6I2B74-00vNGA\r\n2 0LalaO-1VwtZq3DAW-00kuzg\r\n3 0MLPgA-1VC2Ru34ja-000jOl\r\n.\r\n
93      11       0x0400000000004000  1377201784.557389  0.095243  0.807812      3        eth:ipv4:tcp             c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800   192.168.0.4     07       Private network  26383    212.227.15.166  de       1&1 IONOS SE     110      6        0x00             0x0022   RETR 1\r\n
94      11       0x0400000000004001  1377201784.606405  0.097960  0.808113      3        eth:ipv4:tcp             4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800   212.227.15.166  de       1&1 IONOS SE     110      192.168.0.4     07       Private network  26383    6        0x00             0x02ce   +OK\r\n
95      11       0x0400000000004001  1377201784.608357  0.001952  0.810065      3        eth:ipv4:tcp             4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800   212.227.15.166  de       1&1 IONOS SE     110      192.168.0.4     07       Private network  26383    6        0x00             0x00ce   Return-Path: <noreply@bounce.unitedinternet.com>\r\nDelivery-Date: Thu, 22 Aug 2013 21:14:44 +0200\r\nReceived: from mbulk.1and1.com (mbulk.1and1.com [212.227.126.222])\r\n\tby mx.kundenserver.de (node=mxeu0) with ESMTP (Nemesis)\r\n\tid 0M8Oog-1VyW6I2B74-00vNGA for digitalinvestigator@networksims.com; Thu, 22 Aug 2013 21:14:44 +0200\r\nDKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=1and1.co.uk;\r\n\ts=global1; t=1377198884; i=support@1and1.co.uk; bh=wgZdEaS8CGMFeJet\r\n\t6YN26Li8CZo8Y6B9rW5ZPOvk5Ks=; h=MIME-Version:From:Subject:To:\r\n\t Content-Type:Message-Id:Date; b=jEWHqJ559xXUf/1yZeCcy/IQbHKGJbRqaX\r\n\t3jP8iB+k2130Uthz5RbaLdXxDNrLx1H8RR5NoeiG2K060HWVwHywK6CgHLe5CTDIpDo\r\n\tDhX1YNJOGUTMW/V2H03Loy09kWzYPObADON/bWHJcnucUa46N1IssACeTHIiNZpjz58\r\n\tVaA=\r\nReceived: from omsmail (streamserve3.mt.einsundeins.de [172.19.7.103])\r\n\tby mbulk.1and1.com (node=mbulk2) with ESMTP (Nemesis)\r\n\tid 0M251y-1W5Nip0Pgx-00tHOr; Thu, 22 Aug 2013 21:14:44 +0200\r\nMIME-Version: 1.0\r\nFrom: 1&1 Internet Ltd. <support@1and1.co.uk>\r\nSubject: A message from 1&1 Internet\r\nTo: digitalinvestigator@networksims.com\r\nX-Message-ID: 90256101725241684#3\r\nContent-Type: multipart/alternative; boundary="multipart_alternative.878382066"\r\nMessage-Id: <0M251y-1W5Nip0Pgx-00tHOr@mbulk.1and1.com>\r\nDate: Thu, 22 Aug 2013 21:14:44 +0200\r\nX-Provags-ID: V02:K0:p2/TRoKqwwD816cbn/YD4v8DlYZz+czD/ffRyasdUlZ\r\n 2qCehsMVLorPcSPk+AVmQ6sGC56UuMGwRiEZGsYsWg1kyWcKRn\r\n p3MADLg5bUcPjtSzcNfcyNCJys50lVE90moNktM5MhlCTs
96      11       0x0400000000004000  1377201784.608415  0.051026  0.858838      3        eth:ipv4:tcp             c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800   192.168.0.4     07       Private network  26383    212.227.15.166  de       1&1 IONOS SE     110      6        0x00             0x0022
97      11       0x0400000000004001  1377201784.611546  0.003189  0.813254      3        eth:ipv4:tcp             4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800   212.227.15.166  de       1&1 IONOS SE     110      192.168.0.4     07       Private network  26383    6        0x00             0x00ce   kY5D\r\n Z0e9QxdXccdasz6BRIuhVkOhc9Jpu+IwQGfragWrlDFsQjDVCv\r\n B1IqXL/112MUShMwnS1BbQLDhj2i5qNVli0nKr5jnhpmsVNOS3\r\n FOVAjswsscmojNg9/d9aM1pHVHxH2I3ALXvsxNtKU1O/pLiO7a\r\n /x2TvFTVXp78T7qag/MsTco0NM/Ec6VF7pDZIz2b9M5H7BK4g=\r\n =\r\nEnvelope-To: digitalinvestigator@networksims.com\r\n\r\n--multipart_alternative.878382066\r\nContent-Type: text/plain; charset=utf-8\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\nHello and welcome to your new e-mail account!\r\n\r\nThank you for using 1&1 Internet e-mail services for your e-mail account.=\r\n=20\r\nWe'd like to take this opportunity to tell you about a feature that is=20\r\nincluded in 1&1 e-mail services.=20\r\n\r\nWebMail 2.0\r\n-----------\r\nWhich e-mail client are you using? Is it as flexible and easy to use as=20\r\n1&1 WebMail?\r\n\r\nTry WebMail today. You can reach your e-mail account from any browser=20\r\nand without installing any software.=20\r\n\r\n- Access to your e-mail from any browser. Log in to your account at\r\n  https://email.1and1.co.uk\r\n- WebMail is an integral part of 1&1 e-mail services. There are no=20\r\n  additional fees for using WebMail and there is no software to set up.\r\n- Keep track of your appointments with your calendar, auto-responder and=20\r\n  password management directly accessible for each mailbox.=20\r\n- Professional and versatile layout which we've based on MailXchange,=20\r\n  a communication and collaboration solution for businesses.\r\n =20\r\nNo extra set up needed. You can start using WebMail immedia
98      11       0x0400000000004001  1377201784.611613  0.000067  0.813321      3        eth:ipv4:tcp             4c:17:eb:64:16:49  c8:f7:33:4b:82:37  0x0800   212.227.15.166  de       1&1 IONOS SE     110      192.168.0.4     07       Private network  26383    6        0x00             0x00ce   tely!\r\n\r\nLog in to your account using your e-mail address and your password at:\r\nhttps://webmail.1and1.co.uk=20\r\n\r\nFor help using WebMail please visit our FAQ:\r\nhttp://faq.1and1.co.uk/search/go.php?t=3Dn49907=20\r\n\r\nEnjoy the flexibility of using 1&1 WebMail as either your primary e-mail=20\r\naccount or in addition to your local e-mail client.=20\r\n\r\nBest regards,\r\n\r\nRegistered at Cardiff, Company number 3953678  - VAT No GB 752539027\r\nAquasulis House, 10-14 Bath Road, Slough, Berkshire, SL1 3SA, United Kingdo=\r\nm\r\n\r\n--multipart_alternative.878382066\r\nContent-Type: text/html; charset=utf-8\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\n<html>\r\n<body>\r\nHello and welcome to your new e-mail account!\r\n<br/>\r\n<br/>\r\nThank you for using 1&amp;1 Internet e-mail services for=20\r\nyour e-mail account. We'd like to take this opportunity\r\nto tell you about a feature that is included in 1&amp;1=20\r\ne-mail services.=20\r\n<br/>\r\n<br/>\r\nWebMail 2.0\r\n<br/>-----------<br/>\r\nWhich e-mail client are you using?\r\nIs it as flexible and easy to use as 1&amp;1 WebMail?=20\r\n<br/>\r\n<br/>\r\nTry WebMail today. You can reach your e-mail account from=20\r\nany browser and without installing any software.=20\r\n<br/>\r\n<br/>\r\n<ul>\r\n<li>Access to your e-mail from any browser. Log in to your account at\r\n<a href=3D"https://email.1and1.co.uk">https://email.1and1.co.uk</a></li>\r\n<li>WebMail is an integral part of 1&amp;1 e-mail services. There are no=20\r\nadditional fees for using W
99      11       0x0400000000004000  1377201784.611650  0.003235  0.862073      3        eth:ipv4:tcp             c8:f7:33:4b:82:37  4c:17:eb:64:16:49  0x0800   192.168.0.4     07       Private network  26383    212.227.15.166  de       1&1 IONOS SE     110      6        0x00             0x0022
...

So you could read the emails in the packet file. To facilitate the extraction of the email content, the data carving mode stores all emails into a file.
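To show what such carving has to handle, here is an added example (my own code, not Tranalyzer's popDecode implementation) that reassembles RETR content from a sequence of (direction, l7Content) pairs like the packet file above: it tracks the last client command to know which +OK opens a multi-line reply, joins server segments that end mid-line (packets 97/98), undoes the dot byte-stuffing of RFC 1939 and stops at the ".\r\n" terminator. The packet sequence is constructed in the style of flow 11, not real capture data.

```python
from typing import Iterable, List, Optional, Tuple

# Commands whose +OK reply is always multi-line (RFC 1939); LIST and UIDL are
# multi-line only when issued without a message-number argument.
ALWAYS_MULTILINE = {"RETR", "TOP", "CAPA"}
CARVED_COMMANDS = {"RETR", "TOP"}  # only these replies carry message content


def carve_pop3(packets: Iterable[Tuple[str, bytes]]) -> List[Tuple[Optional[str], bytes]]:
    """Reassemble message content from (direction, l7Content) tuples.

    direction "A" is client -> server, "B" is server -> client, like the %dir
    column of the flow file. Server payloads are concatenated before being split
    into lines because one reply may span several TCP segments. Returns a list
    of (message number requested, dot-unstuffed message bytes).
    """
    messages: List[Tuple[Optional[str], bytes]] = []
    last_cmd: Optional[str] = None
    last_arg: Optional[str] = None
    expect_multiline = False  # the next +OK opens a multi-line reply
    in_multiline = False      # currently inside a multi-line reply
    carving = False           # ... and that reply is RETR/TOP content
    body = bytearray()
    pending = b""             # unterminated server line carried over

    for direction, payload in packets:
        if not payload:       # pure ACKs have no l7Content (packet 96 above)
            continue
        if direction == "A":
            words = payload.strip().split()
            if not words:
                continue
            last_cmd = words[0].decode("ascii", "replace").upper()
            last_arg = words[1].decode("ascii", "replace") if len(words) > 1 else None
            expect_multiline = last_cmd in ALWAYS_MULTILINE or (
                last_cmd in {"LIST", "UIDL"} and last_arg is None
            )
            continue

        pending += payload
        while True:
            end = pending.find(b"\r\n")
            if end < 0:
                break         # wait for the rest of this line
            line, pending = pending[:end], pending[end + 2:]
            if in_multiline:
                if line == b".":                # end of the multi-line reply
                    in_multiline = False
                    if carving:
                        messages.append((last_arg, bytes(body)))
                    carving = False
                    body = bytearray()
                elif carving:
                    if line.startswith(b"."):   # undo byte-stuffing
                        line = line[1:]
                    body += line + b"\r\n"
            elif line.startswith(b"+OK") and expect_multiline:
                in_multiline = True
                carving = last_cmd in CARVED_COMMANDS
                expect_multiline = False
            else:                               # -ERR or single-line +OK
                expect_multiline = False
    return messages


# Constructed sample in the style of the packet file above (not real capture data).
SAMPLE_PACKETS = [
    ("B", b"+OK POP server ready H mimap15\r\n"),
    ("A", b"STAT\r\n"),
    ("B", b"+OK 1 5565\r\n"),
    ("A", b"LIST\r\n"),
    ("B", b"+OK\r\n1 5565\r\n.\r\n"),            # multi-line, but not content
    ("A", b"RETR 1\r\n"),
    ("B", b"+OK\r\n"),
    ("B", b"Return-Path: <noreply@bounce.unitedinternet.com>\r\n"
          b"Subject: A message from 1&1 Internet\r\n\r\n"
          b"Hello and welcome to your new e-mail acc"),  # segment ends mid-line
    ("A", b""),                                  # pure ACK
    ("B", b"ount!\r\n..line starting with a dot\r\n.\r\n"),
    ("A", b"RETR 2\r\n"),
    ("B", b"-ERR no such message\r\n"),
    ("A", b"QUIT\r\n"),
    ("B", b"+OK POP server signing off\r\n"),
]

if __name__ == "__main__":
    for num, msg in carve_pop3(SAMPLE_PACKETS):
        print(f"message {num}: {len(msg)} bytes")
        print(msg.decode())
```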

Data carving with popDecode

To enable the Data Carving mode, POP_SAVE has to be switched on. Use t2conf and t2build to reconfigure and recompile popDecode, then rerun t2 on the pcap.

$ t2conf popDecode -D POP_SAVE=1 && t2build popDecode
...
$ t2 -r ~/data/pop3.pcap -w ~/results
...
--------------------------------------------------------------------------------
tcpStates: Aggregated tcpStatesAFlags=0x43
popDecode: Aggregated popStat=0x02fe
popDecode: Number of POP packets: 67 [53.60%]
popDecode: Number of files extracted: 1
--------------------------------------------------------------------------------
...
$

The status confirms that files were successfully extracted (here one file).

$ tawk -V popStat=0x02fe
The popStat column with value 0x02fe is to be interpreted as follows:

   bit | popStat | Description
   =============================================================================
     1 | 0x0002    | POP3 port found
     2 | 0x0004    | Response +OK
     3 | 0x0008    | Response -ERR
     4 | 0x0010    | Data storage exists
     5 | 0x0020    | Data storage in progress
     6 | 0x0040    | Response not valid or data
     7 | 0x0080    | Array overflow
     9 | 0x0200    | Return path pending

Now move to POP_F_PATH (by default /tmp/POPFILES/) and look into the file; its name is built from the flowInd and the flow direction (B, the reverse flow).

$ cd /tmp/POPFILES/
$ ls
_11_B
$ cat _11_B
Return-Path: <noreply@bounce.unitedinternet.com>
Delivery-Date: Thu, 22 Aug 2013 21:14:44 +0200
Received: from mbulk.1and1.com (mbulk.1and1.com [212.227.126.222])
	by mx.kundenserver.de (node=mxeu0) with ESMTP (Nemesis)
	id 0M8Oog-1VyW6I2B74-00vNGA for digitalinvestigator@networksims.com; Thu, 22 Aug 2013 21:14:44 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=1and1.co.uk;
	s=global1; t=1377198884; i=support@1and1.co.uk; bh=wgZdEaS8CGMFeJet
	6YN26Li8CZo8Y6B9rW5ZPOvk5Ks=; h=MIME-Version:From:Subject:To:
	 Content-Type:Message-Id:Date; b=jEWHqJ559xXUf/1yZeCcy/IQbHKGJbRqaX
	3jP8iB+k2130Uthz5RbaLdXxDNrLx1H8RR5NoeiG2K060HWVwHywK6CgHLe5CTDIpDo
	DhX1YNJOGUTMW/V2H03Loy09kWzYPObADON/bWHJcnucUa46N1IssACeTHIiNZpjz58
	VaA=
Received: from omsmail (streamserve3.mt.einsundeins.de [172.19.7.103])
	by mbulk.1and1.com (node=mbulk2) with ESMTP (Nemesis)
	id 0M251y-1W5Nip0Pgx-00tHOr; Thu, 22 Aug 2013 21:14:44 +0200
MIME-Version: 1.0
From: 1&1 Internet Ltd. <support@1and1.co.uk>
Subject: A message from 1&1 Internet
To: digitalinvestigator@networksims.com
X-Message-ID: 90256101725241684#3
Content-Type: multipart/alternative; boundary="multipart_alternative.878382066"
Message-Id: <0M251y-1W5Nip0Pgx-00tHOr@mbulk.1and1.com>
Date: Thu, 22 Aug 2013 21:14:44 +0200
X-Provags-ID: V02:K0:p2/TRoKqwwD816cbn/YD4v8DlYZz+czD/ffRyasdUlZ
 2qCehsMVLorPcSPk+AVmQ6sGC56UuMGwRiEZGsYsWg1kyWcKRn
 p3MADLg5bUcPjtSzcNfcyNCJys50lVE90moNktM5MhlCTskY5D
 Z0e9QxdXccdasz6BRIuhVkOhc9Jpu+IwQGfragWrlDFsQjDVCv
 B1IqXL/112MUShMwnS1BbQLDhj2i5qNVli0nKr5jnhpmsVNOS3
 FOVAjswsscmojNg9/d9aM1pHVHxH2I3ALXvsxNtKU1O/pLiO7a
 /x2TvFTVXp78T7qag/MsTco0NM/Ec6VF7pDZIz2b9M5H7BK4g=
 =
Envelope-To: digitalinvestigator@networksims.com

--multipart_alternative.878382066
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello and welcome to your new e-mail account!
...

If the pcap contains user/password (USER/PASS) authentication, the user name is readily available, so that each email can be stored in a separate file. Unfortunately I have no such pcap available. Try your own.

And don’t forget to reset the plugin configuration for the next tutorial.

$ t2conf popDecode --reset && t2build popDecode
...
$

Have fun analyzing.