Spamming Forensic Analysis Using Network Forensics Development Life Cycle Method

Abstract — E-mail is electronic mail used to send files, pictures, and other content easily and quickly. However, as time goes by, e-mail is widely misused, causing inconvenience to recipients. One form of misuse is spam e-mail, sent to many people without prior permission from the intended recipient. Hackers can forge e-mail headers anonymously for malicious purposes. The research objective is to simulate sending spam e-mails to one victim, 40 spam e-mails in total. The research follows the flow of the Network Forensics Development Life Cycle (NFDLC) method with the stages of initiation, acquisition, implementation, operation, and disposition. The sending of e-mail is simulated using the Easy E-mail Spammer tool, and the e-mail is examined using the Wireshark tool. The test results show that all 40 e-mails were received in the victim's inbox, and the test was successfully carried out by obtaining results based on predetermined parameters. The parameters found are the IP address of the sender or spammer, 72.125.68.109, and the IP address of the victim, 192.168.1.12.


I. INTRODUCTION
Sending letters was a conventional way used by people in earlier times to communicate [1]. In contrast, communication in today's era is easier and faster even over long distances, and one of the things that can be done quickly and efficiently is electronic mail (e-mail). E-mail is a facility for sending digital letters that plays a crucial role for agencies and companies in communicating [2]. E-mail use is familiar all over the world through internet technology [3]. Many people can widely use e-mail services to exchange information and collaborate with individuals, companies, and governments [4]. Thus, in today's era, every individual has an e-mail address.
E-mail itself has a positive side. A widespread negative side is that cybercriminals can also use e-mail as a tool to commit crimes. Because the data transmission process is quite complicated, the assurance of the data sent can be questioned. There can even be the possibility of e-mail forgery or attacks by hackers that can harm various parties [5]. This allows parties to misuse e-mail to obtain illegal information [6]. One crime involving e-mail is e-mail spamming, in which an unknown person sends messages in large numbers so that the server becomes overwhelmed. Spam e-mail usually contains unwanted content. Spam e-mail is also traditionally called bulk or junk e-mail [7]. One method commonly used to find digital evidence is network forensics. Network forensics is used to obtain evidence in the form of the e-mail addresses and IP addresses of spammers [8].
Previous research used as a reference for this research compared e-mail security across browsers, namely Mozilla Firefox, Google Chrome, and Microsoft Edge. The study results provide recommendations for security purposes so that e-mail providers can add several features for user security [9]. Another study related to e-mail spoofing attacks used the Digital Forensics Research Workshop (DFRWS) method and was able to distinguish between legitimate e-mails and e-mail spoofing [10]. Research on investigative approaches to tools, each of which has advantages and disadvantages to be matched to user needs, has also been carried out [11].
This study aims to analyze spam e-mails detected through network traffic. The research conducts simulations of e-mail spamming with the aim of finding forensic evidence. The evidence is found based on predetermined parameters. The parameters are the IP address used by the spammer, the IP address used by the victim, the time of sending the e-mail, and the type of protocol. Several topics from previous studies were used as the basis for the line of thought in design and development and their application, adapted to current needs and the latest relevant technological developments.
Digital forensics was an early term used as a synonym for computer forensics but has been expanded to include investigating all devices capable of storing digital data [12]. In addition to finding direct evidence of a crime, digital forensics can be used to attribute proof to a particular suspect, confirm statements, determine intentions, and identify sources [13]. In general, the components of digital forensics are the same as in other fields [14]. The components include humans, the tools and equipment used, and a series of rules to be managed and applied to achieve the final goal with the required quality and feasibility [15]. Digital forensics is a science and computer technology for analyzing and examining electronic and digital evidence in relation to crime, for example, corruption in e-mail [16]. Network forensics is the activity of capturing, recording, and analyzing events within the network. In theory, capturing information traffic over a network is quite simple, but it is relatively complex in practice [17]. It aims to reveal facts, measure the success of unauthorized activity such as damaging, interfering with, or infiltrating system components, and provide helpful information for recovering the related system from such harmful activities [18]. E-mail is a method for composing, sending, storing, and receiving messages through electronic communication systems. The term also covers systems based on the Simple Mail Transfer Protocol (SMTP) and Internet systems that allow organizations to send messages to one another [19]. An e-mail consists of two parts, namely the header and the body. The header carries the information needed for e-mail routing, the subject line, and timestamps, while the body carries the message or data to be conveyed to the recipient [3]. E-mail spam, according to Paul Graham, is defined as junk e-mail. Spam e-mail is usually intended to advertise products, so it is becoming increasingly rampant. The Cranor and LaMacchia survey found that 10% of e-mails received were spam [19].
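To make the header/body distinction above concrete, the following added example (written for this page, not code from the paper) parses a constructed message with Python's standard library and extracts the routing information, subject and timestamps that the header carries, walking the Received chain back to the originating relay. The message, the hostnames, and the documentation-range addresses are assumptions constructed for the example; the originating IP reuses the spammer address the paper reports.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr, parsedate_to_datetime

# CONSTRUCTED message for the example: documentation-range addresses and
# example domains; the originating IP reuses the value reported by the paper.
RAW_MESSAGE = b"""\
Received: from mail-gw.example.net ([203.0.113.5]) by mx.example.org with ESMTP; Mon, 01 Mar 2021 10:00:05 +0000
Received: from sender-pc ([72.125.68.109]) by mail-gw.example.net with SMTP; Mon, 01 Mar 2021 10:00:01 +0000
From: "Promo Shop" <promo@shop.example>
To: victim@example.org
Subject: Big discount today
Date: Mon, 01 Mar 2021 10:00:00 +0000
Message-ID: <constructed-0001@shop.example>

Body text: visit our shop.
"""

# bracketed IPv4 literal as relays write it in Received: lines
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(msg):
    """Return the Received chain oldest-first.

    Each relay prepends its own Received: line, so the header order is
    newest-first; reversing it gives the path the message actually took,
    and the first hop is the relay closest to the sender."""
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        text = " ".join(line.split())            # unfold continuation lines
        m_from = re.search(r"from (\S+)", text)
        m_ip = IP_RE.search(text)
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None
        hops.append({
            "from_host": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "time": parsedate_to_datetime(stamp).isoformat() if stamp else None,
        })
    return hops


def header_summary(raw):
    """Pull routing, subject and timestamp fields out of one raw message."""
    msg = message_from_bytes(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    hops = received_hops(msg)
    origin = hops[0] if hops else None
    path_text = " ".join(msg.get_all("Received", [])).lower()
    return {
        "from": from_addr,
        "from_domain": from_domain,
        "subject": msg.get("Subject"),
        "date": parsedate_to_datetime(msg["Date"]).isoformat(),
        "origin_ip": origin["ip"] if origin else None,
        "hops": hops,
        # The From: field is written by the sender and can be forged; the
        # Received: lines are written by relays. A From: domain that never
        # appears anywhere in the relay path deserves a closer look.
        "from_domain_in_path": bool(from_domain) and from_domain in path_text,
    }


if __name__ == "__main__":
    for key, value in header_summary(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

The Received chain is the header's routing record; the Date: and From: fields are supplied by the sender and are therefore the fields a forger controls, which is why the summary pairs them with the relay-stamped hop data rather than trusting them alone.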

II. RESEARCH METHOD
The research method used in this research is the Network Forensics Development Life Cycle (NFDLC), shown in Figure 1, which proceeds through sequential and structured stages: Initiation, Acquisition, Implementation, Operation/Maintenance, and Disposition. The analysis of this forensic e-mail follows the path of the NFDLC method, starting from the simulation used and continuing to testing to find forensic evidence that matches the parameters. If one step has not been completed, the next step cannot be started. This method helps develop the framework.

A. Initiation
In this phase, the main focus is the initial risk assessment, including determining which assets in the network require digital forensic protection, together with the acquisition phase model.

B. Acquisition
The acquisition process is the stage of finding evidence that supports the investigation. Tools are used to support studies and to ensure that the device or procedure for collecting forensic data on the system performs according to standards.

C. Implementation
Traditionally, this is the stage where the acquired or deployed tools are used in real time.
Calibration is recommended to verify the performance of the devices used to collect evidence and to document the network's performance. Baselines need to be set for network devices and then for system software.

D. Operation
The operation or maintenance phase concludes execution during the verification or analysis performed based on the audit. The resulting documentation is maintained as evidence that the network and forensic tools are functioning correctly and recording as required.

E. Disposition
Chain of custody will be put into this phase to preserve the potential evidence value residing in the system.

A. Initiation
This stage sets up the scenario for analyzing the detection of e-mail spamming. As in Figure 2, the case scenario aims to find and obtain evidence from incoming e-mails and to validate whether they are truly spam e-mails. The case scenario concerns online shop fraud sent via e-mail.
If the origin of the e-mail is not investigated, many people will be deceived by this scenario.
The scenario or design helps establish the flow that will be used to analyze evidence in the form of IP addresses and network protocols. The case scenario is shown in Figure 3.

Figure 2. E-MAIL SPAMMING ATTACK SIMULATION FLOW
Figure 2 shows the simulation for e-mail spamming. The forensic retrieval on e-mail is simulated using a laptop connected to the internet, through which the e-mail is accessed.
The simulation starts by using a laptop as the e-mail spammer with the e-mail account olshopsorong12@gmail.com, which sends 40 spam e-mails to Gmail using the Easy E-mail Spammer tool. Then an analysis of the attacked e-mail is carried out using the live forensics method, in which the device used must remain powered on. E-mail log data for the SMTP (Simple Mail Transfer Protocol) protocol are retrieved using the Wireshark tool. The data are taken by selecting the data packets recorded by Wireshark.

B. Acquisition
At this stage, acquisition is performed using Easy E-mail Spammer as the tool to simulate the sending of spam e-mails. The spammer sends 40 spam messages to the victim. The victim receives the e-mails at one time, because they are sent in bulk. The process of sending spam e-mails can be seen in Figure 3, which shows the e-mail spamming process on Gmail using Easy E-mail Spammer.

Figure 3. E-MAIL SPAMMING
Figure 4 shows the 40 incoming e-mails sent by olshopsorong12@gmail.com using the Easy E-mail Spammer tool. The figure shows that the spammer has sent the evidence in the form of e-mails. The implementation phase looks for IP addresses passing through network traffic, filtered on the victim's IP address, using Wireshark, as shown in Figure 7. The protocol used to find the IP address of the spammer is SMTP. All data that passes over the network is recorded and captured based on the filter process on the SMTP protocol. Next, the analysis process is carried out using Wireshark.
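As an added example (not part of the paper and not the authors' procedure), the script below does in Python what the Wireshark filtering step above does by hand: it decodes raw Ethernet/IPv4/TCP frames, keeps only SMTP traffic addressed to the victim's IP address, and reports the four parameters the study defines (spammer IP, victim IP, time of sending, protocol). The capture is constructed inside the script; the spammer and victim addresses reuse the values the paper reports, while the ports, timestamps, sender address and the unrelated noise frames are assumptions made for the example.

```python
import struct
from collections import Counter
from datetime import datetime, timezone
from ipaddress import IPv4Address

SMTP_PORTS = {25, 587}          # ports Wireshark dissects as SMTP by default
SPAMMER_IP = "72.125.68.109"    # value reported by the paper
VICTIM_IP = "192.168.1.12"      # value reported by the paper


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame for the constructed capture.
    Checksums are left at zero; parse_frame() does not verify them."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # MACs + EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      5 << 4, 0x18, 65535, 0, 0)          # 20-byte header, PSH|ACK
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP; return (src, dst, sport, dport, payload) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length
    if frame[23] != 6:                                    # not TCP
        return None
    src = str(IPv4Address(frame[26:30]))
    dst = str(IPv4Address(frame[30:34]))
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4             # honours TCP options
    return src, dst, sport, dport, frame[tcp_off + data_off:]


def smtp_evidence(capture, victim_ip):
    """Equivalent of the Wireshark display filter 'smtp && ip.dst == victim':
    keep SMTP commands addressed to the victim and record the parameters."""
    records = []
    for ts, frame in capture:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if dport not in SMTP_PORTS or dst != victim_ip:
            continue
        if payload.upper().startswith(b"MAIL FROM:"):    # one record per message
            sender = payload.split(b"<", 1)[-1].split(b">", 1)[0]
            records.append({
                "time": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
                "src_ip": src, "dst_ip": dst, "protocol": "SMTP",
                "mail_from": sender.decode("ascii", "replace"),
            })
    return records


def summarize(records):
    """Collapse the per-message records into the study's parameters."""
    if not records:
        return None
    return {
        "spammer_ip": Counter(r["src_ip"] for r in records).most_common(1)[0][0],
        "victim_ip": records[0]["dst_ip"],
        "protocol": records[0]["protocol"],
        "first_sent": records[0]["time"],
        "last_sent": records[-1]["time"],
        "message_count": len(records),
    }


def constructed_capture():
    """CONSTRUCTED capture: 40 SMTP MAIL FROM commands from the spammer to the
    victim, interleaved with unrelated traffic that the filter must discard."""
    base = 1_614_592_800.0   # arbitrary epoch seconds (2021-03-01T10:00:00Z)
    frames = []
    for i in range(40):
        payload = b"MAIL FROM:<shop.placeholder@example.com>\r\n"
        frames.append((base + 2 * i,
                       build_frame(SPAMMER_IP, VICTIM_IP, 40000 + i, 25, payload)))
    # noise: an HTTP request to the victim and SMTP traffic to another host
    frames.append((base + 1, build_frame("203.0.113.9", VICTIM_IP, 50001, 80,
                                         b"GET / HTTP/1.1\r\n\r\n")))
    frames.append((base + 3, build_frame(SPAMMER_IP, "192.168.1.20", 50002, 25,
                                         b"MAIL FROM:<x@example.com>\r\n")))
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    print(summarize(smtp_evidence(constructed_capture(), VICTIM_IP)))
```

Counting MAIL FROM commands rather than raw packets is what makes the message count line up with the 40 e-mails the study sent; counting every SMTP packet would overstate it, since one message spans several packets on the wire.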

E. Disposition
This stage is based on the results of the operations performed using Wireshark. The e-mail sent is spam, generated with Easy E-mail Spammer from olshopsorong12@gmail.com and sent to Ujic5238@gmail.com. Figure 8 shows the captured evidence of e-mail spamming in the form of source IP addresses and destination IP addresses. Table 1 presents the results of the research.

No. | Evidence | Data Type | Result
1. | | |

IV. CONCLUSION
E-mail is a system used to send and receive messages as files, images, audio, and other content. The NFDLC method was successfully implemented to find evidence. The sending of e-mail was simulated using the Easy E-mail Spammer tool, and the e-mail was examined using the Wireshark tool. The test results show that all 40 e-mails were received in the victim's inbox, and the test was successfully carried out by obtaining results based on predetermined parameters. The parameters found are the IP address of the sender or spammer, 72.125.68.109, and the IP address of the victim, 192.168.1.12.

Figure 4. SPAM E-MAIL RECEIVED BY THE VICTIM

Figure 5. RECEIVED E-MAIL FIELD DISPLAY