Name                        Modified     Size       Downloads / Week
UnMask Discs May 2013.tar   2013-06-01   234.2 MB
README.txt                  2013-06-01   10.4 kB
Disk3.iso                   2013-06-01   50.3 MB
Disk2.iso                   2013-06-01   184.0 MB
Totals: 4 Items                          468.5 MB   0
E-Crime Investigative Technologies
FSU ECIT.
UnMask 3.0 User Manual
Dr. Sudhir Aggarwal
E-Crime Investigative Technologies Laboratory (ECIT)
Department of Computer Science, Florida State University
Tallahassee, Florida 32306
May 28, 2013


The actual User Manual and Deployment Manual can be found in Disc2/UnMaskDeploymentInstructions-Folder. 
The system requires Ubuntu 10.10 Server (32 bit) to be installed before running Discs 2 and 3. Please download and install Ubuntu 10.10 LTS from http://releases.ubuntu.com/lucid/ .
The following is abstracted from the user manual.

This document gives a brief introduction on getting started using the UnMask System. The system is designed to upload phishing emails to a database where they are automatically analyzed and customized reports can be generated. UnMask was developed under a grant from the National Institute of Justice to ECIT. UnMask has substantial on-line help features and should mainly be self-explanatory. If you need any assistance please contact ECIT at the contacts at the end of this document.
Accessing the UnMask System:
Please use either Firefox or Safari as your browser to access Unmask. We do not support Internet Explorer and it may not work properly as it does not support some of the software libraries that we use. Click on this link or paste it into the address bar of your browser. You will initially be presented with a Security Violation message that indicates that UnMask's certificate is unknown and you will be given an option to Add an Exception. Please click Add an Exception and follow the steps indicated. This is actually not a security violation but is the browser's default behavior for a Self Signed Certificate which is used by UnMask. Please follow your standard practice for other sites.
Logging Portal
Note: It is advisable not to use the first Administrator account for direct use. We have deliberately omitted services like DBGUIv3 for the first Administrator. Please limit the Administrative account to other administrative work, such as creating new accounts or adding a web service. You can, however, create new Admin accounts using this account, and they will have access to DBGUIv3.
Logging in:
Login to the system using the username and password provided to you. On successful login, you will see a page with the Terms of Service and the main menu in the top right corner of the page as follows:
Main Menu
Submitting an Email:
UnMask organizes your submitted emails by cases. To submit an email click Submit Email and choose an existing case from the drop-down menu or create a new case using the New Case option. You can then use Email Upload to upload a phishing email (stored on your system in an .eml file format). You can also use the Copy-Paste option to cut and paste phishing emails in other formats. Detailed help is available by using Help at the main menu. Note that once you submit an email, you should use View Reports before submitting another email.
Note: There may be some emails that you cannot submit, often because of problems in the body of the email that cause the parser to crash; for such emails, try submitting only the header part of the email.
Email Submission (Submitting a File)
Email Submission(Copy and paste)
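One way to prepare a header-only copy of an email for the case described in the note above (an added example, not part of the UnMask distribution; the sample message and the function names are constructed for illustration):

```python
import re
import sys
from email import policy
from email.parser import BytesHeaderParser

# The header section ends at the first empty line; accept CRLF or bare LF.
_HEADER_END = re.compile(rb"\r?\n\r?\n")

# Constructed sample message (not a real phishing email).
SAMPLE = (
    b"Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
    b"\tby mx.example.org; Tue, 28 May 2013 10:00:00 -0400\r\n"
    b"Received: from [198.51.100.7] by mail.example.net;"
    b" Tue, 28 May 2013 09:59:58 -0400\r\n"
    b"From: \"Example Bank\" <alerts@example.com>\r\n"
    b"Subject: Verify your account\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><a href=\"http://login.example.test/\">Click</a>\x00\xff</html>\r\n"
)


def header_block(raw: bytes) -> bytes:
    """Return only the header section of a raw message, body removed."""
    m = _HEADER_END.search(raw)
    head = raw if m is None else raw[:m.start()]
    eol = b"\r\n" if b"\r\n" in head else b"\n"
    # Folded continuation lines stay intact; end with exactly one line ending.
    return head.rstrip(b"\r\n") + eol


def summarize(head: bytes) -> dict:
    """Parse the kept headers as a sanity check before submitting them."""
    msg = BytesHeaderParser(policy=policy.default).parsebytes(head)
    return {
        "subject": str(msg["Subject"]),
        "received_hops": len(msg.get_all("Received", [])),
    }


if __name__ == "__main__":
    # Usage: python eml_headers.py suspicious.eml > headers-only.eml
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    head = header_block(data)
    print(summarize(head), file=sys.stderr)
    sys.stdout.buffer.write(head)
```

The Received lines are kept in their original order, so the hostname and IP address reports can still be produced from the header-only submission.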

Submitting a Malware:
The portal for submitting malware is very similar to the one for submitting an email. The system assumes that an attachment belongs to a particular UnMask email. Therefore the user has to submit an email (under Submit Email) before submitting a corresponding attachment: first select a Case, then an email in that Case, and then locate the attachment for submission.
Please Note: We currently analyze only PDF format malware. Also, the size of the PDF should be less than 15 MB. The Malware web service was developed and maintained by Randy Flood, and he should be contacted in order to use these services.
Submit Malware
Viewing Reports:
To view reports on submitted emails, select View Reports at the main menu. On the left, you will see a drop-down with all your cases listed. On selecting a case, the box below will show all the emails under this case. Clicking on an email will show its time of submission and a list of reports available for view in a drop-down at the bottom left. By clicking on any of the report types, your selection with highlighted links will be shown in the top center of the page. You can now click on the highlighted links to have information related to this link appended to the white text area. For instance, on selecting View Report on Email from the drop-down you will see the link Click to View Email highlighted. Clicking on it will populate the white text area with the raw content of the email. The text area can be cleared at any time by clicking the Clear button below it.
View Report Portal
View Report(Case Selected) View Report(Email Selected, View Report expanded)

All reports involving Hostnames and IP Addresses have the following options highlighted: Clicking on any of these links will also append the corresponding result to the text area. You should experiment by clicking on these links.
To view the Malware Report, click on View Malware Report (in the View Report drop-down list). It will show the attachments in the right portion of the screen. As indicated in the figure to the right, select an attachment from the list.
If the Malware has been processed you should see your report, similar to the sample report below.
Sample Malware Report (Processed)
If the malware attachment has not been processed yet, you will get a message that the report is not ready and you should try again later.

In a similar fashion, you can see the report on Link Analysis if the “View Link Analysis Report” tab is selected from the View Report drop-down menu. The Link Analysis web service was developed by Shay Ellison, and he can be contacted in order to use this service. The code for Link Analysis can be found in Disc 3/UnMask_Code/Webservices/WebServices_Malware_link_Analysis/LinkSiftWS.
Sample Link Analysis Report (Processed)
In the report section, it is also possible to use the basic web services to find information in addition to the information highlighted in the header of the email.
Clicking on invokes these web services.
You will get the following interface. You can first select the Web Service you want to use as several locations may have these services deployed. (You can add a new web service as Administrator using Account Tools). After choosing a web service, you can choose among the four types of basic queries that have been implemented: Whois, Geoip, Traceroute, and Dig. The results will be returned in the white space textbox.

WebService Interface
Making an SQL Query:
UnMask allows you to query the database that contains information relating to submitted emails and associated information that is automatically gathered by UnMask. You can use SQL Query from the main menu and then type in any SELECT SQL query to view results from the database. To use the query feature, it is assumed that you are familiar with SQL. The following are some illustrative SQL queries you can make. You can simply copy the queries below into the query text area provided.
SqlQuery Interface
1. To see all information for the first 10 entries in the table which stores the dig results enter: select * from tbl_dig limit 10
2. To see only domain names & country information from the tbl_country table enter: select canonical_name, country from tbl_country limit 20
3. To see all websites (domains) with URLs in the body of the emails enter: select website_name from tbl_website where website_id in (select website_id from tbl_href)
4. To see all information related to whois results enter: select * from tbl_whois (Note: such queries typically have really large result sets. Adding a limit n to the end of the query limits the result set to the first n rows as in the first example.)
The results of your SQL query will appear in the white space textbox. You can clear the results or the query using the buttons provided. To view the database structures relevant to queries, click
. This will allow you to compose any select query possible. If you need to see the attribute fields of a table, you should first query the table of interest.
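The following added example (not part of the UnMask distribution) runs query 3 from the list above and a per-domain link count against a small constructed database, to show what the result sets look like. SQLite is used only as a stand-in, since this document does not name UnMask's database engine; the tables contain only the columns named in the queries above, and all rows are constructed.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in with only the columns named in the manual's queries."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tbl_website (website_id INTEGER PRIMARY KEY, website_name TEXT);
        CREATE TABLE tbl_href (website_id INTEGER);
        -- Constructed rows: three known domains, four links found in email bodies.
        INSERT INTO tbl_website VALUES
            (1, 'login.example.test'), (2, 'cdn.example.net'), (3, 'unused.example.org');
        INSERT INTO tbl_href VALUES (1), (1), (1), (2);
    """)
    return db


# Query 3 from the manual: each linked domain appears once, however many
# URLs point to it, because IN only tests membership.
LINKED_SITES = """
select website_name from tbl_website
where website_id in (select website_id from tbl_href)
"""

# Added variant: count the links per domain and show the most-linked first.
# The limit keeps the result set small, as the manual advises for large tables.
LINK_COUNTS = """
select w.website_name, count(*) as href_count
from tbl_website w
join tbl_href h on h.website_id = w.website_id
group by w.website_name
order by href_count desc, w.website_name
limit 20
"""


def run(db: sqlite3.Connection, sql: str) -> list:
    """Execute one SELECT statement and return all rows."""
    return db.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print(sorted(run(db, LINKED_SITES)))
    print(run(db, LINK_COUNTS))
```

Both select statements use only table and column names that appear in the illustrative queries, so they can be pasted into the UnMask query text area as they are.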
Using the Database GUI (DBGUIv3):
The design of the DBGUIv3 provides a graphical interface to the three main tables of the database, i.e. the Email Table, URI Table and Domain Table. With these tables as a starting point, it is possible to get substantial additional information. The initial tables are shown below:
DBGUIv3: Initial Three Tables
Any column that you are not interested in seeing can be closed by clicking next to the column name. Additionally, if only some of the rows are of interest, filtering can be done such as looking only for a specific domain name. The filtering condition can be typed into the white space field below the column name. Additionally the condition can be either the exact condition, Contains this condition, etc. as indicated in the figure to the right.
To make it easier, only a limited number of rows of the database table are displayed. The Prev and Next options can be used to get additional or previous rows. Other options in the Database GUI should be fairly self-explanatory. For example, by clicking on an entry in the “Related Data” column, you can get additional information about a particular row entry.

Please Note: In order to access the Database GUI you cannot be the first Administrator of the UnMask system but must have an account created by this administrator.
Changing your Password:
To change your password select Account Tools from the main menu.
Change Password Interface
Using Administrative Functions:
If you have a login with administrator rights, you will see the Administrative Tools option in the main menu, else this menu item will not appear. If you are an administrator you can Create New Users, Change Passwords or Disable Accounts for people in your group.
Administrative Interface
Adding Web Services (An Administrative Function):
You can also add Web Services by clicking on Add Web Service Location and typing in the required credentials.
WebServices Interface
Note that adding a Web Service is currently for deploying the basic web services at another location. A server must be configured and implemented at that location.
Source: README.txt, updated 2013-06-01