GCFA Question #67: Real Exam Question with Answer & Explanation

The correct answer is C. 216.168.54.25. In email header forensics, the originating sender's IP address is identified by reading the bottom-most 'Received: from' header, which represents the first hop added by the receiving mail server closest to the sender.

Question

You work as a Network Security Analyzer. You got a suspicious email while working on a forensic project. Now, you want to know the IP address of the sender so that you can analyze various information such as the actual location, domain information, operating system being used, contact information, etc. of the email sender with the help of various tools and resources. You also want to check whether this email is fake or real. You know that analysis of email headers is a good starting point in such cases. The email header of the suspicious email is given below.

What is the IP address of the sender of this email?

Exhibit

GCFA question #67 exhibit

Options

  • A. 172.16.10.90
  • B. 209.191.91.180
  • C. 216.168.54.25
  • D. 141.1.1.1

Explanation

In email header forensics, the originating sender's IP address is identified by reading the bottom-most 'Received: from' header, which represents the first hop added by the receiving mail server closest to the sender.

Common mistakes.

  • A. 172.16.10.90 is a private RFC 1918 address that would represent an internal network host rather than an externally routable sender IP visible in an internet email header.
  • B. 209.191.91.180 is likely the IP of an intermediate relay server or mail infrastructure node added to the header at a later hop, not the originating sender.
  • D. 141.1.1.1 appears in the header as another routing or infrastructure IP added during transit, not as the original sending host's address.

Concept tested. Email header forensics and sender IP tracing

Reference. https://www.rfc-editor.org/rfc/rfc5321#section-4.4
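The bottom-up reading described in the explanation can be scripted. The following is an added example, not part of the original question or exhibit: it parses a constructed set of headers (RFC 5737 documentation addresses plus one RFC 1918 internal hop), lists the hops oldest first, and flags private addresses. The function names `received_hops` and `originating_ip` are assumptions made for this illustration.

```python
import email
import ipaddress
import re

# Constructed sample headers (not the exam exhibit). Public addresses come from
# the RFC 5737 documentation ranges; 10.0.0.5 is an RFC 1918 internal hop.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [10.0.0.5])
\tby mailstore.recipient.example with ESMTP; Tue, 02 Jan 2024 10:00:05 +0000
Received: from relay.provider.example (relay.provider.example [198.51.100.7])
\tby mx.recipient.example with ESMTP; Tue, 02 Jan 2024 10:00:03 +0000
Received: from workstation (unknown [192.0.2.44])
\tby relay.provider.example with ESMTP; Tue, 02 Jan 2024 10:00:01 +0000
From: sender@provider.example
To: analyst@recipient.example
Subject: constructed sample

body
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def received_hops(raw):
    """Return one dict per Received header, oldest (bottom-most) hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())            # unfold continuation lines
        from_part, _, by_part = flat.partition(" by ")
        ip = None
        match = BRACKETED_IP.search(from_part)
        if match:
            try:
                ip = ipaddress.ip_address(match.group(1))
            except ValueError:
                ip = None                         # malformed literal, keep the hop
        hops.append({
            "from_ip": str(ip) if ip is not None else None,
            "rfc1918": ip is not None and any(ip in net for net in RFC1918),
            "by": by_part.split()[0] if by_part else None,
        })
    return hops


def originating_ip(raw):
    """IP recorded in the bottom-most Received header, or None if absent."""
    hops = received_hops(raw)
    return hops[0]["from_ip"] if hops else None
```

Each Received line is only as trustworthy as the server that wrote it: lines below the first server you control are supplied by the sending side and can be forged, so compare each hop's `by` host with the `from` host of the line above it before relying on the bottom-most address.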
