Determining that someone is not the author of an offensive email May 28 2007 07:45PM
Flavio Silva (flavioabs gmail com)
Hi all!

I am trying to help a defence lawier in this situation.

Someone sent an anonimous email to a lot of destinations. The message
(M) is offensive to a company (C) president (P). After 3 months, a
lawier company (L) specialized in Internet cases made C: 1st. to
request an analysis from a specialized security advice company (A). In
the message body they determined that M came from Hotmail, and from a
machine IP # (IPO). 2nd. in a justice request they
determined fom the communications company that IPO was a machine
attending an ADSL line of a residencial building (B).

So they requested to the justice to made an inspection in the B's
computers. The judge nominated an expert (E) to do the job. E was
helped by a technical advisor (T) from L. In fact, E did not know to
do the job. T told E all he had to do.

There were 12 apartments connected to that ADSL line. All them had
false IP numbers (198.162.???.???).

After 2 days they asked to the justice to inspec all the 12 apartments.

The expert searched all disks of the 12 apartments for some words that
were used in M. This operation took more than a month because some of
the people was traveling.

In the search they found only one disk with the words they were
searching. This disk was from a computer of a guy I call here as
Suspect (S).

S says that he also received M in his Hotmail account, and he copied
the content to files in his computer to read sometime after. So he
deleted M from his account. What E found were two Word files with the
complet content of M.

Analysing the metadata of the two files, E determined that file 1 had
only one minute of edition time, and file 2 had 16 minutes. Both files
were created by the time 16:20 -0300.

A made a confusing analysis of the message because they converted all
the time stamps to UTC time, Here is Brazil so they had to convert all
the time stamps to São Paulo time ( -03:00 ). But they didn't it.

So L made an analysis telling to the judge some ocurrences based on
19:20 -0300, but the message showed this time as 19:20 UTC. So the
real time is in fact 16:20 -0300.

The message was forwarded by four mail servers:
- Hotmail, timestamp 22:20 -0000
- MSN. timestamp 22:20 -0000
- a brazilian provider (BP), timestamp (16:20 -0300)
- a brazilian company (BC), timestamp (16:20 -0300)

In his analysis of the situation, E told to the judge what follows:
1) evidences proving that S sent the offensive message was not found.
2) S had the content of the offensive message in his computer.
3) the doc files were not created in the time the message was sent (in
his idea 19:20 -0300), and the files authors were third guys, but S
used the files of this guys to edit the message before he sent it.
4) Even without direct evidences that S created, and sented the
message, E said in his conclusion that "there was something near from
the 100% sure that S was the author of the message, and he also sent
it to all the destinations".

I already made an analysis to the defence attourney, and she already
communicated the judge. I want some help in this situation because the
prosecutor made an appeal disagreeing from my analysis.

The subjects I want help here is in these subjects.

1) IPO is not serving only B. I think it is very expensive to the
communications company to reserve a server to attend only 12 users. In
my analysis I told to the judge that IPO may serve a lot of places
different from B.

2) E did not find parcial files of M in S's computer, but only the
complete M. So he had to enter all the text in just one step, The
maximum edition time was 16 minutes, and I think this is not enough to
edit a complex text with 3 pages like M. In fact I think more than one
guy wrote the text. S is not a computer expert.

3) S is not directly related with C, nor P. There are other people
directly interested in to attack C. or/and P.

4) M was sent before 16:20 -0300 because BP, and BC say that they
received M in that time. This information is reliable. BP and BC are
different routers, but both times look real because they are very
close from each other.

5) According to the timestamps header of M, Hotmail, and MSN received
M after BP, and BC. This is not possible, as the order of the routers
is Hotmail, MSN, BP, and BC. I think this is an evidence that M is
fake, and I think these information is not reliable, as external
routers can be forged.

I want some advice in this case. Thanks for any help.

Flavio A. Braga

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus