Forensics
Determining that someone is not the author of an offensive email May 28 2007 07:45PM
Flavio Silva (flavioabs gmail com) (4 replies)
Re: Determining that someone is not the author of an offensive email Jun 01 2007 05:30AM
Alan Parks (alan mojohosting com) (1 replies)
Re: Determining that someone is not the author of an offensive email Jun 02 2007 01:11AM
Flavio Silva (flavioabs gmail com)
Re: Determining that someone is not the author of an offensive email May 29 2007 04:13PM
Gleyson Melo (gleysonmelo gmail com)
RE: Determining that someone is not the author of an offensive email May 29 2007 03:46PM
Glenn Dardick (gdardick dardick net) (1 replies)
Assuming S used Internet Explorer, you might want to look at the INDEX.DAT and Cache files within the Temporary Internet Files folder. It might show when Hotmail was accessed (in the INDEX.DAT) as well as what was on those pages (in the Cache). If S was composing email on Hotmail at 16:20 that would be bad. If S was not composing and did not even access Hotmail at that time, that would be good - assuming you are the defense, of course.

Glenn S. Dardick, Ph.D.
804-402-9239
804-680-3038 (FAX)
gdardick (at) dardick (dot) net

Assistant Professor of Information Systems
Longwood University
dardickgs (at) longwood (dot) edu

Director, Association for Digital Forensics, Security and Law
http://www.adfsl.org

Editor, Journal of Digital Forensics, Security and Law
http://www.jdfsl.org

This electronic message is intended only for the use of the individual or company named above. If the intended recipient is a client, the information contained in this message is considered confidential, proprietary, privileged, and may contain client confidential information and work product. It may also contain trade secrets protected by State and Federal law. If you are not the addressee please do not copy or deliver this message to anyone. You should immediately delete the message without reading the contents and notify us by return email that the message was misdirected. I apologize for the inconvenience. Any other use of this information is strictly prohibited.

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Flavio Silva
Sent: Monday, May 28, 2007 3:46 PM
To: forensics (at) securityfocus (dot) com
Subject: Determining that someone is not the author of an offensive email

Hi all!

I am trying to help a defence lawyer in this situation.

Someone sent an anonymous email to a lot of destinations. The message
(M) is offensive to a company (C) president (P). After 3 months, a
law firm (L) specialized in Internet cases made C: 1st, request an
analysis from a specialized security advisory company (A). In the
message body they determined that M came from Hotmail, and from a
machine IP #200.200.200.200 (IPO). 2nd, in a court request they
determined from the communications company that IPO was a machine
serving an ADSL line of a residential building (B).

So they requested the court to make an inspection of B's
computers. The judge nominated an expert (E) to do the job. E was
helped by a technical advisor (T) from L. In fact, E did not know how to
do the job. T told E all he had to do.

There were 12 apartments connected to that ADSL line. All of them had
false IP numbers (198.162.???.???).

After 2 days they asked the court to inspect all 12 apartments.

The expert searched all disks of the 12 apartments for some words that
were used in M. This operation took more than a month because some of
the people were traveling.

In the search they found only one disk with the words they were
searching for. This disk was from the computer of a guy I call here the
Suspect (S).

S says that he also received M in his Hotmail account, and he copied
the content to files on his computer to read some time later. So he
deleted M from his account. What E found were two Word files with the
complete content of M.

Analysing the metadata of the two files, E determined that file 1 had
only one minute of editing time, and file 2 had 16 minutes. Both files
were created around 16:20 -0300.

A made a confusing analysis of the message because they converted all
the time stamps to UTC time. Here is Brazil, so they had to convert all
the time stamps to São Paulo time (-03:00). But they didn't do it.

So L made an analysis telling the judge about some occurrences based on
19:20 -0300, but the message showed this time as 19:20 UTC. So the
real time is in fact 16:20 -0300.

The message was forwarded by four mail servers:
- Hotmail, timestamp 22:20 -0000
- MSN, timestamp 22:20 -0000
- a Brazilian provider (BP), timestamp 16:20 -0300
- a Brazilian company (BC), timestamp 16:20 -0300

In his analysis of the situation, E told the judge what follows:
1) evidence proving that S sent the offensive message was not found.
2) S had the content of the offensive message on his computer.
3) the doc files were not created at the time the message was sent (in
his idea 19:20 -0300), and the files' authors were third parties, but S
used these people's files to edit the message before he sent it.
4) Even without direct evidence that S created and sent the
message, E said in his conclusion that "there was something near
100% certainty that S was the author of the message, and he also sent
it to all the destinations".

I already made an analysis for the defence attorney, and she already
communicated it to the judge. I want some help in this situation because the
prosecutor made an appeal disagreeing with my analysis.

The subjects I want help with here are these.

1) IPO is not serving only B. I think it is very expensive for the
communications company to reserve a server to attend only 12 users. In
my analysis I told the judge that IPO may serve a lot of places
other than B.

2) E did not find partial files of M on S's computer, but only the
complete M. So he had to enter all the text in just one step. The
maximum editing time was 16 minutes, and I think this is not enough to
edit a complex text of 3 pages like M. In fact I think more than one
person wrote the text. S is not a computer expert.

3) S is not directly related to C, nor to P. There are other people
directly interested in attacking C and/or P.

4) M was sent before 16:20 -0300 because BP and BC say that they
received M at that time. This information is reliable. BP and BC are
different routers, but both times look real because they are very
close to each other.

5) According to the timestamp headers of M, Hotmail and MSN received
M after BP and BC. This is not possible, as the order of the routers
is Hotmail, MSN, BP, and BC. I think this is evidence that M is
fake, and I think this information is not reliable, as external
routers can be forged.

I want some advice on this case. Thanks for any help.

Regards
--
Flavio A. Braga

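Added example, written for this page and not code from any participant in the thread: a small Python script that does the two header checks the post argues about. It parses a constructed set of Received: lines (hypothetical hostnames; the stamps mirror the 22:20 -0000 at Hotmail/MSN and 16:20 -0300 at the two Brazilian servers described above), normalises every stamp to UTC, renders a UTC stamp in São Paulo time (a fixed -03:00 offset is assumed, with no DST handling), and walks the hops origin-first to flag any hop stamped earlier than the hop before it.

```python
import re
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample (hypothetical hostnames), in raw-message order:
# each server prepends its own Received: line, so the LAST hop is on top
# and the ORIGINATING hop is at the bottom.
SAMPLE_RECEIVED = [
    "from mx.bp.example.br by mail.bc.example.br with ESMTP; Mon, 28 May 2007 16:20:05 -0300",
    "from bay0-omc.hotmail.example by mx.bp.example.br with ESMTP; Mon, 28 May 2007 16:20:01 -0300",
    "from hotmail.example by msn.example with SMTP; Mon, 28 May 2007 22:20:30 -0000",
    "from [200.200.200.200] by hotmail.example with HTTP; Mon, 28 May 2007 22:20:10 -0000",
]

# Assumed fixed offset for the case (no DST handling).
SAO_PAULO = timezone(timedelta(hours=-3))


def parse_stamp(stamp):
    """Parse an RFC 5322 date and return an aware datetime in UTC.

    RFC 5322 says '-0000' means 'no timezone information available';
    parsedate_to_datetime then returns a NAIVE datetime.  The value is
    still a UTC time, so we attach UTC explicitly instead of crashing
    later on a naive/aware comparison.
    """
    dt = parsedate_to_datetime(stamp.strip())
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def as_local(stamp, tz=SAO_PAULO):
    """Render a header stamp in local time, e.g. '19:20 -0000' -> '16:20 -0300'."""
    return parse_stamp(stamp).astimezone(tz).strftime("%H:%M %z")


def parse_received(header):
    """Return (receiving host, UTC datetime) for one Received: line."""
    body, _, date = header.rpartition(";")   # the date always follows the last ';'
    m = re.search(r"\bby\s+(\S+)", body)
    by_host = m.group(1) if m else "?"
    return by_host, parse_stamp(date)


def check_chain(received_lines, tolerance=timedelta(minutes=5)):
    """Walk the hops origin-first (bottom of the header block upward).

    Returns a list of (earlier_host, later_host, skew) for every hop whose
    stamp is EARLIER than the previous hop's by more than `tolerance`.
    A few seconds of skew is normal clock drift; hours of negative skew
    means either a badly wrong clock or a line that was not written by
    the server it claims.
    """
    hops = [parse_received(h) for h in reversed(received_lines)]
    anomalies = []
    for (prev_host, prev_dt), (host, dt) in zip(hops, hops[1:]):
        if dt < prev_dt - tolerance:
            anomalies.append((prev_host, host, prev_dt - dt))
    return anomalies


if __name__ == "__main__":
    print("19:20 -0000 in Sao Paulo time:", as_local("Mon, 28 May 2007 19:20:00 -0000"))
    for host, dt in (parse_received(h) for h in reversed(SAMPLE_RECEIVED)):
        print(f"{host:22} {dt:%Y-%m-%d %H:%M:%S %Z}")
    for earlier, later, skew in check_chain(SAMPLE_RECEIVED):
        print(f"ANOMALY: {later} stamped {skew} before {earlier}")
```

Run as-is it shows the two points from the post side by side: the 19:20 UTC stamp is 16:20 in São Paulo, and once every hop is in UTC the Brazilian servers claim to have received the message three hours before Hotmail/MSN say they handled it, which is the ordering contradiction the post raises.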
Re: Determining that someone is not the author of an offensive email May 30 2007 02:15AM
Flavio Silva (flavioabs gmail com) (1 replies)
Re: Determining that someone is not the author of an offensive email May 31 2007 09:11PM
AdityaK (aditya1010 gmail com)
Re: Determining that someone is not the author of an offensive email May 29 2007 03:07PM
Justin Alcorn (justin jalcorn net)
Copyright 2010, SecurityFocus