Forensics
Re: Determining that someone is not the author of an offensive email May 29 2007 04:13PM
Gleyson Melo (gleysonmelo gmail com)
Hi Flavio,

I'm not really an expert, but I thought about some things regarding the case.

1) I guess you thought of this, but... You may check with the defense lawyer whether
S is really innocent. Otherwise, I don't think it would be possible to
prove that.
2) You may investigate if S really received the email.
What is the complete content of "M"? Is it the complete email or the
complete text message?
3) Can you ask the Hotmail provider for more information about this
deleted mail? There might be logs.
4) Does S have any relation to the received message? Depending on
the message, there might be other investigation paths. The question
is: why would S store the message M on his hard disk? Was it deleted?
Why?
5) Which Hotmail account was used to send the messages? Did they (S and P)
receive the same message at the same time? Was there CC information
on the mails?

The idea here would be: if someone sent a real Hotmail message, when
was this account created and from what machine?

6) Does S have other mail accounts? Could he show them? Which other
computers were accessed by S?

7) A non-technical detail: is there any guy "G" who knows both of
them? Investigating where they live, work, study and commonly go
would lead to some traces.
Some guy who knows both would use his computer to do something like that.

I guess it would be hard to analyze all this, but it may give some ideas.

Nice to see other Brazilian people discussing on SecurityFocus :)

2007/5/28, Flavio Silva <flavioabs (at) gmail (dot) com>:
> Hi all!
>
> I am trying to help a defence lawyer in this situation.
>
> Someone sent an anonymous email to a lot of destinations. The message
> (M) is offensive to a company (C) president (P). After 3 months, a
> lawyer company (L) specialized in Internet cases made C: 1st. request
> an analysis from a specialized security advice company (A). In
> the message body they determined that M came from Hotmail, and from a
> machine IP #200.200.200.200 (IPO). 2nd. in a justice request they
> determined from the communications company that IPO was a machine
> attending an ADSL line of a residential building (B).
>
> So they requested the justice to make an inspection of B's
> computers. The judge nominated an expert (E) to do the job. E was
> helped by a technical advisor (T) from L. In fact, E did not know how to
> do the job. T told E all he had to do.
>
> There were 12 apartments connected to that ADSL line. All of them had
> false IP numbers (198.162.???.???).
>
> After 2 days they asked the justice to inspect all 12 apartments.
>
> The expert searched all disks of the 12 apartments for some words that
> were used in M. This operation took more than a month because some of
> the people were traveling.
>
> In the search they found only one disk with the words they were
> searching for. This disk was from the computer of a guy I call here
> Suspect (S).
>
> S says that he also received M in his Hotmail account, and he copied
> the content to files on his computer to read some time later. So he
> deleted M from his account. What E found were two Word files with the
> complete content of M.
>
> Analysing the metadata of the two files, E determined that file 1 had
> only one minute of editing time, and file 2 had 16 minutes. Both files
> were created at 16:20 -0300.
>
> A made a confusing analysis of the message because they converted all
> the time stamps to UTC time. Here is Brazil, so they had to convert all
> the time stamps to São Paulo time (-03:00). But they didn't.
>
> So L made an analysis telling the judge about some occurrences based on
> 19:20 -0300, but the message showed this time as 19:20 UTC. So the
> real time is in fact 16:20 -0300.
>
> The message was forwarded by four mail servers:
> - Hotmail, timestamp 22:20 -0000
> - MSN, timestamp 22:20 -0000
> - a Brazilian provider (BP), timestamp 16:20 -0300
> - a Brazilian company (BC), timestamp 16:20 -0300
>
> In his analysis of the situation, E told the judge what follows:
> 1) evidence proving that S sent the offensive message was not found.
> 2) S had the content of the offensive message on his computer.
> 3) the doc files were not created at the time the message was sent (in
> his idea 19:20 -0300), and the files' authors were third guys, but S
> used these guys' files to edit the message before he sent it.
> 4) Even without direct evidence that S created and sent the
> message, E said in his conclusion that "there was something near
> 100% sure that S was the author of the message, and he also sent
> it to all the destinations".
>
> I already made an analysis for the defence attorney, and she already
> communicated it to the judge. I want some help in this situation because the
> prosecutor made an appeal disagreeing with my analysis.
>
> The subjects I want help with here are the following.
>
> 1) IPO is not serving only B. I think it is very expensive for the
> communications company to reserve a server to attend only 12 users. In
> my analysis I told the judge that IPO may serve a lot of places
> other than B.
>
> 2) E did not find partial files of M on S's computer, but only the
> complete M. So he had to enter all the text in just one step. The
> maximum editing time was 16 minutes, and I think this is not enough to
> edit a complex text of 3 pages like M. In fact I think more than one
> guy wrote the text. S is not a computer expert.
>
> 3) S is not directly related to C, nor P. There are other people
> directly interested in attacking C and/or P.
>
> 4) M was sent before 16:20 -0300 because BP and BC say that they
> received M at that time. This information is reliable. BP and BC are
> different routers, but both times look real because they are very
> close to each other.
>
> 5) According to the timestamp headers of M, Hotmail and MSN received
> M after BP and BC. This is not possible, as the order of the routers
> is Hotmail, MSN, BP, and BC. I think this is evidence that M is
> fake, and I think this information is not reliable, as external
> routers can be forged.
>
> I want some advice on this case. Thanks for any help.
>
> Regards
> --
> Flavio A. Braga
>

--
Best regards,
Gleyson Melo
www.codebunker.org

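The timezone and hop-order argument in Flavio's points 4 and 5 can be checked mechanically. This is an added example, not code from the thread: it normalises each Received stamp to UTC (and back to -03:00) and flags any hop stamped earlier than the hop before it; the hostnames, addresses and calendar date in the sample message are constructed, only the hop order and clock values follow the thread.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

SAO_PAULO = timezone(timedelta(hours=-3))  # the -03:00 offset from the thread

# Constructed sample, not the real M: hop order and clock values mirror the
# thread (Hotmail/MSN stamp 22:20 -0000, BP/BC stamp 16:20 -0300); hostnames,
# addresses and the calendar date are placeholders.
RAW_MESSAGE = """\
Received: from mx.bp.example (mx.bp.example [192.0.2.30])
\tby mx.bc.example with ESMTP; Tue, 20 Feb 2007 16:20:41 -0300
Received: from msn.example (msn.example [192.0.2.20])
\tby mx.bp.example with ESMTP; Tue, 20 Feb 2007 16:20:39 -0300
Received: from hotmail.example (hotmail.example [192.0.2.10])
\tby msn.example with SMTP; Tue, 20 Feb 2007 22:20:12 -0000
Received: from 200.200.200.200 by hotmail.example with HTTP;
\tTue, 20 Feb 2007 22:20:05 -0000
"""

def parse_hops(raw):
    """(receiving host, aware datetime) per hop, origin first: relays prepend
    their Received line, so reversing restores the path the message travelled."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())            # unfold continuation lines
        host = text.split(" by ", 1)[1].split()[0] if " by " in text else "?"
        stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        if stamp.tzinfo is None:                  # "-0000" parses as naive
            stamp = stamp.replace(tzinfo=timezone.utc)
        hops.append((host, stamp))
    return hops

def check_order(hops, local_tz=SAO_PAULO):
    """Normalise every stamp to UTC; a hop stamped earlier than the previous
    one is flagged. Returns (host, utc, local, in_order) per hop."""
    report, prev = [], None
    for host, stamp in hops:
        utc = stamp.astimezone(timezone.utc)
        in_order = prev is None or utc >= prev
        report.append((host, utc, utc.astimezone(local_tz), in_order))
        prev = utc
    return report

def anomalous_hops(raw):
    """Receiving hosts whose stamp precedes the hop before them."""
    return [h for h, _u, _l, ok in check_order(parse_hops(raw)) if not ok]

if __name__ == "__main__":
    for host, utc, local, ok in check_order(parse_hops(RAW_MESSAGE)):
        print(f"{host:15} {utc:%H:%M:%S} UTC = {local:%H:%M:%S} -0300", "ok" if ok else "OUT OF ORDER")
```

Only the Received lines added by relays you trust are evidence; anything below them was supplied by the sender's side and may have been forged, which is why an out-of-order stamp weakens rather than strengthens the header trail.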