Re: Determining that someone is not the author of an offensive email May 30 2007 12:56PM
Flavio Silva (flavioabs gmail com)
Hi Gleyson, thanks for your answer.

On 5/29/07, Gleyson Melo <gleysonmelo (at) gmail (dot) com> wrote:
> Hi Flavio,
> I'm not really an expert, but I thought some things about the case.
> 1) I guess you thought of this but.. You may see with defense layer if
> S is really innocent. Otherwise, I don't guess it would be possible to
> prove that.

Yes, this is the great question. I have a feeling that the guy is
innocent because he is not directly connected to the offended company.
He is a serious person, he is not a computer expert, he works a lot
and he studies at night. Of course we never know.

> 2) You may investigate if S really received the email.
> What is the complete content of "M"? Is the complete "EMAIL" or the
> complete text message?

There were 2 files on his computer with the complete content of the
message, not the email.

> 3) Can you ask for more information from hotmail provider about this
> deleted mail? There might be logs.

I don't know if it is possible. But we can try.

> 4) Does S have any relation with the received message? Depending on
> the message, there might be other investigation paths. The question
> is: why would S store the message M in his hard disk? It was deleted?
> Why?

No, S does not have any relation with the message. He said that he
copied the message to the computer to read sometime after and he
deleted it from his Hotmail account.

> 5) Which hotmail account was used to send the messages? They (S and P)
> received the same message at the same time? There were CC information
> on the mails?

All the destinations in the email were BCC. The account is
interesting. Something like Josedias_cake (at) hotmail (dot) com. P did not
receive the message.

> The idea here would be: if someone sent a real hotmail message, when
> this account was created and by what machine?

I'm not sure if this account Josedias_cake is real. But it is a
possible path to investigate.

> 6) Does S have other mail accounts? Could he show them? Which other
> computers were accessed from S?

S said that he uses only his Hotmail account. He showed the account to
the expert. Nothing was found: there was not a sent message like the
offensive email.

> 7) A non-technical detail, is there any guy "G" who knows both of
> them? Investigating where they live, work, study and commonly go
> would lead to some traces.
> Some guy who knows both would use his computer to do something like that.

OK, but as far as I know, a lot of people received the message.

> I guess it would be hard to analyze all this, but it may give some ideas.
> Nice to see other Brazilian people discussing on SecurityFocus :)
> __________________
> Atenciosamente,
> Gleyson Melo

Thank you!



