Forensics
Re: Determining that someone is not the author of an offensive email May 30 2007 12:56PM
Flavio Silva (flavioabs gmail com) (1 replies)
Re: Determining that someone is not the author of an offensive email May 30 2007 01:30PM
Gleyson Melo (gleysonmelo gmail com)
Hi Flavio,

Another investigation path would be the neighbours. Even if there are
no traces of the message in other computers of the building, there
might be guilty people involved who know both of them.

1) Is there any IT professional/student in the building? This would be
S2. Maybe this one would use a live CD to send the email, or a laptop
not found on investigations.

2) Maybe S2, after or before sending the message, had logged in to
another email account, using the same cookies. This is a common thing.
He is probably not an expert. Maybe he connected to MSN Messenger
through the same computer. Again, MSN could give useful information.

3) Other HTTP Headers could also be useful like Browser (IE, Opera,
Firefox...), language, etc. Common internet services used by
Brazilian people could also be searched.
Services like "Mercado Livre" and Internet Banking could have been
accessed in the building and the IP Address+Account used to log on
could also be useful to make a timeline.
Do you have the original mail?

4) Who was home and who was not when the mail was sent? How to prove it?

Although it is very hard to get all this information, someone who's
innocent really deserves all of these efforts.

2007/5/30, Flavio Silva <flavioabs (at) gmail (dot) com>:
> Hi Gleyson, thanks for your answer.
>
> On 5/29/07, Gleyson Melo <gleysonmelo (at) gmail (dot) com> wrote:
> > Hi Flavio,
> >
> > I'm not really an expert, but I thought some things about the case.
> >
> > 1) I guess you thought of this, but... You may see with defense layer if
> > S is really innocent. Otherwise, I don't guess it would be possible to
> > prove that.
>
> Yes, this is the great question. I have a feeling that the guy is
> innocent because he is not directly connected to the offended company.
> He is a serious person, he is not a computer expert, he works a lot
> and he studies at night. Of course we never know.
>
> > 2) You may investigate if S really received the email.
> > What is the complete content of "M"? Is the complete "EMAIL" or the
> > complete text message?
>
> There were 2 files in his computer with the complete content of the
> message, not the email.
>
> > 3) Can you ask for more information from hotmail provider about this
> > deleted mail? There might be logs.
>
> I don't know if it is possible. But we can try.
>
> > 4) Does S have any relation with the received message? Depending on
> > the message, there might be other investigation paths. The question
> > is: why would S store the message M in his hard disk? It was deleted?
> > Why?
>
> No, S does not have any relation with the message. He said that he
> copied the message to the computer to read sometime after and he
> deleted it from his Hotmail account.
>
> > 5) Which hotmail account was used to send the messages? They (S and P)
> > received the same message at the same time? There were CC information
> > on the mails?
>
> All the destinations in the email were BCC. The account is
> interesting. Something like Josedias_cake (at) hotmail (dot) com. P did not
> receive the message.
> >
> > The idea here would be: if someone sent a real hotmail message, when
> > this account was created and by what machine?
>
> I'm not sure if this account Josedias_cake is real. But it is a
> possible path to investigate.
>
> > 6) Does S have other mail accounts? Could he show them? Which other
> > computers were accessed from S?
>
> S said that he uses only his Hotmail account. He showed the account to
> the expert. Nothing was found: there was not a sent message like the
> offensive email.
>
> > 7) A non-technical detail, is there any guy "G" who knows both of
> > them? Investigating where they live, work, study and commonly go
> > would lead to some traces.
> > Some guy who knows both would use his computer to do something like that.
>
> OK, but as I know a lot of people received the message.
>
> > I guess it would be hard to analyze all this, but it may give some ideas.
> >
> > Nice to see other Brazilian people discussing on SecurityFocus :)
> > __________________
> > Sincerely,
> > Gleyson Melo
> > www.codebunker.org
>
> Thank you!
>
> Regards
>
> Flavio
>

--
Sincerely,
Gleyson Melo
www.codebunker.org

Copyright 2010, SecurityFocus