Back to list
Re: Determining that someone is not the author of an offensive email
May 30 2007 01:42AM
Flavio Silva (flavioabs gmail com)
Hi Robert, thanks for your message.
On 5/29/07, Robert Turner <Rturner (at) hollandhospital (dot) org [email concealed]> wrote:
> It seems as all the evidence found could have been spoofed or faked. Email
> addresses and IPs and time stamps on files can be changed to both hide the
> original sender as well as implicate a third party. Additionally, there are
> known worms that can pull text from a computer and add it to an automated
> email. Is there a possibility that the suspects computer is infected,
> therefore raising the possibility that the message was sent by someone else,
> from the suspects computer?
I did not inspect the computer of the suspect, but I also said all
this. I want to visit the guy in the next days so I can test the
machine for virus, worms, etc.
> The IP numbers in the apartment are not false. They look as though they are
> a DHCP assignments from an internal range of addresses. Either the DSL
> modems are acting as the DHCP server for each computer or they are being
> assigned addresses by a server at the Internet Service Provider.
Here we use to call this IP numbers (198.162.?.?, 10.0.0.?) as false
IPs. I know it is not correct but it is usual to do so here.
> I did not read about any evidence handling practices that were used to
> ensure data integrity, such as taking images of hard drives, keeping the
> original hard drives as evidence, examining only 3rd copies of hard drives.
> This would be important as any defense lawyer could raise the question of
> appropriate forensic techniques and whether or not the original data was
> modified. If you simply list a file, it will have been modified.
Yes, the expert took copies of all disks from the 12 apartments using
DD. But all disks were sent back to the owners after the copies. The
expert used these copies to do the analysis. The original contents
were not preserved.
> It sounds like you can also challenge the credentials of the expert, but
> that might be a problem if they were appointed by the judge. An indictment
> of this technician will essentially be an indictment of the judge.
Yes, this is a problem. I don't want to advise the defence counselor
to do so, but it is a possibility of course.
Thank you again!
[ reply ]
Copyright 2010, SecurityFocus