Forensics
Re: Determining that someone is not the author of an offensive email Jun 01 2007 04:32AM
Kevin Gay (rot_betruger sbcglobal net)
Heh, forgot to send this to the list.
> Also you can't forget one of the most obvious.
> SNMP Engines are easy to come by, and when you own your own domain and
> email system (perhaps hotmail allows it, I don't use it) you can
> telnet into your email system (either hotmail or your own domain) and
> use SNMP to format a message any way you see fit. You can customize
> the To:, CC:, From:.. anything in the message via SNMP (it's what
> trojans and viruses use to generate those random "From:" fields)
>
> Secondly, the IT expert for the prosecution would have to prove that
> A:) None of those 12 computers could be remotely administered (i.e.
> RDP or VNC etc)
> B:) None of those computers were running as a proxy service.
> C:) None of those computers were hosting a domain or website.
> D:) That SNMP could not have been used via any of those 12 machines to
> manufacture an email (this will only hold if A, B and C are proven true)
> E:) That S's computer was completely patched and protected via
> Firewall and Anti-virus/spyware.
>
> Now the kicker that can throw a case to the dogs. (BTW, I'm not an
> expert in forensics but I know laws are poorly written for IT forensics)
> S can only be found guilty by a Judge or Jury, the IT Expert's views on
> S's activities are purely opinions. If he ever says that S has
> actually done something it can be thrown out because he must prove it.
> Nothing can be proven in IT forensics on the biological standpoint.
> There are no DNA traces on the "paper" of the email so you can only
> say "S's account was used to write and send this offensive email",
> they cannot prove S really did it. However if S used a fingerprint
> scanner to log into the machine, he's kinda screwed on that, but not
> entirely (see E: above).
>
> The point is there are so many holes in email (or any electronic
> message) cases that it takes extraordinary amounts of time to collect
> all the evidence and make a strong case.
>
> Oh and btw, since they sent the originals back to the people and he
> "tested" on those DD images of the drives, make sure he made a copy of
> those images to test on. If he booted up or did any kind of write
> operation to those images that changed both their SHA1 and MD5 hashes,
> the evidence is inadmissible, because he cannot prove that those
> images are copies of the originals; hell, it's inadmissible because he
> gave the originals back.
> That's like saying, okay, here's your gun back, we got a copy of the
> rifling on the barrel, then the suspect goes home and bores out his
> gun barrel to complete smoothness... prove those copies are from the
> original barrel you gave back to the suspect.
>
> I believe the whole case against S can be thrown out simply because
> all they have now is that the message could have originated from one
> of those 12 people because the originals were given back to the
> "suspects", therefore causing reasonable doubt and therefore they cannot
> find S guilty. But this is the US, Brazil probably operates a
> little differently (for one they may have lawyers that understand the
> law)
>
>
> Gleyson Melo wrote:
>> Hi Flavio,
>>
>> Another investigation path would be the neighbours. Even if there are
>> no traces of the message in other computers of the building, there
>> might be guilty people involved who know both of them.
>>
>> 1) Is there any TI professional/student on the building? This would be
>> S2. Maybe this one would use a live CD to send the email, or a laptop
>> not found on investigations.
>>
>> 2) Maybe S2, after or before sending the message, had logged in to
>> another email account, using the same cookies. This is a common thing.
>> He is probably not an expert. Maybe he connected to MSN Messenger
>> through the same computer. Again, MSN could give useful information.
>>
>> 3) Other HTTP Headers could also be useful like Browser (IE, Opera,
>> Firefox...), language, etc. Common internet services used by
>> Brazilian people could also be searched.
>> Services like "Mercado Livre" and Internet Banking could have been
>> accessed in the building and the IP Address+Account used to logon
>> could also be useful to make a timeline.
>> Do you have the original mail?
>>
>> 4) Who was home and who was not when the mail was sent? How to prove it?
>>
>> Although it is very hard to get all this information, someone who's
>> innocent really deserves all of these efforts.
>>
>> 2007/5/30, Flavio Silva <flavioabs (at) gmail (dot) com>:
>>> Hi Gleyson, thanks for your answer.
>>>
>>> On 5/29/07, Gleyson Melo <gleysonmelo (at) gmail (dot) com> wrote:
>>> > Hi Flavio,
>>> >
>>> > I'm not really an expert, but I thought some things about the case.
>>> >
>>> > 1) I guess you thought of this but.. You may see with defense layer if
>>> > S is really innocent. Otherwise, I don't guess it would be
>>> possible to
>>> > prove that.
>>>
>>> Yes, this is the great question. I have a feeling that the guy is
>>> innocent because he is not directly connected to the offended company.
>>> He is a serious person, he is not a computer expert, he works a lot
>>> and he studies at night. Of course we never know.
>>>
>>> > 2) You may investigate if S really received the email.
>>> > What is the complete content of "M"? Is the complete "EMAIL" or the
>>> > complete text message?
>>>
>>> There were 2 files in his computer with the complete content of the
>>> message, not the email.
>>>
>>> > 3) Can you ask for more information from hotmail provider about this
>>> > deleted mail? There might be logs.
>>>
>>> I don't know if it is possible. But we can try.
>>>
>>> > 4) Does S have any relation with the received message? Depending on
>>> > the message, there might be other investigation paths. The question
>>> > is: why would S store the message M in his hard disk? It was deleted?
>>> > Why?
>>>
>>> No, S does not have any relation with the message. He said that he
>>> copied the message to the computer to read sometime after and he
>>> deleted it from his Hotmail account.
>>>
>>> > 5) Which hotmail account was used to send the messages? They (S
>>> and P)
>>> > received the same message at the same time? There were CC information
>>> > on the mails?
>>>
>>> All the destinations in the email were BCC. The account is
>>> interesting. Something like Josedias_cake (at) hotmail (dot) com. P did not
>>> receive the message.
>>> >
>>> > The idea here would be: if someone sent a real hotmail message, when
>>> > this account was created and by what machine?
>>>
>>> I'm not sure if this account Josedias_cake is real. But it is a
>>> possible path to investigate.
>>>
>>> > 6) Does S have other mail accounts? Could he show them? Which
>>> other
>>> > computers were accessed by S?
>>>
>>> S said that he uses only his Hotmail account. He showed the account to
>>> the expert. Nothing was found: there was not a sent message like the
>>> offensive email.
>>>
>>> > 7) A non-technical detail, is there any guy "G" who knows both of
>>> > them? Investigating where they live, work, study and commonly go
>>> > would lead to some traces.
>>> > Some guy who knows both would use his computer to do something
>>> like that.
>>>
>>> OK, but as I know a lot of people received the message.
>>>
>>> > I guess it would be hard to analyze all this, but it may give some
>>> ideas.
>>> >
>>> > Nice to see other Brazilian people discussing on SecurityFocus :)
>>> > __________________
>>> > Atenciosamente,
>>> > Gleyson Melo
>>> > www.codebunker.org
>>>
>>> Thank you!
>>>
>>> Regards
>>>
>>> Flavio
>>>
>>
>>
>
>
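The integrity check the post above relies on (working only on a copy, and proving that copy still matches the hashes recorded at acquisition) as an added Python example; this is not code from the thread or from any tool it mentions, and the dd image is a constructed stand-in, not real evidence:

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB dd image never sits in RAM


def image_hashes(path):
    """Return (md5, sha1) hex digests of an image file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(path, recorded_md5, recorded_sha1):
    """True only if both digests still equal the values recorded at acquisition."""
    md5, sha1 = image_hashes(path)
    return md5 == recorded_md5 and sha1 == recorded_sha1


def demo():
    """Walk through acquisition, a working copy, and one stray write.
    Returns (copy_clean, copy_after_write, master_still_clean)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample standing in for the acquired dd image (not a real image).
        master = Path(tmp) / "drive.dd"
        master.write_bytes(b"\x00" * 4096 + b"constructed sample sectors" + b"\xff" * 4096)
        acq_md5, acq_sha1 = image_hashes(master)  # record these at acquisition time

        # Analysis happens on a copy; the master is never opened for writing.
        work = Path(tmp) / "drive-work.dd"
        work.write_bytes(master.read_bytes())
        copy_clean = verify_image(work, acq_md5, acq_sha1)

        # A single stray write (e.g. mounting the copy read-write) flips one byte...
        data = bytearray(work.read_bytes())
        data[4096] ^= 0x01
        work.write_bytes(bytes(data))
        copy_after_write = verify_image(work, acq_md5, acq_sha1)  # both hashes now differ

        # ...but the untouched master still matches the recorded digests.
        master_still_clean = verify_image(master, acq_md5, acq_sha1)
        return copy_clean, copy_after_write, master_still_clean


if __name__ == "__main__":
    print(demo())
```

The point of keeping both MD5 and SHA1 from acquisition is that a later examiner can show the working copy is unchanged, or, if it is not, that the original master still is.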
