RE: Determining that someone is not the author of an offensive email

Subject: RE: Determining that someone is not the author of an offensive email
Date: Thu, 31 May 2007 11:09:25 -0700
Hotmail should be subpoena'd for the email account registration info,
which will include the IP used to create the account, and when it was
created.  If this ties back to your client, or at least the NAT router
of the apartment, the problem of exonerating him becomes harder, but not
an insurmountable task.

INDEX.DAT is unique to the logged-on user, and every user has one.  Analysis
of INDEX.DAT will show whose profile was used to access hotmail, when,
and how many times.

If the file(s) was saved to your client's hard drive, there will be
metadata and MFT record entries associated that will also indicate
accountability for the action, back to a user profile.

If under subpoena, Hotmail responded that the Orig IP was indeed the
Apartment bldg, your challenge gets harder.  In your NAT environment,
the DHCP will log lease times.  Assuming you can retrieve the DHCP logs,
go back to the time of the message (if possible because of log snip
interval and decay) and get the MAC addresses of the machines connected
during that time frame.  Hope that "S's" MAC address is not among that
list.

To me, a true forensic analysis of the system would reveal a lot.
However, realize that all the gumshoe investigating without making an
image has seriously hampered anyone's chance of either prosecution or
defense.  On that, did the prosecution make an image?  How will they
then go into court and attempt to prove their case?

Also, only a forensic process of carving through unallocated space for
hotmail activity will bear this out.  Due diligence requires it.

If you're gonna mount the "Trojan Horse" defense, you'd better be
prepared to demonstrate the existence of malicious code on the box whose
specific purpose is email spoofing.  If the code is Spyware/Adware, with
no embedded code to handle either SMTP or HTTP protocols, that becomes
much harder.

I've said enough...

Best of Luck,
Jim Butterworth, EWC USN (Ret.)
EnCE, GCIA, GSNA
Director of Incident Response
Guidance Software, Inc.
215 N. Marengo Ave. 2nd Flr.
Pasadena, Ca. 91101
626-229-9191 x239 office
626-381-8574 cell
626-229-9199 fax
jim.butterworth@guidancesoftware.com
www.GuidanceSoftware.com
 
The World Leader in Digital Investigations(tm)
 


-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Flavio Silva
Sent: Wednesday, May 30, 2007 3:42 AM
To: forensics@securityfocus.com
Subject: Re: Determining that someone is not the author of an offensive email

Hi Robert, thanks for your message.

On 5/29/07, Robert Turner <Rturner@hollandhospital.org> wrote:

It seems as if all the evidence found could have been spoofed or faked.
Email addresses and IPs and time stamps on files can be changed to
both hide the original sender as well as implicate a third party.
Additionally, there are known worms that can pull text from a computer
and add it to an automated email.  Is there a possibility that the
suspect's computer is infected, therefore raising the possibility that
the message was sent by someone else, from the suspect's computer?

I did not inspect the computer of the suspect, but I also said all this.
I want to visit the guy in the next days so I can test the machine for
virus, worms, etc.

The IP numbers in the apartment are not false.  They look as though
they are DHCP assignments from an internal range of addresses.
Either the DSL modems are acting as the DHCP server for each computer
or they are being assigned addresses by a server at the Internet
Service Provider.

Here we use to call these IP numbers (198.162.?.?, 10.0.0.?) false
IPs. I know it is not correct but it is usual to do so here.

I did not read about any evidence handling practices that were used to
ensure data integrity, such as taking images of hard drives, keeping
the original hard drives as evidence, examining only 3rd copies of
hard drives.  This would be important as any defense lawyer could raise
the question of appropriate forensic techniques and whether or not the
original data was modified.  If you simply list a file, it will have
been modified.

Yes, the expert took copies of all disks from the 12 apartments using
DD. But all disks were sent back to the owners after the copies. The
expert used these copies to do the analysis. The original contents were
not preserved.

It sounds like you can also challenge the credentials of the expert,
but that might be a problem if they were appointed by the judge.  An
indictment of this technician will essentially be an indictment of the
judge.

Yes, this is a problem. I don't want to advise the defence counselor to
do so, but it is a possibility of course.

Thank you again!

Regards

Flavio


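The DHCP-lease correlation Jim describes (go back to the time of the message, list the MAC addresses that held leases then, and see whether the suspect's MAC is among them) as an added worked example; this is not code from the thread. It assumes ISC dhcpd syslog output, a fixed lease duration, and constructed sample lines with hypothetical MACs and addresses.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of ISC dhcpd syslog lines (syslog omits the year; assumed 2007).
# Hypothetical MACs and RFC 1918 addresses, not values from the case in the thread.
SAMPLE_DHCP_LOG = """\
May 29 02:10:05 gw dhcpd: DHCPACK on 192.168.1.21 to 00:16:17:aa:bb:01 via eth0
May 29 02:55:40 gw dhcpd: DHCPACK on 192.168.1.23 to 00:16:17:aa:bb:02 via eth0
May 29 03:05:12 gw dhcpd: DHCPACK on 192.168.1.25 to 00:16:17:aa:bb:03 via eth0
May 29 03:30:00 gw dhcpd: DHCPRELEASE of 192.168.1.25 from 00:16:17:aa:bb:03 via eth0
May 29 04:20:09 gw dhcpd: DHCPACK on 192.168.1.23 to 00:16:17:aa:bb:04 via eth0
"""

ACK_RE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8}) \S+ dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17})")
REL_RE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8}) \S+ dhcpd: DHCPRELEASE of (\S+) from ([0-9a-f:]{17})")

def _ts(stamp, year):
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def leases_active_at(log_text, when, lease_seconds, year=2007):
    """Return {ip: mac} for leases that covered the instant `when`.
    A lease starts at its DHCPACK and ends at the earliest of: ACK + lease_seconds,
    a DHCPRELEASE from the same MAC, or a later ACK handing the IP to another MAC.
    `when` may be a datetime or a "YYYY-MM-DD HH:MM:SS" string (the message time)."""
    if isinstance(when, str):
        when = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    events = []
    for line in log_text.splitlines():
        for kind, rx in (("ack", ACK_RE), ("rel", REL_RE)):
            m = rx.match(line)
            if m:
                events.append((_ts(m[1], year), kind, m[2], m[3].lower()))
    events.sort()
    active = {}  # ip -> (mac, lease start)
    for t, kind, ip, mac in events:
        if t > when:
            break  # later events cannot affect the state at `when`
        if kind == "ack":
            active[ip] = (mac, t)
        elif ip in active and active[ip][0] == mac:
            del active[ip]
    return {ip: mac for ip, (mac, start) in active.items()
            if when - start <= timedelta(seconds=lease_seconds)}

def mac_was_online(log_text, when, lease_seconds, suspect_mac, year=2007):
    """True if `suspect_mac` held a lease at `when`; False does not prove absence,
    since a statically configured host never appears in the DHCP log."""
    return suspect_mac.lower() in leases_active_at(log_text, when, lease_seconds, year).values()
```

Note that a gap in the log (the "snip interval and decay" caveat above) shows up as a missing lease, so an empty result should be read against the log's retention window before drawing any conclusion.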