Re: Determining that someone is not the author of an offensive email

Heh, forgot to send this to the list.
> Also you can't forget one of the most obvious.
> SNMP Engines are easy to come by, and when you own your own domain and 
> email system (perhaps hotmail allows it, I don't use it) you can 
> telnet into your email system (either hotmail or your own domain) and 
> use SNMP to format a message any way you see fit. You can customize 
> the To:, CC:, From:.. anything in the message via SNMP (it's what 
> trojans and viruses use to generate those random "From:" fields)
>
> Secondly, the IT expert for the prosecution would have to prove that
> A:) None of those 12 computers could be remotely administered (i.e. 
> RDP or VNC etc)
> B:) None of those computers were running as a proxy service.
> C:) None of those computers were hosting a domain or website.
> D:) That SNMP could not have been used via any of those 12 machines to 
> manufacture an email (this will only hold if A, B and C are proven true)
> E:) That S's computer was completely patched and protected via 
> Firewall anti Anti viurs/spyware.
>
> No the kicker that can throw a case to the dogs. (BTW, im not an 
> expert in forensics but I know laws are porrly written for IT forensics)
> S can only be found guilty by a Judge or Jury, the IT Experts views on 
> S's activities are purely opinions. If he ever says that S has 
> actually done something it can be thrown out because he must prove it. 
> Nothing can be proven in IT forensics on the biological standpoint. 
> There are no DNA traces on the "paper" of the email so you can only 
> say "S's account was used to write and send this offensive email", 
> they cannot prove S really did it. However if S used a fingerprint 
> scanner to log into the machine, he's kinda screwed, on that , but not 
> entirely (see E: above).
>
> The point is there are so many holes in email (or any electronic 
> message) cases that it takes extraordinary amounts of time to collect 
> all the evidence and make a strong case.
>
> Oh and btw, since they sent the originals back to the people and he 
> "tested" on those DD image of the drives, make sure he made a copy of 
> those images to test on. If he booted up or done any kind of write 
> operation to those images that changed both their SHA1 and MD5 hashes, 
> the evidence is inadmissible, be cause he cannot prove that those 
> images are copies of the originals, hell its inadmissible because he 
> gave the originals back.
> Thats like saying, okay, heres your gun back, we got a copy of the 
> rifling's on the barrel, then the suspect goes home and bores out his 
> gun barrel to complete smoothness... prove those copies are from the 
> original barrel you gave back to the suspect.
>
> I believe the whole case against S can be thrown out simply because 
> all they have now is that the message could have originated from one 
> of those 12 people because the originals were given back to the 
> "suspects", therefore causing reasonable doubt and therefore cannot 
> find the S guilty. But this is the US, Brazil probably operates a 
> little differently (for one they may have lawyers that understand the 
> law)
>
>
> Gleyson Melo wrote:
> > Hi Flavio,
> >
> > Another investigation path would be the neighbours. Even if there are
> > no traces of the message in other computers of the building, there
> > might be guilty people involved who knows both of them.
> >
> > 1) Is there any TI professional/student on the building? This would be
> > S2. Maybe this one would use a live CD to send the email, or a laptop
> > not found on investigations.
> >
> > 2) Maybe S2, after or before sending the message, had log in to
> > another email account, using the same cookies. This is a common thing.
> > He is probably not an expert. Maybe he connected to MSN Messenger
> > through the same computer. Again, MSN could give useful information.
> >
> > 3) Other HTTP Headers could also be useful like Browser (IE, Opera,
> > Firefox...), language, etc.  Common internet services used by
> > Brazilian people could also be searched.
> > Services like "Mercado Livre" and Internet Banking could have been
> > accessed in the building and the IP Address+Account used to logon
> > could also be useful to make a timeline.
> > Do you have the original mail?
> >
> > 4) Who was home and who was not when the mail was sent? How to prove it?
> >
> > Although it is very hard to get all this information, someone's  who's
> > innocent really deserves all of these efforts.
> >
> > 2007/5/30, Flavio Silva <flavioabs@gmail.com>:
> > > Hi Gleyson, thanks for your answer.
> > >
> > > On 5/29/07, Gleyson Melo <gleysonmelo@gmail.com> wrote:
> > > > Hi Flavio,
> > > >
> > > > I'm not really an expert, but I tought some things about the case.
> > > >
> > > > 1) I guess you tought in this but.. You may see with defense layer if
> > > > S is really innocent. Otherwise, I don't guess it would be 
> > > possible to
> > > > prove that.
> > >
> > > Yes, this is the great question. I have a feeling that the guy is
> > > inocent because he is not directly connected to the offended company.
> > > He is a serious person, he is not a computer expert, he works a lot
> > > and he study at night. Of course we never know.
> > >
> > > > 2) You may investigate if S really received the email.
> > > > What is the complete content of "M"? Is the complete "EMAIL" or the
> > > > complete text message?
> > >
> > > There were 2 files in his computer with the complete content of the
> > > message, not the email.
> > >
> > > > 3) Can you ask for more information from hotmail provider about this
> > > > deleted mail? There might be logs.
> > >
> > > I don't know if it is possible. But we can try.
> > >
> > > > 4) Does S have any relation with the received message? Depending on
> > > > the message, there might be other investigation paths. The question
> > > > is: why would S store the message M in his hard disk? It was deleted?
> > > > Why?
> > >
> > > No, S does not have any relation with the message. He said that he
> > > copied the message to the computer to read sometime after and he
> > > deleted it from his Hotmail account.
> > >
> > > > 5) Which hotmail account was used to send the messages? They (S 
> > > and P)
> > > > received the same message at the same time? There were CC information
> > > > on the mails?
> > >
> > > All the destinations in the email was  BCC. The account is
> > > interesting. Something like Josedias_cake@hotmail.com. P did not
> > > receive the message.
> > > >
> > > > The idea here would be: if someone sent a real hotmail message, when
> > > > this account was created and by what machine?
> > >
> > > I'm not sure if this account Josedias_cake is real. But it is a
> > > possible path to investigate.
> > >
> > > > 6) Do S have other mail accounts? Does he could show them? Which 
> > > other
> > > > computer were accessed from S?
> > >
> > > S said that he uses only his Hotmail account. He showed the account to
> > > the expert. Nothing was found: there was not a sent  message like the
> > > offensive email.
> > >
> > > > 7) A non-technical detail, is there any guy "G" who knows both of
> > > > them? Investigating where they live, work, study and commonly goes
> > > > would lead to some traces.
> > > > Some guy who knows both would use his computer to do something 
> > > like that.
> > >
> > > OK, but as I know a lot of people received the message.
> > >
> > > > I guess it would be hard to analyze all this, but it may give some 
> > > ideas.
> > > >
> > > > Nice to see other brazilian people discussing on SecurityFocus :)
> > > > __________________
> > > > Atenciosamente,
> > > > Gleyson Melo
> > > > www.codebunker.org
> > >
> > > Thank you!
> > >
> > > Regards
> > >
> > > Flavio