
| Subject: | Re: Determining that someone is not the author of an offensive email |
|---|---|
| Date: | Fri, 1 Jun 2007 20:11:10 -0500 |
Hi Alan! Thank you for your message.
Hey Flavio, I don't have a great deal of advice to give, but I am curious about a few things:
I know literally nothing about Brazilian law, but how is it against the law to send an offensive email?
Yes, I understand what you mean. The prosecution was started based on a defaming accusation.
And even if it is, how in the world do you get a search warrant for 12 people with no evidence directly linking any of them?
It is some kind of regulation of our justice. The ISP gave the information that the IP number sending the message was attending the building and the judge signed the order to search all the apartments using the common ADSL.
> There were 12 apartments connected to that ADSL line. All of them had
> false IP numbers (198.162.???.???).
This was pointed out once before, but 192.162.x.x is very real (public) ip-space. 192.168.x.x is private (fake, if you will), I assume this is what you meant?
Yes.
Do you know if the NAT router has wireless capabilities, or if ANY of the 12 people had a wireless access point? If so ANYONE could have attached to it and sent the message. There is also the possibility of one of their computers being compromised, in which case a remote attacker could have sent it through them.
I'm trying to verify this possibility.
> The message was forwarded by four mail servers:
> - Hotmail, timestamp 22:20 -0000
> - MSN, timestamp 22:20 -0000
> - a Brazilian provider (BP), timestamp (16:20 -0300)
> - a Brazilian company (BC), timestamp (16:20 -0300)

These times don't add up if -0300 is correct, just convert them all to UTC:

- Hotmail, timestamp 22:20 -0000
- MSN, timestamp 22:20 -0000
- Brazilian provider (BP), timestamp (19:20 -0000)
- Brazilian company (BC), timestamp (19:20 -0000)
For this to be true MSN must have sent the message back in time 3 hours. It is more likely that 19:20 -0300 is correct, then the times match perfectly.
I don't understand what you say here. Hotmail was the 1st. email server to manipulate the email. BC was the last one. BP and BC can not append lines to the header 3 hours "before" Hotmail and MSN. Both must have expected times 22:20 plus something.
This is one reason I think the email is fake in some way. If it is true, then it is possible that the origin IP is also fake.
Thank you for your thoughts.
Regards
Flavio
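
Added example (not part of the original message): the hop-by-hop comparison discussed above, done by normalising each `Received` timestamp to UTC and flagging any relay stamped earlier than the relay before it. The host names and the calendar date are constructed placeholders; only the clock times and offsets come from the thread.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: host names and the date are placeholders (assumptions);
# the clock times and UTC offsets are the ones quoted in the thread.
SAMPLE = """\
Received: from bp.example by bc.example; Mon, 1 Jan 2007 16:20:00 -0300
Received: from msn.example by bp.example; Mon, 1 Jan 2007 16:20:00 -0300
Received: from hotmail.example by msn.example; Mon, 1 Jan 2007 22:20:00 -0000
Received: from client.example by hotmail.example; Mon, 1 Jan 2007 22:20:00 -0000
Subject: constructed sample

body
"""

def hops_utc(raw):
    """Return [(receiving_host, utc_datetime)] in delivery order, oldest first."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its Received line, so the last header is the first hop.
    for line in reversed(msg.get_all("Received", [])):
        info, _, stamp = line.rpartition(";")
        dt = parsedate_to_datetime(stamp.strip())
        if dt.tzinfo is None:
            # A "-0000" offset parses as a naive datetime; treat it as UTC.
            dt = dt.replace(tzinfo=timezone.utc)
        host = info.split(" by ")[-1].split()[0]
        hops.append((host, dt.astimezone(timezone.utc)))
    return hops

def backward_steps(hops, tolerance=timedelta(minutes=5)):
    """Return (earlier_hop, later_hop, gap) where the later hop is stamped first.

    The tolerance absorbs ordinary clock skew between relays.
    """
    found = []
    for (h1, t1), (h2, t2) in zip(hops, hops[1:]):
        if t2 < t1 - tolerance:
            found.append((h1, h2, t1 - t2))
    return found

if __name__ == "__main__":
    hops = hops_utc(SAMPLE)
    for host, t in hops:
        print(f"{t:%H:%M} UTC  {host}")
    for h1, h2, gap in backward_steps(hops):
        print(f"{h2} is stamped {gap} before {h1}")
```

With the times as quoted, the only backward step is the three-hour one between the MSN and BP relays; replacing 16:20 -0300 with 19:20 -0300 in the sample removes it.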