Internet Investigations COEN 252 Computer Forensics Thomas Schwarz, S.J. 2006
Email Investigation
• Email investigations derive evidence from:
  • Internal data:
    • Headers.
    • Contents.
  • External data:
    • Server logs.
    • The sending machine itself.
    • As we will see.
Email Investigation
• Header Analysis:
  • The most recent entries are at the top of the header.
  • Resolve all inconsistencies between the entries.
  • Resolve all IP addresses.
  • Create a timeline.
    • Allow for clock drift between different sites.
  • Compare entries generated (allegedly) by known servers with the previous ones.
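Worked example (added here; not part of the original slides). The script below applies the header-analysis steps above to a constructed message: it reads the Received: lines top-down (newest first), reverses them into an oldest-first timeline, and flags three kinds of inconsistency: a hop whose announced name the receiving server could not verify, a break in the hand-off chain, and a timestamp that runs backwards by more than an assumed clock-drift allowance. All hostnames, addresses and times in the sample are made up; the two-minute drift tolerance is an assumed value, not one from the slides.

```python
"""Reconstruct and sanity-check the Received: chain of an email header."""
import re
from datetime import timedelta
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture); hosts and IPs use
# documentation ranges. The bottom-most hop claims to be "mail.bank.test",
# but the relay could not verify it ("unknown") and its clock reads later
# than the next hop's, so both problems should surface below.
RAW_MESSAGE = """\
Received: from mx2.example-dst.test (mx2.example-dst.test [192.0.2.20])
    by inbox.example-dst.test with ESMTP id abc123
    for <victim@example-dst.test>; Mon, 06 Mar 2006 10:05:12 -0800
Received: from relay.example-isp.test (relay.example-isp.test [198.51.100.7])
    by mx2.example-dst.test with ESMTP id def456;
    Mon, 06 Mar 2006 10:05:10 -0800
Received: from mail.bank.test (unknown [203.0.113.45])
    by relay.example-isp.test with SMTP id ghi789;
    Mon, 06 Mar 2006 10:09:30 -0800
From: "Bank Security" <alerts@bank.test>
To: victim@example-dst.test
Subject: Verify your account
Date: Mon, 06 Mar 2006 10:00:00 -0800

Please click the link to verify your account.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"          # name the sending host announced itself as
    r"(?:\s+\((?P<paren>[^)]*)\))?"  # receiving MTA's own view: rDNS and [ip]
    r"\s+by\s+(?P<by>\S+)"           # the host that wrote this line
    r".*;\s*(?P<date>.+)$",          # timestamp after the final ';'
    re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: header into its fields (None if unparseable)."""
    flat = " ".join(value.split())           # unfold and squeeze whitespace
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    paren = m.group("paren") or ""
    ip = IP_RE.search(paren)
    return {
        "helo": m.group("helo"),
        "rdns": paren.split()[0] if paren else None,  # 'unknown' if no PTR
        "ip": ip.group(1) if ip else None,
        "by": m.group("by"),
        "time": parsedate_to_datetime(m.group("date").strip()),
    }


def build_timeline(raw):
    """Return hops oldest-first: the top header is the most recent entry."""
    msg = message_from_string(raw, policy=policy.default)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h is not None]


def find_inconsistencies(hops, drift=timedelta(minutes=2)):
    """Flag hops whose claims do not line up with the neighbouring entries."""
    issues = []
    for i, hop in enumerate(hops):
        # A receiving MTA that could not reverse-resolve the peer, or whose
        # rDNS disagrees with the announced name, leaves the claim unverified.
        if hop["rdns"] in (None, "unknown") or hop["rdns"] != hop["helo"]:
            issues.append(
                f"hop {i}: '{hop['helo']}' from {hop['ip']} is unverified "
                f"(rDNS={hop['rdns']}); treat the name as a claim only"
            )
        if i == 0:
            continue
        prev = hops[i - 1]
        # The host that received hop i-1 should be the one handing off hop i.
        if prev["by"] != hop["helo"]:
            issues.append(f"hop {i}: chain break, {prev['by']} != {hop['helo']}")
        # Later hops must not be timestamped before earlier ones, beyond an
        # allowance for clock drift between independent sites.
        if hop["time"] + drift < prev["time"]:
            gap = prev["time"] - hop["time"]
            issues.append(f"hop {i - 1}->{i}: timestamp goes backwards by {gap}")
    return issues


if __name__ == "__main__":
    timeline = build_timeline(RAW_MESSAGE)
    for h in timeline:
        print(h["time"].isoformat(), h["ip"], h["helo"], "->", h["by"])
    for issue in find_inconsistencies(timeline):
        print("!!", issue)
```

The only entries an investigator can rely on are the ones written by servers they trust; everything below the first trusted hop (the forged "mail.bank.test" line here) is text the sender controlled, which is why each hop's rDNS and address are compared against the next hop's record instead of being taken at face value.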
Email Investigation
• Law Enforcement (LE) can use subpoenas for the investigation of log files.
• The same is true for private entities through the use of John Doe lawsuits.
Phishing Investigation
• Find the true URL to identify the server with which a potential victim interacts.
  • Difficult, since phishers change sites frequently.
  • Using a network tracer when accessing a website can speed things up.
• Use the subpoena process to obtain:
  • Log records of email.
  • Contact info for web sites, redirection services, etc.
• Try to obtain information amicably as often as possible:
  • Outside of the US.
  • To guard volatile information.
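Worked example (added here; not part of the original slides). Finding the "true URL" means following every redirection service between the link in the message and the server that actually serves the fake login page. The script below does that over a constructed stand-in for the network: it follows HTTP Location redirects and HTML meta-refresh redirects, records each hop, stops on loops, and reports the final host. The URLs, hosts and the fake_fetch table are invented for the example; to use it on live data, pass a fetch function that performs one request without following redirects and returns (status, headers, body).

```python
"""Follow a redirection chain to the server a phishing victim actually reaches."""
import re
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the network: URL -> (status, headers, body) as a
# tracer would observe them. Nothing here is a real site.
FAKE_WEB = {
    "http://short.test/x1": (302, {"Location": "http://redirect.test/go?id=7"}, ""),
    "http://redirect.test/go?id=7": (301, {"Location": "/landing"}, ""),
    "http://redirect.test/landing": (
        200, {},
        '<meta http-equiv="refresh" content="0;url=http://203.0.113.9/bank/login.html">',
    ),
    "http://203.0.113.9/bank/login.html": (200, {}, "<form action=post.php>...</form>"),
}

META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)


def fake_fetch(url):
    """Offline replacement for a single HTTP request (no redirect following)."""
    return FAKE_WEB.get(url, (404, {}, ""))


def next_hop(url, status, headers, body):
    """Return the URL this response sends the browser to, or None if final."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(url, headers["Location"])   # resolve relative Location
    m = META_REFRESH_RE.search(body)
    if m:
        return urljoin(url, m.group(1))
    return None


def trace_redirects(start, fetch=fake_fetch, max_hops=10):
    """Return the list of (url, status) hops; the last entry is the true server."""
    chain, seen, url = [], set(), start
    while url not in seen and len(chain) < max_hops:   # loop and runaway guard
        seen.add(url)
        status, headers, body = fetch(url)
        chain.append((url, status))
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            break
        url = nxt
    return chain


def true_host(chain):
    """Host of the final hop: the one whose logs and owner you subpoena."""
    return urlsplit(chain[-1][0]).hostname


if __name__ == "__main__":
    chain = trace_redirects("http://short.test/x1")
    for hop_url, status in chain:
        print(status, hop_url)
    print("true host:", true_host(chain))
```

Every intermediate host in the chain is also worth recording: each one (a URL shortener, a redirection service, a hosting company) holds logs or contact details that the subpoena process described above can reach, and the chain is the order in which to ask.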
Case Examples: 1. A. Kornblum, Microsoft
• A. Kornblum: Searching for John Doe: Finding Spammers and Phishers
• Used a John Doe lawsuit to obtain subpoenas for a phisher that became active in September 2003.
Case Examples: 1. A. Kornblum, Microsoft
• Originating emails:
  • Traced ultimately to an ISP in India, from where not enough data could be obtained.
• Traced websites:
  • At each round, a subpoena request would yield the IP address of a controlling website.
  • Hosting company in San Francisco.
  • Another hosting company in San Francisco.
  • Redirection server in Austria.
    • Owner did not like spammers and handed out records voluntarily.
  • IP controlled by Qwest.
  • 69-year-old Qwest customer in Davenport, Iowa.
    • Who had grandson Jayson Harris living with him.
• MS involved the FBI, who raided the household and obtained three machines.
• MS sued Jayson Harris and obtained a $3M default judgment against him.
• Criminal charges are pending.
Case Examples: 2. High School Death Threats
• Blog sites allow comments by anonymous friends.
• Death threats were made anonymously on a high-school-related blog.
• XPD (name altered) was informed by the principal.
Case Examples: 2. High School Death Threats
• XPD contacted the blog site, but the owner/operator did not have valid contact data.
• However, the blog site operator gave out the IP address from which the comment originated.
• XPD went to the ISP to obtain the address of the computer to which the IP was assigned at the time of the threat.
• XPD obtained a search warrant for the premises of the owner of the address.
• The owner was a respectable, older community member.
• XPD assumed that there was a grandson involved.
Case Examples: 2. High School Death Threats
• The search warrant was executed at 7 am.
• No sign of a high school student in the house, but the owner was running an unsecured wireless access point.
• XPD convinced the owner to keep the access point running, but to set up logging.
• Using Google Maps and the addresses of all high school students, they also identified a suspect.
• Case is still pending.