Internet Investigations

Presentation Transcript


  1. Internet Investigations COEN 252 Computer Forensics Thomas Schwarz, S.J. 2006

  2. Email Investigation
     • Email investigations derive evidence from:
       • Internal data:
         • Headers.
         • Contents.
       • External data:
         • Server logs.
         • The sending machine itself (as we will see).

  3. Email Investigation
     • Header Analysis:
       • The most recent entries are at the top of the header.
       • Resolve all inconsistencies in the information.
       • Resolve all IP addresses.
       • Create a timeline.
       • Allow for clock drift between different sites.
       • Compare entries generated (allegedly) by known servers with the previous ones.
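As an added example (not part of the lecture), the header-analysis steps above applied to a constructed message: the Received: chain is reversed into chronological order, the IP address and relaying host of each hop are extracted, a timeline is built, and steps that run backwards by more than the drift allowance or whose hosts do not chain together are flagged. All hostnames, addresses and timestamps are made up.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not from the slides): three Received: lines, newest on
# top. The mx2 hop's clock is skewed so the last step appears to run backwards.
SAMPLE = """Received: from mx2.example.org (mx2.example.org [198.51.100.7])
\tby mail.example.edu with ESMTP id A1; Tue, 14 Mar 2006 10:05:30 -0800
Received: from relay.example.net (relay.example.net [203.0.113.9])
\tby mx2.example.org with ESMTP; Tue, 14 Mar 2006 10:09:02 -0800
Received: from [192.0.2.55] (unknown)
\tby relay.example.net with SMTP; Tue, 14 Mar 2006 10:03:11 -0800
From: sender@example.net
To: recipient@example.edu
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def parse_received(raw):
    """Return hops oldest-first; the header stores the newest entry on top."""
    msg = message_from_string(raw)
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        route, _, date = line.rpartition(";")   # date follows the last ';'
        m, ip = HOP_RE.search(route), IP_RE.search(route)
        hops.append({"from": m.group(1) if m else None,
                     "by": m.group(2) if m else None,
                     "ip": ip.group(1) if ip else None,
                     "time": parsedate_to_datetime(date.strip())})
    return hops

def timeline(hops, drift=timedelta(minutes=2)):
    """Per step: elapsed time, whether it runs backwards beyond the drift
    allowance, and whether this hop's 'from' names the previous hop's 'by'."""
    rows = []
    for prev, cur in zip(hops, hops[1:]):
        delta = cur["time"] - prev["time"]
        rows.append({"step": f'{prev["by"]} -> {cur["by"]}',
                     "delta": delta,
                     "backwards": delta < -drift,
                     "chain_ok": cur["from"] == prev["by"]})
    return rows

if __name__ == "__main__":
    for row in timeline(parse_received(SAMPLE)):
        print(row)
```

A flagged step is not proof of forgery on its own; it marks where the investigator must account for clock drift or a relay that did not record its hop honestly.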

  4. Email Investigation
     • Law Enforcement (LE) can use subpoenas to investigate log files.
     • The same is true for private entities through the use of John Doe lawsuits.

  5. Phishing Investigation
     • Find the true URL to identify the server with which a potential victim interacts.
       • Difficult, since phishers change sites frequently.
       • Using a network tracer when accessing a website can speed things up.
     • Use the subpoena process to obtain:
       • log records of email;
       • contact information for websites, redirection services, etc.
     • Try to obtain information amicably as often as possible:
       • outside of the US;
       • to guard volatile information.

  6. Case Examples: 1. A. Kornblum, Microsoft
     • A. Kornblum: Searching for John Doe: Finding Spammers and Phishers
     • Used a John Doe lawsuit to obtain subpoenas for a phisher who became active in September 2003.

  7. Case Examples: 1. A. Kornblum, Microsoft
     • Originating emails:
       • Traced ultimately to an ISP in India, from where not enough data could be obtained.
     • Traced websites:
       • At each round, a subpoena request would yield the IP address of a controlling website.
       • Hosting company in San Francisco.
       • Another hosting company in San Francisco.
       • Redirection server in Austria.
         • Owner did not like spammers and handed out records voluntarily.
       • IP controlled by Qwest.
         • 69-year-old Qwest customer in Davenport, Iowa.
           • Who had his grandson Jayson Harris living with him.
     • MS involved the FBI, who raided the household and obtained three machines.
     • MS sued Jayson Harris and obtained a $3M default judgment against him.
     • Criminal charges are pending.

  8. Case Examples: 2. High School Death Threats
     • Blog sites allow comments by anonymous friends.
     • Death threats were made anonymously on a high-school-related blog.
     • XPD (name altered) was informed by the principal.

  9. Case Examples: 2. High School Death Threats
     • XPD contacted the blog site, but the owner/operator did not have valid contact data.
     • However, the blog site operator gave out the IP address from which the comment originated.
     • XPD went to the ISP to obtain the address of the computer to which the IP was assigned at the time of the threat.
     • XPD obtained a search warrant for the premises of the owner of the address.
     • The owner was a respectable, older community member.
     • XPD assumed that there was a grandson involved.

  10. Case Examples: 2. High School Death Threats
     • The search warrant was executed at 7 am.
     • No sign of a high school student in the house, but the owner was running an unsecured wireless access point.
     • XPD convinced the owner to keep the access point running, but to set up logging.
     • Using Google Maps and the addresses of all high school students, they also identified a suspect.
     • The case is still pending.
