the investigators have not yet been able to establish as to how and from which PC the prohibited act was done.
Any detailed thoughts welcome.
jimbob wrote:If all you have is the email then analysis of the headers is a good start. This is not an uncommon situation, people often send email from unsecured wifi hotspots, public access computers etc. There are several avenues of investigation.
There's often a wealth of information in an email's headers. It can contain who the email is from, who it was addressed to, which IP address it came from and the route it took. I assume in this case the IP address was in the headers but the owner of said address claims no knowledge of the email being sent. It can get trickier here, but you can look to other headers for additional evidence.
Was the mail sent from a web mail account (gmail, yahoo!, hotmail) or from an email client like Outlook Express? If it came from an email client does the version number in the headers match that installed on a suspect's PC? If a webmail account was used can the provider give up any other IP addresses from which the account was accessed?
Do you believe that someone other than the owner used the wifi connection? Was encryption turned on and if so how likely is it that someone could have cracked the key? Are there any logs on the wireless access point which may provide additional info?
Those are just some thoughts.
It is not clear also how exactly a third party could have sent an email with the owner's IP address.
jimbob wrote:It is not clear also how exactly a third party could have sent an email with the owner's IP address.
- The source address could have been forged
- The email could have been sent from the computer on that IP address in question without the owners knowledge
- An improperly secured wireless network could have been used
- Inadequate physical access could let someone turn up and plug in a laptop
- The mail could have been sent by the IP address' owner
- The IP address could be running a proxy server or mail relay
- Malware on the PC could allow remote access
There are others, but I wanted to illustrate how without any other evidence there are a lot of possibilities. If you only have the email headers as evidence your investigation will be limited. If the situation is serious enough the computer[s] attached to the IP address from the email could be seized and examined for evidence.
br945 wrote:It is not clear also how exactly a third party could have sent an email with the owner's IP address.
$w33p3R wrote:br945 wrote:It is not clear also how exactly a third party could have sent an email with the owner's IP address.
It is very clear how the attacker sent an e-mail with the owner's IP address.
1. Hacker gets connection to owner's wifi (wireless)
2. Hacker receives internal IP address through DHCP (ex: 192.168.1.102)
3. Hacker sends email
4. E-mail comes from the owner's external ISP provided IP address
That is just how things work. Another example.
You have a small home network with 3 computers on it. Your router is set to assign IPs through DHCP.
Computer 1: 192.168.0.1
Computer 2: 192.168.0.2
Computer 3: 192.168.0.3
All of these computers only have (1) external IP address, unless of course you have purchased (3) static IPs from your ISP.
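The two posts above describe the same forensic picture from two sides: jimbob's point that the Received: chain, the originating IP and the X-Mailer line are where header analysis starts, and $w33p3R's point that every host behind the router's NAT shows up to the outside world as the owner's single ISP-assigned address, while only a DHCP-assigned LAN address (if the submitting relay records it at all) distinguishes one PC from another. The script below is an added example written for this thread, not code posted by either member. It walks the Received: headers of a constructed sample message (documentation-range addresses from RFC 5737 and one RFC 1918 private address) in transit order, separates LAN addresses from the public originating address, flags whether the submitting relay recorded an authenticated session (the `ESMTPA`/`ESMTPSA` keywords of RFC 3848), and pulls out the client software the sender claims to have used, so the version can be compared against what is installed on a candidate PC. The sample message and hostnames are invented for the example.

```python
"""Extract the first things an investigator wants from raw email headers:
the hop-by-hop Received: route, the earliest public IP address, any
private (NAT-side) address that leaked into the headers, whether the
submission was authenticated, and the claimed mail client.

RAW_EMAIL is CONSTRUCTED for this example: 203.0.113.45 and 198.51.100.7
are RFC 5737 documentation addresses, 192.168.1.102 is an RFC 1918
private address such as a home router hands out via DHCP."""
import ipaddress
import re
from email import message_from_string

RAW_EMAIL = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
        by inbox.example.org with ESMTP id abc123;
        Thu, 4 Mar 2010 10:02:11 +0000
Received: from [192.168.1.102] (cpe-203-0-113-45.isp.example [203.0.113.45])
        by mx.example.net with ESMTPA id xyz789;
        Thu, 4 Mar 2010 10:02:09 +0000
From: someone@example.net
To: recipient@example.org
Subject: constructed sample
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
Message-ID: <constructed-0001@example.net>

body text
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")
WITH_RE = re.compile(r"\bwith\s+(\S+)")

# Explicit RFC 1918 / loopback / link-local list rather than ipaddress.is_global,
# because the RFC 5737 documentation ranges used in the sample are also
# classed as non-global by the stdlib and would otherwise be skipped.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_lan_address(ip):
    """True for addresses that only mean something inside the sender's LAN."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def received_hops(raw):
    """Return the Received: hops in transit order (sender's side first).

    Relays prepend their Received: line, so the LAST header in the message
    is the one closest to the sender."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        by = BY_RE.search(text)
        with_ = WITH_RE.search(text)
        proto = with_.group(1).upper() if with_ else None
        hops.append({
            "from_ips": IP_RE.findall(text),
            "by": by.group(1) if by else None,
            "with": proto,
            # ESMTPA / ESMTPSA (RFC 3848): the relay accepted the message
            # after SMTP authentication, so an account, not just an IP,
            # is tied to this hop and the provider can be asked about it.
            "authenticated": proto in ("ESMTPA", "ESMTPSA"),
        })
    return hops


def originating_public_ip(raw):
    """First non-LAN address seen walking outward from the sender.

    This is the address the thread is arguing about: with NAT it belongs
    to the router / ISP subscriber, not to one particular PC."""
    for hop in received_hops(raw):
        for ip in hop["from_ips"]:
            if not is_lan_address(ip):
                return ip
    return None


def lan_addresses(raw):
    """Private addresses that leaked into the headers.

    If the router keeps DHCP lease logs, these can be matched against a
    MAC address; without logs they only say 'some host on that LAN'."""
    return [ip for hop in received_hops(raw)
            for ip in hop["from_ips"] if is_lan_address(ip)]


def claimed_mailer(raw):
    """Client software named by the sender; easily forged, but if it is
    present it can be compared with what is installed on a candidate PC."""
    msg = message_from_string(raw)
    return msg.get("X-Mailer") or msg.get("User-Agent")


if __name__ == "__main__":
    for n, hop in enumerate(received_hops(RAW_EMAIL)):
        print(f"hop {n}: {hop}")
    print("originating public IP:", originating_public_ip(RAW_EMAIL))
    print("LAN addresses in headers:", lan_addresses(RAW_EMAIL))
    print("claimed mailer:", claimed_mailer(RAW_EMAIL))
```

On the sample, the originating public address is the ISP-side 203.0.113.45, and 192.168.1.102 is the only clue that points at one host on that LAN; that is exactly why header evidence alone cannot say which PC, or whose PC, sent the mail without router logs, provider records for the authenticated account, or examination of the machines themselves.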
I don't know if I have missed something, but I am sure hoping this is not baffling the experts that have investigated this.
Issue is HOW TO ESTABLISH from which actual PC or which location and by whom was the hacking done whereby the email headers showed the IP address of the PC of the innocent wi-fi user.