Computer Forensics World :: View topic - Nitroba network forensics
Nitroba network forensics

 
Computer Forensics World Forum Index -> Technical Issues

stupidgal (Newbie; Joined: Jun 18, 2013; Posts: 7)
Posted: Sun Dec 08, 2013 5:52 pm    Post subject: Nitroba network forensics

Hi,

I'm actually trying to figure out this Nitroba incident, but I find it so hard to analyse this. I have used Network Miner and Wireshark to analyse it but the evidence was vague. I can conclude that Johnny is the culprit who sent the harassing emails. But what bothers me is that how did Johnny know Lily's personal email? Coincidentally, Amy and Johnny seem to be using the same laptop.

Amy is found to be "buddies" with Lily in the Yahoo (Frame 91336). I was told that frame 79732 was a chat or email by Johnny and someone I guess? How am I able to extract emails? How to verify it? I was not unable to verify that Amy did not collude with Johnny.

Is there any kind hearted soul who can help me with it? By not solving this, it really bothers me.. I need a helping hand to overcome this challenge. I give myself another day before I give up. This case is tedious!

Any help from anyone is greatly appreciated!

digitalcorpora.org/corpora/scenarios/nitroba-university-harassment-scenario

Edited: if I am not able to solve this within 12 hours, I'll give up which is by GMT+08:00 (4am)


[Edited by Admin: no direct URLs are allowed]

PreferredUser (Newbie; Joined: Jan 01, 2007; Posts: 1130; Location: USA)
Posted: Mon Dec 09, 2013 12:31 am    Post subject: Re: Nitroba network forensics

stupidgal wrote:
> But what bothers me is that how did Johnny know Lily's personal email? Coincidentally, Amy and Johnny seem to be using the same laptop.
>
> Edited: if I am not able to solve this within 12 hours, I'll give up which is by GMT+08:00 (4am)

If Johnny is running packet capture on the traffic from Lily's computer, seeing the name of her e-mail account is trivial. Perhaps Johnny was shoulder surfing. Perhaps Lily left her computer unlocked and unattended.

Are you familiar with the categorical trinity? Means, motive, opportunity are necessary to prove guilt but are not always well defined in made up scenarios.

BTW hoping to solicit an answer in your time frame is pretty bold. Especially on a weekend.

stupidgal (Newbie; Joined: Jun 18, 2013; Posts: 7)
Posted: Mon Dec 09, 2013 12:38 am

Nope. Johnny is not running packet capture on Lily's laptop.

This is a harassment case.

The culprit is either Johnny or Amy or both.

Lily is their teacher.

Edited: Sorry for the rushing time.. I just don't want to hang onto this unsolved "mystery" for days..

PreferredUser (Newbie; Joined: Jan 01, 2007; Posts: 1130; Location: USA)
Posted: Mon Dec 09, 2013 12:52 am    Post subject: Re: Nitroba network forensics

stupidgal wrote:
> Amy is found to be "buddies" with Lily in the Yahoo (Frame 91336). I was told that frame 79732 was a chat or email by Johnny and someone I guess? How am I able to extract emails? How to verify it? I was not unable to verify that Amy did not collude with Johnny.

Have you looked at 79732? It is clearly Gmail.

http://mail.google.com/mail/?ui=1&view=page&name=js&ver=167ge8cpe09rv

Your question about extracting e-mails has been covered several times on this site. If you are using Wireshark use a filter. Network Miner is not really the right tool. If you can use whatever tool you want, Xplico is a more focused tool for your needs.

stupidgal (Newbie; Joined: Jun 18, 2013; Posts: 7)
Posted: Mon Dec 09, 2013 1:09 am

I'm using both Wireshark and NetworkMiner.

Yes, my mistake. Frame 79732 is a Gmail inbox (my peer screenshotted his findings but he wanted me to learn so he did not teach me how he got it). But then I realised that frame 79732 does not seem relevant.

I'm now concerned who is the culprit. Confused

I have two assumptions.

1. Amy is the culprit. The laptop is hers. Johnny used her laptop to surf the net for Google mail but then he forgot to log out. So Amy continued using it.

2. Johnny is the culprit since all activities were done within a short seven minutes.

PreferredUser (Newbie; Joined: Jan 01, 2007; Posts: 1130; Location: USA)
Posted: Mon Dec 09, 2013 2:14 am

stupidgal wrote:
> I'm using both Wireshark and NetworkMiner.

Xplico is a better tool for extracting e-mail from pcap.


stupidgal wrote:
> I'm now concerned who is the culprit. Confused
>
> I have two assumptions.
>
> 1. Amy is the culprit. The laptop is hers. Johnny used her laptop to surf the net for Google mail but then he forgot to log out. So Amy continued using it.
>
> 2. Johnny is the culprit since all activities were done within a short seven minutes.

You are looking for a very advanced forensic concept and that is attribution or how to put the subject at the keyboard. From my reading of the scenario and looking at the pcap data there is not enough information available.

For example you might be able to say that someone with access to the laptop and access to Gmail was logged in and sent the harassing e-mail. You have no way to know unless you had physical surveillance of the laptop who did it.

What if Lily's boyfriend Timmy used to date and was dumped by Amy? Timmy hated Amy. Johnny was using the laptop and forgot to log off. Timmy happened across the laptop and sent the messages hoping to get Amy in trouble, but did not look to see that it was Johnny's Gmail account. Now you are blaming Johnny who is an innocent third party.

Too many inexperienced examiners get into trouble by giving opinion of circumstances that are not available in just the digital evidence.

Present the FACTS of what is available in the evidence. You may not be able to answer all the questions.

If your instructor counts you off because you cannot answer the questions you pose, that person is doing you a disservice by teaching you that you can.
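
An added example, not part of the original posts and not how Wireshark or Xplico work internally: once a cleartext HTTP stream has been reassembled from the pcap, a web form submission can be decoded into a record of facts only (time, source IP, URL, browser, fields), which is as far as the capture goes toward attribution. The hosts, addresses, times and field names below are constructed, not taken from the Nitroba pcap.

```python
from urllib.parse import parse_qs

# Constructed sample: (capture time, source IP, reassembled client-to-server bytes).
# Hosts, addresses and form field names are made up, not taken from the Nitroba pcap.
HDR = (b"Host: mail.example.test\r\nUser-Agent: BrowserA/1.0\r\n"
       b"Cookie: session=abc123\r\n")
FORM = b"Content-Type: application/x-www-form-urlencoded\r\n"
FLOWS = [
    ("10:01:02", "192.0.2.10", b"GET /inbox HTTP/1.1\r\n" + HDR + b"\r\n"),
    ("10:03:40", "192.0.2.10", b"POST /send HTTP/1.1\r\n" + HDR + FORM +
     b"Content-Length: 53\r\n\r\n"
     b"to=teacher%40example.test&subject=hi&body=sample+text"),
    ("10:05:11", "192.0.2.10", b"POST /send HTTP/1.1\r\n" + HDR + FORM +
     b"Content-Length: 80\r\n\r\nto=teacher%40example.test&body=cut+of"),
]

def parse_request(raw):
    """Split one reassembled HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None  # not an HTTP request line
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body

def form_posts(flows):
    """One fact record per urlencoded form POST; nothing is inferred about who typed it."""
    records = []
    for when, src, raw in flows:
        req = parse_request(raw)
        if req is None or req[0] != "POST":
            continue
        _, path, hdrs, body = req
        if not hdrs.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            continue
        declared = hdrs.get("content-length", "")
        records.append({
            "time": when, "src_ip": src, "url": hdrs.get("host", "?") + path,
            "user_agent": hdrs.get("user-agent"), "has_cookie": "cookie" in hdrs,
            "fields": {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()},
            # Body shorter than Content-Length: the capture missed segments.
            "complete": declared.isdigit() and len(body) >= int(declared),
        })
    return records
```

Both constructed POSTs share one source IP, browser string and session cookie, so the records tie the submissions to a device and a logged-in session, not to a person; the second record is flagged incomplete and its body should be reported as partial.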

stupidgal (Newbie; Joined: Jun 18, 2013; Posts: 7)
Posted: Mon Dec 09, 2013 2:38 am

That was an even better assumption. Hahaha!

Thanks for the advice!

I really appreciate it. Very Happy

PreferredUser (Newbie; Joined: Jan 01, 2007; Posts: 1130; Location: USA)
Posted: Mon Dec 09, 2013 3:56 am

If you want to delve into the pcap data let us know.

stupidgal (Newbie; Joined: Jun 18, 2013; Posts: 7)
Posted: Mon Dec 09, 2013 4:27 am

Thanks for that.

But I don't think I'll be able to do that within 6 hours. I'll give up. Ready to flunk.

All times are GMT + 10 Hours

 