E-Mail Crime Investigation- A Case Study

December 18, 2015

Researched and authored by:
Amrit Chhetri, Principal IT Security Consultant, Certified Computer Forensics Investigator/Consultant, Chief Penetration Tester, Social Media Consultant/Strategist
1. Case Summary:
Mr. Raja Chhetri worked as a Team Leader in an international BPO firm. He was a heavy social-media user, a smart and well-performing entry-level management executive, and had a taste for beautiful female friends. He suffered from psychological disorders and schizophrenic behaviour stemming from violent physical relationships with two female friends at the same time in the past. One day he received an e-mail from one of these former partners instructing him to get involved in a website-phishing business. He discussed the mail with his cousin sister, with whom he had had an illicit relationship that had ended her relationship with an NRI man; she suggested that he engage a forensic expert and file a complaint through the online complaint portal.

2. Forensic Methodology:
a. Mrs. Rupali Chhetri, working as Principal Computer Forensic Investigator, initiated the investigation as requested.
b. Mrs. Rupali visited Mr. Raja's office, photographed his desktop and removed the 1 TB Seagate HDD from his IBM desktop.
c. She took it to her forensic lab and created a bit-stream image of the HDD using FTK Imager.
d. She also created MD5 hashes of the image to cross-check the integrity of the file during the investigation and the court trial.
e. She moved the acquired image file into a folder protected and encrypted by TrueCrypt.
f. She prepared chain-of-custody documents and stored the original HDD in a forensically secure place/device.
g. Mrs. Rupali was requested to investigate the following evidence items:
i. Sender IP address
ii. Sender's IP registered address
iii. E-Mail address domain details
iv. Steganographic pictures inside the attachment
h. She started the investigation with the acquired image file. She loaded the image file into FTK/FTK Imager from the password-protected folder in the TrueCrypt volume and secured the content with encryption and passcodes.
i. An FTK search turned up MS Outlook's .PST file, and she extracted the header of the mail.
j. She analyzed the header using E-Mail Tracer Pro and generated the forensic details of the sender, place and IP address. Analysis of the same header on http://ip-address.org confirmed the result of the first examination.
k. She analyzed the e-mail domain using http://webdnstools.com and http://netcraft.com/site_report.
l. She gathered domain-registrant details using SmartWhois, http://who.godaddy.com and MegaPing.
m. She concluded that it was a public e-mail address and that she should perform further investigation.
n. She extracted the hosting company's details using IPNetInfo and requested from its admin the owner's registered records, IP addresses and login locations for the period given by E-Mail Tracer Pro.
o. She analyzed the mail-server logs received from the hosting/mail-hosting company using LogAnalyzer and found that the sender had accessed the mail account from her own desktop to send the mail.
p. She asked the company security officer for video footage of the entire office for the period when the e-mail was sent.
q. She also analyzed the video footage using VideoClear and VirtualDub; the analysis indicated that the sender was present at her desk at the time the mail was sent.
r. She also loaded the attachment of the e-mail into Stegdetect, but it was free of steganographic content.
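Two of the steps above (the MD5 hashing of step d and the header analysis of steps i and j) are mechanical enough to show in code. The following Python is an added example, not part of the case study and not the author's own tooling. The disk image is a constructed byte string, the message is a constructed `.eml` whose hosts and addresses use reserved documentation ranges, and `example-corp.test` stands in for the firm's own mail servers. It also goes one step beyond the text: it separates the sender IP the whole `Received` chain *claims* (what a header tracer reports) from the IP the examiner can actually *attest*, which is why the case still had to request the hosting company's own logs in steps n and o.

```python
import email
import hashlib
import ipaddress
import re
from typing import Optional

# ---- Steps c and d: digests of the acquired image --------------------------

# Constructed stand-in for the bit-stream image (not a real disk image).
SAMPLE_IMAGE_BYTES = bytes(range(256)) * 4


def hash_image(data: bytes) -> dict:
    """Digest an image at acquisition. The case records MD5; SHA-256 is added
    because MD5 collisions are practical and a second digest is cheap to carry
    on the chain-of-custody form."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify_image(data: bytes, recorded: dict) -> bool:
    """Re-hash the working copy and compare with the recorded digests."""
    current = hash_image(data)
    return all(current.get(alg) == digest for alg, digest in recorded.items())


# ---- Steps i and j: sender IP from the Received chain ----------------------

# Constructed message: three hops, newest Received header first.
SAMPLE_EML = """\
Received: from mx.example-corp.test (mx.example-corp.test [203.0.113.25])
    by mail.example-corp.test with ESMTP id abc123
    for <raja@example-corp.test>; Mon, 14 Dec 2015 09:15:02 +0530
Received: from webmail.freemail-example.test (webmail.freemail-example.test [198.51.100.7])
    by mx.example-corp.test with ESMTPS id def456; Mon, 14 Dec 2015 09:15:01 +0530
Received: from [192.168.1.20] (unknown [192.0.2.44])
    by webmail.freemail-example.test with HTTP; Mon, 14 Dec 2015 09:14:58 +0530
From: "A. Friend" <afriend@freemail-example.test>
To: raja@example-corp.test
Subject: opportunity
Message-ID: <20151214091458.1234@freemail-example.test>

Hello
"""

# Relays the firm controls (assumed): the Received lines they wrote can be
# attested; anything below them was supplied by the sender's side.
TRUSTED_HOSTS = {"mail.example-corp.test", "mx.example-corp.test"}

# The stdlib flags documentation ranges (192.0.2.0/24 etc.) as non-global, so
# RFC 1918, loopback and link-local ranges are listed explicitly instead.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _valid_ipv4(text: str) -> bool:
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def parse_received(header: str) -> dict:
    """Split one Received header into the relay that wrote it ("by") and the
    IPv4 literals it recorded for the previous hop (the "from" clause)."""
    text = re.sub(r"\s+", " ", header).strip()       # unfold continuation lines
    from_part = re.split(r"\bby\b", text, maxsplit=1)[0]
    by_match = re.search(r"\bby\s+([\w.\-]+)", text)
    return {"by": by_match.group(1) if by_match else None,
            "from_ips": [ip for ip in IPV4.findall(from_part) if _valid_ipv4(ip)]}


def received_chain(raw_message: str) -> list:
    """Parsed Received headers in header order (newest hop first)."""
    msg = email.message_from_string(raw_message)
    return [parse_received(h) for h in msg.get_all("Received", [])]


def claimed_origin_ip(chain: list) -> Optional[str]:
    """What the whole chain claims: first non-internal IP of the earliest hop.
    Only as honest as the lowest relays, which the sender may control."""
    for hop in reversed(chain):
        for ip in hop["from_ips"]:
            if not is_internal(ip):
                return ip
    return None


def verified_hop_ip(chain: list, trusted_hosts: set) -> Optional[str]:
    """Deepest IP recorded by a relay we control: the furthest point the
    examiner can attest without the upstream provider's logs."""
    for hop in reversed(chain):
        if hop["by"] in trusted_hosts:
            for ip in hop["from_ips"]:
                if not is_internal(ip):
                    return ip
    return None


if __name__ == "__main__":
    recorded = hash_image(SAMPLE_IMAGE_BYTES)          # noted at acquisition
    print("image intact:", verify_image(SAMPLE_IMAGE_BYTES, recorded))
    chain = received_chain(SAMPLE_EML)
    print("claimed origin:", claimed_origin_ip(chain))          # 192.0.2.44
    print("attestable hop:", verified_hop_ip(chain, TRUSTED_HOSTS))  # 198.51.100.7
```

On the constructed message the two answers differ: the chain claims the mail came from 192.0.2.44, but the firm's own relays only ever saw the free-mail provider at 198.51.100.7. The lower `Received` line is the provider's word, not the examiner's, which is exactly the gap the case closes by obtaining the provider's server logs and correlating them with the office footage.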

3. Trials and Prosecution:
Based on the report prepared and produced, the Indian Criminal Court issued a notice directing her to appear in a Court of Law, and she was later arrested on charges of cheating, conspiracy, destruction of digital devices and misuse of electronic communications for personal benefit.
(The names have been changed for privacy reasons.)

9 Comments
  1. All that because someone asked him to jump in on a phishing scam ring? A recorded phone call would have sufficed. I understand why you created a case study, but there was no reason to perform extensive digital forensics procedures on his personal hard drive because of one email. Take a screenshot of email and header, and be done with it.

    Better case study would be that Raja was fired for sexual harassment and decided to steal passwords from his former employers/employees and sell them, and the company hired a person like his “cousin sister” and go from there.

    Purchase this book, as it is one that I have used in school and it has case studies in it also. It tells you how to use the forensic tools like the FTK imager that you mentioned.

    I love the world of digital forensics, and I am glad that you have an interest in it, but a phishing scam is not a real world scenario for digital forensics unless you have the suspect's physical computer. Even then it may not help since a smart person would use VMs and you can't do the same with the VM disk, provided you do not have access to the VM (password, file location, etc.).

    link to text
    https://www.amazon.com/Guide-Computer-Forensics-Investigations-DVD/dp/1285060032/ref=sr_1_9?ie=UTF8&qid=1490632652&sr=8-9&keywords=digital+forensics
