E-Mail Crime Investigation A Case Study
Researched and Authorized by:
Amrit Chhetri, Principal IT Security Consultant, Certified Computer Forensics Investigator/Consultant, Chief Penetration Tester, Social Media Consultant/Strategist
1. Case Summary:
Mr. Raja Chhetri worked as a Team Leader in an international BPO firm. He was a social media freak, smart and well performing entry-level management executive and had good taste of beautiful female friends. He had some psychological disorders and schizophrenic behaviors due to violent physical relationships with two female friends at same time in the past. One day he received an e-mail from one of the female partners of past and he was instructed to get involved in Website Phishing business. He discussed the mail with his cousin sister. She, with who enjoyed an illicit relationship that had ended her relationship with an NRI guy, suggested him to take service of Forensic expert and to make a complaint through online complaint portal.
2. Forensic Methodology:
a. Mrs. Rupali Chhetri working as Principal Computer Forensic Investigator initiated the investigation as requested.b. Mrs. Rupali visited Mr. Raja’s office, photographed his desktop and removed 1 TB Segate HDD from his IBM Desktop.c. She took it to his Forensic Lab and created bit-stream image of the HDD using FTK Imager.d. She also created MD5 Hashes of the image to cross-check the integrity of the file during the investigation and court-trial.e. She moved the acquired image file into a folder protected and encrypted by TrueCrypt.f. She prepared Chain-Of-Custody documents and stored the original HDD in a forensically secure place/device.g. Mrs. Rupali was requested to investigate the following evidences files:i. Sender IP addressii. Sender’s IP registered addressiii. E-Mail address domain detailsiv. Steganographic pictures inside the attachmenth. She started the investigation with acquired image file. He loaded the image file in FTK/FTK Image from password protected folder in TrueCrypt file and secured the content with encryption and passcodes.i. FTK search showed up MS Outlook’s .PST file and she extracted the header file of the mail.j. She analyzed the header using E-Mail Tracer Pro and generated the Forensic details of sender, place and IP address. The analysis of the same on http://ip-address.org also confirmed the result of the first examination.k. She analyzed the email domain using http://webdnstools.com and http://netcraft.com/sitereportl. She gathered domain registrant details using SmartWhois and http://who.godaddy.com and MegaPing.m. She concluded herself, it was a public email address and she should perform further investigation.n. She extracted hosting company’s details using Ipnetinfo and she also requested the admin for owner’s registered records, IP address and places of logins for the period given by E-Mail Tracer Pro.o. She analyzed the mail-server logs received from hosting/mail-hosting company using LogAnalyzer and found that the sender had accessed the mail-account from her desktop to send the mail.p. She asked the company security officer for video footage of entire office for the period when email was sent.q. She aslo analyzed the video footage using VideoClear and VirtualDub; analysis indicated she was present on her desk in the time of sending the mail.r. She also loaded attachment of the e-mail inside Stegdetect but it was free of stenographic message/content.
3. Trials and Prosecution:
Based on report prepared and produced, Indian Criminal Court issued a notice directing her to be present in Court of Law and later she was arrested in the charge of cheating, conspiracy, destruction of digital devices and misusing electronic communications for personal benefits.( The names are changed for privacy reasons)
