To prevent further information leakage, all incoming e-mails are forwarded to a temporary alias e-mail address. One of the IT personnel is then assigned to feed the original mailbox with fabricated but realistic-looking information, so that the criminal keeps watching the mailbox.
Digital evidence collection and reduction:
In this phase, every SMTP mail-relay, POP, IMAP and web connection that tries to access this specific mailbox should be recorded and logged. Because individual mailboxes cannot be told apart while TCP connections are being intercepted, we need to recover the contents of all TCP packets entering and leaving the mail server; once the information has been recovered, we filter out the unwanted data and keep only what is necessary.
To intercept the packets we can run Ethereal at a bottleneck of the network or on the mail server itself. Ethereal has a very useful feature that reconstructs a fragmented TCP stream from the captured network packets. However, we may also need the NetIntercept software, which can deal with MIME contents.
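The two steps just described, reassembling the captured TCP segments into per-connection streams and then reducing the capture to the sessions that actually name the monitored mailbox, as an added example in Python (not from the original essay, and not Ethereal's or NetIntercept's code). The segments, addresses, ports and the mailbox name are constructed placeholders; the reassembler handles out-of-order segments, retransmissions and holes in the capture, which is what a real sniffer trace looks like.

```python
"""Reassemble captured TCP segments into one byte stream per connection and
keep only the sessions that touch the monitored (decoy) mailbox.

Added example, not part of the original essay. The segments below are
constructed by hand (out of order, with a retransmission) to stand in for
what a sniffer at a network choke point or on the mail server would record.
Addresses, ports and the mailbox name are placeholders.
"""
from collections import defaultdict

MONITORED_MAILBOX = b"decoy.alias"   # the alias the IT staff are feeding

# Constructed capture: (source, destination, TCP sequence number, payload).
# Destination port 110 = POP3, 143 = IMAP, 25 = SMTP.
SEGMENTS = [
    ("203.0.113.7:40112",  "192.0.2.10:110", 118, b"PASS hunter2\r\n"),
    ("203.0.113.7:40112",  "192.0.2.10:110", 100, b"USER decoy.alias\r\n"),
    ("203.0.113.7:40112",  "192.0.2.10:110", 118, b"PASS hunter2\r\n"),   # retransmit
    ("203.0.113.7:40112",  "192.0.2.10:110", 132, b"LIST\r\n"),
    ("198.51.100.4:51000", "192.0.2.10:25",  1,   b"MAIL FROM:<a@example.org>\r\n"),
    ("198.51.100.4:51000", "192.0.2.10:25",  28,  b"RCPT TO:<someone.else@example.com>\r\n"),
    ("192.0.2.55:43210",   "192.0.2.10:25",  1,   b"MAIL FROM:<b@example.net>\r\n"),
    ("192.0.2.55:43210",   "192.0.2.10:25",  28,  b"RCPT TO:<decoy.alias@example.com>\r\n"),
    ("203.0.113.7:40250",  "192.0.2.10:143", 1,   b"a001 LOGIN decoy.alias hunter2\r\n"),
]


def reassemble(segments):
    """Return {(src, dst): (stream_bytes, missing_bytes)}.

    Segments are sorted by sequence number; full retransmissions are dropped,
    partial overlaps are trimmed, and a hole in the capture is counted rather
    than silently ignored so the examiner knows the stream is incomplete.
    """
    by_conn = defaultdict(list)
    for src, dst, seq, payload in segments:
        by_conn[(src, dst)].append((seq, payload))

    streams = {}
    for conn, segs in by_conn.items():
        segs.sort(key=lambda s: s[0])
        data, missing = bytearray(), 0
        expected = segs[0][0]
        for seq, payload in segs:
            end = seq + len(payload)
            if end <= expected:          # pure retransmission: already have it
                continue
            if seq < expected:           # partial overlap: keep only the new tail
                payload = payload[expected - seq:]
                seq = expected
            if seq > expected:           # hole in the capture: count it, keep going
                missing += seq - expected
            data.extend(payload)
            expected = end
        streams[conn] = (bytes(data), missing)
    return streams


def sessions_touching_mailbox(streams, mailbox=MONITORED_MAILBOX):
    """Reduction step: keep only connections whose protocol commands name the
    mailbox (POP3 USER, IMAP LOGIN, SMTP RCPT TO)."""
    keep = {}
    for conn, (data, _missing) in streams.items():
        for line in data.split(b"\r\n"):
            upper = line.upper()
            names_user = upper.startswith((b"USER ", b"RCPT TO:")) or b" LOGIN " in upper
            if names_user and mailbox.lower() in line.lower():
                keep[conn] = data
                break
    return keep


if __name__ == "__main__":
    for conn, data in sessions_touching_mailbox(reassemble(SEGMENTS)).items():
        print(conn, data)
```

Of the four reconstructed connections, three reference the decoy alias (one POP3 login, one IMAP login, one SMTP delivery) and the unrelated SMTP relay session is discarded; the `missing` counter is what you would cite when explaining to a court why a stream is incomplete.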
After that, we need to identify the offender. What we have at hand is his modus operandi and the times at which he tries to intrude. The time might reveal the time zone of the place where he lives and lead us to the relevant public IP address databases, such as arin.net and ripe.net; checking the IP address there leads us to the geographical location of the person performing this illegal activity. If the IP address has not been registered by its owner, we need to start from the upper layers and work down until we get some results.
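What "the time might reveal the time zone" amounts to in practice, as an added example (not from the original essay): bucket the access timestamps of the decoy mailbox by hour and list the UTC offsets under which all of the activity falls inside normal waking hours. The log lines are constructed, and the waking-hours window is an assumed heuristic; the result narrows the search rather than pinpointing a location, and is only a lead to be confirmed against the registry lookup and the ISP logs.

```python
"""Characterise when the intruder is active and which time zones that is
consistent with. Added example; the log lines are constructed and the
08:00-23:00 "waking hours" window is an assumption, not a rule."""
from collections import Counter
from datetime import datetime, timezone

# Constructed mail-server log: UTC timestamp, protocol, event, mailbox, source.
LOG = """\
2006-11-20T02:14:07Z POP3 LOGIN decoy.alias from 203.0.113.7
2006-11-21T03:02:55Z POP3 LOGIN decoy.alias from 203.0.113.7
2006-11-22T02:48:19Z IMAP LOGIN decoy.alias from 203.0.113.7
2006-11-23T23:30:01Z POP3 LOGIN decoy.alias from 203.0.113.7
2006-11-24T01:55:40Z POP3 LOGIN decoy.alias from 203.0.113.7
"""


def parse_hours(log):
    """Return the UTC hour of each access recorded in the log."""
    hours = []
    for line in log.splitlines():
        stamp = line.split(" ", 1)[0]
        dt = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        hours.append(dt.hour)
    return hours


def activity_by_hour(hours):
    """Histogram of accesses per UTC hour: part of the offender's MO."""
    return Counter(hours)


def candidate_offsets(hours, waking=(8, 23)):
    """Whole-hour UTC offsets (-12..+14) that place every observed access
    inside the assumed waking window [waking[0], waking[1]] local time."""
    out = []
    for off in range(-12, 15):
        local = [(h + off) % 24 for h in hours]
        if all(waking[0] <= h <= waking[1] for h in local):
            out.append(off)
    return out


if __name__ == "__main__":
    hours = parse_hours(LOG)
    print("accesses per UTC hour:", sorted(activity_by_hour(hours).items()))
    print("UTC offsets consistent with waking-hours activity:", candidate_offsets(hours))
```

On the constructed log the accesses cluster around 01:00-03:00 UTC, which is consistent with the Americas in the afternoon or evening, or with East Asia and Oceania in the morning; that ambiguity is exactly why the timing is only a lead, to be resolved by the registry lookup and the ISP records.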
After finding the originating IP address of the offender, we need to investigate the ISP's log files for any clues and collect evidential data from its servers. As we discussed this week, the administrator of that ISP should be cooperative, and we may need the relevant warrants in order to reach the server logs.
If the server log files are unavailable, since we know the ISP we can install our own equipment there (we might need a warrant for this as well), intercept the network traffic, collect the necessary data and recover the communication content.
As soon as we receive any traffic towards our mail server, we would try to retrieve the phone number of the ISP subscriber who is committing this criminal activity.
After all this, we should have the following items:
- Traffic logs and analysis of our mail server
- Modus Operandi (MO) of the offender and the times at which he is able to begin his attacks
- The IP address and the network name that the offender uses to commit the crime.
- Log files and all other evidence from the offender's ISP.
- Physical address of the offender
- Accompanying documents that compose the chain of custody
Although we have all this evidence, we might still need to capture the offender at the time he commits the crime; this depends on the laws and regulations of the jurisdiction.
We might also need to search his premises in order to seize any potential evidence that can prove this case or other similar offences committed by this person. To search his premises, we obviously need the relevant permissions and warrants.
In parallel, we need to have a lawsuit open against our suspect, so that the trial can commence as soon as the offender is arrested.
Note: This article is prepared for the University of Liverpool.