Computer Forensics World :: View topic - Please help my friend avoid bankruptcy!

Forum: Computer Forensics World Forum Index -> General Computer Forensic Issues

concerned_friend (Newbie)
Joined: Nov 30, 2014
Posts: 6

Posted: Mon Dec 01, 2014 3:16 am    Post subject: Please help my friend avoid bankruptcy!

Hi

I am trying to help a friend who is in a legal dispute and cannot afford the expense of computer forensic experts investigating a litigation issue. The court case has already nearly bankrupted her. In a nutshell, she was conned by someone and tried to sue them for her lost savings. The con artist has used the age-old trick of dragging and convoluting legal matters so much in order to make her mentally break, or win by default when she can no longer proceed due to finances.

She is close to a nervous breakdown but I am desperately hoping that I have found something that might be a lifeline (at least to risk further legal expense to pursue it). In short I think the other party has forged an email on MS Outlook, to change what had originally been said.

The legal side were able to get the header data from the email sent. Here it is. I have replaced anything personal with Mr X and Mr Y, but if anyone thinks that any of the code data is in any way relatable to someone, let me know and I will alter it.

From: "mr y" <IMCEAEX-_O=mrx_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=mry@mrx.com>
To: "Mr X" <mrx@mrx.com>
Subject:
Date: Mon, 17 Aug 2009 14:23:23 -0000
Message-ID: <B9AEF2610B5B734B81B7BDE3C129B391208A51@sbsserver.mrx.local>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_000A_01CFF364.6F6D0A90"
X-Mailer: Microsoft Outlook 14.0
Content-class: urn:content-classes:message
Thread-Index: AQLnkjSJuPJ9m0ea4HGGL5Wbzj+Zsg==

I might be clutching at straws, but it was noticed that “X-Mailer: Microsoft Outlook 14.0” was mentioned in the header data. With my very limited knowledge, I think this relates to the Outlook build which was only released with Microsoft Office 2010 which was only released in mid-2010, but the email date stamp is Aug 2009.

Please can someone tell me if this is relevant? If someone can confirm that it is ‘not possible’ for the X-Mailer entry to say that if it were sent in 2009, then I think we can go down the lines of further investigation. This would involve applying to the court to get hold of computers used etc.

Anyway I am hoping someone can help. My friend is in desperate need of a bit of luck. Any help or pointers would be most gratefully received.

Please help!
Concerned Friend

athulin (Newbie)
Joined: Oct 19, 2007
Posts: 237

Posted: Mon Dec 01, 2014 4:25 am    Post subject: Re: Please help my friend avoid bankruptcy!

concerned_friend wrote:
With my very limited knowledge, I think this relates to the Outlook build which was only released with Microsoft Office 2010 which was only released in mid-2010, but the email date stamp is Aug 2009.

As far as the regular version goes, yes. However, there are such things as alpha and beta versions that appear earlier -- and there seems to have been a leak of an early internal version of 2010 in August, 2009 (which is mentioned in the Wikipedia page on 'Office 2010').
On Wikipedia, also, a Technical Preview of Office 2010 from July 2009 is mentioned.

I can't say how those versions identified themselves, though. The leaked version seems to have been made into a pirate torrent -- in which case, it might be available somewhere still, and it might consequently be possible to check.

I assume you as part of the depersonalization also edited the time zone offset into -0000, right? It seemed a bit strange ...

'sbsserver'? Small Business Server?

concerned_friend (Newbie)
Joined: Nov 30, 2014
Posts: 6

Posted: Mon Dec 01, 2014 10:07 pm

Hi

Thanks for replying!

I only edited out stuff that identified the company name and the to/from parties. I know next to nothing about this sort of thing.

I never touched the timezone. It's true we are in the UK so it's GMT; would this explain the 0000? GMT also explains the delay in replying to you!

sbsserver - no idea! This email is allegedly sent from one team member to another, within the company that ripped off my friend. It is part of their submission including the email headers.

They are relying on it to prove something happened on a certain date. If there was strong doubt cast on it, it would weaken their position. If it was proved to be faked, well they would be in serious trouble.

I get what you say about the early leaked version. That would be disappointing if they claim something like this. Of course it's impossible; they are a small business with multiple small computers, I highly doubt they would know or rush to get some early beta version, when they would already be working just fine on the prior version.

Is there any way we could put that debate to bed though? Would a deeper analysis show that the Outlook was in fact part of a purchased MS suite?

Sorry - clutching at straws here. My friend has already been scammed for her entire life savings, and now the fight to get it back could end up losing her home and being forced to give up the fight.

Anyway I appreciate anything you can throw me.

Regards
CF

cybercop (Newbie)
Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Tue Dec 02, 2014 1:24 am

Compare headers from other emails submitted as evidence. You are going to end up needing an expert to testify. Forging an email is a very simple task; however, the court won't take your word for it.

concerned_friend (Newbie)
Joined: Nov 30, 2014
Posts: 6

Posted: Tue Dec 02, 2014 6:38 pm

Can you please list any other forums where my question might be seen by more traffic, or might be better suited to ask there?

I know you have offered help - but who knows, somewhere else I may land on an expert who has dealt with the same thing before or who has a more definitive and conclusive answer for me.

Thanks again.

cybercop (Newbie)
Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Wed Dec 03, 2014 2:03 am

All I can say is WOW. This forum has most of the top forensics experts in the world as members. Most experts have dealt with something as simple as email headers. You need an expert. You need an expert to actually review ALL of the emails introduced as evidence. Looking at modified headers without the actual evidence in hand leaves anybody that looks at it in a situation where they must offer possible scenarios but nothing more. Hire an expert.

concerned_friend (Newbie)
Joined: Nov 30, 2014
Posts: 6

Posted: Wed Dec 03, 2014 2:53 am

Hi Cybercop

Thank you for your reply. There is no need for sarcasm with your WOW comment.

This is not my field and I do not know the reputation of this forum, what experts are present, or anything else. If it's offensive to ask about other sources / forums, I apologise for my ignorance.

All I am trying to do is get help for a friend in desperate need. I am a complete layman about any IT issues, let alone this specialism. I didn't even know forums like this existed!

I appreciate that an expert will need to be hired, IF and ONLY IF it is worth going that far. My friend is verging on bankruptcy as explained and cannot hire an expert on a wing and a prayer.

So - I am trying to establish if there is anything of substance FIRST, before large sums of life savings are spent. On the basis of what I have provided so far (all that is available so far) - what do you think?

Thank you for your reply i have noted your points.

cybercop (Newbie)
Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Wed Dec 03, 2014 7:08 am

It is impossible to tell if there is anything there without more evidence to compare it to. In reality, what you need are the computers that were used to send the emails and probably the email server since it is an in-house email system. There is nothing that can be determined looking at an excerpt from an email header that has been modified.

concerned_friend (Newbie)
Joined: Nov 30, 2014
Posts: 6

Posted: Wed Dec 03, 2014 8:02 am

Hi

Treat me as dim. Are you saying the email header has been clearly modified by me (taking out names), or by the company (the other stuff)?

Someone on another forum I went to wrote this:

Quote:
"By the way, that e-mail header is incomplete if it was ever sent.

Any and all SMTP messages will have at least a single "Received:" line, even if the message is on the same mail server.

Furthermore, presuming Microsoft Small Business Server (from the sbsserver), there would be at least half a dozen other X- tags in the message.

What happened at the meet & confer? Where is all the discovery material from the other party? Much of this should never have been coming in this format from the other side."

Sorry for being thick. I am hoping you can say the email was tampered with in ways other than what I did with the identities...

cybercop (Newbie)
Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Wed Dec 03, 2014 1:38 pm

I found your other forum question earlier. I was referring to your sanitizing it. As far as comments from the other forum, they are correct. The headers you posted are missing quite a bit of information. If the emails were introduced as evidence exactly as you posted (without your sanitization of mrx and mry) then it is a very simple task of proving that the emails are poor forgeries at best. The issue is, you can't go into court and say "this isn't right, it should be like this". It will take an expert going in and telling them "these are forged and here is why".

Again, we are all (both forums) working on an assumption that you have copied all of the headers and posted them without leaving any out.

In the end, it will take an expert to determine the validity of emails.
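The three header checks this thread turns on (no Received: line, the -0000 zone that athulin queried, and the X-Mailer version against the Date: stamp) can be scripted. This is an added example, not code posted by anyone in the thread; it assumes Outlook 14.0's retail release date of 15 June 2010 and runs over the sanitized header block from the first post, and a hit is a reason to seek the originating machines, not proof on its own.

```python
import email
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the sanitized header block quoted in the thread, folded lines re-joined.
SAMPLE_HEADERS = """\
From: "mr y" <IMCEAEX-_O=mrx_OU=FIRST+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=mry@mrx.com>
To: "Mr X" <mrx@mrx.com>
Subject:
Date: Mon, 17 Aug 2009 14:23:23 -0000
Message-ID: <B9AEF2610B5B734B81B7BDE3C129B391208A51@sbsserver.mrx.local>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_000A_01CFF364.6F6D0A90"
X-Mailer: Microsoft Outlook 14.0
Content-class: urn:content-classes:message
Thread-Index: AQLnkjSJuPJ9m0ea4HGGL5Wbzj+Zsg==
"""

# Assumption: earliest retail availability per X-Mailer string. Outlook 14.0 shipped with
# Office 2010 (generally available 15 June 2010); the thread notes pre-release builds existed.
EARLIEST_RETAIL = {"Microsoft Outlook 14.0": datetime(2010, 6, 15, tzinfo=timezone.utc)}


def check_headers(raw: str) -> list:
    """Return consistency findings for one RFC 5322 header block (empty list = nothing odd)."""
    msg = email.message_from_string(raw)
    findings = []
    # 1. SMTP delivery adds at least one Received: line even on a single in-house server,
    #    so a transcript with none is incomplete or has been edited.
    if not msg.get_all("Received"):
        findings.append("no Received: header; transcript is incomplete or was not SMTP-delivered")
    # 2. Per RFC 5322 section 3.3 a "-0000" zone means UTC with the originator's local
    #    zone unknown; parsedate_to_datetime signals it by returning a naive datetime.
    sent = parsedate_to_datetime(msg["Date"])
    if sent.tzinfo is None:
        findings.append("Date: zone is -0000 (local zone unknown), unusual for a client-sent message")
        sent = sent.replace(tzinfo=timezone.utc)
    # 3. Client version versus the claimed send date: a hit is a lead to follow up on the
    #    originating machine, not proof of forgery, since pre-release builds circulated earlier.
    mailer = (msg.get("X-Mailer") or "").strip()
    release = EARLIEST_RETAIL.get(mailer)
    if release and sent < release:
        findings.append(f"X-Mailer '{mailer}' predates its retail release "
                        f"({release:%Y-%m-%d}) by {(release - sent).days} days")
    return findings
```

Calling check_headers(SAMPLE_HEADERS) returns all three findings for the posted block, and an empty list for a block with a Received: line, a real zone offset and a plausible date.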

concerned_friend (Newbie)
Joined: Nov 30, 2014
Posts: 6

Posted: Wed Dec 03, 2014 6:58 pm

Hi

I really do appreciate your comments.

Yes the only alterations were where you see Mr X and Mr Y. You are right, there is less X-mailer data because this is essentially an 'internal' email between X and Y.

So I think this thread is enough to demonstrate that it is worth pursuing this route (showing the email was forged).

The other side produced this and had an expert forensic IT guy give a written witness testimony to say in his expert opinion it should be considered genuine. This production of the email along with the expert opinion was the first time my friend was aware this email existed (and it arrived at the 11th hour).

Thanks for your help!
All times are GMT + 10 Hours