Digital Forensic Review
An analysis of Spoofed Email
Hoyts

Information Defense Pty Ltd (ABN 90 135 141 347)
Digital Forensic Analysis
Date: 15 April 2010
Analyst: Craig S Wright

1. Table of Contents

2. Executive Summary ... 3
3. Introduction ... 4
4. Scope of Engagement ... 5
5. Analysis Conducted & Findings ... 6
6. Conclusion ... 8
7. Appendix 1 - Email Analysis ... 9
8. Appendix 2 - Site Analysis ... 11
IP and Domain Information Sources ... 14

2. Executive Summary

This report details the analysis of a defamatory spoofed email. This email was sent on Fri, 2nd Apr 2010 and was supposedly sent from “Anthony Thiessen” to “Delfin Fernandez”. The email was actually sent from a server in the UK, web230.extendcp.co.uk. This is a commercial web hosting server. Evidence shows that a former employee of Hoyts, Jasmin, had been using this site extensively.

2.1. On 02 Apr 2010, a spoofed defamatory email was sent from an Internet hosting company site.
2.2. Between Feb 2010 and Mar 2010, the hosting site web230.extendcp.co.uk ([79.170.40.230]) had been accessed several times from within the Hoyts network.
2.3. The primary server used to access the web hosting company was 10.1.1.210 - HOYTS_MAC1 (assigned to Kamini Chetty). The server 10.1.1.207 - HOYTS_MAC2 (assigned to Sue Cindric) was also used frequently.
2.4. A former employee of Hoyts, Jasmin, had been using both Mac hosts in Hoyts.
2.5. Use of the host was confirmed using logs from the Mac host and interviews with staff at Hoyts.
2.6. A discussion of the times when employees worked was held with the HR manager at Hoyts.
2.7. Access to the hosting site was made at times when Sue and Kamini were not at work. At all times when the access was made, Jasmin was at work.
2.8. A level of evidence sufficient for a civil matter points to Jasmin having sent the spoofed emails.
2.9. It would be possible to subpoena the hosting company to obtain the user lists for the server and the access logs. It is believed that this would provide a level of evidence suitable for a criminal matter if this option is pursued.

3. Introduction

3.1. This statement made by me, Craig Wright, a Director of Information Defense Pty Ltd (“Information Defense”), accurately sets out the evidence that I would be prepared to present to the Court as a witness. This statement is true to the best of my knowledge and is made in awareness of the fact that I would be liable to prosecution in the event that I wilfully state anything that I know to be false or do not believe to be true. My Curriculum Vitae is attached as Appendix 2.
3.2. This report has been prepared for THE HOYTS CORPORATION PTY LIMITED.
3.3. On 07 Apr 2010, I was contacted regarding the analysis of a spoofed email that had been collected by staff of Hoyts for the purpose of analysis. I was requested to conduct a digital forensic analysis of the emails and to trace the connection to the sender of this email.

4. Scope of Engagement

4.1. The initial scope of the digital forensic engagement was limited to:
4.1.1. Tracing the source of the email;
4.1.2. Analysing logs, websites and data associated with the spoofed email; and
4.1.3. Determining how and where the email originated.

5. Analysis Conducted & Findings

5.1. As per the scope of the engagement, the web and email sites linked to the spoofed email were analysed.
5.2. The remote site where the spoofed email originated was extendcp.co.uk.
    Registrant: Heart Internet Ltd
    Registrant type: UK Limited Company (Company number: 4866768)
    Registrant's address: 2 Castle Quay, Castle Boulevard, Nottingham, Nottinghamshire, NG7 1FW, United Kingdom
5.3. The server web230.extendcp.co.uk is a commercial hosting server managed by Heart Internet in the UK.
5.4. A local account was used to send the email from this server.
5.5. The server was accessed extensively by a former employee, Jasmin, between Feb 2010 and Mar 2010.
5.6. The only person at Hoyts who was present at all times that the system primarily used to access this server (10.1.1.210) was in use was Jasmin. Other people in Hoyts who had access to the system 10.1.1.210 were not available at all times that the hosting server was accessed.
5.7. In the week ending the 26th March, Jasmin and Kamini were in the office, but Sue was not, on the days that connections to the hosting server were made.
5.8. On these days, connections were made when Jasmin was in the office but Kamini was not.
5.9. On selected days when Sue was not in the office, Sue’s Mac computer was used. This demonstrates that some level of account sharing was occurring.
5.10. At times when Kamini was not in the office, her Mac computer was used to access the Internet. This access was made using Kamini’s account.
5.11. Windows logs correlate with the times when Kamini, Sue and Jasmin were in the office. Email access by these three people correlates with the times that they were physically in the office.
5.12. The access to the hosting server occurs when Jasmin is in the office. There are no occurrences of the server being accessed when Jasmin is not in the office.
5.13. Access to the server does occur when Sue and Kamini are not in the office.
5.14. Jasmin was either accessing this server alone, or other people accessed it only when Jasmin was available.
5.15. All access to the hosting site from within the Hoyts network stopped on the 26th Mar 2010. Jasmin has not accessed the office from this date.
5.16. Heart Internet is a web-based commercial hosting company.
5.17. Under UK law, all web access records are required to be held for at least 90 days. All account records are required to be held for over 12 months.
5.18. Heart Internet will have records of the users and accesses from the Hoyts network, together with financial details. This is further evidence of the use of the system and would be sufficient to conclusively prove the sender's real identity.
5.19. There is circumstantial evidence connecting Jasmin to the sending of the spoofed email:
5.19.1. Jasmin used (and had an account with) the commercial hosting company from within Hoyts.
5.19.2. The same server was later used to send the spoofed email.
5.19.3. No other users within Hoyts had been accessing the hosting server.
5.20. The abuse contact information for Heart Internet (for the reporting of user violations) is:
    Person: Jonathan Brealey
    Address: 2 Castle Quay, Castle Boulevard, Nottingham. NG7 1FW
    Abuse-mailbox: [email protected]

6. Conclusion

6.1. The email was spoofed.
6.2. The creator of the email was most likely a former employee of Hoyts, Jasmin.
6.3. The web hosting company (Heart Internet) could be subpoenaed to provide evidence that would be beyond reasonable doubt if a civil or criminal case is initiated.
6.4. The email was not sent by Anthony Thiessen; it was a defamatory attack designed to assault his character.
Craig S. Wright
Director, Information Defense
Information Defense Pty Ltd
15 Apr 2010

7. Appendix 1 - Email Analysis

Overview

1. The following is the email that was received on the 02nd April 2010. The email headers for this email follow.

Microsoft Mail Internet Headers Version 2.0
Received: from mail87.messagelabs.com ([216.82.250.19]) by smtp.hoyts.com.au with Microsoft SMTPSVC(6.0.3790.3959); Fri, 2 Apr 2010 15:09:30 +1100
X-VirusChecked: Checked
X-Env-Sender: [email protected]
X-Msg-Ref: server-5.tower-87.messagelabs.com!1270181335!62779103!1
X-StarScan-Version: 6.2.4; banners=-,-,-
X-Originating-IP: [79.170.40.27]
X-SpamReason: No, hits=2.0 required=7.0 tests=msgid: No Message-ID, sa_preprocessor: VHJ1c3RlZCBJUDogNzkuMTcwLjQwLjI3ID0+IDIyNjE0\n
Received: (qmail 16814 invoked from network); 2 Apr 2010 04:08:57 -0000
Received: from mail27.extendcp.co.uk (HELO mail27.extendcp.co.uk) (79.170.40.27) by server-5.tower-87.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 2 Apr 2010 04:08:57 -0000
Received: from web230.extendcp.co.uk ([79.170.40.230] helo=localhost) by mail27.extendcp.com with esmtpa (Exim 4.70) id 1NxYBg-00034I-NP for [email protected]; Fri, 02 Apr 2010 05:08:52 +0100
From: Anthony Thiessen
To: [email protected]
Subject: Delfin, you are a total arsehole
Content-type: text/html
Return-Path: [email protected]
Message-ID:
X-OriginalArrivalTime: 02 Apr 2010 04:09:30.0760 (UTC) FILETIME=[4B49F080:01CAD21A]
Date: 2 Apr 2010 15:09:30 +1100

Analysis of Email

The email was sent from the Internet and not from within Hoyts. The originating IP address is 79.170.40.27. This IP is associated with the server mail27.extendcp.co.uk. This is a commercial hosting site. The sender was logged into the server web230.extendcp.co.uk, with IP 79.170.40.230, when this email was sent.
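The hop-by-hop trace described above, as an added example that is not part of the original report: it parses the Received headers reproduced in Appendix 1 (recipient addresses kept redacted, as on the page) in chronological order, identifies the authenticated submission from web230.extendcp.co.uk, reads the X-Originating-IP, notes the empty Message-ID that the MessageLabs scanner flagged, and checks whether each hop's "by" host matches the next hop's "from" host.

```python
import re
from email import message_from_string

# Headers of the spoofed email as reproduced in Appendix 1, one header per
# line; recipient addresses are redacted on the page and stay redacted here.
RAW_EMAIL = """\
Received: from mail87.messagelabs.com ([216.82.250.19]) by smtp.hoyts.com.au with Microsoft SMTPSVC(6.0.3790.3959); Fri, 2 Apr 2010 15:09:30 +1100
X-Originating-IP: [79.170.40.27]
Received: (qmail 16814 invoked from network); 2 Apr 2010 04:08:57 -0000
Received: from mail27.extendcp.co.uk (HELO mail27.extendcp.co.uk) (79.170.40.27) by server-5.tower-87.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 2 Apr 2010 04:08:57 -0000
Received: from web230.extendcp.co.uk ([79.170.40.230] helo=localhost) by mail27.extendcp.com with esmtpa (Exim 4.70) id 1NxYBg-00034I-NP for [email protected]; Fri, 02 Apr 2010 05:08:52 +0100
From: Anthony Thiessen
Message-ID:
Date: 2 Apr 2010 15:09:30 +1100

"""

# "from <host> (...) by <host> with <protocol>"; the qmail line has no "by".
HOP_RE = re.compile(r"from\s+(?P<host>[\w.-]+)(?P<extra>.*?)\s+by\s+(?P<by>[\w.-]+)"
                    r"(?:\s+with\s+(?P<proto>\S+))?", re.S)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(raw):
    """Return the Received hops in chronological order (index 0 = submission)."""
    hops = []
    # Received headers are prepended by each relay, so the top one is the last hop.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            continue  # local-delivery lines such as "(qmail ... invoked from network)"
        ip = IP_RE.search(m["extra"])
        hops.append({"from": m["host"], "ip": ip.group(1) if ip else None,
                     "by": m["by"], "proto": (m["proto"] or "").lower()})
    return hops


def trace(raw):
    """Summarise where the message entered the mail system and what looks odd."""
    msg = message_from_string(raw)
    hops = parse_hops(raw)
    first = hops[0]  # earliest hop: the host that handed the message to a relay
    return {
        "submitting_host": first["from"],
        "submitting_ip": first["ip"],
        "authenticated_submission": first["proto"] == "esmtpa",  # Exim: SMTP AUTH used
        "first_relay": first["by"],
        "x_originating_ip": msg.get("X-Originating-IP", "").strip("[] "),
        "message_id_missing": not msg.get("Message-ID", "").strip(),
        # A "by" host that differs from the next hop's "from" host is worth a look:
        # here it is only extendcp .com/.co.uk naming, but forged hops look the same.
        "chain_breaks": [(a["by"], b["from"]) for a, b in zip(hops, hops[1:])
                         if a["by"].lower() != b["from"].lower()],
    }
```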
8. Appendix 2 - Site Analysis

Access to Web230 is restricted by username and password. In March 2010, the following access was made to the hosting servers from the Hoyts Mac host (10.1.1.210). The user account was corrected and later access was successful.

Warning: mysql_pconnect() [function.mysql-pconnect]: Access denied for user 'web230-exdisplay'@'web230.extendcp.co.uk' (using password: YES) in /home/sites/ex-display.co.uk/public_html/Connections/exdisplay.php on line 9
Fatal error: Access denied for user 'web230-exdisplay'@'web230.extendcp.co.uk' (using password: YES) in /home/sites/ex-display.co.uk/public_html/Connections/exdisplay.php on line 9

Web230 hosts several websites.

IP and Domain Information Sources

The following is a list of domains hosted on the Web230 server.
Network: 79.170.40.0/21, Heart Internet Network via Node4, AS31727.