
Threats over email

Computer Forensics

Background:
The manager of a small company approached us. The family of an investor in the company had begun to receive threatening and insulting webmails from someone claiming to be him. The manager denied all responsibility. 

Concern:
To locate the true sender of the emails before the relationship with the investor broke down completely.

Deloitte’s Actions: 
• With the permission of the investor, Deloitte acquired a forensic copy of the home computer and analysed the emails.
• Metadata analysis of the offending emails allowed us to trace them to their origin. Most were sent from an Internet Service Provider account and were effectively untraceable, but two were found to originate on our client’s network.
• Deloitte analysed our client’s web proxy server. Two users were found to have been using web-mail when the offending emails were sent.
• Both users' computers were imaged discreetly (out of normal office hours).
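
An added example, not Deloitte's code or tooling: one way to do the correlation described in the actions above, reading the origin address and send time from the earliest Received header and listing the proxy users who reached the web-mail host around that time. The message, the proxy log format, host names, addresses and user names are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample data (documentation addresses, invented users and log format).
RAW_EMAIL = (
    "Received: from webmail.example.net (webmail.example.net [198.51.100.20])\n"
    "\tby mx.example.org with ESMTP; Tue, 05 Mar 2013 14:02:11 +0000\n"
    "Received: from [203.0.113.7] by webmail.example.net via HTTP;\n"
    "\tTue, 05 Mar 2013 14:02:09 +0000\n"
    "From: sender@example.net\nSubject: constructed sample\n\nbody\n"
)
PROXY_LOG = """\
2013-03-05T14:01:55+00:00 user_a 10.0.0.21 CONNECT webmail.example.net:443
2013-03-05T14:02:08+00:00 user_b 10.0.0.34 POST http://webmail.example.net/send
2013-03-05T14:02:10+00:00 user_c 10.0.0.40 GET http://news.example.com/
2013-03-05T15:30:00+00:00 user_a 10.0.0.21 POST http://webmail.example.net/send
"""

def origin_hop(raw):
    """Return (client_ip, time) from the earliest Received header (listed last)."""
    hops = message_from_string(raw).get_all("Received", [])
    if not hops:
        return None, None
    earliest = " ".join(hops[-1].split())          # unfold continuation lines
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", earliest)
    stamp = earliest.rsplit(";", 1)[-1].strip()    # date follows the last ';'
    return (ip.group(1) if ip else None), parsedate_to_datetime(stamp)

def webmail_users(log, host, when, window=timedelta(minutes=2)):
    """Users whose proxy requests reached `host` within `window` of `when`."""
    users = set()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                               # skip malformed lines
        ts, user, _client, _method, target = parts
        url = target if "://" in target else "//" + target  # CONNECT host:port
        if (urlsplit(url).hostname == host
                and abs(datetime.fromisoformat(ts) - when) <= window):
            users.add(user)
    return sorted(users)

if __name__ == "__main__":
    ip, sent = origin_hop(RAW_EMAIL)
    print(ip, sent.isoformat(), webmail_users(PROXY_LOG, "webmail.example.net", sent))
```

Received headers added before the first server you trust can be forged by the sender, so the extracted address is a lead to confirm against logs rather than proof on its own.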

Deloitte’s Findings:
• Analysis of web-browser remnants showed that the offending emails had been sent from a particular individual’s computer.
• Further web-browser analysis showed the same individual was the owner of the ISP account from which the other emails were sent.
• Analysis of web-mail and other communications revealed that the individual in question (a middle-manager) bore a grudge against the company’s manager.

Results:
• The individual in question was dismissed.
• Our client is currently considering further legal action against the same individual.

Comments: 
Most computer users do not know that web-browser software such as Internet Explorer and Firefox stores ('caches') on the computer any web page it displays. These pages can be stored for weeks or months. Browser software also retains the web addresses of sites visited, which can remain on the computer for months or years. Hence it is entirely possible to recover web-mails from computers, as long as your acceptable use policy allows you to do it.


Material on this website is © 2013 Deloitte Global Services Limited, or a member firm of Deloitte Touche Tohmatsu Limited, or one of their affiliates. See Legal for copyright and other legal information.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/ie/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
