General Forensic Discussions
Agufa
15-09-2008, 12:07 PM
Hi guys,
I am looking for some ideas.
I am doing an email investigation: an email was sent out and we are trying to establish who sent it. It was sent from a Yahoo email address. The header information was not very useful because the person used a proxy server to send the mail, so we are not able to trace the source IP. All we see is the proxy's IP.
Now, we have two suspects. I have acquired their machines and am trying to do some analysis on them. Do you think a keyword search based on the content of the email would be worth doing?
When you send mail through Yahoo, are any traces left on your machine?
I have tried looking at the IE cache but I am not seeing anything useful.
What would be the best approach? We are trying to establish whether the email originated from one of these machines.
Cheers.
athulin
16-09-2008, 08:10 AM
Do you think a keyword search based on the content of the email would be worth doing?
Certainly. If you get a solid hit, you're home. (And not only the text content: include the sender/from email address, etc.)
You might also look around for traces of contact with that proxy server. To me "proxy server" means something configured into the mail client, in which case you may find traces of past configurations in system restore points. Looking for the IP address or domain name may also help. If you mean something else by the term, such as a web client, you need to look for traces from that site.
One such trace could easily be graphic components from a web interface found in the cache: visit the web site under Sandboxie, say, and collect hashes from the sandbox area. They won't necessarily prove that that mail was sent, but they may indicate contact, unless some bog-standard webmail interface was used. But you may find a logo.
Also, if you have a mail, you probably have a time stamp, and you should be able to check system activities from around that time.
Disklabs
16-09-2008, 08:31 AM
Agufa,
You are on the right lines. The most obvious way of checking is keyword searches. It will be simple to achieve this by taking keywords from one machine and searching for the same keywords on the other ones.
If this doesn't work, then I think it's time to get some professional assistance, as there are dozens of options, some simple, some very complicated.
Regards,
Simon
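Pulling athulin's and Simon's suggestions together as one runnable triage script (an added example, not code from either poster or from any tool named in the thread): it walks an exported file tree from an acquired machine, searches for phrases from the email in both 8-bit and UTF-16-LE encodings (Windows artefacts such as registry hives and IE index.dat store strings as UTF-16), matches the proxy IP and the sender address as whole tokens so 10.0.0.1 does not hit on 10.0.0.10, compares every file's SHA-256 against hashes collected from a sandboxed visit to the webmail site, and restricts itself to files modified within the send window widened by a clock-skew allowance. The keyword, indicator values, send time and the sample files it writes are all constructed for the demonstration and are not evidence from the case.

```python
#!/usr/bin/env python3
"""Triage scan of an acquired file tree for traces of a webmail send.

Added example. Keywords, indicators, SEND_TIME and the sample files are
constructed for illustration; nothing here comes from the thread's case.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Hit:
    path: str
    kind: str        # "keyword", "indicator" or "hash"
    detail: str
    mtime: datetime


def scan_tree(root, keywords, indicators, known_hashes, window=None, skew=timedelta(0)):
    """Walk root and return a list of Hit.

    keywords     phrases from the email body, matched case-insensitively
                 (ASCII folding) in UTF-8 and in UTF-16-LE.
    indicators   proxy IP/hostname and sender address, matched as whole
                 tokens (no [A-Za-z0-9_.] directly before or after).
    known_hashes SHA-256 hex digests of webmail graphics captured from a
                 sandboxed visit to the site.
    window       optional (start, end) UTC datetimes of the send; files whose
                 mtime lies outside start-skew .. end+skew are skipped, the
                 skew allowing for a wrong BIOS clock.
    """
    kw_patterns = []
    for k in keywords:
        low = k.lower()
        kw_patterns.append((k, low.encode("utf-8")))
        kw_patterns.append((k, low.encode("utf-16-le")))
    ind_patterns = [
        (ind, re.compile(r"(?<![\w.])" + re.escape(ind) + r"(?![\w.])", re.IGNORECASE))
        for ind in indicators
    ]
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()
                mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            except OSError:
                continue
            if window is not None:
                start, end = window
                if not (start - skew <= mtime <= end + skew):
                    continue
            digest = hashlib.sha256(data).hexdigest()
            found = set()
            if digest in known_hashes:
                found.add(("hash", digest))
            low = data.lower()   # bytes.lower() folds ASCII only, matching our encoded keywords
            for label, pat in kw_patterns:
                if pat in low:
                    found.add(("keyword", label))
            # Two text views: latin-1 decodes every byte; utf-16-le exposes Windows strings.
            for text in (data.decode("latin-1"), data.decode("utf-16-le", errors="ignore")):
                for label, rx in ind_patterns:
                    if rx.search(text):
                        found.add(("indicator", label))
            for kind, detail in sorted(found):
                hits.append(Hit(path, kind, detail, mtime))
    return hits


SEND_TIME = datetime(2008, 9, 14, 10, 30, tzinfo=timezone.utc)   # constructed send time


def build_sample_case(root):
    """Write a constructed mini 'acquired image' under root; returns the hash set a
    sandboxed visit to the webmail site would have produced (one logo here)."""
    sandbox_logo = b"GIF89a\x00constructed-webmail-logo-bytes"
    files = {
        "Users/a/Cache/ABCD1234.gif": (sandbox_logo, SEND_TIME + timedelta(minutes=2)),
        "Users/a/Documents/draft.txt": (b"The quarterly figures WILL be posted Friday.\n",
                                        SEND_TIME - timedelta(minutes=40)),
        "Users/a/ntuser_fragment.bin": ("ProxyServer=10.0.0.1:8080".encode("utf-16-le"),
                                        SEND_TIME + timedelta(hours=1)),
        "Windows/readme.txt": (b"gateway 10.0.0.10 and 110.0.0.1\n", SEND_TIME),   # must not hit
        "Users/a/old.log": (b"quarterly figures will be posted\n", SEND_TIME - timedelta(days=3)),
    }
    for rel, (content, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        os.utime(path, (mtime.timestamp(), mtime.timestamp()))
    return {hashlib.sha256(sandbox_logo).hexdigest()}


def run_demo():
    """Scan the constructed case; returns sorted (relative path, kind, detail) tuples."""
    with tempfile.TemporaryDirectory() as root:
        known = build_sample_case(root)
        hits = scan_tree(root,
                         keywords=["quarterly figures will be posted"],
                         indicators=["10.0.0.1", "sender@example.invalid"],
                         known_hashes=known,
                         window=(SEND_TIME - timedelta(hours=1), SEND_TIME + timedelta(hours=1)),
                         skew=timedelta(hours=2))
        return sorted((os.path.relpath(h.path, root).replace(os.sep, "/"), h.kind, h.detail)
                      for h in hits)


if __name__ == "__main__":
    for rel, kind, detail in run_demo():
        print(f"{kind:9s} {rel}  {detail}")
```

Point it at the mounted file system of each image rather than the demo tree. The mtime filter is a speed-up for a first pass only: a wiped or re-imaged machine, or an attacker who reset timestamps, will not show up in the window, so a full run with `window=None` is still needed before concluding that a machine is clean.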
Agufa
17-09-2008, 08:49 AM
Thanks guys for your opinions and ideas.
Keyword searches did not give any positive hits.
I looked at the web history using NetAnalysis and none of the PCs appeared to be logged into Yahoo around the time the email was sent.
I feel that we were either given the wrong suspect machines or the suspects might have cleaned out their tracks.
Disklabs
17-09-2008, 09:06 AM
It could be that the BIOS clock wasn't set to the right time. That could explain the timings?
Have you tried to run a hash search against data-wiping software?
As you rightly said, they might not be the correct machines?
It's a tough one.
Are they networked?
We have a tool that can sniff out users' internet histories, which would find the info if it was on a network.
Simon
Agufa
17-09-2008, 01:47 PM
Yes, the computers are networked in a domain setup. It's a big corporation, but the particular department under investigation has about 30 people located in different parts of the company.
Is the tool free? :) :o
Disklabs
17-09-2008, 02:38 PM
Agufa,
Regretfully not! :(
If you are struggling, I can send someone out?
The software basically interrogates the network, then brings back a report and files of all the internet user histories of all users (even if they have hot-desked).
We then investigate and produce a report.
If we could get a testimonial from this 'big corporation', I 'could' offer you a rather cheap trial, (expenses plus £1,500.00).
Regards,
Simon