Based on artifacts found on the suspect’s hard drive, it is not possible to determine the attacker’s identity, but then I can think of at least three theoretical hypotheses:
The First Hypothesis
The first hypothesis is based on email number 20 from Jean’s Inbox, sent by Alison on the 6th July 2008, 20:25:14, with the Subject: By the way…, where Alison wrote “Looks like the woman we turned down for the job…” It’s possible that the woman mentioned in the email may have felt, somehow, unfairly turned down and tried to get back at Alison for turning her down.
The Second Hypothesis
The second hypothesis is based on the email 210 sent by Alex on the 20th July 00:43:48 with the Subject: Programmers where Alex wrote “Have you …
The fact that the email(s) sent by Alex are sent from within the company servers/network supports the second hypothesis. It doesn’t answer our question, but it sure helps. With the second hypothesis we assume the attacker is someone who either works or is supposed to start working for M57.biz. From the content of the email we have three names that we need to look at. After looking at the emails sent and received by Jean, I was unable to find any artifacts belonging to or linking Alice to Jean’s email account. There are, however, three emails sent by Bob and two emails sent by Carol to Jean the day after Jean emailed the spreadsheet to tuckgorge@gmail.com. On the 21st July 2008, 00:53, Bob sends an email to Jean asking if she knows anything about his social security number being posted on the Internet. This email raises no suspicion and a look at the meta-data doesn’t show anything suspicious per se.
As we can see, the email was sent through the M57.biz WebMail Server using SquirrelMail, a webmail client. It could have been easily dismissed if it wasn’t for the fact that SquirrelMail requires a server with PHP. Maybe I am overlooking this… Since there isn’t a conclusive answer as to who is behind the attack, we can explore the possibilities using the artifacts found on the suspect’s hard drive. In the email 210 from Jean’s Inbox, when the attacker requests the information (spreadsheet) from Jean, we know that the email was sent through an Apache server as shown
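An added example, not part of the original report: a small header triage in Python that performs the checks discussed above (which client produced a message, which relay handled it first, and whether the reply addresses match the From domain). The two messages, the `corp.example` domain and every address in them are constructed for illustration and are not taken from the case image.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def _domain(value):
    """Lower-cased domain part of an address header, '' if missing."""
    _, sep, dom = parseaddr(value or "")[1].rpartition("@")
    return dom.lower() if sep else ""

def triage_headers(raw, org_domain):
    """Summarise origin evidence; org_domain is the organisation's mail domain."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its Received line, so reverse to read origin-first.
    # Lines added before the first relay you control can be forged by the sender.
    for line in reversed(msg.get_all("Received", [])):
        flat = " ".join(line.split())  # unfold continuation lines
        src = re.search(r"\bfrom ([^\s;()]+)", flat)
        dst = re.search(r"\bby ([^\s;()]+)", flat)
        hops.append((src and src.group(1), dst and dst.group(1)))
    sender, findings = _domain(msg["From"]), []
    for name in ("Reply-To", "Return-Path"):
        dom = _domain(msg[name])
        if dom and dom != sender:
            findings.append(f"{name} domain {dom} differs from From domain {sender}")
    first = hops[0][1] if hops else None
    if first and first != org_domain and not first.endswith("." + org_domain):
        findings.append(f"first relay {first} is outside {org_domain}")
    return {"client": msg["User-Agent"] or msg["X-Mailer"], "hops": hops, "findings": findings}

# Constructed samples (documentation domains and addresses only).
WEBMAIL_SAMPLE = """\
Received: from 192.0.2.10 (SquirrelMail authenticated user jdoe)
\tby webmail.corp.example with HTTP; Mon, 6 Jan 2020 09:00:00 -0000
From: jdoe@corp.example
User-Agent: SquirrelMail/1.4.x
"""
FORGED_SAMPLE = """\
Received: from web01.hosting.example by mx.corp.example with ESMTP; Mon, 6 Jan 2020 09:05:00 -0000
Received: from localhost by web01.hosting.example with local; Mon, 6 Jan 2020 09:04:58 -0000
From: asmith@corp.example
Reply-To: someone@freemail.example
Return-Path: <someone@freemail.example>
X-Mailer: PHP mail script (constructed)
"""

if __name__ == "__main__":
    for label, raw in (("webmail", WEBMAIL_SAMPLE), ("forged", FORGED_SAMPLE)):
        print(label, triage_headers(raw, "corp.example"))
```

A message whose first relay is outside the organisation while its From address is inside it deserves a closer look, but an internal first relay on its own only shows that an authenticated account was used, not who was using it.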