Aces High Bulletin Board
General Forums => The O' Club => Topic started by: Wolfala on July 10, 2006, 01:09:51 PM
-
Someone cooked an email to frame me at work. I have the paper trail and they did a really bad job of covering their tracks. I need help and a reference.
Wolf
-
What you need is a lawyer with a good reference in employment law. Not computer entrapment, that is ancillary. That lawyer's firm will hire people that can perform forensics. Don't get all Columbo at this time looking to disprove anything. If the company pulls you in to speak with HR, they aren't going to let you rifle through the email server anyhow. You're gonna need that lawyer to file a motion, and that's after you decide with the lawyer that you have a case.
-
BigGuns is a Bay Area guy... he may know some good folks.
Copy all records... keep detailed records.
-
I am in the Bay Area, but don't know any lawyers to deal with this. If however you need a lawyer for securities & investments, I know a few.
-
As someone who has done computer forensics, I can say with some authority that time is not on your side. You need to get someone in IT, preferably someone you can trust, to make backup copies of that email from the email server. Copies that can be verified would be best, but have them burned to a CD-R (not a CD-RW). The email headers will likely rat out the author of the message, so make sure you have good copies of the email showing them. Have the IT person retain a copy under lock and key if you can. Backup tapes will also work.
You will need a witness to attest to the authenticity of the copies, especially if you believe that this will wind up in litigation. Otherwise it's going to boil down to a "He said, she said" argument that rarely goes well for the employee.
-
If they did a bad job at covering their tracks, then the company investigation will do the job for you?? Or is it the company that is out to get you? In that case, good luck.
-
If the IT guy agrees, the best way to make a forensic copy of a server is a bit-to-bit copy of THE WHOLE DISK OR ARRAY (on another disk* or a tape). This will take a complete 'screenshot' of the situation and it will allow experts and counter-experts to inspect the files and the free space but also the slack space. Date and time stamps of files aren't touched. The downside is that the server needs to be down during the copy.
In most cases, I use a Knoppix live CD and issue a "dd if=<original disk> of=<destination> conv=noerror,sync" command.
* Big IDE disks are cheap and also easier to use to perform the analysis. Be aware that most servers don't have a fast IDE interface (it is only used by CD or DVD drives) nor a USB 2.0 interface. I usually perform the copy over the network (dd piped to nc) to a workstation booted with Linux where the destination disk is (USB 2.0, FireWire or fast IDE)...
To avoid any discussion about the validity of the findings later on, you'll need to wipe the destination disk beforehand (shred -n 1 -z).
The IT guy needs to double check his stuff because if he ever mixes up the origin and destination disks in the dd command, he'll wipe the whole server disk or array.
But check with a lawyer first because I don't know your laws in this matter.
-
So far I've got senior management on my side. I showed the originating message and the message which was cooked. The guy did a pretty lousy job of covering his tracks b/c I called one of the guys who was supposedly CC'd on the message - but he never got it, and we verified that with 2 other guys who were on the list.
It's pretty much open and shut so far as me being in the clear. I've got an appointment this afternoon in San Jose with a criminal attorney to see how this plays out from a legal standpoint.
So far, my status is Warning Yellow - Weapons Hold.
Wolf
-
BigGun, you got a PM.
-
You work at the postgrad school, or are you a student? I'd love to see an Officer go down in flames for some computer BS, LOL.
No offense to our glorious Naval Leadership... just an average enlisted man's take on it.
-
This was outside of NPS - they have a little more sense - but not much.
-
Originally posted by Wolfala
So far I've got senior management on my side. I showed the originating message and the message which was cooked. The guy did a pretty lousy job of covering his tracks b/c I called one of the guys who was supposedly CC'd on the message - but he never got it, and we verified that with 2 other guys who were on the list.
It's pretty much open and shut so far as me being in the clear. I've got an appointment this afternoon in San Jose with a criminal attorney to see how this plays out from a legal standpoint.
So far, my status is Warning Yellow - Weapons Hold.
Wolf
Print out a copy of the email showing all the header information. Ask for the email server logs for that day and firewall connection logs to the email server as well. The email server connections will also reveal a lot of detail.
Email headers will look like this (but longer... this is just a snippet):
received: from renaissance.co.nz (smtp2.renaissance.co.nz [10.100.0.5]) by rennzaklex1.renaissance.co.nz with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2657.72)
id 3L3B6CVY; Mon, 10 Jul 2006 15:45:01 +1200
Received: from ([67.115.118.13])
by smtp2.renaissance.co.nz with ESMTP id 4420263.3192789;
Mon, 10 Jul 2006 15:42:18 +1200
Lemme know if you need to know more.
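As an added illustration (not code from the thread or from Vulcan), here is a small Python check that walks a Received: chain the way the post describes, using constructed headers with made-up hosts and IPs, and flags a hop whose relay name or timestamp does not line up with the line above it.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample messages, not the thread's headers: hosts and IPs are made up.
CLEAN = """Received: from smtp2.example.test (smtp2.example.test [10.100.0.5])
 by mailstore.example.test with SMTP id 3L3B6CVY;
 Mon, 10 Jul 2006 15:45:01 +1200
Received: from ([203.0.113.13])
 by smtp2.example.test with ESMTP id 4420263.3192789;
 Mon, 10 Jul 2006 15:42:18 +1200
Subject: clean
"""
# Same top line, but the hop beneath it came with the message and does not fit: its
# 'by' host is not the relay the server above received from, and its clock runs later.
FORGED = """Received: from smtp2.example.test (smtp2.example.test [10.100.0.5])
 by mailstore.example.test with SMTP id 3L3B6CVY;
 Mon, 10 Jul 2006 15:45:01 +1200
Received: from relay.elsewhere.test ([198.51.100.7])
 by mx.elsewhere.test with ESMTP id ABC123;
 Mon, 10 Jul 2006 16:10:00 +1200
Subject: forged
"""

HOP_RE = re.compile(r"from\s+([\w.\-]*)\s*(?:\(([^)]*)\))?\s+by\s+([\w.\-]+)", re.I)

def parse_hops(raw):
    """Return hops oldest-first as (from_host, from_info, by_host, datetime)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = re.sub(r"\s+", " ", value)  # unfold the multi-line header
        m = HOP_RE.search(value)
        when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        hops.append((m.group(1), m.group(2) or "", m.group(3), when))
    return hops[::-1]  # the top header is the last relay, so reverse

def audit_chain(raw):
    """List breaks in the chain. Only the topmost Received: line was written by the
    recipient's own server; lines below it arrived with the message and can be forged,
    so each must be cross-checked against that server's SMTP logs."""
    hops, findings = parse_hops(raw), []
    for (_, _, by_host, t_prev), (from_host, info, _, t_next) in zip(hops, hops[1:]):
        if by_host.lower() not in f"{from_host} {info}".lower():
            findings.append(f"relay mismatch: {by_host} handed off, next hop claims {from_host or info}")
        if t_next < t_prev:
            findings.append(f"timestamp goes backwards: {t_prev} -> {t_next}")
    return findings
```

Run `audit_chain(FORGED)` to see the two findings; the clean sample returns an empty list.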
-
Vulcan,
I'm using Outlook 2003 and it doesn't show the headers by default.
How do I bring them up?
Wolf
-
In Outlook 6 you have to
right mouse click > Properties > Details (top left corner of window) > Message Source button.
It also works when you select the message and use Properties from the top "File" menu.
Outlook 2003 should have something similar.
-
In the latest Outlook you open the email, on the menu click View, Options, and there's a window titled Internet Headers... that's what you need.
Feel free to PM me the headers and I'll tell you what they mean.