Question

5. What questions should be considered when preparing testimony? List some general guidelines on testifying. [2+3 marks]

PART C: Case Study (10 marks) (Read the following case carefully and answer the question in the Answer booklet provided.)

Mr. Jones at Company A claims to have received an order for $200,000 in widgets from the purchasing manager, Mr. Smith, at Company B. Company A manufactures the widgets and notifies Company B that they are ready for shipment. Mr. Smith at Company B replies that they didn’t order any widgets and won’t pay for them. Company A locates an e-mail requesting the widgets that appears to be from Mr. Smith and informs Company B about the e-mail. Company B tells Company A that the e-mail didn’t originate from its e-mail server, and it won’t pay for the widgets. Company A files a lawsuit against Company B based on the widget order in Mr. Smith’s e-mail. The lawyers for Company A contact the lawyers for Company B and discuss the lawsuit. Company A’s lawyers make discovery demands to conduct a computer forensics analysis on Mr. Smith’s computer and hopes of finding the original message that caused the problem. At the same time, Company B’s lawyers demand discovery on Mr. Jones’s computer because they believe the e-mail is a fake. As a computer forensics investigator, you receive a call from your boss asking you to fulfil the discovery demands from Company B’s lawyers to locate and determine whether the email message on Mr. Jones’s computer is real or fake. Because it’s an e-mail investigation, not a major crime involving computers, you’re dispatched to Company A. When you get there, you find Mr. Jones’s computer powered on and running Microsoft Outlook. The discovery order authorises you to recover only Mr. Jones’s Outlook e-mail folder, the .pst file. You are not authorised to do anything else.

Question: What tasks would you perform in solving this case?

Answer 1

E-mail Abuse Investigations:

E-mail investigations typically include spam, inappropriate and offensive message content, and harassment or threats. The following list is what you need for an investigation involving e-mail abuse:

• An electronic copy of the offending e-mail that contains message header data; consult with your e-mail server administrator • If available, e-mail server log records; consult with your e-mail server administrator to see whether they are available

• For e-mail systems that store users’ messages on a central server, access to the server; consult with your e-mail server administrator

• For e-mail systems that store users’ messages on a computer as an Outlook .pst or .ost file, for example, access to the computer so that you can perform a forensic analysis on it

• Your preferred computer forensics analysis tool, such as Forensic Toolkit or ProDiscover

This is the recommended procedure for e-mail investigations:

1. For computer-based e-mail data files, such as Outlook .pst or .ost files, use the standard forensic analysis techniques and procedures described in this book for the drive examination.

2. For server-based e-mail data files, contact the e-mail server administrator and obtain an electronic copy of the suspect and victim’s e-mail folder or data.

3. For Web-based e-mail investigations, such as Hotmail, use tools such as Forensic Toolkit’s Internet keyword search option to extract all related e-mail address information.

4. Examine header data of all messages of interest to the investigation.

To find out whether the e-mail is fake or not in outlook:

Outlook shows indicators when the sender of a message is unverified, and either can't be identified through email authentication protocols or their identity is different from what you see in the From address.

• You see a '?' in the sender image

  When Outlook can't verify the identity of the sender using email authentication techniques, it displays a '?' in the sender photo.

  

  This message did not pass sender authentication [email protected] Reply all ? Today, 10:58 AM

• Not every message that fails to authenticate is malicious. However, you should be careful about interacting with messages that don't authenticate if you don't recognize the sender. Or, if you recognize a sender that normally doesn't have a '?' in the sender image, but you suddenly start seeing it, that could be a sign the sender is being spoofed. You can learn more about more about Spoof Intelligence from Office 365 Advanced Threat Protection and Exchange Online Protection in the Related topics below.

• The sender's address is different than what appears in the From address

  Frequently, the email address you see in a message is different than what you see in the From address. Sometimes phishers try to trick you into thinking that the sender is someone other than who they really are.

  When Outlook detects a difference between the sender's actual address and the address on the From address, it shows the actual sender using the via tag, which will be underlined.

  

  This message authenticates but sent by a different responsible sender Reply all [email protected] via suspicious.com U Today, 10:58 AM

  In this example, the sending domain "suspicious.com" is authenticated, but the sender put "[email protected]" in the From address.

  Not every message with a via tag is suspicious. However, if you don't recognize a message with a via tag, you should be cautious about interacting with it.

  In Outlook and the new Outlook on the web, you can hover your cursor over a sender's name or address in the message list to see their email address, without needing to open the message.

  

  [email protected] Sherrie Humphrey Get started with OneDrive 8/28/2017 Here's a guide to help you start using On... Getting started with One... pdf 389 KB