
Nitroba University Harassment Case Study

Sourav Mishra (RSI2019005), 11/07/2019

Forensic Email Report


Case study:

You are a staff member at the Nitroba University Incident Response Team.
● Lily Tuckrige is teaching chemistry CHEM109 this summer at NSU.
● Tuckrige has been receiving harassing email at her personal email address.
  – Tuckrige's personal email is lilytuckrige@yahoo.com
  – She thinks that it is from one of the students in her class.
● Tuckrige contacted IT support.
  – She sent a screenshot of one of the harassing email messages.
  – She wants to know who is doing it.

Information or Instructions
A). Email Header

B). After checking the IP, the host turns out to be inside the campus.

C). The Dorm Room


● Three women share the room:
  – Alice
  – Barbara
  – Candice
● Nitroba provides 10 Mbps Ethernet in every room but no Wi-Fi.
● Barbara's boyfriend Kenny installed a Wi-Fi router in the room.
● There is no password on the router.

D). To catch a repeat attack, the campus conducts network sniffing on the dorm network.

Tools Used: NetworkMiner 2.4, Wireshark

The attacker carried out the attack again.

The content of the email is a message containing a link to the address
www.willselfdestruct.com, where the time-limited message is hosted.


E). Who is the culprit?


Chemistry 109 class list:
Teacher: Lily Tuckrige
Students:
● Amy Smith
● Burt Greedom
● Tuck Gorge
● Ava Book
● Johnny Coach
● Jeremy Ledvkin
● Nancy Colburne
● Tamara Perkins
● Esther Pringle
● Asar Misrad
● Jenny Kant

F). The stages carried out to find the perpetrator are:

1. Map the "dorm room" network.
2. Find out who sent the email to lilytuckrige@yahoo.com.
3. Search with the packet tools for TCP packets that contain the contents of the email message.
4. Find information that connects the contents of the message with the
web browser used by the sender.
5. Identify other TCP packets related to the attacker.
6. Obtain, from those TCP packets, information that carries an identifier of the attacker.


Data Packet Reading with Wireshark

1. Find the sender's IP, the contents of the message, or any other information
that can be obtained about the attacker. For example, use the message content as a
keyword to look for TCP packets from the attacker: open the Find menu (Ctrl + F),
select "String", then enter the keyword "stop teaching".

From this search we obtain the contents of the sender's email, and from it
the sender's IP, MAC address, operating system and other details.


Email contents

IP information obtained

MAC address: 00:17:f2:e2:c0:ce

With this information we narrow the search in Wireshark with the display
filter "ip.src == 192.168.15.4 and dns". This filter lists every website
that has been opened by that IP.


From the sites opened by that IP, we analyse which web services could lead
to the perpetrator; examples of these results are www.facebook.com,
www.amazon.com, www.gmail.com, etc.
We assume the offender uses a commonly opened service such as Gmail, so we
search with the keyword "@gmail.com" or with other keywords that could reveal
the perpetrator's identity. These can be e-mail addresses or other
identifiers related to the sites that the perpetrator has opened.


Here we obtain an email account, jcoachj@gmail.com, with
MAC address 00:17:f2:e2:c0:ce.

From the results of the analysis above, the MAC address associated with
jcoachj@gmail.com matches the attacker's MAC address found in the
previous analysis, so it can be concluded that the main suspect is the
owner of the email jcoachj@gmail.com. Matched against the list of student
names above, the suspect is Johnny Coach.
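The keyword search, source IP/MAC extraction and account correlation described in steps F and in the Wireshark walkthrough above, as an added example that is not part of the original report: the frames are constructed inline (the second MAC address and the 10.0.0.x server addresses are invented; the rest of the values come from the report), and the parser reads raw Ethernet/IPv4/TCP frames the way a pcap reader would.

```python
import re
import struct

# Constructed sample frames (not from the original Nitroba capture). Each is an
# Ethernet II / IPv4 / TCP frame with an application payload, built by frame().
def frame(src_mac, src_ip, dst_ip, dport, payload):
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    total = 20 + 20 + len(payload)                     # IPv4 total length
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

CAPTURE = [   # the 00:1d:... MAC and the 10.0.0.x servers are invented; the rest is from the report
    frame("00:17:f2:e2:c0:ce", "192.168.15.4", "10.0.0.1", 80,
          b"POST /send HTTP/1.1\r\nHost: www.sendanonymousemail.com\r\n\r\n"
          b"to=lilytuckrige%40yahoo.com&message=stop+teaching"),
    frame("00:17:f2:e2:c0:ce", "192.168.15.4", "10.0.0.2", 80,
          b"GET /mail/ HTTP/1.1\r\nHost: mail.google.com\r\nCookie: user=jcoachj@gmail.com\r\n\r\n"),
    frame("00:1d:d9:2e:4f:61", "192.168.15.2", "10.0.0.3", 80,
          b"GET / HTTP/1.1\r\nHost: www.amazon.com\r\n\r\n"),
]

def parse(raw):
    """Return (src_mac, src_ip, http_host, tcp_payload) for one Ethernet/IPv4/TCP frame."""
    src_mac = ":".join(f"{b:02x}" for b in raw[6:12])
    ihl = (raw[14] & 0x0F) * 4                         # IPv4 header length
    src_ip = ".".join(str(b) for b in raw[26:30])
    tcp = 14 + ihl
    payload = raw[tcp + (raw[tcp + 12] >> 4) * 4:]     # skip TCP header (data offset)
    m = re.search(rb"Host: ([^\r\n]+)", payload)
    return src_mac, src_ip, m.group(1).decode() if m else "", payload

def find_sender(capture, keyword):
    """Steps 2-3: the packet carrying the harassing text gives the sender's MAC, IP and site."""
    for raw in capture:
        mac, ip, host, payload = parse(raw)
        if keyword.encode() in payload.replace(b"+", b" "):  # undo form-encoding of spaces
            return mac, ip, host
    return None

def attribute(capture, mac):
    """Steps 4-6: every site and e-mail identifier seen from the same MAC (the ip.src filter plus '@gmail.com' search)."""
    hosts, accounts = set(), set()
    for raw in capture:
        m, _ip, host, payload = parse(raw)
        if m == mac:
            hosts.add(host)
            accounts.update(a.decode() for a in re.findall(rb"[\w.]+@[\w.]+\.\w+", payload))
    return sorted(hosts), sorted(accounts)
```

The MAC and IP tie the traffic to one device on the open router; it is the account identifiers seen from that same device that link the device to a person.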

Data Packet Reading with NetworkMiner

G). Using the NetworkMiner tool to read data packets is easier because the
data has already been classified into categories such as recorded hosts,
files, images, messages, accounts, sessions and others.


H). From these categories, search for the contents of the e-mail message on
the Messages tab, where you can see the IP of the sender of the message,
the destination host and the contents of the message.


I). Then continue the analysis on the Credentials tab. There you can see IP
192.168.15.4 accessing many websites, from which you can find out who might
be the sender of the email. It can be found that IP 192.168.15.4 has opened
the website www.sendanonymousemail.com and also Gmail with the account
jcoachj@gmail.com.

J). On the Hosts menu, you can see the MAC address of the owner of IP
192.168.15.4, which we can then match against the results read in
Wireshark.


From this analysis it can be concluded that the strongest suspect is the
owner of the jcoachj@gmail.com email account; matched against the list of
student names, the culprit is Johnny Coach.
