PCAP analysis report - Nitroba University
Introduction/objectives/Background
Case Background
In this case I received a packet capture file called "nitroba.pcap", containing the network traffic recorded from the Nitroba student dormitories by a network sniffer, and a slide deck called "slides.pdf".
According to the document "slides.pdf", the following information was provided:
The email address used by victim Lily Tuckrige was “lilytuckrige@yahoo.com”, and she received the harassing emails at this address.
The first harassing email was sent on Sun, 13 Jul 2008 17:21:01 -0700 from the email address “nobody@nitroba.com” with IP address “140.247.62.34”.
The IP address points to a Nitroba dorm room shared by three women: Alice, Barbara, and Candice.
Barbara's boyfriend Kenny has installed a Wi-Fi router in his dorm room.
There is no password on the router.
Lily Tuckrige received the second harassing email from the address "noreply@willselfdestruct.com" on 21 Jul 2008 23:04 -0700.
The email was sent through an anonymous email service website, "Will Self-Destruct", whose messages are automatically destroyed within seconds of being read.
The network setup was as follows:
Analysis & Relevant findings
Examination Scope
The data I was authorized to analyze in this case was a packet capture file called "nitroba.pcap", containing the network traffic recorded from the Nitroba student dormitories by a network sniffer.
Network traffic source
According to the background information provided with the case, IP address 140.247.62.34 belonged to the Nitroba dorm room and corresponds to the "Network Switch" in the network setup diagram, since that switch handled all network traffic for the dormitory room.
In the NetworkMiner Hosts window, this network switch appeared as the server providing network connectivity to the device at 192.168.15.4. It can therefore be assumed that 192.168.15.4 was the Wi-Fi router installed by Barbara's boyfriend Kenny. All personal devices in the dorm room reached the network through this Wi-Fi router, so most of the room's traffic would appear to come from it.
(Figure 1. IP 140.247.62.34 in “NetworkMiner”)
Harassment Letter Frames and User Agent
I found two emails related to the harassment in NetworkMiner's Messages window; both were sent from IP address 192.168.15.4. The details are as follows:
However, 192.168.15.4 carried traffic from many users, so to learn more about the harasser I used Wireshark to examine Frames #80614 and #83601.
According to Wireshark, the harassing email in Frame #80614 was sent from a browser with the User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" via the anonymous email site "www.sendanonymousemail.net".
The User-Agent string usually identifies the browser and operating system, so it can be used to determine which browser the user was running.
(Figure 2. Frame #80614 in Wireshark)
To parse the User-Agent I used the online service https://developers.whatismybrowser.com/useragents/parse/#parse-useragent and found that "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" corresponds to Internet Explorer 6 on Windows XP SP2.
(Figure 3. User-Agent parsing service WhatIsMyBrowser)
The harassing email in Frame #83601 was sent from a browser with the same User-Agent, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)", via another anonymous email site, "www.willselfdestruct.com". The browser was again Internet Explorer 6 on Windows XP SP2.
(Figure 4. Frame #83601 in WireShark)
The person behind the User Agent
Suspect List
According to the above information, the person who sent the harassing email has the following characteristics:
1. Sent from the IP address "192.168.15.4"
2. Used the browser Internet Explorer 6 on Windows XP SP2, with User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
I found several email addresses in NetworkMiner's "Credentials" window.
(Figure 5. jcoachj's credentials in NetworkMiner)
(Figure 5. elishevet and mylady.ixchel's credentials in NetworkMiner)
The only person
To find the User-Agent corresponding to each email address in the suspect list, I used Wireshark to search for the strings "jcoachj@gmail.com", "elishevet@gmail.com", and "mylady.ixchel@gmail.com". The following correlations were found:
(Figure 6. jcoachj's User-Agent)
(Figure 7. elishevet's User-Agent)
(Figure 8. mylady.ixchel's User-Agent)
Based on the information above, the only account in the list that met both conditions was jcoachj@gmail.com.
According to the case information, the class list for Chemistry 109, taught by the victim Lily Tuckrige, was as follows:
Chemistry 109 class list:
Teacher: Lily Tuckrige
Students:
Amy Smith
Burt Greedom
Tuck Gorge
Ava Book
Johnny Coach
Jeremy Ledvkin
Nancy Colburne
Tamara Perkins
Esther Pringle
Asar Misrad
Jenny Kant
Among them, Johnny Coach was most likely the owner of jcoachj@gmail.com.
Google search history
To better understand the suspect's behaviour, I used Wireshark's display filter to select the Google search traffic that met the following conditions:
1. Source IP address 192.168.15.4
2. User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
This traffic was Johnny Coach's Google search history.
The filter syntax I used was:
ip.addr == 192.168.15.4 and http.user_agent == "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" and http.host == "www.google.com" and http.request.uri contains "search?"
I got the following results:
(Figure 9. Wireshark display filter for Google search history)
According to the filter results, Johnny Coach searched Google for the keywords "I want to harass my teacher" and "send anonymous mail", among others, before he sent the harassing email to Lily Tuckrige (2008-07-22 06:02:57 UTC).
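The same selection can be reproduced outside Wireshark. The following is an added example, not part of the original report: it applies the four clauses of the display filter above to rows exported from a capture and decodes the search terms. The tshark export format and the sample rows are assumptions; the rows are constructed and not taken from the real nitroba.pcap.

```python
# Re-implement this report's Wireshark display filter in Python: keep the
# suspect's HTTP requests (source IP + User-Agent) to www.google.com and
# decode the search terms from the request URI. The rows are constructed
# stand-ins for fields exported from a capture with, for example:
#   tshark -r nitroba.pcap -Y http.request -T fields -E separator='|' \
#       -e ip.src -e http.user_agent -e http.host -e http.request.uri
# None of the rows below are taken from the real nitroba.pcap.
from urllib.parse import parse_qs, urlsplit

SUSPECT_IP = "192.168.15.4"
SUSPECT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Constructed export: ip.src|http.user_agent|http.host|http.request.uri
SAMPLE_ROWS = """\
192.168.15.4|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)|www.google.com|/search?hl=en&q=send+anonymous+mail&btnG=Search
192.168.15.4|Mozilla/4.0 (compatible; MSIE 5.5)|www.google.com|/search?q=chem+109+homework
192.168.15.4|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)|www.google.com|/complete/search?hl=en&client=suggest&q=sen
192.168.15.4|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)|mail.google.com|/mail/?ui=1
192.168.15.4|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)|www.google.com|/search?hl=en&q=I+want+to+harass+my+teacher
192.168.15.7|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)|www.google.com|/search?q=same+browser+other+host
"""

def parse_rows(text):
    """Split the pipe-separated export into dicts keyed by field name."""
    fields = ("ip_src", "user_agent", "host", "uri")
    return [dict(zip(fields, line.split("|", 3)))
            for line in text.splitlines() if line.strip()]

def matches_report_filter(row, ip=SUSPECT_IP, ua=SUSPECT_UA):
    """The four clauses of the report's display filter, as one boolean."""
    return (row["ip_src"] == ip and row["user_agent"] == ua
            and row["host"] == "www.google.com" and "search?" in row["uri"])

def google_searches(rows, ip=SUSPECT_IP, ua=SUSPECT_UA, strict_path=True):
    """Decoded 'q' terms of matching rows, in capture order.

    strict_path=True also requires the path to be exactly /search, which
    drops Google Suggest autocomplete calls (/complete/search?...) that the
    'contains "search?"' clause matches as well.
    """
    terms = []
    for row in rows:
        if not matches_report_filter(row, ip, ua):
            continue
        parts = urlsplit(row["uri"])
        if strict_path and parts.path != "/search":
            continue
        q = parse_qs(parts.query).get("q")  # '+' and %xx are decoded here
        if q:
            terms.append(q[0])
    return terms
```

Note that the `contains "search?"` clause also matches autocomplete requests, which carry partially typed text rather than a submitted query; the `strict_path` check separates the two.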
Exclusion of suspects
Amy Smith
It is worth noting that a keyword search for the victim Lily Tuckrige's user account "lilytuckrige" reveals Frame #90426, which also contains another user account, "amy789smith".
The protocol in Frame #90426 was YMSG, the protocol used by Yahoo Messenger. It can therefore be inferred that "amy789smith" may have been a Yahoo Messenger contact of "lilytuckrige", and that the account holder may have been Amy Smith, a student in Chemistry 109.
However, when I searched for "amy789smith" as a keyword I found Frame #90471, and from the same TCP stream (1864) I learned that amy789smith's User-Agent was "Mozilla/4.0 (compatible; MSIE 5.5)", which did not match the conditions. The possibility that Amy Smith sent the harassing emails was therefore excluded.
Conclusion
Based on my investigation and the information provided in the evidence file "nitroba.pcap", Johnny Coach sent harassing emails with the subject lines "Your class stinks" and "You can't find us" to Lily Tuckrige, his teacher in CHEM109 at Nitroba University, on 2008-07-22 06:02:57 UTC and 2008-07-22 06:04:24 UTC via the online anonymous email sites "www.sendanonymousemail.net" and "www.willselfdestruct.com".
Also, based on the information provided in the evidence file "nitroba.pcap", Johnny Coach searched Google for the keywords "I want to harass my teacher" and "send anonymous mail", among others, before he sent the harassing email to Lily Tuckrige (2008-07-22 06:02:57 UTC).
Appendices
Tools/Software used
The tools and version information used in this case are as follows:
Screen shots of anonymous email website
www.willselfdestruct.com (Snapshot by https://web.archive.org/)