Chapter 11. Case Studies

This chapter presents two case studies that illustrate how all the techniques I talked about in previous chapters are applied in real investigations.

The first case is a study of a pair of phishing attempts that revealed a surprising amount of information about the scam and the person responsible for it. This shows how Internet forensics can provide a great depth of detail about a single operation.

In contrast, the second example shows how forensics can be used very broadly across a large collection of spam messages to show how networks of computers are being hijacked and used as email relays.

Case Study 1: Tidball

This case study describes a pair of phishing attempts that took place in early 2005. For reasons that will become apparent, I refer to the individual, or group, responsible for the scam as Tidball.

The Initial Emails

It started out with an email, dated 29 January 2005, that appeared to be from Washington Mutual Bank and that included the following text.

We recently have determined that different computers have logged onto your Washington Mutual Bank Online Banking account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us. If this is not completed by Feb 01, 2005, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner.

This looked like a typical phishing email and included a link ...
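The two things an investigator pulls out of a message like this first are the Received headers (to find where it really entered the mail system) and the links (to see where the lure actually points, as opposed to where it claims to point). As an added example, not code from the book or from the author's own toolkit, the Python script below does both against a constructed sample message. The lure text paraphrases the email quoted above, but every header, address, IP (RFC 5737 test ranges) and URL (.example names) in the sample is invented for illustration and does not describe the real Tidball messages.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. The body paraphrases the lure quoted above;
# all headers, hosts, IPs and URLs are invented for illustration.
SAMPLE_EMAIL = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
    by mx.example.net with ESMTP id abc123
    for <victim@example.net>; Sat, 29 Jan 2005 10:15:02 -0500
Received: from [198.51.100.23] (unknown [198.51.100.23])
    by mail.example.com with SMTP id xyz789; Sat, 29 Jan 2005 10:14:55 -0500
From: "Washington Mutual Bank" <support@wamu.example>
To: victim@example.net
Subject: Confirm your online banking account
Date: Sat, 29 Jan 2005 10:14:50 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>We recently have determined that different computers have logged onto
your Washington Mutual Bank Online Banking account ...</p>
<p>Please visit <a href="http://198.51.100.23/wamu/login.php">https://online.wamu.example/login</a>
to re-confirm your account information, or <a href="http://online.wamu.example/help">click here</a>
for help.</p>
</body></html>
"""

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Anchor text that looks like a URL or bare hostname; group 1 is the host shown to the victim.
URL_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#:]|$)")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def received_hops(msg):
    """Each relay prepends its own Received header, so reversing the list
    gives the path in chronological order: element 0 is the earliest hop."""
    return [" ".join(str(h).split()) for h in reversed(msg.get_all("Received", []))]


def suspicious_links(links):
    """Flag links whose target is a bare IP, or whose visible text names a
    different host than the one the href really points to."""
    findings = []
    for href, text in links:
        host = (urlparse(href).hostname or "").lower()
        shown = URL_LIKE.match(text)
        reasons = []
        if IPV4.fullmatch(host):
            reasons.append("target is a bare IP address")
        if shown and shown.group(1).lower() != host:
            reasons.append(f"displayed host {shown.group(1)!r} differs from target {host!r}")
        if reasons:
            findings.append((href, reasons))
    return findings


def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    hops = received_hops(msg)
    # The earliest Received header is the closest thing to the origin we have;
    # its IP literal is a starting point for lookups, not proof (earlier
    # headers can be forged by the sender, later ones by relays).
    origin = IPV4.search(hops[0]) if hops else None
    links = extract_links(html)
    return {
        "from": str(msg["From"]),
        "hops": hops,
        "origin_ip": origin.group(0) if origin else None,
        "links": links,
        "suspicious": suspicious_links(links),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_EMAIL)
    print("claimed sender:", report["from"])
    print("origin IP (earliest Received):", report["origin_ip"])
    for href, reasons in report["suspicious"]:
        print(href, "->", "; ".join(reasons))
```

On the sample, the script reports the earliest hop as 198.51.100.23 and flags the login link twice: its target is a bare IP address, and the host it displays is not the host it visits. The "click here" link is not flagged, because text that is not URL-like gives the victim nothing to compare against. Whether a real IP belongs to the scammer or to a hijacked relay is the question the rest of the case study goes on to answer.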
