Wrong timestamp on Yahoo Mail email


Re: Wrong timestamp on Yahoo Mail email

Post Posted: Wed Feb 07, 2018 12:48 pm

Apologies, I missed that email being sent in 2011.  

badgerau
Senior Member
 
 
  

Re: Wrong timestamp on Yahoo Mail email

Post Posted: Wed Feb 07, 2018 1:25 pm

- badgerau
Apologies, I missed that email being sent in 2011.


No prob :) , but it is anyway not that if it was sent in 2013 things would have changed.

A data breach capable of stealing data is very different from the kind of "take control" capabilities needed to offset time of a network.

Which doesn't mean that it cannot have happened, only that IF it happened it would have been unrelated to the data breach.

One could extrapolate that the 2013 data breach was a consequence of poor security that affected the whole Yahoo networks since long before the actual exploit took place, let's say for the sake of reasoning 2009, but it still wouldn't be (IMHO) reasonable.

BTW I believe that anyway even "private" and "large" networks like Yahoo, which surely has its own time servers, rely (indirectly) on public NTP servers or, more properly, on pools of them; the issue is usually in the syncing of seconds (or less), and the whole stuff is somehow intertwined with other sources like GPS or other satellite networks.
Example:
www.meinbergglobal.com...server.htm


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Wrong timestamp on Yahoo Mail email

Post Posted: Wed Feb 07, 2018 2:03 pm

I lived in a town 250 miles from the person to whom my email was sent. I had moved back to Toronto a couple of months before and I had some stuff still at my friend's house. He had sent me an email on Sep 18, 2011 asking when I would pick it up and it was clear he wanted me to get the stuff out of his yard. The Sep 19, 2011 email said that I would get it at the earliest. After sending the email I decided I'd better go and get it. A very serious crime took place in that vicinity, at the home of someone I know, and it was known that there was considerable enmity between us. I would have been the prime suspect in any case. But I explained to the police what I was doing there in the first place and that after sending the email I decided to drive up there. The police looked at the email and the timestamp said 12:06, which was within half an hour of the crime: it was made out in court that I was trying to create an alibi for myself that I was in Toronto at 12:06 pm and nowhere near the crime, but the timestamp doesn't lie.
Obviously there is more to this story but I said in my first post here that it is a very long story and so it is.

I was arrested 3 days later. I was denied bail due to the seriousness of the crime and spent 3 1/2 years in custody awaiting trial which took place in March 2015: it was in trial that the prosecution sprung a police forensic computer expert on the defense with only 3 days' notice, which is legal in Canada. The expert testified there was no question the email was sent at 12:06pm--making me a liar in front of the jury. I was convicted and sentenced to years in prison. I was released on bail by the Court of Appeal in Feb 2016. My bail had to be renewed periodically and the last renewal stipulated that the completed appeal must be filed by the end of this month. FF is hardly my first attempt to find proof of when the email was sent, in fact I had just recently accepted the fact that I am never going to be able to prove when the email was sent--if I could, undoubtedly my conviction would be overturned by the Court of Appeal.

"IF it happened then... ". Clearly you doubt the veracity of what I am saying, and you aren't the first. It has been opined that I am clutching at straws hoping an expert might--just might--find something that could make this story true.

It is true.

And I am back to simply accepting that I am never going to be able to come up with that which would prove it.  

freebird
Member
 
 
  

Re: Wrong timestamp on Yahoo Mail email

Post Posted: Wed Feb 07, 2018 2:36 pm

- freebird

"IF it happened then... ". Clearly you doubt the veracity of what I am saying, and you aren't the first. It has been opined that I am clutching at straws hoping an expert might--just might--find something that could make this story true.


Not at all :) , there are several distinct things (none of which affect my trusting your word for it):

Q1) Is it possible that there was *somehow* an error in the whole thing?
A1) Yes, it is possible, and if there was such an error a possible theory (to be verified experimentally and coincidentally in accordance with your reported "low Wi-Fi signal" report) has been provided.

Q2) Is it likely that the error lies in Yahoo time servers?
A2) No, it is IMHO very, very unlikely.

Q3) Is there any error (formal or mathematical) interpreting the data?
A3) Seemingly not, again IMHO and from the data provided.

Q4) Is the "right" next step attempting to obtain from Yahoo the server side logs?
A4) No, this will lead you nowhere, for two reasons, first one being that you won't obtain them (or you won't obtain them in a timely fashion), second since (IMHO) there is not any issue on Yahoo servers even if you obtain them they will not provide any additional meaningful information/data.

Q5) What is then the "right" next step?
A5) Test the given theory or - much better - find someone willing to test it that has also the capability - should it prove to be correct - to act as expert witness in Court.

Q6) Anything else I can do?
A6) IF it is possible, find a competent forensic expert to make a full timeline of the activities of the PC (I believe you said that the laptop is still available and has not been touched/modified since 2011); this may provide additional data (as said, whether these additional data might be actually exculpatory evidence is another thing).

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Wrong timestamp on Yahoo Mail email

Post Posted: Wed Feb 07, 2018 3:46 pm

I can't imagine it possible to duplicate the original conditions because:
1. The email was sent from Toronto and I am now restricted by bail conditions from leaving Kingston (where I am now and a matter of 25 miles from where the crime was committed).

2. Even if I could get to the residence in Toronto from where the email was sent, it is questionable as to whether the same wifi source that I was "bumming off" at the time is still operating--and I don't remember the name of the wireless network I used at the time (it didn't seem very important at that time), and even still most ppl these days have passwords on their routers.

Do not think that I am trying to negate a possible solution, I just can't imagine how I could duplicate the conditions.

I assure you that I am grateful someone is at least trying to help.  

freebird
Member
 
 
  

Re: Wrong timestamp on Yahoo Mail email

Post Posted: Fri Feb 09, 2018 4:51 am

- freebird
I can't imagine it possible to duplicate the original conditions because:

1. & 2.
Maybe you misunderstood (or I wasn't clear enough): there is not any "geographical" restriction, nor any need of the original equipment.

The theory is that the e-mail service essentially works as a file transfer.

The file is transferred (via Wi-Fi) from your computer to a local router, then transferred from the local router to a Yahoo server, then transmitted (within the Yahoo network) to one or more other Yahoo "intermediate" servers, until it is finally delivered to the (in your case still Yahoo) recipient's server.

The hypothesis is that the "Sent" timestamp is generated only when the file has in its entirety reached the first Yahoo server and it is sent by it to the "next" server.

You can compare it with how a "normal" letter works, you walk to the mailbox at the corner of the street and drop the letter into it, then some time later a postman collects all the letters from the mailbox and carries them to the Post Office, and it is only once it is in the Post Office that the envelope is stamped with the sent date.

The sent stamp does not consider in any way the time from the moment you dropped the letter in the mailbox until it reached the Post Office and it was processed.

As hinted before the test to be made is only about attempting to slow down the outbound connection from a computer (towards a Yahoo mail server) to replicate the reportedly weak (and thus slow/subject to error/retries) Wi-Fi connection you mentioned.

The questions are:
1) How slow can the connection be made before it times out/fails?
2) Is such speed slow enough to justify that it took several hours to upload the mail to Yahoo servers?

In any case, and given that the theory is valid and that the tests succeed, even if you were (no offence intended :) ) technically savvy enough to test and find out the above, the results would anyway hardly be presentable in Court, so you need anyway a professional to do the tests, write a proper report about them and eventually testify as an expert witness in Court.

Of course it is well possible that the Yahoo mail servers currently work differently (different settings, timeouts, etc.) from the way they worked six years ago, and even if all the tests confirm the theory, it would only be a possible (reasonable) explanation of what happened, not so easy to affirm that it represents what could have actually happened.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
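
The hypothesis in the post above is about which system writes which timestamp. As an added example (not part of any post in this thread), this Python sketch lays out the timestamps a message carries in its Date and Received headers, normalised to UTC, with the gap at each hop. The sample message, its hosts, addresses and times are constructed, and the stamps are assumed to follow the usual "; date" trailer of a Received header.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message: every host, address and time below is invented.
SAMPLE = """\
Received: from mta2.mail.example (mta2.mail.example [192.0.2.20])
    by mx.recipient.example with ESMTP id CCC;
    Mon, 05 Feb 2018 13:15:09 -0500
Received: from web1.mail.example (web1.mail.example [192.0.2.10])
    by mta2.mail.example with SMTP id BBB;
    Mon, 05 Feb 2018 18:15:05 +0000
Received: from [198.51.100.7] by web1.mail.example via HTTP;
    Mon, 05 Feb 2018 10:15:03 -0800
Date: Mon, 05 Feb 2018 10:15:02 -0800
Subject: constructed test message

body
"""

def to_utc(stamp):
    """Parse an RFC 5322 date string and normalise it to UTC."""
    return parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)

def received_hops(msg):
    """Return (stamping host, UTC time) per Received header, oldest hop first."""
    hops = []
    # Each server prepends its own header, so the list is newest-first.
    for value in reversed(msg.get_all("Received", [])):
        info, _, stamp = value.rpartition(";")  # the stamp follows the last ';'
        host = re.search(r"\bby\s+(\S+)", info)
        hops.append((host.group(1) if host else "?", to_utc(stamp)))
    return hops

def timeline(raw):
    """Return (Date in UTC, rows of (host, time, s since Date, s since previous))."""
    msg = message_from_string(raw)
    date_hdr = to_utc(msg["Date"])
    rows, prev = [], date_hdr
    for host, when in received_hops(msg):
        rows.append((host, when, (when - date_hdr).total_seconds(),
                     (when - prev).total_seconds()))
        prev = when
    return date_hdr, rows

if __name__ == "__main__":
    for host, when, since_date, since_prev in timeline(SAMPLE)[1]:
        print(f"{when.isoformat()}  {host:22} +{since_date:.0f}s  (hop {since_prev:.0f}s)")
```

Each Received stamp is written by the receiving server on arrival, so the gaps measure server-to-server transit and say nothing about how long the upload from the client to the first server took.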
 
 
