Potential Manipulation of Email Name


UnallocatedClusters
Senior Member
 

Potential Manipulation of Email Name

Posted: Nov 11, 19 23:52

Opponents in a civil case I am working on have produced multiple emails with different "aliases" and are suspected of fraud:

James Smith <[email protected]>
JS <[email protected]>
JSmith <[email protected]>
MyCompany <[email protected]>
JamesSmith <[email protected]>

I have performed email header analysis and some of the above emails include an Apple Mail designation in the header, whereas other email headers refer to Google.

The suspected fraud includes the manual manipulation of the sent emails.

QUESTION:

What would cause the "alias" (if I am using the correct terminology) of emails to differ, such as "James Smith" versus "JS" versus "MyCompany"?
 
  

athulin
Senior Member
 

Re: Potential Manipulation of Email Name

Posted: Nov 12, 19 06:49

- UnallocatedClusters
QUESTION:

What would cause the "alias" (if I am using the correct terminology) of emails to differ, such as "James Smith" versus "JS" versus "MyCompany"?


What you call 'alias' is generally called 'display-name', from the term defined in the RFC 2822 specification (section 3.4). It's a name intended for human eyes only. It's typically (but not exclusively) added by the email client when it sends a mail to its MTA, the outgoing mail server for transport, and is, generally, based on information the user supplied when that specific account was set up.

(Added: RFC 2822 has been obsoleted. But 3.4 in RFC 5322 says the same thing ...)

If you set up multiple clients, (or multiple accounts on the same client) and give those accounts different display names, different names will be used in From: addresses in mails sent.

In To: addresses, they are not technically significant: they're typically what the replying party writes in / copies from a mail, or has in his address book. And that in turn is often dependent on what an earlier mail contained, and that, as already noted, may depend on which of multiple clients the sender was using. But ... as most email clients allow users to enter display names in recipient addresses, it can be just what that user does enter -- multiple clients need not be involved.

Often, when beginning email users learn what names they entered during client account setup, they go back and change them. I've seen 'WhatTheF...ShouldIWriteHere' (or words to similar effect) as display-name in mail addresses. As a user is usually given the ability to do that at any time or any number of times, using that ability is, on its own, hardly an issue.

Thus, the significance of display-name is in general low. It's only when you know that it has not been supplied by hand, nor faked by a name generator, and does rely on earlier mail the sender received, that it may start to mean anything.



I have performed email header analysis and some of the above emails include an Apple Mail designation in the header, whereas other email headers refer to Google.

The suspected fraud includes the manual manipulation of the sent emails.


So, without further details, I would expect the Apple Mail client to have been set up to use one display-name, and a Google mail account set up to use another. Add additional account setups, or a user who hasn't decided what his display-name should be and changes it, to make up for the rest.

I can see no fraud involved in changing a display-name, at least not without further details. I'd need at least a display-name definitely associated with an entirely different person, and some form of assumption that that false display-name be taken for a real one, and so a mail from user A be taken for a mail from user B, before I would even entertain the idea.

If the display-names you mention are real (or at least reflect reality), I'd suspect a user with multiple mail accounts, set up at different times, on different stationary and mobile devices ... and even some web mail accounts, and who didn't think having the same display-name would be of any significance whatsoever. If the mails were sent (?) over a very short time, say a few hours, I might want to ask what problems he was experiencing at the time. If they are from a much longer period, I might want to ask how many mobile phones had been replaced over that period.

If I knew that the recipient used display-name for mail filtering (instead of the real sender address -- which seems to stay the same) I might suspect an attempt to bypass a mail filter. But I'd also expect some wildly new display-names, not ones that are closely related to 'the real one' (if one exists).
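The point made above, that the display-name is free-form and only the addr-spec identifies the mailbox, can be checked mechanically over a set of produced emails. The following is an added example, not code from the thread or from any poster; the five From: headers are constructed to mirror the list in the first post, and the client hint is a heuristic (Apple Mail sets an X-Mailer header; Gmail-originated Message-IDs commonly end in @mail.gmail.com), not an authoritative determination.

```python
"""Inventory the display-names used with one mailbox and note the sending client.
Added example, not code from the thread; all sample headers are constructed."""
import email
import email.policy
from collections import defaultdict

# Constructed headers modelled on the OP's list: five display-names, one mailbox.
SAMPLES = [
    "From: James Smith <jsmith@example.com>\n"
    "X-Mailer: Apple Mail (2.3445.104.11)\n"
    "Message-ID: <A1B2C3@example.com>\n\n",
    "From: JS <jsmith@example.com>\n"
    "Message-ID: <CAFx1y2z@mail.gmail.com>\n\n",
    "From: JSmith <jsmith@example.com>\n"
    "User-Agent: Mozilla Thunderbird\n"
    "Message-ID: <d4e5f6@example.com>\n\n",
    # quoted display-name and a mixed-case domain (domains are case-insensitive)
    "From: \"MyCompany\" <jsmith@Example.COM>\n"
    "Message-ID: <g7h8i9@mail.example.org>\n\n",
    # RFC 2047 encoded display-name; '_' decodes to a space
    "From: =?utf-8?q?J_Smith?= <jsmith@example.com>\n"
    "Message-ID: <j0k1l2@mail.gmail.com>\n\n",
]


def sender(msg):
    """Return (display_name, addr_spec) of the first From: mailbox.

    The domain is lower-cased so the same mailbox groups together; the local
    part is left as-is because RFC 5322 allows it to be case-sensitive.
    """
    addr = msg["From"].addresses[0]
    return addr.display_name, f"{addr.username}@{addr.domain.lower()}"


def client_hint(msg):
    """Heuristic only: an explicit mailer header if present, else the Message-ID host.

    Apple Mail sets X-Mailer; Thunderbird sets User-Agent; webmail often sets
    neither, in which case the Message-ID host is the next best indicator.
    """
    for field in ("X-Mailer", "User-Agent"):
        if msg[field] is not None:
            return str(msg[field])
    mid = str(msg["Message-ID"] or "")
    if "@" in mid:
        return "Message-ID host: " + mid.rsplit("@", 1)[1].strip("> ")
    return "unknown"


def display_names_by_mailbox(raw_messages):
    """Map each addr-spec to the list of (display_name, client_hint) seen for it."""
    seen = defaultdict(list)
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=email.policy.default)
        name, addr = sender(msg)
        seen[addr].append((name, client_hint(msg)))
    return dict(seen)


if __name__ == "__main__":
    for addr, uses in display_names_by_mailbox(SAMPLES).items():
        print(addr)
        for name, hint in uses:
            print(f"  display-name {name!r:<16} via {hint}")
```

Run against the real production set, the output answers the question asked in the thread directly: one addr-spec, several display-names, and for each one whichever client hint the headers happen to carry. A display-name that differs between an Apple Mail message and a Gmail message is exactly the pattern the reply above attributes to separate account setups.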
 
  

UnallocatedClusters
Senior Member
 

Re: Potential Manipulation of Email Name

Posted: Nov 14, 19 20:37

Thank you - very helpful.

So basically one can input different "Display Names" on different email clients:

I could input "John Smith" as a display name using an Outlook client on one laptop and input "JSmith" as a display name using Outlook on a separate desktop computer, which would result in the different display names appearing depending upon which Outlook client was used to send a given email.
 
  

athulin
Senior Member
 

Re: Potential Manipulation of Email Name

Posted: Nov 15, 19 20:13

- UnallocatedClusters
I could input "John Smith" as a display name using an Outlook client on one laptop and input "JSmith" as a display name using Outlook on a separate desktop computer, which would result in the different display names appearing depending upon which Outlook client was used to send a given email.


I'm not sufficiently expert in Outlook client management to answer in the affirmative for all cases. For example, Outlook in corporate environments may have the display name stored in AD, and so be dependent on AD user account information, and AD setups may also allow admins to prevent alteration of some information by the end-user. That kind of possible complication would need the knowledge of an Outlook admin to be reasonably confident about. (Added: With Microsoft 365, there apparently is an AD around even if the customer may not be aware of it ... potentially more complexity.)

Local admin user rights might also be a complicating affair.

I'd basically want to talk to anyone who was mail admin for any organizational infrastructure to get my head around how these things were set up, if there were any policies or recommendations or guidelines to use, or to learn that it was a free-for-all, dependent on whoever got the relevant ticket to help the user.

If there is no such infrastructure, and for standalone installations on separate computers/platforms, I believe it to be correct.  

Last edited by athulin on Nov 16, 19 16:20; edited 1 time in total
 
  

gungora
Member
 

Re: Potential Manipulation of Email Name

Posted: Nov 16, 19 03:15

- UnallocatedClusters

The suspected fraud includes the manual manipulation of the sent emails.


If this manual manipulation took place after the email passed through the MTA, I would check to see if the email passes DKIM validation. If DKIM fails, and if you have information on what the display name should look like, you can even take this a step further and see if DKIM verifies with the display name you assume to be correct.

I had a quick writeup on this here:
Leveraging DKIM in Email Forensics
_________________
Arman Gungor

Metaspike
Developers of Forensic Email Collector
www.metaspike.com 
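The DKIM check suggested in the post above works because RFC 6376 requires the From: header to be among the signed headers, so any edit to the display-name after signing changes the data the signature covers. The following added example (not code from the thread, from Metaspike, or from any poster) implements the two canonicalisation steps of RFC 6376 for c=relaxed/relaxed and the hash a verifier computes over them; it stops short of the RSA check itself, which needs the selector's public key from DNS and is what a library such as dkimpy performs. The message, selector and bh=/b= values are constructed placeholders.

```python
"""Show how DKIM's header hash binds the From: display-name (RFC 6376, relaxed
canonicalisation).  Added example; not code from the thread or from Metaspike."""
import base64
import hashlib
import re

# Constructed sample message; bh= and b= are placeholders, not a real signature.
RAW = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\r\n"
    "\th=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: James Smith <jsmith@example.com>\r\n"
    "To: Counsel <counsel@example.net>\r\n"
    "Subject: Invoice 1234\r\n"
    "Date: Mon, 11 Nov 2019 23:52:00 +0000\r\n"
    "\r\n"
    "Please find the invoice attached.\r\n"
)


def split_message(raw):
    """Return ([(name, raw_value), ...], body), keeping folded lines in raw_value."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:      # folded continuation line
            headers[-1][1] += "\r\n" + line
        else:
            name, _, value = line.partition(":")
            headers.append([name, value])
    return [tuple(h) for h in headers], body


def relaxed_header(name, value):
    """RFC 6376 s3.4.2: lowercase name, unfold, squeeze WSP, trim, 'name:value\\r\\n'."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.strip().lower()}:{value}\r\n"


def relaxed_body(body):
    """RFC 6376 s3.4.4: trim trailing WSP, squeeze WSP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(body):
    """bh= value: base64(SHA-256(canonicalised body)); compare with the bh= tag first."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def strip_b_tag(sig_value):
    """Empty the b= value (the signature bytes) before hashing DKIM-Signature itself."""
    return re.sub(r"(?:^|(?<=[;\s]))b=[^;]*", "b=", sig_value)


def signed_header_hash(headers, dkim_value):
    """Hash the h= headers (each name taken from the bottom up) then DKIM-Signature sans b=."""
    h_tags = re.search(r"(?:^|[;\s])h=([^;]*)", dkim_value).group(1)
    wanted = [t.lower() for t in re.sub(r"\s+", "", h_tags).split(":")]
    pool = list(headers)
    h = hashlib.sha256()
    for name in wanted:
        for i in range(len(pool) - 1, -1, -1):
            if pool[i][0].strip().lower() == name:
                h.update(relaxed_header(*pool.pop(i)).encode())
                break
    h.update(relaxed_header("DKIM-Signature", strip_b_tag(dkim_value)).rstrip("\r\n").encode())
    return h.hexdigest()


def dkim_view(raw):
    """Return (header_hash, bh) as a verifier would compute them for this message."""
    headers, body = split_message(raw)
    dkim_value = next(v for n, v in headers if n.lower() == "dkim-signature")
    signed = [(n, v) for n, v in headers if n.lower() != "dkim-signature"]
    return signed_header_hash(signed, dkim_value), body_hash(body)


def with_display_name(raw, new_name):
    """Constructed tampering: rewrite only the From: display-name, nothing else."""
    return re.sub(r"^From: .*?<", lambda m: f"From: {new_name} <", raw, count=1, flags=re.M)


if __name__ == "__main__":
    original = dkim_view(RAW)
    altered = dkim_view(with_display_name(RAW, "JS"))
    restored = dkim_view(with_display_name(with_display_name(RAW, "JS"), "James Smith"))
    print("header hash changes when display-name is edited:", altered[0] != original[0])
    print("body hash unaffected by a header edit:          ", altered[1] == original[1])
    print("restoring the assumed original name restores it: ", restored == original)
```

The procedure the post describes maps onto the two hashes: if bh= no longer matches the body, the body was edited after signing; if bh= matches but the signature fails, a signed header was edited, and substituting the display-name you believe to be the original and re-verifying tests that hypothesis. Two caveats apply in practice: the relaxed canonicalisation above deliberately ignores whitespace changes, so a whitespace-only edit is invisible to DKIM, and a message that carries no DKIM-Signature at all (common for mail sent through providers that do not sign) offers nothing to verify, which proves neither tampering nor integrity.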