Heavy reliance on forensic tools is risky

@gorvq7222 (Reputable Member, Joined: 11 years ago, Posts: 236), Topic starter

We could take advantage of forensic tools to examine and analyze the evidence, but heavy reliance on forensic tools is risky. It's us who determine which clue is important or not, not the forensic tools. Here is a scenario about malware and a hacker. Agent 007 finds Carrie's computer infected by CryptoLocker, and he tries to figure out what's going on. 007 uses lots of forensic tools to analyze for a very long time, and he recovers the malware in partition D. Unfortunately he could not find where the malware came from.

Agent 008 takes over this case and starts to review 007's report. 008 goes back to the evidence and takes a look at all the e-mails in the .pst files. Fortunately he found what was going on between Carrie and her colleague Rick, and the malware pretending to be a normal anti-virus update file. Look at the picture in my blog at the link below.
http://www.cnblogs.com/pieces0310/p/4727788.html

You can see that the caption of the sender is "Sysadmin@mnd.gov.tw", but when you look into the mail header, you will find that the authenticated sender is actually "rick@mnd.gov.tw".

What forensic tools do is reduce the scope so you can analyze the evidence efficiently. Forensic tools cannot "tell" you that it is very suspicious that the actual sender is Rick, not Sysadmin; you have to figure it out on your own.

By the way, an experienced forensic guy knows that the caption of the sender can be faked, so he/she will take a look at the authenticated sender to see if anything is strange. The more experience you have with computer hardware/software, the fewer mistakes you will make.

@jhup (Noble Member, Joined: 16 years ago, Posts: 1442)

… except that X- SMTP headers are optional, and non-standard.

Maybe it wasn't Rick. Carrie caused the problem, injecting the X- line to frame Rick…

Of course, there could be additional corroborating/contradicting evidence:

X-Mailer: Microsoft Outlook Express 6.00.3790.1380

Suggesting that the machine was an MS XP Pro 64-bit, 5.2.3790.1380 edition. Does Rick or Carrie have access to that?

@gorvq7222 (Reputable Member, Joined: 11 years ago, Posts: 236), Topic starter

Hi jhup,

Thanks for your comment. What I'm trying to say is that forensic tools won't "read" e-mails for forensic guys, but sometimes the clue/answer is really very simple. When agent 008 read all the e-mails, he realized that Carrie and Rick hadn't got along well for a very long time… that could be the motive…

Also, forensic tools won't send alerts to forensic guys that the caption of the sender is different from the actual authenticated sender…
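The checks discussed in this thread, as an added Python example that is not part of the thread or of any tool mentioned in it. It compares the From: address with every header that names the real submitting party, keeping jhup's caveat that X- headers are non-standard and can be written by anyone along the path; it records the X-Mailer value as a lead to corroborate against what the suspects' machines run; and it flags an attachment whose name disguises an executable as a document, which is what the "anti-virus update" in the scenario amounted to. The message, addresses, host names, ids and date are all constructed for the example, and the header names other than From are the example's own choice of what to compare.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import Optional

# Constructed sample: a disguised "anti-virus update" mail like the one in the
# scenario. Every address, host, id and date below is made up for the example.
SAMPLE_MSG = b"""Return-Path: <rick@example.gov.tw>
Received: from mail.example.gov.tw (mail.example.gov.tw [192.0.2.10])
    by mx.example.net with ESMTP id CONSTRUCTED123
    for <carrie@example.gov.tw>; Mon, 10 Aug 2015 09:12:31 +0800
X-Authenticated-Sender: rick@example.gov.tw
X-Mailer: Microsoft Outlook Express 6.00.3790.1380
From: "Sysadmin" <Sysadmin@example.gov.tw>
To: carrie@example.gov.tw
Subject: Anti-virus update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please install the attached update.
--b1
Content-Type: application/octet-stream; name="avupdate.pdf.exe"
Content-Disposition: attachment; filename="avupdate.pdf.exe"

placeholder-bytes-not-a-real-binary
--b1--
"""

# Headers that can name the real submitting party, mapped to whether they are
# standardised. Sender and Return-Path are defined by RFC 5322 / RFC 5321.
# X-Authenticated-Sender is a non-standard X- header that only some servers add
# and that any party on the path can insert or alter, so a mismatch there is a
# lead for the examiner to corroborate, not proof of who sent the mail.
SENDER_HEADERS = {
    "Sender": True,
    "Return-Path": True,
    "X-Authenticated-Sender": False,
}

# Extensions Windows will execute directly; used only for a naming heuristic.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def _parse(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def sender_findings(raw: bytes) -> list:
    """Report every submitter header whose address differs from the From: address."""
    msg = _parse(raw)
    _display_name, from_addr = parseaddr(str(msg.get("From", "")))
    findings = []
    for header, standard in SENDER_HEADERS.items():
        value = msg.get(header)
        if value is None:
            continue
        _, addr = parseaddr(str(value))
        if addr and addr.lower() != from_addr.lower():
            findings.append({"header": header, "standard": standard,
                             "from": from_addr, "actual": addr})
    return findings


def mailer(raw: bytes) -> Optional[str]:
    """X-Mailer is informational: a client/build string to check against the suspects' machines."""
    value = _parse(raw).get("X-Mailer")
    return None if value is None else str(value)


def risky_attachments(raw: bytes) -> list:
    """Flag attachments whose file name suggests an executable dressed up as a document."""
    out = []
    for part in _parse(raw).walk():
        if not part.is_attachment():
            continue
        name = part.get_filename() or ""
        low = name.lower()
        reasons = []
        if low.endswith(EXECUTABLE_EXT):
            reasons.append("executable extension")
            if low.count(".") >= 2:          # e.g. "update.pdf.exe"
                reasons.append("double extension")
        if reasons:
            out.append({"filename": name, "reasons": reasons})
    return out


if __name__ == "__main__":
    for f in sender_findings(SAMPLE_MSG):
        kind = "standard" if f["standard"] else "non-standard, could be injected"
        print(f"From {f['from']} but {f['header']} ({kind}) says {f['actual']}")
    print("X-Mailer:", mailer(SAMPLE_MSG))
    for a in risky_attachments(SAMPLE_MSG):
        print("Attachment", a["filename"], "->", ", ".join(a["reasons"]))
```

Run against the constructed message it reports two sender mismatches (one from the standard Return-Path, one from the non-standard X- header), the X-Mailer string, and the double-extension attachment. None of these findings is a conclusion on its own; as the thread says, the examiner still has to read the mails and weigh who could have written each header.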