Incident
1. A threatening email was sent to some media.
2. The IP address was ascertained from the headers, and attempts have been made without success to locate the real sender.
Facts ALREADY ESTABLISHED after investigation
a. The owner of the PC with the IP address had NO PART IN SENDING THE EMAIL; he was an innocent victim.
b. The connection was a wi-fi connection.
c. It was a free-standing PC and not part of a network having more than one PC connected.
d. The email address of the sender was abcetc…@a webmail .com such as Hotmail, Yahoo, or similar.
NO further progress has apparently been made to find out
FROM WHICH LOCATION
FROM WHICH PC and
BY WHOM
was the email sent.
Any thoughts on line of further examination?
Hi!
There is a program called email tracker. I'm not sure if it will work, but when I tried it, it worked fine. Sending email from my Gmail to my home mail, it stated that it came from Gmail.
http://www.emailtrackerpro.com/
As already mentioned, THE FAKE EMAIL CAME FROM PUBLIC WEB EMAIL SERVICES LIKE HOTMAIL, YAHOO ETC. (ALREADY DETERMINED WHICH ONE BECAUSE THAT WAS SHOWN AS SENDER ADDRESS).
The issue is more technical, as it has to be determined from which location, from which PC and by whom it was sent. At first, the first two things have to be found out; then the third is a question of detailed work.
The procedure could be: using the full headers of the received email, identify the sending IP. From there, subpoena the ISP of the owning IP address. Identify the customer that was using the IP at the time the email was sent. Obtain a court order to forensically duplicate, then examine, all the PCs that were using the IP.
Several points. 1) The return address means little; it's pretty easy to forge. The headers tell much more of the actual source. 2) A computer cannot be WiFi and stand alone at the same time. It either has a connection such as WiFi or it doesn't. 3) Most current web email services have pretty good password security. If the origin was from one of them, I'd consider that pretty conclusive as to which account was used.
Thanks. The reminder that the return address could be anything was quite useful.
So far, the PC to which the IP address belonged has been identified and the owner cleared after full inquiry.
So, it is very clear that someone else has hacked into his IP address, which I believe is fairly easy for wi-fi connections, and sent the message from another PC at another location, using the owner's IP address, which led to the owner being put under the scanner in the first place. The owner's PC is clean.
When I said it was a stand-alone, I meant that it was not networked with PCs of some others who might be working with him in an office or so.
I am wondering if the email service, based on the return address or the secondary headers, could be subpoenaed. But even in that case, would the servers of the email service have all messages transacted through that email address?
Seems to be a tough one.
Thanks.
A QUESTION
If the email was sent by hacking the IP address of the owner but from another PC, WOULD THE HEADERS REVEAL ANYTHING? IF IT WAS A WI-FI CONNECTION, THE HEADERS WOULD ONLY SHOW THE PRIMARY HEADERS WITH THE HACKED IP ADDRESS. Is that not so?
Are you thinking that someone hacked his IP address by using his wi-fi router? If so, check the router logs. That may give some leads.
(1) Have you established that the Bad Guy did not have control of the source PC? VNC is just one tool. If I were to attempt such skullduggery, and if I were to find such an open Wi-Fi network, that is the first task. So the "innocent" PC is the source of all evil things. Period.
(2) This fixation with IP addresses has me concerned. Consider this common hardware item
http//
Such devices have their own MAC addresses. So if the Bad Guy really wanted to hide his tracks, he would have a pocketful of these puppies. Use once, throw away, or grind into powder, depending. That particular item connects to an RJ-45 connector; such USB wireless NICs are also common. Which I am certain anyone reading this post knows.
Unique ID is only established by the pair of IP address and MAC address. A perhaps simplistic analogy is an Evil Phone Call from a pay phone. Unless there is other evidence, such as a video of the caller's car parked outside said phone, exactly what have you got to work with?
Just a thought but given how easy MAC is to spoof, why bother? Besides, MAC won't be of any help in a case like this since it's not recorded in the email header.
OP, a bigger question is why bother? If the owner of the email address was cleared, it's probably a dead end case without significant investment in investigation costs.
br945,
I feel your pain, no one seems to be answering your question.
No, if you've already tracked back to the original node [read IP/network] which was responsible for generating the e-mail, and the owner of said node is not responsible, there are not any other ways you could use the header to determine more accurately who was responsible for generating the e-mail. If a wi-fi connection existed on that node and it was unsecured, someone could have very easily accessed it and sent the e-mail and, assuming the AP does not generate logs, it would be untraceable.
Hypothetically, if the access point/router/gateway/whatever did generate logs and you would be able to pinpoint the specific connection which generated the e-mail using date/timestamps, you would get the MAC address of the computer's wireless NIC and [possibly] the hostname of the computer. If the person was smart, they'd use a PCMCIA wireless NIC and simply discard it after they were done, and there would go the MAC link.
Another hypothetical: if you suspected an individual in particular, you could do a forensic analysis of their machine and possibly identify artifacts related to the sending of the e-mail. But this would work in reverse, i.e. only after you have someone in custody, and would not allow you to identify someone before then, as you seem to want to be able to do here.
You could always go the circumstantial route: if you have the IP address of where the e-mail came from (assuming it wasn't spoofed), and the date and time the e-mail was sent, then you could use other means to determine who the perp was. For example, if the IP address was from a gated residential area or a business, maybe there were cameras which recorded who was in the area at the time. Or maybe knocking on doors in the area would lead to someone remembering a suspicious car parked outside, or maybe it was a neighbor, etc. Like I said, circumstantial, but it's a route.
Jeff
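The two header-based steps suggested above (read the Received chain rather than the From line to find the submitting IP, then correlate the timestamp with access-point logs to get a MAC) as an added Python example; this is not code from the thread. The message and the AP log are constructed samples, and the "date time event mac ip" log format is a hypothetical one, since every router logs differently.

```python
import email
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample message (documentation IP ranges, not a real incident artefact).
RAW = b"""Received: from mail-out.webmail.example (mail-out.webmail.example [203.0.113.5])
\tby mx.media.example with ESMTP id abc123; Mon, 10 Mar 2008 14:05:30 +0000
Received: from [198.51.100.23] by webmail.example with HTTP; Mon, 10 Mar 2008 14:05:02 +0000
From: "Anyone At All" <abcetc@webmail.example>
To: newsdesk@media.example
Subject: hello
Date: Mon, 10 Mar 2008 14:04:58 +0000

(message body)
"""

# Constructed access-point log in a hypothetical "date time event mac ip" format.
AP_LOG = """2008-03-10 13:58:10 ASSOC 00:11:22:33:44:55 192.168.1.50
2008-03-10 14:02:41 DHCPACK 00:11:22:33:44:55 192.168.1.50
2008-03-10 14:09:55 DEAUTH 00:11:22:33:44:55 192.168.1.50
2008-03-10 15:30:00 ASSOC aa:bb:cc:dd:ee:ff 192.168.1.51
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def received_hops(raw):
    """Received headers oldest-first: each relay prepends its own, so the bottom one is the first hop."""
    msg = email.message_from_bytes(raw)
    return [str(h) for h in reversed(msg.get_all("Received", []))]

def originating_ip(raw):
    """IP recorded by the first relay; the From: line is sender-chosen text and proves nothing."""
    hops = received_hops(raw)
    m = IP_RE.search(hops[0]) if hops else None
    return m.group(0) if m else None

def message_time(raw):
    """Timestamp to correlate with other logs (Date is sender-supplied; the relay's own stamp is more reliable)."""
    return parsedate_to_datetime(email.message_from_bytes(raw)["Date"])

def clients_near(log_text, when, window=timedelta(minutes=10)):
    """MACs with an association/DHCP/deauth event within `window` of `when`."""
    seen = set()
    for line in log_text.splitlines():
        day, clock, _event, mac, _ip = line.split()
        t = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if abs(t - when) <= window:
            seen.add(mac)
    return seen
```

Running `clients_near(AP_LOG, message_time(RAW))` narrows the candidates to one MAC; as the thread notes, that only helps if the adapter was not discarded afterwards.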
Thanks all as each one has given some valuable insight into the problem.
As said earlier, the PC owner and his PC have been proven to be clean. The PC was not left alone either, so the bad guy was not in physical control of that PC.
And as there is no suspect in sight, there is no way to do forensics on his machine.
It was reported that a couple of persons not living in the building were indeed seen in the building on the day of the incident.
So basically, the conclusion one reaches is that it is good old police detection work, as in any other crime, and there is no way to use computer forensics on this one UNLESS a suspect perp. is located and the PCs under his control examined.
All of you have given excellent advice and thoughts, and if any further bright ideas are there, I shall be on the lookout for them.
Thanks.