NITROBA STATE UNIVERSITY HARASSMENT CASE
Case Summary
You are a staff member at the Nitroba University Incident Response Team.
Lily Tuckrige is teaching chemistry CHEM109 this summer at NSU.
Tuckrige has been receiving harassing email at her personal email address.
• Tuckrige’s personal email is lilytuckrige@yahoo.com
• She thinks that it is from one of the students in her class.
Tuckrige contacted IT support.
• She sent a screenshot of one of the harassing email messages.
• She wants to know who is doing it.
Analysis
A pcap file is available for analysis.
Going through the case, the IP address identified is 140.247.62.34, as shown below:
Using this IP address as a filter in the pcap file provided, the following is obtained:
The common internal IP address is 192.168.15.4.
Looking for the email recipient tuckrige using the display filter frame contains "tuckrige", the following packets are identified:
Below is the email content from the source willselfdestruct.com and IP 192.168.15.4.
Looking at the source and destination addresses in the Ethernet information of the frame, the following is identified:
The source IP address is 192.168.15.4 and the source MAC address is 00:17:f2:e2:c0:ce, an Apple device.
Following the HTTP stream, we find the sender's email address.
However, this email address is not very helpful on its own, as it does not identify the sender.
Looking for other leads: we know this content is an email, so let's look for something like "mail" in the packets using the filter frame contains "mail".
There was a packet whose source IP address and source MAC address matched the ones identified above, and whose info column showed GET /mail/ HTTP/1.1, which implies fetching mail from a webmail service, as indicated below:
Looking at the truncated cookie, the session cookie contains an associated email address, jcoach@gmail.com. Checking the list of students provided, there is a Johnny Coach, whose email would plausibly be jcoach@gmail.com, which leads to the conclusion that Johnny Coach is the one who sent the harassing emails.
It was possible to identify this email address because the cookies were sent in plaintext. The information in the email headers and the use of the insecure HTTP protocol made identifying this user easier.
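The two steps the analysis chains together, a frame contains byte search and reading an email address out of a plaintext HTTP Cookie header, as an added Python example that is not part of the original report. The frame is constructed inline with the struct module and the cookie contents are made up; only the client MAC and IP mirror those named above. The same code finds nothing against HTTPS traffic, which is the defensive point of the last paragraph.

```python
import re
import struct

# Constructed sample: Ethernet + IPv4 + TCP + plaintext HTTP request.
# The client MAC and IP are the ones from the analysis; the cookie is made up.
SRC_MAC = bytes.fromhex("0017f2e2c0ce")
DST_MAC = bytes.fromhex("001122334455")  # arbitrary gateway MAC
HTTP_REQUEST = (
    b"GET /mail/ HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"Cookie: sid=abc123; user=jcoach@gmail.com\r\n"
    b"\r\n"
)

def build_frame(src_ip, dst_ip, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero) around a payload."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return DST_MAC + SRC_MAC + b"\x08\x00" + ip + tcp + payload

def frame_contains(frame, needle):
    """Equivalent of Wireshark's frame contains "needle": a byte search over the whole frame."""
    return needle.encode() in frame

def parse_frame(frame):
    """Return (source MAC, source IP, TCP payload) of an Ethernet/IPv4/TCP frame."""
    src_mac = frame[6:12].hex(":")
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
    src_ip = ".".join(str(b) for b in frame[26:30])
    tcp_off = 14 + ihl
    data_off = (frame[tcp_off + 12] >> 4) * 4    # TCP header length in bytes
    return src_mac, src_ip, frame[tcp_off + data_off:]

def cookie_emails(payload):
    """Extract email-like tokens from the Cookie header(s) of a plaintext HTTP request."""
    headers = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    cookies = [ln[8:] for ln in headers.split("\r\n") if ln.lower().startswith("cookie: ")]
    return re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+", " ".join(cookies))

if __name__ == "__main__":
    frame = build_frame("192.168.15.4", "10.0.0.1", HTTP_REQUEST)
    if frame_contains(frame, "mail"):
        mac, ip, payload = parse_frame(frame)
        print(mac, ip, cookie_emails(payload))
```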