Comments on: Computer Forensics : Network Case using Wireshark and NetworkMiner

By: Forensicxs

Forensicxs — Sun, 06 Mar 2022 20:44:06 +0000

In reply to Lucas.

Hi Lucas, thanks for your comment. elishevet@gmail.com and jcoach@gmail.com are not the same person, this is not my meaning here. I was explaining that I had found a way to catch emails associated to some IP/MAC data, and by carefully checking the PCAP records, I found the frame 78990 which helps narrow down to Johnny Coach. Please read the other comments in the chat, especially with “Kinimod”, as we can see that this exercise has some limitations.
Hope this helps !

By: Lucas

Lucas — Sun, 06 Mar 2022 00:33:10 +0000

Hi Forensicxs, can you please explain the part regarding “Now that we have found a way to identify the email adress of the attacker, let’s go through the different frames including the GET /mail/ HTTP/1.1 info and let’s check the email, IP, MAC data. Probably, we will find a match with the already suspicious IP/MAC pair from the previous paragraph ? Here below the result of my analysis in a table, the match is easily found and highlighted in red”

I have not understood what they have in common to prove that they are the same person.

By: Forensicxs

Forensicxs — Mon, 14 Jun 2021 21:00:08 +0000

In reply to o71.

Hi o71, thanks for your message 🙂

Your analysis is good and supplements my article usefully

For the p3p.xml file, you may look here : https://en.wikipedia.org/wiki/P3P. It’s basically a retired privacy protocol

An official solution may have been asked directly on the Nitroba case website, but as there has been no recent comments on this page, I decided to write my “own” solution