Wk3 Findings Assignment Mitchell K

School: American Military University
Course: 455
Subject: Information Systems
Date: Apr 3, 2024
Pages: 7

Uploaded by SuperHumanMoonGoldfish41

3.3 Email 2: Sabre Project - - hours

On , at hours, identified HIS mistake and replied to HIS original email at hours to explain HE wrote in error. Within the email, HE mentioned that wrote to SCOTT and the account is being set up to wire to JD (Forensic Comment: APUS believes is a typo for for ). Analyzing the raw email message information, the email was delivered to (Figure 4). The message originated (“x-originating-ip” located in the raw email header) from , an , United Arab Emirates (Figure 5 and 6). The timestamp on the message in Figure 4 is Tuesday, , 3:38:14 AM, indicating that SCOTT’s local client is operating in the +0800 (UTC+8) time zone, which corresponds with local time and HIS signature block location. SCOTT sent the message to cover up the mistake made in Email 1. In this second message, SCOTT changed HIS IP address, which indicates a VPN or proxy; however, Figure 5 below reported the IP was not a proxy or VPN.

Figure 1 - jimhalpert@jlaenterprise.com auto-forwards to officeman1987a@gmail.com and SCOTT’s IPv4 address
Figure 2 - IP Address Lookup Details - 83.110.250.231
Figure 3 - IPv4 Geographical Location - 83.110.250.231
Figure 4 - Email 2 - Michael SCOTT to Jim Halpert (Covering Mistake)

3.4 Domain Created - - hours

On , at hours, the counterfeit domain (Forensic Comment: Switching the to ) was registered and set up to use Microsoft Office 365/online Outlook mail according to an (Mail eXchange) query that shows was registered as “ .” This is very significant, since Outlook 365 includes “x-originating-ip” headers on all sent messages, and those headers contain the IP address that sent the message. According to WHOIS (Figure 9), the domain was registered with and a creation date of at hours. Figure 10 displays the geographical location as , coinciding with headquarters.

Figure 5 - MX Query - JLAENTREPRISE.COM
Figure 6 - Whois Information (jlaentreprise.com)
Figure 7 - IP Geographical Location - 50.63.202.52 (jlaentreprise.com)

3.6 Email 4: Sabre Project - - hours

On , at hours, sent an email from HIS counterfeit account to and (Forensic Comment: APUS confirmed in later emails that belongs to Pam Beesly). SCOTT included on carbon copy HIS email (michael@dssvc.com) and the counterfeit email addresses for ( ) and ( ). In the email, Jim Halpert (Forensic Comment: APUS believes SCOTT wrote this email) told Dwight he discussed with , that JE (Forensic Comment: APUS believes JE to be JLA Enterprise) will need the transferred to a trading account in EHC (Forensic Comment: APUS believes EHC to be ) bank and attached the wiring instructions (Appendix A). The message originated (“x-originating-ip” located in the raw email header) from , Hosting Services, Inc, located in Fremont, CA, which is confirmed as a VPN as shown in Figure 14 and 15. This is the first attempt by SCOTT to use a VPN. Since SCOTT used several different emails, the VPN showed a different location than when HE emailed directly from michael@dssvc.com.

Figure 8 - IP Address Lookup Details - 23.239.21.243
Figure 9 - IPv4 Geographical Location - 23.239.21.243
Figure 10 - Email 4 - Jim Halpert (Counterfeit Account) to Dwight Schrute (Phishing Attempt)
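
The header checks relied on in sections 3.3 to 3.6 (the “x-originating-ip” value, the Date offset, and the transposed-letter counterfeit domain) can be run over a raw message as follows. This is an added example, not part of the original report; the sample message, its date, the recipient, the documentation-range address 203.0.113.10 and the function names are constructed assumptions.

```python
import ipaddress
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

LEGIT_DOMAIN = "jlaenterprise.com"  # genuine domain named in the report

# Constructed sample message, not evidence from the case. The date, the
# recipient and the documentation-range IP 203.0.113.10 are assumptions.
RAW = """\
From: Jim Halpert <jimhalpert@jlaentreprise.com>
To: dwight@example.com
Subject: Sabre Project
Date: Tue, 02 Jan 2024 03:38:14 +0800
X-Originating-IP: [203.0.113.10]

Wiring instructions attached.
"""

def is_lookalike(domain, legit=LEGIT_DOMAIN):
    """True if domain is legit with one character changed or two adjacent ones swapped."""
    if domain == legit or len(domain) != len(legit):
        return False
    diff = [i for i, (a, b) in enumerate(zip(domain, legit)) if a != b]
    if len(diff) == 1:
        return True
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and domain[diff[0]] == legit[diff[1]]
            and domain[diff[1]] == legit[diff[0]])

def triage(raw):
    """Pull the sender domain, originating IP and Date offset from a raw message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # The value is commonly wrapped in brackets; the header may also be absent.
    candidate = (msg.get("X-Originating-IP") or "").strip(" []")
    try:
        origin_ip = str(ipaddress.ip_address(candidate))
    except ValueError:
        origin_ip = None
    sent = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    offset = sent.utcoffset() if sent else None  # None for "-0000" or no Date
    return {
        "sender": sender,
        "lookalike_domain": is_lookalike(sender.rpartition("@")[2]),
        "origin_ip": origin_ip,
        "utc_offset_hours": offset.total_seconds() / 3600 if offset is not None else None,
        "utc_time": sent.astimezone(timezone.utc).isoformat() if offset is not None else None,
    }
```

The Date offset is written by the sender's client and can be set arbitrarily, so it corroborates location only alongside other evidence such as the originating IP and the signature block.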