Forensic Predicament

F4LSE
Fame ! Where are the chicks?!
Posts: 236
Joined: 02 Jul 2007, 16:00
Location: My Lab

Forensic Predicament

Post by F4LSE »

I have previously done digital forensic work for a friend of the family. There was a teen at my friend's house and he ended up obtaining her credit card information. He began purchasing points for an online game, over $350 worth. She asked me to see if I could prove to the mother of the teen that he was the one that stole the credit card information and bought the points; however, the mother was in denial that her own kid had done it. I was able to gather enough information to prove he was the one that purchased the points. I obtained his credentials for his Yahoo account and the account he had on the online game's website. His email contained receipts of the purchases and his conversational attempts with the online game site to get the money refunded, knowing someone was aware of his doings. It was common sense with the proof I had that he was the one that made the purchase. However, in all the information I had, his name was not stamped on any of it. The only credentials that I found were those of the credit card owner. So, on paper it looks as though my friend was the one that purchased the online points and not the kid, for his name was not on any of the transactions or account info. Thus, the parent remained in denial and refused to repay my friend. My question is this: in a situation such as that, what else can be done if, no matter how much information I gather, his name was not on any of it to "fully" prove it was he who made the transaction?
"Submit or Fight"

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Re: Forensic Predicament

Post by ayu »

You could contact the police and they can probably get the IP where the payment was done from, which I assume is the kid's house, thus another proof that it was him.

Although the police won't like that you have been in his mail account, so you can't really use that as proof.

There should be some record somewhere of the IP anyway, so you should be able to get a hold of it somehow, either through the game site or the credit card company.
"The best place to hide a tree, is in a forest"

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Re: Forensic Predicament

Post by DNR »

The online game host might log his IP - but again - it sounds like he was using the CC at your friend's house - thus the IP will be of your friend.

The online game server might have registered the user - and it might point to the suspect, not your friend.

Lastly - as a detective - never assume any party is innocent, everyone is a suspect - including your victim.

This also should have been disputed with the credit card company - most will block or refund your money if you report a suspicious transaction within 48 hrs. Since your friend chose not to, it is suspicious.

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

floodhound2
∑lectronic counselor
Posts: 2117
Joined: 03 Sep 2006, 16:00
Location: 127.0.0.1

Re: Forensic Predicament

Post by floodhound2 »

This is enough information to sentence someone to prison for rape then it's enough to get this guy.

I would set up a honey pot. He may do it again and you can then be ready to log everything. This would allow him to own the first incident and you could prove it with the new data.

Also the small amount of cash loss is not going to motivate the police in times like we are in now.
₣£ΘΘĐĦΘŮŇĐ

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Re: Forensic Predicament

Post by bad_brain »

Yeah, police will not do much because of the "small" amount, so you will have to get him on the civil law side. Contact a lawyer that is specialized in internet criminality (like fraud, copyright violations), you have 2 possibilities then:
- You can supply him with the emails and let him write a nice letter to the parents of the kid, but this is of course a little like poker because either they are impressed by it and pay the money back (which is likely imo) or they still deny everything and then you would have to walk the walk and go through a lawsuit if you don't want to deal with the additional loss from the lawyer fee. The lawsuit would be won with a 99% chance I would say, because the evidence is clear (of course you should say nothing about getting illegal access to the Yahoo account).

- Or you make the lawyer contact the gaming site, he can demand the access data from the payment, and then contact the ISP for the user data.
If the kid made the transfer from his home (which is very likely I would say) it is a 100% safe bet the parents will pay then, because it's totally pointless to say "someone broke into the house and used the computer".. :lol:

Oh, and maybe a 3rd option too... actually this is the one I would use before I would go further to one of the earlier options:
- Have a serious talk with his parents, and tell them that all access data is logged by the ISP and stored for at least 6 months (which is true), and so it's no problem to retrace the whole transfer. Give them a last chance to pay the money back, else you would have to contact a lawyer which would only mean additional costs for them in the end. Give them 2 days time to consider their next step, and I bet my ass they will have a little talk with their kid again... and when the kid knows that it will only get worse if he's not confessing now he will most likely do it.

Hex00010
forum buddy
Posts: 17
Joined: 22 Nov 2010, 23:43

Re: Forensic Predicament

Post by Hex00010 »

I am very sorry, as I do understand this is a very serious matter, so do please forgive me for going off topic, I'm sorry.

I'm starting to get Forensics, I've been messing around with SleuthKit.

So far I like it, I've been able to load .imgs and search and find deleted files and what not and output the deleted files into a .txt file or such.

What I'm getting at here is: what do you use? If you could point me in the right direction that could truly improve my somewhat based skills and actually read something that is very good, I would be very grateful if you can do that.

Or do you just use the software on Backtrack?

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Re: Forensic Predicament

Post by DNR »

Besides using tools like SleuthKit, you can manually inspect places that are known to leak data of where the user has been and done. The tools just automate that inspection for you - it's not lame to use some of these tools as it is hard to 'memorize' ALL the places for software to hide or leak data.

Start with the Registry
HKEY_LOCAL_MACHINE\SOFTWARE
HKEY_CLASSES_ROOT\

Of course be careful in the registry as you can make your windoze unstable.

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
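
Added example, not part of DNR's post: a read-only PowerShell inventory of the two registry locations named above, so nothing in the registry is modified while you look. The output folder, the CSV file names and the choice of the Uninstall subkey as a starting point are assumptions made for this illustration.

```powershell
# Read-only inventory of HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_CLASSES_ROOT.
# Only Get-* cmdlets touch the registry, so no key or value is changed.
$ErrorActionPreference = 'SilentlyContinue'   # some keys deny read access; skip them

# HKEY_CLASSES_ROOT has no default PowerShell drive, so map one for this session.
if (-not (Get-PSDrive -Name HKCR)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# 1. Vendor/application keys directly under HKLM\SOFTWARE (64- and 32-bit views).
$vendorKeys = foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    Get-ChildItem -Path $root | ForEach-Object {
        [pscustomobject]@{ Root = $root; Key = $_.PSChildName; SubKeys = $_.SubKeyCount }
    }
}

# 2. Installed programs recorded under the Uninstall key (assumed starting point).
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$programs = Get-ItemProperty -Path $uninstall |
    Where-Object DisplayName |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

# 3. File extensions registered in HKCR and the handler (ProgID) each maps to.
$extensions = Get-ChildItem -Path 'HKCR:\' |
    Where-Object { $_.PSChildName -like '.*' } |
    ForEach-Object {
        [pscustomobject]@{ Extension = $_.PSChildName; ProgId = $_.GetValue('') }
    }

# Write the results to files for review. $out is an assumed location;
# point it at external media when examining someone else's machine.
$out = Join-Path $env:TEMP 'registry-inventory'
New-Item -ItemType Directory -Path $out -Force | Out-Null
$vendorKeys | Export-Csv (Join-Path $out 'hklm-software.csv') -NoTypeInformation
$programs   | Export-Csv (Join-Path $out 'installed-programs.csv') -NoTypeInformation
$extensions | Export-Csv (Join-Path $out 'hkcr-extensions.csv') -NoTypeInformation

"{0} vendor keys, {1} programs, {2} extensions written to {3}" -f `
    @($vendorKeys).Count, @($programs).Count, @($extensions).Count, $out
```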
