Godwin, You've got mail

June 26, 2009:While the outcome of the Australian Federal Police investigation into "Utegate" will not be known until July 29, the saga has had the side effect of lifting awareness of email security.

An email that was discussed in hushed tones among the political cognoscenti last week has been thrust into the limelight, and been quickly declared a fake by the Australian Federal Police, although the exact details of the forgery are still to be revealed.

Was it a simple case of a public servant taking advantage of an unoccupied computer while the legitimate user was still logged in? Was the message concocted by spoofing an email account or is it just a dummy printout?

According to a report in a News Limited newspaper, "The email was supposed to have been written by Mr Rudd's economics adviser, Dr Andrew Charlton. It now appears the email was "cut and pasted" by a person inside Treasury from other emails written by Dr Charlton, then sent to MrGrech's home computer and then deleted."

Forensic professionals such as Allan Watt, Head of e.forensics at e.law australia, have seen it all before.

Watt offers a simple solution if you are ever unsure if the email you have received is not genuine.

"Reply to the email and request a readers confirmation. If you don’t get one or they reply denying they sent that email, you have an indication that it is a fake."

For the public servant at the heart of this week's political crisis, such a simple solution was not likely available.

However it is hard to understand how the email was given so much credence and then so quickly declared a fake.

If the politicians asked to evaluate the significance of the alleged incriminating email had been astute to the situation, they would have looked closely at the email header information.

"By looking at the header it will show the email server it was sent from. If this differs from the senders email address this will identify an anomaly immediately, though this can be overcome as well. There are also many other details in the header that can assist," said Watt.Watt has investigated many instances where people in business will use fake emails to try and fabricate evidence or alibis. It can often be used for something as simple as creating an invented job reference.

"I once had a person who sent emails to himself to create the appearance he was busy applying for jobs on his computer at the time when it was alleged he was involved in a sexual attack. Unfortunately for him, theIP address in the email header for the sending computer matched his own IP address," said Watt.

A typical email fraud scenario occurs where an organisation has Active Directory with Microsoft Exchange email. Any employee who knows the user's password or has administrator access on the network canlogin to that user's account and send an email.

Then there is the potential to remotely access someone's computer through a Trojan virus, or through applications such as VNC or PCanywhere, which give an external user full control to create and send email.

In most cases if someone receives an email they accept it as true on its face value. It is very easy to spoof an email address viawebmail and send it from anywhere and through any SMTP server.

The massive publicity of the fake "Utegate" email has raised the focus on Australian government information strategies.

The Treasury and the Prime Minister's Department are both TRIM users, although TRIM is used at the Prime Minister's Department to manage archiving of paper documents, and emails that are to be archived are first printed out.

Instead of looking through archives, Federal Police investigating the case of the fraudulent email will be pursuing more traditional police tactics, according to e-law's Alan Watts, a former detective with a Diploma in Policing, and Certified Forensic Computer Examiner

"Police will be seizing all the computers alleged to be involved and forensically imaging them. They will also look to locate evidence from theirISP that the suspect computer was connected at the time to the Internet and what was the allocated IP Address.

"Then they will look for other evidence to indicate who was using the computer at the time. This could be as simple as examining swipe card access to the office or video surveillance, or the culprit may have been silly enough to do some Internet banking on that computer at the same time. This would provide corroborative evidence supporting who was the real user."