
Forensics on an email server


Jeber

Recommended Posts

I have a friend (no, really) who has found out that a third party has access to his work emails. This man's a lawyer, so this is a fairly serious issue.


The emails were sent from his work server to another attorney. His server is on a privately owned domain and maintained by a friend of his. We don't know what setup the other attorney has for her email.


I told him, and I hope I was correct in my advice, that the maintainer of the server should be able to look at the logs for that domain and see which IP addresses logged in during the month in question. Eliminating the IPs that are known should expose the unknown. Turns out the server logs are only kept for 60 days, and these emails were from December of last year. Of course they could have been accessed any time since then, but we'd only be able to find the culprit if the access was within the last 60 days.


So without discussing hacking techniques, what advice can I give him on how best to determine how those emails were obtained? I suspect if the hacks were made more than two months ago he may never find out who did it or how. What are your suggestions for methods to harden their server against future attacks? Obviously, being lawyers, their emails are frequently very sensitive and I believe they would spare no expense to make sure this doesn't happen again.

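The elimination step described above (list the addresses that logged in, strike the ones the maintainer recognises, look at what is left), as an added example that is not from this thread. It assumes the server writes Dovecot-style `imap-login` lines; the sample lines, the user name and the TEST-NET addresses are constructed for the demonstration.

```python
import re
from datetime import datetime

# Constructed sample in the style of Dovecot's imap-login messages; not logs
# from the server discussed in the thread. One address appears that the
# account owner does not recognise, plus one failed attempt from it.
SAMPLE_LOG = """\
Dec  3 08:12:41 mail dovecot: imap-login: Login: user=<owner@example.test>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, session=<s1>
Dec  3 08:40:02 mail dovecot: imap-login: Login: user=<owner@example.test>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS, session=<s2>
Dec  4 23:55:19 mail dovecot: imap-login: Login: user=<owner@example.test>, method=PLAIN, rip=203.0.113.77, lip=198.51.100.5, TLS, session=<s3>
Dec  5 09:01:33 mail dovecot: imap-login: Login: user=<owner@example.test>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.5, TLS, session=<s4>
Dec  5 09:02:10 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<owner@example.test>, method=PLAIN, rip=203.0.113.77, lip=198.51.100.5, TLS, session=<s5>
Dec  6 04:17:48 mail dovecot: imap-login: Login: user=<owner@example.test>, method=PLAIN, rip=203.0.113.77, lip=198.51.100.5, TLS, session=<s6>
"""

# Only successful logins ("Login:") carry evidence of access; failures are skipped.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: imap-login: Login: "
    r"user=<(?P<user>[^>]+)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)

def summarize_logins(log_text, year):
    """Group successful logins by (user, remote IP) with count and first/last time.
    Syslog lines carry no year, so the caller supplies it."""
    seen = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["user"], m["rip"])
        entry = seen.setdefault(key, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return seen

def unknown_sources(summary, known_ips):
    """Drop the addresses the owner/maintainer can account for; the rest need explaining."""
    return {k: v for k, v in summary.items() if k[1] not in known_ips}

if __name__ == "__main__":
    summary = summarize_logins(SAMPLE_LOG, year=2000)  # placeholder year
    known = {"192.0.2.10", "192.0.2.44"}  # constructed: the owner's home and office
    for (user, rip), info in unknown_sources(summary, known).items():
        print(f"{user} from {rip}: {info['count']} logins, {info['first']} .. {info['last']}")
```

The same grouping works on any login log that records a user and a remote address; the regex is the only Dovecot-specific part.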

securitybreach

First off, your advice was spot on. That said, if the logs are cleared every 60 days then it would be basically impossible to know who logged in without them.


Next he needs to change all his passwords and treat all of his accounts as if they were compromised (they probably are). Since he knows who maintains the server, he needs to have it set up with either two-factor authentication or to only allow certain IPs to access the account.


Remember if they were accessed then, the cracker has had access since then.
