Is there any way to find who is the user of a hotmail account?

Status
Not open for further replies.

ALEKSJAY

Programmer
Feb 4, 2002
120
PR
Hi,
I am working as an E-mail Administrator and recently one of the employees received some emails with sex-related content. This email came from a hotmail account and I would like to know if there is any way to track this person. I think the person works here, because in one of the emails, he talks about what this person (the one who received the message) was wearing that day.

I think this is the right forum to post this, but my apologies if this is being posted in the wrong forum.
 
forward the email (especially along with the headers) to hotmail and have them look into the originator.

granted most parts of an email can be spoofed but the message id from the server is helpful in locating the originator.
 
What time were the mails sent? If during work time and you have a proxy server, check the logs and see who was accessing hotmail and the time. Chances are they will be the culprit! That's how we caught one of ours!

Stu..

Only the truly stupid believe they know everything.
Stu.. 2004
 
If you still have the original e-mail, look at the full header. One of the Received: from fields could possibly show the originating IP and/or machine, even if it's from Hotmail. Depending on your network layout, you should be able to find the culprit by the IP or machine name.
 
In the future if this still occurs...

Have a firewall rule to alert if going to one of the hotmail sites.

If you think you may have the culprit seize the machine, make a copy of the drive, and check out the contents.

Like the above people have said...check the headers for clues.

Hotmail probably won't help unless it is from law enforcement.

Run IDS and create some rules looking for hotmail (or other 3rd party apps) and alert.
 
ALEKSJAY,
If, based on this e-mail, your company is thinking about termination if said employee is within your organization, I would hire a computer forensics firm who can research the hotmail account and provide assistance in gathering evidence from the company's computer if this indeed was authored on a company PC. If you are not trained in analysis and detection, if this case was to come up in court you would not have enough backup to prove your case. Images must be taken of the drive and data integrity must be held to prove the data maintains the exact copy of the image. If this e-mail contains sexual harassment information you may forward it on to your local law enforcement or state for detection, in which case hiring a computer forensic team would not be needed. Make sure your policies are up to date and state that you are allowed to access company PCs and monitor access at any point, otherwise if policies are poorly written then law enforcement will need a search warrant in order to access material.
 
Some responses to some of CCIS's comments...

Forensics teams are extremely expensive. Most large companies will cringe when even thinking of the price tag of a team of highly paid individuals showing up. Knowing what you have available is just good business practice. Auditing is crucial such as firewall logs, proxy logs, server auditing of logins/logouts and etc., workstation auditing, IDS, firewall, application logs, cameras, sign-in sheets, and the list goes on. These are the items that the forensics folks will try and locate. It is best when you can correlate incidents between multiple logs and etc.

You have to find out what IP it came from. Correlate and PROVE it came from a specific workstation (don't forget DHCP...save those logs!). Once you got the box...bag and tag it (note the time/date on box first). Turn off and store machine in secured location (note the turn off not shut down). Digital pictures of the box are always nice to have. Keep a journal (HANDWRITTEN) of everything that has happened and everything you have seen and done. If multiple people involved...keep separate logs. Turn over drive to a forensics company if you are not trained. If you have firewall logs, proxy logs, and etc. save them. Again, audit logs are your friends :)

Sexual harassment may be criminal so I agree that a corporate lawyer should be consulted prior to reporting it. Now, corporate may believe this is an HR issue and not a legal issue...that is not unusual. HR can just fire the employee if he/she "broke the rules". Easier to fire than prosecute and less "messy".

Most law enforcement agencies do not have computer forensics training and many times ship it out to another law enforcement group (FBI, another region, etc. etc.). Their workload is sometimes extreme and they may turn down the case depending upon many factors (dollar figures, type of crime, willingness to prosecute the person by the company, etc. etc.). Again, consult the lawyers and find out what the corporate stance will be.

If your policies aren't up-to-date or basically non-existent you will fight an uphill battle. You can't just update the policies and then attempt to apply to a previous situation...it just don't work good :) Same with auditing...turning on auditing to catch someone specifically may cause you a lot of grief in court but you do what you must to isolate the source.

If the computer belongs to the company then it is theirs...taking it back should be no issue :) Again, consult the lawyers as your mileage may vary.

This is just a few items off the top of my bald head. I wish you the best of luck in stopping the person :)
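
Added example, not part of any post in this thread: the header-to-workstation correlation the replies above describe (earliest Received hop, then proxy and DHCP logs for that moment). The message, log formats, hostnames and addresses are all constructed; it assumes 203.0.113.25 is the company's public egress address and that the proxy and DHCP logs are kept in UTC.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample data: documentation/private addresses, made-up hosts.
RAW = """\
Received: from mx.webmail.example ([198.51.100.7]) by mail.corp.example;
    Mon, 12 Jan 2004 14:32:41 -0500
Received: from 203.0.113.25 by web12.webmail.example with HTTP;
    Mon, 12 Jan 2004 19:32:05 +0000
From: someone@webmail.example
Subject: constructed sample

body
"""
PROXY = """\
2004-01-12T19:31:50Z 10.1.4.23 POST http://web12.webmail.example/compose
2004-01-12T22:05:00Z 10.1.4.23 GET http://web12.webmail.example/inbox
""".splitlines()
# (ip, hostname, lease start, lease end); the same IP is reissued later that day
LEASES = [("10.1.4.23", "WS-0417", "2004-01-12T13:00:00Z", "2004-01-12T21:00:00Z"),
          ("10.1.4.23", "WS-0562", "2004-01-12T21:30:00Z", "2004-01-13T05:30:00Z")]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def earliest_hop(raw):
    # The bottom-most Received header is the first one added in transit.
    hop = message_from_string(raw).get_all("Received")[-1]
    ip = re.search(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", hop).group()
    return ip, parsedate_to_datetime(hop.rsplit(";", 1)[1].strip())

def lease_holder(ip, when, leases):
    for lip, host, start, end in leases:
        if lip == ip and ts(start) <= when <= ts(end):
            return host
    return None  # no lease on record for that moment: do not attribute

def correlate(raw, proxy, leases, site, window=timedelta(minutes=5)):
    egress_ip, sent = earliest_hop(raw)
    hits = []
    for line in proxy:
        when, src, _method, url = line.split()
        if site in url and abs(ts(when) - sent) <= window:
            hits.append((when, src, lease_holder(src, ts(when), leases)))
    return egress_ip, sent, hits

if __name__ == "__main__":
    print(correlate(RAW, PROXY, LEASES, "webmail.example"))
```

The 22:05 proxy entry falls outside the window, and by then the same address maps to a different workstation, which is why the DHCP logs have to be saved alongside the proxy logs.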
 
a lot of info (some valid, some not quite) was just given. if you do have a company policy covering the content of the email and you do identify the sender, a full blown forensic investigation is not necessary.

however, some reasonable basics are all that you need to take to HR & legal if the sender does work for your company.

logs are necessary that place the sender at the machine during the time identified on the logs. if you really want to examine (capture the index files) the person's (you suspect) machine do it after work hours. if you want to catch the person in the act put a keylogger on (after work hours) and monitor it.

if it is much more than what you originally posted you need to then look at hiring a forensics consultant to give you more specific suggestions based on your particular company and systems. their cost is less than a full blown team.

 
Eyec makes a very important point. You really need to identify a person at the machine at the time of the email. Simply locating the machine/IP might incriminate the wrong person. Even if they were signed on using a login/password, who's to say that the password wasn't stolen or borrowed? It'd seem you'd almost need a combination of logs, keylogger, camera, etc.

Though for different reasons I'm sure, our company set up a firewall that prevents us from accessing any personal email accounts from our PCs.

Kelly
 