Thanks for correcting that. I think there is some
technical confusion though, because the email sent from Cheryl D was not
forwarded and he didn't even print the full header.
He probably did get the whole header, we just don't get to see it yet - just
like we haven't seen everything in this case.
And all he would need to do with the Franck mail is go into the account
she forwarded from, easy enough, for a good computer forensics detective, I
would think.
You would have to know which account the email was sent from, and if they saved sent messages, and even if they did, she would have deleted it. It could have been one of her accounts, Cindy's, Lee's or any of a number of people. They would have to be able to get into all of these people's accounts or request mail logs from all of the above's ISPs, and free email accounts.
If full headers are not shown, and are not available, the best computer forensic scientist would not be able to get them simply logged into a user's account. You cannot get blood from a turnip, they would have to ask Yahoo for its logs. They would most likely (depending on Yahoo's server and software setup) request sending mail logs and receiving for the specified time in question.
Which brings another question: how long does a free service actually keep
log files and email backups for?
Wouldn't it be a simple thing for the detective to determine if Casey
created a fake email? I think so.
Yep. But we don't get to see this info yet.
[/QUOTE]
I see that he printed the full header of the mail from Ka H
which originated through Road Runner in VA. See, even I can find that out. Now,
if it is a masked email or hacked, I'd need to ask my geek friends for help. But
Melich didn't even seem to have done what I am capable of doing.
Since we don't have the headers for the other emails, let's look at the one we
do have.
For giggles, I did a traceroute on the IP address 70.119.59.160 - the Roadrunner IP from khart's email (which I believe is faked as well) - and it hits what looks to be a firewall at what I think is a computer/backbone on Curry Ford Road in Orlando:
24.95.233.65 58ms 58ms 58ms TTL: 0 (gig4-0-0.orldflcfrd-10k1.cfl.rr.com
The chances that this is from someone's home computer are excellent. The chances that this backbone is the backbone that the A's or Lee's ISP uses are even better - it's roughly 10 minutes away from Hopespring Drive.
This IP is lumped under Roadrunner communications out of Va.
The registration and updated dates for this Roadrunner block of IPs are:
RegDate: 2004-09-17
Updated: 2006-06-06
So it was not a Universal Studios address in the last few years, if this is what
you're thinking.
If you look at the email from the system admin guy (Leonard) at
universalorlando.com, this IP address is leased by NBC Universal, who gets their IPs from Qwest. This info is shown when you look up their IP whois info - NBC leases blocks of IP addresses from Qwest.
If KC was employed by a company within Universal Studios, they would have been on Universal's network, and would have been using IP addresses from NBC Universal or Qwest. If khart was at home, sending the email, she would have used Universal Orlando's webmail. The email from khart, who has a signature of Human Resources Manager / Universal Studios, was sent Dec 17, 2007. Universal Studios was using NBC Universal/Qwest IPs at this point:
NBC Universal registration date:
RegDate: 2007-07-23
Updated: 2007-07-23
Qwest registration date:
RegDate: 2001-02-13
Updated: 2005-11-15
Khart, if in fact a legitimate employee of Universal Studios, would have sent an email from a universalorlando address, if they are even allowed to work from home. In fact, I would bet that Universal Orlando has an employee handbook somewhere that states all business correspondence (including emailing employees or former employees) must come from their email addys. That credibility/professionalism thing again.