🔍 Forensics Case Report #2: Nitroba University Harassment Scenario

This report presents the findings of a mock digital forensics investigation based on the 2008 Nitroba University Harassment Scenario, a simulated case study. The case is designed for educational and training purposes, simulating a university harassment complaint involving digital evidence.

In this investigation, I examined packet capture (PCAP) files using Wireshark to trace the origin of a threatening email sent to a chemistry professor. My objective was to identify the sender and determine how the message was transmitted across the network.


Case Summary

Case Name: Nitroba University Harassment Scenario
Analyst: Daniel Weninger
Date: 2025-05-18
Tool Used: Wireshark on Kali Linux virtual machine
Capture Source: Provided PCAP file
Client Concern:
Chemistry Professor Lily Tuckrige received a threatening email. The university's IT team suspects that the sender may be a student or someone connected to the dormitory network. My task was to investigate the network traffic and identify the person responsible.


Dorm Network Context

IP Context:
Initial analysis of the public IP address 140.247.62.34 revealed it resolves to a student dorm room on the Nitroba campus:

$ host 140.247.62.34
34.62.247.140.in-addr.arpa domain name pointer G24.student.nitroba.org

Room G24 is shared by three women:

  • Alice, Barbara, and Candice

Although Nitroba provides only wired Ethernet access in rooms, Barbara’s boyfriend Kenny installed an unsecured Wi-Fi router in the dorm, meaning unauthorized users could join the network.


Findings

1. IP and Email Correlation

While reviewing the PCAP data in Wireshark, I noticed the following:

  • The public IP address 140.247.62.34 maps to G24.

  • Internal network communications tied this public IP to the local IP address 192.168.15.4.

A search for lilytuckridge@yahoo.com in Wireshark’s TCP streams revealed two emails sent via Gmail webmail that contained threatening messages.

2. Webmail Message and User Agent

Following the TCP stream of the email exchange showed the message was submitted through Gmail's web interface.

Within the HTTP headers of the request, I discovered the following user agent string:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

This indicates:

  • Browser: Internet Explorer 6

  • Operating System: Windows XP

  • Service Pack: SP2 (SV1)

The Mozilla/4.0 prefix is a legacy compatibility token that Internet Explorer always included in its user agent, so it does not indicate a Mozilla browser. The MSIE 6.0 token is what identifies the browser as Internet Explorer 6, which in turn suggests an older or poorly secured system.


3. Connecting the Dots with TCP Stream & Mail Account

After identifying the email with lilytuckridge@yahoo.com, I traced further communication from the same internal IP 192.168.15.4.

By filtering on this IP and examining additional TCP streams in Wireshark, I discovered:

  • Webmail activity using the Gmail address jcoach@gmail.com

  • This account was accessed from the same machine (same user agent and internal IP)

  • jcoach@gmail.com appears on the class list for Chemistry 109


4. Suspect Identification

The name associated with jcoach@gmail.com matches a student in the Chemistry 109 roster:

  • Johnny Coach

Combined findings:

  • The Gmail session from jcoach@gmail.com occurred from the same machine that sent the threatening email.

  • Both communications came from 192.168.15.4 on the G24 dorm network.

  • The device was running Internet Explorer 6 on Windows XP, consistent across both activities.
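The correlation carried out by hand in findings 1 through 4, together with the user-agent decoding in finding 2, can be automated. The script below is an added example and is not code from the original report or from the Nitroba scenario materials. It parses reassembled HTTP request streams, builds a per-source-IP profile of user agents and mailbox addresses, and reports which internal IP links the professor's address to the jcoach@gmail.com login. The sample streams are constructed: the IP addresses and mailbox addresses are taken from the report, while the request paths, hostnames, form fields and the unrelated third host are invented placeholders, not real Gmail traffic. In a real case the stream text would come from Wireshark's Follow TCP Stream view or from tshark's `-z follow,tcp,ascii,<stream>` output.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample streams: (internal source IP, raw HTTP request text).
# IPs and mailbox addresses come from the report; request paths, hostnames
# and form fields are invented placeholders, not real Gmail traffic.
UA_IE6_XP = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
STREAMS = [
    ("192.168.15.4",
     "POST /mail/send HTTP/1.1\r\n"
     "Host: mail.google.com\r\n"
     f"User-Agent: {UA_IE6_XP}\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n"
     "\r\n"
     "to=lilytuckridge%40yahoo.com&subject=chem+109&body=%5Bbody+omitted%5D"),
    ("192.168.15.4",
     "POST /accounts/login HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     f"User-Agent: {UA_IE6_XP}\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n"
     "\r\n"
     "Email=jcoach%40gmail.com&Passwd=%5Bredacted%5D"),
    ("192.168.15.10",  # unrelated dorm host, included for contrast
     "GET /index.html HTTP/1.1\r\n"
     "Host: www.example.org\r\n"
     "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5) Gecko/2008 Firefox/3.0\r\n"
     "\r\n"),
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Windows NT kernel version -> marketing name (well-known mapping).
WINDOWS_NT = {"5.0": "Windows 2000", "5.1": "Windows XP",
              "5.2": "Windows XP x64 / Server 2003", "6.0": "Windows Vista",
              "6.1": "Windows 7"}


def decode_user_agent(ua):
    """Decode the tokens the report relies on: MSIE version, Windows NT
    version and SV1 (the token Windows XP SP2 added to IE's user agent).
    Anything not recognised stays None rather than being guessed."""
    info = {"browser": None, "os": None, "service_pack": None}
    m = re.search(r"MSIE (\d+)\.\d+", ua)
    if m:
        info["browser"] = f"Internet Explorer {m.group(1)}"
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    if nt:
        info["os"] = WINDOWS_NT.get(nt.group(1), f"Windows NT {nt.group(1)}")
        if nt.group(1) == "5.1" and re.search(r"\bSV1\b", ua):
            info["service_pack"] = "SP2"
    return info


def parse_request(raw):
    """Split one reassembled HTTP request into request line, headers and
    any mailbox addresses found in the (percent-decoded) form body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Form bodies are percent-encoded ("%40" for "@"), so decode first.
    emails = set(EMAIL_RE.findall(unquote_plus(body)))
    return {"request": request_line, "host": headers.get("host"),
            "user_agent": headers.get("user-agent"), "emails": emails}


def profile_hosts(streams):
    """Group observations by internal source IP, as the report does when
    filtering Wireshark on 192.168.15.4."""
    profiles = defaultdict(lambda: {"user_agents": set(), "hosts": set(), "emails": set()})
    for src_ip, raw in streams:
        req = parse_request(raw)
        prof = profiles[src_ip]
        if req["user_agent"]:
            prof["user_agents"].add(req["user_agent"])
        if req["host"]:
            prof["hosts"].add(req["host"])
        prof["emails"] |= req["emails"]
    return dict(profiles)


def linking_hosts(profiles, *addresses):
    """Internal IPs from which every given address was seen, using a single
    user agent (the 'same machine' argument of findings 3 and 4)."""
    wanted = set(addresses)
    return sorted(ip for ip, p in profiles.items()
                  if wanted <= p["emails"] and len(p["user_agents"]) == 1)


if __name__ == "__main__":
    profiles = profile_hosts(STREAMS)
    for ip, prof in sorted(profiles.items()):
        print(ip, sorted(prof["emails"]), [decode_user_agent(ua) for ua in prof["user_agents"]])
    print("linking host(s):", linking_hosts(profiles, "lilytuckridge@yahoo.com", "jcoach@gmail.com"))
```

The single-user-agent requirement in `linking_hosts` is deliberate: on a network with an open Wi-Fi router, one internal IP can be reused by different devices over time, so two addresses seen from the same IP but with different browsers would not support the "same machine" conclusion and should be reported separately.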


Conclusion

  • The threatening email was sent via Gmail from IP 192.168.15.4, which maps to dorm room G24 via the public IP 140.247.62.34.

  • The sender used Internet Explorer 6 on Windows XP, as evidenced by the user-agent string.

  • The same machine was later used to log in to the Gmail account jcoach@gmail.com.

  • Johnny Coach, a student in Chemistry 109, is associated with this email account and is the most likely sender.

  • The presence of an unsecured Wi-Fi router in G24 makes it technically possible that someone outside the room accessed the network, but the evidence strongly ties the activity to Johnny Coach.