Suppose that, on March 19, 1999, an individual broke into the Museum of Fine Arts in Boston and stole a precious object. Security cameras show a masked burglar entering the museum at 2000 hours and leaving at 2030 hours. The prime suspect claims to have been at home in New York, hundreds of miles away from Boston, when the crime was committed. According to the suspect, the only noteworthy thing he did that evening was to send an e-mail to a friend. The friend is very cooperative and provides investigators with the following e-mail:
    From: suspect@newyork.net
    Date: Fri, 19 Mar 1999 20:10:05 EST
    Subject: A quick hello
    To: witness@miami.net

    I am sitting innocently at home with nothing to do and I thought I would drop a line to say hello.
The e-mail does suggest that the suspect sent the message at the time of the burglary. However, the investigators are familiar enough with e-mail to know that the header will contain dates and times of all of the computers that handled the message. They obtain the full header and examine it for any discrepancies.
    Received: from mail.newyork.net by mail.miami.net (8.8.5/8.8.5) with ESMTP
        id NAA23905 for <witness@miami.net>; Sat, 20 Mar 1999 13:49:19 -0500 (EST)
    Received: from suspectshome.newyork.net by mail.newyork.net (PMDF V5.1-0 #20971)
        with SMTP id <01J9206HG9T400NWE6@newyork.net> for witness@miami.net;
        Sat, 20 Mar 1999 13:49:22 EST
    From: suspect@newyork.net
    Date: Fri, 19 Mar 1999 20:10:05 EST
    Subject: A quick hello
    To: witness@miami.net
    Message-id: <01J9206VTW2E00NWE6@newyork.net>

    I am sitting innocently at home with nothing to do and I thought I would drop a line to say hello.
Sure enough, the dates and times in the header do not match, indicating that the e-mail message was forged on the afternoon of March 20. The suspect's alibi is refuted. The investigators obtain the related log entries from the two mail servers that handled the message (mail.newyork.net and mail.miami.net) as further proof that the message was sent on March 20 rather than on the night of the crime. Additionally, the investigators search the suspect's e-mail and discover messages that he sent to himself earlier in the week, testing and refining his forging skills. Finally, to demonstrate how the suspect sent the forged e-mail, the investigators perform the following e-mail forgery steps, inserting the false date (Friday, 19 March 1999 20:10:05 EST) just as the suspect did:
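The header comparison the investigators performed can be automated. The following Python script is an added example and not part of the original text: it parses the Received hops and the sender-supplied Date header of the message above (embedded here as a constructed sample, re-folded one header per line) and reports how far the claimed sending time lies from the first server timestamp. The one-hour tolerance is an assumed threshold, not a value from the text.

```python
import email
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample: the full header shown above, re-folded one header per line.
RAW_MESSAGE = """\
Received: from mail.newyork.net by mail.miami.net (8.8.5/8.8.5) with ESMTP
 id NAA23905 for <witness@miami.net>; Sat, 20 Mar 1999 13:49:19 -0500 (EST)
Received: from suspectshome.newyork.net by mail.newyork.net (PMDF V5.1-0 #20971)
 with SMTP id <01J9206HG9T400NWE6@newyork.net> for witness@miami.net;
 Sat, 20 Mar 1999 13:49:22 EST
From: suspect@newyork.net
Date: Fri, 19 Mar 1999 20:10:05 EST
Subject: A quick hello
To: witness@miami.net
Message-id: <01J9206VTW2E00NWE6@newyork.net>

I am sitting innocently at home with nothing to do and I thought I would drop a line to say hello.
"""

HOP_RE = re.compile(r"\bfrom\s+(\S+)\s+by\s+(\S+)")

def parse_hops(raw):
    """Return the Received hops in transit order (origin first), each with its timestamp."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(value)
        frm, by = m.groups() if m else (None, None)
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())  # date follows the last ';'
        hops.append({"from": frm, "by": by, "stamp": stamp})
    return hops[::-1]   # servers prepend Received, so the last header is the first hop

def date_discrepancy(raw, tolerance=timedelta(hours=1)):
    """Compare the sender-supplied Date header with the first server's own timestamp."""
    hops = parse_hops(raw)
    claimed = parsedate_to_datetime(email.message_from_string(raw)["Date"])
    first = hops[0]
    gap = (first["stamp"] - claimed).total_seconds()
    # Per-hop transit times; a negative value means the two servers' clocks disagree.
    transit = [int((b["stamp"] - a["stamp"]).total_seconds()) for a, b in zip(hops, hops[1:])]
    return {
        "claimed": claimed,
        "first_hop_by": first["by"],
        "gap_seconds": int(gap),           # 63557 s: the Date header is ~17.7 hours too early
        "transit_seconds": transit,
        "suspicious": abs(gap) > tolerance.total_seconds(),
    }
```

Run on this message the script reports a gap of 63557 seconds between the claimed Friday-evening Date and the first Received stamp on Saturday afternoon; the three-second negative transit between mail.newyork.net and mail.miami.net is ordinary clock skew between the two servers, which is why the Date header, not hop-to-hop consistency, is the decisive discrepancy here.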
    % telnet mail.newyork.net 25
    Trying 10.232.19.48...
    Connected to mail.newyork.net.
    Escape character is '^]'.
    220 mail.newyork.net - Server ESMTP (PMDF V5.1-10 #20971)
    helo suspectshome.newyork.net
    250 mail.newyork.net OK, suspectshome.newyork.net.
    mail from: suspect@newyork.net
    250 2.5.0 Address Ok.
    rcpt to: witness@miami.net
    250 2.1.5 witness@miami.net OK.
    data
    354 Enter mail, end with a single ".".
    Subject: A quick hello
    Date: Fri, 19 Mar 1999 20:10:05 EST

    I am sitting innocently at home with nothing to do and I thought I would drop a line to say hello.
    .
    250 2.5.0 Ok.
    quit
After being presented with this evidence, the suspect admits to stealing the precious object and selling it on the black market. The suspect identifies the buyer and the object is recovered.