By Nelson Banya
Update via SW Radio Africa.
Defence lawyer Beatrice Mtetwa argued the emails were ‘fake,’ and moved to show the court how easy it is to create emails as though they were coming from a particular email address.
Hitschmann, various MDC officials, including Giles Mutsekwa, who is now the MDC co-Home Affairs Minister, and some police officers were arrested in 2006 in connection with this case but were acquitted. However Bennett is still facing the same charges of attempting to commit acts of banditry and terrorism.
Last week the judge said Hitschmann’s confessions implicating Bennett were invalid, after the state’s star witness said he had been tortured into linking Bennett to the crime. But in his ruling on Wednesday the judge said the emails were allegedly sent before Hitschmann’s torture and therefore could not be tainted by the alleged abuse suffered by the firearms dealer. Justice Bhunu therefore ruled that the disputed emails are admitted as evidence.
The defence lawyer then produced some ‘fake emails’ during the cross-examination of State witness Precious Matare, to show the court how easy it is for anyone to hack into an email address and send emails from that address.
One of the false emails used by the defence to prove this point implicated the Attorney General Johannes Tomana, who is also the prosecutor in the Bennett case. When Matare began reading the fake email, the Attorney General quickly jumped up to oppose and to block the defence’s line of argument. Tomana argued that it was inappropriate to ‘caricature’ the person of the Attorney General in these proceedings.
Observers in court said it was pretty clear that Tomana saw that this kind of evidence would be damaging to his case and would likely expose a fatal flaw in his argument. Mtetwa maintained she was attempting to demonstrate that the alleged emails between her client and Hitschmann could have been produced by anyone.
The High Court judge adjourned the hearing to Monday, when he is expected to rule on whether the defence can continue to show the fake emails.
HARARE – Zimbabwe’s High Court on Wednesday admitted disputed email evidence implicating opposition politician Roy Bennett in a plot against President Robert Mugabe’s government.
Bennett, a white farmer and a senior official in Prime Minister Morgan Tsvangirai’s Movement for Democratic Change (MDC), faces a possible death penalty if convicted of illegal possession of arms for “terrorism, banditry and sabotage”.
Defence lawyers had asked the court to reject emails linking Bennett to the alleged crime, arguing that they had been doctored and that a key state witness, Peter Hitschmann, who is alleged to have conspired with Bennett, disowned them.
The court had previously thrown out confessions by Hitschmann linking Bennett to the crime, on the grounds that the statements had been extracted under torture.
High Court judge Chinembiri Bhunu ruled that the emails were created before Hitschmann’s alleged assault.
“The emails cannot be tainted by the alleged abuse suffered by Hitschmann,” Bhunu said.
“They are relevant and vital to the fair resolution of the case and are hereby admitted as evidence.”
The arrest and trial of Bennett, MDC nominee for deputy agriculture minister in a government set up by Mugabe and Tsvangirai, has raised tensions in the power-sharing administration.
The state charges Bennett with funding a 2006 plot to blow up a major communication link in the country and assassinate key government figures. He is accused of having deposited funds in Hitschmann’s Mozambican account for the operation.
Bennett denies the charges, which he says are politically motivated. Hitschmann, an arms trader and key state witness who faced the same charges but was convicted in 2006 on a lesser charge of possessing dangerous weapons, has absolved Bennett.
Editor’s Note:
This explanation of email “header” data is courtesy of one of our readers (M. Mugabe).
The complete headers provide much information on the origin of a message and are a useful tool for tracking and stopping SPAM and virus-laden e-mail. Most e-mail readers only show the To: and From: headers, which can be easily forged. The complete message headers will look something like this:
Return-Path: [fake@address.com]
Received: from server.mymailhost.com (mail.mymailhost.com [126.43.75.123])
    by pilot01.cl.msu.edu (8.10.2/8.10.2) with ESMTP id NAA23597;
    Fri, 12 Jul 2002 16:11:20 -0400 (EDT)
Received: from aol.com (127-34-56-98.dsl.mybigisp.com [127.34.56.98])
    by server.mymailhost.com; Fri, 12 Jul 2002 13:09:38 -0700 (PDT)
Date: Fri, 12 Jul 2002 13:09:38 -0700 (PDT)
From: Hot Summer Deals
To: My.Friends@pilot.msu.edu
Subject: Just what you’ve been waiting for!!
In particular, the header lines beginning with Received: provide a trace of the message from its origin to your mail server. In many cases with spam and virus e-mail, not all of the information in the “Received:” headers can be trusted, but it can still provide many valuable clues as to the message source.
The first step in the analysis process is to find the full e-mail headers. The method for doing so varies depending on your mail reader. Consult the document Finding full e-mail headers for details.
What not to trust in mail headers
The above example is contrived, but illustrates several of the aspects of common forged e-mail headers. Of course, you may be lucky enough to have received a message from a verifiable source; if so, you will find some consistency to the results seen when analyzing the headers.
In the above example, the following headers are contrived by the sender’s system:
To: My.Friends@pilot.msu.edu
The contents of the To: header can be arbitrary. There is no account “My.Friends” at MSU. The true recipients of a message are determined by the e-mail “envelope” address, which is not displayed in these headers.
From: Hot Summer Deals
Likewise, the sender’s name is arbitrary. There may or may not be an account named “hot_deals” at AOL, and the sender may not be the valid owner of the account if it does exist.
Analyzing the “Received:” headers
The most useful clues to a message’s origin come from the headers that begin with Received:. Each mail server which handles an e-mail message adds a Received: header set to the front of the message; the first set is therefore added by your mail server. For this example, we’re assuming you read e-mail delivered to MSU’s Pilot e-mail system.
Let’s start with the first header:
Received: from server.mymailhost.com (mail.mymailhost.com [126.43.75.123])
    by pilot01.cl.msu.edu (8.10.2/8.10.2) with ESMTP id NAA23597;
    Fri, 12 Jul 2002 16:11:20 -0400 (EDT)
In this header, you see that the message was received by a Pilot mail server (pilot01.cl.msu.edu); the remainder of this line contains version information and the message id assigned by the Pilot mail server. The time stamp shows when the message was delivered to Pilot.
The first line shows three important pieces:
Mail server IP address: 126.43.75.123
This is the Internet IP address from which Pilot received the message.
Mail server domain name: mail.mymailhost.com
This is the domain name (DNS name) which matches the above IP address.
Mail server identification: server.mymailhost.com
This is what the server claimed its name to be. This may or may not agree with the domain name; a mail server may have more than one identity.
The second header gives more clues:
Received: from aol.com (127-34-56-98.dsl.mybigisp.com [127.34.56.98])
    by server.mymailhost.com; Fri, 12 Jul 2002 13:09:38 -0700 (PDT)
In this header, the receiving mail server name (server.mymailhost.com) matches the name shown in the first header (so far so good). The first line of this header reveals the source:
Originating IP address: 127.34.56.98
This is the Internet IP address from which the remote mail server received the message.
Originating domain name: 127-34-56-98.dsl.mybigisp.com
This is the domain name (DNS name) which matches the above IP address. This reveals that the IP address may be owned by an organization known as “mybigisp.com”. This would appear to be a high-speed DSL subscriber to mybigisp.com, but only that organization can tell you for certain.
Originating system identification: aol.com
This is what the originator claimed its name to be. In this case, the sender is claiming to be “aol.com”, but the source IP address and domain name do not fit.
From these headers, the most reliable identification of the message source is the sender’s IP address, 127.34.56.98. A number of tools are available for verifying the owner of an IP address. The authoritative reference for IP addresses is the American Registry of Internet Numbers. Using ARIN’s “Search WHOIS” tool (or one of the other tools), you can find the identification of the IP address owner. In most instances, a message to “abuse@organization” will do the trick; be sure to include the message with its complete headers.
Note that there may be additional Received: headers that were generated by the originator of the “spam” e-mail (or by a mail virus). In general, you can only trust the “Received:” headers as far as you can verify them. If you are uncertain about their authenticity, you should go with the last one which is verifiable.
Thanks for this M Mugabe. Very Informative. (Editor)


FOOD FOR THOUGHT REF: JUSTICE BHUNU
Previously I’d have said not, because if mail is sent via an ISP or a web-based mail service, the date and time will usually be correct. However, if you are running a mail server, then you probably can backdate an email, perhaps by setting your PC’s clock to an earlier date. Even then, an email will be forwarded by a number of other machines on its way to its destination, and these will add their own date and time.
I believe it is possible to insert fake Received: lines to try to hide when and where a message originated, but the real entries can’t be faked, because they are not under the sender’s control. If an email seems to have been backdated, check the “Received:” entries to see if it had a spurious start date or was delayed somewhere en route.
Some days ago, we received a comment from a reader who explained the details contained in an Email “Header”. I have reproduced it in the body of the article above. (Editor)
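The checks from the header walkthrough and from the note on backdating above, as an added example (not part of the reader's explanation or of the original page): it walks the “Received:” lines from the top, keeps only the hops that a verifiable server vouches for, flags a claimed name that does not fit the DNS name, and compares the Date: header with the last verifiable hop. The function names, the two-label domain comparison, the `my_domain` default and the one-hour slack are assumptions made for illustration.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Received/Date/From lines copied from the article's contrived example.
SAMPLE = """\
Received: from server.mymailhost.com (mail.mymailhost.com [126.43.75.123])
    by pilot01.cl.msu.edu (8.10.2/8.10.2) with ESMTP id NAA23597;
    Fri, 12 Jul 2002 16:11:20 -0400 (EDT)
Received: from aol.com (127-34-56-98.dsl.mybigisp.com [127.34.56.98])
    by server.mymailhost.com; Fri, 12 Jul 2002 13:09:38 -0700 (PDT)
Date: Fri, 12 Jul 2002 13:09:38 -0700 (PDT)
From: Hot Summer Deals

"""

# from <claimed name> (<DNS name> [<IP>]) by <recording server> ... ; <timestamp>
RX = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)\s+by\s+([^\s;]+).*;\s*(.+)$", re.S)

def base(host):
    # Assumption: the last two labels name the organisation (wrong for e.g. co.uk).
    return ".".join(host.lower().split(".")[-2:])

def analyze(raw, my_domain="msu.edu", slack=timedelta(hours=1)):
    msg = message_from_string(raw)
    hops, expected = [], my_domain   # the top hop must be written by our own server
    for value in msg.get_all("Received", []):
        m = RX.search(value)
        if not m or base(m.group(4)) != expected:
            break                    # nothing verifiable vouches for this line
        claimed, rdns, ip, by, when = m.groups()
        hops.append({"ip": ip, "rdns": rdns, "claimed": claimed, "by": by,
                     "time": parsedate_to_datetime(when),
                     "name_mismatch": base(claimed) != base(rdns)})
        expected = base(rdns)        # the next line down must come from this sender
    date = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    backdated = bool(hops and date and hops[-1]["time"] - date > slack)
    return {"trusted_hops": hops,
            "origin_ip": hops[-1]["ip"] if hops else None,
            "backdated": backdated}

if __name__ == "__main__":
    result = analyze(SAMPLE)
    for hop in result["trusted_hops"]:
        print(hop["ip"], hop["rdns"], "claimed:", hop["claimed"],
              "MISMATCH" if hop["name_mismatch"] else "ok")
    print("last verifiable source:", result["origin_ip"],
          "| Date header backdated:", result["backdated"])
```

A “Received:” line whose recording server does not match the sender logged by the hop above it ends the trusted chain, so lines inserted below that point by the originator are ignored rather than believed.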
Me thinks Justice Bhunu is playing with Tomana. He knows his (Tomana’s) weaponry will not hold out in the long run, so he will give him as much slack as possible and then let the defence shoot his arguments down like clay pigeons. Ha-ha-ha
We know what we will do with Bennett
This is a very interesting turn of events. What on earth led to this Judgement? I expected the Judge to allow Tomana to first prove that the e-mails were authentic before they can be admitted as evidence. His ruling that the e-mails were created before Hitschmann had been tortured is laughable as it suggests that they are indeed authentic. With due respect the Judge made a very biased judgement as he has now shifted the burden of proof to Bennett. The strategy by Beatrice to create a counter fake e-mail is very strategic. It would go a long way to prove that there was miscarriage of Justice if this obviously biased Judge suddenly convicts Bennett based on this hoax. We all know that the Judge may rule that Mtetwa’s e-mails are not admissible because they are fake, but, wait a minute, how will he prove that they are fake?
Mthwakazi’s comments are a very telling insight. If Mtetwa’s e-mails are not admissible because they are fake, how will Justice Bhunu prove that they are fake?
Hopefully Isabel’s observation “Me thinks Justice Bhunu is playing with Tomana” proves correct.
Three important elements in email forensics: Originating IP, Geo-location of IP and Electronic ID of the computer that sent the email [which every computer submits to the server]. Even if the state gets all three right, they will need to prove that Hitschmann was indeed on the keyboard on the day and time at which emails were sent. Proving that they were sent from his computer is not good enough as he could have been in prison on the day [or in Mutare with a solid alibi when Geo-location of Originating IP shows emails were sent from Harare]. The email that Mtetwa brought to court to prove emails can be forged cannot pass that test unless they generated it from a computer that can be directly linked to Tomana through Electronic ID, ISP, Time and Geolocation. I hope the prosecution and defence both have the necessary expertise.
I see some law students trying to exercise their little acquired skills by splitting hairs here. We are advantaged in having search engines on the net nowadays where one can simply search for cases worldwide where e-mail evidence has been used. Don’t think just because your preferred person is on the wrong side of a judgment then the world must go upside down.
While you are at it, also google up the patriot act of the US and educate yourself what your masters of democracy think of mail and telephonic laws.
Otherwise events will overtake you while you waste time discussing IP headers which I suspect some of you are clueless about. If we publish our researches on IT security here you will think we are showing off.
No need to publish a thesis, and Zimbabwe is not a part of the United States so no need to tell us about the “patriot act”. I am sure the people in Harare know what they are doing, and email forensics are not a matter of opinion, they are just as good as DNA.
A point of correction here, what simply happened was that Justice Bhunu allowed the emails to be produced as evidence, but that does not mean that he has made a ruling on the authenticity or truthfulness of the emails. In his judgement (after the trial) he will examine all the evidence before him, he will also examine and make a ruling “beyond reasonable doubt” on whether he believes in the emails.
The Judge will then make a ruling “beyond reasonable doubt” on the strength of the entire evidence against the accused, and he will then pronounce Bennett “guilty” or “not guilty”. From the evidence that we have all gleaned through the press I think that the state has not made out its case, noteworthy is the fact that Tomana was forced to declare his key witness “hostile” (impeach) that in itself means that the Judge will not put a lot of weight on the evidence that came out of the cross examination unless there is some other secondary evidence to corroborate the evidence from the cross examination.
I believe that Beatrice Mtetwa will apply for discharge at the close of the state case and she may get it because it is against our law to permit the State to make its case from the defence case. (Please note: if Mtetwa makes the application at the end of the state case, the Judge will make a decision on whether a “prima facie” case has been made or not, and this is not measured by “beyond reasonable doubt”.)
Dear Abel. Where have you been hibernating my friend? We really miss your condescending attitude here. You are a very learned chap (that’s obvious) but alas you can not know everything. It was silly for your favourite “lawyer” to bring a typist as an expert witness. As Tich has pointed out, by admitting these e-mails as evidence, the Judge has only given Beatrice and her very talented defence team to tear the so called evidence apart and further punch holes into Tomana’s fake case. It is so unfortunate that we have to refer to a case before a Judge as fake but unfortunately that is what we have. As for you dear Abel, is there nothing to say about our dear girl of the week?
Dear Mthwakazi, I am a bit scarce nowadays because my research project is nearing its end and most decisive part so I am a bit busy. Once in a while I like to come and let out some steam but unfortunately some of my comments may not be in compliance of the rules of submitting comments.
Anyway as for Tomana, I am sure you remember me telling you that I know that fella personally because he was a lawyer for a company I worked for once upon a time. The company lost a lot of cases with him representing it so I was quite surprised when I heard that he had been made AG of the whole of Zimbabwe!!!!!
To get to a stage where one relies on e-mail for such a case is quite sad to say the least. We need more concrete evidence because if found guilty for treason someone could hang.
The girl of the week has been there for too long. I think the editor has abandoned that part of the paper to concentrate on politics full time.
Zimbabwe is not a part of the United States so no need to tell us about the “patriot act”!!