Covert Investigations

2010-08-07T10:45:00.000-04:00

Investigations Involving the Internet

2009-05-08T21:02:00.096-04:00

When an individual uses the Internet as a common way of communication, they leave what we call "footprints. “We’re able to gather that personal information for your review. An Internet profile reveals where they've been on the Internet including their interaction with social networking groups (e.g. MySpace, Facebook, etc).

While on the Internet they may have admitted committing a crime, denied knowing a person of which they've previously had conversations with, or placed pictures online of which could be very damaging to his or her reputation.

TRACING AN EMAIL

There are two types of email traces, an "EMAIL ADDRESS" trace and an "EMAIL MESSAGE" trace. Below is the explaination of both:

Tracing an "EMAIL ADDRESS" reports only the mail server for the address. This is useful for identifying both the company and the network that provides the service for the email address. What it doesn't do is provide information about who sent the email.

Tracing an "EMAIL MESSAGE" provides a lot more information on the sender. Every email message includes a header with valuable information. This allows you to analyze the email header and the IP address of the computer where the message originated. Also it may come down to how much of a "Footprint" the sender has left on the Internet.

With that said you never know if the sender temporarily created the email address to use as a communication tool only to delete it a few minutes later, thus leaving no "Footprints" on the Internet. Additionally many times a sender CAN be physically and/or geographically pin-pointed by producing a subpoena to the host ISP.

*********************************************************************************

TRACING AN IP ADDRESS OR DOMAIN NAME

*Resolve domain name
First up on your list is to try and resolve the domain name (e.g. www.resolve.com) to an IP address. Many software tools are available to aid investigators in resolving domain names into IP addresses.

NOTE: Be aware that inquiries made on these Websites could be monitored and recorded. It’s important to perform inquiries from a computer that cannot be traced back to you.

Determine and record domain name registrations. Information that's available is the registrar’s name and addresses, billing information, administrative contact such as telephone and fax numbers, the range of IP addresses associated with the domain name, and technical contact information. The list of contacts may also provide additional information regarding the specific computer being investigated, including both the location and the person designated to receive legal process.

NOTE: The very same process can also be used to resolve an IP address to a domain name to obtain contact information.

*Where’s the evidence?
Information can be found in numerous locations, including the user’s computer, the ISP for the user, and the ISP for a victim and/or suspect.

Log files can be contained on the victim’s, and/or the suspect’s routers, firewalls, web servers, email servers, and other connected devices.

Most ISPs can identify the registered user assigned to the IP address at “the specific time,” enabling the investigators to request additional information. However, the investigator may have to use “traditional investigative methods” to identify the person using the account at that time.

*Provide legal service of process
The third step is to determine who the appropriate parties are, so as to contact and/or serve the legal documents. Warrants, court orders, or subpoenas are usually required to release the exact end-user information to law enforcement agencies. Many of these requirements are governed by the ECPA, (Electronic Communications Privacy Act), and other applicable Federal and State laws. A preservation letter may assist in preserving information until the proper legal requirements can be met. These requests should specify the IP address, the date, and the time, including the time zone. Be aware of the need for expeditious service of preservation letters under 18 USC § 2703(f) (appendix G).

Information that may be obtained from the ISP may include the registered owner, the address, payment method, dates, connection times, and the IP addresses.

*********************************************************************************

SPOOFING, MASKING, AND REDIRECTING

Advanced methods of hiding activities on the Internet include hiding the IP address, pretend to be someone else, and sending traffic through another IP address. These methods are commonly referred to as:

a. "IP Masking" is a method of hiding or obscuring the true source IP address.
b. "IP Spoofing" is a method of impersonating another system’s IP address.
c. "IP Redirecting" forwarding/routing Internet traffic to an obscured IP address.

Advanced training is needed to investigate or identify when these actions have occurred. Even after completing legal process, “traditional investigative methods” still may be necessary to identify the end-user. In many cases, masking, spoofing, or redirecting may prevent the identification of the user.

*Dynamic and static IP addresses
"Dynamic IP Addresses" are temporarily assigned from available addresses registered to an ISP. These addresses are assigned to a device when a user begins an online session. As a result, a device’s IP address may vary from one logon session to the next.

"Static IP Addresses" are permanently assigned to devices configured to always have the same IP address.

A person, business, or organization maintaining a constant Internet presence, such as a Website, generally requires a static IP address. Both the date and time an IP address was assigned MUST be determined to tie it in to a specific device or user account. The ISP may maintain historical log files relating these dynamically assigned IP addresses back to a particular subscriber and/or user at a particular time.

*********************************************************************************

LEGAL CONSIDERATIONS

All investigations involving both computer evidence and the recovery of computer information, specific legal requirements and reliable forensic procedures must be followed to the tee.

*Sample language:
When drafting legal process, the following "sample language" may be useful. However, the ISP may require other specific language.

*ISP account information: “Any and all subscriber information relating to the account of (Name) including but not limited to user identity, user account information, screen names, account status, detailed billing records, e-mail account information, caller line identification (ANI), account maintenance history notes, and IP history from (Date) to present.”

*Email address information: “Any and all subscriber information relating to the individual who registered and maintains the e-mail address of (JonDoe@Email.com) including but not limited to user identity, user account information, screen names, account status, detailed billing records, e-mail account information, caller line identification (ANI), account maintenance history notes, and IP history from (Date) to present.”

*IP address information: “Any and all subscriber information relating to the account of the individual who was assigned the IP address of (IP Address) on (Date) at (Time and Time Zone) and the IP address of (IP Address) for (Date) at (Date and Time Zone) including but not limited to user identity, user account information, screen names, account status, detailed billing records, e-mail account information, caller line identification (ANI), account maintenance history notes, and IP history from (Date) to present."

*Domain name information: “Any and all information relating to the identity of the individual who registered and maintains the domain names of (www.xxxxxxxx.com) and (www.xxxxxxxx.org) including but not limited to all account information, billing records including credit card number or other payment information, user identity, IP history, and caller line identification.”

*Web page information: “All information on the individual who created and maintains the (ISP) Web page (Web page name) including but not limited to user identity, user account information, billing records, e-mail account information, caller line identification, usage logs, and IP history.”

*Telnet session providers: “Any and all IP history relating to Internet traffic of (xxxxx.net) and user logs of (xxxx.net’s) Telnet sessions for (Date) and (Date) including but not limited to user identity, user name, user commands issued, and user address.”

*Point of Presence (POP) information: “Any and all information relating to the (ANS.NET or other ISP) Point of Presence location that issued the IP (IP Address) on (Date/Time) including but not limited to dial-in access phone number, physical address, and (Telephone Company) to whom the dial-in access phone number is subscribed.”

*Outgoing telephone records: “Any and all information including but not limited to subscriber information and billing information for the address of (Address of Subscriber). Any and all information including, but not limited to subscriber information and billing information for the telephone number of (Telephone Number). Include a listing of any local outgoing calls made from the above address. Include above information for any and all telephone numbers listed for the above address for the period of (Date/Time).”

NOTE: In determining legal issues, at a minimum the following should be considered:

The Fourth Amendment
If the e-mail resides on the sender’s or recipient’s computer or other device, then the steps taken to secure that evidence must be analyzed under the Fourth Amendment and State constitutional requirements. The investigator must consider whether the person on whose computer the evidence resides has a reasonable expectation of privacy on that computer. The Fourth Amendment would require a search warrant or one of the recognized exceptions to the search warrant requirements such as consent or exigent circumstances.

Electronic Communications Privacy Act
If the e-mail is stored by an Internet Service Provider or any other communications network, retrieval of that evidence must be analyzed under the Electronic Communications Privacy Act (ECPA). ECPA creates statutory restrictions on government access to such evidence from ISPs or other electronic communications service providers.

ECPA requires different legal processes to obtain specific types of information. Basic subscriber information (name, address, billing information including a credit card number, telephone toll billing records, subscriber’s telephone number, type of service, and length of service) can be obtained by subpoena, court order, or search warrant.

Transactional information (such as Web sites visited, e-mail addresses of others from whom or to whom the subscriber exchanged e-mail, and buddy lists) can be obtained by court order or search warrant.

A search warrant can be used to obtain content information from retrieved e-mail and must be used to obtain unretrieved stored e-mails. Real-time access (traffic intercepted as it is sent or received) requires a wiretap order under the provisions of Title III.

Pen Register and Trap and Trace Statute
This applies not only to telephone communications, but also Internet communications. For example, every e-mail communication contains to and from information. A pen/trap device captures noncontent information of communications in real time.

Title III wiretaps
Title III may need to be considered, depending on how an ISP executes a request to obtain a subscriber’s e-mail. However, to obtain e-mail in real time as it is ingoing and outgoing from the ISP, a Title III wiretap order is always required.

Information obtained from an e-mail message can be valuable evidence. This chapter provides techniques to obtain one piece of the investigation puzzle. Once the e-mail account subscriber is identified, however, other investigative techniques should be used to actually place an individual at the keyboard at the time the message was sent. Keep in mind the legal procedures that must be followed to ensure the evidence gathered can be used in court.

****************************************************************************************************************
PERVERTED JUSTICE RECENT BUSTS

Cyber-Tr@ce Technologies

Covert Investigations

Investigations Involving the Internet