Email Evidence – Part 3 – Tracing the IP Address

You are now armed with the header information from an email and have located the originating IP address along with the date and time stamp from the header. You have taken that IP address over to a site like to find out the owner of the IP address. Now what do you do?

The next step in tracing the email depends on your results from the Who Is search to determine the owner of the IP.  If the email was sent from a webmail service like Gmail or Yahoo, the owner of that IP address will be those services. If the email was sent from a program like Outlook, the IP address will likely be an Internet Service Provider (“ISP”) such as Cox, Comcast, or Verizon.

Let’s start first with webmail. You enter the IP address into a Who Is search and found that Google owns that address. Now, go back and look at that “From” line in the email – is a Gmail address? If it is a Gmail email address and the IP address is from Google, you may be looking at a legitimate email. However, you are not done yet. Just because it is a Gmail account and an email sent from Google, it does not mean that it was that particular user who sent it. What if someone left their account logged in at the public library? What if someone hacked their account? There are still many possibilities, so we must continue our search.

At this point, you need to subpoena Google. You need to find out the IP Address of the user that was logged in to that Gmail account at the time the email was sent. Once you get that IP Address from Google, plug it into a Who Is search to find out who owns that IP Address. Most likely, it will be an Internet Service Provider. (This is the same process for other providers such as Yahoo, or Microsoft that provide webmail services)

Having either directly found the ISP from the header, or subpoenaed a service like Google to get the ISP, you are now ready to track down the sender’s physical location. You must now subpoena the ISP to find out where that IP Address was assigned at that date and time (Remember Part 2 when you leaned IP Addresses can change).

The ISP will take the IP Address you provided, along with the date and time, and find out which MAC Address had that IP Address. A MAC address is a unique identifier assigned to each network card. A typical laptop will have two MAC addresses – one for the network card where you plug in a network cable, another one for the wireless network card. Your home modem that you plug in to get Internet access has a MAC Address. Your ISP has that MAC Address registered to you so they know what services to provide when it sees your MAC Address connect to the network.

The ISP has that MAC address associated with a physical address. When you send the subpoena with IP Address, date, and time, the ISP finds which MAC Address had at that IP Address at that date and time. They then lookup who owns that MAC Address and return a customer’s name and address. You have now traced an email to a physical address.

In the next post, we will learn about possible issues at the physical address you found. I will also cover areas where there could be error and some typically questions you might ask if you are defending against email evidence.

For those of you feeling overwhelmed – don’t worry. I will be offering some tips to simplify things for your area of practice. Send in your questions and I will cover them in future posts.