Email Evidence Part 4 – The Physical Address

Having followed the steps in Parts 1, 2, and 3 of this series, you have now traced an email back to a physical address. The investigation is almost complete. As a tip to those criminal defense attorneys out there – many law enforcement agencies stop their investigation at this point and do not continue on to the steps I outline below.

Once you trace the IP address to a physical address, you have to confirm what devices are located at that physical address. Most homes now have a wireless network. Every device connected to that wireless network will appear to have the same IP address on the Internet. Wireless and wired routers allow many computers or devices to share a single IP address, and there are routers everywhere. If there is a wireless router located at the physical address, you need to determine whether or not it is password protected. If there is no security on the wireless network, anyone within range could connect to that network and get the IP address associated with that physical address. If the physical address is an apartment, there could be many people living within range of that wireless network. See my post on open wireless networks to learn more about how common these networks are and how easy it is to access them.

You must also consider physical security at the address. Are there many people at the address? Are there people coming and going from that address? If that address is a business – do they have card access? Security cameras? Sign in/out logs? There are many factors to consider that could help you determine the true sender of the email or rule out other possible senders.

When you are defending against email evidence (especially in criminal cases), ask the other side’s witness these questions. Are they able to rule out other possible senders from that physical address?

This concludes the majority of most email investigations. However, every investigation is different, and there are factors in every case that change the analysis. Business locations are different from homes, which are very different from the open wireless hotspots you will find at places like coffee shops.

Other factors can complicate these investigations. Sophisticated users can do things like change their computer’s MAC Address, use services that hide their true IP Address, and alter the date and time of the email.

Here are a few tips for defending against email evidence:

  • Obtain the headers from the other side, not just a printout of the email. Printouts can be altered.
  • Look closely at each step of the email investigation.
  • Look at the report from the Internet Service Provider. They frequently include a statement that their records are kept for business purposes and are not maintained for law enforcement or litigation matters.
  • Did the officer/investigator look at the network setup at the physical address? Was there a router? How many devices were at the physical address? Was there an open wireless router?
  • Was a forensic investigation completed on the suspect’s computer to look for evidence that he or she sent the email?
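Three of the points above (get the raw headers rather than a printout, a sender can alter the email's date and time, and every device behind a router shows the same public IP address) can be checked mechanically once you have the headers. The script below is an added example written for this post, not a tool from the series or from Chase Technology Consulting. It parses the Received chain of a constructed sample message (the hostnames, relay IDs and addresses are hypothetical; the public addresses are drawn from documentation ranges), separates the RFC 1918 private address of the device on the home network from the public address that the ISP records map to a subscriber, and reports how far the sender-controlled Date header disagrees with the timestamp stamped by the first relay.

```python
import re
import email
import ipaddress
from email.utils import parsedate_to_datetime

# Constructed sample message for illustration only. Hostnames, relay IDs and addresses are
# hypothetical; 198.51.100.0/24 and 203.0.113.0/24 are reserved documentation ranges.
# Received headers are prepended by each relay, so the first one is the final hop and the
# last one is the originating hop. The Date header is deliberately two days earlier than
# the first relay's timestamp to show the kind of inconsistency worth asking about.
RAW_MESSAGE = (
    "Received: from mx.recipient.example (mx.recipient.example [203.0.113.5])\n"
    "\tby inbox.recipient.example with ESMTP id abc123;\n"
    "\tMon, 3 Jun 2013 10:05:12 -0700\n"
    "Received: from smtp.sender-isp.example (smtp.sender-isp.example [198.51.100.20])\n"
    "\tby mx.recipient.example with ESMTP id def456;\n"
    "\tMon, 3 Jun 2013 10:05:10 -0700\n"
    "Received: from [192.168.1.7] (cpe-198-51-100-77.sender-isp.example [198.51.100.77])\n"
    "\tby smtp.sender-isp.example with ESMTPA id ghi789;\n"
    "\tMon, 3 Jun 2013 10:05:08 -0700\n"
    "From: someone@sender-isp.example\n"
    "To: recipient@recipient.example\n"
    "Date: Sat, 1 Jun 2013 09:00:00 -0700\n"
    "Subject: constructed example\n"
    "\n"
    "body\n"
)

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# RFC 1918 ranges: addresses a home or office router hands out on its own network.
# They are never visible on the Internet, so the ISP cannot tie them to a subscriber.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if the address belongs to a private (behind-the-router) range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


def parse_received(raw_message):
    """Return the Received hops in header order (final delivery first, originating hop last).
    Each hop records the bracketed IPs it names, which of those are private, and its timestamp."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())           # unfold the continuation lines
        head, _, stamp = line.rpartition(";")    # the timestamp follows the last ';'
        ips = IPV4_IN_BRACKETS.findall(head)
        hops.append({
            "text": head.strip(),
            "ips": ips,
            "private_ips": [ip for ip in ips if is_rfc1918(ip)],
            "time": parsedate_to_datetime(stamp.strip()),
        })
    return hops


def originating_public_ip(raw_message):
    """The first non-private address named by the earliest hop: the single public address
    that every device behind that subscriber's router shares on the Internet."""
    earliest = parse_received(raw_message)[-1]
    for ip in earliest["ips"]:
        if not is_rfc1918(ip):
            return ip
    return None


def date_header_skew(raw_message):
    """How far the first relay's timestamp is ahead of the Date header. The Date header is
    written by the sender's own client, so a large skew is worth raising with the witness."""
    msg = email.message_from_string(raw_message)
    claimed = parsedate_to_datetime(msg["Date"])
    first_relay = parse_received(raw_message)[-1]["time"]
    return first_relay - claimed


def transit_is_monotonic(raw_message):
    """Relay timestamps should only move forward from the originating hop to final delivery."""
    times = [hop["time"] for hop in reversed(parse_received(raw_message))]
    return all(earlier <= later for earlier, later in zip(times, times[1:]))


if __name__ == "__main__":
    for hop in parse_received(RAW_MESSAGE):
        print(hop["time"].isoformat(), hop["ips"], "private:", hop["private_ips"])
    print("originating public IP:", originating_public_ip(RAW_MESSAGE))
    print("Date header skew vs. first relay:", date_header_skew(RAW_MESSAGE))
    print("relay timestamps in order:", transit_is_monotonic(RAW_MESSAGE))
```

Run against the sample, the originating hop names both 192.168.1.7 (the device's address on the home network, which only the router at that address ever sees) and 198.51.100.77 (the address the ISP would report), and the Date header is found to be two days and just over an hour behind the first relay. The private address and the relay-to-relay timing are exactly what a printout loses, which is why the raw headers are the item to request.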

When introducing email evidence, look at the contents of the email. Does the email contain facts only the accused sender would know? This will help to establish the sender of the email. Frequently there are facts in the email that make it likely a particular user sent that email.

This series does not cover all of the issues associated with email evidence, but it does touch on all of the major points. It would be impossible to cover every possible issue in such a series. For those of you in Tucson, Arizona – you can attend my CLE on email evidence to learn more.

If you are faced with either obtaining or defending against email evidence, look to the factors discussed in this email series. Often you will be able to gather enough information without an expert to move forward with your case. If you have questions, need help, or need to retain an expert witness, contact Chase Technology Consulting and we can help. We are happy to answer simple questions over email for no charge.