Everyone uses the Internet, says Gary Kessler, instructor of upcoming “Tracing IP Addresses” webinar—but few people understand how it actually works. And while investigators don’t need to know how the telephone system works to get a warrant for phone records or even wiretapping, the Internet is far more complex–but far more accessible to the investigator.
“Computer forensics starts ‘under the hood’,” he explains. The investigator must know about file allocation tables, storage space on a hard drive or other digital device, and so forth, before being able to use the appropriate tool to recover evidence.
And because the Internet figures into so many forensic examinations—those involving child pornography, cyber bullying and harassment, etc.—it is one of the working parts “under the hood.” “No longer are there standalone computers,” says Kessler, “so conducting online investigations involves the application of some forensic principles.”
Tying digital evidence to individuals
These include both legal and technical aspects. “Investigators need to be able to understand the networking clues left on the computer,” says Kessler, “such as where to look, and how the clues can mislead. For example, the email header doesn’t prove who sent the email, but it can indicate where the email came from.”
In fact, he adds, everything in digital forensics is about finding patterns of behavior. “When taken together, those patterns can lead a reasonable person to what a suspect did,” says Kessler. “Digital forensics provides exculpatory or incriminating information which might take an investigation in a direction it may not otherwise have gone.”
In the case of IP tracing, this can even include geolocation. “An IP address can provide a general location from where an individual accessed email, for example,” says Kessler. “In one homicide investigation, this was key when the suspect denied an email account was his. Not only was the account established as his, but the IP addresses also showed the account being accessed from locations which coincided with his business trip calendar.”
Seeing evidence from every angle
Kessler says there are few misunderstandings about IP address tracing, but that investigators don’t always correctly interpret the evidence. “As an example, a traceroute showing data packets going from Point A to Point B will show a different set of addresses than the packets going back from Point B to Point A,” he explains, “which could be interpreted as a completely different route. The investigator has to know how to interpret the information, which is simply the same route being reported in a different way.”
The takeaways from Kessler’s webinar: how IP addresses relate back to online activities, along with tools that show how addresses relate to Web domains, how the domains relate to individuals, and how IP addresses relate to geographical locations.
In addition, Kessler will cover how criminals use the same tools. “An investigator uses the tools in a criminal case, but a hacker uses them to discover vulnerabilities,” he explains. So in all, while IP address tracing may seem trivial, it is important in any case with a networking component.
Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.
Image: curiouslee via Flickr