Every time a computer user views a web page, uses instant chat or sends an email, details about their location may be revealed to the host or recipient’s server via their Internet Protocol (IP) address. In instances of crimes involving computers, this can be a vital clue in tracking down the perpetrators.
An IP address is a unique numerical identifier assigned to a device by the individual’s internet service provider (ISP) every time it connects to the internet. It doesn’t reveal where a user’s house is, or even on which street, but it will usually reveal the city and country the user is in, and what internet service provider (ISP) they are using.
Sometimes, the IP is static, meaning that it remains the same at all times, but sometimes it is dynamic, meaning the ISP assigns a new IP address every time the user connects to the internet. However, each Internet Service Provider keeps a detailed record of which IP address was assigned to which individual account holder at any particular time.
As such, if a law enforcement official wished to trace the location of an IP address, they would be able to contact the ISP and more detailed information about the subscriber, including the individual’s name, address, and even their bank details if they pay for the connection using a direct debit agreement. Similarly, if a user chooses to use the email address provided by their ISP to send correspondence or to register for an online account with a service provider – for example, john@myISP.com, this would also make them identifiable via their ISP.
In fact, even web-based email may allow officials to trace users to a physical location, since the IP address used at sign-up and login is typically logged by the email provider. IP addresses are in fact logged by most online services, which led to the eventual arrest of a pair of robbers in 2008. During the investigation, computer forensic analysts were able to trace the physical location of a computer that had been used to place the ads used to draw victims to a location where they were robbed at gunpoint.
However, when investigating a computer crime, law enforcement officials have to be wary of a practice known as ‘IP spoofing’ which makes it appear as if a connection or message has come from another location. IP spoofing is commonly used in computer crime such as Denial of Service attacks where very large amounts of data are sent to a particular network, rendering it unusable for the duration of the attack.
In addition, in some cases it may be that an unsecure network has been connected to by an unauthorised party. For example, wireless internet connections can be left unsecure, meaning that anyone near the property within range of the Wi-Fi signal could use that IP address. This is one reason why it is vital that Wi-Fi users install a security key on their network.
In such cases, once a suspect machine has been identified, it is usually the role of computer forensic experts to closely analyse the suspect computer to recover additional evidence of the criminal activity, which could include extracting internet browsing records and recovering deleted files. This means that while criminals continue to develop ever more complex ways to disguise their identity while committing malicious activity online, in most cases, computer forensics is still able to provide vital and essential assistance in bringing them to justice.