As computers and the internet are so much a part of our lives, it's not a great surprise to see technology becoming more a part of the fabric of stories in entertainment media. Television shows and movies both show the use of technology in good and bad lights. Given that, and the current popularity of police and forensic-work themed shows, it's not terribly surprising that the internet and computers are often shown helping to capture criminals.
One of the most popular uses in this regard shows the police (or the like) using posts on a website, or emails, or other internet activity to find and locate a criminal, right down to their front door. For example:
Person A : Oh our suspect posted on forum X yesterday.
Person B : Can you find them?
Person A : Sure, no problem. We'll just *click* *click* get their IP address and now find them (picture of a geolocation map zooming inexorably in to a specific address). Got 'em.
There are actually a number of myths prevalent in the approaches shown, and I think I'd like to bust them here. I should be clear that I'm not picking at the myths because I want to nit-pick every piece of staged entertainment. But I do think that the false portrayals given in examples like the above are harmful to the general public's understanding of real issues regarding privacy, big brother and security on the internet.
Myth #1 - Anything you do on the internet identifies your IP address clearly
This is the first problem with the way the use of technology is portrayed: the ease with which the investigators can get a valid IP address. Often enough in the scenarios presented, investigators are able, in seconds, to get an IP address based on a forum post or blog entry. The problem is that if that information is retrievable at all (and there are some cases in which it really wouldn't be), more often than not it's going to take significant time to find it. For about 99% of cases it would take serving the related ISP with a summons to produce the log files for the relevant period. In other words, this information isn't available one click away, again assuming it's available at all.
Sometimes other sources are used for identifying IP addresses; email seems to be a popular one. If you've ever looked at the headers of an email message you may have noticed that each message contains a number of IP addresses, and this information is used by mail servers. So surely, if you have an email message, you can identify the IP address of the sender? Right?
Well, not so much. An email may well contain the IP address of the sender, but for a whole bunch of quite common reasons it may not. For one thing it is possible (and relatively easy) to just outright lie. The ease with which one can insert or alter fake email headers and still have the email delivered is proven by the amount of email spam in existence. Any sort of competent criminal wouldn't be traceable via email headers.
Even without any deliberate deception, emails can be useless for tracking original senders because the sender used another system to send the message. As an example of this, think of Hotmail or Gmail. Someone using one of these systems will not be traceable by email headers: the originating IP address used by the sender is never included as part of the headers. That leaves one, at best, back to getting the IP from the company running that web service, if it can be obtained at all.
In short, it's not usually impossible to identify an IP address based on an email or forum post or other activity, but more often than not it's going to be much more involved than portrayed. And in some cases it will be impossible.
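To make the header point concrete, here is an added example (not part of the original post) that walks the Received: chain of a constructed email and sorts the addresses in it by how far they can be trusted. The message, hostnames and addresses are all made up (documentation and private ranges only). The one thing a recipient can confirm from their own logs is the Received: line their own server wrote, and the address in that line is the last relay that connected, not the person who typed the message; everything beneath it arrived inside the message and could say anything.

```python
"""Walk the Received: chain of an email and separate the addresses the
recipient can vouch for from those that merely arrived inside the message.
Added example, not from the original post; SAMPLE_MESSAGE is constructed and
every hostname and address in it is fictional."""
import email
import ipaddress
import re

# Constructed sample. Only the topmost Received: line was written by a server
# the recipient operates (inbound.recipient.example). The two below it were
# already present when the message arrived and are taken on the sender's word.
SAMPLE_MESSAGE = b"""\
Received: from mx.partner.example (mx.partner.example [198.51.100.7])
\tby inbound.recipient.example with ESMTP id abc123
\tfor <someone@recipient.example>; Mon, 3 Mar 2008 10:00:00 +0000
Received: from webmail.example ([203.0.113.55])
\tby mx.partner.example with ESMTP; Mon, 3 Mar 2008 09:59:58 +0000
Received: from [10.0.0.5] (helo=desk-pc.example)
\tby webmail.example with SMTP; Mon, 3 Mar 2008 09:59:50 +0000
From: poster@example.net
To: someone@recipient.example
Subject: hello

(body)
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
BY_RE = re.compile(r"\bby\s+(\S+)")
# RFC 1918 private ranges: such an address says nothing about who is on the internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def received_hops(raw):
    """Return the Received: headers, newest first, as {'by': host, 'ips': [...]}."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        by = BY_RE.search(text)
        hops.append({"by": by.group(1) if by else None,
                     "ips": IPV4_RE.findall(text)})
    return hops


def trace_origin(raw, own_server):
    """Classify the addresses in the Received: chain.

    verified_peer : the address that connected to own_server, the only IP the
                    recipient can confirm against their own server's logs
    unverifiable  : public addresses claimed by earlier hops (forgeable by the sender)
    unroutable    : RFC 1918 addresses, which identify nobody on the internet
    """
    hops = received_hops(raw)
    result = {"verified_peer": None, "unverifiable": [], "unroutable": []}
    if not hops or hops[0]["by"] != own_server:
        return result  # no hop we wrote ourselves, so nothing is verifiable
    result["verified_peer"] = hops[0]["ips"][0] if hops[0]["ips"] else None
    for hop in hops[1:]:
        for ip in hop["ips"]:
            if is_rfc1918(ip):
                result["unroutable"].append(ip)
            else:
                result["unverifiable"].append(ip)
    return result


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print(hop)
    print(trace_origin(SAMPLE_MESSAGE, "inbound.recipient.example"))
```

Run against the sample, the only address the recipient can stand behind is 198.51.100.7, the partner's mail exchanger; the webmail server's address is unverifiable, and the "origin" 10.0.0.5 is a private address that could belong to any network on earth. Even in the honest case the chain stops at whichever system the sender used to submit the message, which is exactly the webmail situation described above.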
Myth #2 - Using an IP address I can track you to your door
Assuming investigators were able to find a real IP address for you, overcoming all of the above, assuming you didn't use a proxy of some sort, and granting a number of other assumptions, the use of this IP address to track you to your door is still truly fantastic.
There are plenty of sites and services that use geolocation by IP to identify your country of origin. This does work, with some caveats. IP geolocation is done by looking up the location of the netblock owner. A netblock is a range of IP addresses, and IP addresses are allocated on the internet in netblocks. The problems with this are two-fold. First, the information is not always correct. Sometimes netblocks have been re-assigned and re-sold so many times that it's near impossible to find out what country the IP is actually in. Second, and more importantly, what that information tells you (when it's correct, that is) is the location of the netblock owner. That is, it will probably help identify the location of the ISP that the suspect uses; it does not contain information that could supply a specific address for the suspect. Taking the IP and a summons to the ISP might enable one to identify the suspect's address, but again that's not a point, click and zoom exercise, and it rests on several assumptions.
At any rate, entertainment is great, and I'm all for the suspension of disbelief, but don't get caught thinking that either big brother government or criminal elements can use information you "leak" when using the internet in any form to quickly identify and find you. It just doesn't actually work that way.
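An added example (not part of the original post) of what an IP geolocation lookup actually does: match the address against registry allocation records and report the registrant of the narrowest matching netblock. ALLOCATIONS is a constructed stand-in for WHOIS data built from documentation prefixes, not real assignments, and the fictional nested /24 stands for a block that was re-sold to a customer in another country without the parent record being updated.

```python
"""Resolve an IP address to the registered owner of its netblock, which is
all an IP geolocation lookup really does. Added example, not from the
original post; ALLOCATIONS is constructed (documentation prefixes, fictional
registrants), not real registry data."""
import ipaddress

# Constructed allocation records: (prefix, registrant, country of registrant).
ALLOCATIONS = [
    ("198.51.0.0/16", "Example Transit Ltd", "GB"),
    ("198.51.100.0/24", "Example Hosting SAS", "FR"),   # re-sold sub-block
    ("203.0.113.0/24", "Example Access ISP Inc", "US"),
]


def matching_allocations(ip):
    """All records whose prefix contains ip, most specific first."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(p), owner, cc) for p, owner, cc in ALLOCATIONS
            if addr in ipaddress.ip_network(p)]
    return sorted(hits, key=lambda h: h[0].prefixlen, reverse=True)


def geolocate(ip):
    """Best-effort 'location' of ip: the registrant of the narrowest matching
    netblock, how many addresses share that answer, and whether wider records
    disagree about the country (the re-sold-block problem)."""
    hits = matching_allocations(ip)
    if not hits:
        return {"ip": ip, "netblock": None, "owner": None, "country": None,
                "block_size": None, "conflicting_countries": []}
    net, owner, cc = hits[0]
    others = sorted({h[2] for h in hits[1:] if h[2] != cc})
    return {"ip": ip, "netblock": str(net), "owner": owner, "country": cc,
            "block_size": net.num_addresses, "conflicting_countries": others}


if __name__ == "__main__":
    for ip in ("198.51.100.7", "198.51.7.1", "192.0.2.1"):
        print(geolocate(ip))
```

The result for any address is a registrant and a block size (256 addresses here, 65,536 for the parent block), which is the ISP or hosting company's registered location, not a subscriber's street; and where records overlap the lookup has to pick one country and flag the disagreement, which is why commercial databases sometimes place an address in the wrong country entirely.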
© 2008 Max Stocker