Monday, September 5, 2011

IP Addresses - Evidence or Clue?

Any number of cases turn on IP addresses.  The question is: is the IP address associated with the computer evidence, or is it just a clue?  A recent child pornography case led investigators to the home of two gentlemen who were accused of downloading several hundred pornographic images from a file sharing site.  The normal response in most of these cases is "Oh, Some Other Dude Did It."  This case would appear to be easy: go get the owner's computer, do a forensic examination that shows child pornography residing on the hard drive, arrest the accused and charge him.  BUT WAIT!

  • How was the computer connected to the internet?
    • Directly to the router?
    • Through a wireless network?
  • If it was connected through the wireless, was it a secure or open network?
  • There were two individuals in the household that had access to the computer.
  • What was the version of Windows that was in use at the time? (It makes a difference.)
  • Were there different logins for each of the users?
    • Did they use them?
A motion picture company filed suit against thousands of file-sharers who allegedly exchanged copies of a movie.  The accused were identified by nothing more than their IP addresses.  So what's wrong with this picture? (Pun intended.)

  • How was the computer connected to the internet?
    • Was it a direct connection through the router?
    • Was it on a wireless network?
      • Was it a secured network or an open one?
  • What time of day were the files downloaded, and in which time zone was that time recorded?
  • Can the motion picture company prove that the files reside, or ever resided, on the accused's computer?
Here are a couple of examples of how things can go wrong:


A hotel receives a notification that it is one of the thousands of accused file-sharers.  It can pay a settlement of a couple of thousand dollars and be done with the issue, or fight it.  The hotel is not guilty of downloading the movies.  Its guests are, since they used the hotel's internet connection to download them.  The IP address pointed at the hotel's connection, not at any one guest.


A business receives the same notice regarding a movie downloaded from its IP address.  The business claims that it had an open wireless network (something its IT guy should never have allowed) and that the movies were downloaded during hours when the business was closed.  It adds that employees had seen several cars in the parking lot after hours with people inside using laptops.

I'm a bit suspicious about the cars in the parking lot downloading movies from an open network.  I would be more inclined to think that they were attempting to steal personal or business information.
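The checklist questions above (how was the computer connected, was it on an open wireless network, what time of day did the download happen) and the open-wireless business example all come down to the same lookup: take the public IP address and timestamp from the notice and find out which devices were actually behind that address at that moment.  The example below is added here to illustrate that lookup; it is not code from the original post or from Computer Forensics Northwest.  It uses constructed sample data throughout: the notice, the router's time zone, and a DHCP lease log in a made-up CSV layout (real routers and ISPs each have their own formats).  The point it makes is that the public IP resolves only to the router; the lease log is what turns that into a list of candidate machines, and when the network was open some of those candidates have no known owner at all.

```python
"""Map an abuse notice (public IP + UTC timestamp) onto the devices that were
behind that IP at the time, using a router's DHCP lease log.

All data below is constructed for illustration. The lease log layout is
hypothetical, not any vendor's real format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed: the kind of information an infringement/abuse notice carries.
# Notices are almost always stamped in UTC, which is why "what time of day"
# is only meaningful after converting to the router's local time.
NOTICE = {
    "public_ip": "203.0.113.45",
    "timestamp": "2011-08-14T03:17:22Z",
}

# Constructed: the router keeps its logs in US Pacific daylight time (UTC-7).
ROUTER_TZ = timezone(timedelta(hours=-7))

# Constructed DHCP lease log, hypothetical CSV layout, times in router local time:
# lease_start,lease_end,internal_ip,mac,hostname,interface
# Entries with an empty hostname are devices the owner never named or registered.
LEASE_LOG = """\
2011-08-13 18:02:11,2011-08-14 06:02:11,192.168.1.10,00:1a:2b:3c:4d:5e,DESKTOP-OFFICE,eth0
2011-08-13 19:45:00,2011-08-13 20:30:00,192.168.1.11,00:1a:2b:3c:4d:5f,LAPTOP-JANE,wlan0
2011-08-13 19:50:33,2011-08-14 01:10:02,192.168.1.12,a4:5e:60:aa:bb:cc,,wlan0
2011-08-13 20:11:09,2011-08-13 20:40:40,192.168.1.13,d8:a2:5e:11:22:33,,wlan0
2011-08-13 09:00:00,2011-08-13 17:30:00,192.168.1.14,c0:ff:ee:00:00:01,LAPTOP-BOB,wlan0
"""

UNNAMED = "(no hostname)"


@dataclass
class Lease:
    start: datetime
    end: datetime
    ip: str
    mac: str
    hostname: str
    iface: str

    @property
    def wireless(self) -> bool:
        # Convention assumed for the sample log: wlan* is the Wi-Fi side.
        return self.iface.startswith("wlan")


def parse_leases(text: str, tz: timezone) -> list:
    """Parse the hypothetical CSV lease log into timezone-aware Lease records."""
    fmt = "%Y-%m-%d %H:%M:%S"
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, ip, mac, host, iface = line.split(",")
        leases.append(Lease(
            datetime.strptime(start, fmt).replace(tzinfo=tz),
            datetime.strptime(end, fmt).replace(tzinfo=tz),
            ip, mac.lower(), host or UNNAMED, iface))
    return leases


def notice_time_local(notice: dict, tz: timezone) -> datetime:
    """Convert the notice's UTC timestamp into the router's local time."""
    t = datetime.strptime(notice["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return t.replace(tzinfo=timezone.utc).astimezone(tz)


def devices_behind_ip(notice: dict, leases: list, tz: timezone) -> list:
    """Every device that held a DHCP lease at the moment named in the notice.

    The public IP in the notice identifies the router, not a machine; this is
    the best the router's own records can do to narrow it down."""
    t = notice_time_local(notice, tz)
    return [lease for lease in leases if lease.start <= t <= lease.end]


def summarize(candidates: list) -> dict:
    """Counts a practitioner would put in the report: how many machines, how
    many on wireless, how many with no identifiable owner."""
    return {
        "devices": len(candidates),
        "wireless": sum(1 for c in candidates if c.wireless),
        "unidentified": sum(1 for c in candidates if c.hostname == UNNAMED),
    }


if __name__ == "__main__":
    leases = parse_leases(LEASE_LOG, ROUTER_TZ)
    local = notice_time_local(NOTICE, ROUTER_TZ)
    found = devices_behind_ip(NOTICE, leases, ROUTER_TZ)
    print(f"Notice time in router local time: {local:%Y-%m-%d %H:%M:%S}")
    for c in found:
        print(f"  {c.ip:<14} {c.mac}  {c.hostname:<15} {c.iface}")
    print(summarize(found))
```

Run against the sample data, the notice's 03:17 UTC becomes 20:17 local, and four devices held leases at that moment: one wired desktop, one named laptop, and two wireless devices with no hostname that nobody in the household or business may be able to account for.  The lease log alone cannot say which of the four made the connection; for that you need the router's or ISP's NAT connection log, if one was kept, and ultimately the forensic examination of the candidate machines.  Two caveats: confirm the router's clock and time zone before trusting the conversion, and preserve the lease log early, since most consumer routers drop it on reboot.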

There are a couple of points to this article.  The first is that IP addresses can be a great clue, and often connect the dots, so to speak.  But an IP address identifies an internet connection at a point in time, not a particular computer and not a particular person, so on its own it cannot be more than a clue.


The second point is that there are so many avenues to search that, without a competent computer forensic expert to assist, you may miss the real evidence.



Computer Forensics Northwest White Papers