July 01 2015
In the fight against cybercrime, records of who accessed accounts, from communication providers such as Facebook, Twitter, and Microsoft, can be critical in helping the Police track down who is responsible. This evidence is in the form of IP Addresses, each of which uniquely identifies an Internet connection. The Police must then ask the Internet Service Provider for the name and address of that subscriber.
This process is fairly straightforward, but each step introduces the opportunity for misinterpretation or even simple transcription errors. The Interception of Communications Commissioner’s Office (IOCCO) has reported that 17 serious errors were made in requests for individuals' communications data in 2014 (the report was covered by Sky News).
This comes as no surprise to KBC; we regularly see errors in critical IP Address evidence. When used properly, it can be compelling evidence of the physical location from where a cybercrime originated. But if mistakes are made, innocent people can end up in the crosshairs, and too often the evidence is simply accepted as correct. Often, the errors are typographical – the Police have mistyped the IP Address when asking the ISP for their customer details. Another common error is misunderstanding how IP addresses work and the importance of requesting IP details for the specific time of the offence; an IP address could be assigned to a different customer at any time. Also, could anyone else have accessed the accounts of interest?
It is sometimes misunderstood that an IP Address identifies the Internet connection, not the specific device. The errors noted by the IOCCO came to light when the computers were examined and no evidence of the alleged crime was found. But many cases are prosecuted on the IP evidence only, whether down to the perceived strength of this evidence or budgetary constraints. This means that errors may not come to light.
It could be critical to your case that the IP Address evidence is checked for errors from start to finish. Each stage of the process, from the initial evidence from the communication provider to the ISP IP lookups, produces documentary evidence that should be served on the defence (but usually isn’t unless you ask!). Keith Borer Consultants provides a service to review this information and provide you with a report. In addition, our Digital Forensic Investigators can examine any computers and other devices such as mobile phones or tablets, whether or not seized by the Police. This can help you build up a fuller picture to demonstrate your client was not the cybercriminal they are alleged to be.
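The stage-by-stage check described above can be expressed as a short script. This is an added example, not a Keith Borer Consultants tool: it compares the provider's log entry, the request sent to the ISP and the ISP's answer, and reports a mistyped address, a time that does not match the log, or an assignment period that does not cover the logged time. The `Stage` record, the sample documents and the handling of time zones (which the article does not discuss) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

UTC = timezone.utc

@dataclass
class Stage:
    """One document in the chain: the IP it names and the period it covers."""
    name: str
    ip: str
    start: datetime  # must be timezone-aware
    end: datetime    # equal to start for a single log entry or request

def check_chain(provider: Stage, request: Stage, isp: Stage) -> list:
    """Return discrepancies between the log, the request and the ISP answer."""
    for s in (provider, request, isp):
        if s.start.tzinfo is None or s.end.tzinfo is None:
            return [f"{s.name}: timestamp has no time zone, cannot be compared"]
    findings = []
    logged_ip = ip_address(provider.ip)
    for s in (request, isp):
        if ip_address(s.ip) != logged_ip:
            findings.append(f"{s.name}: IP {s.ip} differs from logged {provider.ip}")
    if request.start != provider.start:
        gap = abs(request.start - provider.start)
        findings.append(f"{request.name}: time differs from the log by {gap}")
    if not (isp.start <= provider.start <= isp.end):
        findings.append(f"{isp.name}: assignment period does not cover the logged time")
    return findings

# Constructed sample documents (RFC 5737 documentation addresses, invented times).
LOGGED = datetime(2014, 3, 30, 1, 30, tzinfo=UTC)
PROVIDER = Stage("provider log", "203.0.113.57", LOGGED, LOGGED)
# Request with two transposed digits and the time entered as UTC+1.
TYPED = datetime(2014, 3, 30, 1, 30, tzinfo=timezone(timedelta(hours=1)))
BAD_REQUEST = Stage("police request", "203.0.113.75", TYPED, TYPED)
BAD_ISP = Stage("ISP response", "203.0.113.75",
                datetime(2014, 3, 29, 22, 0, tzinfo=UTC),
                datetime(2014, 3, 30, 1, 0, tzinfo=UTC))
GOOD_REQUEST = Stage("police request", "203.0.113.57", LOGGED, LOGGED)
GOOD_ISP = Stage("ISP response", "203.0.113.57",
                 datetime(2014, 3, 29, 22, 0, tzinfo=UTC),
                 datetime(2014, 3, 30, 6, 0, tzinfo=UTC))

if __name__ == "__main__":
    for line in check_chain(PROVIDER, BAD_REQUEST, BAD_ISP):
        print(line)
```

In the constructed bad chain the ISP's answer is internally consistent with the request as typed, so the error only shows when every document is compared back to the provider's original log entry.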
Author
Ross Donnelly
BSc (Hons), CFCE, CAWFE, ICMDE