
Return to University of Delaware Police cyber crime help home page
If that Internet crime complaint comes to you on tomorrow’s shift, could you
handle the complaint and solve the problem for the victim?
Increasingly, officers in agencies across the country are being
asked to deal with complaints from citizens about crimes committed against them
by others who have discovered how to victimize people over the Internet.
If one of these complaints should come your way on shift tomorrow,
like any other officer, you will want to engage the bad guy, question him, and
arrest him if you can. You will NOT want to have to tell the victim that you may
not be able to help because this is NOT what you have been trained to do.
So let’s train you! Let’s review the problems you are
likely to encounter, and explore a few ways to solve these problems for our
Internet victims, who just discovered that you, their local officer, now have a
worldwide beat.
Some Internet problems that might come your way
What the victim brings to your attention might be an e-mail or a newsgroup
posting. The problem with e-mails and newsgroup postings is that people can
easily become offensive or even criminal in them. It is easy to attach vivid
images of child pornography to a posting or an e-mail, for example, or to post
a threat to a person’s life.
Chat rooms have their own problems, some of which are difficult for
someone with little Internet experience to understand. Some of the most
disgusting goings-on include pedophiles lurking in children's chat channels and
children stumbling into adult-related chats.
What can I do?
Your initial reaction might be to try and find another officer who
knows more about the Internet. Don't do it! Stay calm, stay focused, and try to
work it yourself.
Why? Because you are about to embark on a journey into little-known
territory that will undoubtedly help you increase your skills.
While you might think this is too technical for you, Internet
investigations are NOT rocket science. Sticking
to the basics and what you already know, all you have to do is look at the
complaint and see if you think an offense has been committed. If the answer is,
“yes,” then there is only one question left to answer:
Who did it?
As with most police work, you know what has happened and to whom.
All you need to do now is find out who did it - and prove it.
Generally, your investigation will start from one of three points: an e-mail
address, a web address, or an IP address.
e-mail address - sbunting@udel.edu
web address – http://copland.udel.edu/~sbunting/
or http://128.175.13.92/~43253/
(the latter names the same machine by its IP address instead of its domain
name; copland.udel.edu and 128.175.13.92 are two names for one host)
IP address - 128.175.13.92 (IP address of copland.udel.edu)
Record both forms when you see them, together with the date and time you
looked the name up: a domain name can be pointed at a different address
tomorrow, and one address can host many sites for many users.
E-mail address
If the complaint involves an e-mail or newsgroup posting, yes, you
need a printed copy of it. But you also need a digital copy of what’s on the
victim’s machine, because only there can you view what is called the
“extended header,” the part of the message that records the IP address it was
sent from.
That IP address, together with the date, time and time zone of the message,
is what your search warrant or subpoena to the Internet service provider will
cite, and it is the provider’s records that eventually disclose the name and
address of the person who was using that account at that moment. Bear in mind
that for web-based mail the address in the header is often the provider’s own
server rather than the sender’s computer; the provider’s logs then supply the
missing step.
If you can’t physically sit at the victim’s machine to look at
the extended header, you will have to talk the victim through on the phone or by
Internet e-mail on how to do this, then have the victim print or e-mail you the
offending e-mail with the extended headers “revealed.”
However, if you can respond to the scene and look at the victim’s
computer, get that “digital copy” of the evidence using the instructions in
the chart below. The chart gives simple instructions on dealing with a variety
of different e-mail programs to reveal the extended headers.
Once you see the extended header on the screen, use Ctrl+A to select all the
text, Ctrl+C to copy it, then open Notepad (plain text is better than Word
here: Word re-wraps lines, changes quotation marks and adds its own metadata)
and press Ctrl+V to paste it there. Then save that file to your floppy. That
is your digital evidence. Better still, if the mail program can save the whole
message as a file, save it that way too, so the header is preserved exactly as
received. You can print out a working copy, if you wish, but you will want to
place the floppy into evidence, as it contains the IP address that will lead
you to your suspect.
What is an IP address?
The reason you need a digital copy as well as a printout is that even when
someone has gone to some lengths to hide their identity, there is often a clue
left behind in the header: the “IP address.” IP stands for Internet Protocol,
and an IP address identifies a computer (strictly, a network connection) on
the Internet at a given moment. It takes the form of a dotted-quad number,
four numbers from 0 to 255 separated by dots, something like 128.175.13.92.
Many providers hand these addresses out dynamically, so the same number can
belong to different customers at different times; that is why the date and
time matter as much as the number itself.
What is a header?
It is the block of text at the top of every e-mail message that records
where the e-mail came from and how it reached its destination. Each mail
server the message passes through adds a “Received:” line of its own, so the
header contains the e-mail address of the originator and the names and
addresses of the computers the message travelled through, including the one
the perpetrator was using.
Here is what a typical header looks like. What you are looking for in the
header is the IP address, sometimes conveniently labelled “Originating IP” or
“X-Originating-IP.”
We can trace and track someone by sending a search warrant to the
Internet service provider (ISP) with the date and time of the offending e-mail,
along with the IP address of the bad guy's computer. In the example below the
IP addresses are the dotted-quad numbers in square brackets.
From - Mon Mar 19 08:17:17 2001
Return-Path: <wHargrove@newarkpd.state.de.us>
Received: from otma1.otm.state.de.us (votma1.state.de.us [167.21.1.115])
by copland.udel.edu (8.9.3/8.9.3) with ESMTP id NAA06271
for <sbunting@udel.edu>; Thu, 15 Mar 2001 13:10:40 -0500 (EST)
Received: from deljismail1.state.de.us (imail.deljis.state.de.us [172.20.66.11])
by otma1.otm.state.de.us (8.11.0/8.11.0) with ESMTP id f2FIA7t28739
for <sbunting@udel.edu>; Thu, 15 Mar 2001 13:10:07 -0500 (EST)
Received: from newarkpd.state.de.us [172.20.132.102] by deljismail1.state.de.us with ESMTP
(SMTPD32-5.05) id A8B32701AE; Thu, 15 Mar 2001 13:23:47 -0500
Received: by NEWARKPD with Internet Mail Service (5.5.1960.3)
id <FY66DSJT>; Thu, 15 Mar 2001 13:08:29 -0500
Message-ID: <777ED2AC6510D311BBB50000D11CB450167AAD@NEWARKPD>
From: William Hargrove <wHargrove@newarkpd.state.de.us>
To: "Steve Bunting (E-mail)" <sbunting@UDel.Edu>
Subject: good morning
Date: Thu, 15 Mar 2001 13:08:28 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
X-Mozilla-Status: 8003
X-Mozilla-Status2: 00000000
Which of the IP addresses above should you trace? Read the “Received:”
lines from the bottom up: the bottom one was added first, closest to the
sender, and each server above it added its own line as the message travelled
towards the victim. Two cautions apply. First, the bottom lines were written
by the sender’s side of the path and can be forged; only the line added by the
victim’s own server (here copland.udel.edu, the top “Received:” line) is
certain, and each line below it is only as trustworthy as the server that
wrote it. Second, the address nearest the sender here, 172.20.132.102, is a
private address (the 10.x.x.x, 172.16.x.x through 172.31.x.x, and 192.168.x.x
ranges are reserved for internal networks and are not routable on the
Internet), so no ISP or registry can resolve it for you. The first public
address on the path is 167.21.1.115, the state’s mail gateway as recorded by
copland.udel.edu; that is the address to look up, and its operator’s logs are
what map the internal address back to a user.
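As an added example (not part of the original page), the following Python script applies the reading above to the sample header: it splits the “Received:” chain into hops, puts them in delivery order, converts every timestamp to GMT/UTC for the subpoena, flags private addresses that no registry can resolve, and points out clock skew between servers. The sample message is the page’s own header, trimmed; the function and variable names are this example’s, not the page’s.

```python
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample for this example: the Received: chain from the header
# shown above, trimmed to the fields that matter. Not a live capture.
SAMPLE = """\
Return-Path: <wHargrove@newarkpd.state.de.us>
Received: from otma1.otm.state.de.us (votma1.state.de.us [167.21.1.115])
\tby copland.udel.edu (8.9.3/8.9.3) with ESMTP id NAA06271
\tfor <sbunting@udel.edu>; Thu, 15 Mar 2001 13:10:40 -0500 (EST)
Received: from deljismail1.state.de.us (imail.deljis.state.de.us [172.20.66.11])
\tby otma1.otm.state.de.us (8.11.0/8.11.0) with ESMTP id f2FIA7t28739
\tfor <sbunting@udel.edu>; Thu, 15 Mar 2001 13:10:07 -0500 (EST)
Received: from newarkpd.state.de.us [172.20.132.102] by deljismail1.state.de.us with ESMTP
\t(SMTPD32-5.05) id A8B32701AE; Thu, 15 Mar 2001 13:23:47 -0500
Received: by NEWARKPD with Internet Mail Service (5.5.1960.3)
\tid <FY66DSJT>; Thu, 15 Mar 2001 13:08:29 -0500
From: William Hargrove <wHargrove@newarkpd.state.de.us>
To: sbunting@udel.edu
Subject: good morning
Date: Thu, 15 Mar 2001 13:08:28 -0500

good morning
"""

IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: value into the fields an investigator needs.

    The bracketed address was recorded by the *receiving* server for the
    connection it accepted; the name after 'from' is only what the
    connecting machine claimed about itself.
    """
    v = " ".join(value.split())  # undo header folding across lines
    ip = IP_LITERAL.search(v)
    by = re.search(r"\bby\s+(\S+)", v)
    frm = re.search(r"\bfrom\s+(\S+)", v)
    when = None
    if ";" in v:  # the timestamp follows the last semicolon
        try:
            when = parsedate_to_datetime(v.rsplit(";", 1)[1].strip())
            if when.tzinfo is None:  # "-0000" means the zone is unknown
                when = when.replace(tzinfo=timezone.utc)
            when = when.astimezone(timezone.utc)  # one clock for the request
        except (TypeError, ValueError):
            when = None
    return {
        "from": frm.group(1) if frm else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "utc": when,
    }


def trace_hops(raw_message):
    """Return the Received: chain in delivery order, origin first.

    Each server prepends its own line, so the header reads destination to
    origin from the top; reversing it gives the path the message took.
    """
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    for hop in hops:
        try:
            addr = ipaddress.ip_address(hop["ip"]) if hop["ip"] else None
        except ValueError:
            addr = None
        hop["public"] = addr is not None and addr.is_global
    return hops


def first_public_ip(hops):
    """The earliest routable address on the path: the one ARIN or RIPE can
    map to a provider. Private (RFC 1918) addresses are skipped; they mean
    something only to the network that assigned them."""
    for hop in hops:
        if hop["public"]:
            return hop["ip"]
    return None


def clock_skew(hops):
    """Servers whose timestamp is later than the next hop's.

    Mail server clocks drift. A hop stamped after its successor is a sign to
    ask the provider for a window around the time, not an exact second.
    """
    return [
        a["by"]
        for a, b in zip(hops, hops[1:])
        if a["utc"] and b["utc"] and a["utc"] > b["utc"]
    ]


if __name__ == "__main__":
    path = trace_hops(SAMPLE)
    for hop in path:
        print(hop["utc"], hop["from"], "->", hop["by"], hop["ip"],
              "(public)" if hop["public"] else "")
    print("address to look up:", first_public_ip(path))
    print("clocks to distrust:", clock_skew(path))
```

Run against the sample, the script lists four hops, reports 167.21.1.115 as the only address worth a registry lookup, and flags deljismail1.state.de.us, whose clock stamped the message some thirteen minutes after the server that received it from there: a reminder to ask for log entries in a window around the time rather than at the second.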
Revealing extended headers in different e-mail programs
Keep the chart below on a floppy in your patrol briefcase, or send it to your victim by e-mail if you need to coach them through the process of looking for extended headers.
E-mail program and instructions for locating the extended headers:

Eudora Pro
· Click on the message in the inbox and highlight it.
· Double click on the message to open it.
· The message is now fully opened, but still does not reveal full header information. Double click on the "Blah, Blah" button to reveal the header (it should be just to the left of the "subject" box).
· Ctrl+A to select the text in the full header.
· Ctrl+C to copy the text.
· Go to your e-mail program and send a message to sbunting@udel.edu, and paste your message header (Ctrl+V) into the body of this message.

Outlook Express
· Highlight the inbox to see the mail messages.
· Highlight the offending e-mail.
· With the mail highlighted, go to File/Properties.
· In the Properties box, go to the Details tab; it displays the full header.
· Press "Message Source." A new box appears with the complete e-mail message; open the window up fully.
· In this view you can copy/paste the message to a text document, print it, or send it to an investigator.
· Ctrl+A to select the text in the full header.
· Ctrl+C to copy the text.
· Go to your e-mail program and send a message to sbunting@udel.edu, and paste your message header (Ctrl+V) into the body of this message.

Netscape Mail
· Pull down the "View" menu.
· Choose View/Headers/All. By default, Netscape headers are set to Normal.
· See the copy/paste routine above to either save the header, print it, or e-mail it to law enforcement.

Hotmail (web-based e-mail)
· After logging in, your inbox is displayed. Double click on a message to view it. You will then see the message with no header information.
· Click on "Options."
· Click on "Preferences."
· Under Message Headers choose "Advanced," then "OK." Full header information is now displayed.
· Copy/paste into an e-mail or a document, as explained above.

America Online
· Under "My AOL," go to "Preferences."
· Go to "Mail" in the Preferences box. Mail Preferences are now displayed.
· Click on "Use white mail headers."
· Full headers are displayed at the end of the message.
· Copy/paste into an e-mail or a document, as explained above.
If you run into an e-mail client that is not mentioned in the
chart, simply browse through the program’s menu until you find something that
sounds like one of the areas listed above, and you’ll likely find the extended
header.
More about that IP address…
The reason IP numbers are IMPORTANT is that there are tools available on
the Internet (whois and reverse DNS lookups, described below) that translate
these numbers into something approaching English. You may get a web address or
the details of an ISP, in which case you can send a search warrant and wait for
the fax back that tells you who your bad guy is.
You are likely to get an IP address in an inquiry relating to Internet
Relay Chat. People who “chat” can easily fake an e-mail address, but the IP
address is the one thing that can be relied upon, because it identifies the
connection the offender was using at the time of the offense. Be clear about
what it does and does not prove: it points to the account, and possibly the
household or office network, that held that address at that moment, not to
the hands on the keyboard. Establishing who was at the keyboard is ordinary
police work once the provider has named the account holder.
It is very important, once you have traced the IP address back to
the Internet Service Provider, to contact that provider as soon as possible. A
'chat' is live, and there are few records of it, as ISPs tend not to keep
records for very long (hours or possibly days). You will need to know the time
and date of the offense, and be careful with time zones (MST, EST, PDT, GMT,
etc.): state the zone explicitly, or convert to GMT, in every request, because
a one-hour slip puts a different customer on that address. Armed with this
information, the ISP should be able to identify which of their customers was
accessing the Internet via that address at that time.
If all you get on the bad guy is an e-mail address (no e-mail, no
extended headers), then your next step is to find out who it belongs to.
One way to do that is to look it up in “the book.” The Internet
contains white pages that are the Internet equivalent of the phone book. If the
address is not there, it doesn't necessarily mean that it doesn't exist, but
it's worth a try.
There is no one-stop-shop place to search for a person’s e-mail
address to try to come up with a name. Here are a few you can try to see if you
get a “hit:”
www.four11.com
www.bigfoot.com
www.whowhere.com
www.switchboard.com
www.iaf.net
www.freeality.com
http://techcrime.com/
www.copernic.com
…or
search by the key terms Teknion Tracker, a utility with numerous different ways
to search for bad guys on the Internet.
Tracing an e-mail address to an owner
Often, you can identify someone with as little as an e-mail
address. If that person you are investigating has ever posted to a newsgroup,
signed a guest book, participated in a mailing list or forum, chances are you,
the investigator, can find out a lot of information about your subject with just
an e-mail address. Here are some things that you can try:
1. Go to http://www.google.com,
click on Google Groups, then select Advanced Groups Search. Here,
you can search in one newsgroup, or search all newsgroups (thousands of them) by
words in the subject of the posting, by message ID, or by author.
Type the e-mail address that the subject is using in the AUTHOR box. This
should bring up any articles that he or she has posted. Pay close attention to
this because often the author who has posted an article looking for teen boys,
illegal weapons or drugs will have also posted a few months ago trying to sell a
VCR or some other item, and in this posting, he will have included a home
telephone number, or an indication of what city he lives in. You may also find
web page addresses, other e-mail addresses, an online resume, his work location,
or something that will help you identify him or her.
2. Go to the Alta Vista search engine, http://www.altavista.com
(or your favorite search engine)
and type in an e-mail address. This could show other places on the
Internet that he has posted something using that e-mail address. Again, you may
find a web page or some other important information.
3. If you do happen to find a web page, download it while you are
there because it can be changed or deleted at anytime. There are a number of
utilities you can use that will cache the web page with all its links intact so
that offline you can browse them more easily, and save the digital evidence as
you found it.
4. Go to www.freeality.com
and do a reverse e-mail search, which could pop the subject’s real name. You
can also use this site to do other searches such as reverse phone number
searches and address searches.
5. If you would just like to know where the subject’s ISP
(Internet Service Provider) is located, go to Internic.com and type in the
domain name of the web site or e-mail address. It will tell you whom that domain
is registered to. Note that this identifies the organization that registered
the domain name, not the individual user, so it will not be of much help if the
subject has a nationwide ISP such as AOL, Compuserve, Earthlink or Prodigy.
You can also go to ARIN (the American Registry for Internet Numbers
– www.arin.net) and use the whois query tool there to search an IP address you
found in an extended header. The registry tells you which organization was
allocated the block of addresses containing yours, and that organization is
the one to serve with your subpoena or warrant. If it’s possible your suspect
lives overseas or is operating from the U.S. but using an overseas ISP, use the
European whois site maintained by RIPE; an ARIN lookup on an address it does
not manage will say so and name the registry that does.
6. Go to www.search.com, a
“meta” search engine, and type in a name or an e-mail address. If that
e-mail address has been used to post anything to the Internet, you should get
some hits.
Mail server logs - Each message passing through a mail server is
generally logged automatically. Time of retention for logs varies from site to
site, as they take up space on computers.
Access logs - Use of an IP address is generally
logged by access providers. Again, the time of retention for logs varies from
site to site, as they take up space on computers.
The key is to request the information as soon after the event
as possible. Otherwise, the offline backup practices of the site will determine
availability of the information.
Given an IP address and a time stamp (with its time zone), most
providers or sites can find the end user who was using the IP address at that
specific time.
Knowing who to ask can save valuable time and ensure availability
of accurate information. You can find an up-to-date, accurate list of ISP
contacts at http://www.infobin.org/cfid/isplist.htm.
Warrants, court orders or subpoenas are typically required to
release exact End-user information to law enforcement officials. These requests
should contain the IP address and a time stamp including time zone.
For e-mail investigations, providing the full e-mail headers is
very helpful.
Try changing the e-mail address to a web address, knock out the
xxxxx@ and replace it with www. You could well find the web site of the user or
their service provider. If you know the service provider, you can approach them
for customer details.
Does your target have a web page?
If you have an e-mail address for your target, there is a chance
that he or she could have a web page that could give you more information about
the subject. Here are some things that may help you find their web page:
1. If you have an e-mail address of a person such as badguy@hisplace.com,
you could check for it by going to http://www.hisplace.com/~badguy . Of course
you would replace the word hisplace with the name of the ISP he is using and
the word badguy with his username. The ~ character (found in the upper left
hand side of your computer keyboard) marks a personal directory on a shared
server, so a page at such an address was likely put up by an individual user,
not by the organization that runs the server.
2. Here are some places that you can look for a home page:
If the person is using AOL, try going to http://members.aol.com/username.
Be sure to replace the word “username” with his or her screen name, or use
the “Find” box here to search by screen name. Teknion Tracker, mentioned
earlier, also has a specialty area to search AOL web pages.
If the person is using an ATT account (user@worldnet.att.net) you
can find out if he has a home page by going to: http://home.att.net/ and search
for a member page or try http://home.att.net/~username. Remember to replace the
word “username” with the actual username of your suspect.
If the person is using an Earthlink (user@earthlink.net) you can find out if he has a home page
by going to http://www.earthlink.net,
and searching by username. Other national ISP accounts work pretty much the same
way.
3. Once you do find a web page, you may want to check the
“source.” Sometimes you'll find real name information in the top part of the
HTML code. With your mouse, right click in the center of the page and go down to
VIEW PAGE SOURCE. If there is any personal information, it will be included in
the META TAGS near the top. Some bad guys will also occasionally place passwords
or instructions to operatives and co-conspirators in the HTML coding, then alert
them to come retrieve that information at a certain time and day, leaving law
enforcement none the wiser. So you might want to check this area for unusual
information.
A lot of the HTML coding will look like gibberish to you, but scan
through it anyway. Not everything that appears in the source code appears on the
screen, and it may be that, intentionally or otherwise, the author has left some
clues in there. A simple example is that if the subject wanted to send a covert
message to someone, he could hide the message in the page by making the text the
same color as the background. The message would be unreadable when viewing the
page itself but clear as day in the source code.
You can also detect other things.
Some of the code will give you a clue as to what software program and
therefore what type of computer the offender was using, his geographic location,
etc.
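As an added example (not from the original page), here is a small Python scanner for the things the section above tells you to look for in page source: the META tags near the top (author, description and the “generator” tag that names the software the page was made with), HTML comments, and text the browser does not show because its colour matches the page background or it is styled invisible. The sample page is constructed for the example; the class and function names are the example’s own.

```python
import re
from html.parser import HTMLParser

# Constructed page for this example (not a real site): author details in
# META tags, a note left in an HTML comment, text coloured to match the
# background, and text styled invisible. None of the last three shows on
# screen; all of them are plain to see in the source.
SAMPLE_HTML = """<html><head>
<meta name="author" content="J. Doe">
<meta name="generator" content="Microsoft FrontPage 4.0">
<meta name="description" content="my home page, Wilmington DE">
<title>Welcome</title></head>
<body bgcolor="#FFFFFF">
<p>Nothing to see here.</p>
<!-- drop at the usual place, Friday 9pm -->
<font color="#FFFFFF">meet at pier 7 after dark</font>
<span style="display: none">backup phone 555-0100</span>
</body></html>"""

VOID_TAGS = {"meta", "br", "img", "hr", "link", "input"}  # never have a body


class SourceScanner(HTMLParser):
    """Collect what the browser does not render: META tags, comments, and
    text whose colour matches the background or that is styled invisible."""

    def __init__(self):
        super().__init__()
        self.meta = {}
        self.comments = []
        self.hidden_text = []
        self._background = None
        self._open = []  # (tag, hides_its_text) for every open element

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name") and a.get("content"):
            self.meta[a["name"].lower()] = a["content"]
        elif tag == "body":
            self._background = a.get("bgcolor", "").lower()
        if tag not in VOID_TAGS:
            self._open.append((tag, self._hides_text(a)))

    def handle_endtag(self, tag):
        for i in range(len(self._open) - 1, -1, -1):  # close nearest match
            if self._open[i][0] == tag:
                del self._open[i:]
                break

    def handle_data(self, data):
        text = data.strip()
        if text and any(hidden for _, hidden in self._open):
            self.hidden_text.append(text)

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def _hides_text(self, a):
        """True when an element's own text would be invisible on screen."""
        color = a.get("color", "").lower()
        style = a.get("style", "").replace(" ", "").lower()
        if self._background and (
            color == self._background
            or re.search(r"(^|;)color:" + re.escape(self._background), style)
        ):
            return True
        return "display:none" in style or "visibility:hidden" in style


def scan_source(html):
    """Return the META tags, comments and hidden text found in page source."""
    p = SourceScanner()
    p.feed(html)
    p.close()
    return {"meta": p.meta, "comments": p.comments, "hidden": p.hidden_text}


if __name__ == "__main__":
    for section, found in scan_source(SAMPLE_HTML).items():
        print(section, found)
```

The scanner only sees what is in the HTML itself; text hidden by a style sheet in a separate file, or written by a script, needs the same check applied to those files. Save the page source you scanned alongside the results, since the page can be changed or removed at any time.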
How do I trace a web address?
Again, finding a bad guy’s web site, then tracing it, are NOT
rocket science. Get on the Internet and go to the site. Most sites contain
details of the owner’s life, hobbies, interests, location, phone and the like.
If the site does not contain the owner's details, it may provide some clue as to
whom you are dealing with and where in the world they might be.
Go to the Multiple DNS lookup engine at http://www.bankes.com/nslookup.htm
and type in your web page address. It will tell you the ISP to contact.
Officer safety tips
If you are undercover on the Internet, make sure that you stay
undercover and pay attention to what the target asks you to do. One little slip
up can blow a case very quickly. Here are some things to look out for:
1. If your suspect happens to give you any hyperlinks to follow, be
sure that you use *ONLY* the account that you have created for your undercover
work. If you happen to be at home or somewhere else and must go to an unknown
hyperlink, go to http://www.anonymizer.com/ and learn how to surf anonymously on
the web, which protects your cover and conceals your browsing to outside prying
eyes.
2. If your suspect asks you to type a certain type of document and
attach it to an e-mail to send it, use caution! The person downloading it can
open it up in MS Word, check the “properties” and find the name that was
entered when Word was installed – your real name. Check the properties
yourself before sending and clear the author fields, or type the document only
on the machine dedicated to your undercover account.
3. DO NOT send e-mail from anywhere other than your undercover
account even if you change the configuration of the software. The headers will
show what ISP the e-mail came from. Try it out first by sending e-mail to
yourself.
4. If you are using an
http://www.hotmail.com
or http://www.yahoo.com web-based e-mail account, make sure that you sign completely out
every time or someone can log in and read your e-mail.
The bottom line…
The Internet is the biggest information resource ever devised, and,
curiously, the biggest and best source of information about the Internet is the
Internet itself. But how do you learn to use it? Easy.
Get on the Internet and play with it. Find its limits, make a few
mistakes, stumble along.
Eventually, you’ll have an arrest resulting from your
efforts, and that will only encourage you.
Have fun with it!
Investigative sites on the Internet to help you with your investigations:
Worldwide Web Search Engines
http://www.amdahl.com/internet/meta-index.html
Multiple DNS Lookup Engine
eAmnesia.com – domain search, reverse IP lookup, traceroute
ARIN whois – For U.S. Enter an IP address, find out who the
Internet Service Provider is to send subpoena/search warrant
RIPE whois – For Europe. Enter
an IP address, find out who the Internet Service Provider is to send
subpoena/search warrant
SYSTRAN - translate home pages to English (You might have to query a
Russian or Egyptian ISP!)
CYBERKIT – trace e-mail and web sites
ASK JEEVES – ask this l’il guy a question about anything!
Freeality – e-mail and
phone reverse lookup site (comprehensive)
Copernic – Free meta search engine; very useful
Docusearch – An investigator’s dream!
TechCrime – Glenn Lewis’ Internet investigative sites – mighty
handy!
Teknion Tracker – A multi-purpose search tool that has a lot to offer! Search
for it by using your favorite search engine.