MAC Address to track an Email?

(@Anonymous)
Posts: 0
Guest
Topic starter
 

I have a lawyer who wants me to document the MAC address of every digital device in his client's home at a specific point in time. The client is accused of sending an email that contained a violent threat to a sitting judge and the judge is taking action.

The client denies sending the email and insists that it was really her ex-husband using her gmail account when he arrived to pick up the kids for visitation.

Both the client and the ex-husband own laptops, tablets, and smart phones capable of sending the alleged email.

Further, the ISP is telling the lawyer that they can "see" and retain the MAC addresses for any connected device downstream of the modem they provide to the client and also downstream of the client's router and subsequently they claim to have a record of the MAC address from which the alleged email was sent.

This is new to me. Of course I know that the local router sees the MAC addresses but I did not know that any ISP could see, gather, retain, and use that data in such a way.

I am not sure that I believe them.

What do you think?

FYI… This is taking place in the Independent Nation of Texas, formerly part of the USA.

Thank you.

 
Posted : 24/11/2013 7:16 am
(@athulin)
Posts: 1156
Noble Member
 

Further, the ISP is telling the lawyer that they can "see" and retain the MAC addresses for any connected device downstream of the modem they provide to the client and also downstream of the client's router and subsequently they claim to have a record of the MAC address from which the alleged email was sent.

This is new to me. Of course I know that the local router sees the MAC addresses but I did not know that any ISP could see, gather, retain, and use that data in such a way.

So what exactly is the device (the 'modem')? Is it a plain DSL modem? Or perhaps nothing but a LAN switch, connected to an apartment house LAN? In that case, there is usually some kind of Ethernet-based 'logon' (PPPoE), which may expose the MAC address. Or, without a logon, all DHCP requests are probably served by the ISP, in which case they also see all MAC addresses, and know the IP addresses associated with them.

Or is it a DSL modem+router that does its own DHCP serving? If so, is it a device owned and managed by the user or by the ISP? The latter is a technical possibility, especially if the ISP provided the router in the first place. In that case, the router could (again, technically speaking) cooperate with the ISP to document the number of different devices on the LAN (the MAC addresses), for example by keeping DHCP logs for X months in case the question of number of connected devices ever arises.

But if it is a router, and it was bought and set up independently … I'd probably not believe the claim without checking the configuration closely.

 
Posted : 24/11/2013 1:41 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

FYI… This is taking place in the Independent Nation of Texas, formerly part of the USA.

AFAIK everything in Texas is bigger (or taller), same could apply to the story of the ISP ;)

Seriously, it greatly depends, as athulin posted, on the actual devices/type of connection/subscription/service the ISP provides.
In theory MAC addresses should never "leave" the router (i.e. go "outside"), but some ISPs may well have access to the "inner" side of the router that may hold this kind of data.

Just as an example I do have in one office a connection through a "HAG" (Home Access Gateway) that carries both internet traffic and VoIP (connected to a "normal" PBX), which is "completely" managed by the ISP, with no possible access from "my side", but the WiFi is managed through a separate ethernet router and DHCP server, so all the ISP can "see" (possibly) is the MAC of the router (actually only the MAC of the "outbound" ethernet card in it), and certainly not the MACs of devices hooked to the WiFi.

jaclaz

 
Posted : 24/11/2013 9:04 pm
(@questnz)
Posts: 34
Eminent Member
 

Surely as already said, it is very unlikely the ISP would have the actual MAC and IP address if the device was behind the router's NAT (and, I assume, DHCP) unless they (the ISP) manage the device. Then someone has to prove who used the device. The ISP is bluffing.

 
Posted : 25/11/2013 3:44 am
(@Anonymous)
Posts: 0
Guest
Topic starter
 

Thank you all for replying.

My first step will be to determine the nature of the device supplied to the client by the ISP.

If it is a DSL MODEM/ROUTER all in one box then perhaps they can see the MAC addresses.

If the client supplied her own router for attachment to ISP's DSP box then I will be skeptical.

And as the last guy said just knowing which device is the guilty device does not make anyone guilty of sending the email in question. After all the victim and suspect STILL live in the same house.

Makes me wonder why I do this for a living!!

Thank you again,

Mike

 
Posted : 26/11/2013 12:37 am
(@questnz)
Posts: 34
Eminent Member
 

Mike, here is the link to a webinar by Gary Kessler a few years ago about tracing IP addresses:
Tracing IP address.

 
Posted : 26/11/2013 1:15 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Makes me wonder why I do this for a living!!

Possibly the hours are good? ;)

http://fringe.davesource.com/Fringe/Entertainment/Books/HitchHikers_Guide_To_The_Galaxy/1.Screenplay.html

[Vogon Guard] Resistance is useless!
[Ford Prefect] Aw, give it a rest! Do you enjoy this sort of thing?
[Vogon Guard] What? What do you mean?
[Ford Prefect] I mean, does it give you a full, satisfying life?
[Vogon Guard] Full, satisfying life?
[Ford Prefect] Yeah, stomping around, shouting, pushing people off spaceships.
[Vogon Guard] Well, the hours are good!
[Ford Prefect] They'd have to be!
[Arthur Dent] Ford, what are you doing?
[Ford Prefect] Shh! So, the hours are good, are they?
[Vogon Guard] Yeah. But now you come to mention it, most of the actual minutes are pretty lousy. Except some of the shouting I quite like. RESISTANCE … !
[Ford Prefect] Sure, yes, you're good at that, I can tell. But if the rest of it is so lousy, why do you do it? The girls? The rubber? The machismo?
[Vogon Guard] Oh, I don't know, really. I think I just sort of … do it. You see, my aunt said that spaceship guard was a good career for a young Vogon, you know, the uniform, the low-slung stun-ray holster, mindless tedium.

… though I don't think you can have that much shouting….

:D

jaclaz

 
Posted : 26/11/2013 1:27 am
(@c-r-s)
Posts: 170
Estimable Member
 

Aside from a misapprehension on the part of the ISP, I see two ways to gather some circumstantial evidence:

1. The ISP uses a (today widespread) remote management solution (unusually) to retrieve switch and AP log files from the router device. This can be a client (router) initiated action, when connection changes occur, or only when new devices are recognized (an unauthorized user possibly connects for the first time).

2. IPv6 without privacy extensions.

The message itself might contain the IP of the end user device, which either can be associated with the client's MAC through the log files or is inherently "MAC specific", according to these two possibilities. The log files are bound to the message by the IP of the router device, which should show up in the header.
Second, but unlikely, a messenger software was used that generates unique message IDs from the client's MAC.

 
Posted : 26/11/2013 4:06 am
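
Added example, not part of the original posts: a Python sketch of the "IPv6 without privacy extensions" case mentioned above, where a SLAAC address built with modified EUI-64 carries the interface's MAC in its low 64 bits. The header lines, addresses and the function names `mac_from_eui64` and `macs_in_headers` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample headers (not from the thread); 2001:db8::/32 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_HEADERS = """\
Received: from [2001:db8:12:34:021a:2bff:fe3c:4d5e] by mail.example.org with ESMTPSA; Sun, 24 Nov 2013 07:01:02 -0600
Received: from [2001:db8:12:34:5c1f:9a07:33e2:81b4] by mail.example.org with ESMTPSA; Sun, 24 Nov 2013 07:05:09 -0600
Received: from [198.51.100.23] by mail.example.org with ESMTPSA; Sun, 24 Nov 2013 07:09:44 -0600
"""

# Address literals in Received headers are written in square brackets.
BRACKETED = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def mac_from_eui64(addr):
    """Return the MAC embedded in a modified EUI-64 IPv6 address, else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip.version != 6:
        return None                      # IPv4 carries no link-layer address
    iid = ip.packed[8:]                  # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":          # EUI-64 inserts ff:fe between the MAC halves
        return None                      # privacy-extension / random identifier
    # Undo the universal/local bit flip applied to the first MAC octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def macs_in_headers(headers):
    """Map each bracketed address in the headers to its recovered MAC (or None)."""
    return {a: mac_from_eui64(a) for a in BRACKETED.findall(headers)}


if __name__ == "__main__":
    for addr, mac in macs_in_headers(SAMPLE_HEADERS).items():
        print(f"{addr:40} -> {mac or 'no MAC recoverable'}")
```

A recovered value identifies the address an interface was using, which still has to be tied to a device and then to a person, as the other replies point out.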
(@Anonymous)
Posts: 0
Guest
Topic starter
 

You are right! The hours are good but it's the pay that sucks!

It was a combination DSL modem and router supplied to the client by the ISP. I wonder if they have a privacy policy? Why would they be looking at their customer's MAC addresses anyway?

Thank you all

Mike

 
Posted : 26/11/2013 6:30 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I wonder if they have a privacy policy? Why would they be looking at their customer's MAC addresses anyway?

I guess a line needs to be drawn *somewhere*.

Let Privacy alone 😯 , a MAC address is a number and nothing else, it cannot represent a "privacy" issue until you "couple" it to a given device and then (more difficult) tie the device to the individual "behind the keyboard".

I see a number of reasons why an ISP that provides the DSL/router may have access to the MACs of devices connected to the router that is provided together with a subscription, mainly for troubleshooting/issue solving commercial reasons (just as an example a given ISP contract may allow max - say - 8 devices connected if it is a "home" subscription).

What I find less probable is that the connections are logged, and that even if they are, the logs are stored and not deleted in a very short timeframe.

jaclaz

 
Posted : 26/11/2013 6:11 pm