±Forensic Focus Partners

±Your Account


Nickname
Password


Forgotten password/username?


Membership:
New Today: 0
New Yesterday: 1
Overall: 27316
Visitors: 53

±Follow Forensic Focus

Join our LinkedIn group

Subscribe to news

Subscribe to forums

Subscribe to blog

Subscribe to tweets

MAC Address to track an Email?

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page 1, 2, 3  Next 
  

MAC Address to track an Email?

Post Posted: Sat Nov 23, 2013 9:16 pm

I have a lawyer who wants me to document the MAC address of every digital device in his client's home at a specific point in time. The client is accused of sending an email that contained a violent threat to a sitting judge and the judge is taking action.

The client denies sending the email and insists that it was really her ex-husband using her gmail account when he arrived to pick up the kids for visitation.

Both the client and the ex-husband own laptops, tablets, and smart phones cape able of sending the alleged email.

Further, the ISP is telling the lawyer that they can "see" and retain the MAC addresses for any connected device downstream of the modem they provide to the client and also downstream of the client's router and subsequently they claim to have a record of the MAC address from which the alleged email was sent.

This is new to me. Of course I know that the local router sees the MAC addresses but I did not know that any ISP could see, gather, retain, and use that data in such a way.

I am not sure that I believe them.

What do you think?

FYI... This is taking place in the Independent Nation of Texas, formerly part of the USA.

Thank you.
_________________
"One of the best computers in the world sits directly in between your ears" 

DFORENSICS1
Newbie
 
 
  

Re: MAC Address to track an Email?

Post Posted: Sun Nov 24, 2013 3:41 am

- DFORENSICS1
Further, the ISP is telling the lawyer that they can "see" and retain the MAC addresses for any connected device downstream of the modem they provide to the client and also downstream of the client's router and subsequently they claim to have a record of the MAC address from which the alleged email was sent.

This is new to me. Of course I know that the local router sees the MAC addresses but I did not know that any ISP could see, gather, retain, and use that data in such a way.


So what exactly is the device (the 'modem')? Is it a plain DSL modem? Or perhaps nothing but a LAN switch, connected to a apartment house LAN? In that case, there is usually some kind of Ethernet-based 'logon' (PPPoE), which may expose the MAC address. Or, without a logon, all DHCP requests are probably served by the ISP, in which case they also see all MAC addresses, and know the IP addresses associated with them.

Or is it a DSL modem+router that does its own DHCP serving? If so, is it a device owned and managed by the user or by the ISP? The latter is a technical possibility, especially if the ISP provided the router in the first place. In that case, the router could (against, technically speaking) cooperate with the ISP to document the number of different devices on the LAN (the MAC addresses), for example by keeping DHCP logs for X months in case the question of number of connected devices ever arises.

But if is a router, and it was bought and set up independently ... I'd probably not believe the claim without checking the configuration closely.  

athulin
Senior Member
 
 
  

Re: MAC Address to track an Email?

Post Posted: Sun Nov 24, 2013 11:04 am

- DFORENSICS1
FYI... This is taking place in the Independent Nation of Texas, formerly part of the USA.

AFAIK everything in Texas is bigger (or taller) same could apply to the story of the ISP Wink .

Seriously, it greatly depends, as athulin posted, on the actual devices/type of connection/subscription/service the ISP provides.
In theory MAC addresses should never "leave" the router (i.e. go "outside"), but some ISP's may well have access to the "inner" side of the router that may hold this kind of data.

Just as an example I do have in one office a connection through a "HAG" (Home Access Gateway) that carries both internet traffic and VoIP (connected to a "normal" PBX), which is "completely" managed by the ISP, with no possible access from "my side", but the WiFI is managed through a separate ethernet router and DHCP server, so all the ISP can "see" (possibly) is the MAC of the router (actually only the MAC of the "outbound" ethernet card in it), and certainly not the MAC's of devices hooked to the WiFi.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: MAC Address to track an Email?

Post Posted: Sun Nov 24, 2013 5:44 pm

Surely as already said, very unlikely ISP would have actual MAC and IP address if the device was behind Routers NAT and assume DHCP unless they (ISP) manage the device. Then someone have to prove who used the device. ISP is bluffing.  

questnz
Member
 
 
  

Re: MAC Address to track an Email?

Post Posted: Mon Nov 25, 2013 2:37 pm

Thank you all for replying.

My first step will be to determine the nature of the device supplied to the client by the ISP.

If it is a DSL MODEM/ROUTER all in one box then perhaps they can see the MAC addresses.

If the client supplied her own router for attachment to ISP's DSP box then I will be skeptical.

And as the last guy said just knowing which device is the guilty device does not make anyone guilty of sending the email in question. After all the victim and suspect STILL live in the same house.

Makes me wonder why I do this for a living!!

Thank you again,

Mike
_________________
"One of the best computers in the world sits directly in between your ears" 

DFORENSICS1
Newbie
 
 
  

Re: MAC Address to track an Email?

Post Posted: Mon Nov 25, 2013 3:15 pm

Mike, here is the link to Webinar by Gary Kessler few years ago about tracing IP addresses,
Tracing IP address.  

questnz
Member
 
 
  

Re: MAC Address to track an Email?

Post Posted: Mon Nov 25, 2013 3:27 pm

- DFORENSICS1

Makes me wonder why I do this for a living!!

Possibly the hours are good? Wink

fringe.davesource.com/...nplay.html
[Vogon Guard] Resistance is useless!
[Ford Prefect] Aw, give it a rest! Do you enjoy this sort of thing?
[Vogon Guard] What? What do you mean?
[Ford Prefect] I mean, does it give you a full, satisfying life?
[Vogon Guard] Full, satisfying life?
[Ford Prefect] Yeah, stomping around, shouting, pushing people off spaceships.
[Vogon Guard] Well, the hours are good!
[Ford Prefect] They'd have to be!
[Arthur Dent] Ford, what are you doing?
[Ford Prefect] Shh! So, the hours are good, are they?
[Vogon Guard] Yeah. But now you come to mention it, most of the actual minutes are pretty lousy. Except some of the shouting I quite like. RESISTANCE ... !
[Ford Prefect] Sure, yes, you're good at that, I can tell. But if the rest of it is so lousy, why do you do it? The girls? The rubber? The machismo?
[Vogon Guard] Oh, I don't know, really. I think I just sort of ... do it. You see, my aunt said that spaceship guard was a good career for a young Vogon, you know, the uniform, the low-slung stun-ray holster, mindless tedium.


... though I don't think you can have that much shouting....

Very Happy

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
Reply to topicReply to topic

Share this forum topic to encourage more replies



Page 1 of 3
Go to page 1, 2, 3  Next