Ok, I'll admit I'm no expert in the field of networks or forensics here (hence the question), so apologies if I'm butchering any terms and making you roll your eyes. 😉
My wife got an alert over the weekend while we were out getting groceries that a new device had been used to log in on her work email. When we got home she checking from her computer and all her work email had been deleted (unknown at this time if any had been sent as well). When she reviewed the alert which tagged the new login with an IPv6 address it corresponded to the first 64bit (16 characters) of an IPv6 address used by a colleague that she's had some issues with at work (this based on emails she has received from said colleague recently which she had printed out that have the IP stamp embedded in the FROM details). Â
From my (very novice "I googled for an hour") understanding of IPv6, the first 48bit is the Global address, and the next 16bit is the subnet. The remaining 64bits are interface ID and will vary based on the device and when connected (the last 64 will vary dynamic each time a device is connected to the network). So, if I'm understanding this correctly, if the first 64bits (which includes the subnet) of the "culprit" match the IPv6 address of the colleague this should indicate that it was the colleague (well, someone who is connected to her wifi/home network) who maliciously logged in as my wife, correct?
If so, this should be enough "reasonable suspicion" to take to the boss. I think I am right, but given there's already tension with this colleague I wanted to have a little more certainty than my Google-inspired awareness before she presents any evidence/makes an accusation to the boss (for reference this is a small 8 person company so doesn't have an "IT department" she could go to that might be better equipped).
-Thanks