Asking for some help and direction reference an investigation involving unwanted access to an MSN email account.
Victim was recently divorced and had accessed his email account from ex's mother's home in the past. Evidently his username and password were saved on her computer due to checking "remember username and password."
The account was accessed and certain files relating only to the divorce were deleted which leads us to the person of interest obviously being the device where the username and password were saved. Victim narrowed the access time and date to within a week's time.
Subpoena was sent requesting all IPs that accessed this email account during the specified time frame. An IP (other than victim's) was revealed to be a Verizon router that was subsequently subpoenaed. Verizon supplied us with numerous pages of data regarding who accessed the (NAT?) router which looks to be that of an entire region of the southwest part of the country. We are in Tucson, AZ.
We subpoenaed the suspect's Verizon account for device and MAC address info to try to find it in the Verizon report which, again, returns to hundreds of users.
Any thoughts and advice on what we may be missing and/or where to go from here.
Thank you in advance for any ideas you may have.
-Eric.
Not at all an answer to your question, but being picky, I guess that it is needed anyway to separate facts from hypothesis
Facts
Victim was recently divorced and had accessed his email account from ex's mother's home in the past.
Basic hypothesis
Evidently his username and password were saved on her computer due to checking "remember username and password."
Basic further hypothesis
The same ex's mother's computer was used to unlawfully access the MSN account.
Alternative hypothesis #1
Victim had the password of that account scribbled on a piece of paper that he/she kept in first drawer of the desk or together with credit cards in wallet/purse and that may well have been accessed, at least once, by the ex.
Alternative hypothesis #2
Base hypothesis is correct but a software was used to extract/unencrypt/etc. the MSN account password making it available as plain text (and as such made re-usable by *any* computer connected to the internet)
In both alternatives the "basic further hypothesis" becomes then a mere possibility.
jaclaz
I must be missing something here, or the rules are different over there.
You have a single IP address that has accessed the email account which you suspect is the unauthorised access. Presumably if you have a single IP address you then also have the exact date and time this IP was accessing the email account?
If you have a single IP address, and exact date/time(s) and you know the ISP, their records should show which subscriber had that IP at that date/time.
At least that's been my experience in Australia.
You also said you subpoenaed the suspect's Verizon account details but this returned hundreds of users?? That doesn't make sense, if you get account records for a single person then you should only be seeing information relevant to them. Maybe I misunderstood what you meant there, but that seems unusual.
Of course if you only have a date range and you can't be more exact then you have a problem as it sounds like Verizon cycle their IP addresses between clients very frequently.
If your suspicion is that the email account was accessed from the mother-in-law's computer can you examine that computer for any evidence to support? Along the same line the home router may have logs showing the IP addresses that have been used to show linkage that way.
"You also said you subpoenaed the suspect's Verizon account details but this returned hundreds of users?? That doesn't make sense, if you get account records for a single person then you should only be seeing information relevant to them. Maybe I misunderstood what you meant there, but that seems unusual."
Can't go another route and see if you can subpoena records of the ex's ISP? They may have a log of access time to that mailbox, and it may fall within said range
"If your suspicion is that the email account was accessed from the mother-in-law's computer can you examine that computer for any evidence to support? Along the same line the home router may have logs showing the IP addresses that have been used to show linkage that way."
Regarding files on the computer - cookies, typed URLs, URL auto-complete, the URL cache…there can be an untold number of clues on the ex's mother's PC. Question is, you'd have to prove that the PC accessed the mailbox by matching the IP - and that relies on finding the IP in the first place. Am I following you?
"Can't go another route and see if you can subpoena records of the ex's ISP? They may have a log of access time to that mailbox, and it may fall within said range"
I thought that was what they had already done…I must have misunderstood the original post ?
"Subpoena was sent requesting all IPs that accessed this email account during the specified time frame"
This was sent to MSN/hotmail/Microsoft to get all IPs that accessed the account.
He then subpoenaed the suspect's ISP…for device and MAC address info?
What about
take the MS report of IPs accessing the mailbox within said date range
taking the Verizon report that would have suspect's IP address within same date range
And compare.
Possible?
"We subpoenaed the suspect's Verizon account for device and MAC address info to try to find it in the Verizon report which, again, returns to hundreds of users."
This is what I'm talking about. Verizon is the ISP so they would have a record of the subscriber who was assigned that particular IP address at any given date/time. However the OP said this report listed hundreds of user accounts which doesn't make sense.
Normally you would do one of two things in this case, ask Verizon for the subscriber details based on IP address (i.e. which customer was using that IP on a particular date/time)
OR
In cases where the exact date/time is unknown but you have the IP and a reasonable suspect, you ask for the full subscriber details of the suspect (as is indicated by the OP above) and this should include all IP addresses that have been allocated to that user account. You can then search through and locate the applicable IP address, assuming it is there.
I'm sort of waiting for the OP to come back and clarify.
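The comparison suggested in the thread (the mail provider's list of accessing IPs against the ISP's record of which subscriber held each address, and when), as an added example that is not from any poster. The record layouts, subscriber ids, addresses and timestamps are constructed, and the ISP report is assumed to be in local Arizona time (UTC-7) while the provider logs in UTC.

```python
from datetime import datetime, timedelta, timezone

# All records below are constructed for illustration (documentation IP ranges).
# Mail-provider report: (timestamp in UTC, source IP) for each account access.
ACCESS_LOG = [
    ("2013-03-04T02:15:30Z", "198.51.100.7"),   # victim's own address
    ("2013-03-05T18:40:02Z", "203.0.113.25"),
    ("2013-03-06T07:01:11Z", "203.0.113.25"),
    ("2013-03-07T03:00:00Z", "203.0.113.80"),
]
# ISP report: (subscriber id, IP, assigned from, assigned until), local time UTC-7.
ISP_ASSIGNMENTS = [
    ("SUB-A", "203.0.113.25", "2013-03-05T11:00:00-07:00", "2013-03-05T12:30:00-07:00"),
    ("SUB-B", "203.0.113.25", "2013-03-05T23:50:00-07:00", "2013-03-06T01:00:00-07:00"),
    ("SUB-C", "203.0.113.80", "2013-03-06T19:00:00-07:00", "2013-03-06T21:00:00-07:00"),
    ("SUB-D", "203.0.113.80", "2013-03-06T19:30:00-07:00", "2013-03-06T20:30:00-07:00"),
]

def to_utc(ts):
    """Parse an ISO 8601 timestamp and normalise it to UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def attribute(access_log, assignments, victim_ips=(), skew=timedelta(0)):
    """Return (timestamp, ip, [subscribers holding ip at that instant]) per access.

    An empty list means the ISP report has no matching assignment; more than one
    subscriber means the address was shared (e.g. behind NAT) and the timestamp
    alone cannot single out an account.
    """
    results = []
    for ts, ip in access_log:
        if ip in victim_ips:
            continue  # known-legitimate access, not of interest
        when = to_utc(ts)
        holders = sorted({
            sub for sub, assigned_ip, start, end in assignments
            if assigned_ip == ip
            and to_utc(start) - skew <= when <= to_utc(end) + skew
        })
        results.append((ts, ip, holders))
    return results

if __name__ == "__main__":
    for ts, ip, holders in attribute(ACCESS_LOG, ISP_ASSIGNMENTS, {"198.51.100.7"}):
        verdict = holders[0] if len(holders) == 1 else f"unresolved {holders}"
        print(ts, ip, verdict)
```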