MAC Address to track an Email?

 Anonymous

I have a lawyer who wants me to document the MAC address of every digital device in his client's home at a specific point in time. The client is accused of sending an email that contained a violent threat to a sitting judge and the judge is taking action.

The client denies sending the email and insists that it was really her ex-husband using her gmail account when he arrived to pick up the kids for visitation.

Both the client and the ex-husband own laptops, tablets, and smart phones capable of sending the alleged email.

Further, the ISP is telling the lawyer that they can "see" and retain the MAC addresses for any connected device downstream of the modem they provide to the client and also downstream of the client's router and subsequently they claim to have a record of the MAC address from which the alleged email was sent.

This is new to me. Of course I know that the local router sees the MAC addresses but I did not know that any ISP could see, gather, retain, and use that data in such a way.

I am not sure that I believe them.

What do you think?

FYI… This is taking place in the Independent Nation of Texas, formerly part of the USA.

Thank you.

Topic starter Posted : 24/11/2013 7:16 am
athulin
(@athulin)
Community Legend

Further, the ISP is telling the lawyer that they can "see" and retain the MAC addresses for any connected device downstream of the modem they provide to the client and also downstream of the client's router and subsequently they claim to have a record of the MAC address from which the alleged email was sent.

This is new to me. Of course I know that the local router sees the MAC addresses but I did not know that any ISP could see, gather, retain, and use that data in such a way.

So what exactly is the device (the 'modem')? Is it a plain DSL modem? Or perhaps nothing but a LAN switch, connected to an apartment house LAN? In that case, there is usually some kind of Ethernet-based 'logon' (PPPoE), which may expose the MAC address. Or, without a logon, all DHCP requests are probably served by the ISP, in which case they also see all MAC addresses, and know the IP addresses associated with them.

Or is it a DSL modem+router that does its own DHCP serving? If so, is it a device owned and managed by the user or by the ISP? The latter is a technical possibility, especially if the ISP provided the router in the first place. In that case, the router could (again, technically speaking) cooperate with the ISP to document the number of different devices on the LAN (the MAC addresses), for example by keeping DHCP logs for X months in case the question of number of connected devices ever arises.

But if it is a router, and it was bought and set up independently … I'd probably not believe the claim without checking the configuration closely.

Posted : 24/11/2013 1:41 pm
jaclaz
(@jaclaz)
Community Legend

FYI… This is taking place in the Independent Nation of Texas, formerly part of the USA.

AFAIK everything in Texas is bigger (or taller), same could apply to the story of the ISP ;) .

Seriously, it greatly depends, as athulin posted, on the actual devices/type of connection/subscription/service the ISP provides.
In theory MAC addresses should never "leave" the router (i.e. go "outside"), but some ISPs may well have access to the "inner" side of the router that may hold this kind of data.

Just as an example I do have in one office a connection through a "HAG" (Home Access Gateway) that carries both internet traffic and VoIP (connected to a "normal" PBX), which is "completely" managed by the ISP, with no possible access from "my side", but the WiFi is managed through a separate ethernet router and DHCP server, so all the ISP can "see" (possibly) is the MAC of the router (actually only the MAC of the "outbound" ethernet card in it), and certainly not the MACs of devices hooked to the WiFi.

jaclaz

Posted : 24/11/2013 9:04 pm
questnz
(@questnz)
Junior Member

Surely, as already said, it is very unlikely the ISP would have the actual MAC and IP address if the device was behind the router's NAT, assuming DHCP, unless they (the ISP) manage the device. Then someone has to prove who used the device. The ISP is bluffing.

Posted : 25/11/2013 3:44 am
 Anonymous

Thank you all for replying.

My first step will be to determine the nature of the device supplied to the client by the ISP.

If it is a DSL MODEM/ROUTER all in one box then perhaps they can see the MAC addresses.

If the client supplied her own router for attachment to ISP's DSP box then I will be skeptical.

And as the last guy said just knowing which device is the guilty device does not make anyone guilty of sending the email in question. After all the victim and suspect STILL live in the same house.

Makes me wonder why I do this for a living!!

Thank you again,

Mike

Topic starter Posted : 26/11/2013 12:37 am
questnz
(@questnz)
Junior Member

Mike, here is the link to a webinar by Gary Kessler a few years ago about tracing IP addresses,
Tracing IP address.

Posted : 26/11/2013 1:15 am
jaclaz
(@jaclaz)
Community Legend

Makes me wonder why I do this for a living!!

Possibly the hours are good? ;)

http://fringe.davesource.com/Fringe/Entertainment/Books/HitchHikers_Guide_To_The_Galaxy/1.Screenplay.html

[Vogon Guard] Resistance is useless!
[Ford Prefect] Aw, give it a rest! Do you enjoy this sort of thing?
[Vogon Guard] What? What do you mean?
[Ford Prefect] I mean, does it give you a full, satisfying life?
[Vogon Guard] Full, satisfying life?
[Ford Prefect] Yeah, stomping around, shouting, pushing people off spaceships.
[Vogon Guard] Well, the hours are good!
[Ford Prefect] They'd have to be!
[Arthur Dent] Ford, what are you doing?
[Ford Prefect] Shh! So, the hours are good, are they?
[Vogon Guard] Yeah. But now you come to mention it, most of the actual minutes are pretty lousy. Except some of the shouting I quite like. RESISTANCE … !
[Ford Prefect] Sure, yes, you're good at that, I can tell. But if the rest of it is so lousy, why do you do it? The girls? The rubber? The machismo?
[Vogon Guard] Oh, I don't know, really. I think I just sort of … do it. You see, my aunt said that spaceship guard was a good career for a young Vogon, you know, the uniform, the low-slung stun-ray holster, mindless tedium.

… though I don't think you can have that much shouting….

:D

jaclaz

Posted : 26/11/2013 1:27 am
C.R.S.
(@c-r-s)
Active Member

Aside from a misapprehension on the part of the ISP, I see two ways to gather some circumstantial evidence:

1. The ISP uses a (today widespread) remote management solution (unusually) to retrieve switch and AP log files from the router device. This can be a client (router) initiated action, when connection changes occur, or only when new devices are recognized (an unauthorized user possibly connects for the first time).

2. IPv6 without privacy extensions.

The message itself might contain the IP of the end user device, which either can be associated with the client's MAC through the log files or is inherently "MAC specific", according to these two possibilities. The log files are bound to the message by the IP of the router device, which should show up in the header.
Second, but unlikely, a messenger software was used that generates unique message IDs from the client's MAC.

Posted : 26/11/2013 4:06 am
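
The "IPv6 without privacy extensions" case from the post above, as an added example that is not part of the original thread: when the interface identifier is a modified EUI-64, the device MAC can be read back out of the address itself. The addresses below are constructed samples from the 2001:db8::/32 documentation range, and the function names are hypothetical.

```python
import ipaddress

def mac_from_slaac(addr):
    """Return the MAC embedded in a modified EUI-64 IPv6 address, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits = interface ID
    # Modified EUI-64 inserts ff:fe between the OUI and the device-specific half.
    if iid[3:5] != b"\xff\xfe":
        return None    # privacy extensions, random or manually set interface ID
    # Undo the universal/local bit flip that EUI-64 applies to the first octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def describe(addr):
    """Summarise what an address does and does not say about the sending device."""
    mac = mac_from_slaac(addr)
    if mac is None:
        return {"address": addr, "mac": None, "locally_administered": None}
    # A set locally-administered bit means the MAC was assigned in software,
    # not burned in by the manufacturer, so it identifies hardware less reliably.
    return {"address": addr, "mac": mac,
            "locally_administered": bool(int(mac[:2], 16) & 0x02)}

# Constructed sample addresses (not taken from the case discussed in the thread).
SAMPLES = [
    "2001:db8:1:2:21a:2bff:fe3c:4d5e",    # EUI-64 derived from a vendor MAC
    "2001:db8:1:2:a9f3:7c10:4be2:91d7",   # random interface ID (privacy extensions)
    "2001:db8::ff:feaa:bbcc",             # EUI-64 from a software-assigned MAC
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(describe(sample))
```

A random interface ID contains ff:fe in that position by chance about once in 65,536 addresses, so a recovered MAC is a lead to corroborate against router logs, not a finding on its own.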
 Anonymous

You are right! The hours are good but it's the pay that sucks!

It was a combination DSL modem and router supplied to the client by the ISP. I wonder if they have a privacy policy? Why would they be looking at their customer's MAC addresses anyway?

Thank you all

Mike

Topic starter Posted : 26/11/2013 6:30 am
jaclaz
(@jaclaz)
Community Legend

I wonder if they have a privacy policy? Why would they be looking at their customer's MAC addresses anyway?

I guess a line needs to be drawn *somewhere*.

Let Privacy alone 😯 , a MAC address is a number and nothing else, it cannot represent a "privacy" issue until you "couple" it to a given device and then (more difficult) tie the device to the individual "behind the keyboard".

I see a number of reasons why an ISP that provides the DSL/router may have access to the MACs of devices connected to the router that is provided together with a subscription, mainly for troubleshooting/issue solving commercial reasons (just as an example a given ISP contract may allow max - say - 8 devices connected if it is a "home" subscription).

What I find less probable is that the connections are logged, and that even if they are, the logs are stored and not deleted in a very short timeframe.

jaclaz

Posted : 26/11/2013 6:11 pm
jhup
(@jhup)
Community Legend

Presumably we are talking about MAC as in Media Access Control addresses (MACs), can we agree to -
at the first router the information is lost as MACs are non-routable over IP,
the ISP cannot see the MACs unless they can see both sides of the nearest router to the client, most likely the default gateway.

The implementations I have seen, other than various dial-up, DSL, T1, etc. solutions the vendor provides the "switch/AP/router" device. These are combination WiFi AP, possibly a switch, and also as the default gateway for the house.

Cable TV carriers (Comcast, Time Warner, etc.) usually have a coax cable running directly to this device, and have the modem built into it. Yet, the router is still at this point.

For fiber/fibre carriers (Verizon, U-Verse, etc.) the "modem" or media converter for the network and the actual "switch/AP/router" device are split. This is because the media converter provides both Ethernet port and coax. It provides coax because most houses are already wired for this.

In either case the "switch/AP/router" devices, or broadband routers, are often "rented" by the customer - which means it is owned and managed on both sides by the carrier. There is no reason the carrier could not send the MAC information in some encapsulation to their POP.

I know the Verizon Actiontec MI424WR allows naming of the devices by MACs, not IPs on the inside. This information appears on the Verizon portal for usage statistics. Clearly, the portal does not reside at the customer's home, so the MACs (and usage stats) are shipped up to the mothership.

There is a faulty presumption with tracking the MACs, considering all still reside at the location. If the individuals are not tech-savvy it is highly possible that their systems are almost always connected to the local network.

Think about it - laptops are almost always on, at best sleep mode, tablets and cell phones are also always on for WiFi so as to make sure they do not use precious cell data air time.

How will you separate the regular online time of one of these MACs from the specific e-mail MAC time?

To further complicate things, what about simply changing MACs on the machine?
Or just walk up to the other person's machine and type it up quickly and hit send?
Or…

Too many variables, too little corroborating information to narrow it down.

If I was the judge, I would do a Solomon judgement.
Both fined and charged with contempt of court.

Posted : 28/11/2013 12:11 am
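
The point made in the post above about always-connected devices, as an added example that is not part of the original thread: even with a complete association log from the router, a query for "which MACs were online when the email was sent" usually returns several devices. The log format, timestamps and MAC addresses are constructed for illustration and do not come from the case or from any particular router.

```python
from datetime import datetime

# Constructed log in a hypothetical "<ISO time> <event> <mac>" format.
SAMPLE_LOG = """\
2013-11-01T08:02:11 assoc 00:1a:2b:3c:4d:5e
2013-11-01T08:05:40 assoc 00:1a:2b:aa:bb:01
2013-11-01T17:55:03 assoc 00:1a:2b:cc:dd:02
2013-11-01T18:20:00 disassoc 00:1a:2b:cc:dd:02
2013-11-01T23:10:09 disassoc 00:1a:2b:aa:bb:01
"""

def sessions(log):
    """Turn assoc/disassoc events into (mac, start, end); end is None if still connected."""
    open_at, out = {}, []
    for line in log.splitlines():
        ts, event, mac = line.split()
        t = datetime.fromisoformat(ts)
        if event == "assoc":
            open_at.setdefault(mac, t)       # keep the earliest unmatched assoc
        elif event == "disassoc" and mac in open_at:
            out.append((mac, open_at.pop(mac), t))
    out.extend((mac, start, None) for mac, start in open_at.items())
    return out

def macs_online_at(log, when):
    """Return every MAC whose session covers the given ISO timestamp."""
    t = datetime.fromisoformat(when)
    return sorted(mac for mac, start, end in sessions(log)
                  if start <= t and (end is None or t <= end))

if __name__ == "__main__":
    # Constructed send time falling inside the short visit-length session.
    print(macs_online_at(SAMPLE_LOG, "2013-11-01T18:05:00"))
```

With the sample data, all three devices are online at the constructed send time, so the log narrows the question to the household and no further.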
jaclaz
(@jaclaz)
Community Legend

If I was the judge, I would do a Solomon judgement.
Both fined and charged with contempt of court.

That's actually not a "Solomon" judgment, it is a "catch all" one 😯 .

jaclaz

Posted : 28/11/2013 12:42 am
jhup
(@jhup)
Community Legend

If I was the judge, I would do a Solomon judgement.
Both fined and charged with contempt of court.

That's actually not a "Solomon" judgment, it is a "catch all" one 😯 .

jaclaz

Sure. Will call it catch all. I was thinking of King Solomon's initial decision to slice the baby in half would have punished both women. That is why I called it Solomon judgement.

Posted : 29/11/2013 7:31 am
jaclaz
(@jaclaz)
Community Legend

Yep :D, but the essence of the wiseness of the judgement was the "faking" initially a very unfair decision in order to trick the mothers into showing their true nature
http://en.wikipedia.org/wiki/Judgment_of_Solomon
and later fairly give the child to the only true mother, this latter is the actual King Solomon's judgment.

What you are suggesting is more like Homer Solomon ;)
http://www.youtube.com/watch?v=eggewbyOpXQ

jaclaz

Posted : 29/11/2013 4:38 pm
macandrew2014
(@macandrew2014)
New Member

I doubt you can trace it back. The only information you have available is what's in the header, and for privacy reasons Gmail does not include the IP address. Of course the IP wouldn't help anyway if it's just the IP of the router and not of any of the PCs behind the router.

If the router has detailed enough logs, you might be able to track backwards from there, but that's totally independent of Google or Gmail. That would simply be trying to trace network traffic through your network. Only the router would know the MAC addresses of the computers connected to it.

Posted : 04/12/2013 1:42 am