1. How can you establish if a PC has been accessed remotely?
2. How reliable is an IP Address as evidence?
I am reading about a case where the police established that a Hotmail account had been accessed from a specific IP address. However, the ISP stated that the IP address may not be accurate, saying:
"Although (Company Name) has taken every care in providing the information supplied, due to the complex nature of these type of enquiries (Company Name) cannot guarantee the true accuracy of IP information provided".
The other issue was that the computer that was suspected to have been used to access the email account on this specific date was not examined by the police. So how could a court rely upon this as accurate evidence?
It's very interesting that they did not examine the computer... a mistake, or a deliberate action because they feared it may clear the suspect?
Or, is the IP Address enough?
Hi,
In relation to your first question: look into the system event logs. There will be a logon type code which indicates if a user was physically at the machine, over a network, or on remote desktop. You may have to research the Microsoft documentation for the different type codes and their explanations.
For your second question (I don't know the law fully on this), my personal opinion would be: not very. IP addresses can be spoofed!
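To make the first answer concrete, here is a small triage script (added here as an example; it is not code from anyone in this thread). It classifies Windows Security log 4624 "successful logon" events by their logon type code and pulls out the ones that came from another host. The logon type numbers and their meanings are Microsoft's; the pipe-separated line layout and the sample events are constructed for the example, not a real export format.

```python
"""Triage Windows 4624 logon events by logon type (added example, not from the thread).

Sample lines are constructed: timestamp | EventID | LogonType | user | source IP | workstation.
The field layout is an assumption for this example, not a Windows export format.
"""
from dataclasses import dataclass
from typing import List

# Microsoft logon type codes used in Event ID 4624 (success) and 4625 (failure).
LOGON_TYPES = {
    2: "Interactive (at the keyboard)",
    3: "Network (file share, WinRM, etc.)",
    4: "Batch (scheduled task)",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (RDP / Terminal Services)",
    11: "CachedInteractive (domain creds, DC unreachable)",
}

# Logon types that mean the session originated on another host.
REMOTE_TYPES = {3, 8, 10}
LOCAL_ADDRESSES = {"-", "127.0.0.1", "::1"}


@dataclass
class Logon:
    timestamp: str
    event_id: int
    logon_type: int
    user: str
    source_ip: str
    workstation: str

    @property
    def description(self) -> str:
        return LOGON_TYPES.get(self.logon_type, f"Unknown ({self.logon_type})")

    @property
    def is_remote(self) -> bool:
        # A type 3/10 logon from loopback is still local, so require a real source address.
        return self.logon_type in REMOTE_TYPES and self.source_ip not in LOCAL_ADDRESSES


def parse_event(line: str) -> Logon:
    """Parse one pipe-separated event line into a Logon record."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    ts, eid, ltype, user, ip, ws = fields
    return Logon(ts, int(eid), int(ltype), user, ip, ws)


def parse_events(lines: List[str]) -> List[Logon]:
    return [parse_event(line) for line in lines if line.strip()]


def remote_logons(events: List[Logon]) -> List[Logon]:
    """Successful logons (4624) that came from another host."""
    return [e for e in events if e.event_id == 4624 and e.is_remote]


# Constructed sample events (RFC 5737 documentation addresses, fictional users).
SAMPLE_EVENTS = [
    "2011-03-14T08:02:11Z | 4624 | 2  | alice      | -             | WS-ALICE",
    "2011-03-14T08:40:55Z | 4624 | 10 | alice      | 192.0.2.77    | WS-ALICE",
    "2011-03-14T09:15:03Z | 4624 | 3  | svc_backup | 192.0.2.10    | FILESRV",
    "2011-03-14T09:15:04Z | 4624 | 5  | SYSTEM     | -             | WS-ALICE",
    "2011-03-14T12:00:00Z | 4625 | 10 | alice      | 198.51.100.23 | WS-ALICE",
    "2011-03-14T12:01:00Z | 4624 | 7  | alice      | -             | WS-ALICE",
]

if __name__ == "__main__":
    # Note: an empty result is not proof nobody connected; Event ID 1102 records the
    # Security log being cleared, so check for that before drawing conclusions.
    for e in remote_logons(parse_events(SAMPLE_EVENTS)):
        print(f"{e.timestamp} {e.user:<10} from {e.source_ip:<14} {e.description}")
```

Running it lists the RDP session from 192.0.2.77 and the network logon to FILESRV, and skips the failed 4625 attempt, the console logon and the service logon.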
IP addresses can be spoofed!
Spoofing an IP address for anything where you hope to make a TCP connection is not trivial. It's not as easy as this sentence would suggest.
Also, Aquaman, you've asked a lot of seemingly unrelated questions. Are you a forensics student?
Yes, IP addresses can be spoofed, but for TCP connections it isn't going to happen. Machine A sends a packet to machine B with a spoofed IP source address of machine C; Machine A will then reply to machine C, not your machine B.
You couldn't just rely on an IP address as evidence in a court case. For one, how would you prove who was sitting at the keyboard when the offence took place?
These sound like homework questions; think about them yourself a bit first and post what your ideas and answers might be.
I'm not a forensics student, but I keenly hope to be. I also have a keen interest in case law and have been reading how related IT matters have impacted on stated cases.
I have 2 computers and am looking for the type of evidence used in said cases and then applying what I have learned.
Thanks for all your suggestions and help. I find this type of work so amazing.
I am reading into one case where a suspect used various computers in a financially related crime, and I'm going through the steps that I think could prove innocence or guilt... It's fascinating stuff. I'm hooked!!!
It's very interesting that they did not examine the computer... a mistake, or a deliberate action because they feared it may clear the suspect?
If they thought it may clear the suspect, then that computer would have been the first thing to be examined, because firstly it may cut down on other computers examined, reducing workload, and secondly there would be a lot more front-line investigation needed, and that computer could contain vital information to the case. The usual reason for the police not examining a computer is that it is not available to them or there was no suspicion of any evidence (incriminating or exculpatory) on it.
If you are keen on pursuing this subject, then it might be useful to learn that the police aren't on the side of the prosecution; they are neutral in the matter and are there to see justice done. They investigate both sides. You may not hear much about them investigating on the side of the suspect, but that's because if they find anything that shows the defendant is not guilty then the prosecution doesn't go anywhere and you don't hear of it, and if they don't find anything then the work they did in finding that fact is not usually mentioned anywhere either. Anything you see on TV is wrong!
Hey guys, this chap is obviously not guilty. Let's brush that under the carpet and waste time framing him, seeing as we don't have much work on and crimes are hard to come by.
Interesting thoughts!
Follow the evidence I say. But that's only my opinion. Thanks for yours.
IP addresses can be spoofed!
Spoofing an IP address for anything where you hope to make a TCP connection is not trivial. It's not as easy as this sentence would suggest.
Spoofing working TCP connections can be done on a Wi-Fi network.
But why would you, if you're on the same network anyway?
Whether an IP address is valid as evidence depends.
I've seen cases with ISPs that almost randomly distribute IP addresses, with a DHCP lease of 24 hours. Some people reset their modem and, hey presto, a new IP.
On corporate networks, IP addresses alone are often useless; you need more data: what user was logged in at that address at that time?
If you're lucky they use tokens/cards for authentication.
-Roland
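Roland's point about 24-hour DHCP leases is the one that most often undermines IP-based attribution, so here is a worked example of the correlation an investigator actually has to do (added here as an example; it is not code from Roland or anyone else in the thread). It matches a (subscriber IP, timestamp) pair against an ISP's lease log and shows two ways the answer goes wrong: a modem reset hands the same IP to a different subscriber minutes later, and a timestamp interpreted in the wrong time zone lands on a different lease. The lease log format and all subscribers, MACs and addresses are constructed for the example.

```python
"""Correlate an IP address and timestamp against a DHCP lease log (added example, not from the thread).

Lease lines are constructed: start,end,ip,mac,subscriber with ISO 8601 timestamps.
The format is an assumption for this example, not any real ISP's log layout.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Set


@dataclass
class Lease:
    ip: str
    mac: str
    subscriber: str
    start: datetime
    end: datetime  # expiry, or the earlier release time if the modem was reset


def parse_lease(line: str) -> Lease:
    start, end, ip, mac, subscriber = [f.strip() for f in line.split(",")]
    return Lease(ip, mac, subscriber, datetime.fromisoformat(start), datetime.fromisoformat(end))


def parse_leases(lines: List[str]) -> List[Lease]:
    return [parse_lease(line) for line in lines if line.strip()]


def attribute_ip(leases: List[Lease], ip: str, when: datetime) -> List[Lease]:
    """Leases that held `ip` at the exact instant `when` (timezone-aware)."""
    return [l for l in leases if l.ip == ip and l.start <= when < l.end]


def attribute_with_skew(leases: List[Lease], ip: str, when: datetime, skew: timedelta) -> Set[str]:
    """Every subscriber that held `ip` anywhere in [when - skew, when + skew].

    Clocks on the mail server, the ISP's DHCP server and the investigator's notes
    rarely agree to the second; more than one subscriber here means the attribution
    is ambiguous, not that one of them is "probably" right.
    """
    lo, hi = when - skew, when + skew
    return {l.subscriber for l in leases if l.ip == ip and l.start <= hi and l.end > lo}


def as_utc(local_stamp: str, assumed_offset_hours: int) -> datetime:
    """Interpret a naive log timestamp in an assumed UTC offset and normalise to UTC."""
    naive = datetime.fromisoformat(local_stamp)
    aware = naive.replace(tzinfo=timezone(timedelta(hours=assumed_offset_hours)))
    return aware.astimezone(timezone.utc)


# Constructed lease log: subscriber A resets their modem at 09:31Z and gets .46,
# and one minute later .45 is handed to subscriber B.
LEASE_LOG = [
    "2011-03-13T20:10:00+00:00,2011-03-14T09:31:00+00:00,203.0.113.45,00:11:22:33:44:55,subscriber-A",
    "2011-03-14T09:32:00+00:00,2011-03-15T09:32:00+00:00,203.0.113.45,66:77:88:99:aa:bb,subscriber-B",
    "2011-03-14T09:32:00+00:00,2011-03-15T09:32:00+00:00,203.0.113.46,00:11:22:33:44:55,subscriber-A",
]

if __name__ == "__main__":
    leases = parse_leases(LEASE_LOG)
    # Constructed mail-server entry: "login from 203.0.113.45 at 2011-03-14 10:30", no zone recorded.
    for offset in (1, 0):
        when = as_utc("2011-03-14 10:30", offset)
        hits = [l.subscriber for l in attribute_ip(leases, "203.0.113.45", when)]
        print(f"assuming UTC{offset:+d}: {when.isoformat()} -> {hits}")
    window = attribute_with_skew(leases, "203.0.113.45", as_utc("2011-03-14 10:30", 1), timedelta(hours=1))
    print(f"within +/-1h: {sorted(window)}")
```

With the server's clock actually on UTC+1 the login maps to subscriber-A, but if the same "10:30" is read as UTC it maps to subscriber-B, and a one-hour tolerance returns both. That is the ambiguity behind the ISP's "cannot guarantee the true accuracy" caveat quoted in the original question.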
The international perspective is that an IP address is not enough, for all the reasons previously mentioned. For example, in UNCITRAL's "U.N. Convention on the Use of Electronic Communications in International Contracts", you'll find that "the fact that someone uses a DNS or email address from a country top-level domain doesn't mean that its residence is located in that country."
This applies to IP addresses too.