anonymous ip logging in forums

lucpel
(@lucpel)
Trusted Member
Joined: 14 years ago
Posts: 55
 

Websites are usually not obligated to keep track of IPs unless they are required to do so, like electronic bank services or e-commerce websites (of course, it depends on the jurisdiction). In criminal law cases, law enforcement agents can order ISPs to show and preserve records.
But in the end, very few investigations will succeed, considering:
1) An IP address by itself won't be enough evidence to convict someone.
2) If the suspect or the web server is located in a country other than yours, you will first have to determine the applicable law and the natural court, so even if you get the location of the suspect, the case will have to be very relevant in order to get international cooperation.


   
Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
 

There is another important point that I don't think was mentioned. Web servers running forum software typically have more than 1 layer of logging.

So there is the logging in the forum software itself (at least for the major packages) and there is also logging going on by the web server software (typically this is Apache or IIS).

So even if the forum logging is disabled, then the web server might have server logs with IP addresses that the hosting company could provide.

For example here is the Apache log entry of someone logging in and making a post in our forum.

178.45.49.75 - - [02/Jun/2011:00:14:45 -0400] "POST /forum/login.php?do=login HTTP/1.0" 200 20758 "http://mail.passmark.com/forum/newthread.php?do=newthread&f=6" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"

178.45.49.75 - - [02/Jun/2011:00:14:44 -0400] "GET /forum/newthread.php?do=newthread&f=6 HTTP/1.0" 200 23836 "http://mail.passmark.com/newthread.php?do=newthread&f=6" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"

You get their IP address and a lot of other information besides.


   
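An added example, not part of the post above or of any forum's own tooling: a parser for Apache's combined log format that pulls out the fields such an entry carries and rebuilds a per-IP timeline in UTC. The sample lines are constructed (documentation IP range, example.org), and the names `parse_line` and `timeline_by_ip` are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample input, newest entry first, plus one damaged line.
SAMPLE_LOG = '''\
203.0.113.7 - - [02/Jun/2011:00:14:45 -0400] "POST /forum/login.php?do=login HTTP/1.0" 200 20758 "http://example.org/forum/newthread.php?do=newthread&f=6" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"
203.0.113.7 - - [02/Jun/2011:00:14:44 -0400] "GET /forum/newthread.php?do=newthread&f=6 HTTP/1.0" 200 23836 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"
this line is truncated or corrupt
'''

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if malformed."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise the server-local timestamp to UTC so logs from several hosts line up.
    local = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["utc"] = local.astimezone(timezone.utc)
    parts = rec["request"].split(" ")
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) >= 2 else (None, None)
    return rec

def timeline_by_ip(text):
    """Group parsed requests per client IP, oldest first; count unparsable lines."""
    events, skipped = defaultdict(list), 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        events[rec["ip"]].append(rec)
    for recs in events.values():
        recs.sort(key=lambda r: r["utc"])
    return dict(events), skipped

if __name__ == "__main__":
    events, skipped = timeline_by_ip(SAMPLE_LOG)
    for ip, recs in events.items():
        for r in recs:
            print(ip, r["utc"].isoformat(), r["method"], r["path"], r["referer"], r["agent"])
    print("unparsable lines:", skipped)
```

Counting the lines that fail to parse matters when logs are handed over as evidence, since silently dropped entries leave gaps in the timeline.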
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

For a busy website, I would keep no more than a few days worth of server logs, and only a subset/statistics thereafter.



   
(@dwhyte)
New Member
Joined: 12 years ago
Posts: 2
 

There are two parts to the problem on forums like this: they may have logs despite saying they don't; the fact is they won't comply because they're based offshore in a 'safe haven', and the parent ISP won't comply either. At the moment there are a lot of issues with this with cybercrime forums based in Romania, Russia and certain NL providers, so this is common.

The easiest way to prove someone is hoping they have the same handle, same link signatures… things like that. You could ask upstream providers to log originators to the website - this is done already I'm sure to some current websites, but it's easy to get a free VPN and hook up TOR - you're then pretty much anonymous… providing credentials and profile data aren't the same as other forums they use.

Many of the gh0stmarket cybercrime forum got caught by having Xbox gamer tags the same as handles on the forum :), they were suitably 'safe' with setup but not with forum profile :D

Bit of a tough one, but the above are what you need to be aware of, IMO.


   