Discovering Digital Identity Using IP Addresses
In the physical world, we have many attributes to determine our identity: phone number, social security number, driver’s license number, etc. However, in the online world, there is often an assumed level of anonymity. Someone can develop an Internet pseudonym, post defamatory information to a website, and no one will know who they are, right?
The truth is, there are numerous details that can be used to determine the person behind the keyboard, regardless of the creative online identity. With an understanding of the details available, and how to obtain this information, “sportsfan1234”, for instance, could be tracked down to a real person or, at least, to the location and device that was used.
Personally Identifiable Information
When using the Internet, there are many pieces of information logged at each website visited. This information is available from Facebook, Google, Hotmail, Twitter, Topix, blogs and mobile apps, just to name a few. It is difficult to visit a website without leaving detailed information related to the device that visited the website. These details can include device information such as Internet Protocol (IP) address, operating system, Internet browser used and software installed.
Many understand the category of personally identifiable information (PII) as consisting of details such as name, address, date of birth, social security number, driver’s license number, etc. However, the online world also has an identifiable feature, known as an IP address. Due to the potential of this also being a personally identifying attribute, many feel that it should be protected at the same level as social security and driver’s license numbers by being categorized as “PII”.
For this article, we are going to focus on the IP address and the value it can provide in your quest to determine the culprit behind the activity. What is important to understand is that no device can participate on the Internet without an IP address. This includes computers, laptops, iPads, mobile phones, etc. This IP address can be traced to a location and sometimes a person.
Types of IP Addresses
There are two types of IP addresses: static and dynamic. Static IP addresses do not change where they are assigned. Dynamic IP addresses can change and be assigned to another location or device based on various factors. What assists in getting around the tracing problem of a dynamic IP address is that the provider often knows where the IP address was assigned at any point in time.
Once you have an IP address of interest, you can “geotag” the general location of the IP address in most cases. The IP address can be “loosely” geographically traced to its physical location and in some instances, the location is exact (demonstration later). However, when dealing with mobile phones on the provider network, it is sketchy at best.
Although IP addresses are often assigned to devices, a single IP address may represent an entire network of computers in which every device on that network shares the same Internet IP address. The best analogy we’ve found to explain how IP addresses work in this scenario would be similar to your business telephone network. As an example, the phone number for an individual’s direct company phone line could be 865-555-1234. However, when someone makes a phone call to your office from inside the company, the number you see on your caller ID is 865-555-1000, the company’s main number. Regardless of which phone within the company calls you, the number will always appear as 865-555-1000.
This is similar to how IP addresses work for many businesses. Although there are numerous IP addresses within the network, only one publicly visible IP address represents the many devices that share it. This is referred to as a “proxy” IP address. This situation is likely the same for your home if you have more than one device accessing the Internet.
Getting IP Address Information
How do you proceed once you have an IP address about which you have determined you want more specific information?
Once you have gathered as much information as possible from public sources, a subpoena will likely be needed. There are some intricacies involved with requesting specific IP information via subpoena. For starters, the source of the IP address (provider) may only retain this information for a limited time based on its data retention policies.
The additional issue to consider is that you may need to issue two subpoenas. The first subpoena to the website provider may return an IP address that you determine is assigned to an Internet service provider (ISP). Examples of ISPs are Comcast, Charter, Verizon, etc. You will then need to subpoena the identified ISP to determine where that IP address was assigned during the time frame of interest.
Once you obtain the IP addresses from your source, they may allow you to track online activities to a specific computer and its user. However, there are issues that can make this quest a challenge and potentially unsuccessful.
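As an added example (not from the original article), the following Python script prepares what the article says the first subpoena step needs from the website's side: it reads constructed web-server access-log lines, discards addresses that are internal to your own network and so can never be traced through an ISP, and records for each external IP the time window and the user agents seen, which is the address and time frame you would put in the request to the ISP. It assumes Apache combined log format and a page path of interest of `/comment`; both are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Apache combined-format access-log lines; the addresses
# (RFC 5737 documentation ranges plus one RFC 1918 address), timestamps and
# user agents are made up for this example.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Mar/2012:14:02:11 -0500] "POST /comment HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
203.0.113.45 - - [10/Mar/2012:14:05:40 -0500] "POST /comment HTTP/1.1" 200 498 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1) Safari/7534.48.3"
192.168.1.20 - - [10/Mar/2012:14:06:02 -0500] "POST /comment HTTP/1.1" 200 470 "-" "curl/7.22.0"
198.51.100.7 - - [10/Mar/2012:15:30:00 -0500] "POST /comment HTTP/1.1" 200 477 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
203.0.113.45 - - [11/Mar/2012:09:12:55 -0500] "POST /comment HTTP/1.1" 200 503 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'\d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Blocks that never identify an outside party: a request from one of these came
# from inside your own network (behind your shared public address), so no ISP
# can tie it to a subscriber.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
                  "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def is_internal(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS if net.version == ip.version)

def ip_worksheet(log_text, path_of_interest="/comment"):
    """Per external client IP: hit count, first/last timestamp (the time window
    an ISP needs to map a dynamic address to a subscriber) and the set of user
    agents seen (several from one IP suggests a shared/NAT address)."""
    seen = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "agents": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at them
        if is_internal(m["ip"]) or path_of_interest not in m["req"]:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        rec = seen[m["ip"]]
        rec["hits"] += 1
        rec["agents"].add(m["ua"])
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return dict(seen)
```

On the sample, 203.0.113.45 shows three hits across two days with two different user agents, which is the pattern of a shared address the article describes, while the 192.168.1.20 request is dropped as internal.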
IP Address Forensics Challenges
The first challenge is an IP address being assigned to mobile devices from the provider network. IP addresses assigned to mobile devices are volatile. Each time a mobile device changes towers for coverage, there is a chance that the IP address will change. Additionally, it is possible for multiple mobile devices to share the same IP address from the tower, and the provider may not be able to determine which device had that IP address at any given time.
A second challenge in tracking down “sportsfan1234” is that he performed his nefarious activities from a “free wi-fi” hotspot such as Starbucks, an airport, a library or his local tire shop. If an IP address is traced back to a location such as this, identifying the computer or user will be nearly impossible, as most wi-fi hotspots do not maintain records of who was using their wireless network at any given time.
It is also very difficult to track all activities of a person by a single IP address. If, in a single day, you access the Internet from home, at your office, at a wi-fi hotspot and from your mobile phone, you will use a minimum of four IP addresses. Lastly, those who are technically savvy can obfuscate IP addresses. However, an experienced forensics analyst can often detect when this tactic is being employed.
Enough with all of the talk, let’s do an exercise to demonstrate the details of this article.
- First, you will determine the IP address currently being used by your device. Open your web browser and go to http://www.ip-adress.com (misspelling is intentional). Toward the top half of your screen you should see a statement that reads, “Your IP Address is” followed by a series of numbers (e.g., 18.104.22.168). This is the public IP address that represents your device. Stay on this page.
- Now let’s determine the geographic area and what organization your IP address is assigned to. Scroll to the bottom of that web page. Go all the way to the left on the red bar on the bottom of the page; follow the “IP Tracing” link. This will open a webpage that still has your IP address but provides more information such as the country, city, state of the IP address and the owner (along with a nice Google map).
- For extra credit, you can choose the whois link beside the IP address to get the contact information for the organization in regards to the IP address.
- You now have more information on the IP address, such as its geographic vicinity, and you likely know the organization to which a subpoena should be sent for more information.
- For a demonstration of multiple devices using the same Internet IP address, perform step 1 from another device within your office or home. You will likely see the same IP address as your device.
In the online world, many feel their identities are obfuscated and their activities are private. Fortunately, with a little effort, IP addresses are a mechanism that can be used to associate a person with nefarious online activity. Every device must use an IP address on the Internet. Although obstacles such as mobile phones and multiple devices using the same IP address exist, there is still potential in tracking down the culprit by an IP address.