Araniell ([info]moon_very_thin) wrote in [info]little_details,
@ 2009-05-30 21:14:00
IP tracking, Internet-Café Criminal, and UK Police
Setting: Modern-day London.

Research done: Have been reading up on the Convention on Cybercrime and some case studies for international co-operation, but IANAL and not especially savvy on the tech side either, so I'd appreciate a little clarification.

During a murder investigation, a suspect is posting incriminating messages to Facebook groups. He's using net cafés around the city. How difficult would it be for the police to track the IPs? Would they need cooperation of the California police (I think that's where Facebook is based?) to get the IPs, or is there a simpler way? How long would it be likely to take? (this case study helped, but it's between UK/Norway/Spain.)

Secondly, am I right in thinking that machines in internet cafés have static IPs, so that the police would know which specific machine had been used?

This guy is coming and going with a reasonably large group of gamers (making them all suspects). In one of these places, the owner is in the habit of tinkering with his computers and switching out parts. He's not particularly careful about putting the towers back in the same numbered stations from which he took them. Could this cause confusion if the police tracked the IP to a particular machine, which is now in a different place than it was when the crime was committed? (As in, they'd suspect the guy who was using Computer 3 that night based on the IP, not realising that the machine which is now Computer 3 was previously Computer 16?)



(22 comments) - (Post a new comment)


[info]gargoylekitty
2009-05-31 01:16 am UTC (link)
To what extent? They could probably figure out what cafe it's coming from though I'm thinking they'd need help from Facebook. Even then I'm not entirely sure Facebook would keep tabs on that.

Internet cafes tend to act as a hot spot working off the same connection, all the machines in the place would show as using the same IP address. Though chances are, if he was coming and going with a large group as you said, the staff would have taken notice and would be able to assist the police (or whoever you have looking for him) in knowing which machine he was using.

Edited at 2009-05-31 01:17 am UTC

(Reply to this)


[info]reynardo
2009-05-31 02:19 am UTC (link)
Facebook requires you to log in, and have an account that's linked back to an email address. Now while, of course, you could use a Gmail or Yahoo address, THEY also track the IP of messages sent from them. So you'd easily *get* IP addresses - the problem would then be, as you've stated, linking that back to a person.

Some Internet cafes use static IPs, some use dynamic, but in each case the IP can be traced back to a machine without too much trouble (the router or whatever's being used will have a log). Yes you'd have the IP confusion about tinkering with the machines, but often in these places you'll have big numbers on the front of the tower/base, so even if machine 16 was put in machine 7's place, you'd see that the numbers didn't match.

IF the guy doing the deed is like the others, and friends with the others, and doing what they do (gaming, giggling over pr0n, etc) then he'll blend in. If he's like that middle-aged woman in the business suit who was at the Internet place last year, switching between writing up her resume and playing WoW, then yes, they'd probably stick out a bit :-) (That was me)

(Reply to this)


[info]ennifer_jay
2009-05-31 02:42 am UTC (link)
I'm going to say not that hard at all. If I really wanted to, I could figure out your IP address.

Because of websites like this, I'm sure there's the opposite as well.

(Reply to this) (Thread)


[info]moon_very_thin
2009-05-31 10:52 am UTC (link)
You could do that from a post I'd left at LJ? Is there any chance you could explain to me how that would work? Just sort of the basic process behind it.

Because what I really need to know is whether there's a way for the police experts to get hold of the IP themselves, or whether they're going to need the help of Facebook to get the information.

I've seen websites like that, and other gadgets, like a hidden pixel which monitors IP hits, but in this case the guy they're trying to trace isn't going to be induced to click a link sent to him.

(A propos nothing, I've just noticed that TraceMyIP gives my location in the wrong district and as a city about 70km away. Reassuring to see it so roughly ballparked.:) )

(Reply to this) (Parent)(Thread)


[info]murstein
2009-05-31 02:06 pm UTC (link)
> You could do that from a post I'd left at LJ? Is there any chance you could explain to me how that would work? Just sort of the basic process behind it.


Here's the easy way to trace an IP address:

Facebook is an application running on a Web server.* So is LiveJournal, and every other blog out there. When you post (or comment or edit or whatever), the web server will log who (as in account name) posted, when, and what IP address they were using to post from. There will also be some unique identifier, that lets them cross-reference every post to its log entry. (There might be a bit more, but that's the minimum data that every server will track.) So the easy way is to have Facebook run through the logs and figure all this out. The hard way is to hack into Facebook's systems, and then figure out how they run their logs, and then find that same information. The hard way is both illegal and more work for Officer Friendly.

Now, when your computer sends something out on the network, the information is assembled into something called a "packet." Each packet will have information on where it's from, and where it's addressed to, sort of like an envelope around a letter. It will also have a unique identifier, called a packet ID. The police will need those packet IDs when they visit the Internet cafe; the router logs for packet IDs will tell which machine they were sent from, and when (which, 99% of the time, will be within a second or two of the time the packet arrived at the Facebook server).

Now, I've not had occasion to go through router logs, so I'm going to speculate on them, based on what I know of how TCP/IP works. I believe that they will identify the computer it came from, based on a unique identifier that every network card has. (Or motherboard, if it's a particularly inexpensive computer; the bargain systems put all the functions on the motherboard. This cuts down on costs a little, with the main problem being that upgrades or failures of one chip are more difficult.) If your Internet cafe tech has occasion to swap network cards/motherboards from one computer to another, that could cause some confusion. After all, the router sees something like "00:11:43:04:ca:e2," and has no idea that is in a case with 43 on the cover, but was in a case with 2 on the cover yesterday.

> (A propos nothing, I've just noticed that TraceMyIP gives my location in the wrong district and as a city about 70km away. Reassuring to see it so roughly ballparked.:) )


Now, for that IP address being off. The location given is most likely where your Internet provider's building is. (At least the one you were using when you checked; mine tends to wander between Detroit and Southfield, MI. One presumes the migration is due to which office gives me the best connection, at the moment it happens.) When the police ask an internet provider "Who was using IP address X at Y time?" they have logs to look it up. The logs will, at a minimum, have the user account that was logged in; some, at least, will have commentary on the technology they used to connect (DSL or Cable or dial-up or T-1 or whatever).

Now, once upon a time, there were businesses that ran with all those logs turned off. This has been illegal in the US since the PATRIOT Act. I presume there are parallel laws in the UK. Whether your Internet cafe complies or is a scofflaw that hasn't been caught yet might be a plot point.

[Edited because I mucked up my blockquote HTML. Doh!]




* Actually, probably a lot of them, but that's the kind of detail you only need if you have one of Facebook's Internet security folks as a viewpoint character. I strongly urge against this, because there are eleventy dozen ways of dividing the work between servers, and the few readers who will care are also the ones who will lose their suspension of disbelief when you get a detail wrong.

Edited at 2009-05-31 02:10 pm UTC

(Reply to this) (Parent)(Thread)


[info]scribefigaro
2009-05-31 08:12 pm UTC (link)
It's been a while since I've read up on this, but residential routers - the type that resolve many internal IP addresses into a single external IP address - mostly use port address translation. Packets have a to/from IP address and port number, and the router keeps track of packets by assigning each computer in its network a particular port for a particular space of time.

Router logs are usually kept for network administrative purposes to aid in troubleshooting a problem; like security cameras there's no assurance these logs are held for any particular period of time or even made at all. The router's NAT stores entries only as long as necessary to facilitate the connection.

(Reply to this) (Parent)
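
As an added illustration of the port address translation described in the comment above (not part of any commenter's post), this Python sketch matches a server-side record to one machine behind a shared public IP. The log formats, addresses and the `attribute` function are constructed for this example; only the MAC 00:11:43:04:ca:e2 is borrowed from the thread.

```python
from datetime import datetime, timedelta

# Constructed sample data in a hypothetical format (not any real router's output).
# NAT/PAT log: start, end, internal ip:port, external (public) port, destination
NAT_LOG = """\
2009-05-30T20:01:10 2009-05-30T20:03:40 192.168.1.23:51514 40001 203.0.113.80:443
2009-05-30T20:05:02 2009-05-30T20:09:55 192.168.1.31:49822 40001 203.0.113.80:443
2009-05-30T20:05:30 2009-05-30T20:06:10 192.168.1.23:51620 40002 203.0.113.80:443
"""
# DHCP lease log: lease start, lease end, internal ip, MAC of the network card
DHCP_LOG = """\
2009-05-30T18:00:00 2009-05-30T20:04:00 192.168.1.23 00:11:43:04:ca:e2
2009-05-30T20:04:30 2009-05-31T02:00:00 192.168.1.23 00:11:43:aa:bb:01
2009-05-30T18:00:00 2009-05-31T02:00:00 192.168.1.31 00:11:43:aa:bb:02
"""

def _ts(s):
    return datetime.fromisoformat(s)

def parse(log, n):
    # Keep only well-formed lines with exactly n whitespace-separated fields.
    return [line.split() for line in log.splitlines() if len(line.split()) == n]

def attribute(seen_at, ext_port, dest, skew_s=5):
    """Map a server-side observation (time, public source port, server ip:port)
    to (internal_ip, mac). Returns None when no retained log entry covers it."""
    t, skew = _ts(seen_at), timedelta(seconds=skew_s)
    # The public IP is shared, so the external port plus the time window
    # is what singles out one internal machine.
    hits = [r for r in parse(NAT_LOG, 5)
            if int(r[3]) == ext_port and r[4] == dest
            and _ts(r[0]) - skew <= t <= _ts(r[1]) + skew]
    if len(hits) != 1:  # nothing logged, or ambiguous within the clock skew
        return None
    ip = hits[0][2].rsplit(":", 1)[0]
    # The internal IP is only a lease; the MAC on record depends on the time.
    macs = [r[3] for r in parse(DHCP_LOG, 4)
            if r[2] == ip and _ts(r[0]) <= t <= _ts(r[1])]
    return (ip, macs[0] if len(macs) == 1 else None)

if __name__ == "__main__":
    # Same public port 40001, four minutes apart: two different machines.
    print(attribute("2009-05-30T20:02:00", 40001, "203.0.113.80:443"))
    print(attribute("2009-05-30T20:06:00", 40001, "203.0.113.80:443"))
    # No log entry covers this time, so nothing can be attributed.
    print(attribute("2009-05-30T21:00:00", 40001, "203.0.113.80:443"))
```

The result stops at a network card's MAC address; tying that card to a numbered station or a person still depends on records outside these logs.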


[info]ennifer_jay
2009-06-01 03:22 am UTC (link)
[info]murstein just explained this better than I ever could lol.

Also, TraceMyIP gives me "Philadelphia", but I really reside in a suburb of Philadelphia. It also says "hub city" - not location. Meaning that's probably the major city/town it runs through.

Am I making sense lol?

(Reply to this) (Parent)


[info]ennifer_jay
2009-05-31 02:44 am UTC (link)
Also, if the person is doing it from several cafes, all you'd need to do is pull up the security/surveillance videos from the cafes, and compare them to see if there's any common people. Then track down those people. Done.

(Reply to this) (Thread)


[info]corvideye
2009-05-31 05:05 am UTC (link)
Not all cafes have security video... I don't know of any in my mid-sized town that do...

(Reply to this) (Parent)(Thread)


[info]ennifer_jay
2009-05-31 05:24 am UTC (link)
True.

(Reply to this) (Parent)


[info]enismirdal
2009-05-31 11:46 am UTC (link)
Although given this is London - everywhere has CCTV, more or less. There'll probably be a camera outside the café too, if nothing else.

(Reply to this) (Parent)


[info]corvideye
2009-05-31 05:03 am UTC (link)
I don't remember the technicalities, but a friend of mine had an actual experience with this... She owned an internet cafe, and one day the FBI came in because someone on America's Most Wanted had sent email from the cafe. They confiscated the hard drive, IIRC. It was freaky.

(Reply to this) (Thread)


[info]corvideye
2009-05-31 05:13 am UTC (link)
correction: the FBI copied the hard drive, but gave it back. Anyway, definitely traceable. However, the criminal never came back into that cafe, so I don't know if it ever got the investigation anywhere. But someone residing in the same area and hitting the same spots repeatedly, I would expect them to be catchable. Especially if you have a smaller place with owner-operators (as opposed to bored employees); they tend to know their regulars really well, and a group of people who comes in often together would be memorable. There would also be the possibility of tracing the customers via whatever they used as payment, unless they paid entirely in cash (which would also be memorable, if they paid for more than a cup of coffee).

(Reply to this) (Parent)(Thread)


[info]lied_ohne_worte
2009-05-31 07:23 am UTC (link)
> unless they paid entirely in cash (which would also be memorable, if they paid for more than a cup of coffee)

I'm not that sure about this. People in many countries use cash far more frequently than people in the US - here in Germany, you would get looked at funny and perhaps remembered if you tried to use electronic payment for sums smaller than, say, 20 or 30 €, which should be quite sufficient for surfing the internet for an extended time. Now, it has been a while since I was in the UK, but I think they use more cash than US people, too.

(Reply to this) (Parent)(Thread)


[info]lucy_k_p
2009-05-31 08:09 am UTC (link)
(UK resident here) Yeah, I only use my card if I don't have enough cash on me for what I'm buying (and I generally try to have the cash on me - I'll go to the cashpoint if I know I'm going to be spending money, rather than thinking I'll pay with my card.) I don't know anyone who'd use a card for less than £50 unless they didn't have the cash on them.

(Reply to this) (Parent)(Thread)


[info]sollersuk
2009-05-31 08:23 am UTC (link)
A lot of places say they won't accept cards for less than a certain amount. I don't have experience of UK cyber cafes but I've just come back from Spain where I used a lot of them, and cup of coffee or glass of beer plus a reasonable session left me with change from a 5 € note.

(Reply to this) (Parent)(Thread)


[info]scarlet_carsons
2009-05-31 10:13 am UTC (link)
Yup - a lot of small businesses I've seen don't take credit cards for anything less than £10-£20, because of the costs of using those little credit card reader machine thingies.

Speaking as a retail goon, very few customers actually want to use a card for amounts less than £20.

(Reply to this) (Parent)


[info]janewilliams20
2009-05-31 10:25 am UTC (link)
I usually use plastic for anything over £10.

(Reply to this) (Parent)


[info]nomadicwriter
2009-05-31 09:53 am UTC (link)
Yeah. Certainly for sums under £20 it would be very normal for people to pay cash. Paying an amount under £10 with a card is not totally unheard of, but it does make people roll their eyes a bit (I guess it holds up the queue slightly and creates the perception that you're too disorganised to have brought the right cash with you) so yeah, that's far more likely to be remembered by a busy and/or irritated staff member than somebody paying cash for any sum you could possibly incur in a cyber café. And as [info]sollersuk notes, it's quite common for businesses to refuse to accept card payments for under £5.

Edited at 2009-05-31 09:54 am UTC

(Reply to this) (Parent)


[info]sollersuk
2009-05-31 10:43 am UTC (link)
Again, I can only speak for Spain (I use my trusty laptop in the UK), but there if anyone was using more than 20 € worth they would be noticed however they paid - and even in Madrid would still be on the machine when the place closed!

(Reply to this) (Parent)


[info]corvideye
2009-05-31 02:48 pm UTC (link)
Good point, I was forgetting the setting.

(Reply to this) (Parent)

Ip-details
[info]arun11
2009-07-21 11:42 am UTC (link)
Hi,
You get the details of finding IP addresses, domain name hosts' whois information including city, country, global latitude & longitude coordinates from http://www.ip-details.com/.

(Reply to this)

