Router, also known as Tor Project. A suspect using
any one of these methods may not only be effectively hiding their actual IP address but also placing
other persons at risk of being wrongfully identified.
Relying upon IP addresses in which a VPN or Tor
was used will most likely result in following inaccurate investigative leads.
A MAC address, on the other hand, is the
number assignment given to network interface
cards which usually can be traced back to a physical
machine. The MAC address is much like a serial
number imprinted on a physical device, but like
IP addresses, it is also possible to change MAC
addresses to obscure tracking methods. So, a MAC
address is also not a person.
Tor is free software that uses a network of virtual
tunnels by which a Tor user’s IP address is effectively hidden through many anonymous relays. An
IP address that belongs to a Tor exit relay is not
the suspect’s IP address but only that of the last relay
that was used.
An unfortunate Tor exit relay case example
occurred during the spring of 2011. Immigration
and Customs Enforcement agents served a search
warrant and seized six computers in a child pornography investigation in which the suspect and
location were identified by an IP address (Hofmann
2011). The IP address was a Tor exit relay, which is
just the last computer that traffic goes through
before reaching its destination. In this case, the
alleged suspect allowed his computers to be used as
a Tor exit relay for other Tor users. However, the
alleged suspect had no knowledge or control of the
data exiting his Tor relay and accordingly, was not
involved in child pornography.
Investigators relying upon IP addresses are advised
to check the Tor Project Web site (http://www.tor-project.org) to compare a suspect’s IP addresses with
a list of known Tor exit relays. This will reduce the
risk of focusing on an IP address and person that is
of no relation to the actual suspect, other than being
the last exit relay in a long chain of relays.
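The comparison described above, as an added example that is not from the original text. It assumes the exit list has been saved in the ExitNode/ExitAddress text format and that a match within 24 hours of the logged event counts as "at the time"; the function names, the window, and the sample data are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample: fingerprints are made up and the addresses come from
# documentation-only ranges. All times are treated as UTC.
SAMPLE_EXIT_LIST = """\
ExitNode AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Published 2011-03-14 02:10:00
LastStatus 2011-03-14 03:00:00
ExitAddress 192.0.2.45 2011-03-14 03:12:07
ExitNode BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Published 2011-03-13 22:41:00
LastStatus 2011-03-14 01:00:00
ExitAddress 198.51.100.7 2011-03-14 01:30:44
ExitAddress 203.0.113.19 2011-03-10 09:02:11
"""

FMT = "%Y-%m-%d %H:%M:%S"

def parse_exit_list(text):
    """Return {ip: [(relay_fingerprint, time_seen_as_exit), ...]}."""
    exits, fingerprint = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        if key == "ExitNode":
            fingerprint = value.strip()
        elif key == "ExitAddress" and fingerprint:
            addr, stamp = value.split(None, 1)
            ip = ipaddress.ip_address(addr)  # raises on a malformed address
            seen = datetime.strptime(stamp.strip(), FMT)
            exits.setdefault(ip, []).append((fingerprint, seen))
    return exits

def check_lead(exits, ip_text, event_time, window_hours=24):
    """Classify a logged IP against the exit list at the time of the event."""
    ip = ipaddress.ip_address(ip_text)
    event = datetime.strptime(event_time, FMT)
    window = timedelta(hours=window_hours)  # assumed tolerance, not a standard
    hits = exits.get(ip, [])
    if any(abs(seen - event) <= window for _, seen in hits):
        return "tor-exit-at-event-time"
    if hits:
        return "tor-exit-other-time"  # listed, but not near the logged event
    return "not-listed"

if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    for ip in ("192.0.2.45", "203.0.113.19", "203.0.113.200"):
        print(ip, check_lead(exits, ip, "2011-03-14 04:00:00"))
```

A "not-listed" result only means the address was absent from the copy of the list that was checked; the list changes over time, so the copy should cover the date of the logged activity.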
A computer user account is also not a person.
User accounts are simply a convenient method
by which multiple users can have their data confined
and protected from other users of the same computer, or by which different users of a system
can be given different access rights. Either way, it is only a convenience and not a surefire method to allow only
authorized users to access their own account.
In a residence where multiple persons have
access to a computer, it is possible that all residents
use a single user account or that they may share all
of the accounts. In a business location, users may
inadvertently leave their computer open to access
by any passerby. Any of these situations allows for a
user account to be considered a clue as to the actual
computer user, but not affirmatively tied to any
person without corroborating evidence.
So what is a person? A person is a human, not
a number such as an IP address, MAC address, or
name on a user account. As an investigator, remember that you are working toward identifying the
person who committed the violations in question and
placing that person at the keyboard.
Who? What? When? Why? Where? And
A key factor in placing any person at the scene of
a crime is obtaining evidence that can place an
identified suspect in relation to the scene of the
crime. Previously discussed methods of physical
surveillance and obtaining records are usually the
best evidence of placing a suspect at a specific place
and at a specific time, but as most investigations involve reacting to incidents, this may not be always
The second-best evidence is the examination of an
electronic device that had been possessed by a
suspect. The only reason why this is not as good as
physically placing a person at a scene is that, unless there is additional corroborating information,
a forensic examination of electronic media by itself
cannot place a person at that device.
Investigations need to establish where the
electronic device has existed by date, time, and
location based on the device’s activity. As there will
be a multitude of dates and locations collected, our
ever-growing timeline of suspect activity comes into
play to keep track of the evidence chronologically.
In a case where several electronic devices have
been used by a suspect, the amount of data expands
With our goal of placing devices in the hands of
the suspect, the more devices we have to examine,
the more likely we will be able to accomplish this
task using all available information. By obtaining
the likely physical location of an electronic device
through forensic analysis and also obtaining the
physical locations of a suspect through means other
than a forensic analysis, inferences can be made as
to the likelihood the suspect controlled the device.
Not a certainty, but definitely a piece of circumstantial evidence to build upon.