Identifying a Person Using an IP Address
Cases such as copyright violations, computer hacking, and distribution of child pornography often involve using an individual's IP address to identify them. But, what is an IP address and how reliable are they at identifying individuals?
Each computer or device on a network is assigned an IP address that allows other devices to speak to it. These addresses are usually represented as four numbers separated by periods. For example, when I connected to Google's web site just now the address was 18.104.22.168.
It's important to understand that there is not a 1-to-1 correspondence of computers to IP addresses. In fact, using IP version 4 (the most common version of the IP protocol), there are only four billion possible addresses which is far less than the number we would need to assign a unique address to every device in the world. The way that we work around this limitation is to use a technology called NAT that allows several devices to share an IP address.
If you have a wireless network at home, you probably have several devices that use the network: your phone, laptop computer, Blu-ray player, etc. Each of these devices has a different internal IP address that is unique within your home network. But, as far as the outside world is concerned, they all share a single IP address: the one assigned to your modem by your Internet service provider. That's NAT in action. NAT can be used for small networks like your home WiFi, or large networks such as a corporation or school district. It's not unusual for hundreds or even thousands of devices on a network to share a single address when communicating with the outside. Some ISPs even use "carrier-grade" NAT to allow multiple customers to share an address.
Another important thing to understand about IP addresses is that they are not permanent. Most computer networks "lease" IP addresses for a short period of time then make them available for reassignment. So, the IP address that is assigned to the modem on your home network may not be the same address that was assigned yesterday. How long an address stays assigned depends on the parameters set by the network provider and on whether the device is consistently or intermittently online. On your home network, your modem might keep the same address for a month if it never disconnects. On a public wireless network (e.g. at your favorite coffee shop), your phone or laptop will almost certainly get a different address every time you visit.
To sum this up, we can say that an IP address identifies either an individual device, or a group of devices, at a specific point in time.
ISPs can usually identify the customer who was assigned an IP address at some point in time (assuming it's not too far in the past), but this isn't always 100% accurate and it doesn't necessarily identify the person responsible for some particular activity. The information provided by an ISP is usually based on logging the hardware address of the modem that an IP address is assigned to. When they receive a subpoena or other request, they find the hardware address in their logs then look it up in their billing records to see which customer it belongs to. One reason that this information can be wrong is theft of services. People sometimes spoof the hardware address of another customer in order to get free service or to steal a higher tier of service. ISPs try to prevent this, but some providers are more secure than others and theft does happen.
Assuming the ISPs results are correct, we shouldn't assume that a particular person is responsible for the activity in question. While an ISP may have one name on their billing records, the home may have many residents. The residents may allow guests to use their home network. And if the network is not secure, or they leave their wireless network open, other people (e.g. neighbors) may use the network without leave.
In other networks, for example a corporate network or a school district, it may be necessary to correlate records from multiple sources in order to identify the device that was assigned an IP address at a particular time. This can be very difficult and error-prone. I worked on an internal inquiry where the records showed that an employee was online at five different physical locations. After investigating further, we discovered an issue with the way the network was configured that would sometimes cause a user to continue to be associated with an IP address long after it was reassigned to someone else. Oops.
Getting a network owner to identify the user or customer associated with an IP address is not nothing. But it's not the end of the investigation either. The next step is to prove that a particular physical device is the right device by showing that it was actually assigned the IP address in question or that it contains records associated with the activity being investigated. The investigator or forensic examiner should also attempt to show that other activity, during or immediately adjacent, connects to an individual (e.g. by developing a timeline of email or social media activity on the device).
Steven has performed forensic examinations on computers and mobile devices in response to criminal proceedings, computer misuse investigations, security incidents, and e-discovery requests. He has over twenty years of experience in technology and has several certifications in forensics and information security. He has multiple publications and has presented at several conferences and workshops.
Copyright Trace Digital Forensics, LLC
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer.For specific technical or legal advice on the information provided and related topics, please contact the author.