Internet Sleuthing - Online Postings Carry Hidden Clues


NEW YORK (AP) -- With basic tools and skills, Internet sleuths can learn much from Web sites and online discussion boards beyond what terror groups and their sympathizers may be saying in the open.

All computers on the Internet have a unique identification number known as the Internet Protocol, or IP, address. By determining the IP address for the computer used to post a message, image or video, investigators may be able to track down a suspect.

First, an online gumshoe would go to the company that hosts the forum where a message appears. Records there should show the IP address associated with each request for each Web page, said Richard M. Smith, a security consultant in Cambridge, Mass.

Once investigators figure out the poster's IP address, they can check public databases to determine to whom, usually an Internet service provider, that address had been assigned.

The ISP may know the customer who used the address at a particular time and have credit card, address or phone information on that customer.

If the IP address belongs to a university or a business, officials there may have additional information about its students or employees. If it traces to a cybercafe, its owner may have customer records. At minimum, investigators can narrow the location.

In the case of slain Wall Street Journal reporter Daniel Pearl, investigators traced e-mails sent by his kidnappers to a service provider in an apartment complex in Karachi.

Investigators then asked each subscriber to retrieve their e-mails, and copies of the kidnappers' messages turned up on the laptop of one subscriber, who was then arrested and later convicted.

Jimmy Doyle, a former computer crimes investigator with the New York Police Department, listed a few tools he considers part of Computer Crime Investigator 101:

- Tracerouting, a technique for tracing the path taken by e-mail, Web traffic and other data. Investigators may know the IP address of a Web site; tracerouting helps investigators locate companies providing hosting and other support services.

- Whois databases, which store records on domain names and IP addresses. These records are generally publicly accessible.

Doyle, now director of professional services for Guidance Software Inc., said his company's product, Encase, can also help recover deleted files. Let's say a posting is traced back to a cybercafe or a university. Encase and competitors' products can help recover bits from computers there for additional clues.

Smith said clues can also come from the makeup of Web sites and video posted.

Sophisticated users try to cover their track.

"The problem is that there are so many little ways you have to cover yourself," Smith said, "you could slip up."

Associated PressCopyright 2014 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

Recommended Investigations

Join the discussion