I'm a TV scriptwriter - and not hugely tech-savvy, so please bear with me...

If the police have an email, sent by a suspect over a 3G or 4G network, could they use the IP address (since they know when it was sent) to find out - from the service provider - the precise location the email was sent from?

unor
kjh03

  • +1 for scriptwriters asking for information on this SE. – A. Darwin May 06 '16 at 16:57
  • As a moderator here, let me say WELCOME! We have many discussions about our frustrations regarding how the media represents basic security concepts. I'm sure you will get lots of responses. – schroeder May 06 '16 at 16:58
  • I just tried that from the mobile. I sent an email via Gmail and it contains the IP address I had at the time of sending, so the provider knows the location of my mobile. On the other hand, my mobile must not be nearby me. – ott-- May 06 '16 at 22:22
  • Thank you for not being another "hack the mainframe" writer – May 06 '16 at 22:29
  • I feel like we need to ask about your sender, here. Are they an 'adversary', and attempting to remain hidden? Just a normal person using a phone, on their regular account? Something else? In the first case, there's a number of steps that could be taken to reduce the chance of being located to ~0%. – Clockwork-Muse May 07 '16 at 06:35
  • If the *device* IP is known, and it was a mobile network, then the ISP may associate it with the IMEI of the device and MAC address, and if it was continuously recording location (by triangulating the phone from several cell towers — if it's a *suspect*, then it's likely), then a location could be retrieved from the log, too. Precision can sometimes be very good — up to a few meters. – Display Name May 07 '16 at 11:31
  • What country is the suspect suspected to be in? Also, what country are the investigators in? Different countries have various laws about data capture and retention. Then there is the presence of transparent mobile comm towers, which are normal comms towers managed by various forces which capture all data traffic sent through them on the way to its destination. The UK Govt have confirmed the police control such towers but won't specify what other forces have access to them, and where they are placed. This means that if such a tower was used, the service provider wouldn't need to be contacted. – user3791372 May 07 '16 at 14:33
  • Firstly - thank you all for the replies. And apologies for my tardy response - I thought I'd set up some kind of alert. (I did say I wasn't tech-savvy...!) I'm in the UK, but it's sounding like - realistically - you couldn't track where an email was sent from over 4G (not to an actual pinpoint precise address, anyway, which is what I was going for. But WAY better to find this out now than trying to sort it later). I'll have to find another workaround - much appreciated again folks xx – kjh03 May 07 '16 at 22:09
  • You *could* easily just use a smartphone running Tor, an uncrackable anonymization service, even to the NSA. And the email service could scrub the IP. More likely, the suspect would use something more secure than email like Tor Messenger. – noɥʇʎԀʎzɐɹƆ May 08 '16 at 13:25
  • Relevant: http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/ (maybe less so for mobile, or maybe more so). Alternatively, you could make it a plot point that they get the *wrong* location trying this technique. =D – jpmc26 May 10 '16 at 00:55
  • You just need to learn some Visual Basic. – Lightness Races in Orbit May 10 '16 at 16:07
  • (re-commenting since I've noticed some humourless moderator quietly removed my last attempt at some point without so much as a peep back to me about it - ask first if you don't [get it](https://www.youtube.com/watch?v=hkDD03yeLnU)) – Lightness Races in Orbit May 10 '16 at 16:08

15 Answers

The problem with this scenario is that emails are typically not sent from the device itself, but from a central service.

In order to do what you want, the investigators would have to make a few hops:

  1. to the email service (gets the user account details, including the IP the user used to connect with)
  2. to the ISP the device used at the time of sending (gets the general location of the connecting IP, or if lucky, the known IP of the user's home)

At best, using 3G/4G, investigators might get the cluster of towers the user was in the middle of. No exact location.

BUT, with all that info, it might be possible for investigators to breach the phone's data or the user's other accounts and determine the location of the device using the multitude of location services modern devices have (Find My Phone, Facebook, Instagram, etc.) (Insert a whole host of legal issues currently in the news, like Stingray).

Edit:

You don't specify the country (or reality) you are dealing with. There are some countries that have set up massive detection nets so that every mobile device is physically tracked no matter where it goes. That way, investigators can have a real-time, accurate map of a particular device at any time.

schroeder

  • Which countries have such nets? – Max Murphy May 06 '16 at 20:59
  • I am interested in those "massive detection nets" you talk about. Could you provide more references? – MNLR May 06 '16 at 21:36
  • @MaxMurphy Russia is one place where detection nets are used: http://arstechnica.com/tech-policy/2013/07/moscow-metro-says-new-tracking-system-is-to-find-stolen-phones-no-one-believes-them/ – schroeder May 06 '16 at 21:48
  • @schroeder Many times, the central server in your first statement logs and records what IP address originated the email request. An email I received this morning from someone sending from an AWS EC2 instance through Gmail had this in the header: `Received: from sender.com (ec2-1-2-3-4.us-west-2.compute.amazonaws.com. [1.2.3.4]) by smtp.gmail.com with ESMTPSA id b64123456789abcd.2016.05.26.14.51.25 for ` – uxp May 06 '16 at 23:27
  • @uxp absolutely - but mobile? – schroeder May 06 '16 at 23:32
  • @schroeder What's the difference? If a user of Gmail/Hotmail/etc sends an email via their phone's email app, they're connecting, authenticating, and communicating in the exact same way a Python script running on EC2 is. If they're connecting via their provider's native app, then the provider will additionally know what IP they are authenticating with, if not more metadata, than if they visited the provider's webmail app on their phone. I'm 90% sure even webmail sent from Gmail includes the browser's IP. All of this disregarding any proxy/obfuscation, of course. – uxp May 07 '16 at 00:37
  • Right. Even if the connecting IP isn't in the email headers, the mail provider will have it logged and will be able to produce it for law enforcement easily enough. Then they can go straight to the carrier and ask where the phone was or is. – Michael Hampton May 07 '16 at 02:30
  • Russia, USA, China. – Mark Buffalo May 07 '16 at 13:53
  • Also probably the UK. We sort of know the monitoring stations exist but we're not entirely sure of their capabilities. Also, unlike the US, nobody's come forward claiming to have installed government controlled routers and switches into privately owned telco networks. Although, to be fair, given the secrecy it's unlikely the operators of the UK's ECHELON networks will share info with the police. They might share them with US federal agents. – slebetman May 09 '16 at 08:51
  • @slebetman: actually, it's much worse. Not only the [US and UK](https://en.wikipedia.org/wiki/Five_Eyes#Future_enlargement). – Trang Oul May 09 '16 at 10:01
  • From your answer I guess it would be a precise location; how about a scheduled message triggered at a particular location, and the hacker left the area? – BlueBerry - Vignesh4303 May 12 '16 at 10:13
  • Those detection nets are now being experimented with in busy shopping streets as well. At least Citytraffic does this, and something like this has been done with WiFi for a while now. [Link (in Dutch)](http://nos.nl/artikel/2111510-utrecht-onderzoekt-volgen-van-winkelend-publiek-via-smartphone.html). – Mast Jun 26 '16 at 14:38

> If the police have an email, sent by a suspect over a 3G or 4G network, could they use the IP address (since they know when it was sent) to find out - from the service provider - the precise location the email was sent from?

Yes, this is very easy. However... the key word here is "precise location." Not exactly. Not unless the phone is hacked.


Government Options

If you're looking for evidence of governments assisting law enforcement with locating devices, then you'd be looking for the NSA's Treasure Map program. This is available to cleared law enforcement personnel, mostly FBI/DEA, but I wouldn't be surprised if they also assist local law enforcement.

The NSA shares intelligence data with local law enforcement and helps them utilize parallel construction to make their cases.


ISP & Normal Law Enforcement options

Schroeder covered this pretty well, but let me add to it:

Since you're writing for TV, I feel you should know this part to make it seem more realistic. Anyone can walk into Walmart and buy a throwaway smartphone or dumbphone. From there, they can go to the nearest open wifi, and register under fake credentials. Fake name, fake address, fake everything else. And they can use a prepaid credit card that they purchased with cash to register the device(s).

So you won't be able to find their actual address, or even know who they are, unless you hack the phone (normally a smartphone).

However, if you know the general time-frame that someone bought and created the account, you can request evidence from Walmart, and they're usually almost always happy to help law enforcement. They'll be able to review the security footage to see who bought that device, and when.

But how will they find the time frame? Walmart, and other major retailers, keep track of when things are sold, right down to the very minute. You know when you return an item? They know, because the information is stored in their databases, and looking up the bar code of the receipt is possible. It shows when the purchases happened.

Doing a bit of investigation will probably reveal that the account for that phone was registered at a specific time. If the phone was registered at a specific time, then it may be likely that the perp purchased that phone at a nearby store.

Bringing up a list of stores in close proximity to the open wifi where you registered the phone may reveal where the perp purchased the device. You can then go in and request security footage to look for anyone purchasing the phone(s) in the electronics departments. Better yet, the place with open Wi-Fi may have you on camera at the time you registered.


Other Perp-Locating Options

And then there's Stingray, an IMSI-Catcher.

Since you know the perp's IP, you can likely find the perp's carrier. With the perp's carrier providing the phone number used by that IP address on their network, bringing up your actual cell phone number is not hard. In fact, if you know of an area that the perp has hung out at, you can use a Stingray device to perform a man-in-the-middle attack on the suspect without him realizing it.

Every mobile phone has the requirement to optimize the reception. If there is more than one base station of the subscribed network operator accessible, it will always choose the one with the strongest signal. An IMSI-catcher masquerades as a base station and causes every mobile phone of the simulated network operator within a defined radius to log in. With the help of a special identity request, it is able to force the transmission of the IMSI.

An IMSI catcher is an incredibly easy-to-use, one-button-fatality-man-in-the-Middle-attack-in-a-box. It allows law enforcement and intelligence agencies to act as a tower to catch communications. Having personally seen one in use, I can attest to their effectiveness.

Using normal tools, even those that don't require the help of the NSA, providers can generally help you find the location of any given phone at any given time. It knows the closest tower you're connected to at that time.

If you're able to force the location feature to turn on, which law enforcement can do... how do you think 911 finds you when you can't tell them where you are because you don't know? They can know the general area you're at, within a few hundred feet.


IP Address Geo-Location in USA and China. NEVER rely on this!

While, yes, it's certainly possible to geolocate a phone's IP address, you should not rely on this because the information returned can be wildly incorrect. Your assigned IP address, even if you're somewhere else at the moment, could be shown as elsewhere.

In fact, when I travel all over the place, and tried to geolocate my IP address, it was always located in the city I registered in. I've tested this both in China, and in the USA. I could be 2000 miles away, but the phone's IP address geolocates to a different state/province.

Mark Buffalo

  • Can normal citizens buy that device, as that device can also be used to do a type of fraud? Let's say we install that device; now phones around that device (fake base station) will try to log in with that device, and the login credentials can be saved on the computer, and later a device and SIM card can be created with that data (like phishing on the web). – Ravinder Payal May 07 '16 at 09:57
  • I don't think that things like Stingray and IMSI catchers can work backwards in time, can they? – Hagen von Eitzen May 07 '16 at 21:28
  • Treasuremap, xkeyscore and prism do. But this is how you'd catch a perp in real time. – Mark Buffalo May 08 '16 at 00:15
  • I think your prepaid cc angle is busted. Last I checked they come empty. You have to use another credit card online to charge them. l0) Also, it might be interesting to explore the inability to access the carnivore records and the need to use a hack. E.g. 60 Minutes had a recent piece where some security researchers cracked into a congressman's phone, as a test, with his permission. The script might have a PI using a network of clandestine hackers to track the bad guy. http://www.cbsnews.com/videos/hacking-your-phone. I don't know the law but think the carnivore is open to national security only – maxweber May 09 '16 at 19:55
  • Another angle could be if they are in some common company. Companies often use MDA (mobile nanny software) and it could run all traffic through a proxy owned by the company which also logs stuff. So, it would know at least what worker sent the email and when, and maybe could do some of the stuff the other people mention to find the location. Well, I think many if not most companies now track the PHONE location (maybe not legal to track the employee, but they do require you to always have the phone and have it on :-). So, companies in service industries like repair would know the exact location within a meter or two. – maxweber May 09 '16 at 20:14
  • Prepaid 'burner' phones and their drawbacks when trying to get a real-time fix on them have been extensively (and quite accurately) covered by The Wire, a series from a couple of years back. – Mast May 10 '16 at 15:36
  • Stingrays are controversial and secret enough that the FBI has [at least considered](https://theintercept.com/2016/05/02/fbi-chooses-secrecy-over-locking-up-criminals/) dropping a case rather than telling the judge about it. – Kevin May 11 '16 at 04:57
  • Relevant (to IP Geolocation being wildly incorrect): [How an internet mapping glitch turned a random Kansas farm into a digital hell](http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/) – RobIII May 12 '16 at 09:26

There's another common way that email leaks location information. If the email includes a photograph that was taken on a smartphone, the photo will usually have location information embedded. Since you're writing the story, you might contrive to have the sender email a photo for some reason.

The JPEG standard (used for virtually all mobile phone photos) contains EXIF data by default. This is mostly technical information about the picture, but it includes all kinds of forensically relevant details, including the camera's make, model, and serial number, the user's name, the f-stop, shutter speed, and the exact time the photo was taken. When the photo is sent, or uploaded to a photo sharing service, all that EXIF data invisibly travels with the image.

Most phones with cameras and GPS units, including all iPhones and Android phones, can include the precise lat/lon coordinates of where the photo was taken. This is called geotagging, and the data is inserted along with the rest of the EXIF data. This option may be turned on by default or set when someone is setting up their phone, and most people are unaware it even exists.

Having the phone include location data with the image is an option that can be turned off, and the EXIF data is easily removed. But I've found that most people prefer the convenience of having their photos geotagged, or they don't care about it and then forget it exists.

Viewing the EXIF data is also very easy, as there are literally hundreds of phone apps and viewers available, many for free. Non-technical people are able to use them, so it doesn't require a forensic scientist or computer nerd to be the one to "crack the case".

John Deters

  • Note: Some mail providers (read as: 'way toooo much') remove EXIF data and modify (compress) attachments, especially images. At one of my jobs we used to send images with embedded data inside them but quickly found out many users experienced problems because mail providers were compressing images from incoming mails. – Rolf ツ May 06 '16 at 23:36
  • @Rolfツ, sure, but this is for a TV script. The investigator only has to jump over the hurdles the scriptwriter puts in his or her way. :-) It also depends on whether the image is inline or an attachment. Most attachments aren't stripped like that. – John Deters May 07 '16 at 00:02
  • *Anybody* in their right mind will not enable access to location data by default when activating a new phone. A criminal being careful enough to buy a throwaway phone certainly won't. – Hagen von Eitzen May 07 '16 at 21:32
  • `This option is turned on by default` I'd say citation needed! Here in Europe, at least with Samsung Galaxy S4/5/7 devices I've seen from several different carriers, the option is turned off by default! – AndrejaKo May 09 '16 at 13:41
  • @HagenvonEitzen, the average person who is caught committing a crime is not a career criminal, and rarely thinks to cover their tracks in advance of committing the crime. Besides, the request is for a TV script. The script writer can choose to make the person behave in any way they see fit. – John Deters May 09 '16 at 20:12
  • @AndrejaKo, noted and updated my answer. – John Deters May 09 '16 at 20:12
  • For those of you doubting the viability of this, it has happened: https://nakedsecurity.sophos.com/2012/12/03/john-mcafee-location-exif/ – Twinkles May 10 '16 at 12:46

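To make the geotag leak in the answer above concrete, here is an added example (written for this page, not code from the answer or from any library) that walks the Exif APP1 segment of a JPEG with the standard library only, reads the latitude and longitude out of the GPS sub-IFD, and also strips the segment so the image can be forwarded without the location. The image and its coordinates are constructed inline; real phone photos carry the same structure with many more tags.

```python
"""Detect and strip the GPS geotag in a JPEG's Exif APP1 segment (stdlib only)."""
import struct

SOI = b"\xff\xd8"
APP1 = 0xE1
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                      # IFD0 entry pointing at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment up to the start of scan."""
    pos = 2                                # skip SOI
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:                 # SOS: entropy-coded image data follows
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # includes itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _is_exif(jpeg, marker, start):
    return marker == APP1 and jpeg[start + 4:start + 10] == EXIF_HEADER

def _read_ifd(tiff, offset, bo):
    """Return {tag: (type, count, 4 raw value/offset bytes)} for the IFD at offset."""
    count = struct.unpack(bo + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(bo + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries

def _rationals(tiff, bo, entry):
    """Read a RATIONAL array; 3 rationals (24 bytes) never fit inline, so follow the offset."""
    _typ, n, raw = entry
    off = struct.unpack(bo + "I", raw)[0]
    out = []
    for i in range(n):
        num, den = struct.unpack(bo + "II", tiff[off + 8 * i:off + 8 * i + 8])
        out.append(num / den if den else 0.0)
    return out

def _dms_to_decimal(dms, ref):
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value

def gps_coordinates(jpeg):
    """Return (lat, lon) in decimal degrees, or None when the image carries no geotag."""
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]                # TIFF structure after "Exif\0\0"
        bo = "<" if tiff[:2] == b"II" else ">"     # byte order: Intel or Motorola
        ifd0 = _read_ifd(tiff, struct.unpack(bo + "I", tiff[4:8])[0], bo)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(bo + "I", ifd0[TAG_GPS_IFD][2])[0], bo)
        if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
            return None
        lat = _dms_to_decimal(_rationals(tiff, bo, gps[TAG_LAT]), gps[TAG_LAT_REF][2][:1].decode())
        lon = _dms_to_decimal(_rationals(tiff, bo, gps[TAG_LON]), gps[TAG_LON_REF][2][:1].decode())
        return round(lat, 6), round(lon, 6)
    return None

def strip_exif(jpeg):
    """Copy of the JPEG with every Exif APP1 segment (and so the geotag) removed."""
    out = bytearray(jpeg[:2])
    tail = 2
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
        tail = end
    out += jpeg[tail:]                             # SOS, scan data and EOI unchanged
    return bytes(out)

def build_sample_jpeg():
    """Constructed test image: SOI, Exif APP1 with a GPS IFD, a dummy SOS, EOI.
    Coordinates 51 30' 26" N, 0 7' 39" W are made up for the example."""
    bo = ">"
    entry = lambda tag, typ, n, val: struct.pack(bo + "HHI", tag, typ, n) + val
    rats = lambda *pairs: b"".join(struct.pack(bo + "II", n, d) for n, d in pairs)
    ifd0 = (struct.pack(bo + "H", 1) + entry(TAG_GPS_IFD, 4, 1, struct.pack(bo + "I", 26))
            + struct.pack(bo + "I", 0))            # TIFF bytes 8..26, GPS IFD at 26
    gps = (struct.pack(bo + "H", 4)
           + entry(TAG_LAT_REF, 2, 2, b"N\x00\x00\x00")
           + entry(TAG_LAT, 5, 3, struct.pack(bo + "I", 80))
           + entry(TAG_LON_REF, 2, 2, b"W\x00\x00\x00")
           + entry(TAG_LON, 5, 3, struct.pack(bo + "I", 104))
           + struct.pack(bo + "I", 0))            # TIFF bytes 26..80, rationals at 80/104
    tiff = (b"MM\x00\x2a" + struct.pack(bo + "I", 8) + ifd0 + gps
            + rats((51, 1), (30, 1), (26, 1)) + rats((0, 1), (7, 1), (39, 1)))
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + len(EXIF_HEADER) + len(tiff)) + EXIF_HEADER + tiff
    return SOI + app1 + b"\xff\xda\x00\x02" + b"\x12\x34" + b"\xff\xd9"
```

`gps_coordinates(open("photo.jpg", "rb").read())` on a real geotagged phone photo returns the same kind of pair; `strip_exif` is the defensive counterpart, and it removes the whole Exif block (camera serial, timestamps) rather than just the GPS tags.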
In addition to what @schroeder wrote, I would like to point out a few things about geolocation.

Among other things, a CDR (Call Detail Record) contains information about the cell tower used by the mobile phone at the time. Note that a cell tower can cover an area of about one square mile, or more.

In some countries, mobile operators might always be able to store (in other countries, this may only be possible with a warrant) the strength of the signal received by the closest cell towers. Under certain conditions, they can use triangulation in order to obtain a higher accuracy in the location from which the email was sent. In other countries, as I have already said, mobile operators might triangulate a user only after a warrant. In this case, the police may obtain the current position of the phone as follows:

  1. Police obtain the IP address from the email servers;
  2. using the IP address, they identify the mobile phone;
  3. police obtain a warrant, send it to the operator, and if the phone is still on, they can triangulate it to its current position.

Another thing that is theoretically possible works like this. Every device which can be connected to the Internet, including a smartphone, has a MAC address.

Now, if you connect to a public Wi-Fi network, the access point (basically, the device which connects the users to an ADSL connection or whatever used by the Wi-Fi owner) may choose to log the MAC addresses of its users and store them for some time.

If this is legal (no idea), and the log is stored for a long enough period of time, and if the mobile phone used that Wi-Fi network, the police may find the cell used by the mobile phone, ask the access point owner for the MAC address log (this may require a warrant, I really don't know) and confirm that the user actually used that Wi-Fi network. Since a typical access point has a range of 100 meters or so, this may narrow down the area. If the police are really lucky, they might even be able to identify the user (who may use a phone whose owner is another person, e.g. borrowed or stolen) by checking the footage from surrounding CCTV cameras.

Please note that, in most cases, these investigations require a significant amount of luck, time, and/or warrants. Plus, a lot of these techniques can be defeated by a skilled criminal, so if the suspect is a "hacker" he/she can further complicate the process.

A. Darwin

  • But someone can also spoof a MAC address easily. As Android is open source, we can hard code a specific fake MAC address in the device (the same way for IMEI and other info also). – Ravinder Payal May 07 '16 at 10:03
  • @Ravinder Payal I know, that's why I wrote the last sentence. It really depends on the skill of the suspect. If he is just a low-level criminal, with no technical skills, these techniques can work; otherwise they can be thwarted and the chance of locating the suspect almost drops to zero. – A. Darwin May 07 '16 at 15:11

Earlier answers already describe the process of using triangulation to pinpoint the location of a specific phone better than I could describe it. However there is very little said about whether the investigators can figure out which exact phone the mail was sent from.

In traditional mail services where the user runs an email client on their device and uses SMTP to send the email to the server, the server will usually include the IP address of the client in the mail headers.

In cloud services where the user accesses email through a web browser or a vendor specific email app and uses HTTP or HTTPS to send the email to the server, the server will usually not include the IP address of the client in the mail headers.

In the latter case it is very likely that with a warrant the investigator could get the IP address through the cloud service provider.

But there is another question as to whether the IP address obtained in one of the two ways mentioned above will pinpoint the exact phone.

If your story is set somewhere between 2010 and 2020 it is quite likely that the internet provider is using carrier grade NAT due to shortage of IP addresses. And this can get in the way of figuring out which phone was connected to the server.

The eventual shortage of IP addresses was recognized by network engineers in the early 90s. By 1998 a solution was ready in the new IPv6 standard intended to replace the old IPv4 standard. But rather than working on the upgrade, most internet providers have chosen to deploy carrier grade NAT instead, which will allow them to share a single IPv4 address between hundreds or thousands of users, though from the user's perspective this will be a bit less reliable.

In case the internet provider the phone is connected to is already upgraded to the new IPv6 protocol, but the mail service only supports IPv4, the internet provider most likely uses NAT64. That is a kind of carrier grade NAT which happens to also translate packets between IPv4 and IPv6.

In terms of your storyline, NAT64 would be no different from carrier grade NAT. Though there could be some interesting arguments between investigator, mail provider, and internet provider as to who is responsible for the inability to find out which exact phone the email originated from. The internet provider could make a sound technical argument that the responsibility lies with the mail provider for not upgrading to IPv6. The mail provider would argue that they plan to do that a few months after everybody else has done it.

If you are going to have specific IP addresses show up in your script, there are three ranges of IPv4 addresses and one range of IPv6 addresses that you can use without worrying about the addresses belonging to somebody in particular.

  • 192.0.2.0 - 192.0.2.255
  • 198.51.100.0 - 198.51.100.255
  • 203.0.113.0 - 203.0.113.255
  • 2001:db8:: - 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff
kasperd

  • +1 for the IPv6 argument between the parties – Ángel May 07 '16 at 21:31
  • Those are the IP equivalents of 555 phone numbers :) – Hagen von Eitzen May 07 '16 at 21:36
  • @HagenvonEitzen To the best of my knowledge, yes. But I don't know if the 555 numbers are officially reserved for such a purpose. – kasperd May 07 '16 at 21:47
  • It would be funny to also use a 10.* address. The computer folks would get a good laugh out of it. You can also use 0100-0199 ending phone numbers I think, xxx-867-5309, and other famous numbers. I think. – maxweber May 10 '16 at 13:50
  • [555 or KLondike 5](https://en.wikipedia.org/wiki/555_(telephone_number)) has been an official fictitious prefix in the North American Numbering Plan for decades. But since the 1990s it's only 555-0100 through 555-0199 that are reserved. – Michael Hampton May 15 '16 at 11:49

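As an added example (written for this page, not code from this answer or from any mail software), the following stand-alone Python takes the two points made above, uxp's `Received:` header in the comments on the first answer and the carrier grade NAT problem here: it parses the `Received:` chain of a constructed message, pulls out the client IP the first server actually observed (the `from` name before it is whatever the client claimed in EHLO and is not evidence), and classifies that IP. An address in 100.64.0.0/10, the RFC 6598 shared range that carrier grade NAT hands out, tells the investigator the ISP will need the source port and timestamp, not just the IP, to map it to one subscriber. All hostnames and addresses are constructed from the documentation and shared ranges.

```python
"""Extract the originating client IP from a Received: chain and classify it."""
import email
import ipaddress
import re

# RFC 6598 shared address space: the range carrier grade NAT assigns to subscribers.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 5737 / RFC 3849 documentation ranges, the ones listed in the answer above.
DOCUMENTATION = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]

# "from <helo-name> (<reverse-dns> [<ip>])" as written by Postfix, Sendmail and Gmail.
# helo-name is client-supplied; only the bracketed IP is what the server saw.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[]+)\s+)?\[(?:IPv6:)?(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE)

# Constructed sample: two hops, newest header first, as a receiving server would store them.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.5])
    by mail.example.org with ESMTPS id constructed01;
    Thu, 26 May 2016 14:51:25 -0700 (PDT)
Received: from [192.0.2.77] (unknown [100.64.12.34])
    by mx.example.net with ESMTPSA id constructed02;
    Thu, 26 May 2016 14:51:20 -0700 (PDT)
From: sender@example.net
To: recipient@example.org
Subject: constructed sample

body text
"""


def received_hops(raw_message):
    """Parse every Received: header, newest first, into (helo, rdns, ip) tuples."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(re.sub(r"\s+", " ", value))   # unfold continuation lines
        if m:
            hops.append((m["helo"], m["rdns"], m["ip"]))
    return hops


def originating_ip(raw_message):
    """Client IP recorded by the first server in the chain (the last Received: header).
    Only headers added by servers you trust count; anything below them can be forged."""
    hops = received_hops(raw_message)
    return hops[-1][2] if hops else None


def classify(ip_text):
    """Say what kind of address this is so the next step of the investigation is clear."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if any(ip in net for net in DOCUMENTATION):
        return "documentation"          # safe to show on screen, belongs to nobody
    if ip in CGNAT_SHARED:
        return "cgnat-shared"           # ISP must resolve (ip, port, time) to a subscriber
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"                # RFC 1918 etc.: sent from inside some LAN/Wi-Fi
    return "public"                     # WHOIS gives the ISP; the ISP maps it to a customer
```

Run against a real message, a `cgnat-shared` or `private` result is the point where the IP alone stops identifying a device and the request to the provider has to include port and time.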
Speaking as a wireless telecom professional, the answer to your question depends on how precise you expect the location to be.

  • With minimal effort (and a legal obligation to do so), I can tell exactly which cellsite(s) you were using, which narrows your location down to a particular geographic area. And we don't even need to know the IP Address, we just need the mobile number. If the phone was on and actively communicating with the network, the provider should be able to determine your general location. The coverage of a specific site can vary from a radius of less than 0.2 miles in the middle of a city to more than 10 miles in very rural areas (more rural locations will have fewer sites so each site will have a large coverage footprint).
  • If you need more exact location, then your mileage may vary
    • With some additional info, the provider may be able to estimate how far you were from the site (this depends on the technology that the provider uses).
    • More specific locations are difficult. In the US, emergency calls (911) are able to be located with reasonable accuracy (usually <50m), however, locations with that accuracy can only be generated if you call 911. If you don't the info isn't readily available.
    • Additional tools used by wireless providers to help with traffic analysis can sometimes locate a specific device within 50 to 100m, but it is not a guaranteed location, just an estimate used for planning purposes.

To wrap it up, the idea that you can be precisely located is probably an invention of TV and Movies. Wireless network providers are limited in what info can be obtained due to privacy limitation and general limitation of the network itself.

You should be able to be located to a specific town (unless you are in a very rural area where a specific site covers several towns). In more urban areas you may be able to be located within a 2 or 3 block area, but pinpointing a specific address is not really feasible (except during a real time emergency call when your device explicitly provides your specific location via GPS).

To clarify, the above assumes the device was not previously being monitored by law enforcement based on my interpretation of the question (that the user was not specifically being monitored beforehand).

In general, detailed location information is not provided to the network and is not stored, so it cannot be obtained after the fact by law enforcement.

However, if a specific device was specifically being monitored by law enforcement (with a warrant or legal right to do so), additional information may be extracted in real time. The accuracy of this location is still related to the density of the network. In a dense urban area, in which you are within range of multiple cell sites, you can be located within a reasonable distance (<50 meters), but the less dense the network is, the fewer cell sites can see your mobile device, and the location becomes less and less accurate.

But the concept of precision (GPS-level) accuracy in real-time is still not realistic and cannot be obtained through traditional means.

psubsee2003

  • Even phones w/o GPS are required by law to be precisely locatable. So most of the time they are. Proof: https://consumerist.com/2007/09/12/verizon-is-taking-my-phone-away-because-it-doesnt-have-gps/ – WHO's NoToOldRx4CovidIsMurder May 08 '16 at 00:50
  • @MatthewElvey that is required for 911 purposes only due to US regulations. I can tell you, if you don't dial 911, the network operator does not know "precisely" where you are. If they did, my job would be infinitely easier (and if you did dial 911, only the 911 call center really has that exact info) – psubsee2003 May 08 '16 at 01:08
  • But the question isn't what info a TelCo Project Manager can obtain. It's what location info a LEO can obtain. Certainly the OS in the main mobile platforms usually knows quite precisely where a given mobile is. – WHO's NoToOldRx4CovidIsMurder May 18 '16 at 22:45
  • @MatthewElvey depends on your definition of precise. Precise in terms of GPS accuracy, no. Only the phone knows that and the phone doesn't provide that info due to privacy issues. Beyond that it depends greatly on the mobile technology. In a CDMA network, you can be located pretty well in a dense area with a lot of sites. But in something in the 3GPP family (GSM/UMTS/LTE), there's not a lot of info that can be extracted in real time without a lot of post processing and guesswork. – psubsee2003 May 18 '16 at 23:08
  • @MatthewElvey I did clarify my answer a bit as my original answer assumed the device was not previously being monitored by law enforcement. If law enforcement did have a warrant to monitor the device it could be located in real time with similar accuracy as a 911 call. But it would still not be GPS-level accuracy. – psubsee2003 May 19 '16 at 00:19
  • @pubsee2003 You appear to be ignorant of or trying to cover up the existence of DROPOUTJEEP, MONKEYCALENDAR, PICASSO, TOTEGHOSTLY, WATERWITCH, WARRIOR PRIDE, TRACKER SMURF, etc. MONKEYCALENDAR is software used by law enforcement that transmits a mobile phone's location by hidden text message. TRACKER SMURF provides "high-precision geolocation". Not just as accurate as the phone's normal GPS subsystem. More accurate - as accurate as the Wi-Fi assisted location systems. – WHO's NoToOldRx4CovidIsMurder May 26 '16 at 09:33
  • Do regular police have access to this? Yes. See @Mark Buffalo's answer. (Also, there's another possible way to get super-high-precision geolocation: Perhaps the NSA can reprogram a phone to use the military-encoded GPS signals.) – WHO's NoToOldRx4CovidIsMurder May 26 '16 at 09:34
  • What about DROPOUTJEEP, MONKEYCALENDAR, PICASSO, TOTEGHOSTLY, WATERWITCH, WARRIOR PRIDE, TRACKER SMURF, etc.? MONKEYCALENDAR is software used by law enforcement that transmits a mobile phone's location by hidden text message. TRACKER SMURF provides "high-precision geolocation". Not just as accurate as the phone's normal GPS subsystem. More accurate - as accurate as the Wi-Fi assisted location systems. I guess SE is hiding comments disclosing this info due to down votes? – WHO's NoToOldRx4CovidIsMurder Jun 17 '16 at 15:12

Well, if he was already a suspect, you wouldn't need the email to begin with. The investigators could have been watching their mobile phone wanderabouts the whole time (or another agency has already put this guy on watch, and thus the mobile has more data about it).

The other option is that you have an email, but no idea who the criminal is (for example, “They kidnapped my child and now I received this ransom email from kjh03@gmail.com saying they are holding him in Eastasia…”).

Assuming the email was sent through SMTP and not by webmail, the IP address from which it was sent would be directly available to the investigators (show some Received: lines here).

Additionally, they could gather more information from the email provider (Google here), which could provide more information, in addition to other IP addresses from which he has connected, such as a phone number used for account recovery (if they have been dumb), the registration date (the day before, quite uninteresting), that the language used in the signup was German (this would be useful), maybe even a Google Maps search for an isolated place that would be ideal for hiding someone (make them receive this when the guy is about to kill the poor boy)…

As stated before, geolocation is unreliable for determining where the suspect is (albeit immediate, so I would expect them to query it anyway), but it can be used to know where it isn't. If the IP address is geolocated to the city where the crime was committed, that means the criminal sent it from there, not from Eastasia! That was probably a bluff.

Once they have the IP address(es), they will ask the Internet provider (with a court order) who was using that address at that time. If it was accessed through 3G/4G, then they could ask for the location of such phone at the time of sending, and discover which tower serviced it (they also asked where it was now, but it's currently powered off).

However, it is also possible that he wasn't connecting through 3G, but through Wi-Fi (or that some of the multiple IP addresses they got from Gmail / several exchanged emails were). Maybe it turns out to belong to Starbucks. They may then quite confidently assume -something they could check by connecting themselves from there- that it was sent from the only Starbucks premises in town (later they will find that the phone card was bought in a nearby supermarket). Or it may be a local coffee shop that happens to host their website on the same IP address used to NAT the connections on their free Wi-Fi (not a good setup, but it was installed by the owner's nephew, and they only have one IP address). Thus, just entering the IP address in a browser they would learn the precise place from which it was sent, with no delays from legal roundtrips.

Knowing the store "from" which the email was sent may or may not be too useful. There could be interesting footage from security cameras. Perhaps he only went there once. Maybe he lives nearby, or is even able to connect from his home.

Naturally, if the criminal connects repeatedly from there, they can put it on surveillance, as well as immediately going there as soon as a new email is received.

Ángel
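The Received: chain that Ángel's answer refers to, walked in code as an added example for this thread (not code from the answer): each relay prepends its own Received: line, so the last header is the hop nearest the sender, and the first routable address in its "from" clause is the best candidate for where the mail was submitted from. The message, the .invalid hostnames and the RFC 5737 documentation addresses are all constructed and stand in for real ones.

```python
import email
import ipaddress
import re
from email.policy import default
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the thread). Hostnames use the
# reserved .invalid TLD; the bracketed addresses are RFC 5737 documentation
# addresses standing in for real public ones.
SAMPLE_MESSAGE = """\
Received: from mail-1.webmail.invalid (mail-1.webmail.invalid [203.0.113.7])
\tby mx.police.invalid with ESMTPS id abc123;
\tFri, 06 May 2016 09:56:24 +0000
Received: from [192.168.1.23] (dyn-42.mobile.invalid [198.51.100.42])
\tby mail-1.webmail.invalid with ESMTPSA id def456;
\tFri, 06 May 2016 09:56:20 +0000
From: suspect@webmail.invalid
To: victim@police.invalid
Subject: ransom

We are holding him in Eastasia.
"""

BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Addresses that cannot be the public side of the sender's connection.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16")]                  # loopback, link-local


def received_hops(raw):
    """Received: lines oldest-first, folding whitespace collapsed. Each relay
    prepends its own line, so the last header is the hop nearest the sender."""
    msg = email.message_from_string(raw, policy=default)
    return [" ".join(str(h).split()) for h in reversed(msg.get_all("Received", []))]


def parse_hop(hop):
    """Return the bracketed IPs in the 'from' clause and the relay's timestamp."""
    from_part, _, rest = hop.partition(" by ")
    ips = [ipaddress.ip_address(s) for s in BRACKET_IP.findall(from_part)]
    when = parsedate_to_datetime(rest.rsplit(";", 1)[1].strip()) if ";" in rest else None
    return ips, when


def originating_ip(raw):
    """First routable 'from' address walking up from the sender, with the time
    the relay recorded it. Only lines added by relays you trust are reliable:
    anything below the first trusted hop could have been written by the sender."""
    for hop in received_hops(raw):
        ips, when = parse_hop(hop)
        for ip in ips:
            if not any(ip in net for net in NON_ROUTABLE):
                return str(ip), when
    return None, None


if __name__ == "__main__":
    print(originating_ip(SAMPLE_MESSAGE))   # 198.51.100.42, seen 09:56:20 UTC
```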
0

Around ten years ago it was more likely. Back then, many free website-based e-mail providers (including Yahoo) added the IP address of the machine the e-mail was sent from to the e-mail header. I didn't check what every provider does now, but I would guess most providers now put the IP of their server instead of the sender's machine into the header. If I remember correctly, gmail was among the first webmails to do so.

This means that if the sender is not very tech-savvy, does not actively try to hide (by using proxies or whatever), and is using a relatively low-quality free web-based service, it can happen that the sender machine's IP address is added to the e-mail header. And, depending on the internet provider, it might be a static IP address easily linked to a specific household. Much more likely to happen in the early 2000's than now.

vsz
0

There are really a couple of things involved here, that probably involve different companies.

Firstly there is the originating IP address, usually not a hard problem (at least as far as finding the originating mail server).

Most of the better behaved servers will prepend this information in the email header before passing the mail on (There are ways around this). Fire up your email and select to view headers or view entire message to get a flavour of what is in there.

Now, time was, people ran their own mail clients, and the headers would tell you their IP address more or less easily (NAT being the slight issue), but these days most mail is sent from one of the big webmail companies, gmail, windows live, whatever, so actually getting the IP address of the sender's terminal device is a second level of pain, possibly involving asking a web mail company to cough it up.

So, an IP we can (possibly) get from an email, if the companies in question either cooperate or can be beaten with a lawyer.

Then you look up that IP address in the whois database and find it is in a mobile phone company's address space, so you contact the phone company, which is where things get interesting:

A cell phone can be located (roughly) given its IMSI number (and there are ways to get that from a phone number), either from the cellular network's logs, or in real time if you have access to the SS7 network that the phone companies use for out of band call management (There is even a command in the SS7 extensions for mobile call handling that pretty much exists to make intelligence gathering easier).

Doing this for historical data requires logs from the phone companies or requires you to be the sort of actor who can get the gear at the phone switches to store the SS7 data directly. Doing this live just requires that you be on the SS7 network and that you have peering in place, and that can just be bought (There are companies who offer cell phone tracking as a service).

Accuracy depends on the ability to triangulate in the basic case, but GPS can help (911 and such), which can actually be leveraged from the SS7 network because the security on the relevant queries is basically broken (The request has a field that you control for the authorising party, but the data can be delivered elsewhere.....).

So, Phone number or IMSI -> location is basically either a legal request to the cell company or some work on the SS7 network.

Now the IP address -> IMSI is probably also a phone company matter, so that is again legal paperwork, but (and this is a big but) the odds are pretty good that the phone company has many, many users sharing that address, so you are not going to get one IMSI but many, and worse there is an excellent chance they will be geographically clustered!

Now, you may be able to get a list of all those IMSIs and then try to match the one connected to gmail or whoever at exactly 09:56:24, but the judge (if they are doing their job) may feel that getting the whole list is too broad!

So, conceptually yes, but you need a cooperative phone company who are keeping the appropriate logs, an originating mail service who will cooperate and probably a judge who will sign the paperwork without reading it.

There is a fun video demonstrating some SS7 shenanigans here (From the chaos computer club conference a few years back): https://www.youtube.com/watch?v=lQ0I5tl0YLY

I would however warn against trying to fake the talk about this sort of thing, it ALWAYS comes off as slightly 'wrong' to anyone who actually knows what they are doing (This among other reasons is why CSI is unwatchable, and Clancy jarring to read).

HTH.

Regards, Dan.

Dan Mills
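Dan Mills's point that one mobile address is shared by many subscribers, worked as an added example (not code from the answer): a constructed carrier-grade NAT log, with placeholder subscriber labels instead of real IMSIs, is queried with the address and timestamp a mail provider would hand over. The timestamp alone leaves several candidates and clock drift between the two logs widens the list; the request narrows to one subscriber only if the mail provider also logged the source port (as RFC 6302 recommends), because the carrier hands each subscriber a distinct port block.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class NatSession:
    subscriber: str   # constructed placeholder, not a real IMSI
    public_ip: str
    port_lo: int      # source-port block handed to this subscriber
    port_hi: int
    start: datetime
    end: datetime


def ts(s):
    """Parse a constructed log timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed CGNAT log: four subscribers behind one public address (an RFC
# 5737 documentation address), each with its own port block, plus one behind
# a different address.
CGNAT_LOG = [
    NatSession("SUB-A", "198.51.100.42", 1024, 2047, ts("2016-05-06 09:50:00"), ts("2016-05-06 10:05:00")),
    NatSession("SUB-B", "198.51.100.42", 2048, 3071, ts("2016-05-06 09:55:10"), ts("2016-05-06 09:57:00")),
    NatSession("SUB-C", "198.51.100.42", 3072, 4095, ts("2016-05-06 09:30:00"), ts("2016-05-06 09:56:00")),
    NatSession("SUB-D", "198.51.100.42", 4096, 5119, ts("2016-05-06 09:56:00"), ts("2016-05-06 11:00:00")),
    NatSession("SUB-E", "203.0.113.9", 1024, 2047, ts("2016-05-06 09:56:00"), ts("2016-05-06 11:00:00")),
]


def candidates(log, public_ip, when, source_port=None, skew_seconds=0):
    """Subscribers who could have been behind public_ip at `when`.

    skew_seconds widens the window to allow for clock drift between the
    mail provider's log and the carrier's; source_port, when the mail
    provider recorded it, selects the port block and hence one subscriber.
    """
    lo = when - timedelta(seconds=skew_seconds)
    hi = when + timedelta(seconds=skew_seconds)
    found = []
    for s in log:
        if s.public_ip != public_ip:
            continue
        if s.end < lo or s.start > hi:      # session not open in the window
            continue
        if source_port is not None and not (s.port_lo <= source_port <= s.port_hi):
            continue
        found.append(s.subscriber)
    return sorted(found)


if __name__ == "__main__":
    seen = ts("2016-05-06 09:56:24")   # time the mail provider logged the submission
    print(candidates(CGNAT_LOG, "198.51.100.42", seen))                   # ['SUB-A', 'SUB-B', 'SUB-D']
    print(candidates(CGNAT_LOG, "198.51.100.42", seen, skew_seconds=60))  # SUB-C joins the list
    print(candidates(CGNAT_LOG, "198.51.100.42", seen, source_port=2500)) # ['SUB-B']
```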
0

All previous answers are good with lots of technical details. Yet no one mentions the probability that the suspect may use an anonymous remailer.

Though the service itself is a myth on the Internet (I never use it myself), it is possible in principle. And there are previous cases against it. In the ideal situation, the suspect may construct a mailing chain of anonymous remailers from multiple countries.

As stated in previous answers, legal issues are the main problems. Consider that you have to crack not only a specific email company, but a dozen of them, in countries with different rules and regulations on data safety. It could be almost impossible to retrieve all the relevant data:

Case of Penet remailer:

In September 1996, an anonymous user posted the confidential writings of the Church of Scientology through the Penet remailer. The Church once again demanded that Julf turn over the identity of one of its users, claiming that the poster had infringed the Church's copyright on the confidential material. The Church was successful in finding the originating e-mail address of the posting before Penet remailed it, but it turned out to be another anonymous remailer: the alpha.c2.org nymserver, a more advanced and more secure remailer which didn't keep a mapping of e-mail addresses that could be subpoenaed.

Yet it comes with a price: less reliable delivery and (maybe) loss of 2-way communication. But in certain cases this restriction may not be so important.

Hoàng Long
  • Because the question was asked about writing a story for a TV script, the chances of the suspect using an anonymous remailer are exactly whatever the scriptwriter chooses. If the scriptwriter needs to hide the suspect more, he could have the suspect use an anonymous remailer to help him hide. If he needs to reveal the suspect's location, he would not add such a device. – John Deters May 11 '16 at 21:26
  • I would not assume the intention of the writer, since he didn't state clearly which path he would follow. From my understanding, the writer is here to understand how technology works, so that his work is not unrealistic from a technical point of view. I present another reason that "location-detection" may not work. – Hoàng Long May 12 '16 at 01:51
  • And of course, "impossible in theory" doesn't mean impossible in reality. You can check @JohnDeters's answer (well, your answer, I just realized that...) which has an excellent use of a picture to identify the location. The use of an advanced tool like a remailer may give the suspect a false sense of security, which could be utilized in the plot as well. – Hoàng Long May 12 '16 at 01:55
0

I work in Geolocation and do a lot of work resolving questions as to location of devices.

To get back to the original question posted:

If the police have an email, sent by a suspect over a 3G or 4G network, could they use the IP address (since they know when it was sent) to find out - from the service provider - the precise location the email was sent from?

I think the answer can be a lot more specific.

As Mark Buffalo correctly pointed out; 3G/4G Mobile Networks contain ZERO location data associated with the location of the device. So this is a dead end.

The IP ranges are normally assigned randomly to the Mobile Network Provider and relate to that company's locations - not the device. So a UK Mobile Phone customer when roaming in the US would have an IP address that points to somewhere in the UK.

A lot of the other answers seem to relate to the topic of geolocation generally but are not of much help in this case as we only have IP data to work off.

So Mr/Ms Screenwriter, I think you need to try and see if the "Perp" can use a WiFi connection to connect so you get a "static" IP address (rather than the 3G/4G one) which MIGHT help narrow the search down to a town or possibly even a house if the Police could twist some arms amongst the ISP providers.

Or as another person suggested, if you can get the phone number then in countries like the US you can actually track the user without them knowing about it with Cell Tower Triangulation.

However, IP address on a Mobile/Cell/3G/4G connection will not get you anywhere...

Neil Smithline
david
0

Belated answer: Yes. DROPOUTJEEP, MONKEYCALENDAR, PICASSO, TOTEGHOSTLY, WATERWITCH, WARRIOR PRIDE, TRACKER SMURF, etc. are NSA-developed tools whose existence Edward Snowden and others have revealed.

MONKEYCALENDAR is software used by law enforcement that transmits a mobile phone's location by hidden text message. TRACKER SMURF provides "high-precision geolocation". It can be not merely as accurate as the phone's normal GPS subsystem. It can be more accurate - as accurate as the Wi-Fi assisted location systems. Do regular police have access to this? Yes. As @Mark Buffalo noted, NSA's Treasure Map program provides access.

(Also, there's another possible way to get super-high-precision geolocation: Perhaps the NSA can reprogram a phone to use the military-encoded GPS signals.)

-1

This answer is a little more in the weeds. The exact server you would use to determine where a user is within the cellular network is called the PGW, or PDN Gateway. This is the server that is used for lawful interception of traffic; it also holds other information about every end user on the network, such as billing information.

What hasn't been mentioned in here is that if the user had sent an image in the email, modern cellphones include GPS location in the EXIF data, which would be an exact location of where the picture was taken. Note that most image sharing sites will strip this EXIF data to protect user identities.

  • How does one connect an email address to the PGW? Does a PGW work historically, or does it function in real time? Also, the image GPS only works if the image was taken at the same time it was sent. (and I do talk about location services in my answer). – schroeder May 09 '16 at 14:54
  • This is out of my wheelhouse, as I don't deal with PGW hardware so I cannot answer with any authority. I'd imagine there's lots of different connection mechanisms. There are vendors that provide these gateways such as Cisco, and larger cell networks will develop their own as they're incredibly expensive. There's probably a document out there that describes the method of communication somewhere on [3gpp](http://www.3gpp.org/technologies/keywords-acronyms/100-the-evolved-packet-core) but I'm not sure where. – sverasch May 09 '16 at 15:46
-2

You have plenty of good suggestions here. But at the risk of ruining my script writing career, the most visual scheme to use would be the "silent ping", that is if you want to find the person in real time. I will discuss email as well later in the post.

The silent ping takes advantage of a mode of SMS where nothing appears on your phone. The three letter organization trying to find you pings your phone, then they look for RF energy as your phone replies. Radio detection schemes are used, so you get to have the creepy dudes in the van fiddle with dials and look at screens as they try to find the source of the signal. And they drive around to get closer and closer for a better fix. (cue James Bond music).

Now regarding email, if you could tell where all email originates, there would be no spammers. But 90% of all email traffic is spam. If I sent you an email, even on a mobile device, you would know exactly what server I used due to a parameter called SPF. Now the server could be compromised (maybe the sysadmin doesn't know how to prevent an open relay), so the unauthorized email could be relayed from my server, but it would lack DKIM, a means of authenticating the server in a crypto manner. Any legit email server will have SPF and DKIM. However, a lot of these email forwarding services lose the SPF and DKIM. If they didn't, the entire email service provider world would reject email that lacked SPF plus DKIM. (The mail must go through, no matter how crappy the server that sends it. Nobody wants to deal with bounced messages.)

So I think email is not the way to go unless you want Silicon Valley types in the audience groaning.

I was trying to do forensics on some jerk and discovered that if you use gmail and log into the google server, you lose the IP of the person creating the email. Of course google has that data, but it isn't like I can generate a court order. Pissed me off, but I honeypotted the jerk and found his IP via port 80 access. (There are schemes to hide your IP from port 80 access, such as a VPN, but I block many VPNs on my server. Tor can be blocked as well.)

I'd still go with the silent ping. Everything else is neck beards typing on keyboards.

gariac
  • Don't forget to hack the Gibson somewhere in that process. – user3791372 May 07 '16 at 14:39
  • SPF is not used to find out what server you used. SPF (if employed by the sender's domain) is a means to allow receiving MTAs to detect mail originating from unauthorized sources. Some major SPFs would allow gazillions of servers, simply because those big providers do use gazillions of outbound mail servers. SPF has nothing to do with *submission*. The closest to tracing back the origin (from within the mail) is the Received: header - which might be cut off or filled with deceptive fake info by any server before the first of an uninterrupted chain of servers you trust. – Hagen von Eitzen May 07 '16 at 21:43
-2

No, the location is not traced for everyone in logs - unless it was already under watch before. The last resort here - usually, if no previous location trace is enabled - is the base station where the IP-carrying node was active at the moment.

Alexey Vesnin