19

A month ago, someone posted an ad with my personal details, including my home address, my phone number and my photo, with a very defamatory write-up.

What followed was a week of calls from strangers and friends calling me up asking me if such a thing was true. It took forever for the admins of those ads to take the ads down and the police, whilst helpful to reach out for official request of info, are not very helpful in proposing to me the steps that I must take to link the evidence directly to the perpetrator.

I had to do a lot of digging for info myself, learn how IP addresses work, etc.

I know the person posting it did it from a hotel via wifi. The problem is, I don't know how to prove that it was HIS computer that did it. There are probably 50 guests in that cheap budget hotel that night, any one of them could've posted it. I've called various authorities locally in my country to ask for help and most of them brush me aside with this nonchalant attitude, that it is just a small case. It is unfortunate that I do not have tons of money to blow on this, nor the right 'friends in high places' to push this through.

I read several posts here and I was hoping some of you can help provide me some guidance in this area.

  1. Do you know if ISPs store the MAC addresses of the laptops/computers that use the IP address to do certain internet transactions? I've read somewhere that ISPs only store the MAC add of the router and not individual computers. Some other sites have indicated ISPs do store the MAC addresses of the individual computers. Which of the two is correct?

  2. The person who posted the ad verified the ad via a dummy email address that was created specifically for that purpose. Do you know if ISPs store a historical trail of other websites that he accesses whilst hooked on that IP address? For example, if historical records via the ISP can show that the same user who used that computer accessed his personal email or his internet bank records, then at least the evidence is stronger to show that it was that person who did the defamatory posting.

Any advice you can post here would be much appreciated to help me out. I've badgered the police to raise the request to our local ISP to trace the IP address (I had to chase twice before they did this and that took almost 2 weeks!) and while we're waiting for the results to come back, I'm just afraid that the trail will end at the hotel location. I do not know what other option is there for me to link the ad posting and IP address directly to the perpetrator's computer. Without that evidence, the perpetrator cannot be charged and all that I went through for that whole week, would've been for absolutely nothing :(

*Update* 15th March 2014: Hey guys, it's me again. The ISP has finally come back to the police officer and whilst the information is not revealed to me who that person is, the police officer has indicated that the IP address leads to a particular individual...and get this...the idiot used his own internet connection from his house. I almost clapped my hands with glee when the police told me the trace leads directly to the person's user account with the ISP. Unfortunately, because the whole case is under investigation, the details of this person cannot be revealed to me yet. The next step is to see if the police will seize the computer to try and match the MAC address listed in the ISP...or was it seize the router to try and match the MAC address. I'm not too sure of the details. I'm just told that there was a MAC address that was provided from the ISP in their trace report.

I'm so excited! I'm one step closer to getting this person charged for what he did. I'm going to keep pushing for this case until the police takes the next steps, but I'm very relieved that at least I've managed to get the results of the IP trace that clearly identifies an individual.

Now's just how to make sure the evidence is 'beyond reasonable doubt' for a criminal charge. And trust me, I'm going to do everything in my power to push for them to charge him from a criminal perspective before I slap him with a civil suit for defamation.

Thanks for all your helpful advice here. Wish me luck! And if things progress better, I'll come back here and repost an update :)

Anna
  • 4
    Personal opinion: Although I understand the considerable distress this caused you, at least you can be thankful that no permanent harm was caused. In the end, everybody knows that it just was a lame prank pulled by some loser. Nothing incriminating or compromising about you was posted (I am assuming). That sorta thing is happening far too much these days, and it might be a while before you could recover from the embarrassment from such an event. And even in those cases, a lot of the perps go uncaught. – nedR Feb 01 '14 at 13:16
  • Only thing I can think of is that ad networks often store info on who clicks on their ads - by cross-reffing this info with the hotel IP's you may find the person who did this -- if you can get the info. – KnightOfNi Feb 02 '14 at 00:18
  • Is your situation that you think you know who did it, and you are just trying to find convincing evidence? Or is your situation that you got it traced back to that hotel wifi, and you actually have no idea which of the 50 guests is your weirdo? I was just thinking that, if the former, then there might be some evidence on their notebook still... though how to get that might best be a new question ;-) – Darren Cook Feb 04 '14 at 01:18
  • 1
    can't you just follow the payment for the ad? – JamesRyan Sep 22 '14 at 11:36

6 Answers

19

1: The ISP only knows the MAC addresses for the address of the hotel's router. It may store that, but who cares. The hotel could store MAC addresses for connected devices, and many do for captive portal use, but that history is typically forgotten after only a couple of days. The only way to know is to ask the hotel. (They probably won't know how to access it, though.)

2: ISPs are theoretically allowed to store some browsing history records for law-enforcement use, but there is no mandate to do so. If they did, you'd almost certainly have to get a court order to retrieve them, though again it's up to the ISP. Here again you may want to try the hotel. They might keep something.

Also note that hotels are typically in the hotel business, not ISP business. Hotels will often outsource management of their WiFi to some third party who may or may not be willing to work with you, and may or may not even have anything useful anyway.

Also note that hotel wifi passwords don't frequently change; the perpetrator needed to only either have been a hotel guest at one point in time or even have learned the password from someone else. Since it's wifi, he doesn't need to actually be in the hotel.

Also note that MAC addresses are by default unique, but are easy to change. If the perpetrator knew what he was doing (and it sounds like he did) then he could temporarily change his MAC address and have left literally no evidence at all that could trace the action back to him. He could also have used a read-only boot disk in which case no evidence would exist on his computer either even if you did manage to get a warrant.

Of course, not all criminals are this tech-savvy, but you often don't hear about the ones who are because they typically don't get identified. The only way to find them is to follow a pattern. But of course there is no pattern in a one-time occurrence.

tylerl
  • Or use a throwaway PC, park in the parking lot, use the Wifi, do your dirty deed, and throw the PC away. Hotel cameras might catch you in the parking lot. No proof otherwise. – Engineer2021 Apr 17 '14 at 20:43
11

The answer to your question would be: There is no way of tracing this back to a single person. At best this will provide you with circumstantial evidence. The only way to get some kind of evidence would be to perform a forensic analysis of every single person registered at the hotel. And even then there would be no certain way of knowing if the person was actually a hotel guest (he could simply have been wardriving). Pinning an IP address to a person is hard and in most cases will not hold up in court.

Furthermore, performing forensic analysis of 50 computers is time and resource consuming. Just for solving an (admittedly annoying) prank, this is kind of not feasible. Remember that the police isn't working for free. Resources spent on those 50 computers might mean that they can't perform analysis of computers of, for instance, alleged pedophiles.

To be honest, the only thing I can tell you is to let it go.

Lucas Kauffman
  • This is not strictly true. Like I mentioned in my comment, see the method the agencies used in the Broadwell case. Of course, in that case it was possible because there were multiple accesses from different hotels. My point is that's how investigation and forensics work - trying out different possibilities and thinking outside the box. Of course you would need a dedicated investigator with good technical knowledge to do it. And I agree with you that the issue is frankly not worth the effort. – nedR Feb 02 '14 at 08:15
4

Warning : I am not a security expert. Just someone with a basic idea of computers trying to give some (possibly inaccurate) pointers. Hopefully someone with more knowledge can help you more.

1) The hotel's ISP will only know the MAC address of the hotel's router because it needs the MAC ID to assign IP addresses to a router. Also if 50 people were using the internet, from the ISP's point of view, all the traffic is coming from 1 IP address; so the ISP really has no idea whether 5 or 500 computers were accessing the Internet at that time. The only one who can have any idea is the hotel, or more specifically the hotel's router. But routers (most of them) are quite simple devices that don't maintain detailed logs of such activity. The router might have a log of the MAC addresses of the devices that recently connected to it. But that's pretty much all you can expect the router to tell you. If this happened a month ago, those logs are probably long gone as well. If the hotel has a more complicated setup like a firewall or a special login system, it might have more detailed logs but that is probably a long shot.

2) ISPs do store information about visited websites for law-enforcement purposes. You probably need a lawyer to get that information. But again your attacker's activity is probably mixed up with the activity of the 50 or so patrons of the hotel at that time. It would probably be hard to single out your attacker from it.

Your case sort of reminds me of the case of tracking down Paula Broadwell. She was tracked down by the FBI because she accessed the offending email accounts from multiple hotels. The FBI cross-referenced the guest lists from all the hotels that accessed the email account, and hers was the only name. Whether you can get the account activity from the email provider, (without a warrant) I don't know.

Of course, in that case the stakes were pretty high (the scandal ended up costing the CIA director his job). Whether you can achieve all this "without the right connections" or hiring a lawyer or private investigator I don't know. And whether it is really worth it is a question you have to decide.

Good luck.

edit: It might be noteworthy that even in the Broadwell case, the DoJ ultimately ended up dropping charges against her.

nedR
  • 1
    "even in the Broadwell case, the DoJ ultimately ended up dropping charges against her" -- yes, but that would have been a criminal prosecution, where the standard of evidence required is substantially higher than in a defamation case. – Jules Feb 02 '14 at 09:21
2

MAC addresses are link-level addresses - a series of 6 bytes (12 hexadecimal letters 02:46:8a:ce:fd:b9) that only get sent to the direct router at the other end of the connection (e.g., on ethernet the router at the other end of your cable; on wifi the router listening to your wireless radio transmission). The MAC address is only used from the router to identify each device it is talking to. The ISP cannot in principle see this; only the router at the hotel potentially could see this information. It's also trivial to change the MAC address on most network cards to any other value; granted usually you can still see the default MAC address that was assigned to the router if you have physical access to the network card.

The potential ways to identify users on a shared IP address in this scenario are if the hotel's router kept detailed logs at the time of the incident -- what computer connected to their router and visited the sites in question as well as some method of associating that computer to some guest's name.

  1. It was a captive portal that required users to login with a unique login/password given to each guest
  2. The MAC address was logged and the scumbag wasn't smart enough to change it before using it. Granted, you'll have to have access to their device to compare their router against it.

A third method if you strongly suspect a specific individual and the online posting was vicious enough is to obtain a warrant so the police can search that individual's computers. Quite possibly they'll have some evidence on their computer still (e.g., the photo of you that was uploaded, something in their browser history; possibly deleted from the hard disk but if done quickly a full disk scan of the device in question would be able to detect that the image was there).

The fourth method in principle is if the site operators took detailed logs of the time the user visited in question and used some third-party service that identified the user while they were connected to your site. Granted that would require the third-party service to have kept detailed logs that they are willing or allowed to share with you. That is many sites use third party cookies to integrate a page with some other service; either to log you in (sign in with google/facebook), or just track your users (google analytics), or to let you easily share the article (share on facebook/twitter). I doubt this will be a fruitful avenue either without getting law enforcement involved and committed to researching this for you as this information will not be readily available -- and again if the user was smart enough to just go into a private browsing mode or the site didn't use any third party services that used identifying cookies.

As much as it sucks, you probably are going to have to let it go as Lucas suggested. Possibly if you are harassed again similarly, you'll be able to identify a pattern (one guest at both hotels).

dr jimbob
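
The correlation this answer describes (a public event time mapped to an internal IP, then to a MAC via the lease table, then to a captive portal login), as an added example that is not part of any answer on this page. The log formats, field layout, function names and every value below are assumptions constructed for illustration; the MAC `02:46:8a:ce:fd:b9` is the sample address from the answer above.

```python
from datetime import datetime

# Constructed sample data. Real gateways log in vendor-specific formats.
# Gateway connection log: time, internal source IP, destination
NAT_LOG = """\
2014-01-20T22:14:03 10.0.3.17 -> 203.0.113.50:80
2014-01-20T22:14:41 10.0.3.42 -> 198.51.100.7:443
2014-01-20T22:15:10 10.0.3.58 -> 203.0.113.50:80
2014-01-21T08:00:05 10.0.3.17 -> 203.0.113.50:80
"""
# DHCP leases: internal IP, MAC, lease start, lease end
DHCP_LEASES = """\
10.0.3.17 00:00:5e:00:53:01 2014-01-20T18:00:00 2014-01-21T06:00:00
10.0.3.58 02:46:8a:ce:fd:b9 2014-01-20T22:00:00 2014-01-21T10:00:00
10.0.3.17 00:00:5e:00:53:02 2014-01-21T07:00:00 2014-01-21T19:00:00
"""
# Captive portal: MAC that authenticated, guest credential used
PORTAL_LOGINS = """\
00:00:5e:00:53:01 room-204
00:00:5e:00:53:02 room-118
"""

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")

def is_locally_administered(mac):
    # Bit 0x02 of the first octet set: the address was assigned in software
    # (randomised or set by hand), not the vendor's burned-in one. A clear
    # bit proves nothing, since a changed MAC can imitate a vendor address.
    return bool(int(mac.split(":")[0], 16) & 0x02)

def candidates(site_ip, event_time, window_s=120):
    """Devices that contacted site_ip within window_s seconds of event_time."""
    leases = []
    for line in DHCP_LEASES.splitlines():
        ip, mac, start, end = line.split()
        leases.append((ip, mac, parse_ts(start), parse_ts(end)))
    portal = dict(line.split() for line in PORTAL_LOGINS.splitlines())
    found = []
    for line in NAT_LOG.splitlines():
        stamp, src, _, dst = line.split()
        when = parse_ts(stamp)
        if dst.rsplit(":", 1)[0] != site_ip:
            continue
        if abs((when - event_time).total_seconds()) > window_s:
            continue
        # The lease must cover the moment of the connection: internal IPs
        # are reused, so the IP alone does not name a device.
        mac = next((m for ip, m, s, e in leases
                    if ip == src and s <= when <= e), None)
        found.append({
            "internal_ip": src,
            "mac": mac,
            "guest": portal.get(mac),
            "mac_locally_administered":
                mac is not None and is_locally_administered(mac),
        })
    return found

if __name__ == "__main__":
    for row in candidates("203.0.113.50", parse_ts("2014-01-20T22:14:30")):
        print(row)
```

On the sample data the two-minute window yields two devices, one tied to a portal login and one with a software-assigned MAC and no login, which is the ambiguity the answers here describe.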
2

Since I clicked this just out of interest, and the other answers seem to cover the difficulties in actually doing such tracing, I'll add my 2 cents on what the average person can do if they can be bothered. After some UK govt. official came out recommending this sort of thing to lower identity theft damage impact, I'm not as hesitant to recommend it as before:

The only way to perform this sort of tracing on the cheap is to prepare to do it in advance, and even then it won't be perfect and it can be a hassle unless you plan and practise it well.

E.g. set up your email and other information you give away to people so that you give slightly different information to different people. Since that may not be practical unless you have a good system for memorizing who gets what information (or carry an application with you that creates new email accounts and phone numbers, misspelled addresses and names etc. for every person you are in contact with), the next best thing is to just have e.g. three sets of emails and misspelled names, addresses, phone numbers: one set for entities and persons likely to use them for commercial (pretty much any "free" web service) or malicious purposes, one for those who you are likely to have a closer relationship with and then one for where you know you are going to need accurate information (banking, government, any kind of money where you may want to have some recourse if something goes wrong).

It was somewhat amusing to read that a UK government information security official had made a comment to the direction that common people might want to consider whether using a real name everywhere on the internet is a good idea. While from a legal perspective there might be little difference, from a practical perspective, there's a whole lot of difference between handing out accurate information to some free service probably selling it to other companies vs those times where a decent amount of money is involved. If there's some cheap-not-free web service, they are likely to also sell your information but are more likely to get your accurate information since they weren't free. In those cases it's best to study the small print or have some way to pay them while keeping something misspelled and have a dedicated email address for them, so that when they happen to leak your info you know it was them. Not likely you can do anything with that but at least the damage was limited.

0

Unless your target is very paranoid about his privacy, busting his ass should be easy.

Tracking Cookies.

The vital part that allows them to work is the Referer header.

If you have a website, hosted on "foo.com/index.html", that includes an image, hosted on "bar.com".
For example like this:

    <html>
    <body>
    <!-- image fetched from a third-party host -->
    <img src="http://bar.com/some_image.png">
    </body>
    </html>

The server on "bar.com" will see an incoming Request, that looks something like this:

    GET /some_image.png HTTP/1.1
    User-Agent: curl/7.30.0
    Host: bar.com
    Accept: */*
    Referer: http://foo.com/index.html
    Cookie: id=1234567

containing, not only the information what image to get, but also the precise address of the webpage it is embedded in.
Combine this with cookies, and bar.com can also distinguish between individual browsers.

If you are "bar.com", and manage to convince a lot of webmasters to include a pixel sized image, hosted on your servers you can pretty much trace millions of people, in realtime, as they surf about the web.

This is the business model of so called tracking companies.

There are literally 100's of companies out there who should be able to uniquely identify his browser.

The ghostery firefox plugin makes them visible to you.
( try it, and watch yourself become paranoid in a matter of days )


You already have contact with the site that the ad was placed on?
Let's call them C.

Most sites, even those concerned with not selling out their users, tag them with unique ids to observe their behavior and improve their site accordingly.

If C is willing to help you, you can set up a sting, with a specially prepared webpage that you only send to the offender, and that contains some hidden resource hosted on the C's site.

If not, and you get only the cooperation of one of the tracking pixel companies, let's call it T, there will most likely be an easy way to map the offender's user account on C to the id assigned to him from T.
( could be exposed in a GET variable, or simply identify him because he is the first one who browsed the ad in question )

Then you set your sting up with something like a funny cat picture hosted on any public site, that also has a tracking pixel from T.

There are a lot more possible scenarios, but you will need the cooperation of a tech person, in at least one of the companies, in any case. They will be able to walk you through the technicalities and explain the details of why and how this works.


Sent from my Firefox with tons of privacy plugins.

tcmon
  • 2
    Downvoters: genuinely asking: why couldn't this work at least in theory? – nedR Feb 03 '14 at 10:22
  • 1
    Hi everyone, thank you very much for the various comments left here to help me out with my current predicament. The information you've shared is valuable to me, especially so since I'm not a tech person :) Much appreciated :) – Anna Feb 03 '14 at 13:29
  • @nedR: The answer is almost entirely un-related. It might be relevant *if* the defamatory post was made on a website controlled by the OP; and *if* the OP already knew the identity of the perpetrator, *and* has access to their cookie store; and *if* the OP had set up appropriate tracking cookies before the post was made (or, in the sting scenario, if OP was sure that it would happen again). But none of those things are stated in the original post, so this answer is entirely useless. – naught101 Mar 06 '14 at 05:17
  • @naught101: except all of these preconditions are met if the OP has the original website owner's collaboration - which she implies – tcmon Mar 15 '14 at 15:07
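
What the third-party host in the Referer/cookie explanation above can log, and how the browser's referrer policy and third-party cookie blocking change it, as an added example that is not part of the original answer. The function names are hypothetical, only four referrer policies are modelled, and the URLs are the ones used in the answer. `no-referrer-when-downgrade` reproduces the request shown in the answer; `strict-origin-when-cross-origin` is the default in current major browsers.

```python
from urllib.parse import urlsplit

def referer_sent(page_url, resource_url, policy):
    """Referer value a browser attaches when page_url embeds resource_url."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    full = page_url.split("#", 1)[0]          # fragments are never sent
    origin_only = f"{page.scheme}://{page.netloc}/"
    same_origin = (page.scheme, page.netloc) == (res.scheme, res.netloc)
    downgrade = page.scheme == "https" and res.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full if same_origin else origin_only
    raise ValueError(f"policy not modelled here: {policy}")

def build_request(page_url, resource_url, policy, cookie=None):
    """Request text the third-party server receives (relevant headers only)."""
    res = urlsplit(resource_url)
    lines = [f"GET {res.path} HTTP/1.1", f"Host: {res.netloc}"]
    referer = referer_sent(page_url, resource_url, policy)
    if referer:
        lines.append(f"Referer: {referer}")
    if cookie:  # absent when the browser blocks third-party cookies
        lines.append(f"Cookie: {cookie}")
    return "\r\n".join(lines) + "\r\n\r\n"

def tracker_view(raw_request):
    """What the third party can record: browser id (Cookie), page (Referer)."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if ": " in line:
            name, value = line.split(": ", 1)
            headers[name.lower()] = value
    pairs = headers.get("cookie", "").split("; ")
    ids = dict(p.split("=", 1) for p in pairs if "=" in p)
    return {"browser_id": ids.get("id"), "page": headers.get("referer")}

if __name__ == "__main__":
    page, pixel = "http://foo.com/index.html", "http://bar.com/some_image.png"
    for policy, cookie in [("no-referrer-when-downgrade", "id=1234567"),
                           ("strict-origin-when-cross-origin", "id=1234567"),
                           ("no-referrer", None)]:
        print(policy, tracker_view(build_request(page, pixel, policy, cookie)))
```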