Tracking down an IP

[Paulonius]

I am going to get a court order this morning that will give me one or more IP addresses from Google and Facebook for someone that created a fake identity of a friend of mine and used it to commit some crimes.  Next step will be to track down the person(s) behind them, and I don't know how to begin that process.  Anyone have any suggestions/ Direction for me?

[NObama]

Depends on your code-foo and, frankly, how evil you're willing to be. 

If the person is a solo operator in it for cash and profit, chances are they've left a trail online and in brick/mortar drop locations.  If it's a centralized criminal operation, this is not the sort of thing you want to undertake extra-legally - better just to have your friend file a credit freeze and diligently review his/her credit report a couple times a year. 

If this is just some dork jerking around with phony facebook entries, that is typically someone you know pursuing some sort of emotionally-motivated revenge campaign.  I recommend you ignore it and move on with your life.  If the crimes are something the police are already interested in, they could easily contact the ISP associated with the IP and request an ID.  Unfortunately, that only works as far back on the trunk as the first server stop, and the cops have to be interested.

If you end up with a name or address, the police can handle it.  Or, you can PM me for some more tips.

The dark side, this is...

[Paulonius]

My client is the managing editor of the website for a well known glossy men's magazine and the perpetrator used his identity to get nude pictures from girls. I think it is a solo operator going after an ex girl-friend, but they don't want to ignore it. The person or person's hacked an aspiring model's computer got some information about my client, and used it to create Facebook profiles and Gmail accounts.  I am representing the editor and the aspiring model in obtaining the necessary court orders and issuing subpoenas to require service providers to cooperate.  I need to educate myself as to every option available to track someone down with the information I get from them and engage a vendor with the expertise to do it.

My hearing got pushed back to tomorrow morning.  I am in the process of drafting the order now.  Do you have any suggestions for what information I ought to ask the Judge to require Google and FB to produce?  I am asking for anything related to the fraudulent accounts that they have, i.e IP Addresses, user names, contact information, etc. but it would be nice if I could be specific if there is something I must have.

[Scrripty]

Just be specific and vague at the same time.  Any and all information regarding these accounts up to and including names of persons opening said accounts, email address', ip address', or any information that would help in the ongoing investigation to track down the individuals responsible for putting this information on your service...  That way they know you want it ALL and would be required to give you everything.  Not sure what else there would really be if they used all fake info besides ip address and MAYBE an email.  But that's probly fake.  Ip address will probly be your only option, but it's a good one if they have that info somewhere.

[NObama]

I would ask for at least the following, but don't limit yourself to what you see here:

From Google and Facebook:
- Usernames
- Account information
- Account history, to include originating IP, ISP and all access logs
- Friends / Contacts list

From ISP:
- IP address
- MAC Address
- IP Traceroute
- Customer information, to include address and payment information

The key here will be the ISP information.  If your perp is stupid enough not to spoof his MAC, you have a unique identifier the cops can use to hunt him.  Similarly, if he wasn't smart enough to IP in through multiple servers, you've got him there, too.

If he is smart enough to hide in multiple layers of servers, the cops aren't going to be able to do a darn thing. 

Go get him.

 

[Paulonius]

Google got me an IP:  64.241.37.140

So now how do I trace it down?

[JustAnotherFace]

Google got me an IP:  64.241.37.140

So now how do I trace it down?

The below info is the whois lookup for that IP.  It looks like you are probably screwed because it is registered to Panera Bread.  Which most likely means it was someone sitting in their shop using their free wi-fi. 

JaF

Code: [Select]

OrgName:    Savvis
OrgID:      SAVVI-3
Address:    1 SAVVIS Parkway
City:       Town and Country
StateProv:  MO
PostalCode: 63017
Country:    US

NetRange:   64.240.0.0 - 64.243.255.255
CIDR:       64.240.0.0/14
NetName:    SAVVIS8
NetHandle:  NET-64-240-0-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.SAVVIS.NET
NameServer: NS2.SAVVIS.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    2000-02-01
Updated:    2007-09-18

RTechHandle: ZS36-ARIN
RTechName:   SAVVIS Communications
RTechPhone:  +1-888-638-6771
RTechEmail:   

OrgAbuseHandle: ABUSE11-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-877-393-7878
OrgAbuseEmail: 

OrgNOCHandle: NOC99-ARIN
OrgNOCName:   SAVVIS Support Center
OrgNOCPhone:  + 1-888-638-6771
OrgNOCEmail: 

OrgTechHandle: UIAA-ARIN
OrgTechName:   US IP Address Administration
OrgTechPhone:  +1-888-638-6771
OrgTechEmail: 

OrgName:    PANERA BREAD
OrgID:      PANERA
Address:    7930 BIG BEND BLVD
City:       WEBSTER GROVES
StateProv:  MO
PostalCode: 63119
Country:    US

NetRange:   64.241.37.0 - 64.241.37.255
CIDR:       64.241.37.0/24
NetName:    NET-64-241-37-0-1
NetHandle:  NET-64-241-37-0-1
Parent:     NET-64-240-0-0-1
NetType:    Reallocated
Comment:   
RegDate:    2010-04-06
Updated:    2010-04-06

OrgTechHandle: LB231-ARIN
OrgTechName:   Brown, Larry
OrgTechPhone:  +1-314-918-7779
OrgTechEmail: 

[NObama]

Yep - screwed.  Sorry, bro.   

 

[luv2luvlong]

Not screwed if shop has surveliance cameras, footage can be supeonaed and time stamps checked vs. footage and who's in the shop at the time of logs, blah blah blah
just my thoughts

[JustAnotherFace]

Not screwed if shop has surveliance cameras, footage can be supeonaed and time stamps checked vs. footage and who's in the shop at the time of logs, blah blah blah
just my thoughts

Even if the shop has cameras, most places, even banks only archive the footage for 90 days or less.  Even if you get lucky and they still have the video from that date and time, there may have been 20+ people in the shop at that time.  Say this occured in even a small city of 50,000 people....what are the chances of picking 20 people out of 50,000.  That does not even include the chances that this person may have been only traveling through this city and happened in for a coffee, an internet connection and an ID theft.

Long story short, UNLESS the offender was wearing a big ass sign saying "Look at me, I'm stealing an ID while eating a sandwich in Panera bread, oh yeah btw, my name is Mike Smith, my DL # is FL 123456", then Paul and his client are pretty much screwed. You couldnt get a police department within a mile of that case.
JaF

[Paulonius]

Am I right though that this guy was on a laptop in Missouri though? That might help me track him down.  I suspect that he knows the girl that he perpetrated the fraud on.

[JustAnotherFace]

Am I right though that this guy was on a laptop in Missouri though? That might help me track him down.  I suspect that he knows the girl that he perpetrated the fraud on.

He was not necessarily in MO.  That may just be the home office location for Panera IT.  What you could do, would be to call the guys name who is listed at the bottom, Larry Brown with the phone number listed. He should be able to tell you where that IP address was used on the day and time in question.  It may well be that it was in MO, but it may not. It's a pretty good guess that the suspect was on a laptop, assuming of course that the suspect is not an employee of Panera, in which case he could have been on a desktop.  Larry Brown should be able to tell you if the IP is one of his corporate business IPs or one of his Public WiFI IPs.

JaF