What sort of data from ISP


keschrich

New Member
Nov 4, 2008
12
0
#1
--Project warning-- :)

I'm working on a masters in computer forensics, and this is my first class that actually touches a computer (up to now just general CJ stuff, and so far this class is very basic). I obviously do not expect, nor do I want somebody to do the project; I'm just looking for some background info on a specific question I have.

We have a case of suspected CP. We have the physical computer, but the hard drive has been removed; the only data we have is on a USB key recovered from the scene. Since there is no hard drive, I have no browser cache or anything of that sort, but would still like to get some idea of his internet activity.

If I subpoena his ISP, what sort of data might I be able to get from them? My guess is that I'd only be able to get a list of the IPs assigned to him with timestamps over the last few months or so, and maybe the time and IP of hosts he's connected to.

If the susp. uses his ISP for email, I may be able to recover header information from emails sent/received, but that would rely on him not using a third-party email system.

I further expect that I would not be able to get a list of URLs from the ISP, as that would require that some sort of packet inspection was in use and monitoring the guy's traffic to begin with. I think that the best I could hope for is to get the IPs that he's connected to, cross-reference that against some database of known bad sites, and then subpoena the site for their webserver access logs.

Am I correct on any/most of this or way off base? If somebody could point me to any current related resources that would be fantastic.

Thank you!
 
Dec 31, 2006
3,405
0
#2
Two points here; are you playing this from the side of LE and what country are you using for the basis of your examination?

In the United States SWECTRA and the USA Patriot Act are typically used if the ISP refuses to cooperate with LE. However, even if they cooperate, the amount of data that is retained and the length of time the data is retained vary widely from one ISP to another.
 

keschrich

New Member
Nov 4, 2008
12
0
#3
I am taking this from the perspective of LE within the US. Also I am assuming that the ISP is cooperative.

Even if they agree to show me everything they've got, so to speak, what kind of data could I expect to receive?
 

Complete

Administrator
Aug 19, 2006
861
0
#4
www .cox.com/Policy/leainformation/default.asp

Check out the retention rates and what type of info they collect. You won't get a history of sites visited or connections made. You could probably get a better "content" response through email history.
 

keschrich

New Member
Nov 4, 2008
12
0
#5
IP Assignment Logs: up to 6 months
Subscriber Information: 3 years
Call Records: 18 months (36 in certain states)
Preservation Requests: 90 days

Given this, it looks like the only information I would be able to get from the ISP would be the IP assignment logs (presumably the subscriber information wouldn't mean much in this case since I already have the computer and thus know the physical address).

Even the IP assignment logs would probably not be useful, since they would only tell me his address and not where he's been. So it seems that in this particular case contacting the ISP at all would be a waste unless I was planning to allow the guy to hold on to the computer and get the ISP to monitor his activity.

Of course email may be a better lead, as you said. The policy you linked to doesn't mention email at all, but I'm sure it would definitely be worth seeing if I could access at least the logs, if not gain access to his email account.
 
Dec 31, 2006
3,405
0
#6
Remember that is just one ISP. If you are using AOL or MSN as the target ISP, what they retain is quite different. However if you are using a mom 'n pop ISP as the target, you may find they retain almost nothing and have no idea how to give you any assistance even if they are cooperative.
 

Complete

Administrator
Aug 19, 2006
861
0
#7
PU is quite right, however, I don't think you'll ever get a listing of websites visited or connections made. Retaining that information would be too taxing on resources. It also has no bearing on billing and would be a privacy nightmare if that type of customer info was leaked.
 

keschrich

New Member
Nov 4, 2008
12
0
#8
Thanks so much for your input. This is a group project and the others in my group all came straight from undergrad with a CJ background; they were imagining getting all kinds of useful data back from the ISP.

I come from a computer science background and have worked as a systems administrator in the past, so what they expected seemed a bit far-fetched to me.
 

RobertR

New Member
Jun 3, 2007
447
0
#9
You won't get connection info (URLs visited) with a subpoena anyway; you need a 2703(d) court order or search warrant for that. Look over the DOJ's electronic and digital evidence court guide for what you can and can't get with what and when (you might be able to get them based on time).

Dependent on what is on your USB drive, you might be able to find info on there to help you out. There is always the option of getting the payment info from the ISP with your subpoena, then subpoena the records for the accounts that were/are used for payment and see if there were other payments to suspected sites or businesses, then subpoena their records for their subscriber and login associated with the payment info and look for common IP addresses and times.


blah... blah... blah

A lot depends on what is on that USB drive, both allocated and unallocated.
 

athulin

Member
Experienced Member
Oct 18, 2007
734
Ratings
11
18
#10
keschrich said:
My guess is that I'd only be able to get a list of the IPs assigned to him with timestamps over the last few months or so, and maybe the time and IP of hosts he's connected to.

I'm not LE, but I've worked at an ISP once and I've worked with several others.

IP assignments, very probably. The period of time they are retained would probably be controlled by legal requirements, if the ISP knows about them. I've seen anything from one year plus (small ISP who didn't have to bother about storage requirements) to a few hours (major ISP, who was mainly concerned with resolving customer errors, not supporting LE).

But note that there are such things as ISPs with fixed IP assignments. They are not very common, but they do exist: they serve people within a fairly limited area, of course.

keschrich said:
If the susp. uses his ISP for email, I may be able to recover header information from emails sent/received, but that would rely on him not using a third-party email system.

Header information ... depends on the mail server, I think, and what information is retained. Don't count on more than a) mail in from the subscriber, and b) mail out to another mail server. If any header information is retained it is usually because it helps track down problems faster ("I sent a mail to John Doe yesterday, but he hasn't received it. What happened?"), but there's no point in retaining such information for more than a week or so, if it can be removed easily.

keschrich said:
I further expect that I would not be able to get a list of URLs from the ISP, as that would require that some sort of packet inspection was in use and monitoring the guy's traffic to begin with.

Some ISPs provide extra security services -- for instance, web filters (like Bluecoat) to lock out web sites on various blocking lists. I would expect this to be fairly rare in the US, though.

keschrich said:
I think that the best I could hope for is to get the IPs that he's connected to, cross-reference that against some database of known bad sites, and then subpoena the site for their webserver access logs.

Again, I'm not sure why you expect to get those, or why an ISP would collect them. IPs belonging to the ISP, yes -- such as mail servers, web caches, FTP archives and so on, but that would be part of operating those hosts. IPs to external hosts ... why should an ISP collect those? It doesn't help his business in any obvious way. Or are there legal requirements to collect these?

Telephone operators ... perhaps more likely -- there are web proxies that 'adjust' standard web sites (mainly image data) to sizes suitable for 3G phones. But again, I doubt that they would retain information for very long unless there was something in it that was useful to their business.

keschrich said:
If somebody could point me to any current related resources that would be fantastic.

The resources are out there: they're the ISPs themselves. Do you have anything like a national interest organization for ISPs in the US? -- they may have issued recommendations on this.

I'm not sure what you meant by 'project' ... if this is not an actual case, you may want to interview a reasonably well established ISP or two to better understand how they operate.
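Added example, not from any poster in this thread: the correlation the thread keeps circling back to, taking an ISP's IP-assignment records (subscriber, IP, lease period) and a remote web server's access log and attributing each request to whoever held that address at that instant. Subscriber IDs, lease records and log lines are constructed; the ISP export is given a -05:00 offset while the server logs in UTC, to show the time-zone normalisation and the lease-boundary handling this kind of attribution stands or falls on.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed ISP IP-assignment records: (subscriber, IP, lease start, lease end).
# The export uses a local -05:00 offset; lease end is exclusive (next lease starts then).
ISP_LEASES = [
    ("SUB-0001", "203.0.113.10", "2008-10-01T00:00:00-05:00", "2008-10-03T12:00:00-05:00"),
    ("SUB-0002", "203.0.113.10", "2008-10-03T12:00:00-05:00", "2008-10-09T00:00:00-05:00"),
    ("SUB-0001", "203.0.113.44", "2008-10-03T12:00:00-05:00", "2008-10-20T00:00:00-05:00"),
]

# Constructed access log from the remote web server (Apache combined format, UTC clock).
ACCESS_LOG = """\
203.0.113.10 - - [02/Oct/2008:14:05:11 +0000] "GET /gallery/1.jpg HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.10 - - [04/Oct/2008:03:15:09 +0000] "GET /gallery/2.jpg HTTP/1.1" 200 4411 "-" "Mozilla/4.0"
198.51.100.7 - - [04/Oct/2008:03:16:00 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "curl/7.18"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def load_leases(records):
    """Normalise every lease to UTC so comparisons with the server log are exact."""
    out = []
    for sub, ip, start, end in records:
        s = datetime.fromisoformat(start).astimezone(timezone.utc)
        e = datetime.fromisoformat(end).astimezone(timezone.utc)
        out.append((sub, ip_address(ip), s, e))
    return out

def subscriber_at(ip, when, leases):
    # Subscriber holding `ip` at `when`; None if no lease covers it; 'AMBIGUOUS' if
    # the ISP records overlap, which must be resolved with the ISP rather than guessed.
    hits = [sub for sub, lip, s, e in leases if lip == ip and s <= when < e]
    if not hits:
        return None
    return hits[0] if len(set(hits)) == 1 else "AMBIGUOUS"

def attribute(log_text, lease_records):
    """Map each access-log line to the subscriber who held the source IP at that moment."""
    leases = load_leases(lease_records)
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than mis-attributing them
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        ip = ip_address(m["ip"])
        results.append({"ts": when, "ip": str(ip), "path": m["path"],
                        "subscriber": subscriber_at(ip, when, leases)})
    return results
```

The second log line falls after 203.0.113.10 was reassigned, so it attributes to SUB-0002 even though SUB-0001 held the same address a day earlier; without the offset normalisation it would land on the wrong subscriber.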
 

RobertR

New Member
Jun 3, 2007
447
0
#11
Sorry..

I did not have time to post the link to the DOJ's guide to what you can get with subpoenas, 2703(d) court orders and search warrants. It is very informative and has a lot of information which can trip you up if you are not aware of it.

Remove spaces and you're good to go:

http: //www. ojp. usdoj. gov/ nij/ pubs-sum/ 211314.htm
 
