Internet tracking and tracing
Internet tracking and tracing refer to methods used to collect and follow information about online activities, including websites visited, messages sent, and digital communications. These practices are significant for law enforcement agencies to investigate crimes committed via the Internet, such as cyber attacks and child exploitation. Through tracking, authorities can identify suspects and gather evidence, as seen in notable cases like the "Mafiaboy" DoS attacks in 2000, where law enforcement traced the perpetrator's online communications to build a case against him.
Various tools and techniques are employed for tracking and tracing, ranging from automated software that scans chat rooms and websites to human agents monitoring online interactions. Additionally, organizations may implement tracking measures at routers and firewalls to inspect incoming and outgoing Internet traffic, which plays a crucial role in cybersecurity. While individual tracking is often used by employers and parents to monitor Internet usage, it raises concerns about privacy and ethical standards. The legal landscape surrounding Internet tracking continues to evolve, particularly with the rise of mobile technology and new court rulings regarding digital privacy rights.
DEFINITIONS: Internet tracking is the collection of information about the websites and chat rooms visited by Internet users, as well as emails and instant messages sent and received. Internet tracing consists of following selected Internet activity between senders and receivers.
SIGNIFICANCE: To determine whether particular persons have used the Internet to commit crimes, and later to prove in legal settings that such crimes were committed, law-enforcement authorities have to track suspects’ Internet activities. This forensic work often requires tracing how suspects use the Internet.
Law-enforcement authorities can use Internet tracking and tracing to identify and prosecute persons who are responsible for irresponsible or malicious Internet activity. Internet tracking and tracing are used, for example, in the identification, capture, and prosecution of those who mount denial-of-service (DoS) attacks against online companies. In such attacks, the perpetrators attempt to stop particular Internet sites from functioning. In a DoS case that took place in February 2000, a number of websites—including those of Yahoo, CNN, and eBay—were overrun, and essentially disabled, by requests that were orchestrated by a young boy in Montreal, Canada, who used the name “Mafiaboy.”
![Connected world. By Junior Melo (Own work), CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0), via Wikimedia Commons](https://imageserver.ebscohost.com/img/embimages/ers/sp/embedded/89312238-73973.jpg?ephost1=dGJyMNHX8kSepq84xNvgOLCmsE2epq5Srqa4SK6WxWXS)
Agents for the Federal Bureau of Investigation (FBI) and the Royal Canadian Mounted Police (RCMP) began to suspect that Mafiaboy was behind the DoS attacks after they tracked activity in an Internet chat room. After they established that Mafiaboy was a suspect, they used standard software to trace his URL (uniform resource locator)—that is, his online address—and obtain his Internet protocol (IP) address. With this information, they obtained permission to tap the suspect’s telephone and recorded his descriptions of the DoS attacks in subsequent phone conversations. Mafiaboy ultimately pleaded guilty to fifty-six charges related to his DoS attacks. Although estimates differ, it is generally agreed that his attacks caused more than one million dollars’ worth of damage to the companies he victimized.
Tracking and Tracing Tools
The activities of Internet tracking and tracing are often done by humans. For example, undercover agents might pose as children in online chat rooms to catch child predators. Humans also inspect Internet log files heuristically to detect the misuse of browsers to search the Internet for illegal items such as drugs and weapons.
Many of the forensic tools used for Internet tracking and tracing are computer programs that are designed to search chat rooms, websites, and email automatically. For example, the social media platform MySpace, which was popular in the 2000s, partnered with Sentinel Tech Holding Corporation to build a sexual predator database and search program that could automatically discover sexual predators using MySpace. The effort was so successful that several state attorneys general demanded and received predator information from MySpace to assist in the prosecutions of sexual predators in their states.
The most popular social media platform, Facebook, which began operation in 2004, has battled numerous issues with customer privacy in its first two decades of existence. According to Facebook’s terms of service, the platform stores various information for different lengths of time and says it will turn over information to law enforcement with the proper subpoenas, court orders, or search warrants. The social media platform also said it will release information immediately in cases where a child is endangered or a person is in danger of imminent harm. Facebook contends it will immediately turn over information on potential child sexual exploitation to the National Center for Missing and Exploited Children (NCMEC).
“Honey pots” are network resources that law-enforcement authorities use to fool potential online attackers into thinking they can easily perpetrate attacks; the authorities then let the attacks occur and collect important information about the attackers from these activities. Most honey pots are websites, but a number of wireless access-point honey pots have been developed to defend against those attacking wireless networks. Honey pots have been very successful tools for the early identification of computer hackers and crackers.
Tracking Individual Users
Employers and concerned parents of Internet-using children sometimes use Internet tracking to detect and then prevent or control undesirable Internet behavior. This type of tracking is generally done at individual computers with software programs that record every keystroke made by users. Individual Internet tracking software packages record such information as instant messages, chat, and emails sent and received; peer-to-peer file searching and swapping; Internet search strings typed; Internet sites visited; and web-oriented programs used. By installing an individual tracking package on each computer, a company can encourage all employees to make proper use of the Internet, catch those employees who abuse the Internet, and document the company’s efforts to secure its computer systems.
Home and corporate products aimed at defending against malware (malicious software, including viruses and worms) often have databases of dangerous sites that function to stop users from visiting those sites. These software packages also keep records of users’ attempts to access forbidden sites, such as pornography sites; this could be valuable information for parents, employers, or law-enforcement agencies if they need to prove that particular users have been misusing their Internet access.
Tracking at Routers and Firewalls
Some of the most important Internet tracking done by organizations takes place at border routers and firewalls, where it is routine to inspect all incoming Internet traffic. If a firewall serves as a bastion host, for example, it will check all requests of the corporate web server for known attackers. Also, all emails arriving at an organization’s email post office are usually checked for viruses, with attachments opened and scanned as well. In addition to tracking incoming traffic, it is common for computer systems to track outgoing traffic as well. Some famous cases in which the American public has been made aware of this type of tracking have occurred at the White House. During the Clinton administration, the White House email archives were important because they allowed the tracking of communications between President Bill Clinton and intern Monica Lewinsky. During the presidency of George W. Bush, the log files of official and unofficial White House email traffic appeared to be significant in the investigation of the firings of several federal attorneys.
Internet tracing to determine all routers used in the sending of web requests or emails is also an important activity carried out by both individuals and organizations, including law-enforcement agencies. Numerous computer programs have been designed to carry out automatic traces to find the home addresses of online attackers or email senders. For example, several Internet security packages intended for home use can provide the home IP addresses of suspected web server attackers with a simple mouse click on the URL.
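The email side of the tracing described above can be reproduced from a message's own Received headers, which each mail relay prepends as it passes the message along. The following is an added example, not part of the original article; the sample message, its host names and the `trusted_relays` parameter are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
# Constructed sample: reserved example domains and documentation addresses.
RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.25])
\tby inbox.example.org with ESMTP id C3; Mon, 03 Jun 2024 10:00:09 +0000
Received: from relay.example.com (relay.example.com [203.0.113.7])
\tby mx.example.net with ESMTP id B2; Mon, 03 Jun 2024 10:00:05 +0000
Received: from workstation (unknown [192.168.1.44])
\tby relay.example.com with SMTP id A1; Mon, 03 Jun 2024 10:00:01 +0000
From: sender@example.com
Subject: constructed sample

body
"""
HOP_RE = re.compile(r"from\s+(\S+)\s+\([^\[\]]*\[([0-9A-Fa-f.:]+)\]\)"
                    r"\s+by\s+(\S+).*;\s*(.+)$")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def trace_hops(raw, trusted_relays=()):
    """Return hops oldest-first; every relay prepends its own Received line."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue  # unparsable line: skip it rather than guess
        from_host, ip, by_host, stamp = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
            when = parsedate_to_datetime(stamp)
        except (TypeError, ValueError):
            continue  # malformed address or date: not usable as evidence
        hops.append({"from": from_host, "ip": ip, "by": by_host, "time": when,
                     "internal": any(addr in net for net in RFC1918),
                     "trusted": by_host in trusted_relays})
    return hops

def boundary_hop(hops):
    """Deepest hop in the unbroken run of trusted relays, counted from delivery."""
    boundary = None
    for hop in reversed(hops):  # newest first
        if not hop["trusted"]:
            break  # older lines came from the sending side and can be forged
        boundary = hop
    return boundary
```

The address recorded by the boundary hop is the last one the receiving organization logged itself; anything older in the chain needs corroboration from the upstream relay's own logs.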
The US government tracks web activity and email use as part of ongoing efforts to defend against potential terrorist threats. For example, for a period the FBI used a system known as Carnivore to monitor emails sent and received as a tool for identifying, deterring, and prosecuting terrorists. Public uproar over the use of such a system caused the government to drop the project, but the FBI is reported to have replaced Carnivore with commercial products that collect much of the same desired information.
The exponential increase in mobile technology and mobile devices in the first decades of the twenty-first century made legal issues concerning online tracking and tracing more complex, but legal procedures still adhered to long-standing practices. For example, police are able to trace an IP address to solve a crime, but they cannot do so unless they have reasonable suspicion it was used for illegal activity. A 2024 federal court ruling also found that police can compel people to unlock their cell phones and reveal pertinent data as part of an investigation.