Even if you feel you are an experienced cyber crime investigator, it never hurts to review what you know and maybe learn something new.
I’m going to highlight a case I worked on earlier this year, one involving a cyberstalker located in Australia.
Case #1

Victim: KB, female, lives in Wisconsin
Cyberstalker: unknown to the victim, lives in Australia

Victim posted a comment about an article located on Buzzfeed at http://www.buzzfeed.com/ryanhatesthis/this-is-what-happens-when-anonymous-accuses-you-of-faking-a
As a result, someone took offense to her comments and began harassing her in the Comments section, then escalated to stalking her on her Facebook, Twitter and Myspace accounts, as well as via email. The cyberstalker found personal information about the victim online, such as her home address, phone number and photos, posted all of it online, and encouraged others to harass her as well. Luckily, most online users took offense to this tactic and pushed back against the cyberstalker. Emails sent to the victim showed that the messages originated from Australia.
Complaints were filed with Buzzfeed, Facebook, Twitter, Myspace and the cyberstalker’s ISP. The victim also changed her profile photos to something generic, locked down privacy settings on all her accounts and blocked/ignored the cyberstalker. Buzzfeed removed the harassing comments and Facebook and Twitter warned the cyberstalker to stop or their accounts would be removed. The ISP involved canceled the cyberstalker’s account.
So, how was the email traced to the cyberstalker’s ISP? Email headers contain much more than the TO, FROM, DATE and SUBJECT lines. Once you have activated what is called full headers, you need to find the originating IP address. An IPv4 address is written as four sets of numbers separated by dots, with one to three digits in each set.
I’ll use an example here (not the original from the case, due to privacy reasons). I’ll use a SPAM email I received.
Normal headers usually look like this:
Date: Wed, 13 Nov 2013 07:03:34 -0800
From: Dr.Oz Weekly Clip <AbrahamTyler@caseunsteadily.com>
Subject: Trim 18-pounds without physical activity
To: <awriter@ >
When full headers are activated, they look like this:
X-Persona: <JAHitchcock>
Return-path: <AbrahamTyler@jazzmotorsports.caseunsteadily.com>
Envelope-to: awriter@
Delivery-date: Wed, 13 Nov 2013 09:03:35 -0600
Received: from jazzmotorsports.caseunsteadily.com ([184.108.40.206]:56070) by gator3186.hostgator.com with esmtp (Exim 4.80) (envelope-from <AbrahamTyler@jazzmotorsports.caseunsteadily.com>) id 1Vgbyh-0002fF-77 for email@example.com; Wed, 13 Nov 2013 09:03:35 -0600
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Date: Wed, 13 Nov 2013 07:03:34 -0800
From: Dr.Oz Weekly Clip <AbrahamTyler@caseunsteadily.com>
Message-ID: <firstname.lastname@example.org>
Reply-to: <AbrahamTyler@caseunsteadily.com>
Subject: Trim 18-pounds without physical activity
To: <awriter@ >
X-Spam-Status: No, score=-0.2
X-Spam-Score: -1
X-Spam-Bar: /
X-Spam-Flag: NO
Work from the bottom up. Each mail server that handles a message adds its own Received: line above the ones already there, so the lowest Received: from line is the earliest hop and usually shows the originating IP address. In this case that is 220.127.116.11. Keep in mind that only the Received: line added by your own mail provider (the top one) is guaranteed to be genuine; a sender can insert fake Received: lines beneath it, so check that the lines form a consistent chain before relying on the bottom one.
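As an added example (not code from the article or from WHOA), the script below does the bottom-up Received: scan just described on the article's own sample headers and on a constructed two-hop message. It assumes the full headers are available as plain text; the hostnames and addresses in the second sample are made up (RFC 5737 documentation and RFC 1918 private ranges). It goes a little beyond the article's single-line case: it skips private LAN addresses, which no WHOIS can attribute, and lists every hop bottom-up so you can see which Received: line was written by your own provider.

```python
import email
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed test input: the Received:/From:/Date: lines as printed in the article
# (the addresses there are the article's own sample values), trimmed to the headers
# this script needs. Folded continuation lines start with a tab, as in real mail.
SAMPLE_HEADERS = (
    "Return-path: <AbrahamTyler@jazzmotorsports.caseunsteadily.com>\n"
    "Received: from jazzmotorsports.caseunsteadily.com ([184.108.40.206]:56070)\n"
    "\tby gator3186.hostgator.com with esmtp (Exim 4.80)\n"
    "\t(envelope-from <AbrahamTyler@jazzmotorsports.caseunsteadily.com>)\n"
    "\tid 1Vgbyh-0002fF-77; Wed, 13 Nov 2013 09:03:35 -0600\n"
    "Date: Wed, 13 Nov 2013 07:03:34 -0800\n"
    "From: Dr.Oz Weekly Clip <AbrahamTyler@caseunsteadily.com>\n"
    "Subject: Trim 18-pounds without physical activity\n"
    "\n"
)

# Constructed two-hop case (made-up hostnames, RFC 5737 documentation address for the
# relay): the bottom line names a LAN address that no WHOIS can attribute, so the scan
# must move up one hop before it finds an address worth looking up.
TWO_HOP_HEADERS = (
    "Received: from mail.relay.example ([198.51.100.23])\n"
    "\tby mx.recipient.example with esmtp id CONSTRUCTED-1; Wed, 13 Nov 2013 09:05:00 -0600\n"
    "Received: from laptop.lan ([192.168.1.20])\n"
    "\tby mail.relay.example with esmtp id CONSTRUCTED-0; Wed, 13 Nov 2013 09:04:58 -0600\n"
    "Subject: constructed sample\n"
    "\n"
)

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Addresses WHOIS cannot attribute to a sender: private LAN ranges, loopback, link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def unfold(value: str) -> str:
    """Join a folded header (continuation lines begin with whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def is_routable(ip: str) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def parse_hop(received_value: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (client_ip, receiving_host) for one Received: line.

    The connecting client is named in the 'from ...' clause, which precedes 'by ...',
    so only that part is searched for an address."""
    value = unfold(received_value)
    from_part = value.split(" by ", 1)[0]
    client_ip = None
    for cand in IPV4_RE.findall(from_part):
        try:
            ipaddress.IPv4Address(cand)  # rejects octets over 255
        except ValueError:
            continue
        client_ip = cand
        break
    by_match = re.search(r"\bby\s+(\S+)", value)
    return (client_ip, by_match.group(1) if by_match else None)


def hop_table(raw_headers: str) -> List[Tuple[Optional[str], Optional[str]]]:
    """All hops listed bottom-up (earliest first).

    Each server prepends its own Received: line, so the last entry here is the one
    written by the recipient's own mail provider: the only hop the sender could not forge."""
    msg = email.message_from_string(raw_headers)
    return [parse_hop(v) for v in reversed(msg.get_all("Received") or [])]


def originating_ip(raw_headers: str) -> Optional[str]:
    """The article's rule: the bottom-most Received: line, skipping addresses WHOIS can't attribute."""
    for client_ip, _ in hop_table(raw_headers):
        if client_ip and is_routable(client_ip):
            return client_ip
    return None


if __name__ == "__main__":
    for label, hdrs in (("article sample", SAMPLE_HEADERS), ("two-hop sample", TWO_HOP_HEADERS)):
        print(label, hop_table(hdrs), "->", originating_ip(hdrs))
```

Paste the full headers of the message you are investigating into SAMPLE_HEADERS (or read them from a file) and run the script; the hop list tells you where the trustworthy top hop ends and the sender-supplied lines begin.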
Now you need to take the IP address and put it into a WHOIS search engine. WHOIS is a directory of registered domain names and of who has been allocated each block of IP addresses; for IP addresses it is maintained by the regional registries (ARIN in North America, for example). While you may be seeing http://www.haltabuse.org in your web browser URL box, it actually resolves to a numerical IP address.
I personally like to use either whois.cyberabuse.org or whois.sc
Putting in .120.135.138 into whois.cyberabuse.org, I get the following results:
IP range : 18.104.22.168 – 22.214.171.124
Network name : HOSTNOC-5BLK
Infos : Network Operations Center Inc.
Infos : PO Box 591
Infos : Scranton
Infos : PA
Infos : 18501-0591
Country : United States (US)
Abuse E-mail : email@example.com
Source : ARIN
Now I have a contact email address and snail mail address to send a complaint to.
Sometimes whois.sc gives me more contact info, so putting 126.96.36.199 into their search engine, I get the same as above, but also a name and contact phone number:
Arcus, S. Matthew +1-570-343-2200
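Registries publish the same WHOIS data in a machine-readable form called RDAP, which is handy when you have many addresses to check. As an added example (not the article's or WHOA's code), the script below asks the registry for an address block and reduces the reply to what a complaint needs: the range, the network name and the abuse contacts. It assumes the public rdap.org redirector is reachable for live lookups; the record it actually runs against is constructed here to mirror the article's WHOIS output, with placeholder contact values, so it works offline.

```python
import ipaddress
import json
import urllib.request
from typing import Callable, Dict, List, Optional

# RDAP is the machine-readable successor to WHOIS; rdap.org redirects a query to the
# registry (ARIN, RIPE NCC, APNIC, ...) that holds the block. Assumption: the service
# is reachable. The worked example below feeds in a constructed record instead.
RDAP_URL = "https://rdap.org/ip/{ip}"


def fetch_rdap(ip: str, timeout: float = 10.0) -> dict:
    """Live lookup (needs network): the registry's RDAP record for one address."""
    ipaddress.ip_address(ip)  # refuse to build a URL from anything that is not an address
    req = urllib.request.Request(RDAP_URL.format(ip=ip),
                                 headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def jcard_field(vcard_array: list, name: str) -> Optional[str]:
    """Read one property ('fn', 'email', 'tel', ...) from an RDAP jCard,
    whose shape is ["vcard", [[name, params, type, value], ...]]."""
    for prop in vcard_array[1]:
        if prop[0] == name:
            return prop[3]
    return None


def walk_entities(record: dict):
    """Yield every entity, including those nested under an organisation entity."""
    for ent in record.get("entities", []):
        yield ent
        yield from walk_entities(ent)


def complaint_contacts(record: dict) -> Dict[str, object]:
    """Reduce an RDAP IP record to what a complaint needs: range, network name, abuse contacts."""
    abuse: List[Dict[str, Optional[str]]] = []
    for ent in walk_entities(record):
        if "abuse" in ent.get("roles", []) and "vcardArray" in ent:
            card = ent["vcardArray"]
            abuse.append({"name": jcard_field(card, "fn"),
                          "email": jcard_field(card, "email"),
                          "phone": jcard_field(card, "tel")})
    return {"range": f"{record.get('startAddress')} - {record.get('endAddress')}",
            "network": record.get("name"),
            "abuse": abuse}


def lookup(ip: str, fetch: Callable[[str], dict] = fetch_rdap) -> Dict[str, object]:
    """Look an address up and summarise it; 'fetch' is injectable so tests stay offline."""
    return complaint_contacts(fetch(ip))


# Constructed record shaped like a registry reply, filled with the range and network
# name from the article's WHOIS output; the contact name, e-mail and phone are placeholders.
CONSTRUCTED_RECORD = {
    "handle": "NET-CONSTRUCTED",
    "startAddress": "18.104.22.168",
    "endAddress": "22.214.171.124",
    "name": "HOSTNOC-5BLK",
    "entities": [{
        "handle": "ORG-CONSTRUCTED", "roles": ["registrant"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Network Operations Center Inc."]]],
        "entities": [{
            "handle": "ABUSE-CONSTRUCTED", "roles": ["abuse"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["fn", {}, "text", "Abuse Desk (placeholder)"],
                                     ["email", {}, "text", "abuse@example.invalid"],
                                     ["tel", {"type": "voice"}, "uri", "tel:+1-555-0100"]]],
        }],
    }],
}


if __name__ == "__main__":
    # Offline demonstration; replace the lambda with the default fetch_rdap for a live query.
    print(json.dumps(lookup("18.104.22.168", fetch=lambda ip: CONSTRUCTED_RECORD), indent=2))
```

The abuse contact the registry lists is the starting point for a complaint; as the article notes, the contact a law enforcement officer actually needs may differ, so cross-check it against the ISP list at haltabuse.org.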
Usually, a phone call from law enforcement asking the ISP what it needs goes a long way toward getting the ball rolling to stop the cyberstalker. Some ISPs will ask for proof, such as the emails with full headers, a link/URL to the harassing posts or where else the harassment has occurred. Some ISPs will only help with a subpoena or court order. Sites such as Facebook have specific guidelines for law enforcement. We have a link to those, as well as other web sites, at http://haltabuse.org/cops/links.html. We also have a list of ISP contact information at http://haltabuse.org/cops/isplist.html (the password is cops). Sometimes what we have listed is more relevant to law enforcement and better contact info than what you get from WHOIS.
The results in this case were that the victim was safer online with the changes she made and she has learned not to keep defending herself if someone harasses her online, but to ask them to stop and report them to the correct web site/people. The cyberstalker stopped. They lost their account from their ISP – we have found that most cyberstalkers stop when they are caught and punished. But there are those who take it a step further and may confront the victim in real life. Luckily, that does not happen very often.
About the author:
J. A. Hitchcock is an author and cyber bullying and cyber crime expert. She volunteers with the U.S. DOJ Office for Victims of Crime, the National Center for Victims of Crime, and law enforcement agencies worldwide. She has worked tirelessly with legislators in the drafting and passing of many of this country’s Internet laws.
As president of WHOA (Working to Halt Online Abuse) at haltabuse.org and WHOA-KTD (Kids/Teens Division) at haltabusektd.org, J.A. continues a mission to educate adults and children in online safety.
J.A. conducts law enforcement training for local, county, state, military and federal agencies. Her speaking schedule on cyber crime and cyber bullying includes elementary/middle/high schools, universities and colleges. She also lectures at libraries, conferences, and corporations. She has been featured on Swift Justice, America’s Most Wanted, 48 Hours, Good Morning America, Cosmopolitan and TIME magazines, and local, national and international newscasts, and was selected by Lifetime TV as their “Champion For Change.”
J.A.’s ninth book, True Crime Online: Shocking Stories of Scamming, Stalking, Murder and Mayhem is now available (truecrime-online.com). She is also on the editorial board of the International Journal of Cyber Crimes and Criminal Justice and a member of Operations Security Professionals Society, Sisters In Crime (national and New England), Maine Writers & Publishers Alliance, National Rifle Association (Life Member), The American Legion, and 3rd Marine Division Association (Life Member).