# IP addresses and electronic evidence

---

## A quick primer on IP addresses
---

### The Internet uses alphanumeric strings for addressing

But humans are (typically) better with words (e.g. google.com / decoded.legal)

The domain name system converts words to alphanumeric strings

---

### The domain name system

---

`decoded.legal. 3285 IN AAAA 2001:8b0:836:13:6f6:a167:3f62:b12e`

---

### IP addresses identify an interface on a computer system

A computer system may have more than one interface

Interfaces can be virtual as well as physical

---

### Example (legacy) IPv4 address: 203.0.113.157

---

### IP addresses should be unique globally

But there are not enough (legacy) IPv4 addresses to give one to every interface

So we have a concept of private Internets (RFC 1918) and Network Address Translation

These IPv4 addresses are *not* globally unique

---

### Example IPv4 RFC 1918 / private internets address: 192.168.1.49

---

### And we now have IPv6

---

### Example IPv6 address: 2001:db8:1e7:115:403:9457:df8:7902/128

---

## Key point #1:

## IP addresses are allocated to interfaces, not humans

---

### Why does this matter?

When presented with a claim purporting to show that an IP address shows that a *person* did something, be careful.

What proves that *that person* did something?

---

### What evidence links *that person* to *that activity*?

And not, for example, a visitor to someone's home?

Or a family member who borrowed a phone?

Or malware on the defendant's computer?

---

## Key point #2:

## Ensuring the time is right can be vital

---

### Let's play through an example

---

### Police have obtained server logs

`203.0.113.157 - - [16/May/2022:18:35:05 +0100]`

They identify which Internet Service Provider was allocated that IP address

They ask the ISP to which subscriber that IP address was assigned at that time

---

### Depending on the network, a few seconds may make a difference

It might have been allocated to a different user

---

### Is the server's timestamp correct?

---

### Is the ISP's time logging correct?

---

### Has the prosecution handled timezones correctly?

---

### What corroborating evidence is presented?

"Single-strand" IP address evidence may be risky

---

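The lookup described under Key point #2, as an added example that is not part of the original slides: it converts the slide's log timestamp to UTC and shows how a few seconds of clock error, or a dropped `+0100` offset, changes which subscriber the ISP's records point to. The ISP assignment records, subscriber labels and skew values are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: the log line is the one on the slide; the ISP
# assignment records, subscriber labels and clock tolerances are assumptions.
LOG_LINE = "203.0.113.157 - - [16/May/2022:18:35:05 +0100]"
ISP_RECORDS_UTC = [  # (ip, subscriber, lease start, lease end), all in UTC
    ("203.0.113.157", "subscriber-A", "2022-05-16 16:10:00", "2022-05-16 17:35:03"),
    ("203.0.113.157", "subscriber-B", "2022-05-16 17:35:04", "2022-05-16 18:15:00"),
    ("203.0.113.157", "subscriber-C", "2022-05-16 18:20:00", "2022-05-16 18:50:00"),
]

def parse_log(line):
    """Return (ip, timezone-aware UTC datetime) from a common-log-format prefix."""
    ip = line.split()[0]
    stamp = line[line.index("[") + 1 : line.index("]")]
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when.astimezone(timezone.utc)

def candidates(ip, when_utc, records, skew_seconds):
    """Subscribers whose lease overlaps the event time +/- combined clock error."""
    lo = when_utc - timedelta(seconds=skew_seconds)
    hi = when_utc + timedelta(seconds=skew_seconds)
    found = []
    for rec_ip, subscriber, start, end in records:
        s = datetime.strptime(start, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        e = datetime.strptime(end, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if rec_ip == ip and s <= hi and e >= lo:
            found.append(subscriber)
    return found

def naive_lookup(line, records):
    """The mistake: drop the +0100 offset and treat 18:35:05 as if it were UTC."""
    ip, _ = parse_log(line)
    stamp = line[line.index("[") + 1 : line.index("]")].rsplit(" ", 1)[0]
    wrong = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S").replace(tzinfo=timezone.utc)
    return candidates(ip, wrong, records, 0)

if __name__ == "__main__":
    ip, when = parse_log(LOG_LINE)
    print("event (UTC):", when.isoformat())
    for skew in (0, 2, 5):
        print(f"skew +/-{skew}s ->", candidates(ip, when, ISP_RECORDS_UTC, skew))
    print("offset ignored ->", naive_lookup(LOG_LINE, ISP_RECORDS_UTC))
```

---
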
# The end.
---

### Image credits

[*Turned on Black Laptop Computer*, by Ingnio Studio](https://www.pexels.com/photo/turned-on-black-laptop-computer-665214/)

[*People Silhouette during Sunset*, by Min An](https://www.pexels.com/photo/people-silhouette-during-sunset-853168/)

[*Round Silver-colored Chronograph Watch*, by Mat Brown](https://www.pexels.com/photo/round-silver-colored-chronograph-watch-552598/)

[*People at Theater*, by Monica Silvestre](https://www.pexels.com/photo/people-at-theater-713149/)