Hello sir, please make a playlist in sequence. It is not in sequence, so it's quite difficult to understand which video to play first.
This is super interesting. Can ISP (internet service provider) information be enough to prove someone was responsible for a crime without checking their physical computer? And can ISP logs alone be enough evidence for prosecution, again without physical evidence of seized devices?
Great question! That would be very, very difficult to link a person to the crime only with ISP logs. You would have to show that no one else could have used the internet connection. That includes someone taking over the subject's computer/network remotely. Imagine your neighbor accessed your WIFI and did a crime. The ISP could see that something happened, but investigators would have to prove that it was you. Traces from the ISP would not be enough, so they would have to look further, like at a computer or WIFI AP.
@@DFIRScience Oh ok, and also could certain ISP log situations, such as someone using the dark web to purchase drugs or illegal stuff and then logging into their social media straight after, multiple times, be enough to prosecute without seizing the device? Or would they have to raid and search the device for 100% proof? Thanks for replying.
@@bennybenny7382 It is possible to build a strong enough case without having a suspect's device. Most likely it would include physically monitoring the suspect and working with the ISP to coordinate. Not impossible to do it without the device, but usually much more time-consuming.
@@DFIRScience Oh right, as in physically monitoring, do you mean undercover, like in a vehicle outside the person's home, or somehow remotely accessing someone's computer?
@@bennybenny7382 Both are possible, but remotely accessing someone's computer is less likely than watching their house if the suspect is already known. Remote access gets into wire-tapping legislation and more. It's very difficult and time-consuming, so the suspect must be doing something that is worth the effort (terrorism, drugs, etc).
The thing to remember is that we have to put the suspect at the keyboard. That is one of the hardest parts of cybercrime investigation. Just from ISP logs it is very difficult to say WHO visited a website. All we can say is that a website was visited. Other investigations/monitoring will be needed to establish the 'who'.
Great info
Hi bro
I have replied to you in the comments (where we interacted), but I am no longer able to post a reply, meaning after posting the reply I am not able to see it after refreshing?
During a computer investigation, is it normal procedure to check the suspect's social media as well?
Searching for additional information about the suspect is very common. There should be an SOP for how to search social media, but that doesn't mean that it would be used in every case. Much of the time investigation questions can be answered just with the computer/phone.
@@DFIRScience How often are preservation letters for social media accounts usually sent and when? Is it automatically sent before a search and seizure? If not, why so?
@@glauschtuckfereind5705 Preservation requests should be sent as soon as you know where the data is located. Law Enforcement don't usually search and seize social media companies unless they are complicit in the crime or incapable of providing the data themselves. After a preservation request, law enforcement put in a formal request for data (depending on their legal system and that of the SM company), then the SM company will provide the data if it is lawfully requested... sometimes. The preservation request just tells the SM company to make sure the data is not deleted before the official request can be made.
Instead of saying "Guide the reader's own conclusions by providing the evidence" @ 18:19
Would it not be more accurate to say
"Allow the reader to reach their own conclusions by providing the evidence".
This way it sounds less like you're influencing a narrative, and just presenting facts.