Tracing the location of a mobile IP from an email

  • I'm a TV scriptwriter - and not hugely tech-savvy, so please bear with me...

    If the police have an email, sent by a suspect over a 3G or 4G network, could they use the IP address (since they know when it was sent) to find out - from the service provider - the precise location the email was sent from?

    +1 for scriptwriters asking for information on this SE.

    As a moderator here, let me say WELCOME! We have many discussions about our frustrations regarding how the media represents basic security concepts. I'm sure you will get lots of responses.

    I just tried that from the mobile. I sent a mail via Gmail and it contains the IP address I had at the time of sending, so the provider knows the location of my mobile. On the other hand, my mobile must not be nearby me.

    Thank you for not being another "hack the mainframe" writer

    I feel like we need to ask about your sender, here. Are they an 'adversary', and attempting to remain hidden? Just a normal person using a phone, on their regular account? Something else? In the first case, there's a number of steps that could be taken to reduce the chance of being located to ~0%.

    If the *device* IP is known, and it was a mobile network, then the ISP may associate it with IMEI of the device and MAC address, and if it was continuously recording location (by triangulating the phone from several cell towers — if it's a *suspect*, then it's likely), then a location could be retrieved from the log, too. Precision can sometimes be very good — up to a few meters.

    What country is the suspect suspected to be in? Also, what country are the investigators? Different countries have various laws about data capture and retention. Then there is the presence of transparent mobile comm towers, which are normal comms towers managed by various forces which capture all data traffic sent through them on its way to its destination. The UK Govt have confirmed the police control such towers but won't specify what other forces have access to them, and where they are placed. This means that if such a tower was used, the service provider wouldn't need to be contacted.

    Firstly - thank you all for the replies. And apologies for my tardy response - I thought I'd set up some kind of alert. (I did say I wasn't tech-savvy...!) I'm in the UK, but it's sounding like - realistically - you couldn't track where an email was sent from over 4G (not to an actual pinpoint precise address, anyway, which is what I was going for. But WAY better to find this out now than trying to sort later). I'll have to find another workaround - much appreciated again folks xx

    You *could* easily just use a smartphone running Tor, an uncrackable anonymization service, even to the NSA. And the email service could scrub the IP. More likely, the suspect would use something more secure than email like Tor messenger.

    Relevant: http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/ (maybe less so for mobile, or maybe more so). Alternatively, you could make it a plot point that they get the *wrong* location trying this technique. =D

    You just need to learn some Visual Basic.

    (re-commenting since I've noticed some humourless moderator quietly removed my last attempt at some point without so much as a peep back to me about it - ask first if you don't get it)

  • The problem with this scenario is that emails are typically not sent from the device itself, but from a central service.

    In order to do what you want, the investigators would have to make a few hops:

    1. to the email service (gets the user account details, including the IP the user used to connect with)
    2. to the ISP the device used at the time of sending (gets the general location of the connecting IP, or if lucky, the known IP of the user's home)

    At best, using 3G/4G, investigators might get the cluster of towers the user was in the middle of. No exact location.

    BUT, with all that info, it might be possible for investigators to breach the phone's data or the user's other accounts and determine the location of the device using the multitude of location services modern devices have (Find My Phone, Facebook, Instagram, etc.) (Insert a whole host of legal issues currently in the news, like Stingray).

    Edit:

    You don't specify the country (or reality) you are dealing with. There are some countries that have set up massive detection nets so that every mobile device is physically tracked no matter where it goes. That way, investigators can have a real-time, accurate map of a particular device at any time.

    Which countries have such nets?

    I am interested in that "massive detection nets" you talk about. Could you provide more reference?

    @schroeder Many times, the central server in your first statement log and record what IP address originated the email request. An email I received this morning from someone sending from an AWS EC2 instance through Gmail had this in the header: `Received: from sender.com (ec2-1-2-3-4.us-west-2.compute.amazonaws.com. [1.2.3.4]) by smtp.gmail.com with ESMTPSA id b64123456789abcd.2016.05.26.14.51.25 for `

    @uxp absolutely - but mobile?

    @schroeder What's the difference? If a user of Gmail/Hotmail/etc sends an email via their phone's email app, they're connecting, authenticating, and communicating in the exact same way a python script running on EC2 is. If they're connecting via their provider's native app, then the provider will additionally know what IP they are authenticating with, if not more metadata, than if they visited the provider's webmail app on their phone. I'm 90% sure even webmail sent from Gmail includes the browser's IP. All of this disregarding any proxy/obfuscation, of course.

    Right. Even if the connecting IP isn't in the email headers, the mail provider will have it logged and will be able to produce it for law enforcement easily enough. Then they can go straight to the carrier and ask where the phone was or is.

    Russia, USA, China.

    Also probably the UK. We sort of know the monitoring stations exist but we're not entirely sure of their capabilities. Also, unlike the US, nobody's come forward claiming to have installed government controlled routers and switches into privately owned telco networks. Although, to be fair, given the secrecy it's unlikely the operators of UK's ECHELON networks will share info with the police. They might share them with US federal agents.

    @slebetman: actually, it's much worse. Not only the US and UK.

    From your answer I guess it would be a precise location. How about a scheduled message triggered at a particular location, and the hacker left the area?

    Those detection nets are now experimented with in busy shopping streets as well. At least Citytraffic does this and something like this has been done with WiFi for a while now. Link (in Dutch).

  • If the police have an email, sent by a suspect over a 3G or 4G network, could they use the IP address (since they know when it was sent) to find out - from the service provider - the precise location the email was sent from?

    Yes, this is very easy. However... the key word here is "precise location." Not exactly. Not unless the phone is hacked.


    Government Options

    If you're looking for evidence of governments assisting law enforcement with locating devices, then you'd be looking for the NSA's Treasure Map program. This is available to cleared law enforcement personnel, mostly FBI/DEA, but I wouldn't be surprised if they also assist local law enforcement.

    The NSA shares intelligence data with local law enforcement and helps them utilize parallel construction to make their cases.


    ISP & Normal Law Enforcement options

    Schroeder covered this pretty well, but let me add to it:

    Since you're writing for TV, I feel you should know this part to make it seem more realistic. Anyone can walk into Walmart and buy a throwaway smartphone or dumbphone. From there, they can go to the nearest open wifi, and register under fake credentials. Fake name, fake address, fake everything else. And they can use a prepaid credit card that they purchased with cash to register the device(s).

    So you won't be able to find their actual address, or even know who they are, unless you hack the phone (normally a smartphone).

    However, if you know the general time-frame that someone bought and created the account, you can request evidence from Walmart, and they're usually almost always happy to help law enforcement. They'll be able to review the security footage to see who bought that device, and when.

    But how will they find the time frame? Walmart, and other major retailers, keep track of when things are sold, right down to the very minute. You know when you return an item? They know, because the information is stored in their databases, and looking up the bar code of the receipt is possible. It shows when the purchases happened.

    Doing a bit of investigation will probably reveal that the account for that phone was registered at a specific time. If the phone was registered at a specific time, then it may be likely that the perp purchased that phone at a nearby store.

    Bringing up a list of stores in close proximity to the open wifi where you registered the phone may reveal where the perp purchased the device. You can then go in and request security footage to look for anyone purchasing the phone(s) in the electronics departments. Better yet, the place with open Wi-Fi may have you on camera at the time you registered.


    Other Perp-Locating Options

    And then there's Stingray, an IMSI-Catcher.

    Since you know the perp's IP, you can likely find the perp's carrier. With the perp's carrier providing the phone number used by that IP address on their network, bringing up your actual cell phone number is not hard. In fact, if you know of an area that the perp has hung out at, you can use a Stingray device to perform a man-in-the-middle attack on the suspect without him realizing it.

    Every mobile phone has the requirement to optimize the reception. If there is more than one base station of the subscribed network operator accessible, it will always choose the one with the strongest signal. An IMSI-catcher masquerades as a base station and causes every mobile phone of the simulated network operator within a defined radius to log in. With the help of a special identity request, it is able to force the transmission of the IMSI.

    An IMSI catcher is an incredibly easy-to-use, one-button-fatality-man-in-the-Middle-attack-in-a-box. It allows law enforcement and intelligence agencies to act as a tower to catch communications. Having personally seen one in use, I can attest to their effectiveness.

    Using normal tools, even those that don't require the help of the NSA, providers can generally help you find the location of any given phone at any given time. It knows the closest tower you're connected to at that time.

    If you're able to force the location feature to turn on, which law enforcement can do... how do you think 911 finds you when you can't tell them where you are because you don't know? They can know the general area you're at, within a few hundred feet.


    IP Address Geo-Location in USA and China. NEVER rely on this!

    While, yes, it's certainly possible to geolocate a phone's IP address, you should not rely on this because the information returned can be wildly incorrect. Your assigned IP address, even if you're somewhere else at the moment, could be shown as elsewhere.

    In fact, when I travel all over the place, and tried to geolocate my IP address, it was always located in the city I registered in. I've tested this both in China, and in the USA. I could be 2000 miles away, but the phone's IP address geolocates to a different state/province.

    Can normal citizens buy that device, as that device can also be used to do a type of fraud? Let's say we install that device; now phones around that device (fake base station) will try to log in with that device and the login credentials can be saved on the computer, and later a device and SIM card can be created with that data (like phishing on the web).

    I don't think that things like Stingray and IMSI catcher can work backwards in time, can they?

    Treasuremap, xkeyscore and prism do. But this is how you'd catch a perp in real time.

    I think your prepaid cc angle is busted. Last I checked they come empty. You have to use another credit card online to charge them. l0) Also, might be interesting to explore the inability to access the carnivore records and the need to use a hack. E.g. 60 minutes had a recent piece where some security researchers cracked into a congressman's phone, as a test, with his permission. The script might have a PI using a network of clandestine hackers to track the bad guy. http://www.cbsnews.com/videos/hacking-your-phone. I don't know the law but think the carnivore is open to national security only.

    Another angle could be if they are in some common company. Companies often use MDA (mobile nanny software) and it could run all traffic through a proxy owned by the company which also logs stuff. So, it would know at least what worker sent the email and when and may could do some of the stuff the other people mention to find the location. Well, I think many if not most companies now track the PHONE location (maybe not legal to track the employee but do require always have phone and have it on :-). So, companies in service industry like repair would know exact location within meter or two.

    Prepaid 'burner' phones and their drawbacks when trying to get a real-time fix on them have been extensively (and quite accurately) covered by The Wire, a series from a couple of years back.

    Stingrays are controversial and secret enough that the FBI has at least considered dropping a case rather than telling the judge about it.

  • There's another common way that email leaks location information. If the email includes a photograph that was taken on a smartphone, the photo will usually have location information embedded. Since you're writing the story, you might contrive to have the sender email a photo for some reason.

    The JPEG standard (used for virtually all mobile phone photos) contains EXIF data by default. This is mostly technical information about the picture, but it includes all kinds of forensically relevant details, including the camera's make, model, and serial number, the user's name, the f-stop, shutter speed, and the exact time the photo was taken. When the photo is sent, or uploaded to a photo sharing service, all that EXIF data invisibly travels with the image.

    Most phones with cameras and GPS units, including all iPhones and Android phones, can include the precise lat/lon coordinates of where the photo was taken. This is called geotagging, and the data is inserted along with the rest of the EXIF data. This option may be turned on by default or set when someone is setting up their phone, and most people are unaware it even exists.

    Having the phone include location data with the image is an option that can be turned off, and the EXIF data is easily removed. But I've found that most people prefer the convenience of having their photos geotagged, or they don't care about it and then forget it exists.

    Viewing the EXIF data is also very easy, as there are literally hundreds of phone apps and viewers available, many for free. Non technical people are able to use them, so it doesn't require a forensic scientist or computer nerd to be the one to "crack the case".
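
    As an added illustration of the geotagging described in this answer (not code from the original post), the Python below reads the GPS coordinates out of a JPEG's EXIF block and shows that removing the Exif segment removes them. The sample image bytes and coordinates are constructed for the example, and all function names are hypothetical.

```python
import struct

GPS_IFD_POINTER = 0x8825          # IFD0 tag that points at the GPS sub-IFD
EXIF_MAGIC = b"Exif\x00\x00"      # identifier at the start of an Exif APP1 payload


def _segments(jpeg):
    """Yield (marker, start, end) for each header segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while (pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF
           and jpeg[pos + 1] not in (0xD9, 0xDA)):   # stop at EOI / start of scan
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, 4 raw value-or-offset bytes)} for one IFD."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(endian + "HHI4s", tiff, offset + 2 + 12 * i)
        entries[tag] = (typ, n, raw)
    return entries


def gps_from_jpeg(jpeg):
    """Return (lat, lon) in decimal degrees, or None if no usable geotag exists."""
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_MAGIC:
            tiff = jpeg[start + 10:end]
            break
    else:
        return None
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return None
    try:
        magic, ifd0_offset = struct.unpack_from(endian + "HI", tiff, 2)
        if magic != 42:
            return None
        ifd0 = _read_ifd(tiff, ifd0_offset, endian)
        (gps_offset,) = struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2])
        gps = _read_ifd(tiff, gps_offset, endian)

        def degrees(value_tag, ref_tag):
            # Value is three RATIONALs (degrees, minutes, seconds) stored at an offset.
            (data_offset,) = struct.unpack(endian + "I", gps[value_tag][2])
            v = struct.unpack_from(endian + "6I", tiff, data_offset)
            deg = v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600
            return -deg if gps[ref_tag][2][:1] in (b"S", b"W") else deg

        return degrees(2, 1), degrees(4, 3)   # GPSLatitude/Ref, GPSLongitude/Ref
    except (KeyError, struct.error, ZeroDivisionError):
        return None   # truncated, malformed, or simply not geotagged


def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed."""
    out = bytearray(jpeg)
    for marker, start, end in reversed(list(_segments(jpeg))):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_MAGIC:
            del out[start:end]
    return bytes(out)


def build_sample_jpeg():
    """Constructed test input: SOI + one Exif APP1 segment + EOI, no image data."""
    def dms(d, m, s):
        return struct.pack("<6I", d, 1, m, 1, s, 1)

    # IFD0 at offset 8 holds one entry: the pointer to the GPS IFD at offset 26.
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI4s", 1, 2, 2, b"N\x00")   # GPSLatitudeRef
    gps += struct.pack("<HHII", 2, 5, 3, 80)          # GPSLatitude  -> offset 80
    gps += struct.pack("<HHI4s", 3, 2, 2, b"W\x00")   # GPSLongitudeRef
    gps += struct.pack("<HHII", 4, 5, 3, 104)         # GPSLongitude -> offset 104
    gps += struct.pack("<I", 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + dms(51, 30, 26) + dms(0, 7, 39)
    payload = EXIF_MAGIC + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("geotag in original:", gps_from_jpeg(sample))
    print("geotag after strip:", gps_from_jpeg(strip_exif(sample)))
```

    Running `gps_from_jpeg` over outgoing attachments is a quick way to check whether a phone or mail client is leaking coordinates before a photo leaves the device.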

    Note: Some mail providers (read as: 'way toooo much') remove EXIF data and modify (compress) attachments, especially images. At one of my jobs we used to send images with embedded data inside them but quickly found out many users experienced problems because mail providers were compressing images from incoming mails.

    @Rolfツ, sure, but this is for a TV script. The investigator only has to jump over the hurdles the scriptwriter puts in his or her way. :-) It also depends on whether the image is inline or an attachment. Most attachments aren't stripped like that.

    *Anybody* in their right mind will not enable access to location data by default when activating a new phone. A criminal being careful enough to buy a throwaway phone certainly won't.

    `This option is turned on by default` I'd say citation needed! Here in Europe, at least with Samsung Galaxy S4/5/7 devices I've seen from several different carriers, the option is turned off by default!

    @HagenvonEitzen, the average person who is caught committing a crime is not a career criminal, and rarely thinks to cover their tracks in advance of committing the crime. Besides, the request is for a TV script. The script writer can choose to make the person behave in any way they see fit.

    @AndrejaKo, noted and updated my answer.

    For those of you doubting the viability of this, it has happened: https://nakedsecurity.sophos.com/2012/12/03/john-mcafee-location-exif/

  • In addition to what @schroeder wrote, I would like to point out a few things about geolocation.

    Among other things, a CDR (Call Detail Record) contains information about the cell tower used by the mobile phone at the time. Note that a cell tower can cover an area of about one square mile, or more.

    In some countries, mobile operators might always be able to store (in other countries, this may only be possible with a warrant) the strength of the signal received by the closest cell towers. Under certain conditions, they can use triangulation in order to obtain a higher accuracy in the location from which the email was sent. In other countries, as I have already said, mobile operators might triangulate a user only after a warrant. In this case, the police may obtain the current position of the phone as follows:

    1 - Police obtains IP address from the email servers;

    2 - using the IP address, they identify the mobile phone;

    3 - police obtains a warrant, sends it to the operator, and if the phone is still on, they can triangulate it to its current position.

    Another thing that is theoretically possible works like this. Every device which can be connected to the Internet, including a smartphone, has a MAC address.

    Now, if you connect to a public Wi-Fi network, the access point (basically, the device which connects the users to an ADSL connection or whatever used by the Wi-Fi owner) may choose to log the MAC addresses of its users and store them for some time.

    If this is legal (no idea), and the log is stored for a long enough period of time, and if the mobile phone used that Wi-Fi network, the police may find the cell used by the mobile phone, ask the MAC address log to the access point owner (this may require a warrant, I really don't know) and confirm that the user actually used that Wi-Fi network. Since a typical access point has a range of 100 meters or so, this may narrow down the area. If the police are really lucky, they might even be able to identify the user (who may use a phone whose owner is another person, e.g. borrowed or stolen) by checking the footage from surrounding CCTV cameras.

    Please note that, in most cases, these investigations require a significant amount of luck, time, and/or warrants. Plus, a lot of these techniques can be defeated by a skilled criminal, so if the suspect is a "hacker" he/she can further complicate the process.

    But someone can also spoof a MAC address easily. As Android is open source, we can hard code a specific fake MAC address in the device (same way for IMEI and other info also).

    @Ravinder Payal I know, that's why I wrote the last sentence. It really depends on the skill of the suspect. If he is just a low-level criminal, with no technical skills, these techniques can work, otherwise they can be thwarted and the chance of locating the suspect almost drops to zero.

  • Earlier answers already describe the process of using triangulation to pinpoint the location of a specific phone better than I could describe it. However there is very little said about whether the investigators can figure out which exact phone the mail was sent from.

    In traditional mail services where the user runs an email client on their device and uses SMTP to send the email to the server, the server will usually include the IP address of the client in the mail headers.

    In cloud services where the user accesses email through a web browser or a vendor specific email app and uses HTTP or HTTPS to send the email to the server, the server will usually not include the IP address of the client in the mail headers.

    In the latter case it is very likely that with a warrant the investigator could get the IP address through the cloud service provider.

    But there is another question as to whether the IP address obtained in one of the two ways mentioned above will pinpoint the exact phone.

    If your story is set somewhere between 2010 and 2020 it is quite likely that the internet provider is using carrier grade NAT due to shortage of IP addresses. And this can get in the way of figuring out which phone was connected to the server.

    The eventual shortage of IP addresses was recognized by network engineers in the early 90s. By 1998 a solution was ready in the new IPv6 standard intended to replace the old IPv4 standard. But rather than working on the upgrade most internet providers have chosen to deploy carrier grade NAT instead, which will allow them to share a single IPv4 address between hundreds or thousands of users, though from the users' perspective this will be a bit less reliable.

    In case the internet provider the phone is connected to is already upgraded to the new IPv6 protocol, but the mail service only supports IPv4, the internet provider most likely uses NAT64. That is a kind of carrier grade NAT which happens to also translate packets between IPv4 and IPv6.

    In terms of your storyline, NAT64 would be no different from carrier grade NAT. Though there could be some interesting arguments between investigator, mail provider, and internet provider as to who is responsible for the inability to find out which exact phone the email originated from. The internet provider could make a sound technical argument that the responsibility lies with the mail provider for not upgrading to IPv6. The mail provider would argue that they plan to do that a few months after everybody else has done it.

    If you are going to have specific IP addresses show up in your script, there are three ranges of IPv4 addresses and one range of IPv6 addresses, you can use without worrying about the addresses belonging to somebody in particular.

    • 192.0.2.0 - 192.0.2.255
    • 198.51.100.0 - 198.51.100.255
    • 203.0.113.0 - 203.0.113.255
    • 2001:db8:: - 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff
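
    An added example, not part of the original answer: the Python below pulls the connecting address out of `Received:` headers like the one quoted in an earlier comment and flags the case where the client sat behind carrier-grade NAT. The message, host names and function names are constructed for illustration; the addresses come from the reserved ranges listed above plus the RFC 6598 shared range.

```python
import email
import ipaddress
import re

# Reserved documentation ranges listed in the answer above.
DOCUMENTATION = [ipaddress.ip_network(n) for n in
                 ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]
# Shared address space carriers use on the inside of carrier-grade NAT (RFC 6598).
CGNAT = ipaddress.ip_network("100.64.0.0/10")
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# "from <HELO name> (<reverse DNS> [<peer address>])": the bracketed address is
# what the receiving server saw on the TCP connection; the HELO name is only
# what the client claimed about itself.
RECEIVED_FROM = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s+\((?P<rdns>[^()\[\]]*)"
    r"\[(?:IPv6:)?(?P<peer>[0-9A-Fa-f:.]+)\]\)")

# Constructed sample message (not taken from the page).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTPS id abc123
\tfor <recipient@example.org>; Thu, 26 May 2016 14:51:30 +0000
Received: from [100.64.12.34] (unknown [203.0.113.45])
\tby mx.example.net with ESMTPSA id def456
\tfor <recipient@example.org>; Thu, 26 May 2016 14:51:25 +0000
From: sender@example.net
To: recipient@example.org
Subject: constructed test message

body
"""


def classify(address):
    """Label an address by what it can tell an investigator."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    if any(ip in net for net in DOCUMENTATION):
        return "documentation"
    if ip in CGNAT:
        return "cgnat-shared"
    if any(ip in net for net in PRIVATE):
        return "private"
    return "public"


def received_hops(raw_message):
    """Return one dict per parsable Received header, oldest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(header).split())          # undo header folding
        match = RECEIVED_FROM.search(flat)
        if not match:
            continue
        helo = match.group("helo")
        hops.append({
            "helo": helo,
            "helo_ip": helo.strip("[]") if helo.startswith("[") else None,
            "peer": match.group("peer"),
            "timestamp": flat.rpartition(";")[2].strip(),
        })
    return hops


def assess_origin(raw_message):
    """Summarise the oldest hop.

    Assumption: that hop was written by a server the investigator trusts.
    Received lines below the first trusted server are supplied by the sender
    and can be forged.
    """
    hops = received_hops(raw_message)
    if not hops:
        return None
    first = hops[0]
    helo_class = classify(first["helo_ip"]) if first["helo_ip"] else None
    return {
        "peer": first["peer"],
        "peer_class": classify(first["peer"]),
        "helo_ip": first["helo_ip"],
        "helo_class": helo_class,
        "timestamp": first["timestamp"],
        # Client announced an inside address but arrived from a different one:
        # the peer address is a NAT pool address shared by many subscribers.
        "behind_nat": (helo_class in ("cgnat-shared", "private")
                       and first["helo_ip"] != first["peer"]),
    }


if __name__ == "__main__":
    print(assess_origin(SAMPLE))
```

    When `behind_nat` is true, the address in the header belongs to the carrier's NAT pool, so the timestamp matters as much as the address when asking the carrier which subscriber it was.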

    +1 for the IPv6 argument between the parties

    Those are the IP equivalents of 555 phone numbers :)

    @HagenvonEitzen To the best of my knowledge, yes. But I don't know if the 555 numbers are officially reserved for such purpose.

    Would be funny to also use a 10.* address. The computer folks would get a good laugh out of it. Can also use 0100-0199 ending phone numbers I think, xxx-867-5309, and other famous numbers. I think.

    555 (or KLondike 5) has been an official fictitious prefix in the North American Numbering Plan for decades. But since the 1990s it's only 555-0100 through 555-0199 that are reserved.

  • Speaking as a wireless telecom professional, the answer to your question depends on how precise you expect the location to be.

    • With minimal effort (and a legal obligation to do so), I can tell exactly which cellsite(s) you were using, which narrows your location down to a particular geographic area. And we don't even need to know the IP Address, we just need the mobile number. If the phone was on and actively communicating with the network, the provider should be able to determine your general location. The coverage of a specific site can vary from a radius of less than 0.2 miles in the middle of a city to more than 10 miles in very rural areas (more rural locations will have fewer sites so each site will have a large coverage footprint).
    • If you need more exact location, then your mileage may vary
      • With some additional info, the provider may be able to estimate how far you were from the site (this depends on the technology that the provider uses).
      • More specific locations are difficult. In the US, emergency calls (911) are able to be located with reasonable accuracy (usually <50m), however, locations with that accuracy can only be generated if you call 911. If you don't, the info isn't readily available.
      • Additional tools used by wireless providers to help with traffic analysis can sometimes locate a specific device within 50 to 100m, but it is not a guaranteed location, just an estimate used for planning purposes.

    To wrap it up, the idea that you can be precisely located is probably an invention of TV and Movies. Wireless network providers are limited in what info can be obtained due to privacy limitation and general limitation of the network itself.

    You should be able to be located to a specific town (unless you are in a very rural area when a specific site covers several towns). In more urban areas you may be able to be located within a 2 or 3 block area, but to pinpoint a specific address, it's not really feasible (except during a real time emergency call when your device explicitly provides your specific location via GPS).

    To clarify, the above assumes the device was not previously being monitored by law enforcement based on my interpretation of the question (that the user was not specifically being monitored beforehand).

    In general, detailed location information is not provided to the network and is not stored, so it cannot be obtained after the fact by law enforcement.

    However, if a specific device was specifically being monitored by law enforcement (with a warrant or legal right to do so), additional information may be extracted in real time. How accurate this location is still related to the density of the network. In a dense urban area, in which you are within range of multiple cell sites, you can be located within a reasonable distance (<50 meters), but the less dense the network is, the fewer cell sites can see your mobile device, and the location becomes less and less accurate.

    But the concept of precision (GPS-level) accuracy in real-time is still not realistic and cannot be obtained through traditional means.

    Even phones w/o GPS are required by law to be precisely locatable. So most of the time they are. Proof: https://consumerist.com/2007/09/12/verizon-is-taking-my-phone-away-because-it-doesnt-have-gps/

    @MatthewElvey that is required for 911 purposes only due to US regulations. I can tell you, if you don't dial 911, the network operator does not know "precisely" where you are. If they did, my job would be infinitely easier (and if you did dial 911, only the 911 call center really has that exact info)

    But the question isn't what info a TelCo Project Manager can obtain. It's what location info a LEO can obtain. Certainly the OS in the main mobile platforms usually know quite precisely where a given mobile is.

    @MatthewElvey depends on your definition of precise. Precise in terms of GPS accuracy, no. Only the phone knows that and the phone doesn't provide that info due to privacy issues. Beyond that it depends greatly on the mobile technology. In a CDMA network, you can be located pretty well in a dense area with a lot of sites. But in something in the 3GPP family (GSM/UMTS/LTE), there's not a lot of info that can be extracted in real time without a lot of post processing and guesswork.

    @MatthewElvey I did clarify my answer a bit as my original answer assumed the device was not previously being monitored by law enforcement. If law enforcement did have a warrant to monitor the device it could be located in real time with similar accuracy as a 911 call. But would still not be GPS-level accuracy

    @pubsee2003 You appear to be ignorant of or trying to cover up the existence of DROPOUTJEEP, MONKEYCALENDAR, PICASSO, TOTEGHOSTLY, WATERWITCH, WARRIOR PRIDE, TRACKER SMURF, etc. MONKEYCALENDAR is software used by law enforcement that transmits a mobile phone's location by hidden text message. TRACKER SMURF provides "high-precision geolocation". Not just as accurate as the phone's normal GPS subsystem. More accurate - as accurate as the Wi-Fi assisted location systems.

    Do regular police have access to this? Yes. See @Mark Buffalo's answer. (Also, there's another possible way to get super-high-precision geolocation: Perhaps the NSA can reprogram a phone to use the military-encoded GPS signals.)

    What about DROPOUTJEEP, MONKEYCALENDAR, PICASSO, TOTEGHOSTLY, WATERWITCH, WARRIOR PRIDE, TRACKER SMURF, etc.? MONKEYCALENDAR is software used by law enforcement that transmits a mobile phone's location by hidden text message. TRACKER SMURF provides "high-precision geolocation". Not just as accurate as the phone's normal GPS subsystem. More accurate - as accurate as the Wi-Fi assisted location systems. I guess SE is hiding comments disclosing this info due to down votes?

  • Well, if he was already a suspect, you wouldn't need the email to begin with. The investigators could have been watching their mobile phone wanderabouts the whole time (or another agency have already put this guy on watch, and thus the mobile has more data about it).

    The other option is that you have an email, but no idea who the criminal is (for example, “They kidnapped my child and now I received this ransom email from [email protected] saying they are holding him in Eastasia…”).

    Assuming the email was sent through SMTP and not by webmail, the IP address from which it was sent would be directly available to the investigators (show some Received: lines here).

    Additionally, they could gather more information from the email provider (Google here), which could provide more information, in addition to other IP addresses from which he has connected, such as a phone number used for account recovery (if they have been dumb), the registration date (the day before, quite uninteresting), that the language used in the signup was German (this would be useful), maybe they even a Google Maps search for an isolated place that would be ideal for hiding someone (make them receive this when the guy is about to kill the poor boy)…

    As stated before, geolocation is unreliable for determining where the suspect is (albeit immediate, so I would expect them to query it anyway), but it can be used to know where it isn't. If the IP address is geolocated to the city where the crime was committed, that means the criminal sent it from there, not from Eastasia! That was probably a bluff.

    Once they have the IP address(es), they will ask the Internet provider (with a court order) who was using that address at that time. If it was accessed through 3G/4G, then they could ask for the location of such phone at the time of sending, and discover which tower serviced it (they also asked where it was now, but it's currently powered off).

    However, it is also possible that he wasn't connecting through 3G, but through Wi-Fi (or that some of the multiple IP addresses they got from Gmail / several exchanged emails). Maybe it turns out to belong to Starbucks. They may then quite confidently assume -something they could check by connecting themselves from there- that it was sent from the only Starbucks premise in town (later they will find that the phone card was bought in a nearby supermarket). Or it may be a local coffee shop that happens to host their website on the same IP address used to NAT the connections on their free Wi-Fi (not a good setup, but it was installed by the owner's nephew, and they only have an IP address). Thus, just entering the IP address in a browser they would learn the precise place from which it was sent. With no delays by legal roundtrips.

    Knowing the store "from" which the email was sent may or may not be too useful. There could be interesting footage from security cameras. Perhaps he only went there once. Maybe he lives nearby, or even is able to connect from his home.

    Naturally, if the criminal connects repeatedly from there, they can put it on surveillance, as well as immediately going there as soon as a new email is received.
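The ISP request described in the answer above needs two things taken from the email itself: the address of the hop closest to the sender and the time of that hop. The following Python sketch is an added example, not part of any poster's answer; the sample message, the function name `originating_hop` and the `INTERNAL` list are constructed for illustration, and it assumes the `Received` headers were not forged.

```python
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message. Addresses come from RFC 5737 documentation
# ranges; host names are placeholders.
RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTPS id abc123;
\tTue, 05 Jan 2016 10:15:32 +0000
Received: from [10.20.30.40] (unknown [203.0.113.45])
\tby mx.example.net with ESMTPSA id def456;
\tTue, 05 Jan 2016 11:15:30 +0100
From: sender@example.net
To: recipient@example.org
Subject: constructed sample

body
"""

# Ranges that never identify a subscriber on the public Internet. Listed
# explicitly because ipaddress.is_private also flags the documentation
# ranges used in the sample above.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def originating_hop(raw):
    """Return (ip, utc_time) for the hop nearest the sender, or None."""
    msg = message_from_string(raw)
    # Each relay prepends its header, so the last one is the earliest hop.
    for value in reversed(msg.get_all("Received", [])):
        sender_part = re.split(r"\sby\s", value, maxsplit=1)[0]
        for text in IPV4.findall(sender_part):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # e.g. 999.1.1.1 is not an address
            if any(ip in net for net in INTERNAL):
                continue  # handset or LAN address, useless to an ISP
            stamp = parsedate_to_datetime(value.rpartition(";")[2].strip())
            return str(ip), stamp.astimezone(timezone.utc)
    return None
```

The timestamp is converted to UTC because an address can be reassigned to another subscriber within minutes, so the request to the provider has to name an unambiguous instant.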

  • All previous answers are good with lots of technical details. Yet no one mentions the probability that the suspect may use an anonymous remailer.

    Though the service itself is a myth on the Internet (I never use it myself), it is possible in principle. And there are previous cases against it. In the ideal situation, the suspect may construct a mailing chain of anonymous remailers from multiple countries.

    As stated in previous answers, legal issues are the main problems. Consider that you have to crack not only a specific email company, but a dozen of them, in countries with different rules and regulations on data safety. It could be almost impossible to retrieve all the relevant data:

    Case of Penet remailer:

    In September 1996, an anonymous user posted the confidential writings of the Church of Scientology through the Penet remailer. The Church once again demanded that Julf turn over the identity of one of its users, claiming that the poster had infringed the Church's copyright on the confidential material. The Church was successful in finding the originating e-mail address of the posting before Penet remailed it, but it turned out to be another anonymous remailer: the alpha.c2.org nymserver, a more advanced and more secure remailer which didn't keep a mapping of e-mail addresses that could be subpoenaed.

    Yet it comes with a price: less reliable delivery and (maybe) loss of 2-way communication. But in certain cases this restriction may not be so important.

    Because the question was asked about writing a story for a TV script, the chances of the suspect using an anonymous remailer are exactly whatever the scriptwriter chooses. If the scriptwriter needs to hide the suspect more, he could have the suspect use an anonymous remailer to help him hide. If he needs to reveal the suspect's location, he would not add such a device.

    I would not assume the intention of the writer, since he didn't state clearly which path he would follow. From my understanding, the writer is here to understand how technology works, so that his work is not unrealistic from a technical point of view. I present another reason that "location-detection" may not work.

    And of course, "impossible in theory" doesn't mean impossible in reality. You can check @JohnDeters's answer (well, your answer, just realized that...) which has an excellent use of a picture to identify the location. The use of an advanced tool like a remailer may give the suspect a false sense of security, which could be utilized in the plot as well.

  • I work in Geolocation and do a lot of work resolving questions as to location of devices.

    To get back to the original question posted:

    If the police have an email, sent by a suspect over a 3G or 4G network, could they use the IP address (since they know when it was sent) to find out - from the service provider - the precise location the email was sent from?

    I think the answer can be a lot more specific.

    As Mark Buffalo correctly pointed out, 3G/4G Mobile Networks contain ZERO location data associated with the location of the device. So this is a dead end.

    The IP ranges are normally assigned randomly to the Mobile Network Provider and relate to that company's locations - not the device. So a UK Mobile Phone customer when roaming in the US would have an IP address that points to somewhere in the UK.

    A lot of the other answers seem to relate to the topic of geolocation generally but are not of much help in this case as we only have IP data to work off.

    So Mr/Ms Screenwriter, I think you need to try and see if the "Perp" can use a WiFi connection to connect so you get a "static" IP address (rather than the 3G/4G one) which MIGHT help narrow the search down to a town or possibly even a house if the Police could twist some arms amongst the ISP providers.

    Or as another person suggested, if you can get the phone number then in countries like the US you can actually track the user without them knowing about it with Cell Tower Triangulation.

    However, IP address on a Mobile/Cell/3G/4G connection will not get you anywhere...

  • Belated answer: Yes. DROPOUTJEEP, MONKEYCALENDAR, PICASSO, TOTEGHOSTLY, WATERWITCH, WARRIOR PRIDE, TRACKER SMURF, etc. are NSA-developed tools whose existence Edward Snowden and others have revealed.

    MONKEYCALENDAR is software used by law enforcement that transmits a mobile phone's location by hidden text message. TRACKER SMURF provides "high-precision geolocation". It can be not merely as accurate as the phone's normal GPS subsystem. It can be more accurate - as accurate as the Wi-Fi assisted location systems. Do regular police have access to this? Yes. As @Mark Buffalo noted, NSA's Treasure Map program provides access.

    (Also, there's another possible way to get super-high-precision geolocation: Perhaps the NSA can reprogram a phone to use the military-encoded GPS signals.)

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM