The importance of IP address evidence

We have previously reported on how prosecution errors in requesting IP address evidence can cause issues (https://keithborer.co.uk/news/police-errors-finger-wrong-suspects-cybercrime). Getting the information, however, is only half of the issue; understanding its evidential value is just as important.

KBC was instructed in a case of stalking. Multiple fake Instagram accounts were created to harass the victim, and a telephone call was placed to the victim's mother using a withheld number.

IP address records were sought for each of the suspect Instagram accounts. These were then resolved to a physical address through the Internet Service Providers. They were all found to point to the address of an ex-boyfriend, who was subsequently arrested.

The telephone call placed to the victim's mother was reported to have been made by a female, and therefore could not have been made by the ex-boyfriend. Incoming call data records were retrieved for this call, and the number that placed the call was identified. It was traced to the suspect's new girlfriend, who lived at the same address, and she was also arrested.

It was alleged that the two suspects had conducted a campaign of stalking together, and they were charged with stalking.

KBC was instructed and we reviewed the prosecution case. On a technical level, all of the IP address evidence appeared to have been interpreted correctly - the activity could be traced back to the home of the suspects. But it was here that a crucial issue was identified. An IP address identifies the Internet connection used, but not the specific device.

None of the devices seized from the suspects were found to contain any trace of the malicious activity.

This means there was no evidence of who at that address was responsible for the activity that was the subject of the charge. Was it the vengeful ex-boyfriend, a jealous new girlfriend, or both working together? From the evidence presented by the prosecution, it was impossible to say. It was plausible that one or other of the charged parties had no knowledge of the Instagram activity.

The loose thread was the telephone call, placed by a female and traced to the new girlfriend's phone. As it could not be demonstrated she was aware of the Instagram messages, this telephone call was left as an isolated incident. For an offence of stalking, a course of conduct is required, which is defined as being on at least two occasions. The phone evidence only demonstrated one such occasion.

Presented with KBC's analysis of the evidence, the CPS dropped the case against both suspects. It is unfortunate that the person responsible will no longer face charges, but in the absence of evidence as to which party or parties were responsible in relation to the Instagram accounts, the CPS was left with no other option.

Ross Donnelly, Digital Forensic Investigator, Keith Borer Consultants
