As more details emerge from the horrible mass shooting in Parkland, Florida on February 14, 2018, one item of interest is a YouTube comment left on a channel created by a man named Ben Bennight of Mississippi. Mr. Bennight noticed a disturbing comment left by someone with the YouTube account name of “Nikolas Cruz” that stated, “Im going to be a professional school shooter.”
After all the hype of “see something, say something” someone actually did just that. According to media reports, Mr. Bennight not only tried to send a report to the FBI via email (which bounced back), he also called his local field office. This resulted in the FBI contacting him to get additional details. Mr. Bennight also took the steps to contact Google, who promptly removed the post. Despite Mr. Bennight doing everything right, and kudos to him for doing so, the lead didn’t seem to go anywhere.
In a statement from the FBI, they acknowledged receiving this information. The FBI said that, “No other information was included in the comment which would indicate a particular time, location, or the true identity of the person who posted the comment. The FBI conducted database reviews and other checks, but was unable to further identify the person who posted the comment.”
As a matter of background, I spent eleven years in law enforcement with seven of those years as the commander of a cybercrimes task force. I was deputized by the FBI to conduct federal cybercrimes investigations and perform digital forensic examinations and have performed hundreds of cyber-investigations and thousands of examinations.
In my experience, criminals do not typically provide the, “particular time, location, or their true identity” when talking about a crime they have committed or are planning to commit. Additionally, while there are databases and systems to check, these are not what is used to positively identify an unknown subject in cyberspace.
How to Track a Subject in Cyberspace
When someone sends an email, posts a comment, uploads or downloads something, buys something, visits a website, or many other transactions, there are a variety of logs captured. In the particular case of YouTube, in order for “Nikolas Cruz” to post a comment, the user must be logged in to YouTube. When a user logs in, Google (who owns YouTube) captures the date and time, the username logging in, and the Internet Protocol (IP) address of the Internet connection. Logs continue to capture activity of the user, including posting comments, uploading, liking, or saving a favorite video, etc.
These IP connection logs are typically saved for a considerable time (in most cases at least a year, sometimes indefinitely and sometimes less) and are available for law enforcement inspection with the proper legal process. Jurisdictions handle subpoenas in a variety of ways. For example, as a municipal police officer, I had to appear before a grand jury and seek a subpoena duces tecum. This involved me presenting to a grand jury what information I was seeking with the subpoena and how I believed the information being sought would support a criminal investigation. It took me about five minutes to present my case and I would walk out of the room with a signed subpoena in hand. Under my FBI authority, I could issue my own subpoenas after they were reviewed by a supervisory special agent. Usually within an hour or so, I could draft my own subpoena, get it reviewed and serve it.
How the Process Works
At the very moment any law enforcement officer is made aware of the potential for digital evidence to exist, they have authority under United States Code (USC) 2703(f) to issue a preservation letter. There is no approval needed and all that is involved is sending a preservation request to the provider with specific information about the account in question.
Electronic Communications Service Providers (ECSPs) are required by law to comply and hold the data for up to 90 days pursuant to the order. The idea behind these “f letters” is to ensure digital evidence isn’t deleted or overwritten before law enforcement can obtain a subpoena or search warrant. This is particularly important in cases involving text messages or other rapidly perishable evidence.
After issuing the “f letter”, law enforcement can follow up with the necessary legal process. In cases where content is not sought, a subpoena is used. Subpoenas are the process of choice for connection information, IP address information, account ownership, phone number owners, etc. If actual content is requested, such as the email messages or text messages themselves, a search warrant is required. Essentially, if a person has a reasonable expectation of privacy for something, a search warrant is needed, and the standard to obtain a search warrant is much more rigorous than for a subpoena (probable cause versus reasonable suspicion, respectively). The courts have ruled that people are not entitled to an expectation of privacy for their IP addresses, phone numbers, account information, and other metadata items.
By doing some additional online reconnaissance, law enforcement may also be able to find the URL for the YouTube user and provide that in the subpoena. Since we know in this particular case that the YouTube username was the subject’s actual name, it is entirely possible that by sifting through digital posts on different sites the true identity could be determined without even needing a subpoena. By simply searching YouTube and other social media sites for the same username (most people reuse their Internet monikers across sites), more information would have been available to law enforcement without any legal process. Taken together, the pictures and statements this user posted online painted a clear and disturbing picture.
In the case of YouTube, law enforcement can issue a subpoena for things such as:
- The email address associated with the YouTube user account of “Nikolas Cruz”
- The IP address used when the above account was first created
- The date, time, and time zone of when the account was created
- Any and all connection logs for this account, including date, time, time zone, IP address, and duration of connections
- Any names, credit cards, addresses, phone numbers, or other identifying information for the account
- Any other Google services associated with this account, such as Gmail, Google Voice, Google Drive, etc.
In most cases, an ECSP such as Google will provide this information within one to four weeks. There is a completely different process for requesting immediate information under the exigent circumstances process.
Law enforcement can fax, email, or submit the subpoenas online to most ECSPs. ECSPs usually email the responses back to the investigator. Once the subpoena results are obtained, the information must be reviewed for next steps. A general response from Google would include all of the bulleted items above and may have more. If the user provided a credit card, phone number, or address because they purchased Google services or opted to include that information in another Google service (such as Google+), that may be enough to give law enforcement the real identity of the subject.
Generally though, the next step involves looking through all of the IP addresses that have been used to connect to the Google services. It is very common to find multiple IP addresses within connection logs. For example, it may include coffee shops, hotels, a cell phone, the home Internet connection, and any other Internet connection used to access the account.
After reviewing the IP addresses with their associated login dates and times, they can be sorted and de-duplicated to find all unique IPs. Next, law enforcement can use a free online database to determine which ECSP holds each IP address used by the subject and what geolocation the IP comes from. For example, if the IP address 188.8.131.52 (picked purely at random) is found in the logs, that IP address can be entered into a website such as Domain Dossier, ARIN.net, or MaxMind to determine which ECSP it is assigned to. A screenshot is below:
Further down, the results even include the organization’s email address, phone number, and mailing address:
With this information in hand, law enforcement would now immediately send a preservation letter to Charter Communications asking it to preserve all records related to the IP address identified. This process may be repeated several times for different ECSPs, and some may be disregarded altogether, such as IPs that come back to libraries, Starbucks, or other public Wi-Fi access points that may not help identify the subject.
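The sort, de-duplicate and provider-lookup steps above, written out as an added example (not code from the original post). The log lines and the CIDR-to-organization table are constructed stand-ins for a subpoena return and a WHOIS/MaxMind result, using only RFC 5737 documentation addresses and a placeholder account name; the output marks which providers would get a preservation letter and which entries look like public Wi-Fi that can be set aside.

```python
import ipaddress

# Constructed sample of connection-log lines: timestamp,account,IP (not real data).
SAMPLE_LOG = """\
2018-02-01T08:12:03Z,subject_account,198.51.100.23
2018-02-01T19:45:10Z,subject_account,203.0.113.7
2018-02-02T07:55:41Z,subject_account,198.51.100.23
not a valid log line
2018-02-03T12:01:00Z,subject_account,192.0.2.9
2018-02-04T00:00:00Z,subject_account,not.an.ip
2018-02-05T22:14:37Z,subject_account,198.51.100.23
"""

# Constructed stand-in for an ARIN/MaxMind lookup: CIDR block -> (organization, kind).
ALLOCATIONS = {
    "198.51.100.0/24": ("Example Cable ISP", "residential"),
    "203.0.113.0/24": ("Example Coffee Chain Wi-Fi", "public"),
    "192.0.2.0/24": ("Example Mobile Carrier", "cellular"),
}

def parse_log(text):
    """Yield (timestamp, account, ip) for well-formed lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        ts, account, ip = parts
        try:
            yield ts, account, ipaddress.ip_address(ip)
        except ValueError:
            continue  # unparseable address field

def unique_ips(text):
    """De-duplicate to one record per IP: hit count and first/last seen, most-used first."""
    stats = {}
    for ts, _account, ip in parse_log(text):
        s = stats.setdefault(str(ip), {"count": 0, "first_seen": ts, "last_seen": ts})
        s["count"] += 1
        s["first_seen"] = min(s["first_seen"], ts)  # ISO-8601 UTC strings sort correctly
        s["last_seen"] = max(s["last_seen"], ts)
    return dict(sorted(stats.items(), key=lambda kv: -kv[1]["count"]))

def lookup_org(ip):
    """Longest-prefix style lookup against the constructed allocation table."""
    for cidr, info in ALLOCATIONS.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(cidr):
            return info
    return ("unknown", "unknown")

def triage(text):
    """Attach provider info to each unique IP and flag those worth a preservation letter."""
    out = {}
    for ip, s in unique_ips(text).items():
        org, kind = lookup_org(ip)
        out[ip] = {**s, "org": org, "kind": kind, "preserve": kind != "public"}
    return out
```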
The second round of subpoenas would be written to obtain the following:
- Physical address of customer
- Any and all connection logs
- Subscriber name, address, email address(es), phone number(s), credit card information, and any other personally identifiable information for the account
- History on the account including service calls, complaints, and transfers
- MAC addresses associated with the account
After another one to four weeks, law enforcement would receive results. If the results are from an ECSP like Charter, law enforcement would now have the physical address of where the IP address was assigned. In the case of a cell phone, law enforcement would have obtained the cell phone number on the account and all the subscriber information. This round of subpoenas will most likely reveal additional email addresses, phone numbers, and addresses that can be used to positively identify the subject.
Once all of this information is correlated with other law enforcement sources, there is a great chance to identify the subject and begin a strategy to make contact. This may be as simple as driving to the location and doing a “knock and talk”, or it could involve surveillance and other activities. Since it is entirely possible that the subject’s location is determined to be outside the original investigator’s area, the investigator can send this lead to field offices, other federal agencies, or local law enforcement to continue the investigation.
In all fairness to investigators, there are ways to evade detection. There are times, with very savvy subjects, that going through all of these steps still doesn’t lead to the identification of the subject. If subpoenas are written well and ask for all historical connection logs then the likelihood of evading identification is minimal. All a subject has to do is access the account just once from an IP address that can be traced back to them in order to be identified. In my experience, people get lazy, forget, or a device connects without their knowledge and exposes their location.
For obvious reasons, I am not going to detail all of the ways an individual can hide their identity and location, but it is possible.
This situation is tragic and adds to a long list of similar acts of violence. As a father of two school-aged kids, these incidents immediately make me think about my kids and what it must be like for those parents who have children injured or killed and the kids as they are in the midst of these terrifying situations. Some hard questions need to be asked about how much effort really went in to identifying the author of these social media posts.
I am with ATF in Atlanta. I won’t comment regarding what LE should or could have done with the leads they received in Parkland, but this was a good write-up on the basics of backtracking Internet activity like posts and emails. I forwarded it to our agents as a reminder. Thanx.
Daniel – Thank you for taking the time to comment and I am glad that the post was helpful. Stay safe.