IP Help, new at this (it's for a court case)

Post by Universed »

Basic Story:

A person had access to a person's (intermediary) email address, [email protected].

They created a spoof email address pretending to be someone else, [email protected].

Sent a made-up email from [email protected] to [email protected] pretending to be the person's sister, then logged into [email protected] and forwarded the email to [email protected]. She is now using this as evidence in a court filing.

Below is the header of the email received from [email protected] to [email protected] and below that is the header of the email forwarded from [email protected] to [email protected].

I am trying to find something that shows they are from the same location or computer or something (they are only 4 mins apart).

I have been given access to the mail address [email protected] in order to figure out how to track the origin of the original email or the location of where the emails were received and sent from. As they are only 4 mins apart, I think they were received and sent from the same place.



Message ID <CAHj67_FXaMPpF+n8DNg6aD4cKipLCo-U6tHmsH=[email protected]>
Created at: Wed, May 20, 2015 at 8:09 PM (Delivered after 0 seconds)
From: Dassa Sun <[email protected]>
To: laron jurik <[email protected]>
Subject:
SPF: PASS with IP 2607:f8b0:4002:c07:0:0:0:22d Learn more
DKIM: PASS with domain gmail.com Learn more
DMARC: PASS Learn more

Delivered-To: [email protected]
Received: by 10.194.156.168 with SMTP id wf8csp1573449wjb;
Wed, 20 May 2015 11:09:31 -0700 (PDT)
X-Received: by 10.236.61.110 with SMTP id v74mr20777720yhc.115.1432145370912;
Wed, 20 May 2015 11:09:30 -0700 (PDT)
Return-Path: <[email protected]>
Received: from mail-yk0-x22d.google.com (mail-yk0-x22d.google.com. [2607:f8b0:4002:c07::22d])
by mx.google.com with ESMTPS id h186si10230247ykf.154.2015.05.20.11.09.30
for <[email protected]>
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Wed, 20 May 2015 11:09:30 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 2607:f8b0:4002:c07::22d as permitted sender) client-ip=2607:f8b0:4002:c07::22d;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of [email protected] designates 2607:f8b0:4002:c07::22d as permitted sender) smtp.mail=[email protected];
dkim=pass [email protected];
dmarc=pass (p=NONE dis=NONE) header.from=gmail.com
Received: by mail-yk0-x22d.google.com with SMTP id o186so18569461yke.0
for <[email protected]>; Wed, 20 May 2015 11:09:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:date:message-id:subject:from:to:content-type;
bh=yTQOuQHRQptGxfhyahEHQceiEC9KNOeHxNiGeGyUN4o=;
b=DufRB4sNbRnCu4QxU9op4Y/Dpfy+2JjNKhcWX70bHZPGRDDaYe/NycjNGoyYa9mk9S
u9yx4M/j9AAp2oAa3DXy0udkd/fpftRFcMdiP9glaaW5WPmf3uGT9Ck8KvM9rd1OlLQ5
kBI3nVevRiNVSrHGWcxoJ6/rR6hcc88mW29+GcIsL/ZUmVkhAJQR27CPTYbkyMR6jkDW
6Le4KoQoBVXzgjJ34QRbLmfpZc9pIpLXjg7AbYZ4fI7vMT6heLlrIr19cTUVtv7X0QJp
Sk799DThfLu+XDoRsmygAn9NKbYpO3gp4rwBLxOo8rLTJCA09+U6DuV5fcgsvyhzvIy9
30ug==
MIME-Version: 1.0
X-Received: by 10.236.67.7 with SMTP id i7mr32618907yhd.183.1432145370463; Wed, 20 May 2015 11:09:30 -0700 (PDT)
Received: by 10.129.15.211 with HTTP; Wed, 20 May 2015 11:09:30 -0700 (PDT)
Received: by 10.129.15.211 with HTTP; Wed, 20 May 2015 11:09:30 -0700 (PDT)
Date: Wed, 20 May 2015 11:09:30 -0700
Message-ID: <CAHj67_FXaMPpF+n8DNg6aD4cKipLCo-U6tHmsH=[email protected]>
Subject:
From: Dassa Sun <[email protected]>
To: laron jurik <[email protected]>
Content-Type: multipart/alternative; boundary=089e013a09ae12c3f905168754a6

--089e013a09ae12c3f905168754a6
Content-Type: text/plain; charset=UTF-8

Hi Loran I got your email I will help you out you are my brother but I need
you help also I have proof Susan made you sell your sheers when you were
incompetent when she knew because she sent you money for your doctor she is
a scanner help me help us will you come to court too

--089e013a09ae12c3f905168754a6
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<p dir=3D"ltr">Hi Loran I got your email I will help you out you are my bro=
ther but I need you help also I have proof Susan made you sell your sheers =
when you were incompetent when she knew because she sent you money for your=
doctor she is a scanner help me help us will you come to court too</p>

--089e013a09ae12c3f905168754a6--


----------------------------------------------------------------------------------------------------------------------------------------

Original Message
Message ID <CAFYZkq_Yo9=JJmhPyJ22v=[email protected]>
Created at: Wed, May 20, 2015 at 8:13 PM (Delivered after 0 seconds)
From: "laronjurik ." <[email protected]>
To: [email protected]
Subject: Fwd:


MIME-Version: 1.0
Received: by 10.194.124.174 with HTTP; Wed, 20 May 2015 11:13:00 -0700 (PDT)
Received: by 10.194.124.174 with HTTP; Wed, 20 May 2015 11:13:00 -0700 (PDT)
In-Reply-To: <CAHj67_FXaMPpF+n8DNg6aD4cKipLCo-U6tHmsH=[email protected]>
References: <CAHj67_FXaMPpF+n8DNg6aD4cKipLCo-U6tHmsH=[email protected]>
Date: Wed, 20 May 2015 19:13:00 +0100
Delivered-To: [email protected]
Message-ID: <CAFYZkq_Yo9=JJmhPyJ22v=[email protected]>
Subject: Fwd:
From: "laronjurik ." <[email protected]>
To: [email protected]
Content-Type: multipart/alternative; boundary=089e0122f5cc9934e805168760fd

--089e0122f5cc9934e805168760fd
Content-Type: text/plain; charset=UTF-8

---------- Forwarded message ----------
From: "Dassa Sun" <[email protected]>
Date: May 20, 2015 1:09 PM
Subject:
To: "laron jurik" <[email protected]>
Cc:

Hi Loran I got your email I will help you out you are my brother but I need
you help also I have proof Susan made you sell your sheers when you were
incompetent when she knew because she sent you money for your doctor she is
a scanner help me help us will you come to court too

--089e0122f5cc9934e805168760fd
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div class=3D"gmail_quote">---------- Forwarded message ----------<br>From:=
&quot;Dassa Sun&quot; &lt;<a href=3D"mailto:[email protected]">dassasunn=
@gmail.com</a>&gt;<br>Date: May 20, 2015 1:09 PM<br>Subject: <br>To: &quot;=
laron jurik&quot; &lt;<a href=3D"mailto:[email protected]">laronjur=
[email protected]</a>&gt;<br>Cc: <br><br type=3D"attribution"><p dir=3D"ltr=
">Hi Loran I got your email I will help you out you are my brother but I ne=
ed you help also I have proof Susan made you sell your sheers when you were=
incompetent when she knew because she sent you money for your doctor she i=
s a scanner help me help us will you come to court too</p>
</div>

--089e0122f5cc9934e805168760fd--

Re: IP Help, new at this (its for a court case)

Post by Chrispcritters »

Forwarded messages do not include the original headers.

Gmail and Yahoo headers do not include the sender's IP address. Your lawyer should be able to subpoena the access records of the accounts to find out what IP addresses were used to access those accounts. From there your lawyer can subpoena the appropriate ISP to get the records for which customer the IP addresses were assigned to at the time the email accounts were accessed.
Founder & CEO of WhatIsMyIPAddress.com.
You can follow me on Twitter and Facebook for some behind the scenes info.
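
The reply's point can be checked against the pasted header itself. The script below is an added example, not part of either post: it pulls every IP address out of the Received / X-Received chain and labels it. Treating 2607:f8b0::/32 as Google's range, and the function names, are assumptions of the example.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: 2607:f8b0::/32 is treated as Google's IPv6 space here; check
# against the provider's published ranges before relying on it.
PROVIDER_NETS = [ipaddress.ip_network("2607:f8b0::/32")]

# Received / X-Received lines from the first header in the post
# (continuation lines re-indented, redacted "for <...>" parts left out).
SAMPLE = """\
Received: by 10.194.156.168 with SMTP id wf8csp1573449wjb;
 Wed, 20 May 2015 11:09:31 -0700 (PDT)
X-Received: by 10.236.61.110 with SMTP id v74mr20777720yhc.115.1432145370912;
 Wed, 20 May 2015 11:09:30 -0700 (PDT)
Received: from mail-yk0-x22d.google.com (mail-yk0-x22d.google.com. [2607:f8b0:4002:c07::22d])
 by mx.google.com with ESMTPS id h186si10230247ykf.154.2015.05.20.11.09.30
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Wed, 20 May 2015 11:09:30 -0700 (PDT)
Received: by 10.129.15.211 with HTTP; Wed, 20 May 2015 11:09:30 -0700 (PDT)
"""

def classify(ip):
    """Label one address by what it can tell an investigator."""
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "internal"   # non-routable, inside the provider's network
    if any(ip.version == n.version and ip in n for n in PROVIDER_NETS):
        return "provider"   # the mail provider's own server
    return "external"       # only this kind could point at a sender

def trace_hops(raw_headers):
    """Return (header, address, label) for every IP in the Received chain."""
    hops = []
    for name, value in message_from_string(raw_headers).items():
        if name.lower() not in ("received", "x-received"):
            continue
        for token in re.findall(r"[0-9A-Fa-f:.]+", value):
            try:
                ip = ipaddress.ip_address(token.strip("."))
            except ValueError:
                continue    # timestamps, queue ids, hostname fragments
            hops.append((name, str(ip), classify(ip)))
    return hops

def external_candidates(raw_headers):
    return [ip for _, ip, label in trace_hops(raw_headers) if label == "external"]
```

On these lines every hop is either an internal 10.x address or the provider's own mail server, so `external_candidates(SAMPLE)` is empty: nothing in the header identifies the connection the message was written from, which is why the account access records have to come from the provider.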