Information Security Stack Exchange is a question and answer site for information security professionals.

I'm a TV scriptwriter - and not hugely tech-savvy, so please bear with me...

If the police have an email, sent by a suspect over a 3G or 4G network, could they use the IP address (since they know when it was sent) to find out - from the service provider - the precise location the email was sent from?

+1 for scriptwriters asking for information on this SE. – A. Darwin yesterday
As a moderator here, let me say WELCOME! We have many discussions about our frustrations regarding how the media represents basic security concepts. I'm sure you will get lots of responses. – schroeder yesterday
Thank you for not being another "hack the mainframe" writer – Sour Lolita yesterday
I feel like we need to ask about your sender, here. Are they an 'adversary', and attempting to remain hidden? Just a normal person using a phone, on their regular account? Something else? In the first case, there's a number of steps that could be taken to reduce the chance of being located to ~0%. – Clockwork-Muse yesterday
What country is the suspect suspected to be in? Also, what country are the investigators in? Different countries have various laws about data capture and retention. Then there is the presence of transparent mobile comm towers, which are normal comms towers managed by various forces that capture all data traffic sent through them on its way to its destination. The UK Govt have confirmed the police control such towers but won't specify what other forces have access to them, and where they are placed. This means that if such a tower was used, the service provider wouldn't need to be contacted. – user3791372 19 hours ago

10 Answers

The problem with this scenario is that emails are typically not sent from the device itself, but from a central service.

In order to do what you want, the investigators would have to make a few hops:

  1. to the email service (gets the user account details, including the IP the user used to connect with)
  2. to the ISP the device used at the time of sending (gets the general location of the connecting IP, or if lucky, the known IP of the user's home)

At best, using 3G/4G, investigators might get the cluster of towers the user was in the middle of. No exact location.

BUT, with all that info, it might be possible for investigators to breach the phone's data or the user's other accounts and determine the location of the device using the multitude of location services modern devices have (Find My Phone, Facebook, Instagram, etc.) (Insert a whole host of legal issues currently in the news, like Stingray).

Edit:

You don't specify the country (or reality) you are dealing with. There are some countries that have set up massive detection nets so that every mobile device is physically tracked no matter where it goes. That way, investigators can have a real-time, accurate map of a particular device at any time.

Which countries have such nets? – Max Murphy yesterday
I am interested in that "massive detection nets" you talk about. Could you provide more reference? – D1X yesterday
@MaxMurphy Russia is one place where detection nets are used: arstechnica.com/tech-policy/2013/07/… – schroeder yesterday
@schroeder Many times, the central server in your first statement logs and records what IP address originated the email request. An email I received this morning from someone sending from an AWS EC2 instance through Gmail had this in the header: Received: from sender.com (ec2-1-2-3-4.us-west-2.compute.amazonaws.com. [1.2.3.4]) by smtp.gmail.com with ESMTPSA id b64123456789abcd.2016.05.26.14.51.25 for <[email protected]> – uxp yesterday
Russia, USA, China. – Mark Buffalo 19 hours ago
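The first hop the answer describes, pulling the submitting client's address out of the Received: chain (the kind of line quoted in the comment above), as an added example that is not part of the thread. Both messages, the host names and the addresses are constructed; all addresses come from the documentation ranges plus the carrier-NAT shared space, and the `ESMTPSA`-based check for an authenticated submission is this example's heuristic.

```python
"""Find the submitting client in a message's Received: chain and classify it.
Added example: constructed messages; the earliest hop is inspected, the address
the server recorded is preferred over the client-supplied HELO name, and the
address is classified before anyone treats it as a location."""
import email
import ipaddress
import re

# Constructed samples. Addresses are from the documentation ranges (RFC 5737 /
# RFC 3849) and the 100.64.0.0/10 shared space used by carrier-grade NAT.
SMTP_SUBMISSION = b"""\
Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby mx.example.org with ESMTPS id 7Fq2k; Thu, 26 May 2016 14:51:30 -0700
Received: from [10.0.0.5] (unknown [100.64.12.34])
\tby mail.example.net with ESMTPSA id 2Ab9z; Thu, 26 May 2016 14:51:25 -0700
From: sender@example.net
To: analyst@example.org
Subject: test

hello
"""

# Webmail: the provider's server is the first hop; the user's address is not recorded.
WEBMAIL = b"""\
Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby mx.example.org with ESMTPS id 9Xy4r; Thu, 26 May 2016 14:52:02 -0700
From: sender@example.net
To: analyst@example.org
Subject: test

hello
"""

BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
# ESMTPA / ESMTPSA: the hop was an authenticated submission, so the "from" side
# is a user's client rather than another mail server.
AUTH_SUBMISSION = re.compile(r"\bwith\s+(?:ESMTPA|ESMTPSA)\b")

DOC_RANGES = [ipaddress.ip_network(n) for n in
              ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")


def earliest_hop(raw):
    """Return ip / authenticated_submission / date for the bottom-most Received: hop."""
    hops = email.message_from_bytes(raw).get_all("Received") or []
    if not hops:
        return None
    first = " ".join(str(hops[-1]).split())        # last header added first; unfold it
    from_part = first.split(" by ", 1)[0]          # "from <helo> (<rdns> [<ip>])"
    ips = BRACKETED_IP.findall(from_part)          # last one is what the server saw; the
    return {                                       # HELO in front of it is client-supplied
        "ip": ips[-1] if ips else None,
        "authenticated_submission": bool(AUTH_SUBMISSION.search(first)),
        "date": first.rsplit(";", 1)[-1].strip(),
    }


def classify(ip_text):
    """Say what the address can and cannot tell an investigator."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in DOC_RANGES):
        return "documentation"   # never assigned: safe for a script, useless as evidence
    if ip in CGNAT_SHARED:
        return "cgnat-shared"    # many subscribers: needs the carrier's port+time log
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"         # meaningful only inside one LAN or Wi-Fi network
    return "global"              # the ISP can map it to an account at that timestamp


def trace(raw):
    """Earliest hop plus its classification, or None when no usable hop exists."""
    hop = earliest_hop(raw)
    if hop is None or hop["ip"] is None:
        return None
    hop["kind"] = classify(hop["ip"])
    return hop
```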

If the police have an email, sent by a suspect over a 3G or 4G network, could they use the IP address (since they know when it was sent) to find out - from the service provider - the precise location the email was sent from?

Yes, this is very easy. However... the key word here is "precise location." Not exactly. Not unless the phone is hacked.


Government Options

If you're looking for evidence of governments assisting law enforcement with locating devices, then you'd be looking for the NSA's Treasure Map program. This is available to cleared law enforcement personnel, mostly FBI/DEA, but I wouldn't be surprised if they also assist local law enforcement.

The NSA shares intelligence data with local law enforcement and helps them utilize parallel construction to make their cases.


ISP & Normal Law Enforcement options

Schroeder covered this pretty well, but let me add to it:

Since you're writing for TV, I feel you should know this part to make it seem more realistic. Anyone can walk into Walmart and buy a throwaway smartphone or dumbphone. From there, they can go to the nearest open wifi, and register under fake credentials. Fake name, fake address, fake everything else. And they can use a prepaid credit card that they purchased with cash to register the device(s).

So you won't be able to find their actual address, or even know who they are, unless you hack the phone (normally a smartphone).

However, if you know the general time-frame that someone bought and created the account, you can request evidence from Walmart, and they're usually almost always happy to help law enforcement. They'll be able to review the security footage to see who bought that device, and when.

But how will they find the time frame? Walmart, and other major retailers, keep track of when things are sold, right down to the very minute. You know when you return an item? They know, because the information is stored in their databases, and looking up the bar code of the receipt is possible. It shows when the purchases happened.

Doing a bit of investigation will probably reveal that the account for that phone was registered at a specific time. If the phone was registered at a specific time, then it may be likely that the perp purchased that phone at a nearby store.

Bringing up a list of stores in close proximity to the open wifi where you registered the phone may reveal where the perp purchased the device. You can then go in and request security footage to look for anyone purchasing the phone(s) in the electronics departments. Better yet, the place with open Wi-Fi may have you on camera at the time you registered.


Other Perp-Locating Options

And then there's Stingray, an IMSI-Catcher.

Since you know the perp's IP, you can likely find the perp's carrier. With the perp's carrier providing the phone number used by that IP address on their network, bringing up your actual cell phone number is not hard. In fact, if you know of an area that the perp has hung out at, you can use a Stingray device to perform a man-in-the-middle attack on the suspect without him realizing it.

Every mobile phone has the requirement to optimize the reception. If there is more than one base station of the subscribed network operator accessible, it will always choose the one with the strongest signal. An IMSI-catcher masquerades as a base station and causes every mobile phone of the simulated network operator within a defined radius to log in. With the help of a special identity request, it is able to force the transmission of the IMSI.

An IMSI catcher is an incredibly easy-to-use, one-button-fatality-man-in-the-Middle-attack-in-a-box. It allows law enforcement and intelligence agencies to act as a tower to catch communications. Having personally seen one in use, I can attest to their effectiveness.

Using normal tools, even those that don't require the help of the NSA, providers can generally help you find the location of any given phone at any given time. They know the closest tower you're connected to at that time.

If you're able to force the location feature to turn on, which law enforcement can do... how do you think 911 finds you when you can't tell them where you are because you don't know? They can know the general area you're at, within a few hundred feet.


IP Address Geo-Location in USA and China. NEVER rely on this!

While, yes, it's certainly possible to geolocate a phone's IP address, you should not rely on this because the information returned can be wildly incorrect. Your assigned IP address, even if you're somewhere else at the moment, could be shown as elsewhere.

In fact, when I traveled all over the place and tried to geolocate my IP address, it was always located in the city I registered in. I've tested this both in China and in the USA. I could be 2000 miles away, but the phone's IP address geolocates to a different state/province.

Can normal citizens buy that device, as that device can also be used to do a type of fraud? Let's say we install that device; now phones around that device (fake base station) will try to log in with that device, and the login credentials can be saved on the computer, and later a device and SIM card can be created with that data (like phishing on the web). – Ravinder Payal 23 hours ago
I don't think that things like Stingray and IMSI catchers can work backwards in time, can they? – Hagen von Eitzen 12 hours ago
Treasuremap, xkeyscore and prism do. But this is how you'd catch a perp in real time. – Mark Buffalo 9 hours ago

There's another common way that email leaks location information. If the email includes a photograph that was taken on a smartphone, the photo will usually have location information embedded. Since you're writing the story, you might contrive to have the sender email a photo for some reason.

The JPEG standard (used for virtually all mobile phone photos) contains EXIF data by default. This is mostly technical information about the picture, but it includes all kinds of forensically relevant details, including the camera's make, model, and serial number, the user's name, the f-stop, shutter speed, and the exact time the photo was taken. When the photo is sent, or uploaded to a photo sharing service, all that EXIF data invisibly travels with the image.

Most phones with cameras and GPS units, including all iPhones and Android phones, can include the precise lat/lon coordinates of where the photo was taken. This is called geotagging, and the data is inserted along with the rest of the EXIF data. This option is turned on by default, and most people are unaware it even exists.

Having the phone include location data with the image is an option that can be turned off, and the EXIF data is easily removed. But I've found that most people prefer the convenience of having their photos geotagged, or they don't care about it and then forget it exists.

Viewing the EXIF data is also very easy, as there are literally hundreds of phone apps and viewers available, many for free. Non technical people are able to use them, so it doesn't require a forensic scientist or computer nerd to be the one to "crack the case".

Note: Some mail providers (read as: 'way toooo much') remove EXIF data and modify (compress) attachments, especially images. At one of my jobs we used to send images with embedded data inside them but quickly found out many users experienced problems because mail providers were compressing images from incoming mails. – Rolf ツ yesterday
@Rolfツ, sure, but this is for a TV script. The investigator only has to jump over the hurdles the scriptwriter puts in his or her way. :-) It also depends on whether the image is inline or an attachment. Most attachments aren't stripped like that. – John Deters yesterday
    
Anybody in their right mind will not enable access to location data by default when activating a new phone. A criminal being careful enough to buy a throwaway phone certainly won't. – Hagen von Eitzen 12 hours ago
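Reading the geotag the answer describes, as an added example that is not part of the answer: a minimal EXIF/TIFF parser that pulls the GPS IFD out of a JPEG's APP1 segment and converts the degree/minute/second rationals to decimal coordinates, plus a constructed fixture (build_geotagged_jpeg, an assumption of this example, not a real camera file) so it can be run without a real photo.

```python
"""Read GPS geotags from a JPEG's Exif APP1 segment (a TIFF container).
Added example, standard library only; build_geotagged_jpeg() is a constructed
fixture so the parser can be exercised without a real photo."""
import struct

GPS_IFD_POINTER = 0x8825  # IFD0 tag holding the offset of the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 1, 2, 3, 4  # GPS IFD tags
RATIONAL = 5  # EXIF field type: pairs of 32-bit numerator/denominator


def _read_ifd(tiff, offset, bo):
    """Return {tag: (type, count, 4-byte value-or-offset)} for the IFD at offset."""
    entries = {}
    for i in range(struct.unpack_from(bo + "H", tiff, offset)[0]):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(bo + "HHI", tiff, base)
        entries[tag] = (typ, n, tiff[base + 8:base + 12])
    return entries


def _rationals(tiff, bo, typ, n, raw):
    """Decode n RATIONAL values stored at the offset held in raw."""
    if typ != RATIONAL:
        raise ValueError("GPS coordinate tag is not RATIONAL")
    vals = struct.unpack_from(bo + "%dI" % (2 * n), tiff, struct.unpack(bo + "I", raw)[0])
    return [vals[i] / vals[i + 1] for i in range(0, 2 * n, 2)]


def _to_decimal(dms, ref):
    """Degrees/minutes/seconds plus hemisphere letter -> signed decimal degrees."""
    deg = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -deg if ref in ("S", "W") else deg


def gps_from_exif(tiff):
    """tiff: bytes after the 'Exif\\0\\0' prefix. Returns (lat, lon) or None."""
    bo = "<" if tiff[:2] == b"II" else ">"  # byte-order mark: II little, MM big
    ifd0 = _read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack(bo + "I", ifd0[GPS_IFD_POINTER][2])[0], bo)
    if any(t not in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None
    lat = _to_decimal(_rationals(tiff, bo, *gps[TAG_LAT]), gps[TAG_LAT_REF][2][:1].decode())
    lon = _to_decimal(_rationals(tiff, bo, *gps[TAG_LON]), gps[TAG_LON_REF][2][:1].decode())
    return round(lat, 6), round(lon, 6)


def gps_from_jpeg(data):
    """Walk the JPEG segment headers, find APP1/Exif and extract its GPS coordinates."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS / EOI: no metadata segments after this
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload[:6] == b"Exif\x00\x00":
            return gps_from_exif(payload[6:])
        pos += 2 + length
    return None


def build_geotagged_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed little-endian fixture: TIFF header 0-8, IFD0 8-26, GPS IFD 26-80,
    latitude rationals 80-104, longitude rationals 104-128. dms = (deg, min, sec*100)."""
    def entry(tag, typ, n, val):
        return struct.pack("<HHI", tag, typ, n) + val

    def rat(deg, minutes, sec_hundredths):
        return struct.pack("<6I", deg, 1, minutes, 1, sec_hundredths, 100)

    ifd0 = struct.pack("<H", 1) + entry(GPS_IFD_POINTER, 4, 1, struct.pack("<I", 26)) + b"\0" * 4
    gps = (struct.pack("<H", 4)
           + entry(TAG_LAT_REF, 2, 2, lat_ref.encode() + b"\0" * 3)
           + entry(TAG_LAT, RATIONAL, 3, struct.pack("<I", 80))
           + entry(TAG_LON_REF, 2, 2, lon_ref.encode() + b"\0" * 3)
           + entry(TAG_LON, RATIONAL, 3, struct.pack("<I", 104)) + b"\0" * 4)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + rat(*lat_dms) + rat(*lon_dms)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Dropping every APP1 segment while walking the markers the same way is all it takes to remove the geotag before a photo is shared.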

In addition to what @schroeder wrote, I would like to point out a few things about geolocation.

Among other things, a CDR (Call Detail Record) contains information about the cell tower used by the mobile phone at the time. Note that a cell tower can cover an area of about one square mile, or more.

In some countries, mobile operators might always be able to store (in other countries, this may only be possible with a warrant) the strength of the signal received by the closest cell towers. Under certain conditions, they can use triangulation in order to obtain a higher accuracy in the location from which the email was sent. In other countries, as I have already said, mobile operators might triangulate a user only after a warrant. In this case, the police may obtain the current position of the phone as follows:

  1. the police obtain the IP address from the email servers;
  2. using the IP address, they identify the mobile phone;
  3. the police obtain a warrant, send it to the operator, and if the phone is still on, they can triangulate it to its current position.

Another thing that is theoretically possible works like this. Every device which can be connected to the Internet, including a smartphone, has a MAC address.

Now, if you connect to a public Wi-Fi network, the access point (basically, the device which connects the users to an ADSL connection or whatever used by the Wi-Fi owner) may choose to log the MAC addresses of its users and store them for some time.

If this is legal (no idea), and the log is stored for a long enough period of time, and if the mobile phone used that Wi-Fi network, the police may find the cell used by the mobile phone, ask the access point owner for the MAC address log (this may require a warrant, I really don't know) and confirm that the user actually used that Wi-Fi network. Since a typical access point has a range of 100 meters or so, this may narrow down the area. If the police are really lucky, they might even be able to identify the user (who may use a phone whose owner is another person, e.g. borrowed or stolen) by checking the footage from surrounding CCTV cameras.

Please note that, in most cases, these investigations require a significant amount of luck, time, and/or warrants. Plus, a lot of these techniques can be defeated by a skilled criminal, so if the suspect is a "hacker" he/she can further complicate the process.

But someone can also spoof the MAC address easily. As Android is open source, we can hard-code a specific fake MAC address in the device (the same way for the IMEI and other info). – Ravinder Payal 23 hours ago
@Ravinder Payal I know, that's why I wrote the last sentence. It really depends on the skill of the suspect. If he is just a low-level criminal, with no technical skills, these techniques can work, otherwise they can be thwarted and the chance of locating the suspect almost drops to zero. – A. Darwin 18 hours ago
    
That's why I upvoted. – Ravinder Payal 17 hours ago

Earlier answers already describe the process of using triangulation to pinpoint the location of a specific phone better than I could describe it. However there is very little said about whether the investigators can figure out which exact phone the mail was sent from.

In traditional mail services, where the user runs an email client on their device and uses SMTP to send the email to the server, the server will usually include the IP address of the client in the mail headers.

In cloud services, where the user accesses email through a web browser or a vendor-specific email app and uses HTTP or HTTPS to send the email to the server, the server will usually not include the IP address of the client in the mail headers.

In the latter case it is very likely that with a warrant the investigator could get the IP address through the cloud service provider.

But there is another question as to whether the IP address obtained in one of the two ways mentioned above will pinpoint the exact phone.

If your story is set somewhere between 2010 and 2020 it is quite likely that the internet provider is using carrier grade NAT due to shortage of IP addresses. And this can get in the way of figuring out which phone was connected to the server.

The eventual shortage of IP addresses was recognized by network engineers in the early 90s. By 1998 a solution was ready in the new IPv6 standard intended to replace the old IPv4 standard. But rather than working on the upgrade, most internet providers have chosen to deploy carrier grade NAT instead, which will allow them to share a single IPv4 address between hundreds or thousands of users, though from the user's perspective this will be a bit less reliable.

In case the internet provider the phone is connected to is already upgraded to the new IPv6 protocol, but the mail service only supports IPv4, the internet provider most likely uses NAT64. That is a kind of carrier grade NAT which happens to also translate packets between IPv4 and IPv6.

In terms of your storyline, NAT64 would be no different from carrier grade NAT. Though there could be some interesting arguments between investigator, mail provider, and internet provider as to who is responsible for the inability to find out which exact phone the email originated from. The internet provider could make a sound technical argument that the responsibility lies with the mail provider for not upgrading to IPv6. The mail provider would argue that they plan to do that a few months after everybody else has done it.

If you are going to have specific IP addresses show up in your script, there are three ranges of IPv4 addresses and one range of IPv6 addresses that you can use without worrying about the addresses belonging to somebody in particular.

  • 192.0.2.0 - 192.0.2.255
  • 198.51.100.0 - 198.51.100.255
  • 203.0.113.0 - 203.0.113.255
  • 2001:db8:: - 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff
+1 for the IPv6 argument between the parties – Ángel 12 hours ago
    
Those are the IP equivalents of 555 phone numbers :) – Hagen von Eitzen 12 hours ago
@HagenvonEitzen To the best of my knowledge, yes. But I don't know if the 555 numbers are officially reserved for such purpose. – kasperd 12 hours ago
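The carrier-grade NAT problem the answer raises, worked as an added example that is not part of the answer: a constructed NAT session log is queried with only the public address, then with address, public source port and a UTC-normalised timestamp taken from the mail header. The log format, subscriber ids and addresses are assumptions (addresses from the documentation ranges above).

```python
"""Why a public IP alone does not identify one phone behind carrier-grade NAT.
Added example: a constructed CGNAT session log (the kind of translation record
a carrier keeps) is queried with and without the public source port."""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample log: one line per translation. Addresses are from the
# documentation ranges; subscriber ids and the line format are assumptions.
NAT_LOG = """\
2016-05-26T21:51:20Z sub=4471 inside=10.77.3.12 public=203.0.113.45 port=40211 dst=198.51.100.25:587
2016-05-26T21:51:22Z sub=9035 inside=10.77.8.200 public=203.0.113.45 port=40212 dst=198.51.100.80:443
2016-05-26T21:51:25Z sub=1288 inside=10.77.5.9 public=203.0.113.45 port=40213 dst=198.51.100.25:587
2016-05-26T21:51:31Z sub=4471 inside=10.77.3.12 public=203.0.113.46 port=40214 dst=198.51.100.7:443
2016-05-26T21:52:10Z sub=7700 inside=10.77.1.4 public=203.0.113.45 port=40213 dst=198.51.100.25:587
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) sub=(?P<sub>\d+) inside=(?P<inside>\S+) public=(?P<public>\S+) "
    r"port=(?P<port>\d+) dst=(?P<dst>\S+)"
)


def parse_nat_log(text):
    """Parse log lines into dicts with aware UTC timestamps; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        row["sub"], row["port"] = int(row["sub"]), int(row["port"])
        rows.append(row)
    return rows


def header_time_to_utc(received_date):
    """A Received: header carries its own UTC offset; normalise before matching carrier logs."""
    return parsedate_to_datetime(received_date).astimezone(timezone.utc)


def subscribers_using(rows, public_ip, when, window_seconds, port=None):
    """Subscriber ids that held public_ip (and port, if given) within +/- window of `when`."""
    lo = when - timedelta(seconds=window_seconds)
    hi = when + timedelta(seconds=window_seconds)
    return {
        r["sub"] for r in rows
        if r["public"] == public_ip
        and (port is None or r["port"] == port)
        and lo <= r["ts"] <= hi
    }


if __name__ == "__main__":
    rows = parse_nat_log(NAT_LOG)
    when = header_time_to_utc("Thu, 26 May 2016 14:51:25 -0700")  # from the mail header
    print("IP only:        ", subscribers_using(rows, "203.0.113.45", when, 10))
    print("IP + port:      ", subscribers_using(rows, "203.0.113.45", when, 10, port=40213))
    print("IP + port, 60s: ", subscribers_using(rows, "203.0.113.45", when, 60, port=40213))
```

The third query shows why the timestamp must be precise as well: the same public port is reused by another subscriber less than a minute later.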

Speaking as a wireless telecom professional, the answer to your question depends on how precise you expect the location to be.

  • With minimal effort (and a legal obligation to do so), I can tell exactly which cellsite(s) you were using, which narrows your location down to a particular geographic area. And we don't even need to know the IP address, we just need the mobile number. If the phone was on and actively communicating with the network, the provider should be able to determine your general location. The coverage of a specific site can vary from a radius of less than 0.2 miles in the middle of a city to more than 10 miles in very rural areas (more rural locations will have fewer sites, so each site will have a large coverage footprint).
  • If you need a more exact location, then your mileage may vary.
    • With some additional info, the provider may be able to estimate how far you were from the site (this depends on the technology that the provider uses).
    • More specific locations are difficult. In the US, emergency calls (911) are able to be located with reasonable accuracy (usually <50m); however, locations with that accuracy can only be generated if you call 911. If you don't, the info isn't readily available.
    • Additional tools used by wireless providers to help with traffic analysis can sometimes locate a specific device within 50 to 100m, but it is not a guaranteed location, just an estimate used for planning purposes.

To wrap it up, the idea that you can be precisely located is probably an invention of TV and movies. Wireless network providers are limited in what info can be obtained due to privacy limitations and the general limitations of the network itself.

You should be able to be located to a specific town (unless you are in a very rural area where a specific site covers several towns). In more urban areas you may be able to be located within a 2 or 3 block area, but pinpointing a specific address is not really feasible (except during a real-time emergency call, when your device explicitly provides your specific location via GPS).

Even phones w/o GPS are required by law to be precisely locatable. So most of the time they are. Proof: consumerist.com/2007/09/12/… – Matthew Elvey 8 hours ago
    
@MatthewElvey that is required for 911 purposes only, due to US regulations. I can tell you, if you don't dial 911, the network operator does not know "precisely" where you are. If they did, my job would be infinitely easier (and if you did dial 911, only the 911 call center really has that exact info). – psubsee2003 8 hours ago

Well, if he was already a suspect, you wouldn't need the email to begin with. The investigators could have been watching their mobile phone's wanderings the whole time (or another agency has already put this guy on watch, and thus the mobile has more data about it).

The other option is that you have an email but no idea who the criminal is (eg. “They kidnapped my child and now I received this ransom email from [email protected] saying they are holding him in Eastasia…”).

Assuming the email was sent through smtp and not by webmail, the IP from which it was sent would be directly available to the investigators (show some Received: lines here).

Additionally, they could gather more information from the email provider (Google here), which could provide, in addition to other IP addresses from which he has connected, such things as a phone number used for account recovery (if they have been dumb), the registration date (the day before, quite uninteresting), that the language used in the signup was German (this would be useful), maybe even a Google Maps search for an isolated place that would be ideal for hiding someone… (make them receive this when the guy is about to kill the poor boy)

As stated before, geolocation is unreliable for determining where the suspect is (albeit immediate, so I would expect them to query it anyway) but it can be used to know where it isn't. If the IP is geolocated to the city where the crime was committed, that means the criminal sent it from there, not from Eastasia! That was probably a bluff.

Once they have the IP address(es), they will ask the internet provider (with a court order) who was using that address at that time. If it was accessed through 3G/4G, then they could ask for the location of such phone at the time of sending, and discover which tower serviced it (they also asked where it was now, but it's currently powered off).

However, it is also possible that he wasn't connecting through 3G but through WiFi (or that some of the multiple IPs they got from Gmail / several exchanged emails were). Maybe it turns out to belong to Starbucks. They may then quite confidently assume -something they could check by connecting themselves from there- that it was sent from the only Starbucks in town (later they will find that the phone card was bought in a nearby supermarket). Or it may be a local coffee shop that happens to host their website on the same IP used to NAT the connections on their free WiFi (not a good setup, but it was installed by the owner's nephew, and they only have one IP address). Thus, just by entering the IP in a browser they would learn the precise place from which it was sent, with no delays from legal roundtrips.

Knowing the store "from" which the email was sent may or may not be too useful. There could be interesting footage from security cameras. Perhaps he only went there once. Maybe he lives nearby, or even is able to connect from his home.

Naturally, if the criminal connects repeatedly from there, they can put it on surveillance, as well as immediately going there as soon as a new email is received.


No, the location is not traced for everyone in logs, unless it was under watch beforehand. The last resort here, usually if no previous location trace is enabled, is the base station where the IP-carrying node was active at the moment.


Around ten years ago it was more likely. Back then, many free website-based e-mail providers (including Yahoo) added the IP address of the machine the e-mail was sent from to the e-mail header. I didn't check what every provider does now, but I would guess most providers now put the IP of their server instead of the sender's machine into the header. If I remember correctly, Gmail was among the first webmails to do so.

This means that if the sender is not very tech-savvy, does not actively try to hide (by using proxies or whatever), and is using a relatively low-quality free web-based service, it can happen that the sender machine's IP address is added to the e-mail header. And, depending on the internet provider, it might be a static IP address easily linked to a specific household. This was much more likely to happen in the early 2000s than now.

Gmail is currently including the sender IP for SMTP connections, but not for webmail – Ángel 12 hours ago

You have plenty of good suggestions here. But at the risk of ruining my script-writing career, the most visual scheme to use would be the "silent ping", that is, if you want to find the person in real time. I will discuss email as well later in the post.

The silent ping takes advantage of a mode of SMS where nothing appears on your phone. The three letter organization trying to find you pings your phone, then they look for RF energy as your phone replies. Radio detection schemes are used, so you get to have the creepy dudes in the van fiddle with dials and look at screens as they try to find the source of the signal. And they drive around to get closer and closer for a better fix. (cue James Bond music).

Now regarding email, if you could tell where all email originates, there would be no spammers. But 90% of all email traffic is spam. If I sent you an email, even on a mobile device, you would know exactly what server I used due to a parameter called SPF. Now the server could be compromised (maybe the sysadmin doesn't know how to prevent an open relay), so the unauthorized email could be relayed from my server, but it would lack DKIM, a means of authenticating the server in a crypto manner. Any legit email server will have SPF and DKIM. However, a lot of these email forwarding services lose the SPF and DKIM. If they didn't, the entire email service provider world would reject email that lacked SPF plus DKIM. (The mail must go through, no matter how crappy the server that sends it. Nobody wants to deal with bounced messages.)

So I think email is not the way to go unless you want Silicon Valley types in the audience groaning.

I was trying to do forensics on some jerk and discovered that if you use gmail and log into the google server, you lose the IP of the person creating the email. Of course google has that data, but it isn't like I can generate a court order. Pissed me off, but I honeypotted the jerk and found his IP via port 80 access. (There are schemes to hide your IP from port 80 access, such as a VPN, but I block many VPNs on my server. Tor can be blocked as well.)

I'd still go with the silent ping. Everything else is neck beards typing on keyboards.

Don't forget to hack the Gibson somewhere in that process. – user3791372 19 hours ago
    
SPF is not used to find out what server you used. SPF (if employed by the sender's domain) is a means to allow receiving MTAs to detect mail originating from unauthorized sources. Some major SPFs would allow gazillions of servers, simply because those big providers do use gazillions of outbound mail servers. SPF has nothing to do with submission. The closest to tracing back the origin (from within the mail) is the Received: header - which might be cut off or filled with deceptive fake info by any server before the first of an uninterrupted chain of servers you trust. – Hagen von Eitzen 12 hours ago
