When a crime is committed online or involves digital evidence, prosecuting suspects becomes more difficult. In many cases, the identity of individuals and organizations behind illegal online activities—such as hacking, child sexual abuse, cyberattacks, or online fraud—may be masked or obfuscated. In other cases, digital evidence like websites or emails can be easily modified or erased.
To support their investigations, prosecutors may turn to subpoenaing internet service providers (ISPs). Subpoenas compel these companies to disclose records or information of their customers and users that are critical to building a case against a suspect or shedding light on criminal activities.
Applying for a subpoena order, however, comes with a set of challenges of its own. There are legal restrictions in place to ensure subpoena requests stay within reasonable boundaries and away from privacy violation.
In this article, we will discuss how open source intelligence (OSINT) helps build a subpoena request, and provide a cheat sheet that lists out what OSINT data you should include to successfully subpoena an internet service provider (ISP).
Establishing Relevance is Key to Building Your Case 🔗︎
There is no clear set of rules that helps evaluate subpoena requests, and the approval or disapproval of subpoena requests depends largely on the jurisdiction, the judges, and the evidence at hand.
One of the key challenges to issuing a subpoena request is relevance. Prosecutors must justify the scope of the subpoena and prove relevance between the criminal case and the information requested. This is especially under scrutiny when the disclosure of information can potentially infringe upon an individual’s right to privacy.
Another challenge prosecutors face is compliance. Compliance of the subpoena requests ensures that the subpoena is legally compliant, valid, and enforceable, and that the evidence obtained via the subpoenas is admissible in court.
When subpoenaing an ISP, you need to prove that the suspect has used the ISP’s network services to commit a crime. Each ISP serves a specific region, location, and jurisdiction. It’s important to identify the correct ISP behind the public IP addresses connected to the suspect’s activities.
For example, when starting a case with a domain, the primary goal is to obtain information related to the suspect and their activities connected to that domain.
It is crucial to establish a clear connection between the suspect and the domain in question (domain attribution). This can be achieved through various methods such as examining the domain registry record, analyzing shared IP addresses, or exploring the content hosted on the website associated with the domain.
An example scenario: Let’s assume we have a suspect involved in cybercrimes and we have obtained a domain associated with their activities. Our first step would be to perform a WHOIS lookup on the domain to gather details about the domain owner. Additionally, we could conduct a reverse IP lookup to check for other domains hosted on the same server, potentially revealing related websites.
Once we have confirmed the suspect’s association with the domain, the next step is to obtain the public IP address(es) associated with the domain. This information is vital in identifying the location of the server hosting the domain and the ISP providing those addresses. This will provide valuable insights into the geographical location and jurisdiction under which the domain operates.
All of this comes down to being able to prove in a subpoena request that:
- The ISP is indeed the right one to provide relevant information to the case.
- The suspect is indeed associated with the evidence and requested information.
Using OSINT to Support Subpoenaing ISPs 🔗︎
It is essential to prepare a detailed written request for subpoenas which describes the investigation, its purpose, and the specific information sought. In the case of online crimes, understanding how open source intelligence (OSINT) data is stored, aggregated, and obtained can be very useful in building your case.
OSINT provides law enforcement agencies and legal professionals with access to a vast range of online information. Having OSINT tools allow law enforcement to have access to information gathered from publicly available sources and aggregated into structured databases.
The use of OSINT in law enforcement faces controversy. However, it is true that OSINT enables investigators to obtain real-time data from the internet, which is crucial for cyber-based crimes where digital evidence often gets destroyed or modified. By cross-referencing OSINT with traditional investigative methods, investigators can form a more comprehensive understanding of the facts of the crime or even pinpoint the identity of the suspects.
Some of the information needed via subpoenaing an ISP can actually be found using OSINT. If you know where to look for information, you might even be able to avoid jumping through multiple hoops of subpoenas and directly build a case that leads you to the most crucial piece of the puzzle.
Solidating Your Subpoena Request with OSINT! 🔗︎
To better support law enforcement officers with their subpoena requests to an ISP, we list out the most relevant domain data you need to build your criminal case, as well as a set of OSINT sources law enforcement can use to obtain each piece of information.
Download the cheat sheet now!
Download the resource
We hope you find this cheat sheet helpful for you and your team by incorporating OSINT in your subpoena requests to form a comprehensive criminal case that is relevant and compliant.
About the Author 🔗︎
Sergio Leal Rodriguez 🔗︎
Sergio is an experienced and dedicated professional with more than 20 years of invaluable experience in coordinating, investigating, modeling data, and researching cybercrimes with a focus on the critical field of Child Sexual Abuse at Europol’s AP TWINS. His expertise lies in coordinating multi-agency efforts as well as conducting thorough investigations, and he has actively contributed to the development of innovative methodologies for data analysis and modeling in the context of child sexual abuse.