23 Aug 2023

OSINT Data to Support Subpoenaing Internet Service Providers

Sergio Leal Rodriguez

When a crime is committed online or involves digital evidence, prosecuting suspects becomes more difficult. In many cases, the identity of individuals and organizations behind illegal online activities—such as hacking, child sexual abuse, cyberattacks, or online fraud—may be masked or obfuscated. In other cases, digital evidence like websites or emails can be easily modified or erased.

To support their investigations, prosecutors may turn to subpoenaing internet service providers (ISPs). Subpoenas compel these companies to disclose records or information of their customers and users that are critical to building a case against a suspect or shedding light on criminal activities.

Applying for a subpoena order, however, comes with a set of challenges of its own. There are legal restrictions in place to ensure subpoena requests stay within reasonable boundaries and away from privacy violation.

In this article, we will discuss how open source intelligence (OSINT) helps build a subpoena request, and provide a cheat sheet that lists out what OSINT data you should include to successfully subpoena an internet service provider (ISP).


Establishing Relevance is Key to Building Your Case 🔗︎

There is no clear set of rules that helps evaluate subpoena requests, and the approval or disapproval of subpoena requests depends largely on the jurisdiction, the judges, and the evidence at hand.

One of the key challenges to issuing a subpoena request is relevance. Prosecutors must justify the scope of the subpoena and prove relevance between the criminal case and the information requested. This is especially under scrutiny when the disclosure of information can potentially infringe upon an individual’s right to privacy.

Another challenge prosecutors face is compliance. Compliance of the subpoena requests ensures that the subpoena is legally compliant, valid, and enforceable, and that the evidence obtained via the subpoenas is admissible in court.

When subpoenaing an ISP, you need to prove that the suspect has used the ISP’s network services to commit a crime. Each ISP serves a specific region, location, and jurisdiction. It’s important to identify the correct ISP behind the public IP addresses connected to the suspect’s activities.

For example, when starting a case with a domain, the primary goal is to obtain information related to the suspect and their activities connected to that domain.

It is crucial to establish a clear connection between the suspect and the domain in question (domain attribution). This can be achieved through various methods such as examining the domain registry record, analyzing shared IP addresses, or exploring the content hosted on the website associated with the domain.

An example scenario: Let’s assume we have a suspect involved in cybercrimes and we have obtained a domain associated with their activities. Our first step would be to perform a WHOIS lookup on the domain to gather details about the domain owner. Additionally, we could conduct a reverse IP lookup to check for other domains hosted on the same server, potentially revealing related websites.

Once we have confirmed the suspect’s association with the domain, the next step is to obtain the public IP address(es) associated with the domain. This information is vital in identifying the location of the server hosting the domain and the ISP providing those addresses. This will provide valuable insights into the geographical location and jurisdiction under which the domain operates.

All of this comes down to being able to prove in a subpoena request that:

  1. The ISP is indeed the right one to provide relevant information to the case.
  2. The suspect is indeed associated with the evidence and requested information.

Using OSINT to Support Subpoenaing ISPs 🔗︎

It is essential to prepare a detailed written request for subpoenas which describes the investigation, its purpose, and the specific information sought. In the case of online crimes, understanding how open source intelligence (OSINT) data is stored, aggregated, and obtained can be very useful in building your case.

OSINT provides law enforcement agencies and legal professionals with access to a vast range of online information. Having OSINT tools allow law enforcement to have access to information gathered from publicly available sources and aggregated into structured databases.

The use of OSINT in law enforcement faces controversy. However, it is true that OSINT enables investigators to obtain real-time data from the internet, which is crucial for cyber-based crimes where digital evidence often gets destroyed or modified. By cross-referencing OSINT with traditional investigative methods, investigators can form a more comprehensive understanding of the facts of the crime or even pinpoint the identity of the suspects.

Some of the information needed via subpoenaing an ISP can actually be found using OSINT. If you know where to look for information, you might even be able to avoid jumping through multiple hoops of subpoenas and directly build a case that leads you to the most crucial piece of the puzzle.

Solidating Your Subpoena Request with OSINT! 🔗︎

To better support law enforcement officers with their subpoena requests to an ISP, we list out the most relevant domain data you need to build your criminal case, as well as a set of OSINT sources law enforcement can use to obtain each piece of information.

Download the cheat sheet now!

Download the resource

DE +49
Albania +355
Algeria +213
Andorra +376
Angola +244
Anguilla +1264
Antigua And Barbuda +1268
Argentina +54
Armenia +374
Aruba +297
Australia +61
Austria +43
Azerbaijan +994
Bahamas +1242
Bahrain +973
Bangladesh +880
Barbados +1246
Belarus +375
Belgium +32
Belize +501
Benin +229
Bermuda +1441
Bhutan +975
Bolivia +591
Bosnia and Herzegovina +387
Botswana +267
Brazil +55
Brunei Darussalam +673
Bulgaria +359
Burkina Faso +226
Burundi +257
Cambodia +855
Cameroon +237
Canada +1
Cape Verde +238
Cayman Islands +1345
Central African Republic +236
Chile +56
China +86
Cote d'Ivoire +225
Colombia +57
Comoros +269
Congo +242
Cook Islands +682
Costa Rica +506
Croatia +385
Cuba +53
Cyprus +90392
Czech Republic +42
Denmark +45
Djibouti +253
Dominica +1809
Dominican Republic +1809
Ecuador +593
Egypt +20
El Salvador +503
Equatorial Guinea +240
Eritrea +291
Estonia +372
Ethiopia +251
Falkland Islands (Malvinas) +500
Faroe Islands +298
Fiji +679
Finland +358
France +33
French Guiana +594
French Polynesia +689
Gabon +241
Gambia +220
Georgia +7880
Germany +49
Ghana +233
Gibraltar +350
Greece +30
Greenland +299
Grenada +1473
Guadeloupe +590
Guam +671
Guatemala +502
Guinea +224
Guinea-Bissau +245
Guyana +592
Haiti +509
Honduras +504
Hong Kong +852
Hungary +36
Iceland +354
India +91
Indonesia +62
Iran, Islamic Republic of +98
Iraq +964
Ireland +353
Israel +972
Italy +39
Jamaica +1876
Japan +81
Jordan +962
Kazakhstan +7
Kenya +254
Kiribati +686
Korea, Democratic People's Republic of +850
Korea, Republic of +82
Kuwait +965
Kyrgyzstan +996
Lao People's Democratic Republic +856
Latvia +371
Lebanon +961
Lesotho +266
Liberia +231
Libyan Arab Jamahiriya +218
Liechtenstein +417
Lithuania +370
Luxembourg +352
Macao +853
Macedonia, the former Yugoslav Republic of +389
Madagascar +261
Malawi +265
Malaysia +60
Maldives +960
Mali +223
Malta +356
Marshall Islands +692
Martinique +596
Mauritania +222
Mauritius +230
Mayotte +269
Mexico +52
Micronesia, Federated States of +691
Moldova, Republic of +373
Monaco +377
Mongolia +976
Montserrat +1664
Morocco +212
Mozambique +258
Myanmar +95
Namibia +264
Nauru +674
Nepal +977
Netherlands +31
New Caledonia +687
New Zealand +64
Nicaragua +505
Niger +227
Nigeria +234
Niue +683
Norfolk Island +672
Northern Mariana Islands +670
Norway +47
Oman +968
Pakistan +92
Palau +680
Panama +507
Papua New Guinea +675
Paraguay +595
Peru +51
Philippines +63
Poland +48
Portugal +351
Puerto Rico +1787
Qatar +974
Reunion +262
Romania +40
Russian Federation +7
Rwanda +250
San Marino +378
Sao Tome and Principe +239
Saudi Arabia +966
Senegal +221
Serbia +381
Seychelles +248
Sierra Leone +232
Singapore +65
Slovakia +421
Slovenia +386
Solomon Islands +677
Somalia +252
South Africa +27
Spain +34
Sri Lanka +94
Saint Helena +290
Saint Kitts and Nevis +1869
Saint Lucia +1758
Sudan +249
Suriname +597
Swaziland +268
Sweden +46
Switzerland +41
Syrian Arab Republic +963
Taiwan +886
Tajikistan +7
Thailand +66
Togo +228
Tonga +676
Trinidad and Tobago +1868
Tunisia +216
Turkey +90
Turkmenistan +993
Turks and Caicos Islands +1649
Tuvalu +688
Uganda +256
United Kingdom +44
Ukraine +380
United Arab Emirates +971
Uruguay +598
United States +1
Uzbekistan +7
Vanuatu +678
Holy See (Vatican City State) +379
Venezuela +58
Viet Nam +84
Virgin Islands, British +84
Virgin Islands, U.S. +84
Wallis and Futuna +681
Yemen +967
Zambia +260
Zimbabwe +263

By clicking on "Access", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.

We hope you find this cheat sheet helpful for you and your team by incorporating OSINT in your subpoena requests to form a comprehensive criminal case that is relevant and compliant.

Don’t forget to follow us on Twitter, LinkedIn, Mastodon, and sign up to our email newsletter, so you don’t miss out on updates and news!

Happy investigating!

About the Author 🔗︎

Sergio Leal Rodriguez

Sergio Leal Rodriguez 🔗︎

Sergio is an experienced and dedicated professional with more than 20 years of invaluable experience in coordinating, investigating, modeling data, and researching cybercrimes with a focus on the critical field of Child Sexual Abuse at Europol’s AP TWINS. His expertise lies in coordinating multi-agency efforts as well as conducting thorough investigations, and he has actively contributed to the development of innovative methodologies for data analysis and modeling in the context of child sexual abuse.

By clicking on "Subscribe", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.