Say you found the IP of someone who hacked into a network you are investigating. And you decide to follow through and you want to prosecute him. What would happen if you went through all of the hosts he used as proxies and then you got to one IP and that person said that he found out earlier someone had hacked him as well, so he did a low-level format on his hard drive. Would you be able to subpoena his ISP's records and somehow tell if he really was used as a proxy for the attack or if he was indeed the attacker?

Or what if someone was war driving and used a wireless LAN for internet access to launch his attack, and he changed his IP/MAC address to match one of the hosts he sniffed earlier that had been shut down over the weekend. Would there be any way to find and prosecute the attacker in either of these scenarios?

Also, is SafeBack freeware? Cyber Forensics--A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes says it is freeware, but I haven't been able to find it for free anywhere.