I did read of an interesting case at the beginning of last year regarding a paedo ring in Glasgow, Scotland.Apparently these guys didn't know each other IRL but had set up a fake e-mail account that they were using as a sort of "dead letter box" to exchange their filth. Each of them knew the userid and password of the fake account, so could access it, and send attachments to it. Basically like sending a test e-mail to yourself.

The case developed when one of the paedos had computer trouble and took his kit to a repair shop, where a technician discovered the material he had on it and informed the police.

They had a look, and noticed an e-mail account that didn't seem related to the owner of the PC. They decided to monitor it and see where the traffic was coming from and going to.

As soon as they saw that most of the traffic was the account apparently mailing itself, they realised what must be going on. It was relatively trivial to trace from e-mail provider to ISPs to ISP account holder.

All but one of them didn't know about proxies and the one who did was quite sly. They also didn't know much about international law, and the fact that CP is illegal in many countries whose law enforcement authorities would not normally co-operate. So a proxy may well not protect you........just get you a longer sentence

This guy connected to someone else's unprotected WiFi node and did his dirty deeds from there.

Strathclyde police (Glasgow) checked this out, and quickly concluded that the owner's router was being used as a proxy.

Now, this is just a wireless connection to a router, so there is no audit trail. [Most people over here use a router that is provided free by their ISP/Telco, so there are very limited logging and security features, to cut costs]

Strathclyde Police are a very resourceful and forward thinking outfit IMO (although I have only worked with them on fraud cases) and someone thought of re-checking the evidence (logs).

They found that one of the connections to the paedo e-mail account ( a single instance) came from a major employer in the city. Not much good as you didn't see the actual device connected (even assuming he used his own, rather than slide into a videoconferencing room or whatever), and there were no useful logs still saved by the company.

But! taking the circular area of probability of the WiFi node's reception and matching that to the employee list of the large corporation gave just one hit............and guess what he had on his hard drive?

It only takes one mistake huh? But I don't really regard it as computer forensics rather than good, honest, police work.

Might I recommend this site as an interesting source of technological news?