Need Help: tracking activity via IP address

Thanks Msmittens and Scratchonthebox. I agree that, if what I know of the computer security is correct, then it does need to be changed. I'm meeting with the University ombudsman later in the week and this is one of the things we will be discussing.

A couple people have said that more information needs to be given before they can help. That's fine, but be specific. It was a message posted onto an online site that does not require a login, it referenced me specifically, as well as a class that I taught in the recently completed term (and had not taught before), it made a physical threat that was credible to the website admin, myself, the police, and my lawyer. From the website admin I obtained an IP address and a time of the posting. According to WHOIS, the IP address is part of a batch assigned to my University, and according to them the posting was made from a computer lab that does not require you to login to its workstations, that does not have someone physically present watching the room, and that only has a cardswipe to get access (and, yes, I know about tailgating). For what seem obvious reasons, I'm not going to say who I am or where I work.

What I'm looking for are specific requests to take to the IT people at the University (along the lines of "check this log file...") since, at this point, I'm not convinced that they're doing all they can to find out about this posting.

Finally, to those who have replied thinking that this is a hoax, or I need to learn more about the law (that's what I teach folks, so please don't lecture me), etc. - that's fine, you're entitled to your opinions, but unless you have something worthwhile to contribute, please stop cluttering up this thread.

Heineken,

Your extremely limited profile and you shurking of the questions is why people, including myself, are suspicious of your motives...excuuuuuuse meeeeeee but we often have people coming here who pretend to be someone they're not, asking questions for the wrong purposes...

our only evidence that you are who you say you are and you're not some game junkie high on mushrooms who got dissed by another game junkie on a bulletin board and is out to get even is your say-so...

excuuuuuuuse meeeeeeeee again but there are some things you've said that just don't add up! This university itself is called what exactly: UFTMI ( University For The Mentally Incompetent ) !

Egaladeist: those game junkies, etc. are precisely why I'm not going to post information about myself unless it is germane to figuring out who sent the post. If I've posted info that doesn't add up, it's probably because I'm not techincally savvy - let me know what's inconsistent and I'll try to clear it up.

Oh, and it's "shirking" not "shurking" (perhaps that helps establish me as a professor).

Quote:

---

It was a message posted onto an online site that does not require a login, it referenced me specifically, as well as a class that I taught in the recently completed term (and had not taught before), it made a physical threat that was credible to the website admin, myself, the police, and my lawyer. From the website admin I obtained an IP address and a time of the posting. According to WHOIS, the IP address is part of a batch assigned to my University, and according to them the posting was made from a computer lab that does not require you to login to its workstations, that does not have someone physically present watching the room, and that only has a cardswipe to get access (and, yes, I know about tailgating).

---

Then there isn't much you can do to prove who it is really. Unless there was something put in beforehand (a form of forced authentication), you have no way of knowing for sure who it is and I would think (based on what happens here) that if you accuse a student of something they didn't do they may take an even stronger objection (e.g., lawsuit for deframation, slander or something else -- you probably know this better than I).

And as an additional thought, and I'm thinking at random here, if a machine was compromised in the lab (has that been checked yet and not knowing the OS of the systems in question) then it could have been used to post the comment. The actual source (person) could have been off-campus using the compromised machine.

Although, if perhaps you had a "witness" or suggested witness it might make them "confess" but that's only if you know for a fact that there was more than one person in the room at the time (ideally a packed house). Since they won't know who "fingered" them perhaps that might work.

Quote:

---

Oh, and it's "shirking" not "shurking" (perhaps that helps establish me as a professor).

---

No, that just establishes me as being over-tired ! :rolleyes:

Quote:

---

What I'm looking for are specific requests to take to the IT people at the University (along the lines of "check this log file...") since, at this point, I'm not convinced that they're doing all they can to find out about this posting.

---

- IF EVER IT IS (workstation) a Win XP Professional (not Win XP Home).

- Since we may not have enough info directly on the server, can you request that the specific workstation (IF SPECIFIC IP IS ASSIGNED TO THAT BOX ONLY) to be isolated and be investigated. You need to have the following info:

A. HISTORY IN THE BOX (IF AVAILABLE)
- Date/Time of POST in the BBS (compare it with the log of the BoX/PC/Workstation)
- Check the history logs of the BoX (for sure the ADMIN knows where to find it, if not, get themselves another JOB/WORK).
- Just like what you are looking for, sites visited during the said Date/Time, even messenger used (you may find the user profile, dig dig dig).

B. NO HISTORY, THEN NARROW THE OPTIONS
- MsM said, maybe there will be witness (s), narrow the options who might use the specific BoX. At least you have the Date/Time and workstation being used, look around and observe any unusual user doing unusual stuff (better have someone spy on them -- for investigatory purposes).

C. IT HAPPENED BEFORE, IT WILL HAPPEN AGAIN
- Like GnR ssaid, have a little patience... Yeah!
- Take the suggestions made, at the right time, the right place, the ADMIN should have setup the LOG SYSTEM already.

BUT BUT BUT... If ever the offender is clever enough to be remotely accessing the network, then go to *A,B,C and loop until the University decides to get a more SECURED-CONCIOUS TECHNICAL SAVVY STAFFS (meaning a more competent ADMIN who will do the REAL ADMIN TASKS).

Yo!

The germane answer is you will never find out. The whole idea of internal IT security is based on each user having a unique identity and a password to access the system.

Normally you would expect that to be recorded (logged) in the firewall and internet usage monitors, or whatever system you have. All you will find from those is source, destination and time, which you know already.

I very much doubt if those are anything but minimalistic, as there is no point in keeping detail when you don't know who the user is. Anyway who would monitor these logs, and for what? It sounds very much that this lab is outside your main network, and is not paid much attention to by your IT department.

You might be able to trace visits to other sites before and after, but they will be able to tell you less or the same as the bulletin board, and they won't even bother to do that, because they will read it as none of their business. The bulletin board had something nasty on their site so they would help, as their service had been used for an illegal activity.................but as a law professor you should already be aware of that.

It is time to give up and move on...............sorting out your internal security would be a good place to move to.

Scratchonthebox & nihil: Thank you for the suggestions/advice. This is what I was looking for and I think I have enough to get some action out of the IT staff and also, hopefully, get the University to reevaluate some of their computing policies. I'll post again if something new develops.

Nekenieh, understand that people on here are a little precautious spreading information due to the fact that a lot of people try to use social engineering to get information. Noone knows you are who you say you are and thus people are a little cautious.

Since this is a public board that you said was posted on you could private message someone trustworthy here the link and let them check it out and maybe have them vouch for you being legit. I understand your cautiousness in releasing this information, but from this side, it looks like you're standing behind a smokescreen.

For the most part it looks like you're stuck between a rock and a hard place. There is no account tied to the user who did what you say, on the computer or on the message board. The only way to find out who someone is, is to link something they did with their identity. Logging onto a workstation or message board is a very good linking situation.

Quote:

---

Originally posted here by nekenieh
It was a message posted onto an online site that does not require a login, it referenced me specifically, as well as a class that I taught in the recently completed term (and had not taught before), it made a physical threat that was credible to the website admin, myself, the police, and my lawyer.

---

You said earlier that this threat was credible to the police? If this is true I would expect they are doing an investigation?

The only piece of advice that I have that "might" help locate who it was is to look at the history and cookies on the machine. It is possible that the user was doing something else at the time that might link him/her to his identity. Maybe he/she was on hotmail or something. This is a long shot, but worth a look.

Quote:

---

Originally posted here by nihil
The germane answer is you will never find out. The whole idea of internal IT security is based on each user having a unique identity and a password to access the system.

---

Having recently left university, the above was basic, standard procedure to access the system from anywhere within the university, and one would imagine applies to most organisations