Evidential value of country location evidence obtained from IP address geolocation

Abstract

Knowledge of the previous location of an Internet device is valuable information in forensics. The previous device location can be obtained via the IP address that the device used to access Internet services, such as email, banking, and online shopping. However, the problem with the device location using its IP address is the unknown evidential value, which is used to admit the evidence in the case. This work introduces a method to process free and constantly updated data to assess the evidential value of the IP country location. The evidential value is assessed for several countries by analyzing historical data over 8 years. Tampering with the location evidence is discussed, as well as its detection. The source code to replicate the results and to apply the updated data to future evidence is available.Knowledge of the previous location of an Internet device is valuable information in forensics. The previous device location can be obtained via the IP address that the device used to access Internet services, such as email, banking, and online shopping. However, the problem with the device location using its IP address is the unknown evidential value, which is used to admit the evidence in the case. This work introduces a method to process free and constantly updated data to assess the evidential value of the IP country location. The evidential value is assessed for several countries by analyzing historical data over 8 years. Tampering with the location evidence is discussed, as well as its detection. The source code to replicate the results and to apply the updated data to future evidence is available.