Suppose that the same precious object was stolen again when the burglar from the previous scenario was released from prison a few months later. This time, however, the burglar claims to have been in California, thousands of miles away, starting a new life. The burglar's parole officer does not think that the suspect left California but cannot be certain. The only evidence that supports the suspect's alibi is an e-mail message to his friend in Miami. Though the suspect's friend is irritated at being involved again, she gives the investigators the following e-mail:
Received: from mail.california.net by mail.miami.net (8.8.5/8.8.5) with ESMTP id NAA23905 for, witness@miami.net.; Fri, 21 May 1999 22:03:46 EST -0500 (EST)
Received: from suspectshome.california.net by mail.california.(InterMail v03.02.07 118 124) with SMTP id <19990521220346.CBJN9925@california.net> for <witness@miami.net>; Fri, 21 May 1999 22:03:46 +0000
From: suspect@california.net
Date: Fri, 21 May 1999 22:03:46 EST
Subject: New E-mail Address
To: witness@miami.net
Message-id: <001801be724c$dc842000$1f02480c@california.net>

I have moved to California to start afresh. You can send e-mail to me at this address.
The investigators examine the e-mail header, determine that it was sent while the burglar was in the museum, and find no indication that the e-mail was forged. The suspect claims that someone is trying to frame him and assures the investigators that he has no knowledge of the crime. The following month, when the Museum of Fine Arts receives its telephone bill, an administrator finds an unusual telephone call to California on the night of the burglary. The investigators are notified and they determine that the number belongs to an ISP in California (california.net). Unfortunately, the ISP's dialup logs were deleted several weeks earlier and there is not enough evidence to link the suspect to the telephone call. The investigators search the suspect's computer but do not find any incriminating evidence.
Investigators are stumped until it occurs to them to investigate the suspect's friend in Miami more thoroughly. By examining the friend's credit card records, the investigators determine that she bought a plane ticket to Boston on the day of the burglary. Also, the investigators find that her laptop is configured to connect to california.net and her telephone records show that she made several calls from Miami to the ISP while planning the robbery. Finally, investigators search the slack space on her hard drive and find remnants of the e-mail message that she sent from the Museum of Fine Arts during the robbery. When presented with all of this digital evidence, the woman admits to stealing the precious object and implicating the original suspect. This time a different buyer is identified and the object is recovered once again.
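The header examination in this scenario can be reproduced with a short script. The following is an added example, not part of the original text: it reads the Received lines as printed above, orders them from first hop to last, and normalises each hop's timestamp to UTC. The function names (parse_stamp, trace_hops, hop_delays) are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Header fields copied as printed in the scenario above, one field per line.
RAW_HEADER = """\
Received: from mail.california.net by mail.miami.net (8.8.5/8.8.5) with ESMTP id NAA23905 for, witness@miami.net.; Fri, 21 May 1999 22:03:46 EST -0500 (EST)
Received: from suspectshome.california.net by mail.california.(InterMail v03.02.07 118 124) with SMTP id <19990521220346.CBJN9925@california.net> for <witness@miami.net>; Fri, 21 May 1999 22:03:46 +0000
From: suspect@california.net
Date: Fri, 21 May 1999 22:03:46 EST
"""

HOP_RE = re.compile(r"^Received:\s+from\s+(?P<src>[\w.-]+)\s+by\s+(?P<dst>[\w.-]+)", re.I)
STAMP_RE = re.compile(r"(\d{1,2}) (\w{3}) (\d{4}) (\d{2}):(\d{2}):(\d{2})(?P<rest>.*)$")
OFFSET_RE = re.compile(r"([+-])(\d{2})(\d{2})")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def parse_stamp(line):
    """Return the timestamp after the last ';' as an aware UTC datetime."""
    m = STAMP_RE.search(line.rsplit(";", 1)[-1])
    off = OFFSET_RE.search(m["rest"]) if m else None
    if not off:
        return None  # no numeric zone offset recorded: do not guess one
    day, mon, year, hh, mm, ss = m.group(1, 2, 3, 4, 5, 6)
    sign = 1 if off[1] == "+" else -1
    tz = timezone(sign * timedelta(hours=int(off[2]), minutes=int(off[3])))
    local = datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=tz)
    return local.astimezone(timezone.utc)

def trace_hops(raw):
    """List the relay hops in the order the message travelled."""
    hops = []
    for line in raw.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append({"src": m["src"], "dst": m["dst"].rstrip("."), "utc": parse_stamp(line)})
    hops.reverse()  # each server prepends its line, so the bottom line is the first hop
    return hops

def hop_delays(hops):
    """Time between consecutive hops; None where a stamp could not be parsed."""
    return [b["utc"] - a["utc"] if a["utc"] and b["utc"] else None
            for a, b in zip(hops, hops[1:])]

if __name__ == "__main__":
    for hop in trace_hops(RAW_HEADER):
        print(hop["utc"], hop["src"], "->", hop["dst"])
```

The hop chain identifies the host that handed the message to the ISP's mail server, not where the sender was physically located, which is why the dialup and telephone records mattered in this scenario. A negative or large gap between hops is a prompt to check the servers' clock and time zone settings against their logs.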
As noted in previous chapters, many sources of digital evidence can reveal the location of an individual, including their mobile telephone.