- 1.- Starting principle: preserve the evidence
- 2.- Trace the IP (when possible)
- 3.- OSINT techniques to link identity
- 4.- False-lead indicators and risks
- 5.- Legal best practices and chain of custody
- 6.- Operational conclusions
Introduction: Locating a fake profile on social media or email requires preserving every digital trace intact, identifying—when feasible—the associated IP address, and using OSINT techniques to attribute the account to a real person. The key steps, forensic best practices, and legal safeguards needed for the evidence to be admissible in court are outlined below.
1.- Starting principle: preserve the evidence
| Immediate action | Reason | Best practices |
|---|---|---|
| Capture a screenshot (visible URL, timestamp) | Maintains the original appearance | Use forensic capture tools (Arsenal Recon, Hunchly). |
| Download a full copy of the profile (HTTrack, SingleFile) | Saves the HTML and its metadata | Calculate the SHA-256 hash and record the UTC time. |
| Export messages / emails in native format (.eml, .msg, JSON) | Preserves the full headers | Never forward: forwarding contaminates the metadata. |
2.- Trace the IP (when possible)
| Channel | Where it appears | Tool / procedure |
|---|---|---|
| Email | The Received: line closest to the source | Download the .eml message and analyze it with xHeader or a header viewer. |
| Facebook / Instagram message | IP not exposed to the user | Judicial request to Meta's LE team required. |
| Skype, Telegram (P2P call) | UDP traffic captured with Wireshark | Filter `udp && ip.src == <address>` (replace `<address>` with the candidate IP) to isolate the remote IP. |
| Forum / website | access.log from Apache/Nginx or Cloudflare | Request to the hosting provider; if a proxy exists, check the X-Forwarded-For headers. |
Note: the IP only identifies an Internet access point at a given moment; it does not prove identity by itself.
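The two preservation steps above (hash the untouched .eml, record the UTC time, then walk the Received: chain from the sender's side and skip private LAN addresses) as an added Python example; this is not code from the original page, and the message, hostnames and RFC 5737 addresses are constructed sample data.

```python
import email
import hashlib
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample .eml (not a real capture). Received: headers are read
# bottom-up: the last one is the hop closest to the sender. 198.51.100.0/24 and
# 203.0.113.0/24 are RFC 5737 documentation ranges; 192.168.1.20 is the LAN address
# the submitting server saw, which is not an Internet access point.
SAMPLE_EML = b"""Received: from mx2.example.net (mx2.example.net [198.51.100.9])
\tby inbox.example.org with ESMTPS; Tue, 04 Jun 2024 10:02:11 +0000
Received: from mail.example.net (mail.example.net [198.51.100.5])
\tby mx2.example.net with ESMTP; Tue, 04 Jun 2024 10:02:10 +0000
Received: from [192.168.1.20] (unknown [203.0.113.77])
\tby mail.example.net with ESMTPSA; Tue, 04 Jun 2024 10:02:09 +0000
From: sender@example.net
To: recipient@example.org
Message-ID: <constructed-0001@example.net>

body text
"""

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
# Ranges that can only be the sender's local network, never the access point.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

def evidence_record(raw):
    """Hash the untouched bytes and stamp the capture time in UTC (section 1)."""
    return {"sha256": hashlib.sha256(raw).hexdigest(),
            "captured_utc": datetime.now(timezone.utc).isoformat()}

def received_chain(raw):
    """Received: headers reordered so index 0 is the hop nearest the sender."""
    msg = email.message_from_bytes(raw)
    return list(reversed(msg.get_all("Received") or []))

def origin_ip(raw):
    """First non-LAN IPv4 found walking the chain from the sender's side."""
    for hop in received_chain(raw):
        for cand in IP_RE.findall(hop):
            try:
                addr = ipaddress.ip_address(cand)
            except ValueError:      # e.g. 999.1.1.1 matched by the regex
                continue
            if not any(addr in net for net in LAN_NETS):
                return str(addr)
    return None
```

Forged Received: lines (section 4) are not detected here; the result is a lead to corroborate, not proof of identity.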
3.- OSINT techniques to link identity
| Technique | Tools | What it reveals |
|---|---|---|
| Reverse image search | Google Lens, Yandex, PimEyes | Matches in real profiles or stock-image libraries. |
| User enumeration / namecheck | Sherlock, Maigret, WhatsMyName | The same aliases on other platforms. |
| Timestamp correlation | SpiderFoot, Maltego | Parallel activity across multiple platforms. |
| WHOIS & DNS history | SecurityTrails, DomainTools | Registration date, reverse DNS, server history. |
| Leaks & dumps | HaveIBeenPwned, Dehashed | Reused emails and passwords. |
4.- False-lead indicators and risks
| False lead | Risk / warning |
|---|---|
| VPN or Tor | The IP points to another country or to an anonymous exit node. |
| Spoofed emails | Headers manipulated to hide the origin. |
| GAN-generated photos (AI) | Reverse search yields no hits; artificially symmetrical features. |
5.- Legal best practices and chain of custody
- Request a court order before seeking data from foreign operators or platforms (MLAT, Budapest Convention).
- Maintain an immutable log (WORM or blockchain) of hashes and evidence access.
- Document every step with UTC-timestamped logs and an advanced electronic signature.
- Prepare an expert report explaining methodology, tools, and limitations.
6.- Operational conclusions
- Preserve first, investigate later: altered evidence loses probative value.
- Combine IP tracing with OSINT; a single data point rarely suffices for attribution.
- Beware of clues that seem too “perfect”—VPN, AI photos, spoofed emails—and cross-verify sources.
- Involve the prosecutor early to speed up subpoenas and prevent log expiration on servers.