LEEDIT (Law Enforcement Education and Investigative Techniques)

Have you ever wanted to locate a person on social media but have been stopped because of the MLAT (Mutual Legal Assistance Treaty) process?

I need to locate a suspect who has disappeared. I can see that they are posting to their social media account but the information I need is stored and protected by another country.


How Do I Locate A Person’s Internet Protocol Address?

Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential or personal information.

Are the police allowed to use social engineering? Yes. According to Crown, “Police are permitted to use tricks to obtain evidence.” The rules of engagement are governed by R. v. Delaa, 2009 ABCA 179.

Currently, NO police officer in Canada can obtain a Production Order UNLESS there happens to be a “brick and mortar” office located in their Province. This also includes using the Law Enforcement only portals. The ONLY recourse is to use the Mutual Legal Assistance Treaty. Anyone who has used an MLAT knows that it can often take YEARS to obtain the necessary information needed to solve a file.

I often get calls from investigators located outside of Canada requesting my assistance with obtaining target information from web sites located within my jurisdiction. What these investigators fail to understand is that, under current Canadian law, I am unable to provide them with the necessary information UNLESS their file has either a suspect, or victim, residing in Canada. The same holds true if I am attempting to obtain information from the U.S., or any other country, where a web site might be located. Canada and the U.S. are not the only countries facing this issue. However, all this being said, there IS a way around this process. It’s legal but requires an understanding of the Internet and social engineering. Based upon my experience, in the majority of cases, investigators are simply looking to identify a targets location.


LEEDIT Successes Stories

LEEDIT has been used locally, nationally and internationally to locate:

    • Fugitives

    • Terrorists

    • Pedophiles

    • Homicide suspects

    • Fraud suspects

    • Missing Persons

    • Witnesses

In fact, any type of suspect that is hiding on the Internet and difficult to locate.

After taking this detail instructional course you will be able to create different scenarios, on any type of interactive social media, in order to locate your suspect.


Legal Concerns

There have been some questions regarding the legality of this investigative tool under Bill C-13. If you are currently using a program like ReadNotify then LeedIt is using the very same principles but “on steroids.” Instead of only working with emails LeedIt works in any situation where you can interact with a suspect. LeedIt DOES NOT intercept ANY communication nor is it considered malware. It works on the same principles that every website currently employs.

In particular, the Spencer decision (since over turned) revolved mainly around the use of PIPEDA in order to obtain subscriber information without a proper warrant.

In Spencer, the officers noted a particular IP associated to their suspect which was obtained through the regular “day to day” usage of the Internet. However, these days an IP address (IPA) alone no longer provides any revealing information about a suspect or individual. I have begun to notice that people assumed to be in one location can be using IPA’s from other parts of Canada. During times of heavy Internet usage the ISP’s will “borrow” IPA’s from other cities. In one example, we knew our suspect was in Vancouver but showed an IPA of both Toronto and Winnipeg within 30 minutes of each other. The ONLY thing we can now say with any certainty regarding IPA’s is the associated ISP – not individual, not city, not location.

In Spencer the officers obtained the subscriber information via a PIPEDA request which is what the court had issue with and subsequently dismissed. The court also went on to state that IPA’s are private. The Internet can’t work if IPA’s are private. By design they remain public so that Internet traffic knows where to go.

We currently employ a technique that may capture a person’s IPA. The key is that the suspect has a choice to “click or not to click.” The same way a drug dealer has a choice to sell or not to sell to an under cover officer. Just because we obtain an IP address does not necessarily mean we have a suspect; they could be using a public wifi network, their neighbours insecure wifi, their landlord or friends wifi. A lot of follow up work still needs to be done even after we obtain the subscriber information with a Production Order or Search Warrant.

Once we have that target’s IPA we still know very little about that particular individual. Even if, on the rare occasion I am able to locate information online re that IPA, I can never say that this is my suspect. IPA’s can change within minutes and as stated above others can use the same IPA.

The Internet cannot work if IPA’s were privatized. Certain programs and services will hide your real IP (for example Gmail) but at the end of the day you must reveal your IPA in order to surf the ‘net. All websites capture certain revealing information about a visitor:

    • Date

    • Time

    • IP

    • Device

    • Web browser

    • Page visited

    • Time spent on site / page

    • Item downloaded

    • Image viewed

A common misconception is that the above information will reveal the true identity of an individual. This is not true. What it does reveal are the surfing habits and other bits of information that is useful to marketing companies. The only true way to reveal who is behind a certain IPA is to serve the ISP with the appropriate legal paperwork to obtain the associated subscriber information.

The argument then becomes Transmission Data. Under Bill C-13 we understand Transmission Data to be cell phone data that is captured from cell towers. Nowhere does it mention IPA’s. If Transmission Data becomes an issue then if we trick a suspect into calling us, and we have call display and they reveal their phone number, are we not capturing Transmission Data?


What You Will Need For This Program

Prerequisite: This is an advanced course and it is assumed that the student has an understanding of:

    • Online undercover techniques

    • Social engineering

    • Using social media

    • Create simple Google websites


The student will also be required to have access to:

    • A laptop or desktop – NOT a tablet – running either the Windows or Mac operating system.  Please Note: If you would like to use a MAC you will need to be running a VM program like Parallels. These courses are designed for an “off the shelf PC” – the standard, issued piece of equipment found in all government offices. The best forensic tools run on either Windows or Linux operating systems.
    • Internet Explorer web browser.

    • Be able to install programs (computer Admin access)

    • A Dropbox account – you can create one during the course

    • A Facebook account – you can create one during the course

    • A Twitter account – you can create one during the course


How To Register For This Course

All Cyber Training International courses are available exclusively through the Justice Institute of British Columbia ( jibc.ca ) as part of the School of Criminal Justice & Security, Police Academy – Advanced Police Training. Upon the successful completion of any courses offered, students will receive a JIBC Letter of Completion, sent to their home agency.

Registration is now done directly through the JIBC. Simply fill in the online Registration Form, and click the Submit button.

No personal information is stored on this site.

For more information about these courses please contact either myself or the JIBC Advanced Police Training program manager, Nancy Jolin.

The cost for this course is $157.50 CDN (includes 5% GST) and includes 25 site credits.


Please note, these courses are only offered to Law Enforcement, Government Investigators and Licensed Private Investigators

Credentials WILL be verified before granting access to the course(s)


JIBC / Instructor Expectations

Taking an online course will be considered the same as attending a JIBC classroom.

Students are expected to:

    • Complete each course section
    • Complete each course quiz
    • Complete the final exam / quiz
    • Complete the course on the designated end date specified by the instructor
    • Advise the instructor of any issues that might prevent the student from completing the course by the specified end date

Each student will be provided with:

    • A specified course end date
    • A mid point “friendly reminder”
    • A final week “friendly reminder”
    • Full access to the instructor between the hours of 0800 – 2200 PST. (Full access means that the instructor will return all emailed questions, concerns or comments within 30 minutes of receiving the students email).

Any student who fails to complete the course by the specified end date will:

    • Not receive a JIBC Letter of Completion
    • Not pass the course
    • Not be issued a refund for the course

site stats