How does law enforcement figure out who was using a computer to commit cybercrime?

Suppose that the feds were able to track down cybercrime (such as carrying out hacking operations, or viewing illegal porn, or hosting illegal content) to a particular computer at a particular location - but there were multiple people living there using the same computer - how do they figure out who to charge with the crime?

Say it’s three housemates, Bob, David and Alex, who’ve all been using the same computer. Do the feds charge them all? The usual investigation methods, such as dusting a crime tool for fingerprints, etc. wouldn’t apply here since there was no question of who used the computer, it’s just who used it to do what.

IANAL but as I understand the burden of proof is on the legal owner of the computer to show it wasn’t them, in practice if not actually by the letter of the law. Similarly if a car was used in a crime, assuming it wasn’t very obviously stolen, then the cops are going to start with the assumption it was the owner of the car who committed the crime unless they can convince them otherwise.

If the shared computer still has distinct user accounts for the users, the user logged into the machine at the time of the activities being investigated becomes the focus of the investigation at the moment. Of course, “the other guys know my password” becomes an impediment (as does having a single shared login on the machine).

I doubt computer forensics would be useful in isolating a subject at that point. (Although other use patterns in the same login session may be an indicator, like accessing a bank account accessible to only one user.)

I suspect investigators can always fall back on conventional techniques like “sweat 'em all until one fesses or the other two implicate”.

IANAL, but I did do computer forensics for some years, so I’ll toss in an observation.

Remember that evidence is offered for the purpose of prosecution (or for a civil matter) and it is seldom absolutely clear-cut and unequivocal. The jury or judge may choose to rely on THIS evidence and not on THAT evidence. The prosecution may offer evidence that Joe Smith’s computer was used to steal money on this date, which the jury or judge may choose to believe or not. But they are probably also going to make sure there is evidence that Joe Blow had access to the computer at that time, that he personally derived some benefit from the theft, that nobody else had access to the computer, and so forth.

This is comparable to the hokey scenes in TV shows where the police assume that Joe killed this person simply because HIS gun was used. Nope. They need to go on to try to prove that he had some sort of motive, that he had the opportunity, etc.

If nothing else, you could argue that the legal owner of the computer enabled the crime, by allowing the criminal access to the computer. That’s probably enough to make some lesser charge stick, which could be enough leverage to get useful testimony.

Likewise for the “my roommate knows my password” defense.

And it’s not like this is a problem unique to computers, either. You could have had a similar situation a century ago, with the police finding illegal materials in a house, and having to determine what resident of the house was responsible.

First, for most people today, computers basically are personal. Even housemates rarely share laptops and the average number of people using a particular smartphone regularly is probably 1.00. I’m guessing people who want to conceal their criminal activity don’t want their housemates to know about it, for obvious reasons, so they are probably less likely than average to share their computers.

You also assume that the only evidence that prosecutors have of the crime is that they’ve tied it to a particular computer. That’s not the way real prosecutions work. In the real world, they will know that the computer downloaded the kiddie porn, that it was obtained from BabyRaperBill, that BabyRaperBill is a contact in David’s phone, that David and BabyRaperBill spoke at least three times before the download, and that the stuff was downloaded overwhelmingly when Bob was at work and Alex was travelling abroad.

Are there cases where the prosecutors don’t have all that information? Not often. With some frequency there are investigations where police don’t have all that information but those don’t always develop into prosecutions.

In criminal court, the burden of proof has to be met by the government; the defendant needn’t prove anything.

Tired_and_Cranky is correct.

You also need to remember that the accused is going to have a defense. As an expert witness, I often worked for the defense. I might receive an image of the computer drive and be asked, “Was the computer ever accessed at a time when the defendant couldn’t possibly have been using it?” This is a pretty common defense strategy. If the defense can present evidence that, for WHATEVER reason, the computer or account was sometimes used by a party(ies) other than the defendant, that’s a big point in his/her favor. Juries usually give that a lot of weight.

IANAL: Near as I can tell an IP address can be sufficient for a warrant but not sufficient to convict someone by itself.

Many attorneys have tried to come to court with a list of IP addresses and attempt to convict people of crimes or wrongdoing. Judge Ungaro dismissed a lawsuit in March 2014 by Malibu Media saying that IP addresses cannot identify the individual. Judge Gary Brown of the U.S. District Court for the Eastern District of New York made a similar ruling in 2012. Essentially an IP address alone cannot be used to convict an individual in court.

IP Addresses as Clues

Though IP addresses alone cannot identify and convict a criminal, law enforcement can use them successfully as clues for locating and building a case against criminals. Alone, they are not enough evidence, but they can lead to the discovery of evidence and be used in conjunction with other evidence. Law enforcement has successfully used social media websites, Craigslist and other internet venues to track down and stop criminal activity. An IP address is just one clue that can be used to track and identify crimes. SOURCE

Unless a particular individual who uses a shared computer for not-legal stuff is extremely good at opsec and never uses any other internet connected devices, there will be tons of evidence.

Like, they’ll be able to show that just before and/or after the illegal stuff was done, the facebook page, or email account, or any of hundreds of other user-identifiable data was accessed from the shared computer, and also was accessed from the phone and other devices of one person who used the shared computer, at times and places when the other users could not have been accessing it.

“My roommate knows my computer password” is one thing. “My roommate habitually posts to my facebook account and responds to emails and buys stuff from my amazon account and watches part-episodes of the show I’m watching on Netflix on my shared computer” is… let’s say a poor quality defense.
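The two checks described in the posts above (was the machine used when a given person could not have been there, and which identity-bearing accounts were active on it around the same time), sketched as an added example that is not part of any post in this thread. All timestamps, absence windows and the 30-minute window are constructed for illustration; the names are the thread's hypothetical housemates.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.fromisoformat(s)

# Constructed sample data: times of the activity under investigation.
FLAGGED = [ts("2024-03-04T14:10"), ts("2024-03-06T23:30")]

# Constructed: logins to personal accounts observed on the shared computer.
ACCOUNT_ACTIVITY = [
    (ts("2024-03-04T14:02"), "David"),
    (ts("2024-03-04T14:25"), "David"),
    (ts("2024-03-06T19:00"), "Alex"),
]

# Constructed: independently documented absences (work records, travel).
AWAY = {
    "Bob": [(ts("2024-03-04T09:00"), ts("2024-03-04T17:30"))],
    "Alex": [(ts("2024-03-01T00:00"), ts("2024-03-05T12:00"))],
    "David": [],
}

def could_be_present(person, when, away=AWAY):
    """False if a documented absence covers the moment in question."""
    return not any(start <= when <= end for start, end in away.get(person, []))

def nearby_accounts(when, activity=ACCOUNT_ACTIVITY,
                    window=timedelta(minutes=30)):
    """Owners of personal accounts used on the machine within the window."""
    return sorted({who for t, who in activity if abs(t - when) <= window})

def assess(flagged=FLAGGED, people=("Bob", "David", "Alex")):
    """One row per flagged event: who is not excluded, who was signed in."""
    return [
        {
            "time": when,
            "not_excluded": [p for p in people if could_be_present(p, when)],
            "accounts_nearby": nearby_accounts(when),
        }
        for when in flagged
    ]

if __name__ == "__main__":
    for row in assess():
        print(row["time"], row["not_excluded"], row["accounts_nearby"])
```

The second flagged event shows the inconclusive case: nobody is excluded and no personal account was active nearby, so the timeline alone points at no one.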

In the case of Ross Ulbricht, the creator of Silk Road, they went to considerable effort to arrest him while he was actually logged in to his computer. That was mostly because they didn’t want him to be able to delete or encrypt the data, but it also gave them direct evidence that he was the person running the site.

Someone told me this is why they rarely go after the individuals who download pirated movies and songs to watch and usually just go after the sites pirating them.

One, it is just too difficult to figure out who it actually is downloading the pirated material.

Second, there is a shortage of qualified tech personnel so law enforcement end up assigned to more serious crimes like child pornography and cyber-terrorism and their bosses don’t want them wasting time tracking down some guy who downloaded UFC’s last PPV.

Businesses tend to pay more than the government and they will hire tech personnel to hunt these people so they can sue them (see the Record Industry Association of America diligently suing anyone they could get their mitts on who dared download an MP3 song). Although I think you are right and they have switched targets to bigger fish than Joe Downloader.