Certify unauthorized access to Google, Gmail, Microsoft 365, Facebook and online accounts with IP address, device and geolocation for criminal complaint
When your online account has been compromised – Gmail, Google Drive, Microsoft 365, Facebook, Instagram, iCloud – and you have regained control of the account, it is fundamental to forensically certify the unauthorized access with IP address, device used and attacker’s geolocation before the logs are deleted or become inaccessible. With forensic certification of unauthorized account access, activity logs with hacker’s public IP, precise timestamps, devices used and actions performed are acquired through verifiable technical methodologies and transformed into an opposable, intact, and timestamped evidentiary package, suitable for criminal complaint and compliant with the legal requirements of the European and international regulatory framework.
We certify unauthorized access on any platform: Google/Gmail, Microsoft 365, Facebook, Instagram, Apple iCloud, Amazon, PayPal, Dropbox, LinkedIn. The service can be performed remotely for clients in any European and non-European country, preserving forensic integrity and evidentiary value for criminal proceedings.
Fundamental Prerequisites for Certification
Certification of unauthorized access is possible only if:
- You have regained control of the account (password changed, hacker excluded);
- The activity logs are accessible (activity log, access history, devices used);
- The unauthorized accesses are visible in the logs with IP, date/time, device;
- The logs have not yet been deleted (typically retained 6-12 months).
Important: If the hacker still has control or the logs are not accessible, certification is not technically possible.
Certifiable Platforms and Accounts
📧 Google / Gmail Certification
- Complete activity log: https://myaccount.google.com/device-activity with IP accesses, devices, locations;
- Google Takeout: complete archive Gmail (MBOX), Drive, Calendar, Photos, YouTube, Contacts;
- Gmail activity: emails read, sent, deleted with timestamp and IP;
- Drive activity: files downloaded, modified, shared by hacker;
- Calendar activity: appointments modified/deleted;
- Photos access: photos viewed/downloaded;
- YouTube activity: videos uploaded/deleted, comments;
- Recognized devices: which device the hacker used (model, operating system, browser);
- Active sessions: simultaneous sessions from different IPs (physically impossible).
Technical data acquired: hacker public IP, geolocation (country/city), ISP provider, User Agent, UTC timestamp.
💼 Microsoft 365 / Outlook Certification
- Devices page: https://account.microsoft.com/devices with devices used for access;
- Recent activity: access history with IP and location;
- Outlook activity: emails read/sent from unauthorized IP;
- OneDrive activity: files downloaded, modified, shared;
- Teams activity: chats read, messages sent;
- Office 365 audit log: complete log corporate account activity;
- Sign-in logs: successful/failed access attempts with IP;
- Unusual activity alerts: Microsoft alerts for suspicious access.
Technical data acquired: access IPs, location, device type, browser, apps used, access times.
📱 Facebook / Instagram / Meta Certification
- Where you’re logged in: Facebook/Instagram section with IP, devices, access locations;
- Active sessions: current unauthorized sessions;
- Recognized devices: which device the hacker used;
- Download your information: complete archive account activity (posts, messages, photos, videos, searches);
- Activity log: actions performed by hacker (posts published, messages sent, photos uploaded);
- Login alerts: notifications of suspicious access received;
- Authorized apps: apps connected to account used for access.
Technical data acquired: public IP, approximate city, device type, browser, access timestamps.
🍎 Apple iCloud Certification
- Associated devices: https://appleid.apple.com with devices connected to Apple ID;
- Activity log: recent accesses with IP and location;
- iCloud access: from where iCloud Drive, Photos, Contacts were accessed;
- Find My iPhone activity: Find My usage by hacker;
- iMessage/FaceTime access: messages read/sent;
- Password changes: password change attempts;
- Two-factor notifications: 2FA notifications received for suspicious access.
Technical data acquired: IP, location, device model, iOS version, timestamp.
🛒 Other Certifiable Platforms
- Amazon: Login history with IP, connected devices, unauthorized orders;
- PayPal: IP access history, suspicious transactions, connected devices;
- Dropbox: Security events, downloaded files, linked devices;
- LinkedIn: Where you’re signed in, recent activity, devices;
- Twitter/X: Apps and sessions, login history;
- TikTok: Security and login, devices;
- Spotify: Account overview, recent activity;
- Netflix: Recent device streaming activity.
Request a Quote
We will immediately provide the technical feasibility assessment (prerequisites verification), acquisition modality, execution timeframes and detailed cost estimate. Rapid intervention available for urgent cases (logs at risk of deletion).
Technical Elements Certified for Criminal Complaint
🌐 Hacker’s Public IP Address
The public IP is the fundamental evidentiary element to identify the attacker:
- Complete IP address: e.g. 185.220.101.45, 91.198.174.192;
- Precise timestamp: exact access date and time (UTC);
- IP geolocation: country, region, approximate city (using MaxMind, IPinfo database);
- ISP identification: which internet provider supplies that IP (e.g. Rostelecom Russia, Verizon USA, BT UK);
- Reverse DNS lookup: hostname associated with IP;
- IP reputation: is IP known for malicious activities? Is it a VPN/Proxy/Tor exit node?;
- ASN (Autonomous System Number): ISP network identifier.
Legal use: With public IP, Police can request ISP identify subscriber connection holder at time of access.
📱 Device and User Agent Used
Identification of device used by hacker:
- Device type: smartphone, tablet, desktop/laptop computer;
- Operating system: Windows 10/11, macOS, iOS, Android (specific version);
- Browser used: Chrome, Firefox, Safari, Edge (version);
- User Agent string: complete identificative technical string;
- Device model: iPhone 12, Samsung Galaxy S21, MacBook Pro (when available);
- Screen resolution: display dimensions indication;
- App used: access from official mobile app or web browser.
Evidentiary relevance: Demonstrates hacker device different from victim’s legitimate ones.
⏰ Chronological Access Timeline
Complete temporal reconstruction of the breach:
- First unauthorized access: when hacker entered first time;
- Subsequent accesses: frequency and temporal pattern (every day at 3am? One-time only?);
- Session duration: how long remained connected;
- Actions performed: what was done during each session (read email X, downloaded file Y, sent message Z);
- Last unauthorized access: when hacker lost access;
- Breach discovery: when victim realized;
- Control recovery: when password changed and hacker excluded;
- Temporal overlap: impossible simultaneous accesses (victim in London, hacker in Russia same moment).
🎯 Specific Actions Performed by Hacker
Detailed documentation of abusive activities:
- Emails read: which emails opened and when;
- Emails sent: messages sent from your account (phishing, scams, defamation);
- Emails deleted: evidence destroyed by hacker;
- Files downloaded: documents, photos, videos copied from Drive/OneDrive;
- Files modified/deleted: documents altered or destroyed;
- Files shared: documents made accessible to third parties;
- Posts published: content published on social media from your account;
- Messages sent: chats/DMs sent to contacts;
- Passwords changed: credential modification attempts;
- Settings modified: email forwarding activated, 2FA disabled;
- Purchases made: unauthorized Amazon/PayPal orders.
⚖️ Legitimate IP vs Abusive IP Comparison
Demonstration that accesses come from source different from victim:
- Victim’s usual IP: normal access pattern (e.g. always from 93.45.xxx.xxx BT Fiber London);
- Hacker IP: completely different (e.g. 185.220.xxx.xxx Rostelecom St. Petersburg);
- Geographic pattern: victim always UK, hacker from Russia/Nigeria/Romania;
- Temporal pattern: victim accesses working hours, hacker at night UK time;
- Impossible accesses: simultaneous login from London (victim) and Lagos (hacker) – physically impossible;
- Incongruous devices: victim uses iPhone/Mac, hacker uses Android/Windows;
- Visual map: geographic visualization legitimate vs abusive accesses.
Use Cases: When to Certify Unauthorized Access
📧 Emails Read/Sent Without Authorization
Typical scenario: Hacker accesses Gmail/Outlook, reads confidential emails (contracts, sensitive data, personal communications), sends emails from your account (phishing to contacts, money requests, defamation), deletes emails to hide traces.
What we certify: Gmail/Outlook activity log with highlighted hacker IP, access timestamps, list of emails read/sent/deleted, IP geolocation (e.g. Romania while victim in UK), comparison with victim’s legitimate IP.
Crime: Unauthorized access + possibly interception of communications if emails read.
💾 Files Stolen from Cloud Storage
Typical scenario: Hacker downloads confidential documents from Google Drive/OneDrive/Dropbox (contracts, financial statements, projects, personal photos), shares files with external accounts, deletes documents for sabotage.
What we certify: Drive/OneDrive activity log with download IP, list of downloaded files with timestamp, files shared with whom, any deletions, hacker IP geolocation, device used.
Crime: Unauthorized access + data impairment if files deleted + possible theft of intellectual property.
📱 Social Profile Used for Scams/Defamation
Typical scenario: Hacker accesses Facebook/Instagram, publishes defamatory posts, sends messages to contacts requesting money with excuses (“I’m in trouble, lend me money”), publishes compromising photos/videos.
What we certify: Facebook “Where you’re logged in” with hacker IP, device used, timestamp, “Download your information” with posts/messages sent by hacker, comparison victim IP vs hacker IP.
Crime: Unauthorized access + fraud if money requests + defamation if offensive posts.
🛒 Fraudulent Purchases with E-commerce Account
Typical scenario: Hacker uses compromised Amazon/PayPal account to make unauthorized purchases, changes shipping address, empties PayPal balance.
What we certify: Amazon login history with fraudulent order IP, PayPal transaction history with transaction IP, timestamp, geolocation (order made from foreign IP), order/transaction details.
Crime: Unauthorized access + computer fraud.
💔 Digital Stalking by Ex-Partner
Typical scenario: Ex-partner still knows password (never changed after breakup), regularly accesses Gmail/iCloud to read emails, check Calendar (where you are, with whom), view Google Photos/iCloud Photos, track location via Find My.
What we certify: Gmail/iCloud activity log with suspicious access pattern from ex-partner IP/device, access frequency (every day for months), actions performed (emails read, Calendar viewed, Photos accessed), IP correlation with ex residence.
Crime: Unauthorized access + stalking/harassment.
💼 Corporate Sabotage by Ex-Employee
Typical scenario: Dismissed ex-employee still has access to corporate Microsoft 365 (credentials not revoked), accesses and deletes documents, emails, projects for revenge, downloads confidential data before final exit.
What we certify: Microsoft 365 corporate audit log with ex-employee accesses post-dismissal, access IPs (from ex-employee home, not from office), files deleted/downloaded, actions timeline vs dismissal date.
Crime: Unauthorized access + data impairment + possible violation of trade secrets.
Legal Framework: Unauthorized Access to Computer System
🇬🇧 UK Legislation – Computer Misuse Act 1990
Main offense: Unauthorized access to computer material.
Section 1 – Unauthorized access: A person is guilty if he causes a computer to perform any function with intent to secure access to any program or data held in any computer, knowing the access is unauthorized. Penalty: imprisonment up to 2 years or fine.
Section 2 – Unauthorized access with intent: If unauthorized access is committed with intent to commit or facilitate further offenses. Penalty: imprisonment up to 5 years.
Section 3 – Unauthorized modification: Unauthorized acts causing modification of computer material. Penalty: imprisonment up to 10 years.
🇺🇸 US Legislation – Computer Fraud and Abuse Act (CFAA)
18 U.S.C. § 1030: Fraud and related activity in connection with computers.
Key provisions:
- (a)(2): Intentionally accessing computer without authorization to obtain information;
- (a)(4): Accessing protected computer with intent to defraud;
- (a)(5): Causing damage by knowing transmission.
Penalties: Fines and/or imprisonment up to 10 years (or 20 years for repeat offenses).
🇪🇺 European Directive 2013/40/EU
The Directive 2013/40/EU on attacks against information systems obliges EU Member States to criminalize unauthorized access to computer systems. Each country has implemented with own national criminal provisions.
EU Harmonization: Forensic certification with eIDAS methodology is recognized in all EU States for criminal proceedings relating to unauthorized access.
Evidence Required for Effective Complaint
For an effective criminal complaint, Law Enforcement requires:
- Attacker’s public IP address: fundamental element for identification via ISP;
- Precise access timestamps: exact date/time (UTC) for correlation with ISP logs;
- Demonstration of unauthorized access: comparison victim IP vs hacker IP, physical impossibility of simultaneous access;
- Actions performed: what hacker did (read, downloaded, sent, deleted);
- Damage suffered: damage quantification (stolen data, defamatory emails sent, fraudulent purchases);
- Digital chain of custody: certified forensic acquisition with qualified timestamp to guarantee evidence integrity.
Our forensic certification provides all these elements in suitable format for criminal complaint attachment to Police.
Evidentiary Standards and Technical Compliance
Forensic certification of unauthorized access is based on the following technical and regulatory standards:
- eIDAS Regulation (EU) No. 910/2014: The qualified time stamp crystallizes the moment of log acquisition, preventing contestations about when data was visible.
- GDPR (EU 2016/679): Management of personal data (IP, device info) according to legitimate interest (Art. 6 par. 1 let. f) for defense of legal rights in criminal proceedings;
- ISO/IEC 27037:2012: Guidelines for identification, collection, acquisition and preservation of digital evidence;
- ISO/IEC 27050: E-discovery standard for electronic evidence management;
- RFC 3161 and ETSI EN 319 422: Time stamping standards;
- Cryptographic integrity (SHA-256 hash): Each acquired file has unique digital fingerprint to verify it has not been altered;
- FEDIS Declaration: The FEDIS makes certification admissible in courts according to recognized standards.
Operational Modalities: Unauthorized Access Certification
Certification Process
- Technical prerequisites verification:
- Account recovered by victim? Password changed?
- Activity logs accessible?
- Unauthorized accesses visible in logs with IP?
- Logs not yet deleted?
- If all prerequisites satisfied → we proceed
- Immediate forensic acquisition:
- Guided access (with client credentials) to platform activity log sections;
- Multiple high-resolution screenshots of: complete activity log, accesses with highlighted IP, devices used, actions performed;
- Download complete export when available (Google Takeout, Facebook Download your information, Microsoft data export);
- Acquisition of HTML source log pages;
- Qualified eIDAS timestamp on each acquisition;
- SHA-256 hash calculation of each acquired file;
- In-depth technical analysis:
- IP analysis: geolocation lookup (MaxMind GeoIP2), ISP identification (WHOIS), reverse DNS, IP reputation check (AbuseIPDB, Shodan);
- Device fingerprinting: User Agent analysis, operating system/browser/device model identification;
- Timeline reconstruction: complete chronology first access → actions → last access → recovery;
- Pattern comparison: IP/device/times victim vs hacker to highlight inconsistencies;
- Impossible accesses: identification of physically impossible temporal overlaps;
- Actions performed documentation:
- Extraction list of emails read/sent/deleted with timestamp;
- Extraction files downloaded/modified/deleted from cloud;
- Extraction social posts/messages published/sent;
- Extraction transactions/orders made;
- Cross-reference each action with hacker IP/timestamp;
- Complete technical report:
- Executive summary for Police;
- Detailed IP analysis section;
- Graphical access timeline;
- Geographic map victim IP vs hacker IP;
- List of actions performed with evidence;
- Pattern comparison;
- Technical attachments (screenshots, export, hash);
What You Receive After Certification: The Evidentiary Package for Complaint
- Certified PDF Report for complaint with:
- Executive summary case (who, what, when, where, how);
- High-resolution screenshots activity log with highlighted hacker IP;
- Table unauthorized accesses (date/time UTC, IP, location, device, actions);
- Graphical timeline chronological visualization;
- Geographic map accesses (victim vs hacker);
- Technical IP analysis (geolocation, ISP, reputation);
- Comparison patterns legitimate vs abusive accesses;
- Documentation actions performed by hacker;
- Quantification damage suffered;
- Complete export files (when available):
- Google Takeout complete archive (Gmail MBOX, Drive, Calendar, Photos);
- Facebook “Download your information” archive;
- Microsoft data export;
- Each file with individual SHA-256 hash;
- HTML sources: HTML code acquired activity log pages;
- IP Intelligence Report:
- Detailed hacker IP geolocation (coordinates, city, region, country);
- ISP provider identified with contacts;
- ASN (Autonomous System Number);
- Reverse DNS hostname;
- IP reputation score and abuse reports;
- VPN/Proxy/Tor identification (if applicable);
- Cryptographic fingerprints (SHA-256 hash) of all files according to FEDIS protocol;
- Qualified time stamp compliant with eIDAS/RFC 3161 on each acquisition;
- Forensic technical report: methodology used, tools employed, chain of custody, standards applied;
- Complaint template (optional): pre-filled draft complaint for Police with technical elements already inserted;
- eIDAS qualified electronic signature on final report.
- Certified PDF Report for complaint with:
GDPR Compliance and Personal Data Processing
Activity logs contain personal data (IP addresses, device information) of both victim and attacker. We manage everything in full compliance with GDPR (EU 2016/679):
- Legal basis: Legitimate interest (Art. 6, par. 1, let. f GDPR) for establishment, exercise or defense of a right in judicial proceedings (criminal complaint);
- Data minimization: acquisition only of data strictly necessary for evidentiary purpose;
- Purpose limitation: data used exclusively for certification and subsequent criminal complaint;
- Technical security: data encryption, limited access, operation traceability;
- Limited retention: data retained only for time necessary for procedure + legal obligations;
- Data subject rights: hacker IP is personal data but rights limited by Art. 23 GDPR when processing for establishment of offenses.
When to Activate Unauthorized Access Certification
- if you have regained control of your compromised account (Gmail, Microsoft, Facebook, etc.);
- if in the activity logs you see accesses with unrecognized IP/devices;
- if someone has read your emails, downloaded files, sent messages from your account;
- if your ex-partner still accesses your accounts to monitor you (digital stalking);
- if an ex-employee still uses corporate credentials for sabotage;
- if unauthorized purchases were made with your Amazon/PayPal account;
- if from your account posts/messages were published that you didn’t write;
- if you want to file criminal complaint for unauthorized access and need solid evidence with hacker IP;
- if the activity logs are still accessible (act quickly, they are deleted after 6-12 months!);
- if you must prove in court that someone compromised your account;
- if you need eIDAS-compliant certification for legal evidentiary validity.
Request a Quote
We will immediately provide the feasibility assessment (prerequisites verification), technical acquisition modality, execution timeframes and detailed cost estimate. URGENT 24-48h intervention available for cases with logs at risk of imminent deletion.
Important technical note: Certification is technically possible only if you have regained account control and logs are accessible. In quote phase we evaluate free of charge the technical feasibility of your specific case verifying: platform used, available log types, IP presence in activity log, temporal log retention. If logs not sufficient or already deleted, we inform you immediately before any cost. Express service 24-48h for urgent cases with logs at deletion risk.
