It is very clear how the attacker sent an e-mail with the owner's IP address.

1. Hacker get's connection to owner's wifi (wireless)
2. Hacker receive's internal IP address through DHCP (ex: 192.168.1.102)
3. Hacker send's email
4. E-mail comes from the owner's external ISP provided IP address

That is just how things work.  Another example.

You have a small home network with 3 computers on it.  Your router is set to assign IP's through DHCP.

Computer 1: 192.168.0.1
Computer 2: 192.168.0.2
Computer 3: 192.168.0.3

All of these computer's only have (1) external IP address.  Unless of course you have purchased (3) static IP's from your ISP.

I don't know if I have missed something, but I am sure hoping this is not baffling the experts that have investigated this.

• The source address could have been forged
• The email could have been sent from the computer on that IP address in question without the owners knowledge
• An improperly secured wireless network could have been used
• Inadequate physical access could let someone turn up and plug in a laptop
• The mail could have been sent by the IP address' owner
• The IP address could be running a proxy server or mail relay
• Malware on the PC could allow remote access

There are others, but I wanted to illustrate how without any other evidence there are a lot of possibilities. If you only have the email headers as evidence you investigation will be limited. If the situation is serious enough the computer attached to the IP address from the email could be seized and examined for evidence.

Jimbob

If all you have is the email then analysis of the headers is a good start. This is not an uncommon situation, people often send email from unsecured wifi hotspots, public access computers etc. There's several avenues of investigation.

There's often a wealth of information in an email's headers. It can contain who the email is from, who it was addressed to, which IP address is came from and the route it took. I assume in this case the IP address was in the headers but the owner of said address claims no knowledge of the email being sent. It can get trickier here one but you can look to other headers for additional evidence.

Was the mail sent from a web mail account (gmail, yahoo!, hotmail) or from an email client like Outlook Express? If it came from an email client does the version number in the headers match that installed on a suspect's PC? If a webmail account was used can the provider give up and other IP addresses from which the account was accessed?

Do you believe that someone other than the owner used the wifi connection? Was encryption turned on and if so how likely is it that someone could have cracked the key? Are there any logs on the wireless access point which may provide additional info?

Those are just some thoughts.

Jimbob