CSC586 Network Forensics
IP Tracing/Domain Name Tracing
In this lesson you will learn:
 What IP address and domain name lookup are and when to use them
 What IP trace is and when to use it
 What IP geolocation is and how to use it
 What a proxy server is
 What fast flux malware is
IP Address Background
IP addresses are managed and created by the Internet Assigned Numbers Authority (IANA).
Large blocks are allocated to one of 5 Regional Internet Registries:
 American Registry for Internet Numbers - ARIN
 RIPE Network Coordination Centre - RIPE NCC
 Asia-Pacific Network Information Centre - APNIC
 Latin American & Caribbean Internet Registry - LACNIC
 African Network Information Centre - AfriNIC
IP Address Background (2)
Public vs. Private IP Addresses
 Public addresses – unique to avoid address conflicts; used on the WAN
 Private addresses – used on the LAN; these are unique only within the scope of the LAN network
Private address ranges:
 10.0.0.0 to 10.255.255.255
 172.16.0.0 to 172.31.255.255
 192.168.0.0 to 192.168.255.255
IP Address Background (3)
3 classes of IP addresses that are typically used:
 Class A – large networks, many devices
 Class B – medium sized networks
 Class C – small networks
IP Address and Domain Name Lookup
What it is
 Web sites allow you to enter an IP address or domain name and return information about who registered the site
How to use it
 Enter the suspect IP address or web site and the registration information will be displayed
IP Address and Domain Name Locators
Forensic use
 Used to identify sites visited
 Registrant information is often made up; it is often necessary to trace credit (payment) information to obtain the real owner
Examples of problems with sites are:
 Domain name squatters
 Typo squatters
 Phishing
 DNS spoofing
Domain Name Locators
Web tools available:
 ARIN
 Sam Spade
 Whois
 RIPE
 Many others
Domain Name Locators
Example
IP Trace
What it is
 The tracert tool can help you figure out the route a packet follows to get from one place to another.
How to use it
 List the fully qualified domain name after the tracert command; the output will list the name and IP address of the destination and of all hops along the way
IP Trace
Forensic use
 Traces the route the packets took
 Route identifies the ISP or a proxy
 Route can also identify the general location of the suspect
IP Trace
Example
IP Trace
Tracing tools available
 Command line:
   Windows (XP, Windows 2000, Vista, Windows NT): tracert, pathping
   Linux, Unix: traceroute
 Online:
   NeoTrace
   Visual Route Lite
IP Geolocators
What it is
 IP geolocators show the location of the gateway of the user's ISP.
How to use it
 Enter the suspect IP address; this will show the location and location details, generally only as far as the ISP gateway of the address
IP Geolocators
Forensic use
 Used to determine a suspect's approximate location
 Used to validate online sales addresses
 Used in banking authentication processes
IP Geolocators
Examples
IP Geolocators
Tools available in different granularities:
 Whois http://cqcounter.com/whois/
 IP_address.com
 Many other tools showcased at www.tracemyspace.com
Proxy Servers
What they are
 Proxy servers service client requests by forwarding the requests to other servers on behalf of the client.
 Used to make web surfing anonymous
 A circumventor is a proxy server that allows access to a blocked web site through an allowed web site.
How to use them
 To mask your IP address and go to a site that your company, school, etc. doesn't allow, go to www.youhide.com and enter the website you want to go to.
Proxy Servers
Forensic use
 When a proxy server is identified in an IP trace, the organization running the server must be issued a subpoena for the user information
 This information can help trace where the user was connecting to
 The information may also provide credit card and password information
Proxy Servers
Example
Proxy Servers
Tools available
 youHide.com
 MySpaceProxy www.fastproxynetwork.com
 Anonymous proxy www.zend2.com
Fast Flux Malware
What it is
 A DNS technique that hides phishing and
malware sites behind compromised hosts
that act as proxies.
How it is used
 Multiple addresses assigned to a fully
qualified domain name
 Usually uses a reverse proxy
 Used for Cyber Crime
Fast Flux Malware
Forensic issues:
 Traditional phishing scams that compromised one or more computer systems were relatively simple to shut down; fast flux networks are not
 One mothership acts as the back end, which makes it easier for criminals to manage and harder for LE (law enforcement) to work through the layers to get to it
 Front end nodes may be spread across multiple continents and time zones, which makes tracking down a malicious web site very difficult
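The defining trait described above (one name answered by many rapidly changing front-end addresses with a short TTL) can be spotted in passive DNS data. The following is an added example written for this lesson, not a tool from the course; the DNS answers and domain names are constructed (documentation address space), and the thresholds and the /16 grouping are assumptions standing in for a real ASN lookup.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of successive DNS answers: (seconds since start, qname, TTL, A records).
# All names and addresses are invented for illustration; none are real indicators.
SAMPLE_ANSWERS = [
    (0,    "shop.example.com",  3600, ["192.0.2.10", "192.0.2.11"]),
    (3600, "shop.example.com",  3600, ["192.0.2.10", "192.0.2.11"]),
    (7200, "shop.example.com",  3600, ["192.0.2.10", "192.0.2.11"]),
    (0,    "login.example.net", 180,  ["198.51.100.5",  "203.0.113.77",  "192.0.2.200"]),
    (180,  "login.example.net", 180,  ["198.51.100.9",  "203.0.113.12",  "192.0.2.201"]),
    (360,  "login.example.net", 180,  ["198.51.100.33", "203.0.113.140", "192.0.2.250"]),
]


def flux_features(answers):
    """Aggregate per-name features: distinct IPs, distinct /16 prefixes, TTLs seen."""
    per_name = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ttls": [], "lookups": 0})
    for _t, name, ttl, ips in answers:
        feat = per_name[name]
        feat["lookups"] += 1
        feat["ttls"].append(ttl)
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            feat["ips"].add(addr)
            # /16 is an assumed, crude stand-in for "different network";
            # a production check would map each address to its ASN instead.
            feat["prefixes"].add(ipaddress.ip_network(f"{addr}/16", strict=False))
    return per_name


def is_fast_flux(feat, max_ttl=300, min_unique_ips=5, min_prefixes=3):
    """Heuristic: short TTL plus many distinct addresses spread over several networks."""
    return (min(feat["ttls"]) <= max_ttl
            and len(feat["ips"]) >= min_unique_ips
            and len(feat["prefixes"]) >= min_prefixes)


def classify(answers):
    """Return {qname: True/False} for every name in the observed answers."""
    return {name: is_fast_flux(feat) for name, feat in flux_features(answers).items()}


if __name__ == "__main__":
    for name, flagged in classify(SAMPLE_ANSWERS).items():
        print(f"{name}: {'possible fast flux' if flagged else 'stable hosting'}")
```

A stable site resolving to the same two addresses with a one-hour TTL is left alone, while the name that hands out nine different addresses across three networks in six minutes is flagged for follow-up.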
Fast Flux Malware
The End