CSC586 Network Forensics IP Tracing/Domain Name Tracing IP Tracing/ Domain Name Tracing In this lesson you will learn: What IP address and domain name look up are and when to use them What IP trace is and when to use it What IP geolocation is and how to use it What a Proxy server is What fast flux malware is IP Address Background IP addresses are managed and created by the Internet Assigned Numbers Authority (IANA) Large blocks are allocated to one of 5 Regional Internet Registries : American Registry for Internet Numbers - ARIN, RIPE Network Coordination Centre - RIPE NCC, Asia-Pacific Network Information Centre - APNIC, Latin American & Caribbean Internet Registry - LACNIC African Network Information Centre - AfriNIC IP Address Background (2) Public vs. Private IP Addresses Public addresses – unique to avoid address conflicts -used on the WAN Private addresses – used on the LAN these are unique within the scope of the LAN network Private address Ranges: 10.0.0.0 to 10.255.255.255 172.16.0.0 to 172.31.255.255 192.168.0.0 to 192.168.255.255 IP Address Background (3) 3 Classes of IP addresses that are typically used: Class A – large networks many devices Class B – medium sized networks Class C – small networks IP Address and Domain Name Lookup What it is Web sites allow you to enter the IP address, or domain name and return information about who registered the site How to use it Enter the suspect IP address or web site and the registration information will be displayed IP Address and Domain Name Locators Forensic use Used to identify sites visited Registrant information is often made up, it is often necessary to trace credit info to obtain the owner Examples of problems with sites are Domain Name Squatters Typo Squatters Phishing DNS Spoofing Domain Name Locators Web tools available: ARIN Sam Spade Whois RIPE Many others Domain Name Locators Example IP Trace What it is tracert tool can help you figure out the route a packet follows to get from one place or another. How to use it List the fully qualified domain name after the tracert command, the output will list the name and IP address of the destination and all hops along the way IP Trace Forensic use Traces the route the packets took Route identifies ISP or Proxy Route also can identify general location of suspect IP Trace Example IP Trace Tracing tools available Command line: XP, Windows 2000, Vista, Windows NT tracert Tracert, pathping Linux, Unix traceroute On Line: NeoTrace Visual Route Lite CSC586 Network Forensics IP Geolocators What it is IP geolocators show the location of the gateway of the users ISP. How to use it Enter the suspect IP address, this will show the location, and location details generally up to the ISP gateway of the address IP Geolocators Forensic Use Used to determine a suspects approximate location Used to validate online sales addresses Banking authentication process IP Geolocators Examples IP Geolocators Tools available in different granularities Whois http://cqcounter.com/whois/ IP_address.com Many other tools showcased at www.tracemyspace.com CSC586 Network Forensics Proxy Severs What they are Proxy servers service client requests by forwarding requests to other servers on behalf of the client. Used to make web surfing anonymous A circumventor is a proxy server that allow access to a blocked web site through an allowed web site. How to use them To mask your IP address and go to a site that your company, school, etc. doesn't allow go to www.youhide.com and enter the website you want to go to. Proxy Severs Forensic Use When a proxy server is identified in an IP trace the Server organization must be issued a subpoena for the user information This information can help trace where the user was conecting to Information may also provide credit card and password information Proxy Severs Example Proxy Servers Tools available youHide.com MySpaceProxy www.fastproxynetwork.com Anonymous proxy www.zend2.com Fast Flux Malware What it is A DNS technique that hides phishing and malware sites behind compromised hosts that act as proxies. How it is used Multiple addresses assigned to a fully qualified domain name Usually uses a reverse proxy Used for Cyber Crime Fast Flux Malware Forensic issues: Traditional phishing scams that compromised one or more computer systems was relatively simple to shut down this is not One mothership acts as the back end which makes it easier for criminals to manage and harder for LE to muddle through the layers to get to it Front end nodes may be spread across multiple continents, and time zones which make tracking down a malicious web site very difficult Fast Flux Malware The End