The following is an excerpt from the book Investigating Internet Crimes: An Introduction to Solving Crimes in Cyberspace written by Todd G. Shipley and Art Bowker and published by Syngress. This section from chapter 8 discusses tracing IP addresses through the Internet, including the online tools used for tracing IP addresses, available Internet tools, and finding the geolocation of an IP address.
Tracing IP addresses
Internet Protocol (IP) addresses provide the basis for online communication, allowing devices to interface and communicate with one another as they are connected to the Internet. As was noted in Chapter 3, IP addresses provide investigators a trail to discover and follow, which hopefully leads to the person(s) responsible for some online malfeasance. In Chapter 5 and 6, we discussed different tools that investigators can use to examine various parts of the Internet, including identifying the owners of domains and IP addresses. In this chapter, we are going to discuss tracing an IP address and the investigative advantages of this process. We have covered the tools to help us trace IP addresses in previous chapters, but here we want to walk through the process of identifying the IP to trace and who is behind that address.
Online tools for tracing an IP address
Investigating Internet Crimes: An Introduction to Solving Crimes in Cyberspace
Learn more about Investigating Internet Crimes: An Introduction to Solving Crimes in Cyberspace from publisher Syngress.
At checkout, use discount code PBTY14 for 25% off
Tracing IP addresses and domains is a fundamental skill for any Internet investigator. There are many resources available on the Internet to assist in this process. Of primary importance are the entities responsible for the addressing system, namely, the Internet Assigned Number Authority (IANA) and its subordinate bodies the Regional Internet Registries (RIR). In addition to IANA and RIR, there are a multitude of other independent online resources that can assist the investigator in conducting basic IP identification.
IANA and RIR
Starting at the top is IANA. According to their website they are ". . .responsible for the global coordination of the DNS Root, IP addressing and other Internet protocol resources." What this means to the investigator is that they manage and assign the top level domains, that is, .com, org, mil, edu. (see Table 3.6 for additional examples) and coordinate the IP addresses and their allocation to the RIR. IANA established the RIR to allocate IP address in geographical regions. The RIR system evolved over time, eventually dividing the world into the following five regions:
- African Network Information Centre (AfriNIC) for Africa, http://www.afrinic.net/
- American Registry for Internet Numbers (ARIN) for the United States, Canada, several parts of the Caribbean region, and Antarctica, https://www.arin.net/
- Asia-Pacific Network Information Centre (APNIC) for Asia, Australia, New Zealand, and neighboring countries, http://www.apnic.net/
- Latin America and Caribbean Network Information Centre (LACNIC) for Latin America and parts of the Caribbean region, http://www.lacnic.net/en/web/lacnic/inicio
- Réseaux IP Européens Network Coordination Centre (RIPE NCC) for Europe, Russia, http://http://www.ripe.net/
Each site has a search "Whois" function that allows the investigator to identify IP registration information. IANA and the RIR are the official registrars and owners of the domain records and IP addresses. An investigator wishing to verify the owner of an IP can use the RIR to locate the records.
Internet commercial and freeware tools
There are also many Internet sites to look up IP and Domain registrations. Some provide the basic registration information and other sites combine additional tools that enable the investigator to identify an IP's physical location. The following websites, mentioned in Chapter 6, are easily accessible from the Vere Software Internet Investigators Toolbar, and are important utilities for the investigator:
DNS Stuff (http://www.dnsstuff.com/tools/tools): This website has been around for a number of years. It offers both free and pay options for assisting in IP addresses identification and other online information.
Network-Tools.com (http://network-tools.com): Another website with a simple user interface to assist in IP tracing.
CentralOps.net (http://centralops.net/co/): This is another website that assists with your IP tracing. One of its features, Domain Dossier, does multiple lookups on an IP address or domain.
In some circumstances, the investigator may look up a domain or and IP address with these commercial tools and find the address concealed by the commercial registrar. In these cases, the investigator may need to go to the commercial registrar's site and use the Whois search located there to determine the domain registration records. Each of the mentioned websites presents the domain registration information in a slightly different manner and may have additional tools useful to the investigator. Experience with each will provide the investigator with a better understanding of each site's features.
Geolocation of an IP address
Read the full excerpt
Download the PDF of chapter 8 to learn more!
Geolocation in general refers to the identification of the real geographical area of an electronic device, such as a cell phone, IP addresses, WiFi, and MAC addresses. Now that being said that does not mean an IP address can be traced directly to a house. Geolocation particularly for IP addresses is not an exact science. Unlike cell phones that can be traced via their GPS coordinates or cell tower triangulation, IP addresses use a common database of address locations maintained by different companies. One of the most commonly used databases is maintained by Maxmind, Inc. which can be found at www.maxmind.com. Maxmind provides a free service to geolocate an IP address to a state or city. Purchasing their services can give the Internet investigator access to a more precise location, up to and including physical addresses. There are other online services that provide geolocation identification of IP addresses such as IP2Location.com. Some investigative tools, such as Vere Software's WebCase, include access to the Maxmind database as a feature of its domain lookup. On Maxmind's website you can use their demo function to identify an IP addresses location. An example of a Maxmind search for the geolocation of IP address 126.96.36.199 is shown in Figure 8.1.
Along with identifying the geolocation of the address as Scottsdale, Arizona, website provides the latitude and longitude based on this location and the Internet Service Provider (ISP) hosting the IP address, in this case GoDaddy.com LLC.
About the authors:
Todd G. Shipley is a retired Detective Sergeant with over 30 years of law enforcement and civilian experience performing and teaching Internet and digital forensic investigations, speaking internationally, has authored books and articles in the field and holds the Patent for Online Evidence Collection.
Art Bowker (@Computerpo) has over 28 years' experience in law enforcement and corrections. His first book, The Cybercrime Handbook for Community Corrections: Managing Risk in the 21st Century, describes the process of supervising cyber-offenders. Bowker cowrote his second book, Investigating Internet Crimes, 1st Edition: An Introduction to Solving Crimes in Cyberspace, with Todd Shipley. His second book provides step-by-step instructions for investigating Internet crimes, including locating, interpreting, understanding, collecting, and documenting online electronic evidence to benefit investigations. Besides his two books he has written numerous law enforcement and corrections articles published by Perspectives, an American Probation and Parole Association (APPA) publication , Federal Probation, and the FBI Law Enforcement Bulletin. On January 14, 2013, Bowker was awarded the APPA Sam Houston State University Award, for work in promoting awareness and knowledge of cybercrime and tools to combat such crimes in the field of community corrections. On November 22, 2013, he was recognized by the Federal Probation and Pretrial Officers Association (FPPOA) with their top honor, the Richard F. Doyle Award, for having made the most significant achievement in, or contribution to, the Federal Probation & Pretrial Services System or the broader field of corrections. Additionally, Bowker received the Thomas E. Gahl, Line Officer of the Year Award (Great Lakes Region Award), which is named in honor of the only U.S. Probation Officer killed in the line of duty. Both awards centered on his contributions and efforts in managing cybercrime risk.
Dig Deeper on Web Server Threats and Countermeasures