
CSC586 Network Forensics

IP Tracing/Domain Name Tracing. CSC586 Network Forensics. In this lesson you will learn: what IP address and domain name lookup are and when to use them; what IP trace is and when to use it; what IP geolocation is and how to use it; what a proxy server is.





Presentation Transcript


  1. IP Tracing/Domain Name Tracing
  CSC586 Network Forensics

  2. IP Tracing/Domain Name Tracing
  In this lesson you will learn:
  • What IP address and domain name lookup are and when to use them
  • What IP trace is and when to use it
  • What IP geolocation is and how to use it
  • What a proxy server is
  • What fast flux malware is

  3. IP Address Background
  • IP addresses are managed and created by the Internet Assigned Numbers Authority (IANA)
  • Large blocks are allocated to one of 5 Regional Internet Registries:
    • American Registry for Internet Numbers - ARIN
    • RIPE Network Coordination Centre - RIPE NCC
    • Asia-Pacific Network Information Centre - APNIC
    • Latin American & Caribbean Internet Registry - LACNIC
    • African Network Information Centre - AfriNIC

  4. IP Address Background (2)
  • Public vs. private IP addresses
  • Public addresses – unique, to avoid address conflicts; used on the WAN
  • Private addresses – used on the LAN; unique only within the scope of that LAN
  • Private address ranges:
    10.0.0.0 to 10.255.255.255
    172.16.0.0 to 172.31.255.255
    192.168.0.0 to 192.168.255.255

  5. IP Address Background (3)
  3 classes of IP addresses that are typically used:
  • Class A – large networks, many devices
  • Class B – medium-sized networks
  • Class C – small networks

  6. IP Address and Domain Name Lookup
  What it is
  • Web sites allow you to enter an IP address or domain name and return information about who registered it
  How to use it
  • Enter the suspect IP address or web site and the registration information will be displayed

  7. IP Address and Domain Name Locators
  Forensic use
  • Used to identify sites visited
  • Registrant information is often made up; it is often necessary to trace credit info to obtain the owner
  Examples of problems with sites are:
  • Domain name squatters
  • Typo squatters
  • Phishing
  • DNS spoofing

  8. Domain Name Locators
  Web tools available:
  • ARIN
  • Sam Spade
  • Whois
  • RIPE
  • Many others

  9. Domain Name Locators Example
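The web lookup tools on slides 6 to 8 front the same WHOIS protocol that the RIRs on slide 3 run themselves. The following is an added example, not part of the deck: a minimal WHOIS client that starts at IANA and follows its referral to the registry that holds the block, plus a parser for the key/value reply. Server names are the real public ones; the query address is a documentation placeholder.

```python
import re
import socket

IANA_WHOIS = "whois.iana.org"  # root of the delegation chain: IANA refers you to the owning RIR


def whois_query(query: str, server: str, timeout: float = 10.0) -> str:
    """Send one raw WHOIS request (RFC 3912: query text + CRLF on TCP port 43) and return the reply."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # server closes the connection when the answer is complete
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> dict:
    """Reduce a reply to lower-cased 'key: value' fields; the first value wins when a key repeats.
    Comment lines (% or #) and free text without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("%", "#")):
            continue
        m = re.match(r"^\s*([A-Za-z][\w /-]*?):\s*(.*)$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2).strip())
    return fields


def whois_lookup(query: str, max_referrals: int = 4) -> dict:
    """Start at IANA and follow 'refer:' (IP blocks) or 'whois:' (TLDs) lines to the responsible server."""
    server, fields = IANA_WHOIS, {}
    for _ in range(max_referrals):  # bound the chain so a referral loop cannot run forever
        fields = parse_whois(whois_query(query, server))
        nxt = fields.get("refer") or fields.get("whois")
        if not nxt or nxt == server:
            break
        server = nxt
    fields["_answered_by"] = server
    return fields


if __name__ == "__main__":
    # Needs network access. 192.0.2.1 is an RFC 5737 documentation address used as a harmless placeholder.
    for key, value in whois_lookup("192.0.2.1").items():
        print(f"{key}: {value}")
```

Registrant and contact fields returned this way are exactly the data slide 7 warns are often fabricated, so treat them as a lead to corroborate, not as an identification.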

  10. IP Trace
  What it is
  • The tracert tool can help you figure out the route a packet follows to get from one place to another.
  How to use it
  • List the fully qualified domain name after the tracert command; the output will list the name and IP address of the destination and of every hop along the way

  11. IP Trace
  Forensic use
  • Traces the route the packets took
  • The route identifies the ISP or proxy
  • The route can also identify the general location of the suspect

  12. IP Trace Example

  13. IP Trace
  Tracing tools available
  • Command line:
    • XP, Windows 2000, Vista: tracert
    • Windows NT: tracert, pathping
    • Linux, Unix: traceroute
  • Online:
    • NeoTrace
    • Visual Route Lite
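Slides 10 to 13 describe reading tracert output by hand; slide 4 gives the private ranges that mark which hops are still inside the local network. This added example (not from the deck) parses constructed Windows tracert output into hops, flags RFC 1918 addresses using the slide's own ranges, and picks out the first public hop, which is the ISP-side point that whois and geolocation can actually place. The addresses are RFC 5737 documentation space and the host name is made up.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# The private ranges from slide 4 (RFC 1918), checked explicitly: ipaddress.is_private would also
# flag the RFC 5737 documentation addresses that the constructed sample below uses as "public".
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_private(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_RANGES)


@dataclass
class Hop:
    number: int
    name: Optional[str]  # reverse-DNS name, when tracert printed one
    ip: Optional[str]    # None when every probe timed out
    private: bool


def parse_tracert(output: str) -> List[Hop]:
    """Parse Windows tracert output into hops; header, blank and 'Trace complete.' lines are skipped."""
    hops = []
    for line in output.splitlines():
        m = re.match(r"^\s*(\d+)\s+(.*\S)\s*$", line)
        if not m:
            continue
        num, rest = int(m.group(1)), m.group(2)
        ips = IP_RE.findall(rest)
        if not ips:  # "Request timed out." on all three probes
            hops.append(Hop(num, None, None, False))
            continue
        ip = ips[-1]  # the address is the last field on the line
        name = re.search(r"(\S+)\s+\[" + re.escape(ip) + r"\]", rest)
        hops.append(Hop(num, name.group(1) if name else None, ip, is_private(ip)))
    return hops


def first_public_hop(hops: List[Hop]) -> Optional[Hop]:
    """First hop outside RFC 1918 space: the ISP-side gateway that whois and geolocation can place."""
    return next((h for h in hops if h.ip and not h.private), None)


# Constructed tracert output (RFC 5737 documentation addresses; gw.isp.example is a made-up name).
SAMPLE_TRACERT = """Tracing route to www.example.test [198.51.100.7]
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     9 ms     8 ms     9 ms  10.20.0.1
  3    12 ms    11 ms    12 ms  gw.isp.example [203.0.113.1]
  4     *        *        *     Request timed out.
  5    30 ms    29 ms    31 ms  198.51.100.7
Trace complete."""
```

Hops 1 and 2 of the sample are private and therefore tell an investigator nothing about the suspect's ISP; hop 3 is the first address a registry lookup can attribute.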

  14. IP Geolocators
  What it is
  • IP geolocators show the location of the gateway of the user's ISP.
  How to use it
  • Enter the suspect IP address; this will show the location and location details, generally only as far as the ISP gateway for that address

  15. IP Geolocators
  Forensic use
  • Used to determine a suspect's approximate location
  • Used to validate online sales addresses
  • Used in banking authentication processes

  16. IP Geolocators Examples

  17. IP Geolocators
  • Tools available in different granularities
  • Whois http://cqcounter.com/whois/
  • IP_address.com
  • Many other tools showcased at www.tracemyspace.com

  18. Proxy Servers
  What they are
  • Proxy servers service client requests by forwarding requests to other servers on behalf of the client.
  • Used to make web surfing anonymous
  • A circumventor is a proxy server that allows access to a blocked web site through an allowed web site.
  How to use them
  • To mask your IP address and go to a site that your company, school, etc. doesn't allow, go to www.youhide.com and enter the website you want to go to.

  19. Proxy Servers
  Forensic use
  • When a proxy server is identified in an IP trace, the organization operating the server must be issued a subpoena for the user information
  • This information can help trace where the user was connecting to
  • The information may also provide credit card and password information

  20. Proxy Servers Example

  21. Proxy Servers
  Tools available
  • youHide.com
  • MySpaceProxy www.fastproxynetwork.com
  • Anonymous proxy www.zend2.com

  22. Fast Flux Malware
  What it is
  • A DNS technique that hides phishing and malware sites behind compromised hosts that act as proxies.
  How it is used
  • Multiple addresses are assigned to a fully qualified domain name
  • Usually uses a reverse proxy
  • Used for cyber crime

  23. Fast Flux Malware
  Forensic issues:
  • Traditional phishing scams that compromised one or more computer systems were relatively simple to shut down; fast flux is not
  • One mothership acts as the back end, which makes it easier for criminals to manage and harder for law enforcement (LE) to work through the layers to reach it
  • Front-end nodes may be spread across multiple continents and time zones, which makes tracking down a malicious web site very difficult
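Slides 22 and 23 describe the observable side effect of fast flux: one name keeps answering with many changing addresses from unrelated networks, each with a short TTL. The following added example (not from the deck) turns that description into a detection heuristic over constructed lookup data. The thresholds are illustrative assumptions, not a published standard, and distinct /16 prefixes stand in for network diversity because an offline example cannot map addresses to ASNs.

```python
import ipaddress
from typing import Dict, List, NamedTuple


class Lookup(NamedTuple):
    """One observed DNS answer for the suspect name: the A-record TTL and the addresses returned."""
    ttl: int
    addrs: List[str]


def analyse(lookups: List[Lookup]) -> Dict[str, int]:
    """Summarise how the answers for one name behave over repeated lookups."""
    ips = {ip for lk in lookups for ip in lk.addrs}
    # Distinct /16 prefixes approximate network diversity; offline we cannot map IPs to ASNs.
    prefixes = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in ips}
    changes = sum(1 for a, b in zip(lookups, lookups[1:]) if set(a.addrs) != set(b.addrs))
    return {
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min(lk.ttl for lk in lookups),
        "answer_changes": changes,
    }


def looks_fast_flux(stats: Dict[str, int], min_ips: int = 10, min_prefixes: int = 5, max_ttl: int = 300) -> bool:
    """Illustrative thresholds: many addresses, spread over many networks, with short TTLs so the
    answer keeps rotating. A CDN also uses short TTLs, but from a few networks, so it is not flagged."""
    return (stats["distinct_ips"] >= min_ips
            and stats["distinct_prefixes"] >= min_prefixes
            and stats["min_ttl"] <= max_ttl)


# Constructed data (addresses taken from 100.64.0.0/10 so they are not anyone's real hosts).
# Flux-like: every answer returns five new hosts from five different /16s, TTL 180 s.
FLUX_LOOKUPS = [
    Lookup(180, [f"100.{64 + 5 * i + j}.{i}.{j + 1}" for j in range(5)]) for i in range(5)
]
# CDN-like: the same four hosts in two networks, rotated in order, TTL 60 s.
CDN_HOSTS = ["100.100.1.1", "100.100.1.2", "100.101.1.1", "100.101.1.2"]
CDN_LOOKUPS = [Lookup(60, CDN_HOSTS[i:] + CDN_HOSTS[:i]) for i in range(4)]


if __name__ == "__main__":
    for label, lookups in (("flux-like", FLUX_LOOKUPS), ("cdn-like", CDN_LOOKUPS)):
        stats = analyse(lookups)
        print(label, stats, "-> fast flux?", looks_fast_flux(stats))
```

In practice the lookups would come from passive DNS or repeated resolver queries over hours, and the front-end addresses found this way are the compromised proxies of slide 22, not the mothership itself.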

  24. Fast Flux Malware
  The End
