Posts Tagged ‘Gary Kessler’

Tracing IP Addresses: Q&A

Friday, February 18th, 2011

We were very pleased to welcome back Dr. Gary Kessler to our “Online Investigations Basics” webinar series this week. Once again Dr. Kessler discussed some of the background and tools relevant to tracing IP addresses. Below is his companion presentation:

During the session, we took several questions from some of our listeners. One person asked whether tracing IP addresses overseas was any different from tracing them domestically. Answer: not technically; the overall process remains the same, but whether American investigators can secure foreign cooperation is a different question. The best bet is for investigators to contact legal representatives in American embassies for help dealing with law enforcement in another country.

Another participant asked whether TCP/IP packets would provide information on what kind of device accessed the Internet; in a related question, someone else asked if MAC addresses from two devices could show that they had been communicating with one another.

By themselves, packets contain no information on the type of device communicating. A device or router is needed to show where an IP address was assigned; the same is true for tracing IP addresses past a private network. And as for MAC addresses, they have only local relevance, not end-to-end applicability.

We wished we could have gotten into more detail about this question: the biggest challenges with tracing IP addresses in the cloud. As the load of traffic increases, and IPv4 addresses diminish (before IPv6 takes hold), more ISPs will begin to allow shared IP addresses. On the flip side, multiple IP addresses will be resolved to single devices.

Again, we’re grateful to Dr. Kessler for taking the time to help educate the community on a complex issue. Have questions? Please contact us. And we’d love to see you at our future “Online Investigations Basics” webinars. In another few weeks, Cynthia Navarro will be talking about online sources of information. We hope you’ll join us!

Our Online Investigations Basics webinar series is back!

Thursday, February 3rd, 2011

We’re excited to announce the return of our popular, free “Online Investigations Basics” webinar series! Designed to help investigators maximize their online evidence collection skills, the monthly webinars will feature investigative techniques and issues such as:

  • Tracing IP Addresses
  • Online Sources of Information
  • Online Identity Theft Investigations
  • Internet Relay Chat (IRC) Investigations
  • Investigating Social Media

The webinar series builds on the original series, offered in the fall of 2009, by offering both new courses and updated content from some returning instructors as well as new voices. Established experts in their fields, the Online Investigations Basics instructors will take questions from, and interact with, webinar attendees during a structured Q&A period within each 60-minute presentation. The webinars are meant for investigators from all sectors: law enforcement, corporate and independent.

In addition, we’ll continue to provide our monthly WebCase webinars, which allow investigators to get to know our software when they can’t attend our on-site training.

The first Online Investigations Basics webinar is Thursday, February 17. Dr. Gary Kessler of Gary Kessler & Associates will present “Tracing IP Addresses,” in which he will introduce concepts about the TCP/IP suite, the Internet, IP addressing and domain names, and the administration of Internet names and numbers. He will also demonstrate tools to support IP tracing.

Want to know more? Sign up today!

Tracing IP Addresses: Some Background

Wednesday, October 14th, 2009
Tools like traceroute show the many data packet paths across the Internet.


Everyone uses the Internet, says Gary Kessler, instructor of the upcoming “Tracing IP Addresses” webinar, but few people understand how it actually works. And while investigators don’t need to know how the telephone system works to get a warrant for phone records or even wiretapping, the Internet is far more complex, but far more accessible to the investigator.

“Computer forensics starts ‘under the hood’,” he explains. The investigator must know about file allocation tables, storage space on a hard drive or other digital device, and so forth, before being able to use the appropriate tool to recover evidence.

And because the Internet figures into so many forensic examinations—those involving child pornography, cyber bullying and harassment, etc.—it is one of the working parts “under the hood.” “No longer are there standalone computers,” says Kessler, “so conducting online investigations involves the application of some forensic principles.”

Tying digital evidence to individuals

These include both legal and technical aspects. “Investigators need to be able to understand the networking clues left on the computer,” says Kessler, “such as where to look, and how the clues can mislead. For example, the email header doesn’t prove who sent the email, but it can indicate where the email came from.”
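The point about email headers can be made concrete by walking the Received chain. This is an added example, not material from the webinar: the message, host names and addresses are constructed, and `received_chain` and `first_verified_peer` are hypothetical helper names. It separates the hop logged by a server the recipient controls from the older hops, which the sending side could have written itself.

```python
import email
import ipaddress
import re

# Constructed sample message (documentation addresses and .example domains).
RAW = (
    "Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])\n"
    "\tby mailstore.recipient.example with ESMTP id 3; Wed, 14 Oct 2009 10:00:05 -0400\n"
    "Received: from smtp.sender-isp.example (smtp.sender-isp.example [198.51.100.25])\n"
    "\tby mx.recipient.example with ESMTP id 2; Wed, 14 Oct 2009 10:00:03 -0400\n"
    "Received: from laptop (unknown [192.168.1.23])\n"
    "\tby smtp.sender-isp.example with ESMTP id 1; Wed, 14 Oct 2009 10:00:01 -0400\n"
    "From: someone@sender-isp.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

HOP = re.compile(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\]\)?\s+by\s+(\S+)", re.S)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def received_chain(raw):
    """Return the Received hops oldest-first: claimed name, peer IP, recording host."""
    msg = email.message_from_string(raw)
    hops = []
    # Each server prepends its own header, so the last one in the file is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if not m:
            continue  # unparseable hop: skip it rather than guess
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # bracketed text was not a valid address
        hops.append({"claimed": m.group(1), "ip": str(ip), "by": m.group(3),
                     "private": any(ip in net for net in RFC1918)})
    return hops

def first_verified_peer(hops, trusted_domain):
    """Peer IP logged by the earliest hop recorded inside trusted_domain.
    Hops older than this one were written by systems the recipient does not control."""
    for hop in hops:
        if hop["by"] == trusted_domain or hop["by"].endswith("." + trusted_domain):
            return hop["ip"]
    return None
```

On the sample, the oldest hop carries a private address that means nothing outside the sender's own network, while `first_verified_peer(received_chain(RAW), "recipient.example")` returns the sending ISP's relay, which is where a records request would start.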

In fact, he adds, everything in digital forensics is about finding patterns of behavior. “When taken together, those patterns can lead a reasonable person to what a suspect did,” says Kessler. “Digital forensics provides exculpatory or incriminating information which might take an investigation in a direction it may not otherwise have gone.”

In the case of IP tracing, this can even include geolocation. “An IP address can provide a general location from where an individual accessed email, for example,” says Kessler. “In one homicide investigation, this was key when the suspect denied an email account was his. Not only was the account established as his, but the IP addresses also showed the account being accessed from locations which coincided with his business trip calendar.”

Seeing evidence from every angle

Kessler says there are few misunderstandings about IP address tracing, but that investigators don’t always correctly interpret the evidence. “As an example, a traceroute showing data packets going from Point A to Point B will show a different set of addresses than the packets going back from Point B to Point A,” he explains, “which could be interpreted as a completely different route. The investigator has to know how to interpret the information, which is simply the same route being reported in a different way.”
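The traceroute observation can be checked mechanically. This is an added example, not part of the webinar material: it assumes each router answers from the interface a probe arrived on and that every router-to-router link is its own /30 subnet, the hop addresses are constructed, and `link_of` and `compare_traces` are hypothetical names. Two traces with no address in common can still describe the same sequence of links.

```python
import ipaddress

# Constructed path A - R1 - R2 - R3 - B on documentation addresses; each
# link is assumed to be its own /30, with one address on each end.
FORWARD_A_TO_B = ["192.0.2.1", "192.0.2.6", "192.0.2.10", "192.0.2.14"]
REVERSE_B_TO_A = ["192.0.2.13", "192.0.2.9", "192.0.2.5", "192.0.2.2"]
# Constructed reverse trace that really does leave the forward path at one hop.
REVERSE_DETOUR = ["192.0.2.13", "198.51.100.9", "192.0.2.5", "192.0.2.2"]

def link_of(addr, prefixlen=30):
    """Subnet of the point-to-point link an interface address sits on."""
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)

def compare_traces(forward, reverse, prefixlen=30):
    """Compare an A->B trace with a B->A trace by address and by link."""
    fwd = [h for h in forward if h != "*"]  # "*" marks a hop that did not answer
    rev = [h for h in reverse if h != "*"]
    fwd_links = [link_of(h, prefixlen) for h in fwd]
    # Walk the reverse trace backwards so both lists run from A towards B.
    rev_links = [link_of(h, prefixlen) for h in reversed(rev)]
    return {
        # Usually empty: each direction reports the opposite end of every link.
        "shared_addresses": sorted(set(fwd) & set(rev)),
        # True when both traces cross the same links in the same order.
        "same_links": fwd_links == rev_links,
        # Links seen in only one direction (a real detour or a silent hop).
        "links_only_in_one_trace": sorted(
            str(n) for n in set(fwd_links) ^ set(rev_links)),
    }

if __name__ == "__main__":
    print(compare_traces(FORWARD_A_TO_B, REVERSE_B_TO_A))
    print(compare_traces(FORWARD_A_TO_B, REVERSE_DETOUR))
```

A non-empty `links_only_in_one_trace` is the cue to look further: it means either a hop did not answer or the return path differs from the forward path at that point.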

The takeaways from Kessler’s webinar: how IP addresses relate back to online activities, along with tools that show how addresses relate to Web domains, how the domains relate to individuals, and how IP addresses relate to geographical locations.

In addition, Kessler will cover how criminals use the same tools. “An investigator uses the tools in a criminal case, but a hacker uses them to discover vulnerabilities,” he explains. So in all, while IP address tracing may seem trivial, it is important in any case with a networking component.

Learn more: register for the Tracing IP Addresses webinar today!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

Image: curiouslee via Flickr