IP addresses are the foundation of Internet investigations. Resolving them is a bread-and-butter skill.
What’s an IP address?
An IP address is like a telephone number. It contains a grouping of numbers that translate to a specific region, an Internet Service Provider (ISP), and ultimately their customer. Anything connected to the Internet has an IP address: mobile phones, laptops, websites, smart appliances, and more.
Get the facts: Read up on IP addresses at NetBootCamp’s Knowledge Base
One of the first steps in most investigations is to locate and review the IP address. There are many things to assess:
- Does the IP address fall within your venue or jurisdiction?
- Does the regional assignment for the IP address make sense with the listed physical address?
- Is the physical address associated with the data center or the corporate headquarters?
- Is the data center actually a rack of servers located within a larger data center?
- Is the IP address reassigned? Is it proxied?
- Does the ISP have a history of compliance?
Rogue operators also consider these points while setting up their email or online operations. They can be creative and they can also miss the fine details when trying to avoid being found. Knowing how IP addresses are assigned and abused is an Internet Basic that can fuel creative and successful investigations.
Most investigators have a toolbox. Great investigators know the limits of each tool and the task it is suited for. Domaintools.com and Robtex.com, for example, are popular tools that can provide different results. When you search Domaintools, you’re searching its database. You’re not capturing information in real-time. Robtex aggregates data from other sources plus its own analysis. It identifies the date and time when the data was collected, but it cannot relay hosting locations over time like Domaintools.
Proxies and CDNs
Even with the correct tool, there is good cause to question the results. Rogue operators increasingly obfuscate their IP addresses. They hide behind proxies, VPNs (virtual private networks), DDoS protection services and CDNs (content delivery networks). Some of these services like CloudFlare and Google PageSpeed, are free. These services act as intermediaries located between you and the server you’re looking for. You know there is more work to do when your IP address search identifies one of these services.
A few data centers will also reassign IP addresses to customers located within their data center. Rogue operators in these instances have been known to change this contact information to suggest to tools that read this information that the server is located in another country.
Today’s tip: IP addresses are easy to obfuscate. Learn the tools of the trade in the Basic Internet studies.
Get updates from the Investigations Guide: Real Tips in Real-time.