GeoEdge – IP Address Locator

Introduction

Log analysis is one of the most basic but crucial exercises for any forensics analyst. It covers many aspects; some of the important ones are:

  • Determining the actions/requests performed by a user/host/IP address
  • The application's or server's reactions to the user's requests
  • Finding more information about a particular user/host/IP address that may be performing extraordinary transactions with the application/server
  • Application/server performance
  • Application/server traffic monitoring to calculate business growth, etc.

However, from a forensics point of view, investigating "which user did what on the application/server that led to its compromise" is of the utmost importance. A similar scenario applies to email investigation: it is now quite simple to find out the IP address of the person sending suspicious or threatening emails to the victim(s).

Here we discuss the post-investigation aspect of the above and similar scenarios, i.e. what happens once the source IP address (of the attacker) has been identified. In this article we look at a simple tool/script that helps a forensic analyst get the exact location of that source IP address on this very beautiful earth.

Geo-Edge

"geoedge.py" is a small Python utility/script developed by Laramies from "edge-security.com" to get the exact location on earth of the target host/IP address. This directly helps in finding the physical location from which the attacker carried out the attack.

Those who do not have a Python interpreter need not worry, since NII Consulting has put in some more effort and made this Python script available in EXE format.

This tool can be downloaded as:

Original Python version: Download here

EXE version: Download here

The beauty of this tool is that it queries two sources, Maxmind and geoiptool, to extract information about the given target host or IP address. Hence the chance that information about the host or IP address is both available and correct is higher.

Example

Let's first have a look at how to use this tool:

Now we'll try to find the physical location of IP address 64.246.16.151.

So for this, we’ll issue:


As we can see, both sources gave us correct latitude and longitude information for the target IP address.

Now what? We have the latitude and longitude, but which country, which street, which area on earth does this correspond to?

For this, we refer to the online world map available on the MapQuest website.

We provide the obtained latitude and longitude to this website and find the exact location of this IP address on earth.

The physical location of the target host/IP address is shown with a red star marked on the map. Two kinds of views are available for the location given by the latitude and longitude.

The first view is the "Street View", in which we get nearby street information about the target.

Zooming in a little further gives us more information about the target host/IP address.

The second view is the "Aerial View", in which we see the satellite view of the target host/IP address.

Further zoom is available, subject to the availability of data in the MapQuest database.
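As an added example (not part of the original article or of the geoedge.py tool), the following Python reconciles the replies of the two sources the tool queries, rejects addresses that cannot be geolocated, tolerates one source failing, flags disagreement between the two, and turns the coordinates into a map link, which is the step the article performs by hand on MapQuest. The provider reply formats and field names are assumptions, the coordinates are constructed placeholders rather than the tool's real output, and OpenStreetMap stands in for MapQuest because its marker-URL format is stable.

```python
import ipaddress
import json
import math
from typing import Dict, Optional, Tuple

# Constructed stand-ins for the two providers' replies. The IP is the one the
# article looks up; the coordinates are placeholder values, not the tool's real
# output, and the JSON field names are assumed (the article shows no format).
SAMPLE_REPLIES = {
    "maxmind": '{"ip": "64.246.16.151", "latitude": 38.00, "longitude": -97.00}',
    "geoiptool": '{"ip": "64.246.16.151", "lat": "38.10", "lon": "-97.05"}',
}
FIELD_NAMES = {"maxmind": ("latitude", "longitude"), "geoiptool": ("lat", "lon")}

def parse_coords(source: str, raw: str) -> Optional[Tuple[float, float]]:
    """Extract (lat, lon) from one provider's reply; None if missing or malformed."""
    lat_key, lon_key = FIELD_NAMES[source]
    try:
        data = json.loads(raw)
        lat, lon = float(data[lat_key]), float(data[lon_key])
    except (ValueError, KeyError, TypeError):
        return None
    return (lat, lon) if -90 <= lat <= 90 and -180 <= lon <= 180 else None

def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def cross_check(ip: str, replies: Dict[str, str], tolerance_km: float = 50.0) -> dict:
    """Reconcile the two lookups: both agree, they disagree, one answered, or none did."""
    try:
        if not ipaddress.ip_address(ip).is_global:
            return {"status": "not_geolocatable"}  # RFC 1918, loopback, link-local, etc.
    except ValueError:
        return {"status": "invalid_address"}
    found = {s: c for s, r in replies.items() if (c := parse_coords(s, r))}
    if not found:
        return {"status": "no_data"}
    coords = list(found.values())
    if len(coords) == 1:
        return {"status": "single_source", "source": next(iter(found)), "coords": coords[0]}
    gap = haversine_km(coords[0], coords[1])
    return {"status": "agree" if gap <= tolerance_km else "disagree",
            "distance_km": round(gap, 1), "coords": coords[0]}

def map_url(lat: float, lon: float) -> str:
    """Marker URL for a web map (OpenStreetMap here; the article used MapQuest)."""
    return f"https://www.openstreetmap.org/?mlat={lat}&mlon={lon}#map=12/{lat}/{lon}"
```

A geolocation database places an address at its registered network location, so a disagreement between the two sources, or an address that sits behind a proxy or VPN, means the coordinates describe the network rather than the person behind it.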

Conclusion

From this, we learn that it is not at all difficult for a forensics analyst to find out the exact physical location of the attacker.

Besides this technique, the "GeoTools" available at WikiMapia are also very handy and useful.
