Secrets of Internet Forensics, Part I

May 19th, 2009 at 4:00 PM - How-To by John Martellaro

Have you ever wondered how network security professionals sleuth on the Internet? Many of their tools are highly specialized and have special sauce, but there things that you can do right on your Mac to do some sleuthing on your own, especially if you think you've been the victim of an Internet attack. This is the first in a series of articles.

The first thing to know is that the domain names we use every day are just human friendly, memorable names for Internet addresses that use the Internet Protocol (IP). For example, we tell our Web browser to got to Filemaker.com because that's easy to remember. However, the Mac has to convert that to an IP address before it's usable.

IP addresses are called "dotted quads" and are of the form x.y.z.t. I won't go into too much detail there except to say that, in the case of Filemaker.com, their IP address is 17.112.152.73. That's easy to get by sending out what's called a "ping." Think of it as a short, packet of data sent out, analogous to a sonar ping, that returns some information.

You can get that information easily on a Mac with the Network Utility found in /Applications/Utilities. Just launch it, select the Ping tab, and enter the domain of Web host of interest. Note that often, for security or to reduce system loading, many sites disable ping, but often the IP address is still returned.

.

/Applications/Utilities/Network Utility.app

What's interesting is that IP addresses are generally assigned by country, and there are databases of IP addresses versus geolocation. That's one way your iPhone knows how to locate you.

Suppose one of your log files suggests some malicious activity from a source called "thebadguys.com" and you want to find out more. There are several ways to track them down.

First you could use the same Network Utility in the "Whois" tab to collect some information about their domain registration. Many malicious domain holders will try to minimize their public information, but anyone who registers a domain has to supply some minimal data. In our example, the Mac's Network Utility doesn't supply a lot of interesting information, so it's better to to use the command-line in the Terminal app. It's also in the Utilities directory.

No need to be concerned here. You won't hurt your computer. Just launch the Terminal app and type in, for example:

> whois filemaker.com

/Applications/Utilities/Terminal.app (Customized look)

Just hit CMD-Q when you're done, just like any other Mac app. Whois is a standard Internet utility that looks up domain registration data.  

Now we may know some things we didn't know before. If it was hard to find the phone number on the Website, there it is in Whois. We even have a street address and an e-mail for admin and technical contacts. Of course, in this example, all that information about Filemaker is public. However, the site you're investigating might not be so forthcoming on their Website.

What's interesting about IP addresses is that the highest level domains are generally assigned by country. There is a database of IP's vs. cities, in fact, and you have to look around to find a conversion site. For example, you were working with the IP address of, say, 194.145.236.53, you could go to MelissaData.com to look up the city and the corresponding ISP. That IP turns out to be in Berlin, Germany.

Converting IP Address to a City and ISP

Finally, a word of caution here. All this information is public, but Internet security is a high priority for everyone. As a result, the Internet has changed a lot since its early design, and security people are more alert than ever to probes like these. So it's a good idea to use these techniques with sobriety, caution, and care, only for research or your own legitimate forensic purposes.