Domain name forensics: a systematic approach to investigating an internet presence

Source: Digital Investigation (2004) 1, 247-255
Date: Mar. 7th, 2006
Reporter: Sparker, Yao
Professor: Shiuh-Jeng, Wang



Page 2:

Our scheme

Introduction

Advantages of complexity

Identifying points of responsibility

--- Domain name registrars

--- Domain name registrants

--- DNS server owners

--- Regional Internet registries

--- Network owners

--- Web server owners

--- Email server owners

--- Upstream ISP

--- Telecommunications carriers

--- Routes and AS owners

--- Other responsible parties

--- The next generation, IPv6

Page 3:

Our scheme (cont.)

Collecting and preserving the evidence

--- Preparing for the investigation

--- Investigating the domain registry and registrant

--- Investigating the DNS owners

--- Investigating the IP network owners

--- Investigating the reverse DNS

--- Investigating the webserver owner

--- Investigating the upstream ISPs

--- Investigating the routing information

--- Investigating the physical location

--- Investigating the email owners

--- Finding additional information

Page 4:

Our scheme (cont.)

Packaging and preserving the evidence

Presenting the evidence

Conclusion and future work

Page 5:

Motivation

Finding the parties responsible for the different infrastructure areas has become time-consuming and error-prone.

Systematic approach to investigating a complex Internet presence

--- collecting

--- time-stamping

--- packaging

--- preserving

--- presenting

Page 6:

Advantages of complexity

Having critical infrastructure spread across multiple parties can help investigators overcome legal jurisdiction hurdles, as well as solve issues regarding anonymity.

Illegal activity done using Internet infrastructure residing outside a local jurisdiction has always been difficult to bring under control.

The more parties involved in the existence of an Internet presence, the more difficult it becomes for an entity to remain completely anonymous.

Page 7:

Identifying points of responsibility

Domain name registrars:

--- TLD (top level domain)

--- ccTLD (country code TLDs)

--- gTLD (generic TLDs)

Regional Internet registries:

--- ARIN

--- LACNIC

--- APNIC

--- RIPE

Page 8:

Collecting and preserving the evidence

Use the Unix script command to keep a record of everything we see or type; this eliminates the human errors that come from graphical interactions such as copying and pasting.

For example:

$ mkdir evidence
$ cd evidence
$ script record.txt
$ ntpq -p > timesync.txt
$ date

Page 9:

Collecting and preserving the evidence (cont.)

--- Investigating the domain registry and registrant

--- Investigating the DNS owners

--- Investigating the IP network owners

--- Investigating the reverse DNS

--- Investigating the webserver owner

--- Investigating the upstream ISPs

--- Investigating the routing information

--- Investigating the physical location

--- Investigating the email owners

--- Finding additional information

Page 10:

Packaging and preserving the evidence

Package the collected evidence using the Unix tar command:

$ exit
$ cd ..
$ tar cvf evidence.tar evidence

Make a cryptographic hash of the tar file:

$ md5 evidence.tar > evidence.md5
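The collect, package, hash and verify steps from pages 8, 10 and 11, as an added example in POSIX sh that is not code from the paper or the slides. It assumes tar and sha256sum are installed, substitutes SHA-256 for the slides' md5 (MD5 collisions are practical, so an md5 file alone no longer proves the archive is the one that was hashed), and leaves out script and ntpq because they need a terminal and a network.

```shell
#!/bin/sh
# Added example, not code from the paper or the slides: the collect -> tar ->
# hash -> verify workflow the slides describe, as POSIX sh functions.
# Assumptions: tar and sha256sum are available. The slides' `script record.txt`
# and `ntpq -p` are omitted (they need a terminal and a network); the time
# stamp here comes from `date -u`. SHA-256 replaces the slides' md5.

# collect_evidence DIR: create the evidence directory and write a UTC time stamp
# plus a constructed sample record standing in for real whois/dig output.
collect_evidence() {
    dir=$1
    mkdir -p "$dir" || return 1
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$dir/timestamp.txt" || return 1
    # Constructed sample; a real run would redirect `whois`/`dig` output here.
    printf 'query: example.invalid\nregistrar: (constructed sample)\n' \
        > "$dir/whois-example.txt"
}

# package_evidence DIR: archive the directory (the slides' `tar cvf`) and store
# the archive's digest in DIR.sha256, the counterpart of evidence.md5.
package_evidence() {
    dir=$1
    tar cf "$dir.tar" "$dir" || return 1
    sha256sum "$dir.tar" > "$dir.sha256"
}

# verify_evidence DIR: succeed only if DIR.tar still matches the stored digest;
# this is the independent integrity check from the "Presenting the evidence" slide.
verify_evidence() {
    dir=$1
    sha256sum -c "$dir.sha256" > /dev/null 2>&1
}

# Demo: `sh bundle.sh demo` builds and verifies a bundle in a fresh temp dir.
if [ "${1-}" = "demo" ]; then
    cd "$(mktemp -d)" && collect_evidence evidence && package_evidence evidence \
        && verify_evidence evidence && echo "evidence.tar matches evidence.sha256"
fi
```

The digest file records a path relative to the working directory, so verify_evidence must run from the directory that holds the .tar and .sha256 files.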

Page 11:

Presenting the evidence

Without going into too much technical detail, we have created a report during the course of the investigation that non-technical staff can use within the context of their roles.

The information in the report can be independently verified based on the data in the evidence.tar file.

The integrity of the evidence.tar file can be verified with the evidence.md5 file.

Page 12:

Conclusion and future work

Defined the points of responsibility related to an Internet presence.

Systematically collected and time-stamped the evidence which identifies these parties.

Saved and packaged the evidence in an organized manner.

Created a cryptographic hash of the evidence to ensure integrity is preserved.

Created a verifiable report presenting the contact information found in the evidence.

Page 13:

End of presentation

Comments and suggestions are welcome!