Overview
• Acquiring a physical location can provide a point of information that may be relevant to an investigation.
• Location information is important because it can tie a particular computer to a physical location.
• That doesn’t mean that the user can necessarily be tied to that same location.

How Do Systems Identify Location?
• Systems can identify where they are located in a number of ways.
• Some of this information is available from the network and can be as simple as a time zone handed out by a DHCP server.
• However, smartphone applications that became reliant on the global positioning system (GPS) to obtain a location have driven a need for devices to get locations in other ways.
• If you visit particular websites, you may notice that your web browser asks whether you want to provide a location to the website.

Location usage
• The device needs to be more aware of where it is in time and space.
• There are a number of reasons for this.
• One reason is that many applications want to know where you are in order to provide more accurate information.
• Not all devices have GPS, however, so to provide the same level of service there needed to be a means that would allow systems without GPS to know where they are.

Tracking location
• Databases are available that track information related to WiFi networks in order to provide location-based services.
• Other ways also exist to get information about where a system may be located.
• As a starting point, just knowing what public Internet Protocol (IP) address is being used can provide information about the location of the system.
• You can get this information in different ways with varying levels of accuracy.

Time Zones
• When it comes to computers, time is relative.
• Every computer can be configured to know what time zone it is in.
• This allows computers around the world to correlate events across multiple systems, because their timestamps can place events on a consistent timeline.
• A time zone is a recognition that the Earth is a sphere that revolves in space, providing us with a way to measure the passage of time.

Time Zones
• Because it’s a sphere, different parts of the globe are at different times of the day.
• This is because we use the sun’s position in the sky to calculate time.
• The origin or reference time zone is based on the observatory in Greenwich, England.
• In the 1800s, in light of the importance of the Greenwich Observatory to astronomy and navigation, the prime meridian (0 degrees) was established to run through Greenwich.

Time Zones
• This means that the line of longitude with a degree of 0 is the line of longitude that runs through Greenwich.
• Every other line of longitude is calculated mathematically based on an origin of that prime meridian.

Time Zones
• Longitude and latitude are ways of breaking the globe up into measurable units.
• They provide a way of orienting a location at any point on the sphere we call Earth.
• Lines of longitude are those that run from one pole to the other and, as such, the measurement is east and west.
• Where Greenwich, England is 0, anything to the west starts counting positively from there to the opposite side of the world at 180 degrees.
• Longitude measurements east of Greenwich are measured in negative numbers to –180.
• This means that in total, there are 360 degrees of longitude around the world.
Time Zones
• It’s necessary to keep time zones in mind as you are working with any piece of information that has a timestamp.
• You need to know the time zone the system is in so you can create a coherent understanding of when events happened.

Time Zones
• If you are told the time zone, you have a better understanding of where the system is.
• This is not a guarantee, however, because many systems are configured not to provide that information in their network communications.

Time Zones
• As an example, Listing 6-1 shows a set of HTTP headers with a timestamp that shows that the time is set to GMT, or Greenwich Mean Time.
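The point about keeping time zones in mind is easiest to see with records from several sources placed on one timeline. The following is an added example, not code from the text or its listings: it normalizes an HTTP Date header (always GMT), a log line carrying its own UTC offset, and a timestamp that carries no zone at all, for which the analyst must supply the offset the system was configured with. The three records and the assumed offsets are constructed for the demo.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample records (not taken from the text's listings). Each source expresses
# time differently, which is exactly the problem an investigator faces when building a timeline.
HTTP_DATE_HEADER = "Date: Tue, 15 Nov 2016 18:05:12 GMT"          # HTTP dates are always GMT
SYSLOG_LINE = "2016-11-15T13:05:40-05:00 host1 sshd[412]: Accepted publickey for alice"
NAIVE_LOCAL_STAMP = "2016-11-15 10:06:03"                           # no zone recorded at all


def parse_http_date(header_line):
    """Parse an HTTP 'Date:' header into an aware datetime (GMT/UTC)."""
    _, _, value = header_line.partition(":")
    return parsedate_to_datetime(value.strip())


def parse_iso_with_offset(log_line):
    """Parse a log line whose first field is an ISO-8601 timestamp carrying its own UTC offset."""
    stamp = log_line.split(" ", 1)[0]
    return datetime.fromisoformat(stamp)


def parse_naive_local(stamp, utc_offset_hours):
    """Attach the zone an analyst established for the system (for example from /etc/localtime
    or the Windows TimeZoneInformation key) to a timestamp that carries none. A fixed offset is
    used here; a real investigation must also account for daylight saving rules on that date."""
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))


def to_utc_string(dt):
    """Render any aware datetime as an ISO-8601 UTC string for side-by-side comparison."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_timeline(events):
    """Order (label, aware datetime) pairs by their true instant and return UTC strings."""
    ordered = sorted(events, key=lambda e: e[1].astimezone(timezone.utc))
    return [(label, to_utc_string(dt)) for label, dt in ordered]


def demo_timeline(naive_offset_hours=-8):
    """Build the timeline for the three constructed records. The naive record's zone is the
    analyst's assumption (default: UTC-8, a system configured for US Pacific standard time)."""
    events = [
        ("http", parse_http_date(HTTP_DATE_HEADER)),
        ("syslog", parse_iso_with_offset(SYSLOG_LINE)),
        ("local", parse_naive_local(NAIVE_LOCAL_STAMP, naive_offset_hours)),
    ]
    return build_timeline(events)


if __name__ == "__main__":
    for label, utc in demo_timeline():
        print(f"{utc}  {label}")
    # Assuming UTC-5 instead moves the 'local' event three hours earlier and changes the order.
    for label, utc in demo_timeline(naive_offset_hours=-5):
        print(f"{utc}  {label}")
```

Running it with the two different assumptions for the zone-less record shows why the configured time zone has to be established before ordering events: the same three records sort in a different order depending on the offset chosen.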
Operating System Time Zones
• Operating systems handle time zones in different ways:
• Linux
• Windows

Operating System Time Zones
• In a Linux system, for example, there may be a file in the /etc directory that points to a file providing specific details about the time zone.

Operating System Time Zones
• You can see in Listing 6-2 that the /etc/localtime file points to a different file altogether, indicating that this system is on the East Coast.
• Not all Unix-like operating systems will use links to point to the zone file.
• Some will use a copy of the zone file to stand in for the /etc/localtime file.
• While the time zone suggests it’s in New York, New York is just one of the cities that has been designated to indicate what time zone the system is in.
• The properties of the location “New York” convey to the system that it is in the East Coast time zone and also adheres to daylight saving time.
• Although you can set the time zone using the graphical user interface components, ultimately what is happening is that the time zone is set using the /etc/localtime file.
Operating System Time Zones
• The process is different on a Windows system, but just as with Linux, everything related to time is relative to where you are in the world in relation to Greenwich Mean Time.
• In Figure 6-1, you can see a partial list of the time zones that are available to be configured in Windows.
• According to documentation at Microsoft’s Developer Network, 75 possible time zones can be configured on a Windows system.
• Unlike Linux systems, where configuration is typically stored in plaintext files in the /etc directory, Windows systems store their configuration in the registry.

Operating System Time Zones
• As you can see in Figure 6-2, the time zone setting on a Windows system is stored by name in the registry.
• The key holding this information is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation.

Important notes about Time Zones
• Time zones are useful to know about, and they can provide some general direction about where systems are located.
• The challenge, though, is that time zones are not always that reliable.
• Any user can set any time zone on their system.
• Additionally, when laptops or other mobile devices move around, the time zone typically remains unchanged, unless the user dislikes the clock on her computer being wrong for the duration of her stay in a different location.
• Some protocols will include the time zone that has been configured on the server sending the information.
• However, since this is configured, it may not provide an accurate physical location.
• What you have is whatever location has been configured on the server.
Using whois
• The Internet registries can also provide a large amount of location-related information about IP addresses.
• When blocks of IP addresses are allocated, the information about the new owner is registered with one of the regional Internet registries.
• The same is true with domain names and other identifying information related to the Internet.
• Using this information can also help to provide location information.

Using whois
• One of the challenges with using the Internet registries is that IP address blocks are generally registered to a company.
• The company’s business information, potentially including address and phone number, may be available in the registry, but there is no guarantee that the IP address you have identified is located at the address provided.
• Large companies commonly have a headquarters and a number of other locations.
• The IP address would probably be registered to the headquarters, so the physical address of the corporate headquarters is what you will be able to identify.
• It’s also possible that the information provided within the Internet registry is for the service provider that was originally provided with the IP address block.
• Service providers may hand out blocks for the use of their customers without actually assigning ownership of the block to the company that is using it.

Using whois
• A lot of information can be obtained from a lookup at an Internet registry.
• Fortunately, you can perform these lookups in a number of ways.
• One way is to just use the whois command.
• You can see the use of a command-line version of whois in Listing 6-3.
• Using whois, we can see that the owner of the IP address 4.2.2.1 (a common DNS caching server that can be used by anyone on the Internet) is Level 3 Communications.
• Level 3 is located in Broomfield, CO, though from personal knowledge I can tell you that 4.2.2.1 specifically is not located there.
• However, in smaller organizations that are not Internet service providers, this information may be useful.

Using whois
• If you are not comfortable with command-line utilities, or you don’t have a Unix-based system to run whois from, you can accomplish the same thing in other ways.
• For example, whois utilities are available for Windows.
• Additionally, a number of websites will provide you the ability to do whois lookups.
• An example of one of these sites is shown in Figure 6-3. This particular site is at www.whois.com.
• You can also look up domain names using the same techniques.
• Domain names are less specific than IP addresses, though you can still obtain the same location information.
• As you see in Figure 6-3, physical addresses are provided.

Using whois
• You can also use DNS to obtain location information.
• At the time of this writing, the public IP address of my cable modem is 73.219.13.135.
• Using DNS tools, I can obtain the hostname of that IP address.
• Though I could do this lookup in multiple ways, I am using the host utility provided in the Linux distribution I am using in Listing 6-4 to obtain the hostname.
• Using the hostname, you can determine that the IP address is located in Vermont, which is correct.
• The portion of the hostname that says vt.comcast.net is a subdomain that Comcast uses to house IP addresses and other DNS resources for customers in Vermont.
• Not all organizations use their DNS hostnames to indicate where those hostnames are located, but generally Internet service providers do, because it makes troubleshooting quite a bit easier.
• It’s possible to get a collection of hostnames that can point at a particular geographic region.
Traceroute
• Traceroute is a diagnostic tool used by technical professionals looking to identify a problem with network routing.
• Traceroute works by making use of the time to live (TTL) IP header field.
• IP packets include a default TTL value in the IP header.
• Every time a packet passes through a routing device, the time to live field is decremented.
• Once the TTL reaches 0, the device that decremented the field to 0 returns an ICMP error message to the source of the original message indicating that the time to live has been exceeded in transit.

Traceroute
• Traceroute will send a message out to a destination with increasing TTL values.
• The first packet being sent has a TTL of 1.
• When the very first router (the default gateway on your network) receives the message, it decrements the TTL to 0 and responds with the ICMP error message.
• Once the sending system receives the message, it has the IP address of the first router.

Traceroute
• The sender only has the IP address, which means that the system running traceroute has to do a DNS lookup to get the hostname that is associated with the IP address.
• This is a reverse lookup and requires that whoever owns the IP address has the pointer (PTR) record configured in the DNS server.
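The TTL mechanism and the reverse lookup that follows it can be modelled without touching a network. The following is an added example, not code from the text: it simulates a path of routers, sends probes with TTL 1, 2, 3, ... so that each router in turn decrements the field to 0 and answers with an ICMP time-exceeded message, and then resolves each reported address against a PTR table. The routers, addresses (RFC 5737 documentation ranges) and PTR records are constructed for the demo; a hop whose owner never published a PTR record comes back with no hostname, exactly as in a real trace.

```python
from dataclasses import dataclass


@dataclass
class Router:
    ip: str


# Constructed path from the probing host to the destination (documentation address ranges).
PATH = [
    Router("192.168.1.1"),     # default gateway on the local network (private address, no PTR)
    Router("192.0.2.10"),
    Router("192.0.2.45"),
    Router("198.51.100.7"),    # transit hop whose owner published no PTR record
]
DEST_IP = "203.0.113.80"

# Constructed reverse-DNS (PTR) data, using the ISP naming style discussed in the text.
PTR_RECORDS = {
    "192.0.2.10": "ge-1-2-ur01.hartford.ct.example.net",
    "192.0.2.45": "cr01.nyc.ny.example.net",
    "203.0.113.80": "www.example.net",
}

TIME_EXCEEDED = "ICMP time exceeded in transit"
DESTINATION_REACHED = "destination reached"


def forward(path, dest_ip, ttl):
    """Model one probe. Each router decrements the TTL; the one that takes it to 0 discards the
    packet and answers with ICMP time exceeded, which carries that router's own source address.
    A probe whose TTL survives every router is answered by the destination itself."""
    for router in path:
        ttl -= 1
        if ttl == 0:
            return TIME_EXCEEDED, router.ip
    return DESTINATION_REACHED, dest_ip


def reverse_lookup(ip, ptr_records):
    """Return the PTR name for an address, or None when the owner configured no record."""
    return ptr_records.get(ip)


def traceroute(path, dest_ip, ptr_records, max_hops=30):
    """Send probes with increasing TTL until the destination answers; return
    (ttl, ip, hostname-or-None) per hop. Real traceroute sends three probes per TTL,
    which is why one hop can show several addresses; one probe per TTL is modelled here."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply, ip = forward(path, dest_ip, ttl)
        hops.append((ttl, ip, reverse_lookup(ip, ptr_records)))
        if reply == DESTINATION_REACHED:
            break
    return hops


def render_hop(hop):
    """Format a hop the way traceroute prints it: hostname (ip), or the bare ip without a PTR."""
    ttl, ip, name = hop
    return f"{ttl:2d}  {name} ({ip})" if name else f"{ttl:2d}  {ip}"


def run_demo():
    """Trace the constructed path and return the hop list."""
    return traceroute(PATH, DEST_IP, PTR_RECORDS)


if __name__ == "__main__":
    for hop in run_demo():
        print(render_hop(hop))
```

The hops without a hostname are the ones the text warns about: the address is real, but with no PTR record there is nothing in the name to suggest a location.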
Traceroute
• Generally, service providers will keep their DNS records up to date.
• Because they are the ones who will commonly include location information in the hostnames, they are the ones we are going to be most concerned with.
• On a Mac OS X system, the utility is named traceroute.
• On a Linux system, it will also be named traceroute.
• On a Windows system, because traceroute exceeded the 8-character limit of the 8.3 naming convention from the DOS days, the utility is named tracert.

Traceroute example
• The example shown in Listing 6-5 was done from a Mac OS X system, where the utility is named traceroute.
• A couple of notes on the traceroute responses.
• First, the times shown are the round-trip times to the individual host in the path.
• Second, in cases where you see multiple entries associated with a particular hop, it means that there are multiple pathways that are the same network distance to the destination.

Traceroute example
• The first thing in the output is the IP address of the default gateway on the local network.
• The first place we get a real hostname is on line 3. You can see the hostname listed as ge-4-19-ur01.wolcott.ct.hartford.comcast.net.
• This is a port on a network device in Hartford, CT.
• The ge indicates that this is a gigabit Ethernet (ge) port.
• The numbers after that could indicate slot and port in a large chassis.
• The ur01 indicates a router.
• Service providers will sometimes use short names to indicate the type of router within the network.
• If you see cr, it is probably a core router, meaning a device in the core or deep inside the network.
• An ar router would be an access router, where customers may commonly connect.

Traceroute example
• In general, you will see the type of interface, followed by the slot and port numbers if they exist, in the first part of the hostname.
• After that, you may well see the location information.
• In some cases, as in lines 3–5, the name will be pretty straightforward.
• You are seeing multiple entries on those lines because traceroute sends three messages.
• If there are multiple paths through the network to get to a particular location, each successive message may hit a different router in the network.
• That appears to be the case here.
• It may also indicate some routing distribution or load balancing, depending on where the message is located.

Traceroute example
• The Comcast entries that include ibone indicate there are routers at 111 8th Avenue in Manhattan.
• This particular building is owned by Google and has a meet-me room where multiple carriers get together and hand off traffic to one another.
• The traceroute goes through a few hops in that building before departing to a number of IP addresses that don’t have reverse lookups associated with them.
• Because of that, we don’t really know where they are located.
• However, the traceroute terminates at the hostname lga15s44-in-f4.1e100.net.

Traceroute example
• The domain name 1e100.net is a domain name that Google uses to identify servers within its network.
• If you see a three-letter indicator in a hostname, it may well be an airport code.
• LGA is LaGuardia Airport, located on Long Island.
• LGA provides services to Manhattan, so the servers that we have terminated at are located in New York.
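Reading hostnames the way the example above does (interface type, slot and port, router role, then location labels and possible airport codes) can be turned into a small parser. The following is an added example, not code from the text: it applies those naming conventions to the two hostnames discussed above plus one constructed name under example.net. The role meanings (ur, cr, ar) are the ones the text gives; any two-letter label is reported only as a possible state code and any three-letter label only as a possible airport code, because, as the text notes, not every organization encodes location in its names.

```python
import re

# Hostnames for the demo. The first two are the ones discussed in the traceroute walkthrough;
# the third is constructed here (example.net) to show a bare role label with no interface part.
SAMPLE_HOSTNAMES = [
    "ge-4-19-ur01.wolcott.ct.hartford.comcast.net",
    "lga15s44-in-f4.1e100.net",
    "cr02.bos.ma.example.net",
]

# Router role abbreviations as described in the text; anything else is reported as unknown.
ROLE_MEANINGS = {"ur": "router", "cr": "core router", "ar": "access router"}

# <interface>-<slot>-<port>-<role><number>, e.g. ge-4-19-ur01
ISP_PORT_RE = re.compile(r"^(?P<iface>[a-z]+)-(?P<slot>\d+(?:-\d+)*)-(?P<role>[a-z]{2})(?P<num>\d+)$")
# <role><number> with no interface part, e.g. cr02
BARE_ROLE_RE = re.compile(r"^(?P<role>[a-z]{2})(?P<num>\d+)$")
# Three letters followed by a digit at the start of a label, e.g. lga15s44 (possible airport code)
AIRPORT_PREFIX_RE = re.compile(r"^([a-z]{3})\d")


def parse_hostname(hostname):
    """Split a hostname into the device part (first label), the location labels in the middle,
    and the registered domain (last two labels), then extract the hints the text describes."""
    labels = hostname.lower().rstrip(".").split(".")
    first, middle, domain = labels[0], labels[1:-2], ".".join(labels[-2:])
    result = {
        "hostname": hostname,
        "interface": None,      # e.g. ge = gigabit Ethernet
        "slot_port": None,      # e.g. 4-19 = slot and port in a chassis
        "role": None,           # e.g. ur / cr / ar
        "role_meaning": None,
        "location_labels": middle,
        "state_hints": [],      # two-letter labels, possibly US state codes (ct, vt, ...)
        "airport_hints": [],    # three-letter tokens, possibly airport codes (lga, ...)
        "domain": domain,
    }
    match = ISP_PORT_RE.match(first) or BARE_ROLE_RE.match(first)
    if match:
        groups = match.groupdict()
        result["interface"] = groups.get("iface")
        result["slot_port"] = groups.get("slot")
        result["role"] = groups["role"]
        result["role_meaning"] = ROLE_MEANINGS.get(groups["role"], "unknown role")
    prefix = AIRPORT_PREFIX_RE.match(first)
    if prefix:
        result["airport_hints"].append(prefix.group(1))
    for label in middle:
        if len(label) == 2 and label.isalpha():
            result["state_hints"].append(label)
        elif len(label) == 3 and label.isalpha():
            result["airport_hints"].append(label)
    return result


def summarize(hostname):
    """One-line human-readable summary of the hints found in a hostname."""
    r = parse_hostname(hostname)
    device = f"{r['interface'] or '-'} {r['slot_port'] or '-'} {r['role_meaning'] or '-'}"
    return f"{hostname}: device=[{device}] location={r['location_labels']} " \
           f"states={r['state_hints']} airports={r['airport_hints']} domain={r['domain']}"


if __name__ == "__main__":
    for name in SAMPLE_HOSTNAMES:
        print(summarize(name))
```

The output is a set of hints rather than an answer: a two-letter label such as ct is a candidate for a state and lga a candidate for an airport, and the investigator still has to confirm them against the provider's naming practice, just as the text does when it ties ibone to a specific building.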
Traceroute
• Traceroute can provide a lot of details that are useful not only for network engineers; it can also provide some location information for investigators, once you learn how to read the output.
• While IP addresses do map to hostnames, you can get locations from IP addresses in other ways.

Pathping