CN416

Intrusion Detection and Forensics

Location Awareness I

Lecturer: Mr. Saeb Sisan


Overview
• Acquiring a physical location can provide a point of information that is relevant to an investigation.
• Location information is important because it can tie a particular computer to a physical location.
• That does not mean the user can necessarily be tied to that same location: the evidence places a device, and a separate argument is needed to place a person at that device.
How Do Systems Identify Location?
• Systems can identify where they are located in a number of ways.
• Some of this information is available from the network and can be as simple as a time offset handed out by a DHCP server (DHCP option 2, Time Offset, or the time zone options defined in RFC 4833).
• Smartphone applications that came to rely on the Global Positioning System (GPS) to obtain a location have driven a need for devices to obtain locations in other ways.
• If you visit particular websites, you may notice that your web browser asks whether you want to provide a location to the website; that is the browser's geolocation API asking for consent before it reports a position derived from GPS, nearby Wi-Fi networks, or the IP address.
Location usage
• The device needs to be aware of where it is in time and space, for a number of reasons.
• One reason is that many applications want to know where you are in order to provide more relevant information.
• Not all devices have GPS, however, so to provide the same level of service there needed to be a means for systems without GPS to know where they are.
Tracking location
• Databases that track the locations of Wi-Fi networks exist in order to provide location-based services, and other ways exist to get information about where a system may be located.
• As a starting point, just knowing what public Internet Protocol (IP) address is being used can provide information about the location of the system.
• You can get this information in different ways, with varying levels of accuracy.
Time Zones
• When it comes to computers, time is relative.
• Every computer can be configured to know what time zone it is in.
• This allows computers around the world to correlate events across multiple systems, because their timestamps can be placed on a consistent timeline.
• A time zone is a recognition that the Earth is a sphere that rotates in space, and that rotation gives us a way to measure the passage of time.
Time Zones
• Because it is a sphere, different parts of the globe are at different times of the day, since we use the sun's position in the sky to calculate time.
• The origin or reference time zone is based on the Royal Observatory in Greenwich, England.
• In 1884, in light of the importance of the Greenwich Observatory to astronomy and navigation, the prime meridian (longitude 0) was established to run through Greenwich.
Time Zones
• This means that the line of longitude at 0 degrees is the one that runs through Greenwich.
• Every other line of longitude is measured as an angle east or west of that prime meridian.
Time Zones
• Longitude and latitude are ways of breaking the globe up into measurable units; together they locate any point on the sphere we call Earth.
• Lines of longitude run from one pole to the other, so a longitude measures position east or west; lines of latitude run parallel to the equator and measure position north or south.
• Greenwich, England is at 0 degrees. Longitudes east of Greenwich are counted positively up to 180 degrees on the opposite side of the world, and longitudes west of Greenwich are counted negatively down to -180 degrees (some conventions write E and W instead of a sign).
• In total there are 360 degrees of longitude around the world, so each of the 24 nominal hour-wide time zones spans 15 degrees of longitude, although political boundaries distort the real zones considerably.
Time Zones
• It is necessary to keep time zones in mind as you are working with any piece of information that has a timestamp.
• You need to know the time zone the system is in so you can create a coherent understanding of when events happened; the usual practice is to convert every timestamp to UTC before building a timeline.
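The following is an added example for this slide (not code from the course or the textbook) of what "creating a coherent understanding" looks like in practice: timestamps from four sources, some carrying their zone and some recorded as bare local time, are placed on one UTC timeline. The log lines are constructed, and the host-to-zone table is an assumption standing in for what an examiner records from each system's time-zone setting.

```python
"""Place timestamps recorded in different time zones on one UTC timeline.

Added example for these slides; it is not code from the course or the
textbook. The log lines are constructed, and the per-host zone table is an
assumption standing in for what an examiner records from each system's
time-zone setting (Python 3.7+, standard library only).
"""
from datetime import datetime, timedelta, timezone

# Constructed evidence: (host, raw timestamp as found in the artifact, event).
EVENTS = [
    ("web-proxy", "Tue, 15 Nov 2022 19:04:07 GMT", "GET /login"),          # HTTP Date header, always GMT
    ("ny-workstation", "2022-11-15 14:03:55", "interactive logon"),         # Windows event, local time, no zone
    ("london-server", "2022-11-15T19:05:12+00:00", "sshd: accepted key"),   # syslog with explicit offset
    ("tokyo-backup", "2022-11-16T04:02:30", "snapshot created"),            # local time, no zone
]

# Assumed configuration recovered from each host (its /etc/localtime link or
# its TimeZoneInformation registry key), as fixed offsets valid on that date.
HOST_ZONES = {
    "ny-workstation": timezone(timedelta(hours=-5), "EST"),   # no DST in November
    "tokyo-backup": timezone(timedelta(hours=9), "JST"),
}

HTTP_DATE = "%a, %d %b %Y %H:%M:%S GMT"


def to_utc(host, raw):
    """Return an aware UTC datetime for one raw timestamp.

    Aware inputs (HTTP-date, ISO 8601 with offset) convert directly. Naive
    inputs are interpreted in the zone recorded for that host; if none was
    recorded the function refuses rather than silently assuming UTC.
    """
    if raw.endswith(" GMT"):
        dt = datetime.strptime(raw, HTTP_DATE).replace(tzinfo=timezone.utc)
    else:
        dt = datetime.fromisoformat(raw)
    if dt.tzinfo is None:
        if host not in HOST_ZONES:
            raise ValueError(f"no time zone recorded for {host}; cannot place {raw!r}")
        dt = dt.replace(tzinfo=HOST_ZONES[host])
    return dt.astimezone(timezone.utc)


def build_timeline(events=EVENTS):
    """Sort events by their UTC instant; returns (utc_iso, host, event) tuples."""
    rows = [(to_utc(host, raw), host, event) for host, raw, event in events]
    rows.sort(key=lambda r: r[0])
    return [(dt.isoformat(), host, event) for dt, host, event in rows]


if __name__ == "__main__":
    for utc_iso, host, event in build_timeline():
        print(f"{utc_iso}  {host:15s} {event}")
```

Read naively, the Tokyo snapshot looks like the last event (it is dated the next day); once every stamp is in UTC it is the first. The refusal on an unknown host is deliberate: assuming UTC for a bare local timestamp silently shifts the event by the zone offset.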
Time Zones
• If you are told the time zone, you have a better understanding of where the system is.
• This is not a guarantee, however, because many systems are configured not to provide that information in their network communications.
Time Zones
• As an example, Listing 6-1 shows a set of HTTP headers with a timestamp that shows the time is set to GMT, or Greenwich Mean Time.
• Note that the HTTP Date header is required by the protocol (RFC 7231) to be expressed in GMT regardless of the server's configured time zone, so this particular header says nothing about where the server is; a configured zone leaks only through fields that carry local time, such as the offset in an e-mail Date header or application-generated timestamps.
Operating System Time Zones
• Operating systems handle time zones in different ways; Linux and Windows are covered here.
Operating System Time Zones
• On a Linux system, for example, the file /etc/localtime points to (or is a copy of) a file under /usr/share/zoneinfo that provides the specific details about the time zone.
Operating System Time Zones
• You can see in Listing 6-2 that /etc/localtime is a symbolic link to a different file altogether, indicating that this system is set to the East Coast time zone.
Operating System Time Zones
• Not all Unix-like operating systems use links to point to the zone file; some place a copy of the zone file at /etc/localtime.
• While the time zone name suggests New York, New York is just one of the cities that has been designated to identify a time zone (America/New_York in the tz database).
• The properties of the location "New York" convey to the system that it is in the East Coast time zone and that it observes daylight saving time.
• Although you can set the time zone using the graphical user interface, ultimately what happens is that the time zone is set through the /etc/localtime file (Debian-derived distributions also record the zone name in /etc/timezone).
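An added example for this slide (not code from the course or the textbook) of the check an examiner makes on a Linux image: if /etc/localtime is a symlink, the zone name is in the link target; if it is a copy, the zone has to be read out of the TZif file itself (RFC 8536), where the abbreviations, UTC offsets and the POSIX TZ rule footer survive. The TZif bytes below are constructed for US Eastern time, and the symlink target is written as an assumption for the demonstration.

```python
"""Inspect a Linux /etc/localtime: symlink target or embedded TZif contents.

Added example for this slide; not code from the course or textbook. It
follows the symlink when there is one, and otherwise parses the TZif file
(RFC 8536) for the zone abbreviations, UTC offsets and the POSIX TZ footer.
The sample TZif bytes below are constructed for US Eastern time.
"""
import os
import struct
import tempfile


def parse_tzif(data):
    """Parse the version-1 data block and the version-2+ footer of a TZif file."""
    if data[:4] != b"TZif":
        raise ValueError("not a TZif file")
    version = data[4:5]
    # Header counts (RFC 8536 section 3.1), each a big-endian uint32.
    isutcnt, isstdcnt, leapcnt, timecnt, typecnt, charcnt = struct.unpack(">6I", data[20:44])
    pos = 44 + timecnt * 4 + timecnt            # skip transition times and type indices
    ttinfo = []
    for _ in range(typecnt):
        utoff, isdst, idx = struct.unpack(">iBB", data[pos:pos + 6])
        ttinfo.append((utoff, isdst, idx))
        pos += 6
    names = data[pos:pos + charcnt]
    types = [(names[idx:names.index(b"\x00", idx)].decode("ascii"), utoff, bool(isdst))
             for utoff, isdst, idx in ttinfo]
    footer = None
    if version >= b"2":
        # The POSIX TZ rule string is the last newline-delimited line of the file.
        parts = data.rsplit(b"\n", 2)
        if len(parts) == 3 and parts[2] == b"":
            footer = parts[1].decode("ascii")
    return {"version": "1" if version == b"\x00" else version.decode("ascii"),
            "types": types, "footer": footer}


def describe_localtime(path="/etc/localtime"):
    """Report how the zone is set: a symlink into zoneinfo or a copied TZif file."""
    if os.path.islink(path):
        target = os.readlink(path)
        zone = target.split("zoneinfo/", 1)[1] if "zoneinfo/" in target else None
        return {"kind": "symlink", "target": target, "zone": zone}
    with open(path, "rb") as f:
        info = parse_tzif(f.read())
    info["kind"] = "copy"
    return info


def build_sample_tzif():
    """Constructed minimal TZif v2 for US Eastern: EST/EDT types, no transitions."""
    ttinfo = [(-18000, 0, 0), (-14400, 1, 4)]   # (utoff seconds, isdst, abbreviation index)
    abbrs = b"EST\x00EDT\x00"
    block = b"".join(struct.pack(">iBB", *t) for t in ttinfo) + abbrs
    header = b"TZif2" + b"\x00" * 15 + struct.pack(">6I", 0, 0, 0, 0, len(ttinfo), len(abbrs))
    return header + block + header + block + b"\nEST5EDT,M3.2.0,M11.1.0\n"


def write_sample():
    """Write the constructed TZif as a copy and a zoneinfo symlink; returns both paths."""
    d = tempfile.mkdtemp()
    copy_path = os.path.join(d, "localtime-copy")
    with open(copy_path, "wb") as f:
        f.write(build_sample_tzif())
    link_path = os.path.join(d, "localtime-link")
    os.symlink("/usr/share/zoneinfo/America/New_York", link_path)  # target need not exist here
    return copy_path, link_path


if __name__ == "__main__":
    for p in write_sample():
        print(p, describe_localtime(p))
```

On a mounted image, call describe_localtime() with the path inside the mount point rather than the default, so the examiner's own zone is never read by mistake; a copied file still gives the offsets and the EST/EDT rule even though the region name is gone.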
Operating System Time Zones
• The process is different on a Windows system, but just as with Linux, everything related to time is relative to where you are in the world in relation to Greenwich Mean Time.
• In Figure 6-1, you can see a partial list of the time zones that are available to be configured in Windows.
• According to documentation at Microsoft's Developer Network, 75 possible time zones can be configured on a Windows system.
Operating System Time Zones
• Unlike Linux systems, where configuration is typically stored in plaintext files in the /etc directory, Windows systems store their configuration in the registry.
Operating System Time Zones
• As you can see in Figure 6-2, the time zone setting on a Windows system is stored by name in the registry.
• The key holding this information is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation; the zone name is in the TimeZoneKeyName value, and the offsets from UTC, in minutes, are in the Bias and ActiveTimeBias values.
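An added example for this slide (not code from the course or the textbook) that decodes the values under that key from a registry export. The .reg text is constructed in the format written by "reg export"; the value semantics are Windows' own (Bias and ActiveTimeBias are minutes such that UTC = local time + bias, so a positive bias is west of Greenwich). Reading the live key with winreg, or an offline SYSTEM hive with a hive parser, is left to the reader.

```python
"""Decode the TimeZoneInformation key from a Windows registry export.

Added example for this slide; not code from the course or textbook. The
.reg text below is constructed in the format produced by "reg export"
(values as Windows defines them: Bias and ActiveTimeBias are minutes such
that UTC = local time + bias). Reading the live key with winreg or an
offline SYSTEM hive with a hive parser is left to the reader.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]
"Bias"=dword:0000012c
"DaylightBias"=dword:ffffffc4
"StandardBias"=dword:00000000
"ActiveTimeBias"=dword:000000f0
"TimeZoneKeyName"="Eastern Standard Time"
"DynamicDaylightTimeDisabled"=dword:00000000
'''

# REG_DWORD as dword:xxxxxxxx, REG_SZ as a quoted string (no escaped quotes in this sample).
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")\s*$')


def parse_reg_values(text, key_suffix="TimeZoneInformation"):
    """Return {name: value} for the first key whose path ends with key_suffix."""
    values, in_key = {}, False
    for line in text.splitlines():
        if line.startswith("["):
            if in_key:
                break
            in_key = line.rstrip("]").endswith(key_suffix)
            continue
        m = VALUE_RE.match(line) if in_key else None
        if not m:
            continue
        name, dword, string = m.groups()
        if dword is not None:
            v = int(dword, 16)
            values[name] = v - (1 << 32) if v >= (1 << 31) else v   # bias values are signed
        else:
            values[name] = string
    return values


def offset_str(bias_minutes):
    """Windows bias -> 'UTC+hh:mm'. Local = UTC - bias, so the sign flips."""
    off = -bias_minutes
    h, m = divmod(abs(off), 60)
    return f"UTC{'+' if off >= 0 else '-'}{h:02d}:{m:02d}"


def decode_time_zone(values):
    """Interpret the Bias family of values the way the kernel does."""
    bias = values["Bias"]
    std = values.get("StandardBias", 0)
    dl = values.get("DaylightBias", 0)
    active = values.get("ActiveTimeBias", bias + std)
    return {
        "key_name": values.get("TimeZoneKeyName"),      # Vista and later; older systems only have StandardName
        "standard_offset": offset_str(bias + std),
        "daylight_offset": offset_str(bias + dl),
        "active_offset": offset_str(active),            # bias in effect when the system last recalculated it
        "dst_in_effect": dl != 0 and active == bias + dl,
        "auto_dst_disabled": values.get("DynamicDaylightTimeDisabled", 0) == 1,
    }


def local_to_utc(local_iso, active_bias_minutes):
    """Convert a local-time artifact (no zone, ISO 8601 text) to UTC using ActiveTimeBias."""
    local = datetime.fromisoformat(local_iso)
    return (local + timedelta(minutes=active_bias_minutes)).replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    vals = parse_reg_values(SAMPLE_REG)
    print(decode_time_zone(vals))
    print(local_to_utc("2022-07-01 14:00:00", vals["ActiveTimeBias"]))
```

TimeZoneKeyName is the value to record, because StandardName and DaylightName are often stored as tzres.dll string references rather than readable names. ActiveTimeBias is only as current as the last time the system recomputed it, so for an event months before the image was taken, apply the zone's DST rule to the event date instead of trusting the stored active bias.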
Important notes about Time Zones
• Time zones are useful to know about, and they can provide some general direction about where systems are located.
• The challenge, though, is that time zones are not always that reliable: any user can set any time zone on their system.
Important notes about Time Zones
• Additionally, when laptops or other mobile devices move around, the time zone often remains unchanged, unless the user dislikes the clock on her computer being wrong for the duration of her stay in a different location (current versions of Windows, macOS, Android and iOS can also update the zone automatically from location services, in which case the setting reflects the most recent location rather than the home location).
• Some protocols will include the time zone that has been configured on the server sending the information.
Important notes about Time Zones
• However, since this is a configured value, it may not provide an accurate physical location: what you have is whatever location has been configured on the server.
Using whois
• The Internet registries can also provide a large amount of location-related information about IP addresses.
• When blocks of IP addresses are allocated, the information about the new holder is registered with one of the five regional Internet registries (ARIN, RIPE NCC, APNIC, LACNIC and AFRINIC).
• The same is true of domain names and other identifying information related to the Internet, which are registered through domain registrars and kept in the registry for each top-level domain.
Using whois
• Using this registration information can also help to establish a location.
Using whois
• One of the challenges with using the Internet registries is that IP address blocks are generally registered to a company.
• The company's business information, potentially including an address and phone number, may be available in the registry, but there is no guarantee that the host using the IP address you have identified is located at the address provided.
Using whois
• Large companies commonly have a headquarters and a number of other locations.
• The IP address block would probably be registered to the headquarters, so the physical address of the corporate headquarters is what you will be able to identify.
Using whois
• It is also possible that the information provided within the Internet registry is that of the service provider that was originally allocated the IP address block.
• Service providers may hand out blocks for the use of their customers without actually registering the reassignment of the block to the company that is using it.
Using whois
• A lot of information can be obtained from a lookup at an Internet registry, and you can perform these lookups in a number of ways.
Using whois
• One way is to just use the whois command; you can see the use of a command-line version of whois in Listing 6-3.
Using whois
• Using whois, we can see that the owner of the IP address 4.2.2.1, a well-known public DNS resolver that can be used by anyone on the Internet, is Level 3 Communications (since acquired by CenturyLink, now Lumen), located in Broomfield, CO.
• From personal knowledge, though, I can tell you that 4.2.2.1 specifically is not located there.
• However, in smaller organizations that are not Internet service providers, this information may be useful.
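An added example for the whois slides above (not code from the course or the textbook) showing the two checks a practitioner makes on registry output: pick the most specific record that contains the address, since a lookup often returns both the provider's allocation and a customer reassignment, and read the NetType to decide whether the listed address is an ISP's office or an end customer's. The record text is constructed in ARIN's key/value style with RFC 5737 documentation addresses and fictional organisations; only the NetType vocabulary (Direct Allocation, Direct Assignment, Reallocated, Reassigned) is ARIN's. A real lookup would feed the output of `whois -h whois.arin.net <ip>` into parse_whois().

```python
"""Parse registry (whois) output and judge what the listed address can tell you.

Added example for these slides; not code from the course or textbook. The
record text is constructed in the ARIN key/value style using RFC 5737
documentation addresses and fictional organisations; the NetType values
(Direct Allocation, Direct Assignment, Reallocated, Reassigned) are the ones
ARIN uses.
"""
import ipaddress
import re

SAMPLE_WHOIS = """\
#
# Constructed ARIN-style response for 203.0.113.70 (not real registry data)
#

NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-TRANSIT-NET
NetType:        Direct Allocation
OrgName:        Example Transit, LLC
City:           Broomfield
StateProv:      CO
Country:        US

NetRange:       203.0.113.64 - 203.0.113.95
CIDR:           203.0.113.64/27
NetName:        EXAMPLE-DENTAL
NetType:        Reassigned
OrgName:        Example Dental Practice
City:           Burlington
StateProv:      VT
Country:        US
"""

LINE_RE = re.compile(r"^([A-Za-z]+):\s*(.*?)\s*$")


def parse_whois(text):
    """Split key/value output into one dict per network record (new record at each NetRange)."""
    records, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # comment, blank or free-text line
        key, value = m.groups()
        if key == "NetRange":
            start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
            current = {"start": start, "end": end}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def most_specific(records, ip):
    """The smallest registered block containing ip; a lookup may return parent and child."""
    ip = ipaddress.ip_address(ip)
    hits = [r for r in records if r["start"] <= ip <= r["end"]]
    if not hits:
        return None
    return min(hits, key=lambda r: int(r["end"]) - int(r["start"]))


def location_assessment(record):
    """What the registered address means, judged by the kind of registration."""
    where = ", ".join(record.get(k, "?") for k in ("City", "StateProv", "Country"))
    nettype = record.get("NetType", "")
    if nettype in ("Direct Allocation", "Reallocated"):
        kind = "provider block: address is the ISP's registered office, not the host's location"
    elif nettype in ("Direct Assignment", "Reassigned"):
        kind = "end-user block: address is the customer's registered office (often the HQ)"
    else:
        kind = "unknown registration type: treat the address as the registrant's, not the host's"
    return {"org": record.get("OrgName"), "address": where, "net": record.get("CIDR"), "assessment": kind}


if __name__ == "__main__":
    recs = parse_whois(SAMPLE_WHOIS)
    for ip in ("203.0.113.70", "203.0.113.10"):
        print(ip, location_assessment(most_specific(recs, ip)))
```

The same address block looked up with a bare `whois` command may be answered by a different regional registry's server with different field names (RIPE uses inetnum, netname and country); the parsing approach is the same, but the key names and the role vocabulary have to be adjusted per registry.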
Using whois
• If you are not comfortable with command-line utilities, or you don't have a Unix-based system to run whois from, you can accomplish the same thing in other ways.
• For example, whois utilities are available for Windows, and a number of websites will let you perform whois lookups.
Using whois
• An example of one of these sites is shown in Figure 6-3; this particular site is at www.whois.com.
Using whois
• You can look up domain names using the same techniques.
• Domain names are less specific than IP addresses, though you can still obtain the same kind of location information; as you see in Figure 6-3, physical addresses are provided (unless the registrant uses a privacy service or the registrar redacts contact details, as many have since 2018).
Using whois
• You can also use DNS to obtain location information.
• At the moment of this writing, the public IP address of my cable modem is 73.219.13.135.
• Using DNS tools, I can obtain the hostname of that IP address.
• Though I could do this lookup in multiple ways, I am using the host utility provided in the Linux distribution I am using, in Listing 6-4, to obtain the hostname.
Using whois
• Using the hostname, you can determine that the IP address is located in Vermont, which is correct: the portion of the hostname that says vt.comcast.net is a subdomain that Comcast uses to house IP addresses and other DNS resources for customers in Vermont.
• Not all organizations use their DNS hostnames to indicate where those hostnames are located, but Internet service providers generally do because it makes troubleshooting quite a bit easier.
• It is possible to get a collection of hostnames that can point at a particular geographic region.
Traceroute
• Traceroute is a diagnostic tool used by technical professionals looking to identify a problem with network routing.
Traceroute
• Traceroute works by making use of the time to live (TTL) field in the IP header.
Traceroute
• IP packets are sent with a default TTL value (64 or 128 on most operating systems).
• Every time a packet passes through a routing device, the TTL field is decremented.
• If the decrement brings the TTL to 0, the router discards the packet and returns an ICMP error message (Time Exceeded, type 11) to the source of the original message, indicating that the time to live has been exceeded in transit.
Traceroute
• Traceroute sends messages to a destination with increasing TTL values; the first packet is sent with a TTL of 1.
• When the very first router (the default gateway on your network) receives the message, it decrements the TTL to 0 and responds with the ICMP error message.
• Once the sending system receives that message, it has the IP address of the first router; it then sends with a TTL of 2, and so on, until a reply comes from the destination itself (a Port Unreachable for the UDP probes used by Unix traceroute, or an Echo Reply for the ICMP probes used by Windows tracert).
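The procedure on the last three slides, as an added offline model (not code from the course or the textbook): each router decrements the TTL and, at zero, discards the probe and answers with ICMP Time Exceeded (type 11, code 0); the destination answers with ICMP Port Unreachable (type 3, code 3) because nothing listens on the high UDP ports classic Unix traceroute probes, starting at 33434. The path of routers is constructed from RFC 5737 addresses, and one hop is made to drop expired probes silently to show where the "*" in real output comes from. A real traceroute uses raw sockets and needs root; the decisions it relies on are the ones modelled here.

```python
"""Model of the TTL mechanism that traceroute relies on.

Added example for these slides; not code from the course or textbook. It
reproduces, offline, the decision every router and the destination make:
decrement TTL, discard at zero and return ICMP Time Exceeded (type 11,
code 0), or, at the destination, ICMP Port Unreachable (type 3, code 3)
because nothing listens on the UDP port classic Unix traceroute probes
(33434 upward). The path is constructed from RFC 5737 addresses.
"""
from dataclasses import dataclass

TIME_EXCEEDED = (11, 0)
PORT_UNREACHABLE = (3, 3)


@dataclass
class Probe:
    src: str
    dst: str
    ttl: int
    dport: int          # incremented per probe so replies can be matched to probes


# Constructed path; None marks a router that drops TTL-expired packets silently.
ROUTERS = ["192.0.2.1", "198.51.100.9", "198.51.100.42", None, "203.0.113.5"]
DESTINATION = "203.0.113.77"


def forward(probe, routers=ROUTERS, destination=DESTINATION):
    """Walk the probe hop by hop; return the ICMP reply (or None for silence)."""
    ttl = probe.ttl
    for router in routers:
        ttl -= 1                                   # every forwarding hop decrements
        if ttl == 0:                               # expired here: discard and report
            if router is None:
                return None                        # filtered: the sender prints '*'
            return {"icmp": TIME_EXCEEDED, "from": router, "quoted_dport": probe.dport}
    # Survived every router: the destination gets a UDP datagram for a closed port.
    return {"icmp": PORT_UNREACHABLE, "from": destination, "quoted_dport": probe.dport}


def traceroute(destination=DESTINATION, routers=ROUTERS, max_hops=30, base_port=33434):
    """Send probes with TTL 1, 2, 3... until the destination itself answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        probe = Probe("192.0.2.10", destination, ttl, base_port + ttl - 1)
        reply = forward(probe, routers, destination)
        if reply is None:
            hops.append((ttl, "*"))
            continue
        # The ICMP error quotes the original IP/UDP header; the port identifies the probe.
        if reply["quoted_dport"] != probe.dport:
            raise RuntimeError("reply does not match the probe that was sent")
        hops.append((ttl, reply["from"]))
        if reply["icmp"] == PORT_UNREACHABLE:
            break
    return hops


if __name__ == "__main__":
    for ttl, who in traceroute():
        print(f"{ttl:2d}  {who}")
```

The matching step is why the quoted header in the ICMP error matters: the sender has several probes in flight and uses the destination port (Unix) or ICMP identifier and sequence (Windows) copied back in the error to tell which TTL the reply belongs to. A hop that never answers does not stop the trace; the next TTL is tried regardless.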
Traceroute
• The sender only has the IP address, which means the system running traceroute has to do a DNS lookup to get the hostname associated with the IP address.
• This is a reverse lookup, and it requires that whoever controls the IP address has a pointer (PTR) record configured in the in-addr.arpa zone on their DNS server.
Traceroute
• Generally, service providers will keep their DNS records up to date.
• Because they are the ones who commonly include location information in the hostnames, they are the ones we are going to be most concerned with.
Traceroute
• On a macOS system the utility is named traceroute, and on a Linux system it is also named traceroute.
• On a Windows system, because "traceroute" exceeded the 8-character limit of the 8.3 naming convention from the DOS days, the utility is named tracert.
Traceroute example
• The example shown in Listing 6-5 was done from a Mac OS X system, where the utility is named traceroute.
Traceroute example
• A couple of notes on the traceroute responses.
• First, the times shown are the round-trip times to the individual host at each hop in the path.
• Second, where you see multiple hostnames associated with a particular hop, different probes were answered by different routers that are the same number of hops away, which usually means the provider is load-balancing across multiple paths.
Traceroute example
• The first thing in the output is the IP address of the default gateway on the local network.
• The first place we get a real hostname is on line 3, where the hostname is listed as ge-4-19-ur01.wolcott.ct.hartford.comcast.net.
• This is a port on a network device in Hartford, CT.
Traceroute example
• The ge indicates that this is a gigabit Ethernet (ge) port.
• The numbers after that could indicate slot and port in a large chassis.
• The ur01 identifies the router.
• Service providers will sometimes use short names to indicate the type of router within the network.
• If you see cr, it is probably a core router, meaning a device in the core, deep inside the network.
• An ar router would be an access router, where customers commonly connect.
Traceroute example
• In general, the first part of the hostname is the type of interface, followed by the slot and port numbers if they exist.
• After that, you may well see the location information.
Traceroute example
• In some cases, as in lines 3–5, the name will be pretty straightforward.
• You are seeing multiple entries on those lines because traceroute sends three probes per hop.
• If there are multiple paths through the network to a particular location, each successive probe may hit a different router in the network, and that appears to be the case here.
• It may also indicate some routing distribution or load balancing, depending on where the message is in the network.
Traceroute example
• The Comcast entries that include ibone indicate routers on Comcast's backbone that are located at 111 8th Avenue in Manhattan.
• This particular building is owned by Google and has a meet-me room where multiple carriers get together and hand off traffic to one another.
Traceroute example
• The traceroute goes through a few hops in that building before departing to a number of IP addresses that don't have reverse lookups associated with them, so we don't really know where they are located.
• However, the traceroute terminates at the hostname lga15s44-in-f4.1e100.net.
Traceroute example
• The domain name 1e100.net (1e100 is scientific notation for a googol) is a domain name that Google uses to identify servers within its network.
• If you see a three-letter indicator in a hostname, it may well be an airport code.
• LGA is LaGuardia Airport, in Queens, New York City (geographically on Long Island).
• LGA serves Manhattan, so the servers we have terminated at are located in the New York area; with a content network like Google's, that tells you which point of presence is closest to the client, not where the company is.
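An added example for the traceroute-reading slides above (not code from the course or the textbook): a parser for traceroute output, plus a heuristic that pulls the interface type, router role, place tokens, US state code and airport code out of a provider hostname in the way the slides describe. The sample output is constructed in the BSD/macOS traceroute format; the Comcast hostname and the 1e100.net hostname are the ones the slides discuss, the other hostnames are invented under example.net, and all IPs are RFC 5737 addresses. The interface, role and airport tables are partial heuristics, not any standard, and hostname_hints() applies equally to a reverse-lookup name such as the vt.comcast.net one from Listing 6-4.

```python
"""Parse traceroute output and pull location hints out of router hostnames.

Added example for these slides; not code from the course or textbook. The
sample output is constructed in the BSD/macOS traceroute format: the Comcast
and 1e100.net hostnames are the ones the slides discuss, the rest are
invented under example.net, and all IPs are RFC 5737 addresses. The
interface, router-role and airport tables are partial heuristics.
"""
import re

SAMPLE = """\
traceroute to www.example.com (203.0.113.99), 64 hops max, 52 byte packets
 1  192.0.2.1 (192.0.2.1)  1.2 ms  0.9 ms  1.0 ms
 2  * * *
 3  ge-4-19-ur01.wolcott.ct.hartford.comcast.net (198.51.100.7)  11.0 ms  10.8 ms  11.3 ms
 4  be-21-cr02.newyork.ny.ibone.example.net (198.51.100.21)  18.0 ms be-22-cr01.newyork.ny.ibone.example.net (198.51.100.22)  18.4 ms  18.1 ms
 5  ae-3-ar01.burlington.vt.example.net (203.0.113.3)  25.2 ms  25.0 ms  25.5 ms
 6  lga15s44-in-f4.1e100.net (203.0.113.99)  20.1 ms  20.3 ms  20.0 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ENTRY_RE = re.compile(r"(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)((?:\s+\d+(?:\.\d+)?\s+ms)+)|(\*)")
IFACE_RE = re.compile(r"^([a-z]+)-((?:\d+-)+)([a-z]+)(\d+)$")   # e.g. ge-4-19-ur01
AIRPORT_RE = re.compile(r"^([a-z]{3})\d")                        # e.g. lga15s44

US_STATES = set("""al ak az ar ca co ct de fl ga hi id il in ia ks ky la me md ma mi mn ms mo mt
ne nv nh nj nm ny nc nd oh ok or pa ri sc sd tn tx ut vt va wa wv wi wy dc""".split())
IFACES = {"ge": "Gigabit Ethernet", "xe": "10 Gigabit Ethernet", "te": "Ten Gigabit Ethernet",
          "et": "40/100 Gigabit Ethernet", "ae": "aggregated Ethernet", "be": "bundle Ethernet",
          "po": "port-channel", "so": "SONET"}
ROLES = {"cr": "core router", "ar": "access router"}
AIRPORTS = {"lga": "New York, NY (LaGuardia)", "jfk": "New York, NY (JFK)", "ewr": "Newark, NJ",
            "ord": "Chicago, IL", "lax": "Los Angeles, CA", "sfo": "San Francisco, CA",
            "iad": "Washington, DC (Dulles)", "dfw": "Dallas-Fort Worth, TX",
            "lhr": "London (Heathrow)", "fra": "Frankfurt", "ams": "Amsterdam"}


def parse_traceroute(text):
    """Return [{'hop': n, 'probes': [{'host','ip','rtts'} or None, ...]}, ...]."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # banner line
        probes = []
        for e in ENTRY_RE.finditer(m.group(2)):
            if e.group(4):
                probes.append(None)       # no reply within the timeout
            else:
                rtts = [float(x) for x in re.findall(r"(\d+(?:\.\d+)?)\s+ms", e.group(3))]
                probes.append({"host": e.group(1), "ip": e.group(2), "rtts": rtts})
        hops.append({"hop": int(m.group(1)), "probes": probes})
    return hops


def hostname_hints(hostname):
    """Heuristic reading of a provider hostname: interface, role, place tokens, airport code."""
    labels = hostname.lower().split(".")
    hints = {}
    if len(labels) < 3:
        return hints                      # bare IP or too short to carry structure
    first, middle = labels[0], labels[1:-2]   # drop the registrable domain (comcast.net)
    m = IFACE_RE.match(first)
    if m:
        iface, slots, role, unit = m.groups()
        hints.update(interface=iface, interface_desc=IFACES.get(iface, "unknown interface type"),
                     slot_port=slots.rstrip("-"), role=role,
                     role_desc=ROLES.get(role, f"router code '{role}' (provider specific)"), unit=unit)
    else:
        a = AIRPORT_RE.match(first)
        if a and a.group(1) in AIRPORTS:
            hints.update(airport=a.group(1).upper(), airport_desc=AIRPORTS[a.group(1)])
    for i, label in enumerate(middle):
        if label in US_STATES:            # two-letter labels collide with words (in, or, me): check context
            hints["state"] = label.upper()
            hints["places"] = [middle[j] for j in (i - 1, i + 1) if 0 <= j < len(middle)]
            break
    return hints


def annotate(hops):
    """Attach hints to every distinct hostname at each hop."""
    return [(h["hop"], {p["host"]: hostname_hints(p["host"]) for p in h["probes"] if p}) for h in hops]


if __name__ == "__main__":
    for hop, names in annotate(parse_traceroute(SAMPLE)):
        print(hop, names or "* * *")
```

The place tokens are reported on both sides of the state code because providers differ on whether the city precedes or follows it (the slides' Comcast name has wolcott before ct and hartford after); the analyst, not the heuristic, decides which token is the site. Bare IPs at a hop get no hints at all, which is the honest answer when no PTR record exists.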
Traceroute
• Traceroute can provide a lot of details that are useful not only for network engineers; it can provide some location information for investigators once you learn how to read the output.
• While IP addresses do map to hostnames, you can also get locations from IP addresses in other ways.
Pathping
• Pathping is another Windows utility that can be used to identify a network path; it combines the hop discovery of tracert with a period of repeated pings to each hop to measure loss and latency per hop.