
I.P.D.R Investigation

Lingaraju.S

Index                                              Pg.No
1 Network & IP Address                                 1
1.1 Protocol                                           1
1.2 IP Address                                         2
1.3 IANA / ICANN                                       5
1.4 Internet                                           7
2 Computer Ports                                       8
3 IPDR                                                12
3.1 We can ask for the IPDR of                        12
3.1.1 IPDR sample based on MSISDN                     13
3.1.2 IPDR sample based on IPv4 address               13
3.1.3 IPDR sample based on IPv6 address               14
3.2 Various metadata fields found in an IPDR          15
3.2.1 Meaning of terminologies                        16
3.3 What information can we get from an IPDR?         18
3.4 Investigation Process                             18
3.4.1 Analysis of MSISDN IPDR                         18
3.4.2 Analysis of Public IP IPDR                      20

With due respect,


Dr. S Parashivamurthy, IPS Rtd ADGP.
Dr.K Vamsikrishna, IPS, SP.

Future crimes … will be cyber crimes !


Topic-1: Network & IP Address

A group of computers or computerized peripherals (printers, PCs, laptops, etc.) connected to each other for the purpose of sharing computer resources (data, software and hardware) is called a computer network.

Networking is characterized by:

a) Types of network: LAN, MAN, PAN, WAN
b) Components of a LAN: workstation, server
c) Networking media: wired media, wireless media
d) Networking devices: NIC card, RJ45 jack, cable, Wi-Fi routers
e) Interconnecting devices: repeater, hub, bridge, switch, router
f) Network topology: bus topology, star topology, ring topology, mesh topology

1.1 Protocol:
A protocol is a kind of language for communication. In a network both the workstation and the server communicate with each other through a language called a protocol. It is a set of rules or procedures that allows computers to communicate with each other. Without a protocol, a transmitting computer could, for example, be sending its data in 8-bit packets while the receiving computer expects the data in 16-bit packets. Protocols are established by international or industry-wide organizations (OSI).

The most important protocols are:

a) Internet Protocol (IP): used to send data across the network by dividing it into small packets; each packet contains addressing and control information. IP is responsible only for delivering the packets.

b) Transmission Control Protocol (TCP): used to reassemble, in the right order, the data received from the sender. It provides a reliable stream delivery and virtual connection service to applications through the use of sequenced acknowledgements.
Note: the sending and receiving of messages happens through the coordination of IP and TCP.

c) Hyper Text Transfer Protocol (HTTP): an application layer protocol used for distributed, collaborative, hypermedia information systems. It works on a client-server model, where the web browser acts as the client. Data such as text, images and other multimedia files are shared over the World Wide Web using HTTP.

d) Simple Mail Transfer Protocol (SMTP): a protocol designed to transfer electronic mail reliably and efficiently.

1.2 IP Address:
An IP address is a logical address used to identify a particular computer and to communicate with it in the network. Every computer also has a permanent physical address called the MAC (Media Access Control) address, a unique identifier assigned to the network interface for communication.

• IPv4 address: a 32-bit identifier consisting of 4 parts separated by 3 dots, each part having a numerical value from 0 to 255. Using IPv4 a unique identity can be assigned to a maximum of 4,29,49,67,296 IPs = 2^32 = 256 x 256 x 256 x 256.
Starting IP 0.0.0.0
0.0.0.1 ...
10.7.39.100 ...
192.168.1.100 ...
Ending IP 255.255.255.255

• IPv6 address: allocation of IPv6 began in 1999. IPv6 addresses are 128-bit numbers, conventionally expressed as hexadecimal strings, and support approximately 340 trillion trillion IPs (3.4 x 10^38, i.e. 2^128).
(Eg: FE80:0000:0000:0000:0202:B3FF:FE1E:8329)

• MAC address: this 48-bit addressing system provides approximately 281,474,976,710,656 possible MAC addresses, i.e. 2^48.
01:23:45:67:89:ab
48:2C:6A:1E:59:3D
36:4b:9a:87:99:ff

Note: the MAC address is a permanent address assigned to the PC hardware, whereas the IP address is a logical address assigned to the computer. In network terminology the MAC address is not understood by computers for this purpose, so for easy communication in the network and to locate the desired PC, an IP address is compulsory.

1.2.1 Classes of IP:

IPv4 addresses are divided into 5 classes:

Class A = 0.0.0.0 - 127.255.255.255 (total IPs 2,14,74,83,648)
Class B = 128.0.0.0 - 191.255.255.255 (total IPs 1,07,37,41,824)
Class C = 192.0.0.0 - 223.255.255.255 (total IPs 53,68,70,912)
Class D = 224.0.0.0 - 239.255.255.255 (total IPs 26,84,35,456)
Class E = 240.0.0.0 - 255.255.255.255 (total IPs 26,84,35,456)

1.2.2 Types of IP Address:

• Private IP address: private IPs are the addresses that can be allotted to a private organization / company / school / college etc. to create its own computer network within the organization. Using these ranges of IPs we can configure our own computer network, which communicates only within our organization. These IPs are also assigned to computer peripherals like printers, switches, scanners etc.

Range of private IP addresses:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
(all the IPs in the above ranges can be used as private IPs)

• APIPA address: Automatic Private Internet Protocol Addressing is a feature of the Windows operating system that enables a computer to assign itself an IP address automatically when no IP address has been assigned either automatically (DHCP) or statically.
(* automatic assignment of IP addresses is explained below)

Range of APIPA addresses:
169.254.0.1 - 169.254.255.254

• Public IP address: a public IP address is the address assigned to a computer / computing device to allow access to the Internet. A public IP address is globally unique and is assigned to a single computer / computing device.
Range of public IP addresses:
All the remaining IPs except those used for private and APIPA addresses.
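The classification rules from 1.2 to 1.2.2 (32-bit value, class by first octet, private / APIPA / public by range) can be checked mechanically. The following is an added example written for this text, not code from the original material; it relies only on Python's standard `ipaddress` module and encodes exactly the ranges listed above (172.16.0.0/12 is the CIDR form of 172.16.0.0 - 172.31.255.255, and the APIPA range deliberately excludes 169.254.0.0 and 169.254.255.255, as the range above does).

```python
import ipaddress

# Classful ranges by first octet, as in 1.2.1 (Class A..E).
CLASS_FIRST_OCTET = {
    "A": range(0, 128),
    "B": range(128, 192),
    "C": range(192, 224),
    "D": range(224, 240),
    "E": range(240, 256),
}

# Private ranges from 1.2.2, written in CIDR form.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),        # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),     # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),    # 192.168.0.0 - 192.168.255.255
]
APIPA_BLOCK = ipaddress.ip_network("169.254.0.0/16")


def ipv4_class(addr: str) -> str:
    """Return the class letter (A-E) of a dotted-quad IPv4 address."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24   # top 8 of the 32 bits
    for letter, octets in CLASS_FIRST_OCTET.items():
        if first_octet in octets:
            return letter
    raise ValueError(addr)


def class_size(letter: str) -> int:
    """Addresses in a class: number of first-octet values x 2^24 (the other three octets)."""
    return len(CLASS_FIRST_OCTET[letter]) * 2 ** 24


def ipv4_type(addr: str) -> str:
    """private / APIPA / public, following the 'all the remaining IPs' rule above."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in net for net in PRIVATE_RANGES):
        return "private"
    # 169.254.0.1 - 169.254.255.254: the block minus its first and last address.
    if ip in APIPA_BLOCK and ip not in (APIPA_BLOCK.network_address, APIPA_BLOCK.broadcast_address):
        return "APIPA"
    return "public"


def describe(addr: str) -> dict:
    """Everything an investigator might note about one IPv4 address."""
    ip = ipaddress.IPv4Address(addr)
    return {
        "address": str(ip),
        "class": ipv4_class(addr),
        "type": ipv4_type(addr),
        "as_32bit_int": int(ip),          # the single 32-bit number behind the 4 parts
        "octets": list(ip.packed),        # the 4 parts, each 0..255
    }


def address_space_sizes() -> dict:
    """Total identifiers for the three address families discussed in 1.2."""
    return {"ipv4": 2 ** 32, "ipv6": 2 ** 128, "mac": 2 ** 48}


if __name__ == "__main__":
    for sample in ("10.7.39.100", "172.31.255.255", "169.254.10.20", "123.7.1.10", "224.0.0.1"):
        print(describe(sample))
```

The totals returned by `class_size` and `address_space_sizes` reproduce the figures given in the text (for instance Class A = 2,14,74,83,648 and IPv4 = 2^32), which is a convenient way to confirm that the ranges were typed in correctly.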

1.2.3 IP assignment (giving an IP address to a computer):
There are 2 ways to assign an IP address to a computer.

• Static assignment: the IP address is assigned to the computer manually. The IP has to be entered for the computer in the place meant for it, by following one of these steps.
Step-1: Type netsh in the command prompt (cmd) and press enter, then type the following command and press enter (netsh requires the subnet mask along with the static address; 255.255.255.0 is the usual mask for a 192.168.1.x network):
netsh>interface ip set address name="Local Area Connection" static 192.168.1.10 255.255.255.0
Step-2: Open Run and give the command ncpa.cpl -> right-click on Ethernet -> Properties -> select Internet Protocol Version 4 (TCP/IPv4) -> Properties -> enter the desired IP here and finally click on the OK button.

• DHCP assignment: Dynamic Host Configuration Protocol is the automatic assignment of IPs to computers / computer peripherals with the help of a modem / router etc. Here the work of assigning IP addresses to computers is done by the modem / router on a first-come first-served basis: the first computer that asks the modem for an IP gets the first IP address in the range, the second computer gets the second, and so on.

Type netsh in the command prompt (cmd) and press enter, then type the following command and press enter:

netsh>interface ip set address name="Local Area Connection" dhcp

(* in this method, when the DHCP server [modem/router] does not allot an IP to a computer for some reason, the computer automatically assigns itself an IP; this is called an APIPA address)

1.2.4 To check the IP address and MAC address of a computer / laptop

Click on the Start button -> type 'cmd' in the Run command and press the enter key -> a black command prompt screen opens -> here type 'ipconfig /all' and press enter.

Some results are displayed; look at the results under Ethernet adapter Local Area Connection: you can see your IP address and MAC address in their respective rows, along with a DHCP Enabled Yes / No entry.

Here we can find the MAC address, the IP address and whether the IP address was assigned statically or by DHCP.
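When this screen is copied into a case file, the values of interest (MAC, IPv4 address, DHCP yes/no, whether the adapter was even connected) can be pulled out of the saved `ipconfig /all` text rather than read by eye. The following is an added example written for this text, not part of the original material; the sample output is constructed (the host name and adapter description are made up, the MAC values reuse the examples from 1.2) and the parser only assumes the usual Windows layout of an adapter heading followed by indented "Name . . . : value" lines.

```python
import re

# Constructed sample of `ipconfig /all` output, not captured from a real machine.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : INVESTIGATOR-PC

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller
   Physical Address. . . . . . . . . : 48-2C-6A-1E-59-3D
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 18 March 2021 10:12:33
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Physical Address. . . . . . . . . : 36-4B-9A-87-99-FF
   DHCP Enabled. . . . . . . . . . . : Yes
"""

ADAPTER_RE = re.compile(r"^\S.* adapter (.+):$")        # e.g. "Ethernet adapter Local Area Connection:"
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*: ?(.*)$")         # e.g. "   DHCP Enabled. . . : Yes"


def parse_ipconfig(text: str) -> dict:
    """Split `ipconfig /all` output into {adapter name: {field name: value}}.

    Lines before the first adapter heading (Host Name etc.) go under "(global)".
    """
    adapters: dict = {}
    current = "(global)"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        heading = ADAPTER_RE.match(line)
        if heading:
            current = heading.group(1)
            continue
        field = FIELD_RE.match(line)
        if field:
            adapters.setdefault(current, {})[field.group(1)] = field.group(2).strip()
    return adapters


def normalize_mac(mac: str) -> str:
    """Turn 48-2C-6A-1E-59-3D (Windows) or 48:2c:6a:1e:59:3d into 48:2C:6A:1E:59:3D."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:          # not a 48-bit address
        return ""
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def summarize(text: str) -> list:
    """One row per adapter with the fields 1.2.4 tells the reader to look for."""
    rows = []
    for name, fields in parse_ipconfig(text).items():
        if name == "(global)":
            continue
        rows.append({
            "adapter": name,
            "mac": normalize_mac(fields.get("Physical Address", "")),
            "ipv4": fields.get("IPv4 Address", "").replace("(Preferred)", ""),
            "dhcp": fields.get("DHCP Enabled") == "Yes",
            "connected": fields.get("Media State") != "Media disconnected",
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_IPCONFIG):
        print(row)
```

A disconnected adapter still reports its MAC, so the `connected` flag matters when deciding which interface was actually in use at the time of interest.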

Fig: Communication between computers - Network/Internet

1.3 IANA / ICANN:

a) IANA = Internet Assigned Numbers Authority, a department of ICANN (Internet Corporation for Assigned Names and Numbers), a nonprofit private American corporation. IANA assigns IP addresses globally and is responsible for the global coordination of the Internet Protocol addressing systems, as well as the Autonomous System Numbers used for routing Internet traffic.
Users are assigned IP addresses by Internet service providers (ISPs). ISPs obtain allocations of IP addresses from a Local Internet Registry (LIR) or National Internet Registry (NIR), or from their appropriate Regional Internet Registry (RIR).

b) ICANN (The Internet Corporation for Assigned Names and Numbers) is responsible for managing and coordinating the Domain Name System (DNS) to ensure that every address is unique and that all users of the Internet can find all valid addresses.
IP addresses are hard for humans to remember; therefore the domain name system (DNS), with its easy-to-remember names, was developed. A domain name points to an IP address belonging to a web server. (Ex: www.google.com having IP address 203.132.65.135)

c) Regional Internet Registry: manages, allocates and registers Internet number resources within a particular region of the world.

APNIC (Asia-Pacific Network Information Centre): Asia, New Zealand, Australia and neighbouring countries.
AFRINIC (African Network Information Centre): serves the African countries.
ARIN (American Registry for Internet Numbers): United States, Canada, some parts of the Caribbean region and Antarctica.
LACNIC (Latin America and Caribbean Network Information Centre): Latin America and the remaining parts of the Caribbean region.
RIPE NCC (Réseaux IP Européens Network Coordination Centre): serves Russia, Europe, the Middle East and Central Asia.

d) National Internet Registry: a National Internet Registry (NIR) is an organization and a unit of a Regional Internet Registry with the task of coordinating IP address allocations and other Internet resource management functions at the national level within a country.
The following NIRs are currently operating in the APNIC region:
APJII (Asosiasi Penyelenggara Jasa Internet Indonesia), Indonesian ISP Association
CNNIC, China Internet Network Information Center
JPNIC, Japan Network Information Center
KRNIC, Korea Internet & Security Agency
TWNIC, Taiwan Network Information Center
VNNIC, Vietnam Internet Network Information Center
IRINN, Indian Registry for Internet Names and Numbers

e) IRINN, Indian Registry for Internet Names and Numbers: the Government of India, Department of Electronics & Information Technology, approved and sanctioned the operation of the National Internet Registry (NIR) by the National Internet Exchange of India (NIXI).
1.4 Internet:
The Internet is a network of networks, a WAN. It is a very large network that connects computers all over the world using huge telecommunication links. It is a huge encyclopedia of information. There is no owner of the Internet; even the Internet service providers whom we pay to access the Internet are only gatekeepers.
Data and information at different sites (hosts) are shared here. For every computer to communicate on the Internet there must be a source IP and a destination IP, and these are public IP addresses. Example: 123.7.1.10; the address will be in a public IP series as explained above. But it is not necessary to remember this IP to communicate with each other on the net. Instead of the IP we can have a name of our choice, like www.ksp.gov.in, www.amazon.com etc. This is made possible by DNS (Domain Name System).

The DNS resolves a name into an IP and vice versa.

Whenever you want to access an Internet service from your computer, the ISP gives a particular public IP address to the user, so with this you can access the Internet as the owner of that public IP for the period of allotment.
So, if any crime happens online through the Internet, the ISP plays a very significant role during the investigation by providing the information about the public IP which was mapped to the private IP at a particular time. The ISP also gives you the details of the various websites accessed by the public IP.

Topic-2: Computer Ports

What is a computer port?

A port in computing has three main uses, each as a type of receptacle, in networking, computer hardware and software:
Networking: a port in networking is a software-defined number associated with a network protocol that receives or transmits communication for a specific service.
Hardware: a port in computer hardware is a jack or socket that peripheral hardware plugs into.
Software: a port in computer software is a piece of software that has been translated or converted to run on different hardware or a different operating system (OS) than it was originally designed for.

What is a computer network port?

A port in computer networking is how a computer can use a single physical network connection to handle many incoming and outgoing requests, by assigning a port number to each. Port numbers run from 0 to 65535; a port number is a 16-bit number, and the assignments are regulated by ICANN.

0 - 1023: well-known ports assigned to common protocols and services. These port numbers are specifically defined and always associated with a specific type of service; for example, File Transfer Protocol (FTP) is always port number 21 and Hypertext Transfer Protocol web traffic is always port 80.

1024 - 49151: registered ports, which can be registered with ICANN for specific services.
49152 - 65535: unassigned ports, which can be used by any type of service and are called dynamic / private / ephemeral ports. These can be used by any service on an ad hoc basis. They are assigned when a session is established and released when the session ends.

As an illustration, port numbers are just like the various sections (Accounts, HR, Establishment, Computer, Housekeeping, Stores, Electrical section, etc.) in an office in the real world. The IP address is the address of the whole office; the port is the section providing the service you are looking for. One should assign a particular service to a particular port so that it can be routed correctly when someone from the outside world wants to reach that section in particular.
Ex:
SP Office, Mandya - IP address (118.198.218.233) / domain name (www.mandya.gov.in)
Computer Section - port number (118.198.218.233:80)
A port is always associated with a protocol. Generally this is Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), for communication at the transport layer of the OSI model. Both of these protocols are involved in the transmission of data. UDP is used in situations where the volume of data is large and the security of the data is not of much significance, whereas TCP is used in situations where security of the data is one of the main concerns. The port is specified by writing the URL or IP address followed by a colon and then the port number, for example 10.0.0.1:80 or www.techtarget.com:443. With all Internet communication there is always an associated port, but it may not be shown to the user, as it is often implied by the type of communication.
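The host:port notation and the three port ranges described above are easy to get wrong when reading logs by hand (a port of 50318 is ephemeral, not a service; 65536 is not a port at all). The following is an added example written for this text, not code from the original material: it parses the notation used here (10.0.0.1:80, www.techtarget.com:443), classifies the port into the well-known / registered / dynamic ranges given above, and looks the port up in the well-known table that follows in this section. It goes one step beyond the text by also accepting the bracketed IPv6 form [fe80::1]:443, where the colons inside the address would otherwise be ambiguous.

```python
import ipaddress
import re

# Well-known port assignments as listed in the table in this section.
WELL_KNOWN_SERVICES = {
    20: "FTP (data)", 21: "FTP (control)", 22: "SSH", 23: "Telnet", 25: "SMTP",
    53: "DNS", 67: "DHCP (server)", 68: "DHCP (client)", 69: "TFTP", 80: "HTTP",
    110: "POP3", 119: "NNTP", 123: "NTP", 143: "IMAP4", 161: "SNMP",
    162: "SNMP (trap)", 443: "HTTPS", 3389: "RDP",
}


def port_range(port: int) -> str:
    """Classify a port into the three ranges described in the text."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} is outside the 16-bit range 0-65535")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private/ephemeral"


def parse_endpoint(text: str) -> tuple:
    """Split 'host:port' into (host, port).

    Accepts 10.0.0.1:80 and www.techtarget.com:443 as in the text, plus the
    bracketed IPv6 form [fe80::1]:443. Raises ValueError on anything else,
    including a numeric port above 65535.
    """
    text = text.strip()
    m = re.fullmatch(r"\[([0-9A-Fa-f:.]+)\]:(\d{1,5})", text)      # [ipv6]:port
    if m is None:
        m = re.fullmatch(r"([^:\[\]\s]+):(\d{1,5})", text)            # host:port
    if m is None:
        raise ValueError(f"not a host:port endpoint: {text!r}")
    host, port = m.group(1), int(m.group(2))
    port_range(port)          # validates the numeric range
    return host, port


def host_kind(host: str) -> str:
    """'ipv4', 'ipv6' or 'hostname' (a name still needs DNS to become an IP)."""
    try:
        return "ipv%d" % ipaddress.ip_address(host).version
    except ValueError:
        return "hostname"


def describe_endpoint(text: str) -> dict:
    host, port = parse_endpoint(text)
    return {
        "host": host,
        "host_kind": host_kind(host),
        "port": port,
        "range": port_range(port),
        "service": WELL_KNOWN_SERVICES.get(port, "unassigned/application-specific"),
    }


if __name__ == "__main__":
    for sample in ("10.0.0.1:80", "www.techtarget.com:443", "118.198.218.233:80", "[fe80::1]:3389"):
        print(describe_endpoint(sample))
```

Note that 3389 (RDP) is listed among the well-known services in the table below even though it falls in the registered range; the service lookup and the range classification are kept separate for exactly that reason.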

Well-known ports are:

Port     | Service name                                  | Transport protocol
20, 21   | File Transfer Protocol (FTP)                  | TCP
22       | Secure Shell (SSH)                            | TCP and UDP
23       | Telnet                                        | TCP
25       | Simple Mail Transfer Protocol (SMTP)          | TCP
50, 51   | IPSec                                         |
53       | Domain Name System (DNS)                      | TCP & UDP
67, 68   | Dynamic Host Configuration Protocol (DHCP)    | UDP
69       | Trivial File Transfer Protocol (TFTP)         | UDP
80       | Hyper Text Transfer Protocol (HTTP)           | TCP
110      | Post Office Protocol (POP3)                   | TCP
119      | Network News Transport Protocol (NNTP)        | TCP
123      | Network Time Protocol (NTP)                   | UDP
135-139  | NetBIOS                                       | TCP & UDP
143      | Internet Message Access Protocol (IMAP4)      | TCP & UDP
161, 162 | Simple Network Management Protocol (SNMP)     | TCP & UDP
443      | HTTP with Secure Socket Layer (SSL)           | TCP & UDP
3389     | Remote Desktop Protocol                       | TCP & UDP
Ports used by applications:
WhatsApp:
TCP ports = 80, 443, 4244, 5222, 5223, 5228, 5242, 50318, 59234 (used for WhatsApp chatting)
UDP ports = 34784, 45395, 50318, 59234 (used for WhatsApp calling)

Zoom app:
TCP ports = 80, 443, 8801, 8802
UDP ports = 3478, 3479, 8801, 8802

Command for verifying the NAT with PAT configuration in routers:

Router# show ip nat translations

(this command displays the NAT/PAT translation table)

Pro | Inside local     | Inside global    | Outside local  | Outside global
tcp | 10.10.10.10:7011 | 64.10.75.34:7011 | 74.57.43.19:80 | 74.57.43.19:80

Source & destination ports:

Source ports are user sessions: the source port is the next available number assigned by TCP/IP on the user's machine. This assigned client number is how the network address translation (NAT), which typically resides in the router, determines which user to send the responses back to. Although the same client number is used simultaneously within thousands of organizations, each TCP/IP network keeps track (via NAT) of its own assigned numbers for internal use only. A "socket" is the combination of port number and IP address.

Destination ports are server applications: destination ports may be "well-known ports" (0-1023) for the major Internet applications, such as web and email. For example, all port 80 packets (HTTP packets) are directed to and processed by a web server. User "registered ports" (1024-49151) are assigned to applications that are mostly vendor specific, such as Skype, the Zoom app etc.
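The translation table shown above, and the point that the source port is what lets NAT send replies back to the right user, can be reproduced with a small model. The following is an added example written for this text, not router code or code from the original material; it is a toy NAT-with-PAT router using the addresses from the sample output (public IP 64.10.75.34, inside host 10.10.10.10, destination 74.57.43.19:80), with the second inside host 10.10.10.11 and the spare-port start of 1024 being constructed assumptions. When two inside hosts pick the same source port, the router must give the second one a different public port, which is why an IPDR records the public port alongside the public IP.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Translation:
    """One row of the table, in the order `show ip nat translations` prints it."""
    proto: str
    inside_local: str    # private host:port, e.g. 10.10.10.10:7011
    inside_global: str   # public ip:port after PAT, e.g. 64.10.75.34:7011
    outside_local: str   # destination as seen from inside
    outside_global: str  # destination as seen from outside (same here: no outside NAT)


class PatRouter:
    """Toy NAT with PAT: many private hosts share one public IP, told apart by port."""

    def __init__(self, public_ip: str, first_spare_port: int = 1024):
        self.public_ip = public_ip
        self.table: list = []
        self._used_ports: set = set()
        self._next_spare = first_spare_port

    def _allocate_global_port(self, preferred: int) -> int:
        # Keep the host's own source port while nobody else holds it (as the
        # sample row shows: 7011 -> 7011); otherwise hand out the next spare port.
        if preferred not in self._used_ports:
            return preferred
        while self._next_spare in self._used_ports:
            self._next_spare += 1
        return self._next_spare

    def outbound(self, proto: str, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Translation:
        """A packet leaving the private network: create or reuse a translation."""
        inside_local = f"{src_ip}:{src_port}"
        outside = f"{dst_ip}:{dst_port}"
        for t in self.table:                       # same session already mapped?
            if (t.proto, t.inside_local, t.outside_global) == (proto, inside_local, outside):
                return t
        gport = self._allocate_global_port(src_port)
        self._used_ports.add(gport)
        t = Translation(proto, inside_local, f"{self.public_ip}:{gport}", outside, outside)
        self.table.append(t)
        return t

    def inbound(self, proto: str, from_ip: str, from_port: int, to_port: int) -> Optional[str]:
        """A reply arriving at public_ip:to_port: which private host:port gets it?"""
        wanted = (proto, f"{self.public_ip}:{to_port}", f"{from_ip}:{from_port}")
        for t in self.table:
            if (t.proto, t.inside_global, t.outside_global) == wanted:
                return t.inside_local
        return None                                # no translation: nowhere to deliver

    def show_ip_nat_translations(self) -> list:
        """Rows in the layout of the router command above (header first)."""
        rows = ["Pro Inside local        Inside global       Outside local       Outside global"]
        for t in self.table:
            rows.append(f"{t.proto:<3} {t.inside_local:<19} {t.inside_global:<19} "
                        f"{t.outside_local:<19} {t.outside_global}")
        return rows


if __name__ == "__main__":
    router = PatRouter("64.10.75.34")
    router.outbound("tcp", "10.10.10.10", 7011, "74.57.43.19", 80)
    router.outbound("tcp", "10.10.10.11", 7011, "74.57.43.19", 80)   # same source port, different host
    print("\n".join(router.show_ip_nat_translations()))
    print("reply to :7011 goes to", router.inbound("tcp", "74.57.43.19", 80, 7011))
    print("reply to :1024 goes to", router.inbound("tcp", "74.57.43.19", 80, 1024))
```

Seen from the outside, both hosts appear as 64.10.75.34; only the public port (and the time the translation existed) separates them, which is the reason an ISP request for a public IP alone, without port and timestamp, can return many subscribers.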

Topic-3: IPDR

An Internet Protocol Detail Record is nothing but a GPRS CDR. Where a CDR gives the details of the calls made / received by a cell / mobile phone, in the same way a GPRS CDR gives information about IP-based service usage, performance and other activities. It can tell a number of things about incoming and outgoing traffic, like source and destination IP address, ports, time of access, etc.
In the present generation the usage of smartphones is increasing in huge numbers, with all the latest technological features like mobile Internet, MMS, mobile apps, online mobile shopping etc. Besides making phone calls, nearly all smartphones today can natively provide directions through GPS, take pictures, play music and keep track of appointments and contacts. Through the installation of apps, the list of possible smartphone uses multiplies by tens of thousands and grows longer every day.

In this scenario we can have a detailed record of all the activities done by the suspect using a smartphone with mobile Internet; even if he has not made any calls or messages, having used mobile Internet once for any purpose is enough to get the details of the culprit. This is achieved by the GPRS CDR, which does not contain any details about calls and SMS but purely the GPRS details, together with all the important parameters needed to find the location of the suspect.
So, we law enforcement officers should have the knowledge of extracting these details from the ISP or related organization. The Government of India has already passed an order to all ISPs regarding maintaining and storing the IPDR parameters with respect to Internet and GPRS services. (The copy can be downloaded from the net.)

3.1 We can ask for the IPDR of:

• IP address
• MSISDN
• IMEI
• A particular date & time
• Cell ID, and so on

The request is to be submitted to the nodal officer of the Internet Service Provider (ISP) u/s 92 of CrPC, asking them to furnish the IPDR for the relevant period as per the IPDR mandate of the GOI.

3.1.1 IPDR sample based on MSISDN:

This consists of:

• Source IP
• Source port
• Public IP
• Public port
• Destination IP
• Destination port
• Start date & time of public IP allocation
• End date & time of public IP allocation
• Static / dynamic IP address allocation
• User ID for Internet access authentication
• Device identification number (IMEI)
• IMSI
• CGI ID

3.1.2 IPDR sample based on IPv4 address:

This consists of:
• MSISDN
• IMEI
• IMSI
• Downlink-Vol
• Uplink-Vol
• Session start-time
• Connection type
• Home roaming circle
• Roaming network indicator
• ICR operator name
• Home circle
• Public IP
• Public port
• Destination IP
• Destination port
• Source IP
• Source port
• Duration
• Cell ID1
• Cell ID2

3.1.3 IPDR sample based on IPv6 address:

This consists of:
• Landline / MSISDN for Internet access
• Source IP
• Source port
• Public IP
• Public port
• Destination IP
• Destination port
• Start date & time of public IP allocation
• End date & time of public IP allocation
• Device identification number (IMEI)
• IMSI
• CGI ID

3.2 Various metadata fields found in an IPDR:

Metadata field         | Description
PRIVATE IP             | IP address of the mobile device / digital device
PRIVATE PORT           | Port number of the mobile device / digital device
PUBLIC IP              | Public IP address presented by the mobile / digital device
PUBLIC PORT            | Public port presented by the mobile / digital device
DESTINATION IP         | IP address of the recorded destination
DEST PORT              | Port of the recorded destination
MSISDN                 | Mobile Station International Subscriber Directory Number: the number used to identify a mobile phone number internationally
IMSI                   | International Mobile Subscriber Identity number, which can identify the user of a mobile network
START_DATE, START_TIME | Record start date and time
END_DATE, END_TIME     | Record end date and time
IMEI                   | International Mobile Equipment Identity number, which uniquely identifies the mobile phone
CELL_ID                | ID of the cell tower
UPLINK_VOLUME          | Amount of data uploaded
DOWNLINK_VOLUME        | Amount of data downloaded
TOTAL_VOLUME           | Total volume of the data
I_RATTYPE              | Identifies whether it is 2G / 3G data

3.2.1 Meaning of terminologies:

i. Private IP: when you are connected to GPRS / mobile Internet, 2 IPs are automatically allotted to your phone: one is a private IP and the other is a public IP. The private IP is assigned and allotted by the service provider using the NAT method & PAT technology and changes frequently. This IP is not sufficient on its own to browse the Internet; accordingly we need a public IP.
Steps to know the private IP: go to Settings -> About phone / About device -> Status -> there you will find the private IP; these will be in series such as 100.85.13.157 / 117.254.123.247 / 10.37.13.163 etc. (normally in the 10 / 100 / 117 series only).

ii. Public IP: this is the IP address allotted by the ISP to the subscriber, which actually lets you work with the Internet. This public IP changes very often, each time you connect to your mobile data. This IP identifies the subscriber over the Internet and helps in tracking the criminal on the Internet.
Steps to know the public IP: connect your mobile data -> open the Internet browser -> go to Google search -> type "show my public ip" or "what is my public ip" and press enter -> now Google shows the result; this will be your temporary public IP for the period.
Steps to know the SIM telecom operator of the public IP: go to the website www.ip-tracker.org -> type the public IP of your phone in the space provided -> click on the option "lookup IP address with IP lookup" -> the result will be displayed with details like SIM operator / organization, city, state, country etc.

iii. Destination IP: this is the public IP address of the websites / applications / services used by the user on the Internet for mail service, banking, Facebook, WhatsApp, Amazon, Flipkart etc., as each and every website has a unique IP address. This IP address plays a vital role in the investigation of cybercrime, as it gives details of the websites or web services the suspect has visited, what activities were done and what information he has left on the website.

Steps to know the owner / organization of a website from the destination IP: go to the website www.ip-tracker.org -> type the destination IP in the space provided -> click on the option "lookup IP address with IP lookup" -> the result will be displayed with details like website owner / organization, city, state, country etc.

iv. Cell ID: this shows the location of the caller / person, with time & date, when the Internet activity was done. Significantly, most mobile apps update themselves on their own as soon as the phone connects to the Internet, even if you do not open / use them, and at that time the cell ID automatically captures the details of the smartphone for this process.
v. Downlink: total amount of data used for download activity, in bytes, in a single session.
vi. Uplink: total amount of data used for upload activity, in bytes, in a single session.
vii. From / start date & time: this column shows the point at which the user started using the Internet or an active Internet session started / updated itself.

viii. To / end date & time: this column shows the point at which the user stopped using the Internet or an active Internet session ended / updated itself.

ix. Network / I_Rattype: displays the connection type (2G / 3G), roaming / home network details etc.

3.3 What information can we get from an IPDR?

i. An idea of the Internet activity of the user.
ii. How much time the user spent on the Internet.
iii. The Internet activity most frequently visited / accessed by the user (Facebook, WhatsApp, browser, etc.).
iv. The nature of the user's activity during the night time.
v. An inference that the user visited a particular website on a fixed date & time.
vi. Location during a particular activity, giving conclusive proof that the user was present in a particular location on that particular date & time.
vii. An overall idea of the usage / consumption of data by the user.
viii. Further information can be fetched depending on the investigation skill / tactics of the officer.

3.4 Investigation Process:

The IPDR or GPRS CDR details are so important in an investigation because the details of the mobile phone will be captured even if the suspect has not made any calls or any deliberate Internet activity. If the Internet / mobile data is ON in the phone, that is enough for the operator to record the details in the form of the update process performed by some apps, as explained above. If the suspect performs any Internet activity like online booking or shopping, that is more than enough for us to get the entire details of the suspect by obtaining the details of the transaction from the website owners like Amazon, banks etc.

In this case we have to ask the Amazon or bank nodal officer to give the activities done by the user of the specific public IP address.

3.4.1 Analysis of MSISDN IPDR: IPDR called for a particular mobile number

During the analysis of an MSISDN IPDR, the following aspects need to be highlighted:
• Destination IP address
• Destination port
• Device identification number (IMEI number)
• Date and time of activity
• CGI ID

i. The destination IP address is the main aspect for analysis of any type of IPDR. By analysing the destination IP address, details of the websites visited / accessed by the user can be ascertained.
To look up bulk / multiple destination IP addresses, the following websites may be helpful:
• https://www.infobyip.com/ipbulklookup.php
• https://app.ipapi.co/bulk/
• https://www.showmyip.com/bulk-ip-lookup/
• https://mxtoolbox.com/BulkLookup.aspx
• https://www.bulkseotools.com/bulk-ip-to-location.php

ii. In the same way the destination port number will also be helpful during the analysis:
Eg: TCP port numbers 80, 443, 4244, 5222, 5223, 5228, 5242, 50318, 59234 are used for WhatsApp chatting and UDP port numbers 34784, 45395, 50318, 59234 are used for WhatsApp calling.

iii. The IO has to find out whether the user accessed any website at the specific date & time, so that it will be helpful for him to establish the activity of the user.
iv. The CGI ID is found to be very helpful to prove the presence of the user at that particular date & time.
Cell Global Identity (CGI) = Mobile Country Code (MCC) + Mobile Network Code (MNC) + Location Area Code (LAC) + Cell Identification (CI)
LAI (Location Area Identity) = MCC + MNC + LAC
CGI = (MCC + MNC + LAC) + CI = LAI + CI

v. The public IP address corresponding to the particular destination IP address can be discovered, which helps the IO to find the ISP used by the suspect for Internet connectivity.
Further, the IO can ask the concerned ISP to send the details of the particular IP address at that particular date and time.

3.4.2 Analysis of Public IP IPDR: IPDR called for a particular public IP address

Case: the accused has created a fake Facebook account in the name of the victim and posted content that deteriorates communal harmony in the said Facebook account.

Step-1: Ask the Facebook nodal officer to furnish the public IP address logs of the fake Facebook account, for its creation and frequent access, w.r.t. that particular communal message.

Step-2: After getting the public IP address (Ex: 117.217.197.111, period: 18-03-2021 10:45:00 hrs to 18-03-2021 11:05:00 hrs), call for the IPDR of 117.217.197.111 for the above period by checking the ISP of the IP address through www.iptrackeronline.com.

Public IPv4 | Public IPv6 | Public Port | Destination IP | Destination Port | Source IP | Source Port | Duration | DATE | TIME | DURATION | CALL TYPE | FIRST CELL ID A | LAST CELL ID A | IMEI A | IMSI A
117.217.197.111 | | 20569 | 157.240.0.1 | 443 | 25.43.145.140 | 20569 | 1.993 | 18/03/2021 | 15:17:04 | 0 | INTERNET | 40586100D6411 | | 351578101350015 | 405861078701228
117.217.197.111 | | 32855 | 157.240.0.1 | 443 | 25.43.145.140 | 32855 | 1.992 | 18/03/2021 | 15:17:04 | 0 | INTERNET | 40586100D6411 | | 351578101350015 | 405861078701228
117.217.197.111 | | 22758 | 157.240.0.1 | 443 | 25.102.4.226 | 22758 | 9.587 | 18/03/2021 | 15:17:09 | 0 | INTERNET | 4058610545A30 | | 355362115904992 | 405864072788972
117.217.197.111 | | 28299 | 157.240.0.1 | 443 | 25.102.4.226 | 28299 | 8.99 | 18/03/2021 | 15:17:10 | 0 | INTERNET | 4058610545A30 | | 355362115904992 | 405864072788972
117.217.197.111 | | 24792 | 157.240.0.1 | 443 | 25.102.4.226 | 24792 | 4.467 | 18/03/2021 | 15:17:14 | 0 | INTERNET | 4058610545A30 | | 355362115904992 | 405864072788972
117.217.197.111 | | 18263 | 157.240.0.1 | 443 | 25.75.245.129 | 18263 | 1.964 | 18/03/2021 | 15:17:14 | 0 | INTERNET | 4058612046910 | | 355458114218978 | 405861086182742
117.217.197.111 | | 50629 | 157.240.0.1 | 443 | 25.75.245.129 | 50629 | 107.41 | 18/03/2021 | 15:17:14 | 0 | INTERNET | 4058612046910 | | 355458114218978 | 405861086182742
117.217.197.111 | | 39482 | 157.240.0.1 | 443 | 25.75.245.129 | 39482 | 78.572 | 18/03/2021 | 15:17:14 | 0 | INTERNET | 4058612046910 | | 355458114218978 | 405861086182742
117.217.197.111 | | 59695 | 157.240.0.1 | 443 | 25.75.245.129 | 59695 | 91.411 | 18/03/2021 | 15:17:14 | 0 | INTERNET | 4058612046910 | | 355458114218978 | 405861086182742
117.217.197.111 | | 42360 | 157.240.0.1 | 443 | 25.75.245.129 | 42360 | 102.805 | 18/03/2021 | 15:17:14 | 0 | INTERNET | 4058612046910 | | 355458114218978 | 405861086182742
117.217.197.111 | | 35160 | 157.240.0.1 | 443 | 25.84.9.49 | 35160 | 12.356 | 18/03/2021 | 15:17:19 | 0 | INTERNET | 405861040B718 | | 864799047270667 | 405861058030366
117.217.197.111 | | 15595 | 157.240.0.1 | 443 | 25.84.9.49 | 15595 | 14.841 | 18/03/2021 | 15:17:19 | 0 | INTERNET | 405861040B718 | | 864799047270667 | 405861058030366
117.217.197.111 | | 36671 | 157.240.0.1 | 443 | 25.84.9.49 | 36671 | 16.357 | 18/03/2021 | 15:17:19 | 0 | INTERNET | 405861040B718 | | 864799047270667 | 405861058030366
117.217.197.111 | | 27272 | 157.240.0.1 | 443 | 25.84.9.49 | 27272 | 312.791 | 18/03/2021 | 15:17:19 | 0 | INTERNET | 405861040B718 | | 864799047270667 | 405861058030366
117.217.197.111 | | 37453 | 157.240.0.1 | 443 | 25.84.9.49 | 37453 | 320.096 | 18/03/2021 | 15:17:19 | 0 | INTERNET | 405861040B718 | | 864799047270667 | 405861058030366
117.217.197.111 | | 36696 | 157.240.0.1 | 443 | 25.14.55.249 | 36696 | 242.912 | 18/03/2021 | 15:17:22 | 0 | INTERNET | 4058610491F10 | | 862384053525783 | 405861064463562
117.217.197.111 | | 15386 | 157.240.0.1 | 443 | 25.84.9.49 | 15386 | 1.992 | 18/03/2021 | 15:17:23 | 0 | INTERNET | 405861040B718 | | 864799047270667 | 405861058030366
117.217.197.111 | | 15278 | 157.240.0.1 | 443 | 25.84.9.49 | 15278 | 300.739 | 18/03/2021 | 15:17:25 | 0 | INTERNET | 405861040B718 | | 864799047270667 | 405861058030366
117.217.197.111 | | 42871 | 157.240.0.1 | 443 | 25.106.217.109 | 42871 | 149.131 | 18/03/2021 | 15:17:27 | 0 | INTERNET | 4.05861016E+22 | | 911533150095642 | 405861053448398
117.217.197.111 | | 27722 | 157.240.0.1 | 443 | 25.106.217.109 | 27722 | 157.719 | 18/03/2021 | 15:17:27 | 0 | INTERNET | 4.05861016E+22 | | 911533150095642 | 405861053448398
117.217.197.111 | | 25415 | 157.240.0.1 | 443 | 25.84.9.49 | 25415 | 7.701 | 18/03/2021 | 15:17:28 | 0 | INTERNET | 405861040B718 | | 864799047270667 | 405861058030366
117.217.197.111 | | 33198 | 66.111.48.0 | 443 | 25.108.204.83 | 33198 | 70.747 | 18/03/2021 | 15:17:30 | 0 | INTERNET | 40586104ED624 | | 862757045130913 | 405856058284391
117.217.197.111 | | 13448 | 66.111.48.0 | 443 | 25.108.204.83 | 13448 | 68.508 | 18/03/2021 | 15:17:30 | 0 | INTERNET | 40586104ED624 | | 862757045130913 | 405856058284391
117.217.197.111 | | 26786 | 66.111.48.0 | 443 | 25.84.9.49 | 26786 | 7.884 | 18/03/2021 | 15:17:30 | 0 | INTERNET | 405861040B718 | | 864799047270667 | 405861058030366
117.217.197.111 | | 24638 | 66.111.48.0 | 443 | 25.84.9.49 | 24638 | 365.144 | 18/03/2021 | 15:17:30 | 0 | INTERNET | 405861040B718 | | 864799047270667 | 405861058030366

Step-3: After getting the IPDR for the above period, in order to analyse it without using software, the IO should have an idea about the ports of Facebook as well as the IP spaces used by Facebook.
List of IP spaces used by WhatsApp: 66.111.48.0/24, 66.111.51.0/24
List of ports used by WhatsApp: TCP 80, 443

List of IP spaces used by Facebook: 31.13.24.0/21, 31.13.64.0/18, 45.64.40.0/22, 66.220.144.0/20, 69.63.176.0/20, 69.171.224.0/19, 74.119.76.0/22, 102.132.96.0/20, 103.4.96.0/22, 129.134.0.0/16, 147.75.208.0/20, 157.240.0.0/16, 173.252.64.0/18, 179.60.192.0/22, 185.60.216.0/22, 185.89.216.0/22, 199.201.64.0/22, 204.15.20.0/22
List of ports used by Facebook: TCP 80, 443

Step-4: Now filter the IPDR w.r.t. port numbers 80 and 443 from the received 2042 IPDR records. We will get around 200 records.

Step-5: From the 200 IPDR records found, search for the mobile phone number used to access Facebook.

Step-6: You will find the mobile numbers that accessed Facebook from the above logs. Eg: 9980856723, 8861655112, 7044880044

Step-7: Now the IO should collect the SDR, DOA, CDR & CAF in respect of the MSISDN used for accessing the alleged website, by sending notice to the nodal officer of the MSP u/s 92 of CrPC.
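Steps 3 to 6 (filter the received IPDR to web ports and Facebook / WhatsApp IP space, then work out which devices were behind those rows) are what the IO does by hand in a spreadsheet; the same filtering can be done with a short script so that the result is repeatable and the same for every officer. The following is an added example written for this text, not code from the original material or from any operator's tool. It embeds a constructed CSV in the column layout of the IPDR table above (four rows copied from that table and one made-up DNS row that must be filtered out), uses the IP spaces and ports exactly as listed in Step-3, and groups matches by IMSI and IMEI because those are the subscriber columns present in the sample; the MSISDN behind each IMSI is then obtained from the operator as in Step-7. The CGI split assumes a 3 + 2 + 4 + 4 layout (MCC, MNC, LAC in hex, CI in hex), which fits the 13-character cell IDs in the sample but is an assumption about this export, and the same check flags cell IDs a spreadsheet has silently converted to a number such as 4.05861016E+22, a value that can no longer be matched to a tower.

```python
import csv
import io
import ipaddress

# IP spaces and ports exactly as listed in Step-3 above.
FACEBOOK_SPACES = [ipaddress.ip_network(c) for c in (
    "31.13.24.0/21", "31.13.64.0/18", "45.64.40.0/22", "66.220.144.0/20",
    "69.63.176.0/20", "69.171.224.0/19", "74.119.76.0/22", "102.132.96.0/20",
    "103.4.96.0/22", "129.134.0.0/16", "147.75.208.0/20", "157.240.0.0/16",
    "173.252.64.0/18", "179.60.192.0/22", "185.60.216.0/22", "185.89.216.0/22",
    "199.201.64.0/22", "204.15.20.0/22")]
WHATSAPP_SPACES = [ipaddress.ip_network(c) for c in ("66.111.48.0/24", "66.111.51.0/24")]
WEB_PORTS = {80, 443}

# Constructed CSV in the column layout of the IPDR table above: rows 1-4 copy
# values from that table (including one cell ID a spreadsheet has turned into
# 4.05861016E+22); row 5 is a made-up DNS lookup that the filter must drop.
SAMPLE_IPDR = """\
public_ipv4,public_port,dest_ip,dest_port,source_ip,source_port,duration,date,time,call_type,first_cell_id,imei,imsi
117.217.197.111,20569,157.240.0.1,443,25.43.145.140,20569,1.993,18/03/2021,15:17:04,INTERNET,40586100D6411,351578101350015,405861078701228
117.217.197.111,22758,157.240.0.1,443,25.102.4.226,22758,9.587,18/03/2021,15:17:09,INTERNET,4058610545A30,355362115904992,405864072788972
117.217.197.111,42871,157.240.0.1,443,25.106.217.109,42871,149.131,18/03/2021,15:17:27,INTERNET,4.05861016E+22,911533150095642,405861053448398
117.217.197.111,33198,66.111.48.0,443,25.108.204.83,33198,70.747,18/03/2021,15:17:30,INTERNET,40586104ED624,862757045130913,405856058284391
117.217.197.111,40001,8.8.8.8,53,25.43.145.140,40001,0.120,18/03/2021,15:17:31,INTERNET,40586100D6411,351578101350015,405861078701228
"""


def classify_destination(ip: str) -> str:
    """'facebook', 'whatsapp' or 'other' by membership in the Step-3 IP spaces."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in FACEBOOK_SPACES):
        return "facebook"
    if any(addr in net for net in WHATSAPP_SPACES):
        return "whatsapp"
    return "other"


def split_cgi(cell_id: str):
    """Split a CGI into MCC + MNC + LAC + CI (the composition given in 3.4.1).

    Field widths are an ASSUMPTION for this export: 3 + 2 + 4 hex + 4 hex, which
    fits the 13-character values in the sample. Returns None when the value does
    not fit, which also catches spreadsheet-damaged cell IDs like 4.05861016E+22.
    """
    if len(cell_id) != 13 or any(c not in "0123456789ABCDEFabcdef" for c in cell_id):
        return None
    return {"mcc": cell_id[:3], "mnc": cell_id[3:5], "lac": cell_id[5:9], "ci": cell_id[9:]}


def analyse(ipdr_csv: str, ports=WEB_PORTS) -> dict:
    """Steps 4-6: keep web-port rows into Facebook/WhatsApp space, group by device."""
    rows = list(csv.DictReader(io.StringIO(ipdr_csv)))
    matched = [r for r in rows
               if int(r["dest_port"]) in ports and classify_destination(r["dest_ip"]) != "other"]
    subscribers: dict = {}
    for r in matched:
        key = (r["imsi"], r["imei"])          # MSISDN is not in this export; ask the operator (Step-7)
        entry = subscribers.setdefault(key, {"services": set(), "timestamps": [], "cell_ids": set()})
        entry["services"].add(classify_destination(r["dest_ip"]))
        entry["timestamps"].append(f'{r["date"]} {r["time"]}')
        entry["cell_ids"].add(r["first_cell_id"])
    damaged = sorted({r["first_cell_id"] for r in matched if split_cgi(r["first_cell_id"]) is None})
    return {"total": len(rows), "matched": len(matched),
            "subscribers": subscribers, "damaged_cell_ids": damaged}


if __name__ == "__main__":
    result = analyse(SAMPLE_IPDR)
    print(f'{result["matched"]} of {result["total"]} records hit Facebook/WhatsApp on web ports')
    for (imsi, imei), info in result["subscribers"].items():
        print(imsi, imei, sorted(info["services"]), info["timestamps"], sorted(info["cell_ids"]))
    print("cell IDs needing a clean re-export:", result["damaged_cell_ids"])
```

Two points worth keeping in mind when scaling this from the sample to the full 2042-record export: the public port in each row is what distinguishes subscribers sharing the public IP, so it should be carried through into any notice sent to the operator, and a cell ID that shows up in `damaged_cell_ids` should be requested again as text rather than guessed at, because the original value is unrecoverable from the rounded number.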
