I.P.D.R Investigation
Lingaraju.S
Index
1 Network & IP Address
1.1 Protocol
1.2 IP Address
1.3 IANA / ICANN
1.4 Internet
2 Computer Ports
3 IPDR
3.1 We can ask IPDR of
3.1.1 IPDR sample based on MSISDN
3.1.2 IPDR sample based on IPv4 address
3.1.3 IPDR sample based on IPv6 address
3.2 Various metadata fields found in an IPDR
3.2.1 Meaning of terminologies
3.3 What information we can get from IPDR?
3.4 Investigation Process
3.4.1 Analysis of MSISDN IPDR
3.4.2 Analysis of Public IP IPDR
1.1 Protocol:
A protocol is the language of communication on a network: the
workstation and the server exchange data according to a common set of
rules and procedures. Without an agreed protocol the transmitting computer
might, for example, send its data in 8-bit units while the receiving
computer expects 16-bit units. Protocols are established by international
or industry-wide standards bodies (for example ISO, which published the
OSI reference model, and the IETF, which publishes the Internet protocols
as RFCs).
a) Internet Protocol (IP): used to send data across the network by dividing
it into small packets, each carrying addressing and control information.
IP is responsible only for delivering packets, on a best-effort basis: it
does not by itself guarantee delivery, ordering or error recovery.
c) Hyper Text Transfer Protocol (HTTP): an application-layer protocol for
distributed, collaborative, hypermedia information systems. It works on a
client-server model, in which the web browser acts as the client. Text,
images and other multimedia files are shared over the World Wide Web using
HTTP (port 80). Plain HTTP is unencrypted; HTTPS is HTTP carried over TLS
(port 443) and is what almost all web traffic uses today, so an IPDR
records which server was contacted but not what was sent to it.
1.2 IP Address:
An IP address is a logical address used to identify a particular
computer and to communicate with it on the network. Separately, every
network interface has a physical address called the MAC (Media Access
Control) address, a unique identifier assigned to the interface by its
manufacturer. Note that a MAC address can be changed in software and that
modern phones randomise the MAC they present to Wi-Fi networks, so it is
not an infallible identifier; mobile-network records identify the handset
by IMEI instead.
IPv6 Address: Allocation of IPv6 addresses began in 1999. An IPv6 address
is a 128-bit number, conventionally written as eight groups of
hexadecimal digits, and the address space holds about 340 undecillion
addresses (3.4 x 10^38, i.e. 2^128).
(Eg:- FE80:0000:0000:0000:0202:B3FF:FE1E:8329)
Note: The MAC address is a hardware address burnt into the network
interface, whereas the IP address is a logical address assigned to the
computer. Both exist because a MAC address is meaningful only on the local
link (the switch or Wi-Fi network the device is directly attached to) and
is not routable between networks; to find and reach a particular computer
across a network of networks an IP address is compulsory.
Private IP Address: Private IPs are addresses that any private
organisation, company, school, college etc. may use to build its own
computer network. Using these ranges we can configure a network that
communicates only within the organisation; they are never routed on the
public Internet. These IPs are also assigned to peripherals such as
printers, switches and scanners. The private ranges (RFC 1918) are
10.0.0.0 - 10.255.255.255 (10.0.0.0/8), 172.16.0.0 - 172.31.255.255
(172.16.0.0/12) and 192.168.0.0 - 192.168.255.255 (192.168.0.0/16). APIPA
(Automatic Private IP Addressing) uses 169.254.0.0 - 169.254.255.255,
which a Windows PC assigns itself when it cannot obtain an address from
DHCP.
Public IP Address: A public IP address is assigned to a computer/computing
device to allow access to the Internet. A public IP address is globally
unique. It is not, however, always assigned to a single device: behind NAT
a whole office shares one public IP, and mobile operators share one public
IP among many subscribers at the same time (carrier-grade NAT), telling
them apart by port number. This is why an IPDR request must quote the
public port and the exact time together with the public IP.
Range of public IP addresses:
All the remaining IPs except those reserved for private use and APIPA (and
a few other reserved blocks, such as 127.0.0.0/8 loopback and 224.0.0.0/4
multicast).
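Added example (not from the original page) that applies the private/APIPA/public distinction above in code, using Python's standard ipaddress module. It goes beyond the page by also recognising 100.64.0.0/10, the shared address space mobile operators commonly use behind carrier-grade NAT, and loopback; the function and table names are the example's own.

```python
import ipaddress

# Address ranges that are never routed on the public Internet. The first three
# are the RFC 1918 private ranges and 169.254.0.0/16 is APIPA, as on this page;
# 100.64.0.0/10 (RFC 6598 shared address space, used behind carrier-grade NAT)
# and loopback are additions beyond the page's list.
SPECIAL_RANGES = {
    "private (RFC 1918)": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
    "APIPA (link-local)": [ipaddress.ip_network("169.254.0.0/16")],
    "CGNAT shared space (RFC 6598)": [ipaddress.ip_network("100.64.0.0/10")],
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
}


def classify_ip(text):
    """Return a label describing where an IPv4/IPv6 address string belongs.

    'invalid' is returned for strings that are not addresses at all, so the
    caller can flag malformed fields in an IPDR export instead of crashing.
    """
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return "invalid"
    for label, nets in SPECIAL_RANGES.items():
        if any(addr in net for net in nets):
            return label
    if addr.version == 6:
        if addr.is_link_local:          # fe80::/10, like the example above
            return "IPv6 link-local"
        if addr.is_private:             # fc00::/7 unique local addresses
            return "IPv6 unique local"
    # Everything else that IANA has not reserved is globally routable.
    return "public" if addr.is_global else "other reserved"


def classify_many(addresses):
    """Classify a list of address strings, preserving order."""
    return [(a, classify_ip(a)) for a in addresses]


if __name__ == "__main__":
    for addr, label in classify_many(["192.168.1.10", "169.254.10.5",
                                      "100.100.1.1", "123.7.1.10",
                                      "FE80:0000:0000:0000:0202:B3FF:FE1E:8329",
                                      "300.1.1.1"]):
        print(f"{addr:40} {label}")
```

Note that the handset-side (source) addresses in the sample IPDR later on this page, 25.x.x.x, classify as public here even though they sit behind the operator's NAT: operators do not always number handsets from RFC 1918 space, so treat the Public IP and Public Port as the externally meaningful pair and the source IP as operator-internal.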
Type netsh and press Enter in the command prompt (cmd), then type the
following command and press Enter.
To see the IP and MAC address of a Windows PC: click the Start button,
type 'cmd' in the Run box and press Enter; a black command prompt window
opens. Type 'ipconfig /all' and press Enter.
In the output, look under "Ethernet adapter Local Area Connection": the
IPv4 address, the physical (MAC) address and whether DHCP is enabled
(Yes/No) appear on their respective rows.
1.3 IANA / ICANN:
IANA (the Internet Assigned Numbers Authority, operated by ICANN) is
responsible for global coordination of the Internet Protocol addressing
systems, as well as the Autonomous System Numbers used for routing Internet
traffic.
Users are assigned IP addresses by Internet Service Providers (ISPs).
ISPs obtain allocations of IP addresses from a Local Internet Registry
(LIR) or National Internet Registry (NIR), or from their appropriate
Regional Internet Registry (RIR). The five RIRs are AfriNIC (Africa), APNIC
(Asia-Pacific), ARIN (North America), LACNIC (Latin America and the
Caribbean) and RIPE NCC (Europe, the Middle East and Central Asia).
National Internet Registries under APNIC include:
CNNIC, China Internet Network Information Center
JPNIC, Japan Network Information Center
KRNIC, Korea Internet & Security Agency
TWNIC, Taiwan Network Information Center
VNNIC, Vietnam Network Information Center
IRINN, Indian Registry for Internet Names and Numbers
e) IRINN, Indian Registry for Internet Names and Numbers: the Government of
India, Department of Electronics & Information Technology, approved and
sanctioned the operation of a National Internet Registry (NIR) by the
National Internet Exchange of India (NIXI). For an Indian investigator this
matters because a WHOIS lookup of an Indian public IP address normally
returns the allocating ISP's details from the APNIC/IRINN registry.
1.4 Internet:
The Internet is a network of networks, a WAN that connects computers all
over the world over large telecommunication links. It is a huge store of
information. Nobody owns the Internet; even the Internet Service Provider
we pay for access is only a gatekeeper.
Data and information at different sites (hosts) are shared here. Every
computer communicating on the Internet needs a source IP and a destination
IP, and these are public IP addresses. Example: 123.7.1.10 falls in the
public IP series explained above. It is not necessary to remember such an
IP to communicate; instead we use a name of our choice such as
www.ksp.gov.in or www.amazon.com. This is made possible by DNS (the Domain
Name System), which resolves names to IP addresses. For the investigator
this means an IPDR records the destination IP address, not the domain name
the user typed; the name lookup happens on the phone and appears, if at
all, as a separate short session to the DNS server (usually UDP port 53).
Topic-2: Computer Ports
0 - 1023: well-known (system) ports, assigned by IANA to standard services
such as HTTP (80) and HTTPS (443).
1024 - 49151: registered ports, which can be registered with IANA for
specific services.
49152 - 65535: unassigned ports, usable by any type of service, called
dynamic/private/ephemeral ports. They are used by any service on an ad hoc
basis: a port is picked when a session is established and released when
the session ends, so the same client port is not expected to recur for the
same service in later sessions.
routed correctly when someone from the outside world wants to reach you in
particular.
Ex:
SP Office, Mandya - IP Address (118.198.218.233) / domain name
(www.mandya.gov.in)
Computer Section - Port Number (118.198.218.233:80)
A port is always associated with a transport protocol, normally
Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), which
operate at the Transport layer of the OSI model. Both carry application
data, but they differ in delivery guarantees, not in security: TCP is
connection-oriented and gives reliable, ordered delivery with
retransmission, so it is used where every byte must arrive (web pages,
chat, e-mail); UDP is connectionless and makes no delivery guarantee, so it
is used where speed matters more than occasional loss (voice and video
calls, DNS). Neither encrypts anything by itself; confidentiality comes
from a higher layer such as TLS. The port is written as the URL or IP
address followed by a colon and the port number, for example 10.0.0.1:80
or www.techtarget.com:443. Every Internet communication has an associated
port, but it is often not shown to the user because it is implied by the
type of communication.
Port      Service                                      Transport
161, 162  Simple Network Management Protocol (SNMP)    TCP & UDP
443       HTTPS (HTTP over TLS/SSL)                    TCP & UDP
3389      Remote Desktop Protocol (RDP)                TCP & UDP
Ports used:
WhatsApp:
TCP ports = 80, 443, 4244, 5222, 5223, 5228, 5242, 50318, 59234
(used for WhatsApp chatting)
UDP ports = 34784, 45395, 50318, 59234
(used for WhatsApp calling)
Caveat: 80, 443, 4244, 5222, 5223, 5228 and 5242 are fixed service ports;
the high-numbered values (34784, 45395, 50318, 59234) look like ephemeral
ports observed in one capture and will differ between sessions. When
filtering an IPDR, rely on the fixed ports and on the destination IP
space rather than on these.
Command Verifying NAT with PAT Configuration in routers:
Topic-3: IPDR
In this scenario we can have a detailed record of all the activity a
suspect performed on a smartphone over mobile internet, even if he made no
calls or messages: a single use of mobile data for any purpose is enough
to obtain details of the culprit. This comes from the GPRS CDR (the IPDR),
which contains no call or SMS details but only the data-session details,
together with the parameters needed to locate the suspect.
So we, the law enforcement officers, should know how to obtain these
details from the ISP or the related organisation. The Government of India
has already issued an order to all ISPs on maintaining and storing the
IPDR parameters for Internet and GPRS services. (A copy can be downloaded
from the net.)
A request is to be submitted to the nodal officer of the Internet Service
Provider (ISP) u/s 92 of CrPC to furnish the IPDR for the relevant period,
as per the IPDR mandate of the GOI.
This consists of:
MSISDN
IMEI
IMSI
Downlink-Vol
Uplink-Vol
Session Start-Time
Connection Type
Home Roaming Circle
Roaming Network Indicator
ICR operator Name
Home Circle
Public IP
Public Port
Destination IP
Destination Port
Source IP
Source Port
Duration
Cell ID1
Cell ID2
This consists of:
Landline/MSISDN for Internet Access
Source IP
Source Port
Public IP
Public Port
Destination IP
Destination Port
Start Date & Time of Public IP Allocation
End Date & Time of Public IP Allocation
Device Identification number (IMEI)
IMSI
CGI ID
IMSI: International Mobile Subscriber Identity, a number that identifies
the subscriber (SIM) on a mobile network.
START_DATE, START_TIME: record start date and time.
END_DATE, END_TIME: record end date and time.
IMEI: International Mobile Equipment Identity, a number that uniquely
identifies the handset.
CELL_ID: ID of the cell tower (sector) serving the handset.
UPLINK_VOLUME: amount of data uploaded.
DOWNLINK_VOLUME: amount of data downloaded.
TOTAL_VOLUME: total volume of data.
I_RATTYPE: Radio Access Technology type, i.e. whether the session was on
2G/3G (or, on newer networks, 4G/5G) data.
ii. Public IP: the IP address allotted by the ISP to the subscriber,
through which the subscriber actually reaches the Internet. It changes
often, typically each time mobile data is connected. On mobile networks one
public IP is usually shared by many subscribers at the same time through
carrier-grade NAT, each subscriber being distinguished by the public
(source) port; so a request to the ISP must quote the public IP, the public
port and the exact date and time (with time zone), or the ISP cannot single
out the subscriber. This IP identifies the subscriber over the Internet and
helps in tracking the criminal online.
Steps to know the Public IP: connect mobile data, open the internet
browser, go to Google search and type "show my public ip" or "what is my
public ip", then press Enter; Google shows the result, which is the
temporary public IP for that period.
Steps to know the telecom operator of the Public IP: go to the website
www.ip-tracker.org, enter the public IP of the phone in the space provided
and click the option "lookup IP address with IP lookup"; the result shows
the SIM operator/organisation, city, state, country etc. (Such lookups
give the registrant of the address block, usually the operator and a
region, not the location of the handset.)
iv. Cell ID: this gives the location of the caller/person with the date
and time of the internet activity. Significantly, most mobile apps update
themselves or sync in the background as soon as the phone connects to the
internet, even if the user never opens them. Each such background session
creates an IPDR record carrying the serving cell ID, so the handset's
location is recorded even when the user is not actively using the phone.
v. Downlink: total amount of data used for download activity in bytes in
single session.
vi. Uplink: total amount of data used for upload activity in bytes in single
session.
vii. From/Start date & time: this column shows information about the
start point when user used internet or any internet active session
started/updated itself.
viii. To/End date & time: this column shows information about the end
point when user used internet or any internet active session
ended/updated itself.
ix. Network/I_Rattype: displays the connection type 2G/3G,
roaming/home network details etc,.
3.4.1 Analysis of MSISDN IPDR: IPDR called for a particular mobile number-
During the analysis of an MSISDN IPDR, the following aspects need to be
highlighted:
Destination IP Address
Destination Port
Device Identification Number (IMEI number)
Date and time of activity
CGI ID
ii. In the same way the destination port number will also be helpful
during the analysis:
Eg: TCP port numbers 80, 443, 4244, 5222, 5223, 5228, 5242, 50318, 59234
are used for WhatsApp chatting and UDP port numbers 34784, 45395, 50318,
59234 are used for WhatsApp calling.
iii. The IO has to find out whether the user accessed any website at the
specific date and time, which helps to establish the activity of the user.
Note that an IPDR shows only the destination IP and port, not the URL or
page content (traffic on port 443 is encrypted), and that one IP address
of a CDN or shared hosting provider may serve many websites; the
destination IP narrows the activity to a service or provider, not always
to a single site.
iv. The CGI ID is very helpful in proving the presence of the user at that
particular date and time.
Cell Global Identity (CGI) = Mobile Country Code (MCC) + Mobile Network
Code (MNC) + Location Area Code (LAC) + Cell Identification (CI)
LAI (Location Area Identity) = MCC + MNC + LAC
CGI = (MCC + MNC + LAC) + CI = LAI + CI
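Added example (not part of the original page) that implements the CGI = LAI + CI decomposition above for packed cell identifiers. It assumes the layout MCC (3 digits) + MNC (2 digits) + LAC (4 hex characters) + CI (4 hex characters), which is how the 13-character cell IDs in the sample IPDR in 3.4.2 appear to be packed; that layout is an inference, not something the page states, and the function names are the example's own. Confirm the actual encoding with the operator's nodal officer before relying on it.

```python
# Cell identifiers copied from the sample IPDR in 3.4.2 of this page.
SAMPLE_CELL_IDS = ["40586100D6411", "4058610545A30", "4058612046910",
                   "405861040B718", "4058610491F10", "40586104ED624"]


def split_cgi(cgi, mnc_len=2):
    """Split a packed CGI string into MCC, MNC, LAC and CI.

    Assumed layout (not stated on the page): MCC as 3 decimal digits, MNC as
    mnc_len (2 or 3) decimal digits, then LAC and CI as 4 hexadecimal
    characters each. Indian networks use MCC 404/405; whether an operator's
    MNC is 2 or 3 digits must come from the operator table, since the same
    digits can be read either way.
    """
    cgi = cgi.strip().upper()
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    expected = 3 + mnc_len + 8
    if len(cgi) != expected:
        # Catches, among other things, cell IDs a spreadsheet has turned
        # into floats such as 4.05861016E+22 (see the sample IPDR).
        raise ValueError(f"expected {expected} characters, got {len(cgi)}: {cgi!r}")
    mcc, mnc = cgi[:3], cgi[3:3 + mnc_len]
    if not (mcc.isdigit() and mnc.isdigit()):
        raise ValueError("MCC and MNC must be decimal digits")
    lac = int(cgi[3 + mnc_len:7 + mnc_len], 16)   # ValueError on non-hex
    ci = int(cgi[7 + mnc_len:], 16)
    lai = f"{mcc}-{mnc}-{lac}"                    # LAI = MCC + MNC + LAC
    return {"MCC": mcc, "MNC": mnc, "LAC": lac, "CI": ci,
            "LAI": lai, "CGI": f"{lai}-{ci}"}     # CGI = LAI + CI


def compose_cgi(mcc, mnc, lac, ci):
    """Inverse of split_cgi: CGI = (MCC + MNC + LAC) + CI in packed form."""
    if not (0 <= lac <= 0xFFFF and 0 <= ci <= 0xFFFF):
        raise ValueError("LAC and CI are 16-bit values in GSM/UMTS")
    return f"{mcc}{mnc}{lac:04X}{ci:04X}"


def group_by_location_area(cell_ids, mnc_len=2):
    """Map each LAI to the set of CIs seen under it.

    Cells sharing a LAI lie in the same location area, which is what the IO
    compares when checking whether two records place the handset nearby.
    """
    areas = {}
    for c in cell_ids:
        p = split_cgi(c, mnc_len)
        areas.setdefault(p["LAI"], set()).add(p["CI"])
    return areas


if __name__ == "__main__":
    for c in SAMPLE_CELL_IDS:
        print(c, split_cgi(c))
    print(group_by_location_area(SAMPLE_CELL_IDS))
```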
v. The public IP address with which the suspect reached a particular
destination can be identified (from the destination service's logs or from
the IPDR) and looked up to find the ISP that owns it, i.e. the ISP through
which the suspect connected to the internet.
The IO can then ask that ISP for details of the subscriber using that
public IP (and public port) at that particular date and time.
3.4.2 Analysis of Public IP IPDR: IPDR called for a particular Public IP address-
117.217.197.111 20569 157.240.0.1 443 25.43.145.140 20569 1.993 18/03/2021 15:17:04 0 INTERNET 40586100D6411 351578101350015 405861078701228
117.217.197.111 32855 157.240.0.1 443 25.43.145.140 32855 1.992 18/03/2021 15:17:04 0 INTERNET 40586100D6411 351578101350015 405861078701228
117.217.197.111 22758 157.240.0.1 443 25.102.4.226 22758 9.587 18/03/2021 15:17:09 0 INTERNET 4058610545A30 355362115904992 405864072788972
117.217.197.111 28299 157.240.0.1 443 25.102.4.226 28299 8.99 18/03/2021 15:17:10 0 INTERNET 4058610545A30 355362115904992 405864072788972
117.217.197.111 24792 157.240.0.1 443 25.102.4.226 24792 4.467 18/03/2021 15:17:14 0 INTERNET 4058610545A30 355362115904992 405864072788972
117.217.197.111 18263 157.240.0.1 443 25.75.245.129 18263 1.964 18/03/2021 15:17:14 0 INTERNET 4058612046910 355458114218978 405861086182742
117.217.197.111 50629 157.240.0.1 443 25.75.245.129 50629 107.41 18/03/2021 15:17:14 0 INTERNET 4058612046910 355458114218978 405861086182742
117.217.197.111 39482 157.240.0.1 443 25.75.245.129 39482 78.572 18/03/2021 15:17:14 0 INTERNET 4058612046910 355458114218978 405861086182742
117.217.197.111 59695 157.240.0.1 443 25.75.245.129 59695 91.411 18/03/2021 15:17:14 0 INTERNET 4058612046910 355458114218978 405861086182742
117.217.197.111 42360 157.240.0.1 443 25.75.245.129 42360 102.805 18/03/2021 15:17:14 0 INTERNET 4058612046910 355458114218978 405861086182742
117.217.197.111 35160 157.240.0.1 443 25.84.9.49 35160 12.356 18/03/2021 15:17:19 0 INTERNET 405861040B718 864799047270667 405861058030366
117.217.197.111 15595 157.240.0.1 443 25.84.9.49 15595 14.841 18/03/2021 15:17:19 0 INTERNET 405861040B718 864799047270667 405861058030366
117.217.197.111 36671 157.240.0.1 443 25.84.9.49 36671 16.357 18/03/2021 15:17:19 0 INTERNET 405861040B718 864799047270667 405861058030366
117.217.197.111 27272 157.240.0.1 443 25.84.9.49 27272 312.791 18/03/2021 15:17:19 0 INTERNET 405861040B718 864799047270667 405861058030366
117.217.197.111 37453 157.240.0.1 443 25.84.9.49 37453 320.096 18/03/2021 15:17:19 0 INTERNET 405861040B718 864799047270667 405861058030366
117.217.197.111 36696 157.240.0.1 443 25.14.55.249 36696 242.912 18/03/2021 15:17:22 0 INTERNET 4058610491F10 862384053525783 405861064463562
117.217.197.111 15386 157.240.0.1 443 25.84.9.49 15386 1.992 18/03/2021 15:17:23 0 INTERNET 405861040B718 864799047270667 405861058030366
117.217.197.111 15278 157.240.0.1 443 25.84.9.49 15278 300.739 18/03/2021 15:17:25 0 INTERNET 405861040B718 864799047270667 405861058030366
117.217.197.111 42871 157.240.0.1 443 25.106.217.109 42871 149.131 18/03/2021 15:17:27 0 INTERNET 4.05861016E+22 911533150095642 405861053448398
117.217.197.111 27722 157.240.0.1 443 25.106.217.109 27722 157.719 18/03/2021 15:17:27 0 INTERNET 4.05861016E+22 911533150095642 405861053448398
117.217.197.111 25415 157.240.0.1 443 25.84.9.49 25415 7.701 18/03/2021 15:17:28 0 INTERNET 405861040B718 864799047270667 405861058030366
117.217.197.111 33198 66.111.48.0 443 25.108.204.83 33198 70.747 18/03/2021 15:17:30 0 INTERNET 40586104ED624 862757045130913 405856058284391
117.217.197.111 13448 66.111.48.0 443 25.108.204.83 13448 68.508 18/03/2021 15:17:30 0 INTERNET 40586104ED624 862757045130913 405856058284391
117.217.197.111 26786 66.111.48.0 443 25.84.9.49 26786 7.884 18/03/2021 15:17:30 0 INTERNET 405861040B718 864799047270667 405861058030366
117.217.197.111 24638 66.111.48.0 443 25.84.9.49 24638 365.144 18/03/2021 15:17:30 0 INTERNET 405861040B718 864799047270667 405861058030366
Step-3: After receiving the IPDR for the above period, to analyse it
without software the IO should know the ports as well as the IP spaces
used by Facebook and WhatsApp.
List of IP spaces used by WhatsApp: 66.111.48.0/24, 66.111.51.0/24
List of ports used by WhatsApp: TCP 80, 443
Note: the address lists here are a snapshot as of the date of this
document; providers add and change ranges, so refresh them from the
provider's published list before filtering.
List of IP spaces used by facebook: 31.13.24.0/21, 31.13.64.0/18,
45.64.40.0/22, 66.220.144.0/20, 69.63.176.0/20, 69.171.224.0/19,
74.119.76.0/22, 102.132.96.0/20, 103.4.96.0/22, 129.134.0.0/16,
147.75.208.0/20, 157.240.0.0/16, 173.252.64.0/18, 179.60.192.0/22,
185.60.216.0/22, 185.89.216.0/22, 199.201.64.0/22, 204.15.20.0/22
List of Ports used by facebook: TCP 80, 443
Step-4: Now filter the IPDR with respect to port numbers 80 and 443 (and
destination addresses within the Facebook IP spaces) from the 2042 IPDR
records received. Around 200 records remain.
Step-5: From the 200 IPDR records found, identify the mobile phone numbers
(MSISDN, or the IMSI/IMEI where the record carries those instead) used to
access Facebook.
Step-6: The mobile numbers that accessed Facebook will be found from the
above logs. Eg: 9980856723, 8861655112, 7044880044
Step-7: The IO should now collect the SDR (Subscriber Detail Record), DOA
(Date of Activation), CDR (Call Detail Record) and CAF (Customer
Application Form) in respect of the MSISDNs used to access the alleged
website, by sending notice to the nodal officer of the MSP (Mobile Service
Provider) u/s 92 of CrPC.
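Added example (not from the original page) of Steps 3 to 6 performed in Python rather than by hand. It assumes a column order for the unlabeled rows in 3.4.2, namely public IP, public port, destination IP, destination port, source IP, source port, duration, date, time, a flag column, connection type, cell ID, IMEI and IMSI (an inference from the field list in 3.2, not something the page states); the sample rows and their IMEI/IMSI values are constructed to mirror that layout, and the Facebook and WhatsApp ranges are the page's own lists. The function names are the example's own.

```python
import ipaddress
from datetime import datetime

# Assumed column order for the header-less IPDR rows in 3.4.2 (an inference
# from the field list in 3.2, not something the page states).
COLUMNS = ["public_ip", "public_port", "dst_ip", "dst_port", "src_ip",
           "src_port", "duration", "date", "time", "flag", "conn_type",
           "cell_id", "imei", "imsi"]

# Facebook and WhatsApp address space as listed on this page (a snapshot;
# refresh from the provider before real use).
FACEBOOK_NETS = [ipaddress.ip_network(n) for n in (
    "31.13.24.0/21", "31.13.64.0/18", "45.64.40.0/22", "66.220.144.0/20",
    "69.63.176.0/20", "69.171.224.0/19", "74.119.76.0/22", "102.132.96.0/20",
    "103.4.96.0/22", "129.134.0.0/16", "147.75.208.0/20", "157.240.0.0/16",
    "173.252.64.0/18", "179.60.192.0/22", "185.60.216.0/22", "185.89.216.0/22",
    "199.201.64.0/22", "204.15.20.0/22")]
WHATSAPP_NETS = [ipaddress.ip_network(n) for n in ("66.111.48.0/24", "66.111.51.0/24")]
WEB_PORTS = {80, 443}

# Constructed sample rows in the assumed layout; IMEI/IMSI values are made up.
# Line 6 reproduces a defect seen in the page's sample (source IP and port
# fused by the export) and lines 6-7 the spreadsheet-mangled cell ID.
SAMPLE_IPDR = """\
117.217.197.111 20569 157.240.0.1 443 25.43.145.140 20569 1.993 18/03/2021 15:17:04 0 INTERNET 40586100D6411 350000000000011 405860000000001
117.217.197.111 32855 157.240.0.1 443 25.43.145.140 32855 1.992 18/03/2021 15:17:04 0 INTERNET 40586100D6411 350000000000011 405860000000001
117.217.197.111 22758 157.240.0.1 5222 25.102.4.226 22758 9.587 18/03/2021 15:17:09 0 INTERNET 4058610545A30 350000000000022 405860000000002
117.217.197.111 33198 66.111.48.0 443 25.108.204.83 33198 70.747 18/03/2021 15:17:30 0 INTERNET 40586104ED624 350000000000033 405860000000003
117.217.197.111 15386 8.8.8.8 443 25.84.9.49 15386 1.992 18/03/2021 15:17:23 0 INTERNET 405861040B718 350000000000044 405860000000004
117.217.197.111 42871 157.240.0.1 443 25.106.217.10942871 149.131 18/03/2021 15:17:27 0 INTERNET 4.05861016E+22 350000000000055 405860000000005
117.217.197.111 27272 157.240.0.1 443 25.84.9.49 27272 312.791 18/03/2021 15:17:19 0 INTERNET 4.05861016E+22 350000000000044 405860000000004
"""


def parse_ipdr(text):
    """Split rows into dicts; return (rows, rejected 1-based line numbers)."""
    rows, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != len(COLUMNS):      # fused or missing field: do not guess
            rejected.append(lineno)
            continue
        row = dict(zip(COLUMNS, fields))
        try:
            row["dst_ip"] = ipaddress.ip_address(row["dst_ip"])
            row["dst_port"] = int(row["dst_port"])
            row["when"] = datetime.strptime(row["date"] + " " + row["time"],
                                            "%d/%m/%Y %H:%M:%S")
        except ValueError:
            rejected.append(lineno)
            continue
        rows.append(row)
    return rows, rejected


def filter_service(rows, nets, ports=WEB_PORTS):
    """Step-4: keep rows whose destination port and IP match the service."""
    return [r for r in rows
            if r["dst_port"] in ports and any(r["dst_ip"] in n for n in nets)]


def summarise_by_imsi(rows):
    """Steps 5-6: per subscriber, handsets seen, sessions, time span, cells."""
    out = {}
    for r in rows:
        s = out.setdefault(r["imsi"], {"imei": set(), "sessions": 0, "cells": set(),
                                       "unusable_cells": 0, "first": r["when"],
                                       "last": r["when"]})
        s["imei"].add(r["imei"])
        s["sessions"] += 1
        if "E+" in r["cell_id"].upper():    # hex cell ID turned into a float by a spreadsheet
            s["unusable_cells"] += 1         # ask the ISP for the raw export
        else:
            s["cells"].add(r["cell_id"])
        s["first"] = min(s["first"], r["when"])
        s["last"] = max(s["last"], r["when"])
    return out


def analyse(text=SAMPLE_IPDR, nets=FACEBOOK_NETS + WHATSAPP_NETS):
    rows, rejected = parse_ipdr(text)
    hits = filter_service(rows, nets)
    return {"parsed": len(rows), "rejected": rejected,
            "hits": len(hits), "by_imsi": summarise_by_imsi(hits)}


if __name__ == "__main__":
    result = analyse()
    print(f"parsed {result['parsed']} rows, rejected lines {result['rejected']}, "
          f"{result['hits']} sessions to Facebook/WhatsApp on ports 80/443")
    for imsi, s in result["by_imsi"].items():
        print(imsi, sorted(s["imei"]), s["sessions"], s["first"], s["last"],
              sorted(s["cells"]), s["unusable_cells"])
```

The rejected line numbers matter as much as the hits: a row the export has damaged is evidence that must be re-requested in raw form, not silently dropped or repaired by hand, and a subscriber whose only matching sessions carry mangled cell IDs cannot be placed by this data alone.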