1	IP TRACING A Primer in tracing IP and email addresses
2	Email Most widely used Internet application Email can reach users in almost every country User’s ID and geographic location can usually be determined Anonymous re-mailers Web based Mail
3	Structure of Email Address
4	Email Headers Most important part of the message Usually hidden Tells you where the message originated, where it has been, and where it is received
5	Examining Email Headers
6	Tracing Email Today’s email Software must be set to display email headers – each email client does this differently Usually, when saving the email to text file, the headers are also saved along with the message text Find the originating server domain name and IP address
7	Outlook Example To display the full message header in Outlook, from the main menu click on View/Options
8	WHOIS Searches It used to be that you could go to: http://www.internic.net/whois.html Enter IP address or Domain Name Get information on the domain registrant “Privacy” concerns, multiple Registrars, & new top level domain names have made it more difficult to get this information For a listing of Registrars: http://www.internic.net/alpha.html
9	Now, You May Have to Visit Multiple WHOIS Sites There are many websites that offer Whois search engines; two good ones are at: http://www.better-whois.com/ http://whois.enom.com Several different tools are also found at: http://www.samspade.org Domain Name Registrars usually offer Whois search, e.g., http://www.namecheap.com As a last result, this information can be obtained by subpoena (if available) Hackers may have falsified their domain registration data
10	Whois Search Results [whois.enom.com] Registration Service Provided By: NameCheap.com Contact: support@NameCheap.com Domain name: cfedc.org Registrant Contact: Washington Metro Chapter of CFEs Phillip Rodokanakis (phil_r@cox.net) 703-766-0500 FAX: 703-736-0817 3173 Ramesses Ct. Oak Hill, VA 20171 US Also gives data on Administrative, Billing, & Technical contacts. It usually also includes DNS server information as well as creation, expiration and update dates
11	Review Whois Data Against Email Header
12	Advanced Network Tools NSLookup: Looks up IP address from domain name Whois: Searchable database that contains information about networks, domain names, and their contacts (several Whois databases exist) Finger: Tells you the name or entity associated with email address; it may also tell you if address owner is online (does not work on all systems) All of these tools and more can be found at: http://tools.bintec.com/ or http://www.samspade.org
13	IP vs. Name Based Sites With the proliferation of Internet Networks and websites, IP Numbers are becoming scarce Hosting companies now employ a named based scheme, so that each website hosted on a virtual server shares the IP No. of the server For example, CFEDC.ORG & CFEMD.ORG have the same IP number, because they are hosted on the same server which uses named based hosting
14	Example: CFEDC.ORG
15	IP No. Shows Hosting Co., not CFEDC Info
16	"Phillip Rodokanakis" Phillip Rodokanakis, CFE Managing Partner U.S. Data Forensics, LLC 4520 East West Hwy Suite #640 Bethesda, MD 20814 Tel. 301-657-5600 FAX 301-907-9227 phil@usdfllc.com www.usdataforensics.com