Domain name forensics: a systematic approach to investigating an internet presence

1
Domain name forensics: a systematic approach to
investigating an internet presence
  • Source: Bruce Nikkel, Digital Investigation (2004) 1, 247-255
  • Date: Mar. 7, 2006
  • Reporter: Sparker, Yao
  • Professor: Shiuh-Jeng, Wang

2
Our scheme
  • Introduction
  • Advantages of complexity
  • Identifying points of responsibility
  • --- Domain name registrars
  • --- Domain name registrants
  • --- DNS server owners
  • --- Regional Internet registries
  • --- Network owners
  • --- Web server owners
  • --- Email server owners
  • --- Upstream ISP
  • --- Telecommunications carriers
  • --- Routes and AS owners
  • --- Other responsible parties
  • --- The next generation, IPv6

3
Our scheme (cont.)
  • Collecting and preserving the evidence
  • --- Preparing for the investigation
  • --- Investigating the domain registry and
    registrant
  • --- Investigating the DNS owners
  • --- Investigating the IP network owners
  • --- Investigating the reverse DNS
  • --- Investigating the webserver owner
  • --- Investigating the upstream ISPs
  • --- Investigating the routing information
  • --- Investigating the physical location
  • --- Investigating the email owners
  • --- Finding additional information

4
Our scheme (cont.)
  • Packaging and preserving the evidence
  • Presenting the evidence
  • Conclusion and future work

5
Motivation
  • Finding the parties responsible for the different
    infrastructure areas has become time consuming
    and error prone.
  • Systematic approach to investigating a complex
    Internet presence
  • --- collecting
  • --- time-stamping
  • --- packaging
  • --- preserving
  • --- presenting

6
Advantages of complexity
  • Having critical infrastructure spread across
    multiple parties can help investigators overcome
    legal jurisdiction hurdles, as well as solve
    issues regarding anonymity.
  • Illegal activity done using Internet
    infrastructure residing outside a local
    jurisdiction has always been difficult to bring
    under control.
  • The more parties involved in the existence of an
    Internet presence, the more difficult it becomes
    for an entity to remain completely anonymous.

7
Identifying points of responsibility
  • Domain name registrars
  • --- TLD (top level domain)
  • --- ccTLD (country code TLDs)
  • --- gTLD (generic TLDs)
  • Regional Internet registries
  • --- ARIN
  • --- LACNIC
  • --- APNIC
  • --- RIPE

8
Collecting and preserving the evidence
  • Use the Unix script command to keep a record of
    everything we see or type; this eliminates the
    human errors that come from graphical
    interactions such as copying and pasting.
  • For example
  • mkdir evidence
  • cd evidence
  • script record.txt
  • ntpq -p > timesync.txt (records the local NTP peer
    status, showing the clock was synchronized when
    the timestamps were taken)
  • date

9
Collecting and preserving the evidence (cont.)
  • --- Investigating the domain registry and
    registrant
  • --- Investigating the DNS owners
  • --- Investigating the IP network owners
  • --- Investigating the reverse DNS
  • --- Investigating the webserver owner
  • --- Investigating the upstream ISPs
  • --- Investigating the routing information
  • --- Investigating the physical location
  • --- Investigating the email owners
  • --- Finding additional information

10
Packaging and preserving the evidence
  • Package the collected evidence using the Unix tar
    command
  • exit (ends the script session and closes record.txt)
  • cd ..
  • tar cvf evidence.tar evidence
  • Make a cryptographic hash of the tar file
  • md5 evidence.tar > evidence.md5 (md5sum on Linux)

11
Presenting the evidence
  • Alongside the evidence we have created a report
    that, without going into too much technical
    detail, non-technical staff can use within the
    context of their roles.
  • The information in the report can be
    independently verified based on the data in the
    evidence.tar file.
  • The integrity of the evidence.tar file can be
    verified with the evidence.md5 file.
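As an added, complete example that is not part of the presentation or of Nikkel's paper, the following POSIX shell script strings slides 8 to 11 together: timestamped collection into an evidence directory, packaging with tar, hashing the archive, and verifying the archive against the stored hash. It replaces the interactive script session with a wrapper that stamps each command's output, and replaces MD5 with SHA-256, because MD5 collisions have been practical since 2004 and a digest used to attest evidence integrity must be collision resistant. The file names (evidence/, evidence.tar, evidence.sha256), the choice of lookups, and the offline sample commands in demo are this example's assumptions.

```shell
#!/bin/sh
# Added example; not code from Nikkel's paper or from the slides.
# Scripts the slide 8-11 workflow: timestamped collection into an evidence
# directory, packaging with tar, hashing the archive, and independent
# verification of the archive against the stored hash. File names
# (evidence/, *.sha256) and the sample commands are this example's choices.

# Hash a file with SHA-256 and print only the hex digest. SHA-256 replaces
# the slide's MD5, whose collision resistance has been broken since 2004.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # macOS/BSD
    fi
}

# Run one command and save its output in the evidence directory, prefixed
# with a UTC timestamp and the exact command line. This is the job the
# slide gives to `script`: each artifact records when and how it was made.
collect() {
    dir="$1"; out="$2"; shift 2
    {
        printf '# collected: %s\n# command:   %s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*"
        "$@" 2>&1 || printf '# exit status: %s\n' "$?"
    } > "$dir/$out"
}

# Slide 9 lookups for one domain, in the order the slides give them:
# registrar, DNS, IP network owner, reverse DNS. Each runs only if the tool
# is installed. Not exercised offline; shown for the shape of the procedure.
collect_online() {
    dir="$1"; domain="$2"
    command -v ntpq  >/dev/null 2>&1 && collect "$dir" timesync.txt ntpq -p
    command -v whois >/dev/null 2>&1 && collect "$dir" whois-domain.txt whois "$domain"
    if command -v dig >/dev/null 2>&1; then
        collect "$dir" dns-ns.txt dig +noall +answer NS "$domain"
        collect "$dir" dns-a.txt  dig +noall +answer A  "$domain"
        collect "$dir" dns-mx.txt dig +noall +answer MX "$domain"
        # Reverse DNS and IP-owner whois for the first address returned.
        ip=$(dig +short A "$domain" | head -n 1)
        if [ -n "$ip" ]; then
            collect "$dir" reverse-dns.txt dig +short -x "$ip"
            command -v whois >/dev/null 2>&1 && collect "$dir" whois-ip.txt whois "$ip"
        fi
    fi
    return 0
}

# Slide 10: archive the directory, hash the archive, keep the hash beside it.
package_evidence() {
    dir="$1"
    tar cf "$dir.tar" "$dir"
    hash_file "$dir.tar" > "$dir.sha256"
}

# Slide 11: anyone holding evidence.tar and evidence.sha256 can recompute
# the digest and confirm the archive is unchanged. Exit status 0 on match.
verify_evidence() {
    dir="$1"
    [ -f "$dir.sha256" ] && [ "$(hash_file "$dir.tar")" = "$(cat "$dir.sha256")" ]
}

# Offline demonstration with constructed content: collects two local
# commands in place of the network lookups, packages, verifies, then appends
# one byte to the archive to show verification failing. Prints "ok".
demo() {
    work=$(mktemp -d) || return 1
    cd "$work" || return 1
    mkdir evidence
    collect evidence timesync.txt date -u       # stands in for ntpq -p
    collect evidence host.txt uname -n
    package_evidence evidence
    verify_evidence evidence || return 1        # fresh archive verifies
    printf 'x' >> evidence.tar                  # simulate tampering
    if verify_evidence evidence; then return 1; fi
    echo ok
}
```

Run `demo` for the offline walk-through, or `collect_online evidence example.com` followed by `package_evidence evidence` against a live target. The .sha256 file is what you hand to whoever verifies the archive; deliver it over a different channel than the tar file, since anyone who can alter an archive sitting next to its digest can rewrite the digest too.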

12
Conclusion and future work
  • Defined the points of responsibility related to
    an Internet presence.
  • Systematically collected and time-stamped the
    evidence which identifies these parties.
  • Saved and packaged the evidence in an organized
    manner.
  • Created a cryptographic hash of the evidence to
    ensure integrity is preserved.
  • Created a verifiable report presenting the
    contact information found in the evidence.
