
Domain name forensics: a systematic approach to investigating an internet presence

Source: Digital Investigation (2004) 1, 247-255. Date: Mar. 7th, 2006. Reporter: Sparker, Yao. Professor: Shiuh-Jeng, Wang.


Presentation Transcript


  1. Domain name forensics: a systematic approach to investigating an internet presence • Source : Digital Investigation (2004) 1, 247-255 • Date : Mar. 7th, 2006 • Reporter : Sparker, Yao • Professor : Shiuh-Jeng, Wang

  2. Our scheme • Introduction • Advantages of complexity • Identifying points of responsibility --- Domain name registrars --- Domain name registrants --- DNS server owners --- Regional Internet registries --- Network owners --- Web server owners --- Email server owners --- Upstream ISP --- Telecommunications carriers --- Routes and AS owners --- Other responsible parties --- The next generation, IPv6

  3. Our scheme (cont.) • Collecting and preserving the evidence --- Preparing for the investigation --- Investigating the domain registry and registrant --- Investigating the DNS owners --- Investigating the IP network owners --- Investigating the reverse DNS --- Investigating the webserver owner --- Investigating the upstream ISPs --- Investigating the routing information --- Investigating the physical location --- Investigating the email owners --- Finding additional information

  4. Our scheme (cont.) • Packaging and preserving the evidence • Presenting the evidence • Conclusion and future work

  5. Motivation • Finding the parties responsible for the different infrastructure areas has become time consuming and error prone. • Systematic approach to investigating a complex Internet presence --- collecting --- time-stamping --- packaging --- preserving --- presenting

  6. Advantages of complexity • Having critical infrastructure spread across multiple parties can help investigators overcome legal jurisdiction hurdles, as well as solve issues regarding anonymity. • Illegal activity done using Internet infrastructure residing outside a local jurisdiction has always been difficult to bring under control. • The more parties involved in the existence of an Internet presence, the more difficult it becomes for an entity to remain completely anonymous: each registrar, registry, DNS, hosting and network provider holds its own records, and each is a separate point at which a contact can be identified.

  7. Identifying points of responsibility • Domain name registrars : --- TLD (top level domain) --- ccTLD (country code TLDs) --- gTLD (generic TLDs) • Regional Internet registries : --- ARIN --- LACNIC --- APNIC --- RIPE

  8. Collecting and preserving the evidence • Use the Unix script command to keep a record of everything we see or type; human errors from graphical interactions, such as copying and pasting, are eliminated. Record the clock's NTP state before the first lookup so that the time-stamps in the record can be trusted. • For example : • $ mkdir evidence • $ cd evidence • $ script record.txt • $ ntpq -p > timesync.txt • $ date

  9. Collecting and preserving the evidence (cont.) --- Investigating the domain registry and registrant --- Investigating the DNS owners --- Investigating the IP network owners --- Investigating the reverse DNS --- Investigating the webserver owner --- Investigating the upstream ISPs --- Investigating the routing information --- Investigating the physical location --- Investigating the email owners --- Finding additional information

  10. Packaging and preserving the evidence • Package the collected evidence using the Unix tar command : • $ exit • $ cd .. • $ tar cvf evidence.tar evidence • Make a cryptographic hash of the tar file : • $ md5 evidence.tar > evidence.md5
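The collect, time-stamp, package and hash steps of slides 8 to 10, together with the lookups of slides 7 and 9, as one added shell example. This is not code from the paper or from the presentation; it assumes a POSIX sh with tar, dig, whois, traceroute and sha256sum (or shasum) installed, and the function and file names (run_logged, lookup_presence, manifest.txt, record.txt) are the example's own. It replaces the slide's md5 with SHA-256 because MD5 collisions have been practical since 2004, so an evidence.md5 file no longer demonstrates that the archive is unaltered.

```shell
#!/bin/sh
# Added example (not from the paper or the slides): collect lookups under a
# time-stamped record, package the evidence directory with tar, and hash the
# archive.  Assumes POSIX sh plus tar, and sha256sum or shasum; the lookup
# commands in lookup_presence (whois, dig, traceroute) need network access.
set -eu

utc_now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# Hash with SHA-256 rather than the slide's md5: MD5 collisions have been
# practical since 2004, so an md5 file no longer shows the archive is unaltered.
sha256_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

# start_evidence DIR TARGET: create DIR, note what is being investigated and
# when, and record the local clock's NTP state (ntpq -p, as on slide 8) so a
# reader can judge how far to trust the time-stamps that follow.
start_evidence() {
    dir=$1; target=$2
    mkdir -p "$dir"
    printf 'target: %s\nstarted: %s\n' "$target" "$(utc_now)" > "$dir/manifest.txt"
    if command -v ntpq >/dev/null 2>&1; then
        ntpq -p > "$dir/timesync.txt" 2>&1 || true
    else
        echo "ntpq not installed; clock state not recorded" > "$dir/timesync.txt"
    fi
}

# run_logged DIR NAME CMD...: run CMD with its output captured in DIR/NAME.txt
# and a time-stamped line for the command and its exit status appended to
# DIR/record.txt.  This is the non-interactive counterpart of working under
# script(1): nothing is copied or retyped by hand.
run_logged() {
    dir=$1; name=$2; shift 2
    printf '### %s $ %s\n' "$(utc_now)" "$*" >> "$dir/record.txt"
    status=0
    "$@" > "$dir/$name.txt" 2>&1 || status=$?
    printf '### exit status %s\n' "$status" >> "$dir/record.txt"
    return "$status"
}

# lookup_presence DIR DOMAIN: the points of responsibility of slide 7 and the
# lookups of slide 9, each as its own logged file (registrar and registrant,
# DNS owners, web and mail hosts, network owner and reverse DNS, route).
# A failed lookup is recorded with its exit status and collection continues.
lookup_presence() {
    dir=$1; domain=$2
    run_logged "$dir" registrar   whois "$domain" || true
    run_logged "$dir" dns-ns      dig +noall +answer "$domain" NS || true
    run_logged "$dir" web-a       dig +noall +answer "$domain" A || true
    run_logged "$dir" mail-mx     dig +noall +answer "$domain" MX || true
    ip=$(dig +short "$domain" A | grep -E '^[0-9.]+$' | head -n 1)
    [ -n "$ip" ] || return 1
    run_logged "$dir" network     whois "$ip" || true           # RIR record for the block
    run_logged "$dir" reverse-dns dig +noall +answer -x "$ip" || true
    run_logged "$dir" route       traceroute -n "$ip" || true   # upstream ISPs, carriers
}

# package_evidence DIR: close the manifest, archive DIR as DIR.tar next to it,
# and write DIR.sha256 in sha256sum -c format (slide 10, with SHA-256).
package_evidence() {
    dir=$1; base=$(basename "$dir")
    printf 'finished: %s\n' "$(utc_now)" >> "$dir/manifest.txt"
    ( cd "$(dirname "$dir")" \
      && tar cf "$base.tar" "$base" \
      && $(sha256_cmd) "$base.tar" > "$base.sha256" )
}

# verify_evidence DIR: succeed only if DIR.tar still matches DIR.sha256.
verify_evidence() {
    dir=$1; base=$(basename "$dir")
    ( cd "$(dirname "$dir")" && $(sha256_cmd) -c "$base.sha256" >/dev/null 2>&1 )
}

# Typical run (needs network):
#   start_evidence evidence example.org
#   lookup_presence evidence example.org
#   package_evidence evidence   # produces evidence.tar and evidence.sha256
#   verify_evidence evidence    # later, before relying on the archive
```

For an interactive session the slide's `script record.txt` remains the right tool; run_logged is for the same record when the lookups are scripted. The hash only proves that the archive has not changed since it was written, so the .sha256 file should be kept apart from the archive (or signed), and the time-stamps are only as trustworthy as timesync.txt shows the clock to have been.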

  11. Presenting the evidence • Without going into too much technical detail, we have created a report during the course of the investigation that non-technical staff can use within the context of their roles. • The information in the report can be independently verified based on the data in the evidence.tar file. • The integrity of the evidence.tar file can be verified with the evidence.md5 file.

  12. Conclusion and future work • Defined the points of responsibility related to an Internet presence. • Systematically collected and time-stamped the evidence which identifies these parties. • Saved and packaged the evidence in an organized manner. • Created a cryptographic hash of the evidence to ensure integrity is preserved. • Created a verifiable report presenting the contact information found in the evidence.

  13. End of presentation. Comments and questions are welcome!
