Chapter 9. People and Places

In the previous chapters, I introduced the main tools and techniques of Internet forensics that you will use all the time in your own explorations. But I am a firm believer that you can never have too many tools, so this chapter presents a miscellany of techniques that you may want to keep on hand for that special occasion.

These are the one-of-a-kind tools that, in the real world, you would find rattling around in the bottom of your toolbox among the orphaned nuts and bolts and the blunt drill bits. They are the sort of thing that you don’t need very often, but when the occasion arises, they are just right for the job.

Geographic Location

Knowing where in the world someone is located is very valuable information. In Chapter 2, I talked about how you can infer the location of a computer from its IP address and the whois record for its domain name. I also explained how many of those records contain bogus contact information that is placed there to deceive.

To recap those points, you can use the whois command with an IP address to find out the network block that contains a specific machine. This should specify the country and may be able to define the region or even the city in which it is located. Using dig -x on the IP address may return a different hostname than you started with, especially if it hosts multiple web servers. The canonical name that DNS returns for the host may contain clues about its location.
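
As an added illustration of that recap (my own script, not from the book), the functions below pull the location clues out of whois and dig -x output: the country field of a network-block record, its descr line, and the country-code TLD and leftmost label of a reverse-DNS name. The whois record and PTR name are constructed samples so the script runs offline; the live commands are shown in the final comment.

```shell
#!/bin/sh
# Added example (not from the book): extract location clues from whois and
# dig -x output. The sample records below are constructed so that the script
# runs offline; replace them with real command output when investigating.

# Constructed whois record for a network block (RIPE-style fields).
SAMPLE_WHOIS='inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Example ISP, Amsterdam
country:        NL
admin-c:        EX123-RIPE'

# Constructed PTR name of the kind dig -x might return for a host.
SAMPLE_PTR='ams-gw1.example.nl'

# whois_country: print the country code from whois text on stdin.
# Handles both "country:" (RIPE/APNIC) and "Country:" (ARIN) field names.
whois_country() {
    awk 'tolower($1) == "country:" { print toupper($2); exit }'
}

# whois_field: print the first value of a named field, e.g. "descr".
# Contact fields like these can be bogus, so treat them as clues, not facts.
whois_field() {
    awk -v f="$1:" 'tolower($1) == f { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# ptr_cctld: print the two-letter country-code TLD of a hostname, if any.
# Generic TLDs such as .com print nothing (no geographic clue).
ptr_cctld() {
    printf '%s\n' "$1" | awk -F. '{ t = $NF; if (length(t) == 2) print toupper(t) }'
}

# ptr_leftmost: the leftmost label often carries a city or airport code
# ("ams", "lhr") chosen by the operator; print it for manual inspection.
ptr_leftmost() {
    printf '%s\n' "$1" | cut -d. -f1
}

main() {
    echo "whois country: $(printf '%s\n' "$SAMPLE_WHOIS" | whois_country)"
    echo "whois descr:   $(printf '%s\n' "$SAMPLE_WHOIS" | whois_field descr)"
    echo "PTR ccTLD:     $(ptr_cctld "$SAMPLE_PTR")"
    echo "PTR label:     $(ptr_leftmost "$SAMPLE_PTR")"
}
main
# Live use: whois 192.0.2.1 | whois_country ; ptr_cctld "$(dig -x 192.0.2.1 +short)"
```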

If the host lies within a country-specific domain, ...