
anonymous ip logging in forums

Discussion of legislation relating to computer forensics.
  

4n6art
Senior Member
 

Re: anonymous ip logging in forums

Post Posted: Jul 19, 11 20:05

From what I understand, most forums have the capability of logging IP addresses - this is generally to allow forum admins to ban certain IPs (ranges) based on abuse. However, if I am not mistaken there are settings that the admin can choose on whether to track or not track the IP. If the IP is not tracked - that's it.

David's point is well taken - there is an option of going to the upstream provider, but they would have to implicitly show that the IP accessed the forum (and not just the website hosting the forum - like FF for example) - but it may be a start.

I know there is no legal requirement on the part of a forum admin to track or save IPs. I would assume that if a cooperative admin was approached by an LEA on a knock-n-talk and asked to track IPs to see future messages or posts, they would/could do it. The operative phrase being "cooperative admin" :)

-=Art=-  
 
  

suxnet
Newbie
 

Re: anonymous ip logging in forums

Post Posted: Jul 19, 11 20:14

THANKS all for your responses.
Personally I think it would be beneficial to have IP tracking. Trying to prove someone guilty of one crime based on one forum post might be hard. But IP tracking would allow forensics investigators to find patterns in behavior.
 
  

4n6art
Senior Member
 

Re: anonymous ip logging in forums

Post Posted: Jul 19, 11 20:28

Possibly... but that assumes that the person would be using the same username or handle in every forum and they have a static IP address assigned to them - or you could be targeting an entire company since their external (static, generally) IP would be the same for a lot (or all) of their employees.

- suxnet
THANKS all for your responses.
Personally I think it would be beneficial to have IP tracking. Trying to prove someone guilty of one crime based on one forum post might be hard. But IP tracking would allow forensics investigators to find patterns in behavior.
 
 
  

lucpel
Senior Member
 

Re: anonymous ip logging in forums

Post Posted: Jul 20, 11 04:25

Websites are usually not obligated to keep track of IPs, unless they are required to do it, like electronic bank services or e-commerce websites (of course, it depends on the jurisdiction). In criminal law cases law enforcement agents can order ISPs to show and preserve records.
But in the end, very few investigations will succeed, considering:
1) An IP address by itself won't be enough evidence to convict someone.
2) If the suspect or the web server is located in a country other than yours, you will first have to determine the applicable law and the natural court, so even if you get the location of the suspect, the case will have to be very relevant in order to get international cooperation.
 
  

Passmark
Senior Member
 

Re: anonymous ip logging in forums

Post Posted: Jul 26, 11 17:05

There is another important point that I don't think was mentioned. Web servers running forum software typically have more than 1 layer of logging.

So there is the logging in the forum software itself (at least for the major packages) and there is also logging going on by the web server software (typically this is Apache or IIS).

So even if the forum logging is disabled, then the web server might have server logs with IP addresses that the hosting company could provide.

For example here is the Apache log entry of someone logging in and making a post in our forum.

178.45.49.75 - - [02/Jun/2011:00:14:45 -0400] "POST /forum/login.php?do=login HTTP/1.0" 200 20758 "http://mail.passmark.com/forum/newthread.php?do=newthread&f=6" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"


178.45.49.75 - - [02/Jun/2011:00:14:44 -0400] "GET /forum/newthread.php?do=newthread&f=6 HTTP/1.0" 200 23836 "http://mail.passmark.com/newthread.php?do=newthread&f=6" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"


You get their IP address and a lot of other information besides.  
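
Added example (not part of Passmark's post and not the forum's own code): a Python parser for the Apache combined log format shown in the entries above. It normalises timestamps to UTC so they can be lined up with forum post times, and lists the distinct user agents seen per IP, since one address can front several users. The sample lines, host names and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
Q = r'(?:[^"\\]|\\.)*'  # quoted field; Apache backslash-escapes embedded quotes
COMBINED = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    rf'"(?P<request>{Q})" (?P<status>\d{{3}}) (?P<size>\S+) '
    rf'"(?P<referer>{Q})" "(?P<agent>{Q})"')

# Constructed sample log (documentation-range addresses, hypothetical host name).
SAMPLE_LOG = '''\
203.0.113.7 - - [02/Jun/2011:00:14:44 -0400] "GET /forum/newthread.php?do=newthread&f=6 HTTP/1.0" 200 23836 "http://forum.example/forum/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"
203.0.113.7 - - [02/Jun/2011:00:14:45 -0400] "POST /forum/login.php?do=login HTTP/1.0" 200 20758 "http://forum.example/forum/newthread.php?do=newthread&f=6" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"
203.0.113.7 - - [02/Jun/2011:09:30:02 -0400] "POST /forum/newreply.php?do=postreply&t=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0"
198.51.100.20 - - [02/Jun/2011:09:31:10 -0400] "GET /forum/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0"
this line is truncated garbage
'''

def parse_line(line):
    """Return a dict of log fields, or None if the line is not combined format."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The log records server-local time with an offset; store UTC for correlation.
    local = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["utc"] = local.astimezone(timezone.utc)
    parts = rec["request"].split(" ")
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) >= 2 else ("", "")
    return rec

def forum_writes(log_text, prefix="/forum/"):
    """POST requests under the forum path, plus a count of unparseable lines."""
    hits, bad = [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            bad += 1  # report gaps instead of silently skipping them
        elif rec["method"] == "POST" and rec["path"].startswith(prefix):
            hits.append(rec)
    return hits, bad

def agents_per_ip(records):
    """Distinct user agents per address; more than one hints at a shared IP."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["host"]].add(rec["agent"])
    return dict(seen)

if __name__ == "__main__":
    hits, bad = forum_writes(SAMPLE_LOG)
    for rec in hits:
        print(rec["utc"].isoformat(), rec["host"], rec["path"], rec["agent"])
    print("unparseable lines:", bad)
```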
 
  

jhup
Senior Member
 

Re: anonymous ip logging in forums

Post Posted: Jul 26, 11 23:49

For a busy website, I would keep no more than a few days worth of server logs, and only a subset/statistics thereafter.

- Passmark
There is another important point that I don't think was mentioned. Web servers running forum software typically have more than 1 layer of logging.

So there is the logging in the forum software itself (at least for the major packages) and there is also logging going on by the web server software (typically this is Apache or IIS).

So even if the forum logging is disabled, then the web server might have server logs with IP addresses that the hosting company could provide.

For example here is the Apache log entry of someone logging in and making a post in our forum.

178.45.49.75 - - [02/Jun/2011:00:14:45 -0400] "POST /forum/login.php?do=login HTTP/1.0" 200 20758 "http://mail.passmark.com/forum/newthread.php?do=newthread&f=6" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"


178.45.49.75 - - [02/Jun/2011:00:14:44 -0400] "GET /forum/newthread.php?do=newthread&f=6 HTTP/1.0" 200 23836 "http://mail.passmark.com/newthread.php?do=newthread&f=6" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01"


You get their IP address and a lot of other information besides.
 
 
  

dwhyte
Newbie
 

Re: anonymous ip logging in forums

Post Posted: Jul 29, 13 11:01

There are two parts to the problem on forums like this: they may have logs despite saying they don't; the fact is they won't comply because they're based offshore in a 'safe haven', and the parent ISP won't comply either. At the moment there are a lot of issues with this with cybercrime forums based in Romania, Russia and certain NL providers - so this is common.

The easiest way to prove someone is hoping they have the same handle, same link signatures... things like that. You could ask upstream providers to log originators to the website - this is done already I'm sure to some current websites, but it's easy to get a free VPN and hook up TOR - you're then pretty much anonymous... providing credentials and profile data aren't the same as other forums they use.

Many of the gh0stmarket cybercrime forum got caught by having Xbox gamer tags the same as handles on the forum :), they were suitably 'safe' with setup but not with forum profile :D

Bit of a tough one, but the above are what you need to be aware of, IMO.  
 

Page 2 of 2