I have a list of IP Addresses that were used in a test case to log on to an email account in 2008!!
Is there any way to run a trace for a specific date using the IP address to establish a location city and/or account user address etc?
Can anyone explain to me how IP Addresses work?
I have been told that IP addresses will stay with the registered telephone company, i.e., British Telecom or Telstra (Australia); is this true?
I have also been told that IP addresses tend to stay in the same city, is this true?
How does the whole IP thing really work?
Is there any way to run a trace for a specific date using the IP address to establish a location city and/or account user address etc?
Not really. You may get lucky and find, for example, that 12.13.14.15 (say) belongs to a range of IP addresses that were assigned to a particular company 20 years ago, and hasn't been reassigned since then. However, that only moves the question to how that company has used that particular address. You'd need to be lucky to find that they have kept records.
If the address has been used for DHCP address assignments, the log of who it has been assigned to is usually gone a few days after it was used. There's rarely any business need for archiving it. If there is a legal requirement to keep it, it's rarely for as long as two years.
I have been told that IP addresses will stay with the registered telephone company, i.e., British Telecom or Telstra (Australia); is this true?
They will stay with the primary assignee. But assignees are bought and sold, and occasionally go out of business. That changes things.
And if the primary assignee is an ISP, they in turn will assign it to one of their customers. And when that sub-assignee stops being a customer, the IP address range in question tends to pass to another customer.
So … your question might be answered in your particular case. In the general case, though, you'd need a lot of luck to find an answer.
I have also been told that IP addresses tend to stay in the same city, is this true?
That depends on how the assignee builds their IP networks. It would not be unexpected, but there are all kinds of ways it need not be true in any particular case.
However, if you don't understand IP networks, you won't understand my reply. I can't help there. I'd suggest something like 'Networking for Dummies' – though if you don't know this series of books, that might even sound offensive. In general, the '… for Dummies' series provides a very quick and easy introduction to various technical subjects. Even so, it often takes face-to-face instruction to get some points about IP networking and addressing across.
As said above, the information may be out of date; it will give a general city-level fix. Keep possible inaccuracies in mind.
From the perspective of a non-ISP, IP addresses were neither geo-referential data in 2008 nor are they today. All you can get by tracing tools is an allegation of the respective ISP.
If you are lucky enough that the logs have captured the MAC address, and providing the computer fleet is still the same as when the incident occurred, then that is going to provide more usable information. MAC addresses are (supposedly) unique (although I have had an instance where 2 switches on the network had the same MAC).
Again, the availability of that information will be entirely dependent on the log file format/capability.
As far as the IP goes, if the company is using a big enough private IP pool (the DHCP scope is bigger than the number of clients it will be issuing addresses to), then Windows DHCP servers tend to re-issue the same address to the client when the lease expires. It sees no need to give a client a different address when the old one is available (as a general rule).
And after all that, and re-reading the original post, these comments are only relative to a corporate network…not a public one like the interweb.
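An added example, not code from any poster in this thread, of the lease-log correlation the post above describes. The log lines are constructed in the column layout of a Windows DHCP server audit log (ID,Date,Time,Description,IP Address,Host Name,MAC Address,...); the column order, the event-ID meanings (10 Assign, 11 Renew, 12 Release, 16 Deleted, 17 Expired) and all hosts, addresses and MACs are assumptions for the illustration. Given an IP and an incident timestamp it returns the MAC and host name holding the lease at that moment, and None when the address was between leases, which is what you hit once a pool has rotated.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the column layout of a Windows DHCP server audit log
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address,...). Hosts,
# addresses, MACs and the event-ID meanings are assumptions for this example.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
10,03/14/08,08:02:11,Assign,10.0.5.17,WS-ALPHA.corp.example,001122334455,
11,03/14/08,20:02:11,Renew,10.0.5.17,WS-ALPHA.corp.example,001122334455,
17,03/16/08,08:02:11,Expired,10.0.5.17,,001122334455,
10,03/16/08,09:15:40,Assign,10.0.5.17,WS-BRAVO.corp.example,00AABBCCDDEE,
10,03/14/08,08:05:00,Assign,10.0.5.18,WS-CHARLIE.corp.example,00DEADBEEF01,
12,03/15/08,17:30:00,Release,10.0.5.18,WS-CHARLIE.corp.example,00DEADBEEF01,
"""

START_EVENTS = {"10", "11"}       # Assign, Renew: the client holds the address
END_EVENTS = {"12", "16", "17"}   # Release, Deleted, Expired: it no longer does


def parse_lease_log(text):
    """Turn audit-log rows into lease events sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%y %H:%M:%S")
        events.append({"id": row["ID"], "ts": ts, "ip": row["IP Address"],
                       "host": row["Host Name"], "mac": row["MAC Address"].upper()})
    events.sort(key=lambda e: e["ts"])
    return events


def build_leases(events):
    """Collapse events into [start, end) intervals per IP, one per holding MAC.

    A Renew (or a fresh Assign to the same MAC, which Windows prefers when the
    old address is free) extends the open interval; an Assign to a different
    MAC closes it, as does Release/Deleted/Expired for the holding MAC.
    """
    leases = {}        # ip -> list of interval dicts, in time order
    open_lease = {}    # ip -> interval currently open for that ip
    for ev in events:
        ip, cur = ev["ip"], open_lease.get(ev["ip"])
        if ev["id"] in START_EVENTS:
            if cur is not None and cur["mac"] == ev["mac"]:
                if ev["host"]:
                    cur["host"] = ev["host"]
                continue
            if cur is not None:
                cur["end"] = ev["ts"]           # address moved to another client
            cur = {"mac": ev["mac"], "host": ev["host"], "start": ev["ts"], "end": None}
            leases.setdefault(ip, []).append(cur)
            open_lease[ip] = cur
        elif ev["id"] in END_EVENTS:
            if cur is not None and (not ev["mac"] or cur["mac"] == ev["mac"]):
                cur["end"] = ev["ts"]
                del open_lease[ip]
    return leases


LEASES = build_leases(parse_lease_log(SAMPLE_LOG))


def who_had(ip, when_iso, leases=LEASES):
    """Return {"mac", "host"} for the client holding ip at the given ISO-8601
    time, or None if the log shows nobody holding it then (rotated, released,
    or simply not in the log)."""
    when = datetime.fromisoformat(when_iso)
    for lease in leases.get(ip, []):
        if lease["start"] <= when and (lease["end"] is None or when < lease["end"]):
            return {"mac": lease["mac"], "host": lease["host"]}
    return None


if __name__ == "__main__":
    for ip, t in [("10.0.5.17", "2008-03-14T12:00:00"),
                  ("10.0.5.17", "2008-03-16T08:30:00"),
                  ("10.0.5.18", "2008-03-15T18:00:00")]:
        print(ip, t, who_had(ip, t))
```

The interval is closed on the expiry/release side deliberately: a query that lands in the gap between an Expired line and the next Assign returns None rather than the previous holder, because at that moment the address could already have been handed to a new client whose Assign line sits outside your retention window.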
I have a list of IP Addresses that were used in a test case to log on to an email account in 2008!!
Is there any way to run a trace for a specific date using the IP address to establish a location city and/or account user address etc?
Can anyone explain to me how IP Addresses work?
For explanations, see the other posts.
One other tip that might work if the IP addresses are static and public, is just try and run them through a search engine.
YMMV, but I've had some results with this technique, including a 4-year-old logfile entry that I could link to a mobile number mentioned in an ad, and the mobile number was linked to a street address :-)
It's not solid, because IP addresses can change, but it can still provide an interesting lead sometimes.
IP2Location services can also work, but the results vary wildly, even among the best ones.
-Roland
From the perspective of a non-ISP, IP addresses were neither geo-referential data in 2008 nor are they today. All you can get by tracing tools is an allegation of the respective ISP.
In every single instance I've seen, you can also get the country, and the city.
I have a list of IP Addresses that were used in a test case to log on to an email account in 2008!!…..
…I have been told that IP addresses will stay with the registered telephone company, i.e., British Telecom or Telstra (Australia); is this true?
These will be WAN IP addresses supplied by the service provider. They should have a range of IP addresses which they use so you should be able to at least find out who they are. I'm sure service providers in the UK have to keep a log for a specified period of time. Of what I'm not sure.
If you are lucky enough that the logs have captured the MAC address, and providing the computer fleet is still the same as when the incident occurred, then that is going to provide more usable information. MAC addresses are (supposedly) unique (although I have had an instance where 2 switches on the network had the same MAC).
You can manually change the MAC address of a device, but generally it's not recommended as it can cause a conflict on the network since, like you say, they should be unique.
In every single instance I've seen, you can also get the country, and the city.
You will get a country and a city.
The country is mostly correct because of legal issues ISPs have to deal with, but often, unfortunately, not in countries from which cybercrime typically comes, e.g. central Africa or South Asia. In those regions it's my experience that the city is never correct. The ISPs let you "trace" it either to the capital or their headquarters by default, even if the network infrastructure is as diversified as in North America or Europe.
Second, at least in central Europe, ISPs for mobile data services do the same for privacy reasons (usually positioning would be less accurate than for a DSL endpoint, but possible).
Accuracy is the third thing. I'm writing from a big city, using DOCSIS 3.0, which is specific to this city. Usually my tracing is correct, but for the past two or three days it's been wandering around a circle of 150 miles (~15 million households) for whatever reason. ip2location.com is totally wrong for me at the moment.
Yes, it makes sense to trace IPs routinely, especially within twelve hours after an incident, just to get the data. But there is no chance trying to get actionable intelligence from a three years old IP list without having any support from networking companies.
As this is a test case, you may have to assume, or ask whether you can assume, that the current IP delegation can be considered valid.
If this were a real case:
First you would need to determine if the IP(s) in question are still with the same company. In order to do this you would most likely need to send a query to ARIN.net, RIPE.net or LACNIC (depending on IP zone) to request records of which company the IP address(es) were delegated to.
From there you may (hopefully) request that the company provide the scope of the IP address(es) (single city / multiple cities). As this was not presented as an LE case, the providing of data would be voluntary.
Even though the IP address(es) may belong to one company the entire time, it IS possible that IP addresses may have been reallocated within the same company to use NATting in an effort to preserve IPv4 addresses (if not already done).
Now the "fun" begins: was the IP address tied to a high-speed LAN (ISP side) for their clients to connect to? In this case the city would be the same. If this were a "dial-up" without a static IP, the city could be anywhere that a person could dial in from.
And no, you cannot depend solely on the MAC of the connecting device. There are several MAC spoofing applications that can be used to modify/obscure a MAC.
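An added example, not code from any poster in this thread, for the first two steps above: checking whether the current registry delegation can be taken as valid for a 2008 incident, and filtering out addresses that no registry can help with. The registries now publish the whois data as RDAP (RFC 9083 "ip network" objects), which is what the record below is shaped like; the record itself is constructed (handle, range, dates, organisation and contacts are invented, and the range is the 203.0.113.0/24 documentation block standing in for a real pool), so offline it parses this sample where a real run would fetch the RIR's record for the address (ARIN's service, for example, is reached under https://rdap.arin.net/registry/ip/, and the IANA bootstrap file https://data.iana.org/rdap/ipv4.json says which RIR serves a prefix). The "local" check covers the NAT point above: an RFC 1918 address in a mail-server log names a host behind someone's NAT, not an ISP customer.

```python
import ipaddress
import json
from datetime import date

# Constructed sample shaped like an RDAP "ip network" object (RFC 9083).
# Handle, range, organisation names, dates and contacts are invented; the
# range is the 203.0.113.0/24 documentation block used as a stand-in.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "ip network",
    "handle": "NET-203-0-113-0-1",
    "startAddress": "203.0.113.0",
    "endAddress": "203.0.113.255",
    "ipVersion": "v4",
    "name": "EXAMPLE-ISP-DSL-POOL",
    "country": "AU",
    "events": [
        {"eventAction": "registration", "eventDate": "2001-06-12T00:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2011-09-30T00:00:00Z"},
    ],
    "entities": [
        {"objectClassName": "entity", "handle": "EXAMPLEISP-AU",
         "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example ISP Pty Ltd"]]]},
        {"objectClassName": "entity", "handle": "ABUSE-EXAMPLE",
         "roles": ["abuse"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example ISP Abuse Desk"],
                                  ["email", {}, "text", "abuse@isp.example"]]]},
    ],
})

LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
               "127.0.0.0/8", "169.254.0.0/16")]                  # loopback, link-local


def is_local(ip_text):
    """True for RFC 1918 / loopback / link-local addresses: in a log these name a
    host behind a NAT, not an ISP customer, so no registry query will help."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in LOCAL_NETS)


def _contact(entities, role):
    """(handle, formatted name, email) of the first entity carrying the role."""
    for ent in entities:
        if role in ent.get("roles", []):
            props = ent.get("vcardArray", ["vcard", []])[1]
            name = next((p[3] for p in props if p[0] == "fn"), None)
            mail = next((p[3] for p in props if p[0] == "email"), None)
            return ent.get("handle"), name, mail
    return None, None, None


def assess_delegation(rdap_json, ip_text, incident_date):
    """Compare an RDAP network record with the incident date.

    Tells you whether the current holder's delegation even existed at the
    incident (worth asking them for records) and whether the record has been
    edited since (so what it says now may not describe the incident-time holder).
    """
    rec = json.loads(rdap_json)
    ip = ipaddress.ip_address(ip_text)
    in_range = (ipaddress.ip_address(rec["startAddress"]) <= ip
                <= ipaddress.ip_address(rec["endAddress"]))
    dates = {ev["eventAction"]: date.fromisoformat(ev["eventDate"][:10])
             for ev in rec.get("events", [])}
    registered = dates.get("registration")
    changed = dates.get("last changed")
    reg_handle, reg_name, _ = _contact(rec.get("entities", []), "registrant")
    _, _, abuse_mail = _contact(rec.get("entities", []), "abuse")
    return {
        "ip": ip_text,
        "local": is_local(ip_text),
        "in_range": in_range,
        "handle": rec.get("handle"),
        "registrant": reg_name or reg_handle,
        "abuse_email": abuse_mail,
        "registered": registered,
        "last_changed": changed,
        "held_at_incident": bool(registered and registered <= incident_date),
        "changed_since_incident": bool(changed and changed > incident_date),
    }


if __name__ == "__main__":
    for ip in ("10.0.5.17", "203.0.113.45"):
        if is_local(ip):
            print(ip, "is a local address; look at the NAT/DHCP logs, not a registry")
        else:
            print(assess_delegation(SAMPLE_RDAP, ip, date(2008, 5, 1)))
```

The two booleans are the ones that matter for an old incident: held_at_incident true with changed_since_incident false is the lucky case from earlier in the thread (same holder, untouched record); held_at_incident true but changed_since_incident true, as in the sample, means the block was already theirs in 2008 yet the record has been edited since, so the contact, the name or even the sub-allocation may differ from what it was then, and only the holder's own records can close that gap.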