As you're probably aware, proxy servers now present a big problem for us investigators in attempting to trace-to-source criminal actions.
Consider the following scenario, in which each proxy represents a hijacked home computer being abused as an open proxy without the owner's consent or knowledge. The criminal is using software that's clever enough to keep varying the combination of proxies used, the number of proxies used in the chain (normally 12+) and the order the proxy servers are being used within the chain, and each chain configuration is cycled every 3-5 minutes on average.
Suspect –> Proxy1 –> Proxy2 –> .. Proxy11 –> Proxy12 –> Server
The suspect is based in the UK but a good number of the proxies used are not based within the UK so the solution cannot easily involve communication with or integration with ISPs who are rarely able to assist with specific enquiries on a time-critical basis in any case.
How can we trace the user to location whilst they are online (i.e. within those 3-5 mins)? I'm looking for realistic solutions, don't worry about the legality of methods at this stage.
Well sorry to disappoint but there is no Tracebuster 3000 that solves this problem with an ounce of magic (at least as far as I know). I'll bet this one keeps you guys puzzled at least for a few consecutive minutes! Looking forward to your replies/solutions..
http://forensictracer.com/
Correct me if I'm wrong, but after just trying their service it seems to me they are only able to trace the first step in the route. As soon as they hit the first open proxy, that's the end of the line in their books. Because we're talking about a live trace, assume ISP proxy log files are also unavailable - they take time to acquire.
I am not a networking expert, but… If one assumes that they have control of the receiving server, such as a honeypot, they should be able to manipulate the returning packets to the originating machine to include a traceroute program in the payload that would be able to report on every "hop" between the server and the destination.
Kinda like traceroute in reverse.
Richard, I am assuming, due to your occupation, that you have figured out a program for things such as this, and I do enjoy a good brain twister, but if this is a marketing ploy I will be very disappointed in your use of these forums.
I'm afraid I haven't figured out a solution to this (hence posting - it's not a marketing ploy), but I am already working with a ton of security experts on trying to produce a solution because the problem is real. I just thought I'd open up the field of discussion to include those involved in computer forensic analysis/investigation.
That's the kind of idea I'm looking for. I'm not convinced it's possible; however, I'll run it by some networking experts and post back. You have understood correctly what I'm trying to accomplish though - essentially a reverse traceroute.
(My participation on this forum relates to investigative responsibilities I have outside of my day job as a software developer.)
Interesting subject. I have experienced this problem many times - a couple of solutions that have worked in the past for me - one of which is:
1. If the person is using MSN, add them to your MSN list & use a tool like MSNDetective when they're online to send them a file. Even if they don't accept it, you should be able to determine their IP address. Likewise, send a very large file via MSN & then check your netstat table for a new IP address - which is actually their address. Don't know if this works with the current version of MSN. Did it about a year ago.
That's great, but given that we're trying to trace a connection and therefore only have an IP (essentially of Proxy12), there's no way of knowing what their MSN email address is, assuming they use MSN and that they're logged in. I tend to find these days whenever anyone's doing anything they shouldn't, especially the professional/organised ones, they don't use MSN anymore because of its insecure protocols. They're moving to using Skype instead, and whilst I'm already working with Kurt at Skype on tracing back Skype users, this is a separate issue, so let's not deviate from the challenge at hand!
Knowing the IP address of proxy12, make a response packet with the same TCP/IP details but with a varying TTL value that expires at each node. You would eventually get a response from the originating PC at some stage (within the 3-5 min interval).
youcef
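As an added illustration of the TTL idea above (a constructed model written for this page, not code from any poster): IP routers decrement TTL and answer with ICMP Time Exceeded, but an application-layer proxy is the TCP endpoint, so it consumes the packet and relays the data in a new packet with its own source address and a fresh TTL. All addresses and the chain layout are constructed.

```python
# Constructed model: what a TTL-limited probe sent back from the server can
# reveal when the path to the suspect runs through open (application-layer)
# proxies. Addresses are documentation/private ranges, not real hosts.
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    addr: str
    kind: str  # "router", "proxy" or "suspect"


# Path as the probe traverses it: the server's upstream routers first, then
# Proxy12 (the only address the server ever sees), and so on back to the suspect.
PATH_FROM_SERVER = [
    Hop("10.0.0.1", "router"),
    Hop("10.0.0.2", "router"),
    Hop("203.0.113.12", "proxy"),    # Proxy12: the address in the server logs
    Hop("203.0.113.254", "router"),
    Hop("198.51.100.11", "proxy"),   # Proxy11
    Hop("192.0.2.50", "suspect"),
]


def ttl_probe(path, ttl):
    """One probe with the given TTL; returns (responder_addr, stopped_by_proxy)."""
    for hop in path:
        if hop.kind == "router":
            ttl -= 1
            if ttl == 0:
                return hop.addr, False   # ICMP Time Exceeded from this router
            continue
        # A proxy (or the suspect) is the TCP endpoint: the packet is delivered
        # there and any relayed data leaves in a new packet with a fresh TTL.
        return hop.addr, hop.kind == "proxy"
    return None, False


def reverse_traceroute(path, max_ttl=64):
    """Raise TTL one step at a time and collect every address that answers."""
    revealed = []
    for ttl in range(1, max_ttl + 1):
        addr, at_proxy = ttl_probe(path, ttl)
        if addr is None:
            break
        if addr not in revealed:
            revealed.append(addr)
        if at_proxy:
            break   # the server's TTL never survives past an application proxy
    return revealed


if __name__ == "__main__":
    print(reverse_traceroute(PATH_FROM_SERVER))  # stops at Proxy12
```

Running the model shows the probes enumerate only the routers between the server and Proxy12 plus Proxy12 itself; nothing behind the first proxy, and certainly not the suspect's address, ever answers.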
How would you do this? What commands/software? Please could you give me a walk through example?
Thanks.
This document might be of assistance. You can find it on the web.
Nate
The Session Token Protocol for Forensics and Traceback
Brian Carrier, Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University, West Lafayette, IN 47907, carrier@cerias.purdue.edu
and Clay Shields, Department of Computer Science, Georgetown University, Washington, D.C., 20057, clay@cs.georgetown.edu