Tracebuster 3000

(@richardhall)
Posts: 9
Active Member
Topic starter
 

As you're probably aware, proxy servers now present a big problem for us investigators in attempting to trace-to-source criminal actions.

Consider the following scenario: each proxy represents a hijacked home computer being abused as an open proxy without the owner's consent or knowledge. The criminal is using software that's clever enough to keep varying the combination of proxies used, the number of proxies used in the chain (normally 12+) and the order the proxy servers are being used within the chain, and each chain configuration is cycled every 3-5 minutes on average.

Suspect –> Proxy1 –> Proxy2 –> .. Proxy11 –> Proxy12 –> Server

The suspect is based in the UK but a good number of the proxies used are not based within the UK so the solution cannot easily involve communication with or integration with ISPs who are rarely able to assist with specific enquiries on a time-critical basis in any case.

How can we trace the user to location whilst they are online (i.e. within those 3-5 mins)? I'm looking for realistic solutions, don't worry about the legality of methods at this stage.

Well, sorry to disappoint, but there is no Tracebuster 3000 that solves this problem with an ounce of magic (at least as far as I know). I'll bet this one keeps you guys puzzled at least for a few consecutive minutes! Looking forward to your replies/solutions.

 
Posted : 23/03/2006 10:35 pm
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

http://forensictracer.com/

 
Posted : 24/03/2006 12:53 am
(@richardhall)
Posts: 9
Active Member
Topic starter
 

Correct me if I'm wrong, but after just trying their service it seems to me they are only able to trace the first step in the route. As soon as they hit the first open proxy, that's the end of the line in their books. Because we're talking about a live trace, assume ISP proxy log files are also unavailable - they take time to acquire.

 
Posted : 24/03/2006 8:21 am
m7esec
(@m7esec)
Posts: 45
Eminent Member
 

I am not a networking expert, but… If one assumes that they have control of the receiving server, such as a honeypot, they should be able to manipulate the returning packets to the originating machine to include a traceroute program in the payload that would be able to report on every "hop" between the server and the destination.

Kinda like traceroute in reverse.

Richard, I am assuming, due to your occupation, that you have figured out a program for things such as this, and I do enjoy a good brain twister, but if this is a marketing ploy I will be very disappointed in your use of these forums.

 
Posted : 24/03/2006 7:42 pm
(@richardhall)
Posts: 9
Active Member
Topic starter
 

I'm afraid I haven't figured out a solution to this (hence posting - it's not a marketing ploy) but I am already working with a ton of security experts on trying to produce a solution because the problem is real. I just thought I'd open up the field of discussion to include those involved in computer forensic analysis/investigation.

That's the kind of idea I'm looking for. I'm not convinced it's possible; however, I'll run it by some networking experts and post back. You have understood correctly what I'm trying to accomplish though - essentially a reverse traceroute.

(My participation on this forum relates to investigative responsibilities I have outside of my day job as a software developer.)

 
Posted : 25/03/2006 10:03 am
(@mindsmith)
Posts: 174
Estimable Member
 

Interesting subject. I have experienced this problem many times - a couple of solutions that have worked in the past for me - one of which is:

1. If the person is using MSN, add them to your MSN list and use a tool like MSNDetective when they're online to send them a file. Even if they don't accept it, you should be able to determine their IP address. Likewise, sending a very large file via MSN and then checking your netstat table for a new IP address - which is actually their address. Don't know if this works with the current version of MSN. Did it about a year ago.

 
Posted : 25/03/2006 4:18 pm
(@richardhall)
Posts: 9
Active Member
Topic starter
 

That's great, but given that we're trying to trace a connection and therefore only have an IP (essentially of Proxy12) there's no way of knowing what their MSN email address is, assuming they use MSN and that they're logged in. I tend to find these days whenever anyone's doing anything they shouldn't, especially the professional/organised ones, they don't use MSN anymore because of its insecure protocols. They're moving to using Skype instead, and whilst I'm already working with Kurt at Skype on tracing back Skype users, this is a separate issue, so let's not deviate from the challenge at hand!

 
Posted : 26/03/2006 12:08 am
(@youcefb9)
Posts: 38
Eminent Member
 

Knowing the IP address of Proxy12, make a response packet with the same TCP/IP details but with a varying TTL value that expires at each node. You would eventually get a response from the originating PC at some stage (within the 3-5 min interval).

youcef

 
Posted : 27/03/2006 10:45 pm
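The "reverse traceroute" idea raised by m7esec and the TTL-expiry probing suggested by youcef both rely on IP TTL behaviour, so here is a small Python model of that behaviour (an added illustration, not code from anyone in the thread). It assumes a constructed chain of routers and open proxies with documentation-range addresses; routers forward packets and decrement the TTL, while an open proxy terminates the TCP connection and originates fresh packets of its own, so probes addressed to Proxy12 reveal the routers up to Proxy12 and nothing behind it. The same functions run over a proxy-free chain reach the final host, which the test below checks.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    name: str
    ip: str                # constructed sample address (documentation ranges)
    terminates_tcp: bool   # True for an application-layer (open) proxy

# Constructed chain from the investigator's server back towards the suspect,
# a shortened version of the thread's Suspect -> Proxy1 .. Proxy12 -> Server.
# The server only knows Proxy12's address, so its packets are addressed to
# Proxy12; Proxy12 accepts them rather than forwarding them at the IP layer.
PATH = [
    Hop("router-a", "198.51.100.1",  False),
    Hop("router-b", "198.51.100.2",  False),
    Hop("proxy12",  "203.0.113.12",  True),
    Hop("router-c", "203.0.113.200", False),
    Hop("proxy11",  "203.0.113.11",  True),
    Hop("suspect",  "192.0.2.99",    False),
]

def probe(path, ttl):
    """Simulate one probe from the server with the given TTL; returns
    (responder_ip, reason). A router that decrements TTL to zero answers
    with ICMP Time Exceeded (as in traceroute); a proxy or the final host
    accepts the packet instead of forwarding it."""
    for hop in path:
        if hop.terminates_tcp:
            return hop.ip, "accepted-by-proxy"
        if hop is path[-1]:
            return hop.ip, "delivered"
        ttl -= 1
        if ttl == 0:
            return hop.ip, "time-exceeded"

def ttl_trace(path, max_ttl=32):
    """Probe with TTL 1..max_ttl, stopping once a hop accepts the packet."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        ip, reason = probe(path, ttl)
        seen.append((ttl, ip, reason))
        if reason != "time-exceeded":
            break
    return seen

def revealed_ips(path):
    """Addresses the probes actually learn: everything up to the first proxy."""
    return [ip for _, ip, _ in ttl_trace(path)]
```

Running `ttl_trace(PATH)` yields three entries ending at Proxy12; the suspect's address never appears, which is the limitation richardhall describes when the live trace hits the first open proxy.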
(@richardhall)
Posts: 9
Active Member
Topic starter
 

How would you do this? What commands/software? Please could you give me a walk through example?

Thanks.

 
Posted : 20/04/2006 11:02 pm
nate
(@nate)
Posts: 20
Eminent Member
 

This document might be of assistance. You can find it on the web.

Nate

The Session Token Protocol for Forensics and Traceback. Brian Carrier, Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University, West Lafayette, IN 47907 (carrier@cerias.purdue.edu) and Clay Shields, Department of Computer Science, Georgetown University, Washington, D.C., 20057 (clay@cs.georgetown.edu).

 
Posted : 20/04/2006 11:46 pm