Hi all,
If someone posted a comment on a company website, can we trace the IP address that posted the message?
If I'm not wrong, it's just like sending an e-mail, right?
Greetings,
It depends on the server supporting the web site and the software used to handle the postings. Apache, on Linux, out of the box, will log requests. If you can associate a particular request with the entry of that comment, you should be able to get an IP address.
The forum (?) software enters the comment in a database (flat file, MySQL, email, something.) Does it log any other information along with the comment, like the IP address, time entered, etc?
-David
blueDragon,
While you may be able to trace the IP address to an ISP responsible for the corresponding address block, mapping that IP address to an individual will require the cooperation of the ISP, which in most countries requires a court order.
Good Luck..
Rich
If the comment was posted from a work PC and you can ascertain when it was posted, you may be able to find out where it came from by going through your router logs and then filtering them by the appropriate date & time and IP addresses. You could then go to your DHCP server logs and link the IP to a MAC address. (Just remember that some logs are only kept for a week so grab them ASAP.)
Then you have to figure out which machine has that MAC address.
As Kovar noted however, if your web server is logging the IP addresses of machines that post messages, you should find the posting machine’s IP address in the web server logs. (And then be able to trace the IP to a MAC address via your DHCP logs.)
Once you find the PC, with any luck the message and the web interface for posting messages got cached to the hard drive. A final step would be to figure out who was logged in to the PC at that date/time (using event logs, physical access, etc).
On the other hand, if you suspect a particular individual (or group of individuals), you could simply do a preliminary search on their PC(s) using EnCase or some other tool – just make sure you search for something that indicates who posted the message, not simply who viewed it.
Depending on the size of your company, your sysadmin’s records, how your internal subnets are set up, and what you are logging, this approach may get a fair bit more difficult and complicated.
Anyway, that’s just a few thoughts…
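The correlation described in the replies above (web server log entry, then DHCP lease, then MAC address), as an added example that is not part of any poster's reply. The log lines, the `/comments` path, the lease-export layout and all addresses are constructed assumptions, not data from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data: Apache combined-format access log lines.
ACCESS_LOG = """\
10.1.4.23 - - [12/Mar/2024:14:02:11 +0000] "GET /comments/new HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.1.4.23 - - [12/Mar/2024:14:03:40 +0000] "POST /comments HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.1.7.80 - - [12/Mar/2024:14:03:55 +0000] "GET /comments/981 HTTP/1.1" 200 7311 "-" "Mozilla/5.0"
10.1.9.12 - - [12/Mar/2024:16:45:02 +0000] "POST /comments HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
# Constructed DHCP lease export, one lease per line: start,end,ip,mac (hypothetical layout).
DHCP_LEASES = """\
2024-03-12T08:00:00+00:00,2024-03-12T12:00:00+00:00,10.1.4.23,00:00:5e:00:53:0a
2024-03-12T13:30:00+00:00,2024-03-12T21:30:00+00:00,10.1.4.23,00:00:5e:00:53:1b
2024-03-12T09:00:00+00:00,2024-03-12T17:00:00+00:00,10.1.7.80,00:00:5e:00:53:2c
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def candidate_posts(log_text, path, comment_time, window=timedelta(minutes=5)):
    """Return (ip, timestamp) for POSTs to `path` within `window` of the comment time."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        ip, ts, method, url, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and url.split("?")[0] == path and abs(when - comment_time) <= window:
            hits.append((ip, when))
    return hits

def mac_for(ip, when, lease_text):
    """Return the MAC that held `ip` at `when`, or None if no lease covers that moment."""
    for row in lease_text.splitlines():
        start, end, lease_ip, mac = row.split(",")
        if lease_ip == ip and datetime.fromisoformat(start) <= when < datetime.fromisoformat(end):
            return mac
    return None

def trace(comment_iso):
    """Map the comment's stored timestamp (ISO 8601 string) to (ip, request time, mac) rows."""
    return [(ip, when.isoformat(), mac_for(ip, when, DHCP_LEASES))
            for ip, when in candidate_posts(ACCESS_LOG, "/comments", datetime.fromisoformat(comment_iso))]

if __name__ == "__main__":
    for row in trace("2024-03-12T14:03:42+00:00"):
        print(row)
```

The same IP appears under two different MAC addresses in the sample leases, which is why the lookup is keyed on the request time and not on the IP alone; a `None` MAC means no retained lease covers that moment.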