Code examples from 'Internet Forensics'
Chapter 11 (Case Studies)

Example 11-1: confirm.php
This code fragment is a PHP script that someone operating a scam used to
capture user information. I've decided not to include it here; it can be
found in the book.

Example 11-2: extract_ipaddr.pl
#!/usr/bin/perl -w
# Example 11-2: extract_ipaddr.pl

# Excerpted from 'Internet Forensics' by Robert Jones
# Published 2005 by O'Reilly Media (ISBN 0-596-10006-X)

# Example Message separator: From - Tue Apr 06 10:20:25 2004

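use strict;
use warnings;

# Read from STDIN when no file is named; more than one argument is an error.
if (@ARGV == 0) {
    $ARGV[0] = '-';
} elsif (@ARGV > 1) {
    die "Usage: $0 <mail file>\n";
}

# $flag      - set once the first usable Received: header of the current
#              message has been printed, so later hops are ignored.
# $separator - set after a blank line, because an mbox "From " separator
#              line only counts when it directly follows one.
my $flag      = 0;
my $separator = 0;

# Three-argument open on a lexical handle (the filename comes from the
# command line, so it must never be parsed as an open() mode). '-' still
# means STDIN, which the three-argument form would otherwise treat as a
# literal filename.
my $input;
if ($ARGV[0] eq '-') {
    $input = \*STDIN;
} else {
    open $input, '<', $ARGV[0]
        or die "$0: Unable to open file $ARGV[0]: $!\n";
}

while (my $line = <$input>) {
    # The following regular expression defines the message separator,
    # e.g. "From - Tue Apr 06 10:20:25 2004". Any four-digit year is
    # accepted; the original only matched years 2000-2009.
    if ($line =~ /^From\s+.*\d{4}$/ and $separator == 1) {
        $separator = 0;
        $flag      = 0;
    } elsif ($line =~ /^\s*$/) {
        $separator = 1;
    } else {
        if ($line =~ /^Received:.*seanet/) {
            # skip any headers from seanet (my ISP)
        } elsif ($flag == 0 and $line =~ /^Received:\s*.*?\[([\d.]+)\]/) {
            # Print the first bracketed address from the first non-ISP
            # Received: header of this message. Only the hops added by
            # your own mail servers are trustworthy; anything earlier in
            # the chain could have been forged by the sender.
            print "$1\n";
            $flag++;
        }
        $separator = 0;
    }
}
close $input unless $ARGV[0] eq '-';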

Example 11-3: extract_match_ipaddr.pl
#!/usr/bin/perl -w
# Example 11-3: extract_match_ipaddr.pl

# Excerpted from 'Internet Forensics' by Robert Jones
# Published 2005 by O'Reilly Media (ISBN 0-596-10006-X)

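use strict;
use warnings;

# First argument: file of IP addresses, one per line. Second (optional):
# mbox file; defaults to STDIN.
if (@ARGV == 0 or @ARGV > 2) {
    die "Usage: $0 <ipaddr file> <mail file>\n";
} elsif (@ARGV == 1) {
    $ARGV[1] = '-';
}

# Addresses of interest, keyed by dotted quad.
my %ipaddrs = ();
loadAddresses($ARGV[0], \%ipaddrs);

# $flag      - set when the current message's first non-ISP Received:
#              header carries an address from %ipaddrs; the whole
#              message is then printed at the next separator.
# $separator - set after a blank line, because an mbox "From " separator
#              line only counts when it directly follows one.
# $text      - accumulated text of the current message.
my $flag      = 0;
my $separator = 0;
my $text      = '';

# Three-argument open on a lexical handle (the filename comes from the
# command line, so it must never be parsed as an open() mode). '-' still
# means STDIN, which the three-argument form would otherwise treat as a
# literal filename.
my $input;
if ($ARGV[1] eq '-') {
    $input = \*STDIN;
} else {
    open $input, '<', $ARGV[1]
        or die "$0: Unable to open file $ARGV[1]: $!\n";
}

while (my $line = <$input>) {
    # Message separator, e.g. "From - Tue Apr 06 10:20:25 2004". Any
    # four-digit year is accepted; the original only matched 2000-2009.
    if ($line =~ /^From\s+.*\d{4}$/ and $separator == 1) {
        if ($flag > 0) {
            print $text;
            $flag = 0;
        }
        $separator = 0;
        $text      = '';
    } elsif ($line =~ /^\s*$/) {
        $separator = 1;
    } else {
        $separator = 0;
        if ($line =~ /^Received:.*seanet/) {
            # skip Received: headers from my ISP
        } elsif ($line =~ /^Received:\s*.*?\[([\d.]+)\]/ and $flag == 0) {
            # Only the first non-ISP hop is consulted; earlier Received:
            # headers may have been forged by the sender.
            $flag++ if exists $ipaddrs{$1};
        }
    }
    $text .= $line;
}

# The last message in the file is not followed by a separator.
print $text if $flag > 0;
close $input unless $ARGV[1] eq '-';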


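# Load IP addresses from $filename into the hash referenced by $ipaddrs.
#
# Each line that begins with a dotted quad contributes one key
# (address => 1); the rest of the line is ignored, as are lines that
# do not start with an address. Dies if the file cannot be opened.
sub loadAddresses {
    my ($filename, $ipaddrs) = @_;

    # Three-argument open with a lexical handle, so the name can never be
    # interpreted as an open() mode and the handle does not collide with
    # the caller's.
    open my $fh, '<', $filename
        or die "$0: Unable to open file $filename: $!\n";
    while (my $line = <$fh>) {
        if ($line =~ /^(\d+\.\d+\.\d+\.\d+)/) {
            $ipaddrs->{$1} = 1;
        }
    }
    close $fh;
    return;
}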