
Internet Forensics

Internet Forensics uses the combination of advanced computing techniques and human intuition to uncover clues about people and computers involved in Internet crime, most notably fraud and identity theft.

Craic has a particular interest in this aspect of computer security and undertakes research and education in the field.

Internet Forensics - The Book

Internet Forensics by Robert Jones was published by O'Reilly Media in 2005.

The book describes a wide range of practical techniques for tracking down the sites and servers behind phishing scams, spam and other forms of Internet fraud.


You can read parts of Internet Forensics for free on Google Books and all of Chapter 4 (Obfuscation) for free at oreilly.com

You can read the Japanese Translation of 'Internet Forensics' for free on Google Books

View and Download Code Examples from the Book

Buy the Book from amazon.com

Dynamic DNS and Location Tracking

Dynamic DNS allows a fixed hostname to be associated with a residential or mobile computer that is assigned a changing IP address by its ISP.

However, this convenience comes with a potential risk to privacy: anyone who knows the hostname can resolve it repeatedly with basic DNS lookup tools and record the address it returns each time. By logging those changes over time it is possible to build up a history of the IP addresses used by a mobile user and, in many cases, to infer the approximate geographical location of that user from the ISP or network block each address belongs to.

While there are legitimate uses for such monitoring, it can also represent a significant risk to the privacy of certain users. This risk is largely unrecognized by users of Dynamic DNS services. The issues are described in the following Technical Report.

Dynamic DNS and Location Tracking - Risks and Benefits (Craic Tech Report 2006-1)
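The monitoring described above, written out as an added example (this is not code from the book or from the Craic tech report). It collapses a sequence of periodic lookups of one hostname into the periods during which each address was in use and labels each period with a coarse location. The prefix table and the observation log are constructed for illustration; a real analysis would use WHOIS or an IP geolocation database in place of the table, and a live resolver in place of the recorded observations.

```python
"""Track the IP addresses behind a dynamic-DNS hostname over time.

Added example, not from the book or the Craic tech report.  The prefix
table and the observation sequence below are constructed for illustration.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional

# Constructed illustration only: maps network prefixes to a coarse location.
# A real analysis would use WHOIS or an IP-geolocation database instead.
PREFIX_LOCATIONS = {
    "203.0.113.0/24": "ISP-A, Seattle area (constructed)",
    "198.51.100.0/24": "ISP-B, Portland area (constructed)",
    "192.0.2.0/24": "Mobile carrier (constructed)",
}
_NETS = [(ipaddress.ip_network(p), loc) for p, loc in PREFIX_LOCATIONS.items()]


def locate(ip: str) -> str:
    """Longest-prefix match of an address against the constructed table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, loc in _NETS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, loc)
    return best[1] if best else "unknown"


@dataclass
class Period:
    start: int   # first timestamp at which the address was seen
    end: int     # last timestamp at which the address was seen
    ip: str
    location: str


def track(observations):
    """Collapse a sequence of (timestamp, ip) lookups into address periods.

    Consecutive lookups returning the same address extend the current
    period; a different address starts a new one.  A failed lookup
    (ip is None) closes the current period without opening a new one.
    """
    periods = []
    current = None
    for ts, ip in observations:
        if ip is None:
            current = None
            continue
        if current is not None and current.ip == ip:
            current.end = ts
            continue
        current = Period(ts, ts, ip, locate(ip))
        periods.append(current)
    return periods


def resolve_once(hostname: str) -> Optional[str]:
    """One live A-record lookup with the system resolver (needs network)."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


# Constructed observation log: what hourly lookups of one hostname might
# return over a day.  Timestamps are seconds from the start of monitoring.
SAMPLE_OBSERVATIONS = [
    (0, "203.0.113.45"), (3600, "203.0.113.45"), (7200, "203.0.113.45"),
    (10800, None),                 # lookup failed: host offline
    (14400, "192.0.2.17"),         # now on a mobile-carrier address
    (18000, "192.0.2.17"),
    (21600, "198.51.100.9"),       # a different ISP: the user has moved
    (25200, "198.51.100.9"),
]

if __name__ == "__main__":
    for p in track(SAMPLE_OBSERVATIONS):
        print(f"{p.start:>6}-{p.end:>6}  {p.ip:<15}  {p.location}")
```

To run it against a real hostname, call resolve_once() on a schedule and feed the (timestamp, result) pairs to track(); the period boundaries, not the individual lookups, are what reveal when the user moved between networks.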

An Analysis of Abusive Usenet Postings

Abusive messages are a common problem on many Usenet groups. These can range from childish insults to outright threats of violence. They represent a nuisance comparable to spam and, like spam, there is not a lot that can be done about them as the original senders often disguise their identities.

But in some cases one can uncover information about the origin of a message from the IP address of the NNTP posting host, which many news servers record in an NNTP-Posting-Host or X-Trace header. Reverse DNS and WHOIS lookups on that address can identify the user's ISP and sometimes their approximate geographic location. If a particular individual is suspected of being the source of the messages, one can correlate the IP addresses of the abusive postings with other activities of that user, such as email or visits to a web site, at around the same time. Provided the address was not reassigned to someone else in the meantime, that can support or undermine the linkage between the user and the abusive messages.
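The correlation described above, as an added example that is not Mr. Mottershead's or Dr. Jones's analysis code. It extracts the posting host from each article's headers, attaches a reverse-DNS name, and looks for web-server hits from the same address within a time window of the article's Date header. The articles, the access-log lines and the reverse-DNS table are all constructed; the X-Trace line in particular only illustrates one of the formats servers use, so the fallback that scans it for a dotted quad is a heuristic.

```python
"""Correlate the posting hosts of Usenet articles with other activity.

Added example, not the analysis code used in the USCF case.  The articles,
access-log lines and reverse-DNS table are constructed for illustration.
"""
import re
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed Usenet articles (headers only; bodies omitted).
ARTICLES = [
    """From: "J. Candidate" <candidate@example.org>
Newsgroups: rec.games.chess.politics
Subject: Re: Board election
Date: Mon, 05 Nov 2007 21:14:02 -0500
Message-ID: <a1@example.net>
NNTP-Posting-Host: 203.0.113.45
""",
    """From: "Someone Else" <else@example.org>
Newsgroups: rec.games.chess.politics
Subject: Re: Board election
Date: Tue, 06 Nov 2007 08:02:40 -0500
Message-ID: <a2@example.net>
X-Trace: news.example.net 1194354160 203.0.113.45 (6 Nov 2007 13:02:40 GMT)
""",
    """From: "Real Person" <real@example.com>
Newsgroups: rec.games.chess.politics
Subject: Re: Board election
Date: Tue, 06 Nov 2007 12:30:00 -0500
Message-ID: <a3@example.net>
NNTP-Posting-Host: 198.51.100.9
""",
]

# Constructed Apache combined-format access log from a site the suspect uses.
ACCESS_LOG = """203.0.113.45 - - [05/Nov/2007:21:09:55 -0500] "GET /members/login HTTP/1.1" 200 1532
198.51.100.9 - - [06/Nov/2007:12:25:10 -0500] "GET /forum/ HTTP/1.1" 200 8812
192.0.2.17 - - [06/Nov/2007:13:00:00 -0500] "GET / HTTP/1.1" 200 512
"""

# Constructed stand-in for reverse DNS (PTR) lookups.
REVERSE_DNS = {
    "203.0.113.45": "c-203-0-113-45.hsd1.example-isp.net",
    "198.51.100.9": "dsl-9.example-telecom.net",
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def posting_ip(raw_article: str):
    """Posting host from NNTP-Posting-Host, else the first dotted quad in
    X-Trace (heuristic: X-Trace layouts differ between servers)."""
    msg = message_from_string(raw_article)
    host = (msg.get("NNTP-Posting-Host") or "").strip()
    if IPV4.fullmatch(host):
        return host
    m = IPV4.search(msg.get("X-Trace", ""))
    return m.group(0) if m else None


def parse_access_log(text: str):
    """Parse combined-format lines into dicts with an aware datetime."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the format
        ip, ts, request, status, _size = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        entries.append({"ip": ip, "when": when, "request": request,
                        "status": int(status)})
    return entries


def correlate(articles, log_entries, window=3600):
    """For each article, list log hits from its posting IP within `window`
    seconds of the Date header.  Returns {message_id: {ip, rdns, hits}}."""
    by_ip = {}
    for e in log_entries:
        by_ip.setdefault(e["ip"], []).append(e)
    result = {}
    for raw in articles:
        msg = message_from_string(raw)
        ip = posting_ip(raw)
        posted = parsedate_to_datetime(msg["Date"])
        hits = []
        for e in by_ip.get(ip, []):
            delta = int(abs((e["when"] - posted).total_seconds()))
            if delta <= window:
                hits.append((e, delta))
        hits.sort(key=lambda h: h[1])
        result[msg["Message-ID"]] = {"ip": ip,
                                     "rdns": REVERSE_DNS.get(ip, "no PTR"),
                                     "hits": hits}
    return result


if __name__ == "__main__":
    for mid, info in correlate(ARTICLES, parse_access_log(ACCESS_LOG)).items():
        print(mid, info["ip"], info["rdns"])
        for entry, delta in info["hits"]:
            print(f"   {delta:>5}s  {entry['request']}")
```

A hit within the window strengthens the linkage; an article with no hit (the second one above) does not clear anyone, it only means the log holds no activity from that address at that time. Dynamic addresses can be reassigned within hours, so the window should be kept short and the result read alongside the reverse-DNS name and WHOIS allocation.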

In 2007 Brian Mottershead, a systems administrator with the United States Chess Federation (USCF), performed this type of analysis on a series of abusive Usenet posts in which the sender impersonated other individuals. These messages were suspected of being an attempt to discredit certain candidates in the run-up to an election to the USCF Executive Board.

The strong personalities and opinions of some of the USCF members involved in this issue led to a storm of accusations and a lawsuit. The case was reported in the New York Times.
Chess Group Officials Accused of Using Internet to Hurt Rivals
The Lawsuit Against Polgar and Truong: A Closer Look

In November 2007 Dr. Robert Jones was asked by a USCF member to review the data used by Mr. Mottershead and provide an independent assessment of his report. Our report on the case is available here (PDF). The core technical conclusions were in agreement with those of Mr. Mottershead.