IP Address Investigation
IP addresses are the digital fingerprints left by devices on networks. Every online activity - from sending emails to accessing websites to committing cyber crimes - involves IP addresses. Tracing an IP address to its user is a fundamental skill in cyber crime investigation.
However, IP tracing is not as straightforward as it may seem. Dynamic IP assignment, NAT, VPNs, proxies, and the need for legal process all create challenges that investigators must navigate.
- Obtain IP address from evidence (email headers, server logs, CDR/IPDR)
- Perform WHOIS lookup to identify the ISP/organization
- Determine if IP is residential, commercial, or VPN/proxy
- Initiate legal process to ISP for subscriber information
- Correlate timestamp with ISP's DHCP/NAT logs
- Identify the specific user assigned that IP at that time
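The first step of the procedure above, pulling the originating IP and a timezone-aware timestamp out of email headers, as an added example that is not part of the original module. The headers, addresses and names below are constructed placeholders; the output is formatted the way the Section 91 notice on this page asks for it.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers, as exported from a complainant's mailbox.
# Hosts and addresses are documentation placeholders, not real evidence.
SAMPLE_HEADERS = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
        by mx.victim.example (Postfix) with ESMTPS id 4F2A1
        for <victim@victim.example>; Tue, 05 Mar 2024 08:14:22 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
        by mail.example.net (Postfix) with ESMTPSA id 9C3B7;
        Tue, 05 Mar 2024 13:44:01 +0530
From: sender@example.net
To: victim@victim.example
Subject: test
Date: Tue, 05 Mar 2024 13:43:58 +0530

body
"""

IST = timezone(timedelta(hours=5, minutes=30))
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_hop(raw_headers):
    """Return (ip, utc_time, ist_time) for the earliest Received hop.

    Each relay prepends its own Received header, so the last one in the
    list is the first hop: the server that accepted the message from the
    sender's device. Its bracketed IP is the one to take to WHOIS/the ISP.
    """
    msg = message_from_string(raw_headers)
    hops = msg.get_all("Received") or []
    if not hops:
        raise ValueError("no Received headers in evidence")
    first_hop = hops[-1].replace("\n", " ")
    ip_match = IP_RE.search(first_hop)
    if not ip_match:
        raise ValueError("no bracketed IP in first Received hop")
    # The relay's timestamp follows the final ';' and carries its UTC offset.
    stamp = parsedate_to_datetime(first_hop.rsplit(";", 1)[1].strip())
    return ip_match.group(1), stamp.astimezone(timezone.utc), stamp.astimezone(IST)


def notice_fields(raw_headers):
    """Format the hop as the two fields the ISP notice needs, in IST."""
    ip, _utc, ist = originating_hop(raw_headers)
    return {"IP Address": ip,
            "Date and Time": ist.strftime("%d/%m/%Y %H:%M:%S (IST)")}
```

Keep the UTC value alongside the IST one: ISP DHCP/NAT logs may be kept in either, and a wrong offset points at a different subscriber.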
WHOIS Lookup
WHOIS is a protocol for querying databases that store information about IP address allocations. It reveals who owns an IP address block, which is essential for knowing where to send legal requests.
Key information to extract from WHOIS:
- Organization/Network Name: Identifies the ISP to approach for subscriber data
- Country: Determines jurisdiction and applicable legal process
- Abuse Contact: Email for initial contact and emergency requests
- IP Range/CIDR: Helps identify if IP is part of residential, corporate, or data center block
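Extracting the four items listed above from a WHOIS response, as an added example that is not part of the original module. The response below is a constructed record in the APNIC/RIPE key:value style; the range, names and abuse contact are placeholders.

```python
import ipaddress

# Constructed WHOIS response in RIR key:value format. The allocation,
# organisation and contact are placeholders, not a real record.
SAMPLE_WHOIS = """\
% Information related to '198.51.100.0 - 198.51.100.255'

inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-BROADBAND-IN
descr:          Example Broadband Pvt Ltd
country:        IN
admin-c:        EB1-AP
abuse-mailbox:  abuse@example-broadband.invalid
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-EXAMPLE-IN
last-modified:  2023-11-02T04:10:15Z
source:         APNIC
"""


def parse_whois(text):
    """Collect key/value lines into a dict; repeated keys become lists."""
    fields = {}
    for line in text.splitlines():
        if not line or line.startswith("%") or ":" not in line:
            continue  # blank lines and server comments carry no data
        key, value = (part.strip() for part in line.split(":", 1))
        fields.setdefault(key, []).append(value)
    return fields


def whois_summary(text):
    """Pull out organisation, country, abuse contact and CIDR block(s)."""
    fields = parse_whois(text)

    def first(key):
        return fields.get(key, [""])[0]

    # inetnum is a start-end range; convert it to CIDR for later matching.
    start, end = (s.strip() for s in first("inetnum").split("-"))
    cidrs = ipaddress.summarize_address_range(ipaddress.ip_address(start),
                                              ipaddress.ip_address(end))
    return {"organization": first("descr") or first("netname"),
            "netname": first("netname"),
            "country": first("country"),
            "abuse_contact": first("abuse-mailbox"),
            "cidr": [str(net) for net in cidrs]}


def covers(summary, ip_str):
    """Confirm the evidence IP actually falls inside the returned block."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in ipaddress.ip_network(c) for c in summary["cidr"])
```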
Practical Tool: IP Lookup
The course's IP Lookup Tool performs WHOIS lookups and geolocation queries and gathers intelligence on IP addresses: it identifies the ISP, the approximate location, and whether an IP belongs to a VPN/proxy service.
IP Geolocation
IP geolocation databases estimate the physical location associated with an IP address. That estimate is too coarse and too often wrong to be relied on for:
- Determining a suspect's physical location
- Establishing jurisdiction for prosecution
- Obtaining search warrants based solely on IP location
IP geolocation typically resolves to where the IP block is registered, which may be the ISP's network operations centre rather than the user's location. Always obtain the actual address through proper legal process with the ISP.
VPN and Proxy Detection
Criminals often use VPNs, proxies, and anonymization services to hide their real IP addresses. Identifying when an IP belongs to such a service changes the investigation approach.
🔒 VPN Services
Virtual Private Networks route traffic through servers in other locations.
- IP registered to known VPN provider
- Data center IP, not residential ISP
- Location mismatch with user's claimed location
- Multiple users sharing same IP
🌐 Proxy Servers
Intermediate servers that relay requests on behalf of users.
- HTTP headers showing proxy use
- X-Forwarded-For header present
- IP belongs to hosting provider
- Open proxy database matches
🕵 Tor Network
Anonymity network routing through multiple encrypted nodes.
- IP matches known Tor exit node
- Public Tor exit node lists available
- Very difficult to trace original IP
- Often used for serious crimes
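Checking an evidence IP against the VPN, proxy and Tor indicators listed above and mapping the result to the next investigative step, as an added example that is not part of the original module. The exit-node set and address ranges are constructed placeholders; a real check would load a current Tor exit list and a data-centre/VPN range feed.

```python
import ipaddress

# Constructed reference data (documentation ranges), not real feeds.
TOR_EXIT_NODES = {"192.0.2.44", "192.0.2.45"}
VPN_PROVIDER_RANGES = [ipaddress.ip_network("203.0.113.0/26")]
DATA_CENTER_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                      ipaddress.ip_network("2001:db8:1::/48")]


def classify_ip(ip_str, http_headers=None):
    """Return the indicators from this page that match the IP and headers."""
    ip = ipaddress.ip_address(ip_str)
    headers = {k.lower(): v for k, v in (http_headers or {}).items()}
    indicators = []
    if ip_str in TOR_EXIT_NODES:
        indicators.append("tor_exit_node")
    if any(ip in net for net in VPN_PROVIDER_RANGES):
        indicators.append("known_vpn_provider")
    if any(ip in net for net in DATA_CENTER_RANGES):
        indicators.append("data_center_not_residential")
    if "x-forwarded-for" in headers or "via" in headers:
        indicators.append("proxy_headers_present")
    return indicators


def forwarded_chain(http_headers):
    """Split X-Forwarded-For into its hop list (leftmost = claimed client).

    The values are supplied by whoever relayed the request, so they are
    leads to verify with the relay operator, not proof of the original IP.
    """
    headers = {k.lower(): v for k, v in (http_headers or {}).items()}
    raw = headers.get("x-forwarded-for", "")
    return [hop.strip() for hop in raw.split(",") if hop.strip()]


def investigation_path(ip_str, http_headers=None):
    """Map the strongest indicator to the next step described on this page."""
    ind = classify_ip(ip_str, http_headers)
    if "tor_exit_node" in ind:
        return "tor: original IP very difficult to trace; correlate other evidence"
    if "known_vpn_provider" in ind:
        return "vpn: legal process to VPN provider, payment trail, device forensics"
    if "proxy_headers_present" in ind:
        return "proxy: verify X-Forwarded-For chain with the relay operator"
    if "data_center_not_residential" in ind:
        return "hosting: request customer details from the hosting provider"
    return "residential: preservation request, then Section 91 CrPC notice to ISP"
```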
When you encounter a VPN IP, the investigation doesn't end - it redirects:
- Request VPN provider logs: Some VPN providers maintain connection logs despite "no-log" claims. Legal process may yield results.
- Payment trail: VPN subscriptions often have payment records that can identify users.
- Alternative evidence: Look for moments when VPN was disconnected, exposing real IP.
- Correlation: Match VPN connection times with other evidence (login patterns, activity timing).
- Device forensics: VPN apps on seized devices may contain account information.
Legal Process for Subscriber Information
Once you have identified the ISP through WHOIS, proper legal process is required to obtain subscriber information. The exact address of a user cannot be determined from IP alone - it requires ISP records.
Steps to Obtain Subscriber Details
Document the IP and Timestamp
Record the exact IP address and precise timestamp (including timezone) from your evidence source. ISPs need both to identify the subscriber due to dynamic IP allocation.
Identify the ISP
Use WHOIS to determine which ISP owns the IP address. In India the major ISPs include Jio, Airtel, BSNL, Vi and ACT.
Send Preservation Request
Immediately send a preservation request to the ISP to prevent deletion of logs. Most ISPs retain DHCP/NAT logs only for limited periods.
Initiate Legal Process
Send Section 91 CrPC notice or obtain court order directing ISP to provide subscriber details. Include: IP address, exact timestamp with timezone, case details, and specific information requested.
Obtain Subscriber Details
ISP responds with: Customer name, registered address, KYC documents, contact details, and CAF (Customer Application Form).
Key elements to include in Section 91 CrPC notice to ISP:
- FIR number, date, and police station
- Sections under which case registered
- IP Address: xxx.xxx.xxx.xxx
- Date and Time: DD/MM/YYYY HH:MM:SS (IST)
- Request for: Subscriber details, KYC, CAF, address, mobile number
- Legal provision: Section 91 CrPC / Section 175 BNSS
- Timeline for compliance
- Consequences of non-compliance
Key Takeaways
- WHOIS lookup identifies the ISP - essential for knowing where to send legal requests
- IP geolocation is not accurate enough for determining physical addresses
- Always request subscriber information with exact timestamp and timezone
- VPN/proxy detection changes investigation approach but doesn't end it
- Send preservation requests immediately - ISPs have limited log retention
- Section 91 CrPC (or 175 BNSS) is the primary legal tool for obtaining ISP records
- Dynamic IP and NAT mean the same IP may be used by different users at different times
- Correlate IP evidence with other sources for stronger case building
Module 3 Complete!
Congratulations! You have completed all six parts of Network & Communication Forensics. Test your knowledge with the module quiz.