Introduction
IP address tracing is a fundamental skill in cyber crime investigation. Every packet that reaches the internet carries a source IP address that can be tied to the network it was allocated to and, through the ISP's records, to a subscriber. An IP address identifies a connection, not a person: behind NAT (and carrier-grade NAT on most mobile networks) many devices and subscribers share one public address at the same time, so the exact timestamp, and often the source port, matter as much as the address itself. This section will teach you how to trace IP addresses, use WHOIS lookup, detect VPNs and proxies, and perform geo-location.
After this part, you will be able to trace IP addresses, perform WHOIS lookup, identify VPN and proxy usage, and use geo-location techniques to identify the physical location of an IP address.
IP Address Tracing
IP tracing is the process of finding who holds an IP address (the organisation the block is registered to and, behind it, the subscriber using the address at a given time) and its approximate physical location. It is often the first step in identifying cyber criminals.
Steps for IP Tracing
- Obtain IP Address: From email headers, server logs, or network traffic, together with the exact timestamp and timezone of the event
- Identify IP Type: Check whether it is public or private (RFC 1918), loopback, link-local or CGNAT shared space (100.64.0.0/10); only a public address can be looked up, and a private or shared address in a log means the traffic was captured behind a NAT. Check also whether it is static or dynamic: a dynamic address is reassigned over time, so the subscriber can only be identified for a specific moment
- WHOIS Lookup: Find the organisation the IP block is registered to, usually the ISP
- Geo-location: Determine approximate physical location
- ISP Contact: Request subscriber details through legal process
Where to Find IP Addresses
Email Headers
Each mail server that handles a message adds a Received header above the existing ones, so the bottom-most Received header describes the first hop and its bracketed IP is usually the sending client. Only the headers added by servers you trust (your own, or a provider that will certify its logs) are reliable; the sender controls everything below them and can forge it. X-Originating-IP is added by some webmail services to record the client's address, and a Received header marked ESMTPA or ESMTPSA shows that the server authenticated the client, which ties the IP to an account.
Server Logs
Web servers, FTP servers, and application logs record client IP addresses, provided they are configured to. Behind a CDN, reverse proxy or load balancer the logged address is the proxy's own; the client address is then only available in a header such as X-Forwarded-For, and only if the proxy adds it.
Website Analytics
Analytics and CDN services see visitor IP addresses, but whether they retain and disclose them depends on the provider (Google Analytics, for example, does not expose individual visitor IPs to the site owner), so the server's own logs are usually the better source.
Chat Applications
Some applications log IP addresses in their databases.
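The following is an added example (not code from the original page) that carries out the first two steps above on the most common source, email headers: it walks the Received chain from the bottom up, classifies every bracketed address so that private, link-local and CGNAT addresses are ignored, records whether the hop was an authenticated submission, and normalises each hop's timestamp to UTC. The headers are a constructed sample that uses the documentation ranges (203.0.113.0/24, 198.51.100.0/24) as stand-ins for public addresses; the `trusted_hops_from_top` parameter is an assumption of this example, expressing how many headers were written by servers you trust.

```python
import email
import email.utils
import ipaddress
import re
from datetime import timezone

# Address blocks that never identify an internet subscriber on their own. The
# documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are
# deliberately absent because the constructed sample below uses them as
# stand-ins for public addresses.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128",                          # loopback
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "fc00::/7",                                        # IPv6 unique local
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "100.64.0.0/10",                                   # CGNAT shared space (RFC 6598)
)]

BRACKET_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
AUTH_SUBMIT_RE = re.compile(r"\bE?SMTPS?A\b")   # ESMTPA / ESMTPSA: authenticated client

# Constructed sample headers (not a real message). Read bottom-up: the client
# at 203.0.113.118 (LAN address 192.168.1.20) authenticated to its provider's
# server mail.example.net, which relayed the message to the victim's domain.
SAMPLE_HEADERS = """\
Received: from mx2.example.org (mx2.example.org [198.51.100.7])
    by inbox.example.org (Postfix) with ESMTPS id 3F2A1C0
    for <victim@example.org>; Mon, 06 Jan 2025 10:21:33 +0530
Received: from mail.example.net (mail.example.net [203.0.113.25])
    by mx2.example.org (Postfix) with ESMTPS id 7B91D
    for <victim@example.org>; Mon, 06 Jan 2025 10:21:31 +0530
Received: from [192.168.1.20] (unknown [203.0.113.118])
    by mail.example.net (Postfix) with ESMTPSA id 9A7F1;
    Mon, 06 Jan 2025 10:21:30 +0530
From: someone@example.net
To: victim@example.org
Subject: constructed sample

"""


def classify_ip(text):
    """(normalised address, category) or None if text is not an IP address."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:   # ::ffff:a.b.c.d
        addr = addr.ipv4_mapped
    for net in NON_ROUTABLE:
        if addr.version == net.version and addr in net:
            return str(addr), "non-routable (%s)" % net.with_prefixlen
    return str(addr), "public"


def received_hops(raw_headers):
    """The Received chain as a list of hops, earliest (bottom-most) first."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # relays prepend, so reverse
        value = " ".join(value.split())                     # unfold continuation lines
        found = [c for c in map(classify_ip, BRACKET_IP_RE.findall(value)) if c]
        public = [ip for ip, cat in found if cat == "public"]
        stamp = None
        if ";" in value:                                    # timestamp follows the last ';'
            try:
                stamp = email.utils.parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                stamp = None
        hops.append({
            "addresses": found,
            "public_ip": public[0] if public else None,
            "authenticated_submission": bool(AUTH_SUBMIT_RE.search(value)),
            "utc_time": stamp.astimezone(timezone.utc).isoformat() if stamp else None,
        })
    return hops


def originating_ip(raw_headers, trusted_hops_from_top):
    """Earliest public address within the part of the chain you can trust.
    trusted_hops_from_top: number of Received headers, counted from the top
    of the message, added by servers you control or trust. Everything below
    them was written on the sender's side and may have been forged."""
    hops = received_hops(raw_headers)
    n = min(max(trusted_hops_from_top, 0), len(hops))
    for hop in hops[len(hops) - n:]:
        if hop["public_ip"]:
            return {"ip": hop["public_ip"], "utc_time": hop["utc_time"],
                    "authenticated_submission": hop["authenticated_submission"]}
    return None


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(SAMPLE_HEADERS), 1):
        print("hop %d: %s at %s (auth=%s)" % (i, hop["public_ip"], hop["utc_time"],
                                              hop["authenticated_submission"]))
    print("origin, trusting all hops:", originating_ip(SAMPLE_HEADERS, 3))
```

With all three hops trusted the origin is 203.0.113.118 at 04:51:30 UTC, submitted through an authenticated session, which is the address and time to put in the request to that provider. Trusting only the top two headers yields 203.0.113.25 instead: the sender's provider, which is then the party to ask for its submission logs.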
Command Line Tools
WHOIS Lookup
WHOIS is a query/response protocol (TCP port 43) that returns registration information for domain names, IP address blocks and AS numbers. It is one of the most important tools for cyber crime investigation.
WHOIS for IP Addresses
WHOIS lookup for an IP address provides:
- Network Owner: Organization that owns the IP block
- Address Range: CIDR notation of the IP block
- Contact Information: Technical and abuse contacts
- Regional Registry: Which RIR allocated the IP
- Country: Country the holder reported for the block, which is not necessarily where the addresses are used
Regional Internet Registries (RIRs)
| RIR | Region | WHOIS Server |
|---|---|---|
| ARIN | North America | whois.arin.net |
| RIPE NCC | Europe, Middle East, Central Asia | whois.ripe.net |
| APNIC | Asia Pacific (including India, whose national registry IRINN operates under APNIC) | whois.apnic.net |
| LACNIC | Latin America | whois.lacnic.net |
| AFRINIC | Africa | whois.afrinic.net |
Sample WHOIS Output
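The following is an added example, not output or code from the original page: a constructed WHOIS response in the "key: value" object format used by APNIC and RIPE (addresses from the 203.0.113.0/24 documentation range, AS64496 from the documentation ASN range, invented names), a parser that reduces it to the fields an investigator records, and a raw port-43 query function. The `KEY_ALIASES` mapping also covers the differently named ARIN fields (NetRange, OrgName, OrgAbuseEmail, OriginAS); the field names in the summary dict are this example's own choice.

```python
import ipaddress
import socket

# Constructed sample reply; nothing in it is real registry data.
SAMPLE_WHOIS = """\
% Constructed sample, not output from a real registry.

inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-BB-IN
descr:          Example Broadband Pvt Ltd
country:        IN
admin-c:        EX1-AP
tech-c:         EX1-AP
abuse-c:        AE1-AP
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-EXAMPLE-IN
last-modified:  2024-03-01T08:00:00Z
source:         APNIC

irt:            IRT-EXAMPLE-IN
address:        Example Broadband Pvt Ltd, Mumbai
e-mail:         noc@example.in
abuse-mailbox:  abuse@example.in
source:         APNIC

route:          203.0.113.0/24
descr:          Example Broadband
origin:         AS64496
source:         APNIC
"""

# RIPE/APNIC keys on the left, ARIN keys alongside; both map to one field name.
KEY_ALIASES = {
    "inetnum": "range", "inet6num": "range", "netrange": "range",
    "netname": "netname",
    "descr": "org", "orgname": "org", "org-name": "org",
    "country": "country",
    "abuse-mailbox": "abuse", "orgabuseemail": "abuse",
    "origin": "asn", "originas": "asn",
    "source": "rir",
    "cidr": "cidr",
}


def parse_whois_objects(text):
    """Split a reply into objects (blank-line separated). Each object is a
    dict of lowercase key -> list of values; comment lines (% or #) are dropped."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        if line[0] in "%#" or ":" not in line:
            continue
        key, _, value = line.partition(":")          # split at the first colon only
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def range_to_cidrs(range_text):
    """'203.0.113.0 - 203.0.113.255' -> ['203.0.113.0/24']"""
    first, _, last = range_text.partition("-")
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip()))
    return [str(n) for n in nets]


def summarize_whois(text):
    """Collapse the objects into the fields an investigator records. The first
    object that carries a field wins, which is the allocation object itself."""
    summary = {}
    for obj in parse_whois_objects(text):
        for key, values in obj.items():
            field = KEY_ALIASES.get(key)
            if field and field not in summary:
                summary[field] = values[0]
    if "range" in summary and "cidr" not in summary:
        summary["cidr"] = ",".join(range_to_cidrs(summary["range"]))
    return summary


def whois_query(server, query, timeout=10):
    """Raw WHOIS: open TCP port 43, send the query plus CRLF, read to EOF.
    This is a live network call and is not exercised by the offline sample."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


if __name__ == "__main__":
    for field, value in summarize_whois(SAMPLE_WHOIS).items():
        print("%-8s %s" % (field, value))
```

Querying the wrong RIR returns a referral rather than the record, so start at the RIR for the region (whois.apnic.net for Indian space) or at a server that follows referrals. The abuse mailbox is the address for a preservation request; the subscriber details themselves come only through the legal process described later. All five RIRs also publish the same records over RDAP (JSON over HTTPS), which is easier to parse reliably than this free-text format.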
WHOIS Tools
Many domain registrars offer WHOIS privacy services that hide registrant information for domain names. In such cases, you need to contact the privacy service provider (or the registrar) with legal documentation to obtain the actual registrant details. IP address blocks are different: RIR records for an allocation carry the holder organisation and a published abuse contact, so the WHOIS result for an IP normally leads straight to the ISP.
VPN and Proxy Detection
Criminals often use VPNs (Virtual Private Networks) and proxies to hide their real IP addresses. Detecting these is an important skill for investigators.
Types of Anonymization Services
VPN (Virtual Private Network)
Encrypts all traffic between the user and the VPN server and sends it out through that server; the destination sees the server's IP address, which may be in another country.
Proxy Server
Acts as an intermediary for requests, usually without encryption. HTTP and SOCKS proxies are common; anonymous proxies strip identifying headers, while transparent ones add headers such as X-Forwarded-For.
Tor (The Onion Router)
Routes traffic through several volunteer relays with layered encryption; the destination sees only the exit relay's IP address. Exit relay addresses are published, so Tor use is easy to detect, but the origin cannot be recovered from the IP alone.
Residential Proxies
Use real residential IPs, often on consumer devices enrolled through apps or malware, so the address belongs to an ordinary ISP subscriber and is far harder to tell apart from a genuine home user than a datacenter IP.
VPN/Proxy Detection Techniques
| Technique | Description |
|---|---|
| IP Database Check | Use databases like MaxMind or IP2Location to check whether the IP belongs to a known VPN, proxy or hosting provider |
| PTR Record Check | Reverse DNS may reveal a VPN provider's naming scheme (e.g., vpn-123.nordvpn.com); many VPN servers have no PTR record at all, so absence proves nothing |
| Port Scanning | Open VPN service ports (1194 OpenVPN, 500/4500 IKE/IPsec, 51820 WireGuard) suggest a VPN server; 443 alone is no evidence, since every web server has it open. Scan only with authorisation |
| ASN Analysis | Check whether the ASN belongs to a hosting or VPN provider rather than a consumer ISP; a home user rarely connects from a datacenter network |
| Tor Exit Node List | Check against the published list of Tor exit relays |
| HTTP Headers | X-Forwarded-For, Via and Forwarded headers are added only by non-anonymous proxies and can be forged by any client, so treat them as hints rather than proof |
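The techniques in the table combined into one scoring check, as an added example that is not part of the original page. The PTR, ASN and port data are passed in as already-gathered facts (the example does not scan anything itself), and the Tor list, the hosting/VPN ASN table (documentation ASNs 64496 and 64497 with invented names) and the weights are all constructed for illustration; a real deployment would load the bulk exit list and a commercial IP-intelligence feed instead.

```python
import ipaddress
import re

# Constructed reference data standing in for a commercial IP-intelligence
# database, a hosting/VPN ASN list and the Tor bulk exit list. Nothing here
# is real; the ASNs come from the 64496-64511 documentation range.
HOSTING_ASNS = {64496: "Example Cloud Hosting", 64497: "Example VPN Ltd"}
TOR_EXIT_LIST = """\
203.0.113.200
203.0.113.201
2001:db8::ee
"""
ANON_TOKENS = {"vpn", "proxy", "tor", "exit", "relay", "socks"}
PORT_HINTS = {   # weight, meaning; 443 is ubiquitous, so it barely counts
    1194: (25, "OpenVPN"), 51820: (25, "WireGuard"), 500: (20, "IKE/IPsec"),
    4500: (20, "IKE NAT-T"), 1080: (20, "SOCKS"), 3128: (15, "Squid proxy"),
    443: (5, "HTTPS (ubiquitous, weak signal)"),
}


def parse_exit_list(text):
    """One address per line, the format of the Tor bulk exit list."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            exits.add(ipaddress.ip_address(line))
    return exits


def ptr_tokens(hostname):
    """Words in a reverse-DNS name: 'vpn-123.example.com' -> {'vpn','example','com'}."""
    return {t for t in re.split(r"[.\-_0-9]+", hostname.lower()) if t}


def proxy_headers(headers):
    """Proxy traces in HTTP request headers. Only non-anonymous proxies add
    them and any client can forge them, so they are hints, never proof."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    found = []
    if "x-forwarded-for" in hdrs:
        # Leftmost entry is the client address as claimed by the first proxy.
        found.append(("x-forwarded-for", [h.strip() for h in hdrs["x-forwarded-for"].split(",")]))
    for name in ("via", "forwarded", "x-real-ip"):
        if name in hdrs:
            found.append((name, hdrs[name]))
    return found


def assess(ip, ptr=None, asn=None, open_ports=(), headers=None, tor_exits=frozenset()):
    """Combine the indicators into a score and the reasons behind it."""
    addr = ipaddress.ip_address(ip)
    score, reasons = 0, []
    if addr in tor_exits:
        score += 100
        reasons.append("listed Tor exit relay")
    if ptr and ptr_tokens(ptr) & ANON_TOKENS:
        score += 40
        reasons.append("PTR record suggests VPN/proxy: " + ptr)
    if asn in HOSTING_ASNS:
        score += 30
        reasons.append("AS%d is a hosting/VPN network (%s)" % (asn, HOSTING_ASNS[asn]))
    for port in open_ports:
        if port in PORT_HINTS:
            weight, meaning = PORT_HINTS[port]
            score += weight
            reasons.append("port %d open: %s" % (port, meaning))
    for name, value in proxy_headers(headers or {}):
        score += 30 if name in ("x-forwarded-for", "via") else 10
        reasons.append("proxy header %s: %s" % (name, value))
    if addr in tor_exits:
        verdict = "Tor exit relay: origin not recoverable from the IP"
    elif score >= 50:
        verdict = "likely VPN/proxy"
    elif score >= 20:
        verdict = "weak indicators, corroborate"
    else:
        verdict = "no anonymisation indicator"
    return {"ip": str(addr), "score": score, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    exits = parse_exit_list(TOR_EXIT_LIST)
    print(assess("203.0.113.200", tor_exits=exits))
    print(assess("203.0.113.50", ptr="vpn-123.example.com", asn=64497, open_ports=[1194, 443]))
    print(assess("203.0.113.9", ptr="dsl-203-0-113-9.example.in", open_ports=[443]))
```

The verdict carries its reasons so that the report can show which indicator drove it. A Tor exit is handled separately from the score because it is conclusive about the IP and, at the same time, a dead end for tracing: the next step is the other evidence (timestamps, leaks, mistakes) listed below, not the exit relay's operator.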
VPN Detection Tools
- IPHub: API for VPN/proxy/hosting detection
- ip-api.com: Provides VPN/proxy detection in API
- Shodan: Identifies open ports and services
- Tor Project Exit List: check.torproject.org (the bulk list of exit relay addresses, one per line, is served at check.torproject.org/torbulkexitlist)
- AbuseIPDB: Community database of malicious IPs
If a VPN is detected, the investigation doesn't end. Options include:
- Request logs from VPN provider (if they maintain logs)
- Analyze timestamps to correlate with other evidence
- Look for IP leaks (WebRTC, DNS leaks)
- Check if user made mistakes revealing real IP elsewhere
Geo-location
IP geo-location is the technique of determining the physical location of an IP address. While not 100% accurate, it provides a good starting point for investigation.
How IP Geo-location Works
Geo-location databases use various data sources:
- RIR Data: Regional registries provide country-level accuracy
- ISP Data: Internet service providers provide city-level data
- User Data: Aggregated from websites, GPS, Wi-Fi, etc.
- Latency Measurements: Network latency helps triangulate location
Accuracy Levels
| Level | Accuracy | Notes |
|---|---|---|
| Country | 95-99% | Highly reliable |
| State/Region | 80-90% | Generally reliable |
| City | 50-80% | Varies by location |
| Postal Code | 30-50% | Often inaccurate |
| Street Level | Very Low | Not reliable for IP |
Limitations of IP Geo-location
- Mobile IPs: carriers pool subscribers behind CGNAT gateways, so the address geo-locates to the gateway or the carrier's registered address, not to the handset
- VPNs and proxies will show the server location, not the user's location
- Corporate networks may route all branch-office traffic through one central internet gateway
- IP assignments change over time, so use geo-location data from the date of the event, not today's
Always corroborate geo-location with other evidence.
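One way to corroborate a database's city-level claim is the latency check mentioned above: a round-trip time from a vantage point of known location puts a hard physical bound on how far away the target can be. The following is an added example, not code from the original page. The probe locations and RTTs are constructed (they are not real measurements) and the 100 km per millisecond of RTT is a rule-of-thumb bound derived from light in fibre travelling about 200 km/ms one way; real routes are longer than the great circle, so a target is normally well inside the bound.

```python
import math

EARTH_RADIUS_KM = 6371.0
# Light in fibre covers roughly 200 km per millisecond, so a round trip of
# t ms bounds the one-way great-circle distance to about 100 * t km. Real
# paths detour, so a host is usually much closer than the bound allows.
MAX_KM_PER_RTT_MS = 100.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def rtt_violations(claim_lat, claim_lon, measurements):
    """Landmarks whose RTT is too small for the claimed location to be true.
    measurements: iterable of (landmark name, lat, lon, rtt_ms).
    Returns (name, distance_km, max_possible_km) for each violated bound."""
    violations = []
    for name, lat, lon, rtt_ms in measurements:
        distance = haversine_km(claim_lat, claim_lon, lat, lon)
        bound = rtt_ms * MAX_KM_PER_RTT_MS
        if distance > bound:
            violations.append((name, round(distance), round(bound)))
    return violations


def shortest_ping_estimate(measurements):
    """Crude estimate: the lowest-RTT landmark and the radius that RTT allows."""
    name, lat, lon, rtt_ms = min(measurements, key=lambda m: m[3])
    return {"landmark": name, "lat": lat, "lon": lon,
            "radius_km": rtt_ms * MAX_KM_PER_RTT_MS}


# Constructed measurements (not real probes): RTTs to the target from three
# vantage points. A geo-location database claims the target is in Mumbai.
MEASUREMENTS = [
    ("Singapore", 1.35, 103.82, 12.0),
    ("Chennai", 13.08, 80.27, 38.0),
    ("Mumbai", 19.08, 72.88, 52.0),
]
CLAIMED_MUMBAI = (19.08, 72.88)


def claim_is_possible(claim, measurements=MEASUREMENTS):
    """True when no landmark's RTT rules out the claimed coordinates."""
    return not rtt_violations(claim[0], claim[1], measurements)


if __name__ == "__main__":
    print("Mumbai claim possible:", claim_is_possible(CLAIMED_MUMBAI))
    print("violated bounds:", rtt_violations(*CLAIMED_MUMBAI, MEASUREMENTS))
    print("nearest landmark:", shortest_ping_estimate(MEASUREMENTS))
```

With these numbers the Mumbai claim fails: Singapore is about 3900 km from Mumbai, but a 12 ms round trip allows at most 1200 km, so the target cannot be where the database says. The check only ever refutes a location; it cannot confirm one, and the nearest-landmark estimate is only as good as the density of vantage points.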
Legal Process for IP Investigation
Steps to Identify Subscriber
- Document the IP: Record IP address, timestamp, timezone, and source
- WHOIS Lookup: Identify the ISP that owns the IP block
- Preservation Request: Send immediate preservation request to ISP
- Legal Request: Prepare Section 91/92 CrPC (or BNSS 94/95) request
- Submit to ISP: Submit through proper channel (nodal officer)
- Receive Subscriber Details: ISP provides subscriber information
Information ISPs Can Provide
- Subscriber name and address
- ID proof submitted during registration
- Contact number and email
- Service address and billing address
- MAC address of customer premises equipment
- Connection logs for the requested time period
Major ISP Nodal Officers
In India, major ISPs have dedicated nodal officers for law enforcement requests:
- Airtel: Nodal Officer handles requests for Airtel Broadband, Mobile, DTH
- Jio: Separate teams for different services
- BSNL: Circle-wise nodal officers
- Vodafone-Idea: Combined nodal team
- ACT Fibernet: City-wise contacts
ISPs typically require:
- FIR copy or court order
- Exact timestamp with timezone
- IP address (and the source port for addresses behind carrier-grade NAT, where many subscribers share one public address at the same moment; the port is only available if the server was logging it)
- Official letter on department letterhead
Response time varies from 24 hours to 2 weeks depending on ISP and case priority.
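The following is an added example (not code from the original page) of preparing the technical part of such a request from a web server log: it extracts the client IP and, when present, the source port, refuses timestamps that carry no UTC offset, and states the time in both UTC and IST. The two log lines are constructed; the first assumes an nginx log_format that begins with `$remote_addr:$remote_port` (Apache's equivalent is `%a:%{remote}p`), the second the stock combined format, which has no client port.

```python
import re
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30), "IST")

# Constructed nginx access-log lines (not from a real server). The first was
# written with a log_format that starts "$remote_addr:$remote_port"; the
# second uses the stock combined format, which does not log the client port.
LOG_LINES = [
    '203.0.113.118:51342 - - [06/Jan/2025:10:21:33 +0530] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.118 - - [06/Jan/2025:10:21:33 +0530] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# IPv4 client, optional ":port", the two ident/user fields, the bracketed
# timestamp and the quoted request line.
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d{1,5}))? \S+ \S+ '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)"'
)


def request_record(line):
    """Turn one log line into the fields an ISP request must carry.
    Raises ValueError when the line is unparseable or its timestamp has no
    UTC offset: a time without a timezone cannot be matched against the
    ISP's own logs."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: " + line)
    try:
        ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        raise ValueError("timestamp has no timezone offset: " + m["time"]) from None
    port = int(m["port"]) if m["port"] else None
    return {
        "ip": m["ip"],
        "source_port": port,
        "time_as_logged": m["time"],
        "time_utc": ts.astimezone(timezone.utc).isoformat(),
        "time_ist": ts.astimezone(IST).isoformat(),
        "request": m["request"],
        # Without the source port, an address in a CGNAT pool maps to every
        # subscriber sharing it at that second, not to one subscriber.
        "cgnat_resolvable": port is not None,
    }


def request_lines(record):
    """Plain-text block for the letter to the ISP's nodal officer."""
    lines = [
        "IP address : %s" % record["ip"],
        "Source port: %s" % (record["source_port"] if record["source_port"] else "NOT LOGGED"),
        "Time (UTC) : %s" % record["time_utc"],
        "Time (IST) : %s" % record["time_ist"],
        "Event      : %s" % record["request"],
    ]
    if not record["cgnat_resolvable"]:
        lines.append("Note: source port not logged; if the address is a CGNAT "
                     "pool the ISP cannot isolate a single subscriber")
    return lines


if __name__ == "__main__":
    for line in LOG_LINES:
        print("\n".join(request_lines(request_record(line))))
        print()
```

The second line produces a record without a port, which is the situation to avoid: if your servers sit behind a mobile-heavy user base, add the client port to the log format now, before the incident, because it cannot be recovered afterwards.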
Summary
- IP addresses can be found in email headers, server logs, website analytics, and application databases
- WHOIS lookup provides information about the registered owner of IP blocks
- RIRs (ARIN, APNIC, RIPE, etc.) maintain WHOIS databases for different regions
- VPNs, proxies, and Tor are commonly used to hide real IP addresses
- VPN detection combines IP databases, PTR records, ASN checks and port scans; each result is an indicator, not proof
- Geo-location accuracy decreases from country level (95%+) to street level (very low)
- Always include exact timestamp with timezone when requesting subscriber details from ISPs
- Geo-location has limitations - mobile IPs and VPNs can give misleading results