Deep analysis of an internet resource
The “deep internet resource analysis” (or “deep analysis”) module is the most general module. It starts from a single internet resource and retrieves a set of data for it by using multiple internet protocols. In many cases the result is another internet resource (e.g. the IP address of a domain name). The analysis can then be continued by using the resulting internet resources as input. This is done by expanding nodes in a tree, which lets you dig deeper along selected paths of the tree. The tree visualises the relationships between internet resources and automates the tasks an internet forensic expert would otherwise perform by hand. By following the relationships between internet resources, experts try to find out more about them and ultimately hope to reveal the identity of the person, organization or company responsible for certain actions.
An analysis starts from a single internet resource. The following internet resources can be used as input:

| Internet resource | Example |
|---|---|
| A domain name | msn.com, google.fr |
| A sub domain | sales.company.com, sales.france.company.com |
| An e-mail address | info@microsoft.com, john.doe@company.co.uk |
| An IP address | 100.25.36.47, 100.120.0.1:80 (includes port), 2610180551 (IP in numeric form) |
| A URL | www.google.com, http://www.msn.fr, https://www.google.com/search |
| A server name (host name) | mailserver.microsoft.co.uk, dns.nic.fr, ftp.company.com |
The Webtracer will retrieve a set of data for the input internet resource by using multiple internet protocols and algorithms. The following list shows the protocols and algorithms used on each kind of internet resource.

Domain name analysis:
- Support of all generic and country code TLDs (domain extensions)
- Retrieve and analyse all mail servers
- Retrieve and analyse all name servers
- Retrieve and analyse all domain contacts
- Retrieve detailed owner information

Server (host) analysis (for web servers, mail servers, name servers etc.):
- Support for any server type
- Retrieve and analyse domain name
- Retrieve and analyse IP address
- Retrieve and analyse alias names
- Show website
- Trace route to host, to retrieve nearby servers

IP address analysis:
- Support for all IP ranges
- Geographic location of IP address including country & city
- Reverse lookup (retrieve corresponding server name)
- Retrieve and analyse IP block contacts
- Retrieve IP block detailed owner information
- Open proxy check
- Open relay check
- Indication of internal and public IPs
- Trace route to IP address, to retrieve nearby servers

E-mail address analysis:
- Retrieve and analyse domain name
- Check for free (anonymous) e-mail address, based on a database of over 2000 known free mail services
- Search websites containing the e-mail address
- Search newsgroups containing the e-mail address
- Search newsgroup postings from the e-mail address

Website and URL analysis:
- Click through to website
- Retrieve SSL certificate details and issuer
- View full website source code, structured visualisation with colour coding
- Analyse website source code: reveal hidden comments, author information etc.
- Search websites and newsgroups for links to this website
- Retrieve all web pages known from this website
- Find related websites
- Fast automated deep searching of all web pages of a website using the built-in forensic website crawler (finds hyperlinks, e-mail addresses...)
Let’s assume you need to find out the owner or physical location of the website www.cnn.com, because you want illicit content from this website removed. Go to the “deep internet resource analysis” module. Start by typing in the website address and click the “start analysis” button.

The first node of the tree will be displayed. Click the [+] icon to expand the node. This will trigger a first set of tests to be performed on the website address. Note that all tests are “passive”: the owner will not notice that his or her website is under investigation. The same is true for e-mail investigations: no e-mails are sent to the e-mail address as part of the tests, and no attempt is made to log in to the mailbox account.

Now that the node is expanded, the first test results are visible. Executing the tests can take 20 to 60 seconds each time a node is expanded!

Each of the result nodes has the following form:
- Icon indicating the type of internet resource
- Title
- Description
- Detailed information
- The resulting internet resource itself, which can be clicked for context-sensitive information on this resource and its relation to its parent
- An Expand icon, which can be clicked to analyse this internet resource
- A question mark icon, which can be clicked for background information

If we expand one of the results, a new analysis is performed. This is called a recursive analysis, since each resulting resource is treated as input for a new analysis. It allows you to dig deeper and deeper until relevant information is found. Let’s click the [+] icon of the IP address 64.236.16.20.

We have now learned that one of the IP addresses for the website www.cnn.com is 64.236.16.20 and that the server at this IP address is located in the USA. We also find several contact e-mail addresses from the Whois database. They are all part of the aol.net domain.
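The input classification from the table above and the recursive, node-by-node expansion described in the walkthrough, as an added example that is not part of the Webtracer product or this page. Real DNS and Whois queries are replaced by a constructed lookup table so the example runs offline; all hosts, IPs and contacts in it are made up, and `classify`, `expand` and `analyse` are hypothetical names.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Constructed offline stand-in for the tool's DNS and Whois lookups; every value is made up.
LOOKUPS = {
    ("host", "www.example.com"): [("ip", "192.0.2.10")],                                      # A record
    ("ip", "192.0.2.10"): [("host", "web1.hosting.example.net"), ("email", "hostmaster@hosting.example.net")],
    ("host", "web1.hosting.example.net"): [("ip", "192.0.2.10")],                             # points back
    ("host", "hosting.example.net"): [("host", "mx.hosting.example.net")],                    # mail server
}
FREE_MAIL = {"freemail.example", "webmail.example"}  # constructed sample of the free-mail list

def classify(resource):
    """Map a raw input string to (kind, normalised value), following the input table."""
    if "@" in resource:
        return "email", resource.lower()
    if "://" in resource:
        return "url", resource
    if resource.isdigit():                      # IP in numeric form, e.g. 2610180551
        return "ip", str(ipaddress.ip_address(int(resource)))
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?", resource)
    if m:                                       # dotted IP with an optional port
        return "ip", str(ipaddress.ip_address(m.group(1)))
    return "host", resource.lower()             # domain, sub domain or server name

def expand(kind, value):
    """One round of passive tests on a node: the child resources the tool would list."""
    children = list(LOOKUPS.get((kind, value), []))
    if kind == "url":
        children.append(("host", urlsplit(value).hostname))
    elif kind == "email":
        domain = value.split("@", 1)[1]
        children.append(("host", domain))
        if domain in FREE_MAIL:
            children.append(("note", "free (anonymous) e-mail service"))
    return children

def analyse(resource, depth=4, _seen=None):
    """Recursive analysis: each result becomes input for a new analysis; the visited set stops host <-> IP loops."""
    seen = set() if _seen is None else _seen
    kind, value = classify(resource) if isinstance(resource, str) else resource
    node = {"kind": kind, "value": value, "children": []}
    if depth == 0 or (kind, value) in seen:
        return node
    seen.add((kind, value))
    for child in expand(kind, value):
        node["children"].append(analyse(child, depth - 1, seen))
    return node
```

A URL without a scheme (such as www.google.com in the table) is classified as a host name here, and the depth limit matters because every expansion costs a round of lookups.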