Webtraps

<< Back to overview

The “Webtraps” module is a tool which can be used to find the identity of a person on the internet, when all other methods fail. In contract with the other modules, the “Web trap” module does not use passive investigation techniques. Using this module, the investigator can set up one or more web traps. A web trap is a harmless looking URL and the aim is tricking the person under investigation to click this URL on his/her computer. By clicking the URL information of the client computer is logged, without the person under investigation knowing this or noticing anything unusual. The investigator receives a notice when the web trap is clicked and can start an in-depth analysis on the IP address of the client computer, using the “deep analysis” module. The “Web trap” module can for example be used to find the owner of an anonymous Hotmail e-mail address.

Walk through example

Inside the Web trap module, click on “Add web trap”.

The input for a new Web trap is displayed. The Web trap name is for your reference only, you can base it for example on the name of a case you are working on. The URL is the web address whish you will send to a suspect. It should be a normally looking URL. For the domain name part of the URL, you can choose from a set of domain names (e.g. “myworldnews.net” and www.bloggersworld.net”) or an IP address. The second part of the URL (the path and document to load) is entirely free, you can enter anything that you think will look attractive for your suspect to click on.

Note that the Web trap URL which you create is fictitious, it does not correspond to an existing web page. The domain names from which you can choose all point to a Webtracer server which takes care of processing visits to a Web trap.

The second URL to configure is the “Forward to” URL. This URL on the other hand, should be an existing URL of a live website. The webpage of the URL entered in the “Forward to” field, will be the webpage displayed to any visitor of your Web trap.

Finally you can choose whether an e-mail should be sent to you for each visit to your Web trap. All visits are logged and can be viewed in the Web trap module by logging in with your account. If the “send e-mail notifications” option is set to “yes”, the information of the visit will also be sent directly to the e-mail address that you used to register for the Webtracer.

Click on the “Save web trap” button to activate your new Web trap.

All Web traps are displayed in a box as shown in this figure:

The box visualises all settings of the Web trap. Click on “Edit” to change the settings of the web trap, click on “Delete” to permanently delete the Web trap and all its logging information.

In the grid next to “Web trap visits”, all visits of the Web trap are shown. This table is the actual logging of the Web trap. Each line corresponds to exactly one visit. Click on “Delete” to permanently remove a line from the logging table (for example to remove your own test visits). Following fields are recorded for each Web trap visit:

• Time: the time stamp of the visit in GMT (Greenwich Mean Time).
• IP: the originating IP address of the visitor. This could be the IP address of the computer on which the Web trap URL was clicked, but it can also be the IP address of a firewall behind which the computer of the visitor is located (for example if NAT is used and the computer has an internal IP address which is translated by the firewall to a public IP address). This field is the most important field. It is displayed in blue which means an in-depth analysis using the “Deep internet resource analysis” module can be performed on the IP address by clicking it.
• Language: the language setting in the browser used to visit the Web trap
• Browser: information on the browser client used and the operating system on which it was running. For example “MSIE 6.0” is Microsoft Internet Explorer 6.0.
• Referrer: the URL of a referring web page. If the Web trap URL was placed on an existing webpage as a hyperlink and the Web trap hyperlink on this webpage is clicked, the referrer field will contain the URL of this webpage. If the Web trap was clicked in an instant messenger client or in an e-mail, the referrer field will be empty. If you clicked the Web trap URL your self from the “Web trap” module (in order to test your Web trap) the referrer field will indicate “your own click”.