
Using GeoIP Services to Augment a Digital Investigation

February 06, 2014

Correlating IP addresses with geographic locations is nothing new. In a digital investigation, though, it is a cheap first filter: it separates traffic from locations you expect from traffic that originates somewhere suspicious and deserves a closer look.

How does IP to location translation work?

GeoIP data is not 100% accurate, but it can get very close. To judge how close, it helps to understand where the location data comes from. The Internet Assigned Numbers Authority (IANA) coordinates the global pool of IP addresses and delegates blocks of it to five Regional Internet Registries (RIRs). The RIR territories are shown in the graphic below.

Each RIR then allocates address blocks to ISPs and other large organizations, and it is up to the ISP to register those blocks, and the customers it reassigns them to, together with a physical location. This last stage is where the inaccuracies creep in. The registered address is whatever the ISP chose to record, which may be a corporate office rather than the place the addresses are actually used, and ISPs can be as granular or as vague as they like: one may register every city-level reassignment, another a whole block under a single country. GeoIP providers build on these registry records and refine them with other sources, but a vague registration still tends to produce a vague result.

Investigating Suspicious VPN Logins – Use Case

Depending on how geographically spread out your company's employees are, you can use GeoIP data to check where VPN connections physically originate. For example, if your business operates only in California and employees are allowed to connect from home over VPN, it is easy to run every connecting IP address through GeoIP and filter out the connections that did not come from California.

If connections are coming in from outside California, check with the users involved and confirm they were in that area at those times. If they were not, the login may be an attack by someone who has compromised the account. Treat the result as a triage filter rather than proof: a user travelling, a mobile carrier whose addresses geolocate to another state, or a stale database entry can all produce a false positive, and an attacker coming through a proxy or VPN exit inside California will not be flagged at all.
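The following script is an added example, not code from the original post or from the GIPC tool described below. It shows both points made so far: how mixed-granularity registrations affect a lookup (the most specific prefix wins, and a coarse entry yields only a country) and how to run a VPN log through that lookup and pull out the logins that need a follow-up call. The GeoIP table, the log lines, and the locations are all constructed; the prefixes are RFC 5737 documentation ranges. With a real database you would swap the `lookup()` function for a call into MaxMind's `geoip2` library, which is assumed here and not imported.

```python
import csv
import io
import ipaddress
import re

# Constructed stand-in for a GeoIP database (the post's tool uses MaxMind's).
# Assumption: with the real thing you would replace lookup() with a call such as
# geoip2.database.Reader("GeoLite2-City.mmdb").city(ip). Entries deliberately
# mix granularities, as real registrations do: the /24 carries only a country,
# the more specific /26s inside it carry a state and city. Prefixes are the
# RFC 5737 documentation ranges and every location is invented.
GEO_TABLE = [
    ("203.0.113.0/24", ("US", None, None)),          # coarse ISP registration
    ("203.0.113.0/26", ("US", "CA", "San Jose")),    # specific reassignment
    ("203.0.113.64/26", ("US", "CA", "Irvine")),
    ("198.51.100.0/24", ("US", "NY", "New York")),
    ("192.0.2.0/25", ("DE", "BY", "Munich")),
]
# Most specific prefix first, so the first hit is the longest match.
_NETWORKS = sorted(((ipaddress.ip_network(p), loc) for p, loc in GEO_TABLE),
                   key=lambda t: t[0].prefixlen, reverse=True)

# Ranges a GeoIP database can never place. Listed explicitly rather than via
# ipaddress.is_global, which also treats the RFC 5737 sample ranges as non-global.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",    # loopback, link-local, multicast
)]


def lookup(ip):
    """Longest-prefix match: the most specific registration wins.
    Returns (country, region, city), or None when nothing covers the address."""
    addr = ipaddress.ip_address(ip)
    for net, loc in _NETWORKS:
        if addr in net:
            return loc
    return None


def classify(ip, home_country="US", home_region="CA"):
    """Bucket one source address for the 'California only' policy."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NON_ROUTABLE):
        return "not_routable"            # e.g. a login seen from inside the tunnel range
    loc = lookup(ip)
    if loc is None:
        return "no_data"                 # database gap: verify by other means
    country, region, _city = loc
    if country != home_country:
        return "outside"
    if region is None:
        return "region_unknown"          # coarse registration: a manual check, not an alert
    return "home" if region == home_region else "outside"


# Constructed VPN concentrator log lines (not from any real product or incident).
VPN_LOG = """\
2014-02-03T08:12:44Z user=alice src=203.0.113.10 event=login
2014-02-03T08:15:02Z user=bob src=203.0.113.70 event=login
2014-02-03T09:40:19Z user=carol src=198.51.100.23 event=login
2014-02-03T11:02:55Z user=alice src=192.0.2.77 event=login
2014-02-03T11:30:00Z user=dave src=203.0.113.200 event=login
2014-02-03T12:01:13Z user=erin src=10.8.0.5 event=login
2014-02-03T12:07:40Z user=frank src=192.0.2.200 event=login
2014-02-03T12:09:01Z user=bob src=203.0.113.71 event=logout
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$")


def triage(log_text, **policy):
    """Parse login events and attach location and verdict to each one."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "login":
            continue
        loc = lookup(m["src"]) or (None, None, None)
        rows.append({"ts": m["ts"], "user": m["user"], "src": m["src"],
                     "country": loc[0], "region": loc[1], "city": loc[2],
                     "verdict": classify(m["src"], **policy)})
    return rows


def needs_follow_up(rows):
    """Logins to confirm with the user: outside the allowed region, or unplaceable."""
    return [r for r in rows if r["verdict"] in ("outside", "region_unknown", "no_data")]


def to_csv(rows):
    """CSV text, the same kind of export the GIPC tool produces."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["ts", "user", "src", "country", "region", "city", "verdict"])
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(needs_follow_up(triage(VPN_LOG))))
```

Note that the verdicts are deliberately not binary. A coarse registration (`region_unknown`) and a gap in the database (`no_data`) are listed for follow-up alongside the clearly-foreign logins, because a lookup that cannot place an address is not evidence that the address is in California. Addresses from non-routable ranges are kept out of the follow-up list but left in the full CSV so they are not silently lost.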

Geographical IP Correlation (GIPC) - A Tool

Last year, I released a tool to help me quickly take a very large list of IP addresses and pull the location data for each one. The tool can display the results in its own window, write them to a CSV file, and generate a heat map using the Google API. A screenshot of the tool is shown below on the left and the heat map it generates on the right. The tool can be downloaded here: http://sourceforge.net/projects/jcsocal/

The tool requires the MaxMind GeoIP database. MaxMind provides a free version (GeoLite), but keep in mind that some of its entries may be outdated. If accuracy matters to the investigation, it may be worth purchasing the commercial database.
