
How do I find an IP history?


18 replies to this topic

#1 phantomenforcer

phantomenforcer

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:03 PM

Posted 14 November 2014 - 09:28 AM

I had a question from someone I work with about a computer that she suspected was stolen from her by an estranged ex-husband. Anyway, she has the computer back now and wants to know if I can tell where it was used, since there are changes to it.

My question is how do I pull up a history of the IP addresses that the computer connects to? Not specific websites, but the IP address assigned to the computer when connecting to the network. I figure if I can trace that IP, then it may give a pretty good idea where the computer was used and who may have used it.




 


#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:03 AM

Posted 14 November 2014 - 11:37 AM

Is this a Windows laptop? Which version?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 robby501

robby501

  • Members
  • 179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:03 AM

Posted 14 November 2014 - 11:51 AM

I'll be following this thread with interest as I'd like to achieve the same thing.

I partially managed to succeed by accessing my wifi 'Hub Manager' from my Windows 8.1 'start' menu (after installing the appropriate software on the disk supplied by my ISP).

Then, after entering the Admin password which it prompted me for AFTER clicking on 'settings', I searched in the 'A-Z index' and came across something that said 'event log'.

After accessing this, it gave me several choices as to WHAT exactly I wanted to search for, most of which was in some sort of code that I wasn't too familiar with. But after flicking through all the choices, I came across something I recognised as IP address numbers listed back to (only) the 2nd November.

So I was seemingly able to check my IP history this way, but not back further than about 10 days or so.

I live in the UK by the way, and my services are provided by BT - if that's any help to you.

As you might be able to guess by the way I write, I am not the most technically-knowledgeable guy/girl to ever grace these forums, so please listen to what others have to say here before deciding on whether or not what I have posted here is going to be of any real help to you! lol


Edited by robby501, 14 November 2014 - 12:03 PM.

I'm a rookie and purely recreational PC user. I'm utterly obsessed with security (even though I consider myself a safe and law-abiding internet user!) and run a combo of the following freeware security suites...

Windows Defender/firewall

Regular scans with Malwarebytes, AdwCleaner, JRT, HitmanPro

 

 

 


#4 phantomenforcer

phantomenforcer
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:03 PM

Posted 14 November 2014 - 02:10 PM

> Is this a Windows laptop? Which version?

 

Windows 7



#5 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:03 AM

Posted 14 November 2014 - 03:49 PM

The IP address this laptop receives via DHCP is almost always a private IP address. You can not geolocate private IP addresses.

 

What you could do is take a look at the Wifi networks to which the laptop connected and remembered.

Open a command line (cmd.exe) and type the following command:

 

netsh wlan show profiles


Edited by Didier Stevens, 14 November 2014 - 03:49 PM.
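Captured output from the command above can be turned into a list of remembered networks for the case notes. The parser below is an added example, not part of the original post; it assumes English-language netsh output, and the sample text, interface name and SSIDs are constructed.

```python
import re

# Constructed sample that mirrors the English-language layout of
# `netsh wlan show profiles`; the interface name and SSIDs are made up.
SAMPLE_OUTPUT = """\
Profiles on interface Wireless Network Connection:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : HomeNet-5G
    All User Profile     : Hotel Lobby: Guest
    Current User Profile : CoffeeShop_Free
"""

IFACE_RE = re.compile(r"^Profiles on interface (.+?):\s*$")
PROFILE_RE = re.compile(r"^\s+(All User|Current User) Profile\s*: (.*)$")


def parse_wlan_profiles(text):
    """Return one record per remembered network: interface, section, scope, ssid."""
    records, iface, section = [], None, None
    for line in text.splitlines():
        iface_match = IFACE_RE.match(line)
        if iface_match:
            iface, section = iface_match.group(1), None
            continue
        if line.startswith("Group policy profiles"):
            section = "group-policy"
        elif line.startswith("User profiles"):
            section = "user"
        profile_match = PROFILE_RE.match(line)
        if profile_match:
            # The separator is the first colon after "Profile", so an SSID
            # that itself contains ": " is kept whole.
            records.append({
                "interface": iface,
                "section": section,
                "scope": profile_match.group(1),
                "ssid": profile_match.group(2).rstrip(),
            })
    return records


if __name__ == "__main__":
    for rec in parse_wlan_profiles(SAMPLE_OUTPUT):
        print("{interface} | {section} | {scope} | {ssid}".format(**rec))
```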



#6 phantomenforcer

phantomenforcer
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:03 PM

Posted 14 November 2014 - 04:06 PM

> The IP address this laptop receives via DHCP is almost always a private IP address. You can not geolocate private IP addresses.
>
> What you could do is take a look at the Wifi networks to which the laptop connected and remembered.
>
> Open a command line (cmd.exe) and type the following command:
>
> netsh wlan show profiles

 

Does that mean that the IP address I would find is the router ip? Kind of like 192.0.0.1 or something like that and not the ip I would see using a website to show me the ip I'm using?

 

The wifi profile may be helpful.



#7 phantomenforcer

phantomenforcer
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:03 PM

Posted 14 November 2014 - 04:09 PM

Another quick question. My coworker has told me that there may have been changes to her online accounts.  Would she be able to ask the online company for ip addresses that accessed her account?  Would they supply that information?



#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:03 AM

Posted 14 November 2014 - 05:32 PM

 

> > The IP address this laptop receives via DHCP is almost always a private IP address. You can not geolocate private IP addresses.
> >
> > What you could do is take a look at the Wifi networks to which the laptop connected and remembered.
> >
> > Open a command line (cmd.exe) and type the following command:
> >
> > netsh wlan show profiles
>
> Does that mean that the IP address I would find is the router ip? Kind of like 192.0.0.1 or something like that and not the ip I would see using a website to show me the ip I'm using?

 

 

The IP address assigned to your machine by the router is a private IP address, often starting with 192.168.

 

Here's more info about private and public IP addresses:

http://www.bleepingcomputer.com/forums/t/536252/how-to-tell-if-you-have-a-private-ip-address-or-a-public-ip-address/




#9 Ezzah

Ezzah

  • Members
  • 438 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:02:03 PM

Posted 15 November 2014 - 12:25 AM

Private and public IP addresses are two completely different things with different purposes. Their only similarity is that they are both identifiers for a computer or a network of computers. Your private IP address is assigned by your router, which allows identification within the constraints of your local area. Your public IP address, meanwhile, is assigned to you by your ISP (Internet Service Provider), and is your public identifier on the web (kind of like your home address, but not as obvious). If you are unsure whether what you've found is public or private, private IP addresses tend to start with 192 or 10 or 172. If still unsure, you can run it through a tracer:

http://www.ip-adress.com/ip_tracer/

Finding an approximate geolocation of previous connections would require knowledge of the IP addresses involved (you can trace locations). However, I highly doubt that Windows retains public addresses of that nature on the computer. If your online accounts have been modified, services like Gmail enable you to see login history and the IP address that accessed them.
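A check for the private/public distinction discussed in this thread, applied to addresses gathered from a router event log or an online account's login history, so that only the ones worth tracing are kept. This is an added example, not part of any post above; the sample addresses are constructed and the function names are hypothetical.

```python
import ipaddress

# IPv4 ranges that cannot be traced to a subscriber line, checked in order.
NON_TRACEABLE = [
    ("private (RFC 1918)", "10.0.0.0/8"),
    ("private (RFC 1918)", "172.16.0.0/12"),    # 172.16.x.x - 172.31.x.x only
    ("private (RFC 1918)", "192.168.0.0/16"),
    ("link-local (APIPA, no DHCP answer)", "169.254.0.0/16"),
    ("carrier-grade NAT (RFC 6598)", "100.64.0.0/10"),
    ("loopback", "127.0.0.0/8"),
]
NETWORKS = [(label, ipaddress.ip_network(cidr)) for label, cidr in NON_TRACEABLE]

# Constructed sample: addresses as they might be copied from a router event
# log or an online account's login history.
SAMPLE_ADDRESSES = ["192.168.1.23", "10.0.0.5", "172.16.4.9", "172.32.0.1",
                    "169.254.10.20", "100.64.1.1", "8.8.8.8", "8.8.8.8", "n/a"]


def classify(addr):
    """Label one address string; anything outside the table counts as public."""
    try:
        ip = ipaddress.IPv4Address(addr.strip())
    except ValueError:
        return "not an IPv4 address"
    for label, net in NETWORKS:
        if ip in net:
            return label
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "reserved"
    return "public"


def traceable(addresses):
    """Return the public addresses, de-duplicated, in first-seen order."""
    seen, result = set(), []
    for addr in addresses:
        if classify(addr) == "public" and addr not in seen:
            seen.add(addr)
            result.append(addr)
    return result


if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        print(f"{addr:15} {classify(addr)}")
    print("worth tracing:", traceable(SAMPLE_ADDRESSES))
```

Note that 172.32.0.1 is reported as public: only 172.16.0.0 through 172.31.255.255 is private, so the first octet alone does not settle the question.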



#10 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:03 AM

Posted 15 November 2014 - 05:26 AM

I removed my comment: it was about a typo that is now fixed.


Edited by Didier Stevens, 15 November 2014 - 10:22 AM.



#11 Ezzah

Ezzah

  • Members
  • 438 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:02:03 PM

Posted 15 November 2014 - 06:22 AM

Oops my bad, let me edit that. Good catch.

 

Oh wait, nevermind, can't edit it now.


Edited by Ezzah, 15 November 2014 - 06:22 AM.



#12 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:03 AM

Posted 15 November 2014 - 06:41 AM

No, go ahead and edit it, then I'll edit my post and remove my comment.




#13 Ezzah

Ezzah

  • Members
  • 438 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:02:03 PM

Posted 15 November 2014 - 07:01 AM

I don't have an edit option, I guess it disappears after a certain time limit has been reached.




#14 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:03 AM

Posted 15 November 2014 - 08:03 AM

I don't think there is a time limit, I went back a week and still have the edit option. Maybe it is because I quoted you. If someone can confirm this is the case, I can remove my quote.




#15 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,085 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:05:03 AM

Posted 15 November 2014 - 08:37 AM

> I don't think there is a time limit, I went back a week and still have the edit option. Maybe it is because I quoted you. If someone can confirm this is the case, I can remove my quote.

I think it depends on what member group you belong to. Normally, it's 24 hours or until someone replies I believe if you are a member or trainee. If you are an advisor/mod/instructor then you can always edit your posts.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~




