Most Innovative Company, South Africa, 2016, African Business Awards
Best Forensic Investigation Company, Africa, 2016, African Corporate Excellence Awards
Best in Security, Forensics & Investigations – 2016 – International Business Awards
tracing ip addresses

Tracing IP Addresses

An IP address (or Internet Protocol address) is a unique numerical identifier assigned to each and every device (computer, router, mobile phone, printer, etc) connected to a computer network that communicates using the Internet Protocol. The IP address serves two functions: interface identification and location addressing. Tracing an IP address involves determining which device an IP address was assigned to at a particular point in time, where it is located, and who was responsible for using that device at the time in question.

Free IP address tools

We’ve made a number of free IP address-related tools available for you to use. Please remember that the information provided to you is obtained from various external sources and records and has not been verified by ourselves. These tools are provided for informational and educational purposes only. Please do not abuse.

Geolocation Tools Lookup Tools Network Tools Discovery Tools You must be logged on to use these tools

Need professional help?

If an IP address has been spoofed or if a proxy, VPN or anonymizer has been used to conceal the user’s actual IP address then you’ll need professional help.

Our cyber investigators will use proprietary methods, paid tools, legal processes and contacts at the various Internet Service Providers and popular online services to follow the IP address trail back to the originating network.

You can submit a request by clicking on the button below. We’ll get back to you with a no-obligations quote. Please allow up to 48 hours for a response.

Request Quote

Trace IP Addresses with InterTrace

InterTrace is a service developed by investigators that is primarily for investigators who need to track and trace IP addresses.

InterTrace has access to databases that are not available in free tools like those above. The service costs R250 per IP address traced. One can also trace email addresses and phone numbers, including cellphone and landline numbers, using the InterTrace online app.

Case Study: Cyber Stalking

Successfully tracing an IP address to a person is only possible if that person’s true IP address is known. There are many ways for a person to deliberately conceal, mask, spoof or alter their IP address. Apart from that, many services, like for example, remove the user’s IP address information from the email headers, making it more difficult to trace. Our client was recently the victim of cyber stalking. She had been receiving disturbing emails, instant messages and other unwanted communications. Things went from bad to worse when her stalker began emailing her work colleagues and friends. That is where we came in.

Initial Assessment

We were able to obtain server and communication logs as well as email header information for over 300 separate messages. For each message we identified the IP address recorded as belonging to the stalker, and ended up with a list of 32 unique IP addresses, none of which were local (South African) IP addresses. IP Whois information together with a search of various commercial databases identified 15 of the IP addresses as belonging to a free VPN service based in Romania, 12 traced back to Google Inc. (specifically, the gmail message headers), 4 were linked to a free private tunnel service operated by OpenVPN in the United States, and 1 was a TOR exit node. It was clear that the stalker was aware of the possibility of being traced and made use of these services to conceal his or her actual IP address.

Plan of Action

While our investigators set out to obtain relevant user-related data from the VPN services, our Cyber Investigation Team (CIT) began working on ways to expose the stalker’s real IP address. Knowing that some web services, Gmail in particular, cannot be used with many proxy or VPN services, especially free services, they decided to target the stalker via email. The idea was that the stalker would probably need to login to Gmail directly (and not through the VPN services or TOR) so by obtaining an IP address at a time the user was connected to Gmail, we should be able to capture the stalker’s actual IP address. It was also thought that if an attachment could be included, that there was also a chance the stalker would open the attachment while not connected to any VPN. Some types of files can be embedded with URL’s that reference external content, and if that content is hosted on our server then we’d log the stalker’s IP address when that file is opened. Similarly, images or other content embedded in an email can be hosted remotely (i.e. on our server) and the user’s IP address would be logged when that email is read. The user had used 3 different Gmail accounts to email our client and others, so we targeted all three. An enticing email was composed which included a transparent 1x1px image embedded in the body as well as a PDF document attached. The email essentially warned the stalker that their identity had been compromised and that if they continued with the stalking that the attached information would be handed to the police. Of course, the attachment didn’t contain any information – it was created so as to display an error that the document could not be opened on that device. The emails were sent from our client’s email address and then we waited.

Results and Outcome

The stalker had received all three emails and as hoped, had attempted to open the attachments on a number of different devices (this would have been because the attachment displayed a fabricated message that the device being used could not display the content and that a different browser or device should be used). The stalker had also made it possible for us to capture his IP address even if he hadn’t opened the attachments at all. He had overridden Gmail’s default settings and allowed external images to be displayed in his emails (thereby sending us his IP addresses at the time each email was opened). In total, the emails were read at least 12 times, and the attachments were opened at least 7 times. We now had 4 new IP addresses that were clearly local, and were probably the stalker’s actual public IP addresses. All IP addresses were found to be corporate IP addresses that were assigned to a national insurance company’s IP network. Our client recognized the company as being the employer of a person she had suspected may have been stalking her. Our investigators, together with the client’s attorneys, were able to obtain confirmation from the company that the IP addresses logged were indeed in use by or suspect at those particular times. Further investigation could then be undertaken that resulted in both a successful Damages Claim and an ongoing criminal prosecution.