A Forensic Analysis : HTTP Protocol

v1.0 - January 2004

Alex Dyatlov <alex [at] gray-world.net>

Gray-World Team


In most cases fraud and system abuse issue investigations start with malicious remote system analysis and collection of specific data about the attacker in order to form subsequent reports to administrators in charge of this system network activity as well as to various national governmental organizations, which deal with cyber crimes committed in public networks.

This paper contains a set of basic and advanced techniques of gathering data about HTTP protocol users. We confine our investigation area to HTTP protocol analysis and at the beginning all we have is the remote system IP address and the HTTP request information. This data may be stored on the attacked web server, where it can be further analyzed. What we are going to do is to initiate a set of active and passive actions aimed at learning more about the attacker. Under "active" actions we mean establishing direct TCP network connections to the remote system using specific ports. "Passive" actions presuppose HTTP data analysis, sending whois queries etc.


This article is actually a CGI script and contains "active" components to demonstrate the type of data that can be gathered from your computer or proxy provided you continue to use them at the moment. Thus, the script will try to establish the following TCP connections to your IP address:

localhost ---> 3128 / TCP
localhost ---> 8080 / TCP

All the data collected in respect of your computer is not intended to be saved anywhere beyond the standard log file on the web server and shall not be subject to sharing with third parties.

Should the system administrator in charge of your firewall, proxy or other computer system consider the aforementioned actions to be system abuse please make use of the following link (to set HTTP header analysis only):

Hereby I acknowledge having carefully read the above notice and agree that the described actions will cause my computer no harm. However, should any harm occur I have no claims to present against the author of the article: