Untitled Document

New SEARCH Publication Addresses What Law Enforcement Needs to Know About the Internet Protocol Transition from IPv4 to IPv6

By Don Lewis

The world is facing a shortage of Internet Protocol addresses—those unique numbers that help us connect to the Internet. In fact, service providers have just about exhausted the available supply of version 4 IP addresses. So in order to keep things moving online, users are being migrated over to version 6, which has an almost infinite capacity for doling out unique numbers.

Most of us don’t even notice when the transition takes place because it’s handled by the service providers and there’s really nothing we need to do on our end. But for law enforcement investigators and forensics examiners, there’s reason to take notice.

Below are excerpts from The Internet is Upgrading: What Law Enforcement Needs to Know About the Protocol Transition from IPv4 to IPv6. The publication can be found on our High-Tech Crime Investigative Resources page and is freely available to all law enforcement.

While IPv6 resolves the shortage of available IP addresses, it presents new challenges. The two systems do not support each other, meaning IPv4 cannot route (pass information) directly to IPv6 addresses. The converse is also true—IPv6 cannot route directly to IPv4. If a website or peer-to-peer (P2P) network is on IPv6, it cannot be seen by an IPv4 system. This is an issue that law enforcement investigators and forensics techs need to recognize. IPv6 is a game changer in how IP addresses are structured, and investigators need to know that the traditional tools they have used for IPv4 may not work as expected with IPv6.

What law enforcement needs to know

Here are three important takeaways:

  • Different IPv6 implementation methods will affect online investigations and information that is retrievable by law enforcement. Encapsulation of IP addresses in tunneling can create obstacles to identifying the actual source of activities in incidents being investigated. For example, the HughesNet Gen4 High-Speed Satellite service uses a single IPv6 carrier to transmit as many as 200 IPv4 addresses simultaneously. This means identifying a single subscriber using the service will require additional identifying information.
  • In addition to the IP address and precise times of the subject activity, the investigator may need port assignment information for the activity in order to identify the service subscriber. Port assignment identifies the client software in use for data communication, such as P2P software, email clients, web browsers, social networks, etc. Having the port assignment lets Internet Service Providers (ISPs) identify the subscriber during a specific time frame related to the incident. Without the port information, the only mechanism to identify the subscriber may require a live intercept of the activity as it is in transmission, necessitating a court order for the communication intercept.
  • Implementation methods may confound investigations when one IP version is identified but the actual activity is conducted on the other (either IPv6 or IPv4). If an investigator is on IPv4 and the target of the investigation is using IPv6, the investigator may not be able work the case.

DonLewisAbout the Author

Mr. Don Lewis is a High-Tech Crime Training Specialist for SEARCH. He coordinates and provides training and technical assistance on high-tech crime investigations and forensics to local, state and federal justice and public safety agencies. He provides technical assistance to law enforcement agencies in active cases, prepares training curricula, teaches SEARCH investigative courses and speaks at conferences throughout the United States.

1 Comments  |  Category:  SEARCH News


Sgt. R. Bracamontes
Mr. Lewis, You are spot-on with respect to IPv6. Since its release into the wild, we have already begun to experience IPv6 addresses in search warrants. Investigators are so predisposed to seeing IPv4, that they have no idea what to do when they see IPv6. Moreover, unless they have had any sort of formalized training, they truly don't understand the significance or origins of IP addresses nor how to determine what step is next once they do receive an IP address. For all of these reasons combined, we've incorporated IP addresses, ICANN and Regional Internet Registries into our "Cyber 101 - Cyber Investigative Techniques" course for Los Angeles County Sheriff's investigators. 21st century criminal investigations mandate knowledge in these areas regardless of the type of investigation. These days, there is almost always a cyber nexus to most criminal investigations. Perhaps might consider putting together a reference document for agencies that do not have a training curriculum to help reinforce these concepts. Respectfully submitted.

Leave a Reply

Your email address will not be published. Required fields are marked *