IP Addresses

Very often in forensic work you need to deal with IP addresses. Some scripts I use very often are:

get-ipgeo.ps1

get-ipgeo.ps1 gets the geolocation information for an IP address from ip-api.com and converts it to a PowerShell object. It accepts input from the pipeline, so you can pipe a list of IP addresses to it. Since it outputs PowerShell objects, you can send the result to Export-Csv to create a CSV file.

The way I usually use it is to create a file with one IP on each line and send it to the script like this:

ps> type ip.txt | .\get-ipgeo.ps1 | Export-Csv -NoTypeInformation ip.csv

get-ip-fromfile.ps1

get-ip-fromfile.ps1 is a simple script that uses Select-String to find IP addresses in a file; I use it to pull all IP addresses out of log files.

I often use this to create the file I feed to get-ipgeo.ps1: I redirect the script's output to a file, then remove the duplicates like this (reading the file into a variable first is what makes it safe to overwrite the same file):

ps> $tmp = Get-Content ip.txt; $tmp | Select-Object -Unique | Out-File -Encoding utf8 ip.txt

Note: I output UTF-8 because the file is about half the size of the default Out-File encoding (UTF-16 LE with a BOM, shown as 'UCS2 LE BOM' by some editors) and works well with Linux utilities. In Windows PowerShell 5.1 the utf8 option still writes a BOM; on PowerShell 7 use utf8NoBOM if a Linux tool trips over the marker.
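A script along the lines of get-ip-fromfile.ps1, written here as an added example rather than the author's code: it pulls IPv4 addresses out of log files with Select-String, validates each match so regex-shaped junk like 999.1.1.1 is dropped, and counts how often each address appears, so the list can be written one per line for get-ipgeo.ps1 or kept as a CSV with the counts. The function and parameter names are my own choices and not the page's scripts.

```powershell
# Added example, not the author's get-ip-fromfile.ps1. Extracts IPv4
# addresses from one or more log files and returns one object per unique
# address with a hit count and the file:line where it was first seen.
function Get-IPFromLog {
    [CmdletBinding()]
    param(
        # Files to scan; takes strings or Get-ChildItem output (via FullName)
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string[]]$Path
    )

    begin {
        # Dotted-quad candidate; \b stops matches inside longer digit runs.
        # The 0-255 octet check is done with [ipaddress] below, not in regex.
        $pattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
        $seen = @{}
    }

    process {
        foreach ($file in $Path) {
            Select-String -Path $file -Pattern $pattern -AllMatches | ForEach-Object {
                $line = $_
                foreach ($m in $line.Matches) {
                    $ip = $null
                    # Four-part dotted input with an octet over 255 fails to parse
                    if ([System.Net.IPAddress]::TryParse($m.Value, [ref]$ip) -and
                        $ip.AddressFamily -eq 'InterNetwork') {
                        if (-not $seen.ContainsKey($m.Value)) {
                            $seen[$m.Value] = [pscustomobject]@{
                                IP        = $m.Value
                                Hits      = 0
                                FirstSeen = "$($line.Filename):$($line.LineNumber)"
                            }
                        }
                        $seen[$m.Value].Hits++
                    }
                }
            }
        }
    }

    end {
        # Most frequent addresses first; already unique, so no Select -Unique needed
        $seen.Values | Sort-Object Hits -Descending
    }
}

# Usage (paths are placeholders): one IP per line for get-ipgeo.ps1, or CSV with counts
# Get-ChildItem C:\logs\*.log | Get-IPFromLog | ForEach-Object IP | Out-File -Encoding utf8 ip.txt
# Get-ChildItem C:\logs\*.log | Get-IPFromLog | Export-Csv -NoTypeInformation ipcount.csv
```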

get-iphost.ps1

Another script I often use, get-iphost.ps1, is used similarly to get-ipgeo.ps1. It takes a list of either IPs or host names and returns the IP, the host name, the reverse lookup result and whether the host answers a ping.

As with get-ipgeo.ps1, I feed it a list with one entry per line and pipe the output to Export-Csv.

ps> type ip.txt | .\get-iphost.ps1 | Export-Csv -NoTypeInformation ip.csv