For some time, I've used an Android tablet, for the simple reason that Android offered more security and networking utilities. The availability landscape has changed, and I've found iPad apps that meet my mobile needs for five tools I use routinely from a laptop to query domain, IP address, autonomous system, registration and reputation information. I'd encourage anyone who investigates DNS or IP badness to try these.
DNS Stub Resolver
Regardless of the kind of crime you're investigating, you will invariably find a need to look up domain names, IP addresses or autonomous systems. For this you'll need a client app that behaves like a stub resolver. Since I also want to be able to configure the recursive resolver I'll use for investigations (who knows who's logging what?). I like:
NSLookup Plus. Using defaults, this app returns ANY records for a name you query. You can choose query type, class, timeout and name server. You can also choose to use recursion, cache or to force authoritative. Responses are "Explorer-formatted": you can drill down on NS and MX names to resolve these. This app saves your responses: tap the submission form to reveal your previous queries in an editable list.
You'll also want to learn who's registered domain names. For these purposes, you'll want a Whois app but you'll also want your Whois client to query IP and ASN information. I looked for an app that allows me to choose my Whois server. For a standalone app that gives you a classic look, Linux command line response, try
Deep Whois. This app lets you to specify Whois server and timeout and you can add support for new TLDs as they are delegated. It stores your queries, has a convenient copy or mail feature and supports multiple languages. It handles IP and ASN Whois correctly. Does the job well and quickly.
Geolocation Service (Geo-IP)
While Geo-IP is not a reliable indicator of the actual location of a host/IP, it's often useful in fraud or other investigations. The folks at Dayana Networks who developed NSLookup Pro offer geolocation service for free via an app called
IPLocation. Submit the IP, get a pin drop on a map, satellite image or hybrid of the two. You can accumulate pins for a list of addresses you've queried, which can give some very interesting results. A multiple entry submission form would be a nice addition.
Anonymity is important for an investigator. If I have to explain why, you may be reading the wrong post, but read Want Tor to Really Work? for insights. Tor Project doesn't have an app for iOS so knowing that all the browsers I found at the App Store are derivative-developed, I am happy with:
Red Onion Browser. All the anonymity and privacy hooks seem to be here. You can customize your Tor config and Tor bridges and create new identities. If you've enabled Touch ID, you'll be challenged to verify your identity.
Reputation (Blocklist) Checker
If you are investigating a domain, IP or URL, there's a good chance that someone else is, too. Or has. It's good practice to check a domain, URI, or URL at VirusTotal early in your investigation. It's also good practice to check a reputation list to see if someone's already identified your target as malicious or criminal. While you can use the DNS stub resolvers I mentioned to check individual reputation lists (e.g., Spamhaus DBL), try
RBL Status. This terrific app is similar to Jerry Gamblin's Python script, isthisIPbad? It checks the IP or domain you submit against a long and customizable list of reputation services. So far as I can tell, it's the only app of this kind and it rocks.
My colleague and friend, Allen Gwinn, is the Socratic ideal form for a mobile worker who can do everything from an iPad. I'm still carrying a Macbook Air on my travels and while I remain skeptical that I can do everything from my iPad, I'm enthusiastic that I can do far more than I had anticipated. Try these apps - you too, Allen - and share your favorites!
You can follow this conversation by subscribing to the comment feed for this post.