Attack traceability and attribution are two of the main tasks of IT forensics. To support this, IT forensics is not limited to investigate data after the attack has taken place. Already before the attack, an optimal environment for a subsequent investigation has to be created. While this is primarily focused on ordinary logging, we propose to set both degree and characteristics of logging, based on geolocation. Thus, for conspicuous locations, more knowledge is gathered and stored in advance (georeputation). Next to this, due to the fact that the distribution of IP addresses is not static, additional information is stored to, e.g., determine the Internet service provider, which was responsible for the IP at the time the crime was committed.
This additional data also contains geoinformation that can be used later to reconstruct attack routes and to identify and analyze distributed attacks. For these purposes, however, the IP localization mechanisms, i.e., the underlying method for geolocation, must be very accurate. Therefore, next to highlighting, the benefits of including geobased information and providing our architecture in order to do so, this publication also investigates accuracy and reliability of geoinformation and provides its own geolocation architecture and a corresponding prototype, including an evaluation.