PMI RAVEN TRACE
Advanced IP Tracing
5/26/2026 · 2 min read


Raven Trace is a PMI-built program for the Cyber Forensics Division designed to help investigators trace IP addresses, trace emails through header parsing, and turn technical indicators into clear, case-ready visuals. It brings the most common starting points in cyber investigations, such as a suspicious IP or a questionable email, into a single workflow that supports fast analysis and consistent documentation.
At its core, Raven Trace is built for IP tracing. An investigator can enter a target IP address and quickly develop useful context by running enrichment that helps identify who the address is associated with and where it is generally located. This is not about guessing an exact physical address. It is about producing practical investigative leads and organizing them in a way that supports correlation across a case.
Raven Trace also supports email tracing by allowing investigators to paste email headers and automatically extract IP addresses found in the routing and transfer information. This is especially useful in phishing and business email compromise investigations where understanding the infrastructure behind an email can help identify patterns, connections, and next steps. By turning complex header data into traceable points, Raven Trace helps investigators move from raw artifacts to actionable findings quickly.
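The header-parsing step described above, sketched as an added example; this is not Raven Trace's own code, and the function name, the output fields, and the sample headers are assumptions made for illustration.

```python
import email
import ipaddress
import re

# Bracketed literals ([192.0.2.1], [IPv6:2001:db8::1]) or bare dotted quads.
_CANDIDATE = re.compile(
    r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]|\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Ranges that never identify a host on the public internet.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def extract_trace_points(raw_headers):
    """Return IPs from Received headers, ordered from sender side to recipient side."""
    msg = email.message_from_string(raw_headers)
    points, seen = [], set()
    # Each relay prepends its Received line, so the last header is nearest the sender.
    # Lines below the first relay you trust are sender-controlled and can be forged.
    for hop, value in enumerate(reversed(msg.get_all("Received") or []), start=1):
        routing = value.rsplit(";", 1)[0]  # drop the trailing timestamp
        for match in _CANDIDATE.finditer(routing):
            try:
                ip = ipaddress.ip_address(match.group(1) or match.group(2))
            except ValueError:
                continue  # looked like an address but is not one (e.g. 999.1.1.1)
            if ip in seen:
                continue
            seen.add(ip)
            points.append({"hop": hop, "ip": str(ip),
                           "internal": any(ip in net for net in _INTERNAL)})
    return points

SAMPLE_HEADERS = (  # constructed sample using documentation address ranges
    "Received: from mx.recipient.example (mx.recipient.example [198.51.100.25])\n"
    "\tby inbox.recipient.example with ESMTPS id abc123;\n"
    "\tTue, 26 May 2026 10:15:32 +0000\n"
    "Received: from relay.sender.example ([IPv6:2001:db8::25])\n"
    "\tby mx.recipient.example with ESMTPS; Tue, 26 May 2026 10:15:30 +0000\n"
    "Received: from workstation (unknown [192.168.1.44])\n"
    "\tby relay.sender.example (Postfix) with ESMTPA; Tue, 26 May 2026 10:15:28 +0000\n"
    "From: billing@sender.example\n"
    "Subject: Invoice\n"
)

if __name__ == "__main__":
    for point in extract_trace_points(SAMPLE_HEADERS):
        print(point)
```

Addresses flagged as internal are not useful for enrichment or mapping, but they stay in the output because they still document the path the message claims to have taken.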
Once trace points are identified, Raven Trace displays them on a global map to help tell the story visually. Seeing IP targets and related trace points plotted geographically can reveal clusters, highlight patterns, and make technical findings easier to explain to supervisors, clients, attorneys, and courts. When traceroute data is collected, Raven Trace can also visualize hop progression to support a clearer understanding of how traffic is routed toward a target from the investigator’s system at the time of testing.
To support reporting and courtroom needs, Raven Trace can generate a PDF report that includes a structured summary and a record of case artifacts produced during the session. The output is designed to be professional and easy to attach to investigative reports, filings, or discovery packages, while keeping the underlying work organized and repeatable.
As with any cyber forensic tool, Raven Trace results should be interpreted appropriately. GeoIP data is approximate and should be treated as investigative context rather than definitive proof of a person’s physical location. Network path outputs like traceroute reflect conditions from the investigator’s system and network environment at the time the trace is executed. Used with proper context and supporting evidence, Raven Trace helps investigators present digital trace work clearly and defensibly.
