UNDERSTANDING DOMAIN NAMES
WEB DATA INVESTIGATION 101
Conducting an online investigation means attempting to find correlations between pieces of data in order to draw conclusions. Unfortunately, individual pieces of data are rarely conclusive in isolation; mostly it is a case of analyzing commonalities, such as linkages between objects flagged as anomalies, to build up parts of a picture.

Once an offending site is found, its footprint needs to be analyzed. That means not only searching its content but also understanding how to read its domain name to extract ownership and activity details and to find ways the investigative effort can be expanded.
How domain names work
Typically, domain names consist of two or three parts, separated by dots and read right to left, with identifiers that go from most general to most specific. For example, www.mywebsite.com.
First, the root domain, represented by an empty label, is the highest hierarchical level of the Internet. The COM part is the top-level domain, or TLD. The second level is mywebsite, followed by the third level, www. These are followed, if applicable, by subdomains or DNS zones, e.g., www.blogspot.mywebsite.com
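The right-to-left reading described above can be scripted so that host names copied from URLs or logs are broken down consistently. This is an added example, not part of the original article; the function name domain_levels and the level names it returns are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

MAX_LABEL = 63   # DNS limit for one label, in octets
MAX_NAME = 253   # limit for the whole name in text form


def domain_levels(value):
    """Split a host name or URL into DNS levels, read right to left.

    Returns (level_name, label) tuples starting at the root. The split is
    purely positional: it does not consult the Public Suffix List, so for
    a name such as example.co.uk the "second level" is "co".
    """
    value = value.strip()
    # Accept a bare host name or a full URL copied from a browser or log.
    host = urlsplit(value if "://" in value else "//" + value).hostname
    if not host:
        raise ValueError("no host name found")
    # A single trailing dot is the explicit (empty) root label.
    if host.endswith("."):
        host = host[:-1]
    if "" in host.split("."):
        raise ValueError("empty label in name")
    # Internationalised names are compared in their ASCII (punycode) form.
    host = host.lower().encode("idna").decode("ascii")
    labels = host.split(".")
    if len(host) > MAX_NAME or any(len(label) > MAX_LABEL for label in labels):
        raise ValueError("label or name too long")

    names = ["top-level (TLD)", "second level", "third level"]
    levels = [("root", "")]
    for depth, label in enumerate(reversed(labels)):
        if depth < len(names):
            levels.append((names[depth], label))
        else:
            levels.append((f"subdomain (level {depth + 1})", label))
    return levels


if __name__ == "__main__":
    # Constructed sample inputs based on the article's example names.
    for sample in ("www.mywebsite.com",
                   "https://WWW.Blogspot.MyWebsite.com./page"):
        print(sample)
        for level, label in domain_levels(sample):
            print(f"  {level:22} {label!r}")
```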
The root domain, or top-level, is managed by the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN assigns top-level domains, such as .uk and .com, and maintains technical and administrative details.
ICANN also delegates authority for queries to a registry that handles the TLD, such as Verisign. A registry provides domain name registry services and infrastructure, which enable navigation as well as the security, stability, and resiliency of those key services. Verisign, for example, provides root zone maintainer services, operating two of the 13 global root servers, plus registration and resolution for the .com and .net TLDs.
A registry delegates registration of second-level domains to registrars: companies that can register a domain name for a person or organization. A well-known registrar such as GoDaddy then registers the domain, in this case mywebsite, to a registrant, the owner of the domain. The registrar has a special relationship with the registry that permits it to administer the name and ensure there's only one designation.
Registry, registrar, and registrant are important terms when you're trying to communicate about online investigations, and each has a very different function.
A registry doesn't generally keep information about the registrant. If you wish to find information about a registrant, going to the registry would not help.
gTLDs and ccTLDs
It is also important to understand the difference between gTLDs and ccTLDs.
A generic top-level domain (gTLD) is a top-level domain (TLD) category that is easily recognized by a suffix attached to a domain name. These are used by the DNS and are also controlled by ICANN. Examples of well-known gTLDs are com, org, info, net, and biz. Generic and restricted TLDs require proof of eligibility for domain name registration. These TLDs are gov, mil, int and edu.
