Conducting an online investigation means attempting to find correlations between pieces of data in order to draw conclusions. Unfortunately, these pieces are rarely conclusive in isolation; mostly it is a case of analyzing commonalities, such as linkages between objects flagged as anomalies, to build up parts of a picture.

Understanding domain names

Once an offending site is found, it is necessary to analyze its footprint. That means not only searching its content but also understanding how to read its domain name to extract ownership and activity details, and to find possible ways the investigative effort can be expanded.

How domain names work

Typically, a domain name has two or three parts, each separated by a dot and read right-to-left, so that the identifiers go from most general to most specific. For example: http://www.mywebsite.com

Firstly, the root domain – represented by an empty label – is the highest hierarchical level of the Internet. The COM part is the top-level domain, or TLD. The second level is mywebsite, followed by the third level, www. Then, if applicable, come further subdomains or DNS zones, e.g. www.blogspot.mywebsite.com

The root domain, or top level, is managed by the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN assigns top-level domains, such as .uk and .com, and maintains their technical and administrative details.

ICANN also delegates the authority to answer queries for a TLD to a registry that handles that TLD, such as Verisign. A registry provides domain name registry services and infrastructure, which enable navigation as well as the security, stability, and resiliency of those key services. Verisign, for example, provides root zone maintainer services, operates two of the 13 global root servers, and provides registration and resolution for the .com and .net TLDs.

A registry delegates registration of second-level domains to registrars – companies that can register a domain name for a person or organization. A well-known registrar such as GoDaddy then registers the domain, in this case mywebsite, to a registrant: the owner of the domain. The registrar has a special relationship with the registry which permits it to administer the name and ensure there is only one designation.

Registry, registrar, and registrant are important terms when you are trying to communicate about online investigations, and each has a very different function.

A registry does not generally keep information about the registrant. If you wish to find information about a registrant, going to the registry will not help.

gTLDs and ccTLDs

Another important piece of knowledge is understanding the difference between gTLDs and ccTLDs.

A generic top-level domain (gTLD) is a category of top-level domain (TLD) that is easily recognized by the suffix attached to a domain name. These are used by the DNS and are also controlled by ICANN. Examples of well-known gTLDs are com, org, info, net, and biz. Generic restricted TLDs require proof of eligibility for domain name registration; these TLDs are gov, mil, int and edu.

A ccTLD shows users and search engines in what country, sovereign state, or dependent territory a domain is registered and, usually by extension, where in the world the searchers who will find this site are located. For example, mywebsite.de would indicate the site has a ccTLD registered in Germany.

Many ccTLDs are closed and restricted, as they are managed exclusively by their respective countries. Registration for these ccTLDs usually involves a standard process required by the country’s authority, and the processes differ from country to country; some require proof of residency. However, some countries do not restrict their ccTLDs: they openly market them and encourage people from around the world to register and use them, with “.me”, “.co”, “.tv” and “.fm” being such ccTLDs. These are useful indicators, at the start of an investigation, of where the registration might exist.
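The right-to-left reading of a domain name and the gTLD/ccTLD distinction above can be worked through in code. The following is an added example, not code from the original article: it splits a host name (or a pasted URL) into labels, handles the trailing dot that denotes the empty root label, and classifies the TLD using small constructed lookup tables. The tables and the two-letter ccTLD rule are assumptions for illustration; an actual investigation would consult the IANA root zone and the Public Suffix List, which also covers multi-label suffixes such as co.uk that this example does not.

```python
# Added example (not from the original article): break a host name into its
# labels right-to-left, the way the text reads them, and classify the TLD.
from dataclasses import dataclass, field
from typing import List

# Constructed reference data for this example only. Real work would use the
# IANA root zone and the Public Suffix List (which knows about e.g. "co.uk").
GTLDS = {"com", "org", "net", "info", "biz"}
RESTRICTED_GTLDS = {"gov", "mil", "int", "edu"}   # proof of eligibility required
OPEN_CCTLDS = {"me", "co", "tv", "fm"}             # ccTLDs marketed worldwide


@dataclass
class DomainParts:
    tld: str
    tld_class: str            # "gTLD", "restricted gTLD", "ccTLD", "open ccTLD" or "unknown"
    second_level: str         # the registrable name, e.g. "mywebsite"
    subdomains: List[str] = field(default_factory=list)   # most general first


def classify_tld(tld: str) -> str:
    """Classify a TLD using the constructed tables above (assumption: two-letter
    alphabetic TLDs are ISO 3166-1 country codes)."""
    if tld in RESTRICTED_GTLDS:
        return "restricted gTLD"
    if tld in GTLDS:
        return "gTLD"
    if len(tld) == 2 and tld.isalpha():
        # An "open" ccTLD is sold without residency checks, so the country is
        # only a weak indicator of where the registrant actually is.
        return "open ccTLD" if tld in OPEN_CCTLDS else "ccTLD"
    return "unknown"


def parse_domain(name: str) -> DomainParts:
    """Parse a host name or URL into TLD, second-level label and subdomains."""
    # Drop a scheme and path if a URL was pasted, lower-case the name, and
    # remove the trailing dot that stands for the empty root label.
    host = name.split("://", 1)[-1].split("/", 1)[0].lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a registrable domain name: {name!r}")
    # Read right-to-left: TLD first, then second level, then any subdomains.
    tld, second, *rest = reversed(labels)
    return DomainParts(tld, classify_tld(tld), second, list(rest))


if __name__ == "__main__":
    for example in ("http://www.mywebsite.com", "www.blogspot.mywebsite.com.", "mywebsite.de"):
        print(example, "->", parse_domain(example))
```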

Locating the owner of a domain name

So, suppose now you need to find the owner. The investigation must combine looking at the ccTLD or gTLD to understand in which territory the site is hosted, contacting the registries in that location, analyzing the zone files, and ultimately trying to locate the registrar. Only the registrar handles the registration of the domain owner; it keeps the personal information about the registrant because the registrant is its customer. In most cases, this is the only way to find an owner.

Some cases are easier than others, and tracing a registrant can be complicated using only domain information. The registrant might have transferred the domain between different registrars, some of which may have deleted the record. Registrar records might be incomplete, or there may be little in terms of regulation, depending on the territory in which the site is hosted.

Generally, locating an owner is a combination of techniques, with domain name research only one piece of the jigsaw puzzle.
