WORKING WITH WHOIS DATA
WEB DATA INVESTIGATION 101
When we locate a website that seems to be selling fake goods, we can start working with WHOIS data to help identify the domain owner. WHOIS is a list of records that tie owners’ information to domain names and a WHOIS lookup can be performed to search those records.
WHOIS isn’t an acronym or abbreviation; it’s the name of the system that answers the question “who is” responsible for a domain name or an IP address. It’s an essential part of the integrity of the domain name ownership and registration process, and it is overseen and regulated by the Internet Corporation for Assigned Names and Numbers (ICANN).
A WHOIS record contains the following information:
- Name, address, email address, and phone number of the person or organization that registered the domain
- Contact details of the registrar
- Name servers
- Registration date
- Date last updated
- Expiry date
- Technical contact information
WHOIS and GDPR
Although the system overseen by ICANN provides no anonymity, personal information about the owner of a domain contained in the WHOIS records is usually not available, either because of the EU’s General Data Protection Regulation (GDPR) or because the domain owner uses a WHOIS protection service. (Some registrars offer a service to keep domain ownership information private.) But we can still use whatever information is inside the record in order to take the next steps.
For domains belonging to large organizations, all information is usually visible, which makes this task more straightforward.
Performing a WHOIS lookup is fairly easy, at least for those parts that are publicly available. The WHOIS service is usually available on the website of the registry for the domain name, and a web search for ‘WHOIS lookup’ brings up many sites that can perform the lookup or provide instructions.
Whilst current WHOIS information is valuable, it does not always provide everything an IT forensic specialist requires. In that case, it is also important to look through the historical records.
WHOIS History is a powerful investigative tool, allowing you to “look back in time” to spot significant changes in the ownership, hosting, registration, and other information about the domain.
In order to view these historical WHOIS records, you’ll need to turn to specialist service providers like DomainCrawler. Our Domain Research platform holds WHOIS data on over 1.4 billion domain names, and it is possible to search through the historical records: the platform has saved over 80 billion historic records since 2008 and will identify any changes in ownership data.
This is an example of a WHOIS record for Domaincrawler.com as it appears on our Domain Research platform. Notice the Newer and Older buttons at the top of the block; using those buttons, a user can access the historic records.
What should we look for in the record?
When conducting a digital investigation and inspecting the WHOIS record, we should pay particular attention to the following:
- Creation Date
The creation date reveals when the domain was registered or re-registered. The age of a domain name is a major indicator of its trustworthiness and reliability.
Drop-catching, also known as domain sniping, is the practice of registering a domain name immediately after its registration has lapsed and the name has expired. Fraudulent merchants who are actively trying to boost their visibility in order to get more traffic are likely to try to ‘drop-catch’ domains, in order to profit from the domain’s residual trust and search engine ranking. This behavior can be an indicator of malicious registrations. Based on the observed correlation between new, re-registered, and drop-caught domain names, in almost 90% of cases a drop-caught domain will be a fake web shop. By inspecting the WHOIS record, it is possible to identify such activity.
- Registrar information
The registrar is the organization that stores information about a domain owner, so it is the registrar to contact in order to progress further or take down a domain name. WHOIS records usually contain an email address for contacting the registrar and/or reporting abuse.
Why use DomainCrawler WHOIS lookup
First of all, it’s straightforward: enter a domain name in the search bar and the system will return all the data on that particular domain name.
Secondly, as mentioned earlier, the Domain Research database holds WHOIS data on over 1.4 billion domain names and over 80 billion historic records since 2008, so if there were changes in ownership you will most likely find them.
Lastly, there is the possibility of combining WHOIS data with all the other pieces of data. Whilst a WHOIS lookup is beneficial and provides some useful information, it’s only part of the picture. Additional data that can be found using other DomainCrawler tools, including snapshots of the website’s pages, DNS data, SSL certificates, HTML data, and more, provides the rest. Only when an overall picture is obtained can we improve understanding, enhance monitoring, and make effective decisions.