Connecting the Dots: Profoundly Important, Curiously Satisfying! Part 1 of 2

| February 13, 2014

connect-dotsIf economics and markets reflect what’s important to people–and, almost by definition, they do–then the practically eternal markets for games, puzzles, and reading material testify to deep human passions for solving problems and gaining knowledge.

The very nature of a puzzle is that, at first, it looks like there’s not enough information to solve it. But by exploring, experimenting, and thinking it through, the mind combines information with intellect, and at some point, the solution appears. Everyone can recall the moment of triumph that came with the solution to a particularly thorny puzzle.

No wonder, then, that many DomainTools customers are so passionate about using our products, and the wealth of data behind them, to solve puzzles of attribution, discovery, identity, and more. When an important duty–such as cybercrime or fraud investigation–intersects with an engaging intellectual process, you’ll likely find people who take deep satisfaction in their work.

A lot of investigations conducted on DomainTools seek to identify a person or organization behind some kind of activity online. Sometimes it’s the source of hacking or bot activity; sometimes it’s a fraudster selling counterfeit physical goods or software via the web. Whatever the case, the starting point often has the hallmarks of a puzzle: it can appear that there’s not enough information available to reach a solution. But, as DomainTools users can affirm, a seemingly thin piece of information can be enough to lead to big discoveries.

Let’s walk through the process…

When a domain name has been identified as the source of malicious activity, the first step of the investigation usually is the Whois record for the domain. With the world’s largest database of Whois records, DomainTools offers the Internet’s best resource for domain ownership records. But, what to do if the record is cloaked in Whois privacy? Never fear: this is where DomainTools’ investigative products come into their own.

The “Contact Path” and the “Network Path.”

At this point, there are two primary paths your investigation can take, and in many cases you’ll use both; which one you try first will depend greatly on what the initial Whois search shows you. Sometimes it’s a toss-up. Incidentally, the names “contact path” and “network path” are my own and informal, but will help illustrate the ways your investigation can proceed.

The Contact Path uses contact information from current or historical Whois records to pinpoint ownership or to establish connections between domains. The Network Path involves using IP address or name server information, ultimately to the same end: to uncover connections between domains and, in some cases, ownership of domains (in an indirect way).

The Contact Path

If the current Whois record for the domain is fully privacy-protected, a good next step is often Whois History. Many domain owners originally registered their domains without privacy in place, and added it later. Whois History can therefore sometimes uncover the real owner of a domain that is currently cloaked by privacy, and the UI conveniently shows, at a glance, which records have Whois privacy in effect.

If you find a non-protected record in Whois History, take a look at Screenshot History to see what the domain looked like before and after it transitioned to Whois Privacy. If the before-and-after screenshots are consistent, there’s a higher probability that you have found the actual owner of the domain, now cloaked by privacy.

Also, privacy in the registration can sometimes be partial, rather than complete–generally not by using true Whois privacy, but by using fake data in a non-protected record. Even if the data is fake, it can point to a higher likelihood that the domains are owned by the same entity. The way to find these connections is to use Reverse Whois, which shows all of the domains that share a datapoint such as an email address, person name, organization name, phone number, or physical address. When the original target domain does not reveal the owner, one of the connected domains may. When you have identified commonality between domains, then you can begin to use other clues, such as the content of the websites (if present) to help establish a closer link between the domains, which, in turn, raises confidence that you have found the owner of the target domain.

You can also use the contact information in other ways; a standard search engine lookup on the datapoint may lead to the identity of the person or organization–or at least point to a further step or two in the process.

Often, the information on the various branches of the Contact Path will yield the information you need; but if not, never fear: the Network Path opens additional avenues of exploration. Part 2 of Connect the Dots will show you how the Network Path works.

PART 2 of this blog post is now available!

Happy exploring,
Tim Helming
Director, Product Management



Category: cyber attack, cyberdefense, Domain Tools Updates, security

About the Author ()

Tim Helming, Director of Product Management at DomainTools, has over a decade of technology product management experience. Areas of particular focus and interest are cybersecurity software and hardware, distributed storage and computing, and DNS/Whois. He has spoken at cybersecurity, technology channel, and media events worldwide.

Comments are closed.