The following explains some of the terms used in Internet forensics, and suggests where relevant clues about a domain name may be hiding:
Each and every computer on the Internet has a unique address – just like a telephone number or street address – which is a rather long and complicated string of numbers. It is called its “IP address” (IP stands for “Internet Protocol”). IP Addresses are hard to remember, so the Domain Name System makes using the Internet far easier for humans by allowing words in the form of a “domain name” to be used instead of the arcane, numerical IP address. So instead of typing 220.127.116.11, you can just type that IP address’ domain name, and you would then be directed to the website that you are seeking connected to that domain name.
It is possible to “geolocate” an IP address by using a variety of free services available on the Internet. Geolocation is the practice of determining the physical, real world location of a person or computer using digital information processed and collected on the Internet.
Geolocation can offer the city, ZIP code or region from which a person is or has connected to the World Wide Web by using their device’s IP Address, or that of a nearby wireless access points, such as those offered by coffeeshops or internet cafes.
Determining the country of an Internet user based on his or her IP address is relatively simple and accurate (95%-99% percent) because a country is required information when an IP range is allocated and IP registrars supply that information.
Determining the specific physical location of an IP Address down to a city or ZIP code, however, is a little more difficult and slightly less accurate because there is no official source for the information. Further, users sometimes share IP addresses and Internet service providers often base IP addresses.
Even when not accurate, though, geolocation can place users in a bordering or nearby city, which may be good enough for the investigation.
Internet Corporation for Assigned Names and Numbers (ICANN)
The Internet Corporation for Assigned Names and Numbers (ICANN) is an internationally organized, non-profit corporation that has the ultimate responsibility for Internet Protocol address space allocation, generic (gTLD) and country code (ccTLD) Top Level Domain name system management, and root server system management functions. As a private-public partnership, ICANN is dedicated to preserving the operational stability of the Internet; to promoting healthy and lawful competition; to achieving broad representation of global Internet communities; and to developing policies to foster these goals.
Registrants are individuals or entities who register unique domain names through Internet Registrars. The Registrant is required to enter a registration contract with his Registrar, which sets forth the terms under which the registration is accepted and will be maintained. The Registrant’s data is ultimately recorded in a number of locations: with the Registry, the Registrar, and, if applicable, with his webhosting provider.
Domain names are registered by individual Registrants through many different companies known as Internet “Registrars.” GoDaddy, for example, is a major ICANN-accredited Registrar. There are currently approximately 430 accredited Internet Registrars. A complete listing of accredited Registrars is in the ICANN Accredited Registrar Directory. A Registrar asks individuals, or “Registrants”, various contact and technical information that makes up the official registration record. The Registrar maintains detailed records of the Registrant’s contact information and submits the information to a central directory known as the “Registry.” The Registry provides other computers on the Internet the information necessary to send the Registrant e-mail or to find the Registrant’s Website on the Internet.
The Registry is the authoritative, master database of all domain names registered in each Top Level Domain. The Registry operator keeps the master database and also generates the “Zone File” which allows computers to route Internet traffic to and from Top Level Domains (TLD’s) anywhere in the world. Internet users don’t interact directly with the Registry; users can register names in TLDs by using an ICANN-Accredited Registrar (see above). Two of the largest Registries are Verisign (with authority over.com and.net TLDs, among others), and the Public Interest Registry (“PIR”)(with authority over.org TLD’s).
Top Level Domain (TLD)
Top Level Domains (TLDs) are the names at the top of the DNS naming hierarchy. They appear in domain names as the string of letters following the last (rightmost) “.”, such as “net” in “http://www.example.net”. The administrator for a TLD controls what second-level names are recognized in that TLD. The administrators of the “root domain” or “Root Zone” control what TLDs are recognized by the DNS. Generally speaking, two types of TLDs exist: generic TLDs (such as.com,.net,.edu) and country code TLDs (such as.jp,.de, and.cn).
All domain name Registries operate a “Whois” server for the purpose of providing information about all the Internet domain names registered with them. In a Shared Registry System, where most information about a domain name is held by separate individual Registrars, the Registry’s Whois server provides a referral to the Registrars own Whois server, which provides more complete information about the domain name. The Whois service contains Registrant, administrative, billing and technical contact information provided by Registrars for domain name registrations.
By collecting and analyzing the Whois data, the Registry data, the Registrar data, and other bits and pieces of data about any websites associated with the domain name(s) you are interested in, a forensic investigator can often reconstruct a Registrant’s identity, location and other contact information (e-mail, etc.).