
Domain Name Forensics: A Systematic Approach to Investigating an Internet Presence

by Bruce J.

Published by Elsevier in Digital Investigation, The International Journal of Digital Forensics and Incident Response, Vol. 1, No. 4 ( ), August 1, 2005

Abstract

Over the last few years the typical Internet presence has become a crowded outsourcing arrangement of multiple organizations dividing up the complexity of maintaining various parts of an infrastructure. Identifying the parties responsible for the different infrastructure areas has become time consuming and error prone.




This paper presents a systematic approach to investigating a complex Internet presence, including collecting, time-stamping, packaging, preserving, and presenting evidence. It is geared towards the network forensics

Keywords: Digital Forensics, Network Forensics, Domain Name Investigation, Domain Name Forensics, DNS Investigation, Website Investigation

Contents

1 Introduction
2 Advantages of Complexity
3 Identifying Points of Responsibility
  Domain Name Registrars
  Domain Name Registrants
  DNS Server Owners
  Regional Internet Registries
  Network Owners
  Web Server Owners
  Email Server Owners
  Upstream ISP
  Telecommunications Carriers
  Routes and AS Owners
  Other Responsible Parties
  The Next Generation, IPv6
4 Collecting and Preserving the Evidence
  Preparing for the Investigation
  Investigating the Domain Registry and Registrant
  Investigating the DNS Owners
  Investigating the IP Network Owners
  Investigating the Reverse DNS
  Investigating the Webserver Owner
  Investigating the Upstream ISPs
  Investigating the Routing Information
  Investigating the Physical Location
  Investigating the Email Owners
  Finding Additional Information
5 Packaging and Preserving the Evidence
6 Presenting the Evidence
7 Conclusion and Future Work

1 Introduction

Tools such as whois or nslookup have traditionally provided a quick and simple method of investigating who is behind a particular Internet presence. However, the number of involved parties playing a role in maintaining an Internet presence has increased dramatically over the past few years, making it more difficult for an investigator to identify those responsible for a site. The typical modern Internet presence has become a crowded outsourcing arrangement of multiple organizations dividing up the complexity of maintaining various parts of an infrastructure.

Today there are often separate organizations managing the DNS, the IP network, and the various other server system platforms (email, web, application, and database servers, etc.). Servers are physically co-located, websites are virtually hosted, and other critical infrastructure components are sub-contracted out. Even the previously centralized role of Network Solutions [1] turned into a large competitive market of registrars. What used to be a trivial investigative task has now become time consuming and error prone. A more systematic approach is needed which identifies the various responsible parties in an orderly manner and treats the information gathered as evidence. A method for collecting, time-stamping, packaging, preserving, and presenting this evidence is needed. This paper outlines some simple procedures for achieving this.

[1] The sole registrar for .com, .net, and .edu.

2 Advantages of Complexity

In spite of the issues just mentioned, the additional complexity brings some interesting benefits for investigators. Having critical infrastructure spread across multiple parties can, in some cases, help investigators overcome legal jurisdiction hurdles, as well as solve issues regarding activity done anonymously. Internet infrastructure residing outside a local jurisdiction has always been difficult to bring under control. But with more parties involved, the chances of having a piece of critical infrastructure residing within a region's legal jurisdiction are increased. This could provide investigators with additional sources of evidence, or even opportunities to disable a site.

The privacy and protection offered by anonymity is continuously misused by criminals to hide their identities from law enforcement and other investigative bodies. The more parties involved in the existence of an Internet presence, the more difficult it becomes for an entity to remain completely anonymous.

Each outsourced party may have a certain amount of information about the anonymous entity (billing, registration, physical location, etc.). Piecing this information together could assist in the identification of the anonymous entity.

3 Identifying Points of Responsibility

In order to systematically proceed with an investigation, we need to identify the major parties responsible for maintaining an Internet presence. This section outlines the major responsible parties involved, identifies information each party may be able to provide, and identifies the capability they have to disable an Internet presence (if legally or ethically compelled to do so).

Domain Name Registrars

Before a domain name is recognized, it must be registered with the registrar of a Top Level Domain (TLD). Most countries centrally manage registrations to their own Country Code TLDs (for example .uk or .ch). Generic TLDs (for example .com or .org) are managed by independent registrars (for example Network Solutions Inc, or ). Among other things, the registrar is responsible for maintaining contact information and name server information for registered domains under its control. A registrar also has the ability to deactivate or delete domain names under its control.

Domain Name Registrants

The domain name registrants are those parties responsible for registering and maintaining a domain name. This typically includes the registrant, an administrative contact, a technical contact, and possibly a billing contact. These domain owners have the ability to deactivate their domain or to modify the information specifying the DNS servers.

DNS Server Owners

Name server owners control the DNS zones which resolve IP addresses and domain names. Maintaining DNS servers for a domain can be done by anyone, anywhere on the Internet (for example, a remote ISP, the registrar, dynamic DNS hosters, etc.). The DNS server owners can provide information about other hosts within the same domain or IP range.
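As an added example (not code from the paper, whose own procedures are in later sections not reproduced here), the following Python sketch shows one way to apply the approach described above: each lookup result is time-stamped, attributed to the responsible party it came from, and hashed so that later alteration is detectable. The lookup outputs and the domain example.test are constructed samples so it runs offline; the party mapping and the package format are assumptions, not the paper's.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample lookup results standing in for live whois and DNS queries,
# keyed by (evidence kind, target). Values are not real registration data.
SAMPLE_LOOKUPS = {
    ("whois", "example.test"): "Registrar: Example Registrar Inc\nName Server: ns1.example.test",
    ("dns", "example.test"): "example.test. 3600 IN A 192.0.2.10",
}

# Responsible party each evidence kind points at, following the paper's taxonomy (assumed mapping).
RESPONSIBLE_PARTY = {"whois": "domain name registrar / registrant", "dns": "DNS server owner"}

def seal(text):
    """SHA-256 hex digest used to fix the content of a record or a whole package."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def collect(kind, target, lookup=SAMPLE_LOOKUPS.get):
    """Run one lookup and wrap its raw output in a UTC time-stamped evidence record."""
    raw = lookup((kind, target))
    if raw is None:
        raise LookupError(f"no {kind} data available for {target}")
    return {
        "kind": kind,
        "target": target,
        "responsible_party": RESPONSIBLE_PARTY[kind],
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "raw": raw,
        "sha256": seal(raw),
    }

def package(records):
    """Serialize records deterministically and seal the package with a hash over all of them."""
    body = json.dumps(records, sort_keys=True, separators=(",", ":"))
    return {"records": body, "package_sha256": seal(body)}

def verify(pkg):
    """True only if the package hash and every per-record hash still match the content."""
    if seal(pkg["records"]) != pkg["package_sha256"]:
        return False
    return all(seal(rec["raw"]) == rec["sha256"] for rec in json.loads(pkg["records"]))

if __name__ == "__main__":
    evidence = package([collect("whois", "example.test"), collect("dns", "example.test")])
    print(evidence["package_sha256"], verify(evidence))
```

The two hash layers matter: re-sealing a package after editing a record hides the change from the package hash but not from that record's own hash.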
