DIG · 001  /  OF 7
  Digital Infrastructure

Domain registration investigation analyses WHOIS records, passive DNS data, and registration metadata to identify the individuals, organisations, and infrastructure networks behind a web domain. The technique works because domain operators must supply contact information at registration: that data, even when partially redacted, leaves traces across historical snapshots, certificate logs, and hosting records. The key identifier is the registrant email address, which frequently links otherwise unconnected domains to a single operator across years of activity.

The method applies when identifying the registrant behind an anonymous site, linking multiple domains to a single operator through shared registration data, tracing hosting providers and autonomous system numbers, mapping nameserver relationships between related actors, and establishing registration timelines relative to events of interest. A single shared email address is suggestive. The same address appearing across domains, registration periods, and hosting environments, corroborated against passive DNS and certificate logs, is not.
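The email pivot described above, as an added Python sketch that is not part of the DIG-001 card: it groups constructed WHOIS snapshots by registrant email, sets aside privacy-proxy contacts, grades each address by whether it recurs across domains, registration years, and hosting ASNs, and hashes every snapshot for the analyst log. The record fields, proxy marker list, grade names, and thresholds are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Assumption: substrings that mark a privacy/proxy contact, not a real registrant.
PROXY_MARKERS = ("privacy", "proxy", "redacted")

# Constructed WHOIS snapshots (not real data): .example domains, documentation ASNs.
SNAPSHOTS = [
    {"domain": "alpha.example", "email": "Ops@Mail.example", "created": "2019-03-02", "asn": 64500},
    {"domain": "bravo.example", "email": "ops@mail.example", "created": "2021-07-15", "asn": 64501},
    {"domain": "charlie.example", "email": " ops@mail.example", "created": "2023-01-09", "asn": 64500},
    {"domain": "delta.example", "email": "contact@privacyguard.example", "created": "2020-05-01", "asn": 64502},
    {"domain": "echo.example", "email": "contact@privacyguard.example", "created": "2022-05-01", "asn": 64503},
    {"domain": "foxtrot.example", "email": "admin@site.example", "created": "2020-02-02", "asn": 64504},
    {"domain": "golf.example", "email": "admin@site.example", "created": "2020-09-09", "asn": 64504},
]

def evidence_hash(record):
    """SHA-256 over a canonical rendering of one snapshot, for the analyst log."""
    canonical = "|".join(f"{key}={record[key]}" for key in sorted(record))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def cluster_by_email(snapshots):
    """Group snapshots by normalised registrant email, skipping proxy contacts."""
    clusters = defaultdict(list)
    for rec in snapshots:
        email = rec["email"].strip().lower()
        if email and not any(marker in email for marker in PROXY_MARKERS):
            clusters[email].append(rec)
    return clusters

def grade(records):
    """Assumed grading: 'recurring' needs >1 domain, year and ASN for the address."""
    domains = {r["domain"] for r in records}
    years = {r["created"][:4] for r in records}
    asns = {r["asn"] for r in records}
    if len(domains) < 2:
        return "single"
    if len(years) > 1 and len(asns) > 1:
        return "recurring"  # still to be checked against passive DNS and CT logs
    return "suggestive"

def report(snapshots):
    return {email: {"domains": sorted({r["domain"] for r in recs}),
                    "grade": grade(recs),
                    "hashes": [evidence_hash(r) for r in recs]}
            for email, recs in cluster_by_email(snapshots).items()}

if __name__ == "__main__":
    for email, row in report(SNAPSHOTS).items():
        print(email, row["grade"], row["domains"])
```

The two `privacyguard` records share an address yet produce no cluster, which is the privacy-proxy false positive the card lists; the `admin@site.example` pair stays at "suggestive" because both domains were registered in the same year on the same ASN.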

DIG-001 sets out the methodology for querying, pivoting, and documenting domain registration and WHOIS data to evidentiary standard.

Eight workflow steps, six tooling sources, five false-positive checks, five chain-of-custody requirements.

In this card

01 Required Tools: Six platforms covering WHOIS, passive DNS, certificate logs, and infrastructure scanning.
02 OPSEC: Research browser hygiene, query logging risks, and GDPR-era snapshot strategy.
03 Workflow: Eight-step sequence from baseline WHOIS query to archive and documentation.
04 False Positives: Privacy proxies, shared hosting, unverified fields, and previous-owner snapshots.
05 Chain of Custody: Five requirements covering timestamps, hashing, screenshots, analyst logs, and archiving.
06 Key Queries: Six operator queries across ViewDNS, SecurityTrails, crt.sh, Shodan, and DomainTools.
 
  Deliverable

Download the card.

A PDF version of DIG-001 is available below for Signal subscribers.
