© All Rights Reserved – John B. Minor


What’s in a Domain Name – Leads & Evidence!


Most of you are familiar with company web sites and how to access www.company.com. Did you know that many different computers or hosts can be associated with the domain company.com? For example, a different computer may be associated with the New York, London, and Paris offices and customers or company users could access the computers by navigating in a web browser to NewYork.company.com, London.company.com, and Paris.company.com.


Email, online payment processing, and blogs often run on different computers associated with the domain company.com. Mail.company.com, Payments.company.com, and Blog.company.com are examples of resource names that might be used to designate, find, and access these computers.


How do experts learn that different computers with host or resource names associated with company.com exist? Often a company web site links to the different host computers, so customers or company users simply click each web link to reach the computer.


In cases involving fraud or deception, a variety of host computers are often used to obscure activities. In these instances the domain name often holds answers that can bring the hidden activity to light.


Domain name registration and configuration for company.com follow procedures outlined in Internet standards called RFCs (Requests for Comments). Domain name registration information is maintained by registration authorities, or Registrars, and domain name configuration information is maintained by Authoritative Name Servers. Domain name servers maintain resource records in Zone Files that may contain valuable evidence in an investigation.


A zone file maintained by domain name servers may point to additional host computers used to perform a variety of functions such as those referenced earlier. These host computers may be the target of fraud or deception investigations.


Another important aspect of the zone file is how modifications are documented. As the zone file is modified to add or remove pointers to host computers, a serial number is used to document the date and time of the changes. Documenting the modification dates can be very important to an investigation.
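As an added example that is not part of the original article, the Python script below parses a zone file in the standard master-file format, lists every host name that its A, AAAA, CNAME and MX records point to (the "additional host computers" discussed above), and reads the SOA serial under the YYYYMMDDnn date convention, which RFC 1912 recommends but does not require, so a serial that does not fit the convention is reported as such rather than guessed. The zone for company.com, its addresses and its serial are constructed sample values, and the script handles the multi-line parenthesised SOA record and optional TTL and class fields that appear in real zone files.

```python
import re
from datetime import date
# Constructed sample zone for the fictional domain company.com (not a real zone).
SAMPLE_ZONE = """\
$ORIGIN company.com.
$TTL 3600
@        IN SOA   ns1.company.com. hostmaster.company.com. (
                  2023041502 ; serial, YYYYMMDDnn convention
                  7200 3600 1209600 3600 )
@        IN MX    10 mail.company.com.
www      IN A     192.0.2.10
mail     IN A     192.0.2.25
payments IN A     192.0.2.40
blog     IN CNAME www.company.com.
"""
def parse_zone(text):
    """Return (soa_serial, hosts): each FQDN seen in A/AAAA/CNAME/MX records -> its records."""
    origin, owner, serial, hosts = ".", ".", None, {}
    # Strip ';' comments per line, then fold parenthesised records (the SOA) onto one line.
    stripped = "\n".join(ln.split(";", 1)[0] for ln in text.splitlines())
    folded = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), stripped)
    for line in folded.splitlines():
        fields = line.split()
        if not fields or fields[0] == "$TTL":
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if not line[0].isspace():               # new owner; indented lines inherit the last one
            name = fields.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        while fields[0].isdigit() or fields[0] == "IN":   # skip optional TTL and class
            fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        if rtype == "SOA":                      # mname rname SERIAL refresh retry expire minimum
            serial = int(rdata[2])
        elif rtype in ("A", "AAAA", "CNAME"):
            hosts.setdefault(owner, []).append(f"{rtype} {rdata[0]}")
        elif rtype == "MX":
            hosts.setdefault(rdata[1], []).append(f"MX for {owner}")
    return serial, hosts

def decode_serial(serial):
    """YYYYMMDDnn reading (RFC 1912 recommends, does not require it): (date, rev) or None."""
    s = str(serial)
    try:
        return (date(int(s[:4]), int(s[4:6]), int(s[6:8])), int(s[8:])) if len(s) == 10 else None
    except ValueError:
        return None
```

Running parse_zone(SAMPLE_ZONE) returns serial 2023041502, which decode_serial reads as 15 April 2023, revision 2, together with the four host names the records point to.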


Zone files are copied automatically from one domain name server to another in a process called a DNS zone transfer. However, obtaining a zone file for personal examination can be a daunting task because the administrator of the zone file often prohibits such transfers. Zone files, in the wrong hands, often contain sensitive information about computers in a company’s network and can be used for hacking or denial of service attacks. Thus, valuable investigative resources are kept secret. A subpoena or court order may be required to gain access to this information.


Use a communications expert to perform domain name investigations. Such an expert should be able to research a domain name, determine the registration authority, and locate the domain name servers that hold the zone files associated with the domain name. The composition of the technical content of a subpoena or court order is critical to obtaining domain name evidence. Once an expert has the zone file, reviewing it often reveals additional computers that can be located and targeted in a fraud or deception investigation.


About the Author – John B. Minor is a practicing communications expert and digital investigator. John has leveraged huge successes for litigation teams by locating digital evidence under unusual scenarios. John’s casework takes his expertise to the corners of the globe in a variety of investigations ranging from terrorism threats to financial fraud and to more common civil and criminal venues including homicides. See http://johnbminor.com for more information about Mr. Minor.