The investigative skills of an attorney can be the difference between winning and losing. With more and more of what we do happening online, being able to track down web users and website information will become a very important part of online investigative work. “E-discovery” is essentially discovery dealing with evidence in electronic format. A quick Google search for “computer forensics” reveals numerous tools that allow individuals to gain access to hidden data on a computer. E-discovery and computer forensics are broad and fascinating subjects. Today, I will focus on the online aspects of computer forensics, which include WHOIS, reverse WHOIS, DNS, and IP searches.
Want to find out more about a site making defamatory comments about a client or infringing on a client’s trademark rights? A WHOIS lookup on a website address can yield useful information as to who registered the site, when it was registered, when the registration will expire, and where the site was registered. You can also find out what other websites were registered by the same person (or company). Often, contact information such as a phone number, a (real-world) address, and an email address can be found through a WHOIS lookup. A WHOIS lookup is probably the single most important query you can use to track down information about a website and its administrators. DNS and IP searches both track down information based on an IP address.
An IP address is basically the address your computer uses while online. It can be used to track down your location or to access your computer (with or without your permission). An IP address can also be used in place of a website address if the site does not have a registered name. For example, WikiLeaks’ domain name was shut down recently, which is why they now use an IP address for those wanting to access their site. Using an IP query, you can look up their IP address, which yields a PO Box number in Australia.
When “cornell.edu” is used in a WHOIS lookup, you can see that the domain name was first registered in 1985, and contact information for both a “technical contact” and an “administrative contact” is available.
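The WHOIS lookup described above is, under the hood, a very simple text protocol: a client opens TCP port 43 on a WHOIS server, sends the domain name followed by CRLF, and reads back a plain-text record of "Key: value" lines (RFC 3912). The following Python script is an added example, not code from the original post or from any WHOIS provider. It contains a function that performs that raw query, a parser that turns the returned text into a dictionary, and a summary step that pulls out the fields an investigator cares about (registrar, registration and expiry dates, registrant contact, name servers). The WHOIS record embedded in the script is constructed for illustration; the domain, registrar, person and name servers in it are fictional, and the field names follow the common "Registrar / Creation Date / Registry Expiry Date / Name Server" layout but vary between registries, so a real record may need extra key names in the parser.

```python
import socket
from datetime import datetime, timezone

# Constructed sample WHOIS response for illustration only: the domain, registrar,
# registrant and name servers below are fictional, not a real registration record.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CLIENT-SITE.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2009-03-14T10:22:05Z
Registry Expiry Date: 2026-03-14T10:22:05Z
Updated Date: 2024-02-01T08:00:00Z
Registrant Name: Jane Q. Registrant
Registrant Email: jane@example-client-site.test
Registrant Phone: +1.5555550100
Admin Name: Jane Q. Registrant
Tech Name: Example Hosting Support
Name Server: NS1.EXAMPLE-HOSTING.TEST
Name Server: NS2.EXAMPLE-HOSTING.TEST
>>> Last update of WHOIS database: 2024-05-01T00:00:00Z <<<
"""

DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"


def whois_query(domain, server, port=43, timeout=10):
    """Raw WHOIS request (RFC 3912): send the query plus CRLF on TCP port 43,
    then read until the server closes the connection. Needs network access;
    'server' is the registry or registrar WHOIS host for that TLD."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict keyed by lower-cased field name.
    Keys that repeat (typically 'Name Server') are collected into a list."""
    record = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, the '>>> ... <<<' footer and anything without a separator.
        if not line or line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not value:
            continue
        if key in record:
            if isinstance(record[key], list):
                record[key].append(value)
            else:
                record[key] = [record[key], value]
        else:
            record[key] = value
    return record


def summarize(record, today):
    """Extract the investigator-relevant fields. 'today' is an ISO date string
    (YYYY-MM-DD) so the days-until-expiry figure is reproducible."""
    created = datetime.strptime(record["creation date"], DATE_FMT).replace(tzinfo=timezone.utc)
    expires = datetime.strptime(record["registry expiry date"], DATE_FMT).replace(tzinfo=timezone.utc)
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    name_servers = record.get("name server", [])
    if isinstance(name_servers, str):
        name_servers = [name_servers]
    return {
        "domain": record.get("domain name", "").lower(),
        "registrar": record.get("registrar"),
        "registered_on": created.date().isoformat(),
        "expires_on": expires.date().isoformat(),
        "days_until_expiry": (expires - now).days,
        "registrant": record.get("registrant name"),
        "registrant_email": record.get("registrant email"),
        "name_servers": [ns.lower() for ns in name_servers],
    }


if __name__ == "__main__":
    # Offline demonstration on the constructed record; for a live lookup replace
    # SAMPLE_WHOIS with whois_query("cornell.edu", "whois.educause.edu").
    summary = summarize(parse_whois(SAMPLE_WHOIS), today="2025-03-14")
    for field, value in summary.items():
        print(f"{field:>18}: {value}")
```

Two practical notes. First, WHOIS servers rate-limit and sometimes return only a referral line pointing at the registrar's own server, so a complete lookup may take a second query to the host named in that referral. Second, the contact fields are self-reported by the registrant and, since privacy-proxy services became common, are often a proxy's address rather than the real owner's; treat them as a lead to corroborate, not as proof of identity.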
A “reverse WHOIS” lookup is used to determine what domain names are associated with a particular individual’s name, email address, or physical address.
Most domain-tools websites allow you to make basic queries, but to get in-depth reports you almost always have to pay a small fee. One of the more popular domain-tools websites is http://www.domaintools.com/.