Who's pulling the data strings? To discover who's behind a Web site, investigators need to understand the technical terms that reveal the site's true origins. Attempts to police the lawless frontiers of cyberspace are hampered by the ease with which individuals can create Web sites without leaving a clear trail. At low cost and with virtually no technical know-how, anyone can create a virtual, and anonymous, presence on the Internet. A cyberinvestigator tasked with untangling the strands of this web must find clues that identify the parties behind the Web sites under investigation. That is more challenging than it sounds, as became clear recently when the author was called in by an investigative firm to look into Web sites suspected of circumventing state and federal regulations.
The investigative firm's client is a board representing distributors within the United States of products of an international, multibillion-dollar industry. The investigative firm was retained to discover whether businesses outside the United States were using certain Web sites to participate illegally in the marketing and sale of products to customers within the United States. The client provided the investigative firm with a list of suspect companies and the corresponding Web sites.
Armed with this list, the author's task was to seek out publicly available information sources within the technical structure of the Internet that could help identify the geographical location of the Web servers and the individuals and companies responsible for the suspect Web sites.
The information sources discovered through this investigation are discussed ahead, along with how investigators can access them for data relevant to any investigation. Because the author's investigation is ongoing and confidential, Web sites involved in the case will not be cited; instead, examples using Security Management magazine's Web site will be used.
Coming to terms. When seeking information on the legal entities responsible for the content and conduct of Web sites, it is necessary to understand the distinction between Web-related terms such as domain names and IP (Internet Protocol) addresses. These terms identify distinct concepts, and each leads to a different source of information about those legal entities.
Domain name. A domain name is a word or series of words registered to a particular person or organization that identifies that entity's Web presence. Domain names make the Internet more easily interpretable to humans than IP addresses, the Internet's underlying system of numerical addresses (IP addresses are discussed in greater detail ahead). With www.securitymanagement.com, the domain name can be inferred simply by dropping the "www" prefix (a host name that, by convention, identifies the Web server within the domain), which leaves securitymanagement.com. The suffix, or top-level domain, can describe the type of entity: for example, fbi.gov is a government agency, nyu.edu an educational institution, and army.mil a military organization. It can also identify the country with which a domain is associated; for example, .uk for the United Kingdom. Note that a country suffix says only where the name was registered, not where the server or its operator is physically located.
URLs (Uniform Resource Locators) identify specific resources within a particular domain name (for example, www.securitymanagement.com/library/001465.html refers to a particular document in the online version of Security Management magazine). Like domain names, URLs are a convenience for Web users. To locate the resource, the Web browser must translate the host name in the URL to a numerical address. This numerical address is the IP address.
To register a domain name, one must pay a fee to a registrar. Many companies provide this service. One must provide the registrar with certain information, such as the name of the registered owner, as well as technical and administrative contact information including name, address, and phone/fax numbers. However, the registrars the author dealt with did not verify this information, and the owner may change the contact information at any time through a password-protected interface. Registrars do maintain the dates and times of the original registration of the domain name, of the last update to its information, and of its expiration.
Domain name registrars. The Internet Corporation for Assigned Names and Numbers (ICANN, www.icann.org), a non-profit corporation founded in 1998 that assumed responsibility for IP address allocation, protocol parameter assignment, and domain name system management, accredits the registrars that issue domain names. (@ Link to ICANN by visiting SM Online.) An initial inquiry about a particular domain name can be made at the Web site of any registrar, using a service called Whois. The Whois search result provides some of the registration information, including the name of the specific registrar that issued the domain name. In the case of securitymanagement.com, for example, a Whois search run through a randomly chosen registrar reveals that the issuing registrar is Network Solutions, Inc.
Contact information. Next, inquiring at the Web site of the issuing registrar provides more detailed registration information, including contact information for the registrant as well as for technical and administrative inquiries. For the domain name securitymanagement.com, the search at the Network Solutions Web site reveals that ASIS International is the registrant, and it provides a mailing address, telephone/fax numbers, and an e-mail address for the (unnamed) administrative and technical contact.
In some cases, the registrant, administrative contact, and technical contact are different entities. For example, an individual may be listed as the registrant, while an ISP (Internet service provider) or Web-hosting company is listed as the administrative and technical contact. In other cases, the same individual is listed for all three contacts (and, as with SM Online, sometimes no particular individual's name is listed). While the contact information provided varies, telephone numbers and e-mail addresses are sometimes listed for individuals, and Web sites are supplied for ISPs.
Contact information gathered from the registrars gives investigators a lead to follow, though the information may not be accurate: the registrant could have given false information or could have changed it at any time. Also, the registrant of a domain name may be only indirectly involved in the business of the Web site (for example, the registrant may be paid by the real site owner, who wishes to remain anonymous). Nevertheless, this contact information is worth checking out. In the investigation mentioned at the beginning of this article, the investigative firm actively pursued background checks on the listed contacts.
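The domain-name steps above (drop the host prefix from the URL, query Whois, record the registrar, registrant, and dates, and treat the contact details with suspicion) can be scripted. The following is an added example, not code from the article or its author. The Whois reply it parses is a constructed sample for a made-up domain; real replies vary by registrar, so the parser is deliberately tolerant of key names. The privacy-service markers and the "recently updated" check are the author of this example's additions, reflecting the article's warning that registrants can change their details at any time.

```python
"""Added example: URL -> domain name -> parsed Whois record -> investigator's summary."""
import re
from datetime import date, datetime
from urllib.parse import urlsplit

# Constructed Whois reply for a hypothetical domain, in the "Key: value"
# layout most registrars print. Not a real record.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-DISTRIBUTOR.COM
Registrar: Example Registrar, Inc.
Creation Date: 2004-11-02T15:21:00Z
Updated Date: 2005-03-28T09:02:11Z
Registry Expiry Date: 2006-11-02T15:21:00Z
Registrant Name: Domains By Proxy Service
Registrant Organization: Privacy Protect LLC
Registrant Country: PA
Admin Email: admin@example-distributor.com
Tech Name: Example Hosting Co.
Name Server: NS1.EXAMPLE-HOSTING.NET
Name Server: NS2.EXAMPLE-HOSTING.NET
"""

# Words that usually mean the registrant is a privacy/proxy service rather
# than the real owner (assumption: marker list chosen for this example).
PRIVACY_MARKERS = ("proxy", "privacy", "whoisguard", "redacted")


def domain_from_url(url: str) -> str:
    """www.securitymanagement.com/library/001465.html -> securitymanagement.com.
    Drops a leading 'www.' and keeps the last two labels, which is right for
    .com/.net/.org style names; two-level country suffixes (example.co.uk)
    would need a public-suffix list and are out of scope here."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else host


def parse_whois(text: str) -> dict:
    """Collect 'Key: value' lines into a dict; repeated keys become lists."""
    record: dict = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def _parse_date(value: str) -> date:
    return datetime.strptime(value[:10], "%Y-%m-%d").date()


def summarize(record: dict, today: date) -> dict:
    """The fields the article says to record, plus two practitioner checks:
    is the registrant a privacy/proxy front, and how recently was the record edited."""
    registrant = " ".join(
        str(record.get(k, "")) for k in ("registrant name", "registrant organization")
    ).strip()
    updated = _parse_date(record["updated date"])
    return {
        "domain": record["domain name"].lower(),
        "registrar": record["registrar"],
        "registrant": registrant,
        "registrant_country": record.get("registrant country"),
        "created": _parse_date(record["creation date"]),
        "updated": updated,
        "expires": _parse_date(record["registry expiry date"]),
        "name_servers": record.get("name server", []),
        "privacy_service": any(m in registrant.lower() for m in PRIVACY_MARKERS),
        "days_since_update": (today - updated).days,
    }


if __name__ == "__main__":
    print(domain_from_url("www.securitymanagement.com/library/001465.html"))
    for k, v in summarize(parse_whois(SAMPLE_WHOIS), date(2005, 4, 4)).items():
        print(f"{k:20} {v}")
```

The name servers are worth keeping even though the article does not dwell on them: they usually point at the hosting company, which is the next party an investigator contacts.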
IP address. An IP address identifies a connection to the Internet and, through it, the computer using that connection. So the next step in a Web-site investigation is to determine the IP address from the URL of the Web site in question. The IP address leads to a different set of information and clues about who is behind the Web site.
Generally, IP addresses (in their version 4 form) are four numbers between 0 and 255, separated by periods. For example, www.securitymanagement.com resolves to the IP address 188.8.131.52.
Several freely available tools can resolve a host name to its IP address. The author most frequently uses a utility called nslookup. Given a host name as input, it returns the associated IP address as output. Note that a name may resolve to more than one address, and the answer can change from day to day, so the investigator should record the date and the tool used with each result. With the IP address in hand, an investigator can query the IP registries for publicly available information.
Registries. As with the domain name, an IP address has registration information; however, a different group of administrative bodies is responsible for issuing IP addresses. The official registries for IP addresses can provide a geographic location for a block of IP addresses as well as contact information on the party responsible for administering that block.
To get this type of information, investigators can start with the Internet Assigned Numbers Authority (IANA, www.iana.org), an operating unit of ICANN that serves as the central registry for IP addresses and for a variety of protocol numbers; IANA is not an ISP and provides no network services. IANA works with regional registries: registries for five geographic regions allocate IP addresses to Internet service providers (ISPs), which in turn assign them to specific users. (@ Link to IANA by visiting SM Online.)
These regional registries are the next stop for the investigator. A search at the American Registry for Internet Numbers (ARIN, www.arin.net), the regional registry serving North America, for 184.108.40.206 (the IP address for www.securitymanagement.com) shows that the block of IP addresses from 220.127.116.11 to 18.104.22.168 is administered by a Virginia-based ISP. Contact information (including name, address, and phone number) for that provider is available in the search results.
However, information on the specific IP address in question may reside with a third party. For example, the same search results show that the Virginia ISP reallocated a portion of its block, including the address of SM Online's Web site, to a New Jersey Web-hosting company. The registry therefore returns two records, the ISP's block and the smaller block reallocated from it, and the smaller block is the one whose contact actually administers the server. The contact and geographic information that the IP-address registries provide can help the investigator pinpoint the administrator of the specific IP address and the physical location of the Web server that hosts the Web site.
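Picking the right record out of a registry reply is the step most often done by eye, and the one most often done wrong when a block has been reallocated. The following is an added example, not code from the article: it parses a constructed reply in the NetRange/OrgName layout that ARIN prints (two records, the ISP's allocation and a reallocation to a hosting company) and, for a queried address, returns the most specific block containing it and the chain of organizations from the ISP down. The addresses come from the RFC 5737 documentation ranges and the organizations are invented.

```python
"""Added example: which registry record covers a given IP address."""
import ipaddress
import re

# Constructed sample reply, loosely in ARIN's NetRange/OrgName layout.
# Two records: the ISP's direct allocation and a sub-block it reallocated.
SAMPLE_IP_WHOIS = """\
NetRange:       198.51.100.0 - 198.51.100.255
NetName:        EXAMPLE-ISP-BLOCK
NetType:        Direct Allocation
OrgName:        Example Virginia ISP, Inc.
City:           Reston
StateProv:      VA
Country:        US

NetRange:       198.51.100.64 - 198.51.100.95
NetName:        EXAMPLE-HOSTING-REALLOC
NetType:        Reallocation
OrgName:        Example NJ Web Hosting LLC
City:           Newark
StateProv:      NJ
Country:        US
"""


def parse_blocks(text: str) -> list:
    """Split the reply on blank lines; each paragraph with a NetRange is one record.
    The range is converted to CIDR networks so membership tests are exact."""
    blocks = []
    for para in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in para.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if "NetRange" not in rec:
            continue
        start, end = (s.strip() for s in rec["NetRange"].split("-"))
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        rec["networks"] = list(ipaddress.summarize_address_range(first, last))
        rec["size"] = int(last) - int(first) + 1
        blocks.append(rec)
    return blocks


def _covering(blocks: list, ip: str) -> list:
    addr = ipaddress.ip_address(ip)
    return [b for b in blocks if any(addr in net for net in b["networks"])]


def most_specific(blocks: list, ip: str) -> dict:
    """The smallest block containing ip: the reallocation if there is one,
    otherwise the ISP's own block. Raises if nothing covers the address."""
    hits = _covering(blocks, ip)
    if not hits:
        raise LookupError(f"{ip} is not covered by any record in the reply")
    return min(hits, key=lambda b: b["size"])


def chain(blocks: list, ip: str) -> list:
    """Organizations from largest block to smallest: who allocated to whom."""
    return [b["OrgName"] for b in sorted(_covering(blocks, ip), key=lambda b: -b["size"])]


if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE_IP_WHOIS)
    best = most_specific(blocks, "198.51.100.77")
    print(best["OrgName"], best["City"], best["StateProv"])
    print(" -> ".join(chain(blocks, "198.51.100.77")))
```

For a real query the same parser runs over the text of a command-line whois or an RDAP response flattened to key/value lines; the point is the selection logic, which should always prefer the narrowest covering block.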
More complicated scenarios exist. For example, the IP address may reference a Web server that acts as a forwarding service to the actual Web server of the Web site, much as call forwarding transparently transfers a phone call to a new location. Forwarding has legitimate purposes (reverse proxies and content-delivery networks work this way) but may also be used by someone trying to obscure his or her location. In that case the registry information for the initial IP address describes the forwarding service, not the site's real host; it is still a useful step in the investigation. (The investigator can hire technical experts who can trace through the forwarding server to locate the Web server that hosts the site.)
Web site. The administrator of an IP address (or of a block of IP addresses) can be a useful source for identifying the company that hosts the Web site. (In the case of www.securitymanagement.com, contact information for the New Jersey Web-hosting company was made clear by the ARIN search.) Investigators can then look to the administrator at the Web-hosting company for information on the legal entity behind the site, or to identify the Web-site developer.
Web developers can be valuable sources of information, as they have detailed knowledge of the configuration of the Web site, which may include a contact database of clients and correspondence logs. For a Web site that is a point of sale, the configuration may include electronic-payment facilities. Accessing the traffic at the Web server may complement an investigative strategy by collecting information on the volume of business (for example, by monitoring the electronic contact and payment mechanisms); however, these methods require the cooperation of the entity managing the Web server and may require explicit legal authorization.
Complications. Locating the legal entities behind a suspicious Web site is not always straightforward. There is not always a direct link between domain names, URLs, IP addresses, and Web sites, and the ease with which these can be altered makes it tricky to distinguish suspicious behavior from legitimate business needs.
Flexible relationship. Despite the amount of information that can be derived from domain-name registrars and IP-address registries, it is important to remember that the relationship between domain names and IP addresses is flexible. A domain name and associated URLs may refer to different IP addresses at different points in time. This flexibility allows the legal entity to change the physical location of the Web site if it wishes to switch server-hosting companies, for example, without having to change the domain name and URLs.
At the same time, several domain names (and their URLs) may refer to the same IP address, which allows the legal entity behind a Web site to change the domain name without changing the physical location of the Web site. And it may be that none of the publicly available information on the domain name leads directly to the legal entity responsible for the content and conduct of the Web site. That person or company may have chosen to remain anonymous with respect to the registration information on the domain name.
Suspicious behavior. Changing domain names, URLs, or IP addresses is not unusual in the course of maintaining a business on the Web. Companies change domain names and URLs as part of marketing strategies, and businesses may switch Web-hosting services for financial reasons. However, investigating the domain names, URLs, and IP addresses is a useful first step in gaining information on Web sites that are in question and identifying those Web sites that may be engaged in suspect practices.
For example, in the case for which the author consulted, the author monitored the IP addresses of the suspect sites during the investigation. Over time, this monitoring provided useful insights into the management of the Web sites and helped reveal suspicious behavior. In one case, the registry contact information for a site's IP address changed over the course of a week, moving from one continent to another. This can indicate a site attempting to remain out of the reach of law enforcement, and the client is currently reviewing the record of changing IP addresses and the companies to which those IP addresses had been allocated.
In addition to monitoring the URLs and associated Web sites for which the IP addresses had changed over time, the author also suggested that the client trace the Web-hosting services of those Web sites that had suspect domain-name registrants and had changed IP addresses. Once these Web-hosting companies were identified, the investigative firm could begin to trace the payment transactions activity and correspondence traffic at the suspect Web sites (with the cooperation of the company or with the legal authorization).
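The monitoring the author describes amounts to re-resolving each suspect host on a schedule, looking up the registry record for whatever address comes back, and watching for changes. The following is an added example, not the author's own tooling: it runs over a constructed log of observations, each recorded as (date, host, IP address, registry organization, country), and flags the two patterns discussed above: an IP change that moves a site to another country within a short window, and several names sharing one address. The hosts, organizations and addresses (RFC 5737 documentation ranges) are invented; the seven-day window is an assumption taken from the week-long move the article mentions.

```python
"""Added example: detect suspicious changes in a log of daily host resolutions."""
from collections import defaultdict
from datetime import date

# Constructed observations: (date, host, ip, registry org, country).
# In practice each row comes from nslookup plus an IP-registry lookup.
OBSERVATIONS = [
    (date(2005, 3, 1), "www.suspect-a.example", "198.51.100.77", "Example NJ Web Hosting LLC", "US"),
    (date(2005, 3, 2), "www.suspect-a.example", "198.51.100.77", "Example NJ Web Hosting LLC", "US"),
    (date(2005, 3, 4), "www.suspect-a.example", "203.0.113.15", "Example Offshore Hosting Ltd", "PA"),
    (date(2005, 3, 6), "www.suspect-a.example", "203.0.113.15", "Example Offshore Hosting Ltd", "PA"),
    (date(2005, 3, 1), "www.suspect-b.example", "198.51.100.80", "Example NJ Web Hosting LLC", "US"),
    (date(2005, 3, 6), "www.suspect-b.example", "198.51.100.80", "Example NJ Web Hosting LLC", "US"),
    (date(2005, 3, 1), "shop.suspect-b.example", "198.51.100.80", "Example NJ Web Hosting LLC", "US"),
]


def ip_changes(observations: list) -> list:
    """Per host, every observation whose address differs from the previous one."""
    by_host = defaultdict(list)
    for obs in sorted(observations):  # date first, so rows are chronological
        by_host[obs[1]].append(obs)
    changes = []
    for host, rows in by_host.items():
        for prev, cur in zip(rows, rows[1:]):
            if prev[2] != cur[2]:
                changes.append({
                    "host": host, "prev_date": prev[0], "date": cur[0],
                    "old_ip": prev[2], "new_ip": cur[2],
                    "old_org": prev[3], "new_org": cur[3],
                    "old_country": prev[4], "new_country": cur[4],
                })
    return changes


def relocations(observations: list, within_days: int = 7) -> list:
    """IP changes that also moved the site to another country within
    within_days of the previous observation. A lead, not proof: a
    legitimate change of hosting provider produces the same pattern."""
    return [c for c in ip_changes(observations)
            if c["old_country"] != c["new_country"]
            and (c["date"] - c["prev_date"]).days <= within_days]


def hosts_sharing_ip(observations: list) -> dict:
    """Addresses that serve more than one name: the several-names, one-IP case,
    which often means one operator or one hosting account behind several sites."""
    shared = defaultdict(set)
    for _, host, ip, _, _ in observations:
        shared[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in shared.items() if len(hosts) > 1}


if __name__ == "__main__":
    for c in relocations(OBSERVATIONS):
        print(f"{c['host']}: {c['old_ip']} ({c['old_country']}) -> "
              f"{c['new_ip']} ({c['new_country']}) by {c['date']}")
    print(hosts_sharing_ip(OBSERVATIONS))
```

Keeping the raw observations, rather than only the latest answer, is what makes the later review the article mentions possible: the client can see exactly when each site moved and to whom the new address was allocated.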
Those seeking to exploit the lawlessness of cyberspace will endeavor to take advantage of the anonymity they take for granted on the Internet. A critical first step in pulling apart this web of deceit lies in investigating domain names, URLs, and IP addresses to gather information on Web sites that may be engaged in suspect practices. Knowledge of how Web sites are constructed and put on the Internet gives investigators an effective tool in the fight against online crime.
By Erik Nemeth, Ph.D.
Erik Nemeth, Ph.D., has a background in software development and Internet technology. He provides expertise in Internet technology and computing for investigations of theft and fraud.