SaurabhShukla228405
27 slides
Oct 22, 2025
About This Presentation
This document explains the Domain Name Investigation in Cyber forensics.
Size: 1.42 MB
Language: en
Added: Oct 22, 2025
Slides: 27 pages
Slide Content
Introduction to Domain Name
In layman's language the website is also known by its domain name. In the cyber world some domain names may be related to cyber crime, and such a domain name provides a huge amount of information about the cyber criminals behind it.
DNS stands for Domain Name System. It resolves a website name to its corresponding IP address. In other words, the objective of DNS is to resolve the fully qualified domain name (FQDN) into an IP address. This process is known as name resolution.
DNS Zones
The DNS has two zones: the first is known as the forward lookup zone and the second as the reverse lookup zone.
Forward Lookup zone ------ Domain to IP address
Reverse Lookup zone ------- IP to Domain name
DNS answers a query using the DNS database. The database contains IP addresses, hostnames, MX records, etc. The structure of the DNS database is distributed, replicated, and hierarchical in nature.
DNS Database
CNAME Record
A CNAME record maps one domain name (an alias) to another domain name.
A Record
MX Record
SOA Record
The SOA record is also known as the Start of Authority record. It identifies the master (primary) name server for the zone and carries the values that slave (secondary) servers use to keep their copy of the zone in sync.
Time to live (TTL)
Time to live (TTL) is what dictates how long your records stay cached; for example, how long your A record will be cached before a new copy of the record is retrieved from the DNS servers. The record storage is known as the DNS cache, and the act of storing records is called caching.
Time to live (TTL)
The units used are seconds. An older common TTL value for DNS was 86400 seconds, which is 24 hours. A TTL value of 86400 would mean that, if a DNS record was changed on the authoritative name server, DNS servers around the world could still be showing the old value from their cache for up to 24 hours after the change.
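The following Python example is added here to tie the preceding slides together; it is not part of the original presentation. It builds a tiny DNS database from a constructed forward zone and reverse zone for the fictional domain example.test, shows a forward lookup that follows a CNAME to an A record, a reverse (in-addr.arpa) lookup, an MX answer, the fields carried by the SOA record, and a cache whose entries expire when their TTL has elapsed. The zone contents, the clock and the resolver class are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample zone data for the fictional example.test domain (not taken
# from the slides). Forward zone: names to addresses; reverse zone: addresses
# to names, matching the two lookup zones described above.
FORWARD_ZONE = """
example.test.        3600 IN SOA   ns1.example.test. admin.example.test. 2025102201 7200 900 1209600 300
example.test.        3600 IN NS    ns1.example.test.
ns1.example.test.    3600 IN A     192.0.2.53
www.example.test.     300 IN A     192.0.2.10
mail.example.test.   3600 IN A     192.0.2.25
example.test.        3600 IN MX    10 mail.example.test.
shop.example.test.    300 IN CNAME www.example.test.
"""
REVERSE_ZONE = """
10.2.0.192.in-addr.arpa. 3600 IN PTR www.example.test.
25.2.0.192.in-addr.arpa. 3600 IN PTR mail.example.test.
"""


def parse_zone(text):
    """Parse 'owner TTL class TYPE rdata' lines into {(owner, TYPE): [(ttl, rdata), ...]}."""
    db = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        db[(owner.lower(), rtype.upper())].append((int(ttl), rdata))
    return db


DB = parse_zone(FORWARD_ZONE + REVERSE_ZONE)


def soa_fields(db, zone):
    """Split the SOA rdata into the values secondary servers use to synchronise the zone."""
    (_ttl, rdata), = db[(zone.lower(), "SOA")]
    mname, rname, serial, refresh, retry, expire, minimum = rdata.split()
    return {"primary": mname, "contact": rname, "serial": int(serial),
            "refresh": int(refresh), "retry": int(retry),
            "expire": int(expire), "minimum": int(minimum)}


class FakeClock:
    """Manually advanced clock so TTL expiry can be shown without waiting."""
    def __init__(self):
        self.now = 0

    def __call__(self):
        return self.now


class CachingResolver:
    """Answers from cache while the TTL has not elapsed, otherwise asks the zone database."""
    def __init__(self, db, clock):
        self.db, self.clock = db, clock
        self.cache = {}              # (owner, TYPE) -> (expires_at, [rdata, ...])
        self.authoritative_queries = 0

    def lookup(self, name, rtype):
        key = (name.lower().rstrip(".") + ".", rtype.upper())
        now = self.clock()
        hit = self.cache.get(key)
        if hit is not None and hit[0] > now:
            return hit[1]                       # still fresh: served from cache
        self.authoritative_queries += 1         # TTL elapsed or never seen
        rrset = self.db.get(key, [])
        answers = [rdata for _ttl, rdata in rrset]
        if rrset:                               # negative answers are not cached here
            self.cache[key] = (now + min(ttl for ttl, _ in rrset), answers)
        return answers

    def resolve_a(self, name, depth=0):
        """Forward lookup: follow a CNAME chain (max 8 hops) down to the A records."""
        if depth > 8:
            raise RuntimeError("CNAME chain too long")
        addrs = self.lookup(name, "A")
        if addrs:
            return addrs
        cname = self.lookup(name, "CNAME")
        return self.resolve_a(cname[0], depth + 1) if cname else []

    def resolve_ptr(self, ip):
        """Reverse lookup: build the in-addr.arpa name and fetch its PTR records."""
        return self.lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")


if __name__ == "__main__":
    clock = FakeClock()
    r = CachingResolver(DB, clock)
    print("shop.example.test ->", r.resolve_a("shop.example.test"))   # via CNAME
    print("192.0.2.25 ->", r.resolve_ptr("192.0.2.25"))
    print("MX ->", r.lookup("example.test", "MX"))
    print("SOA ->", soa_fields(DB, "example.test."))
    clock.now = 301                                                    # past the 300 s TTL
    r.resolve_a("www.example.test")
    print("authoritative queries so far:", r.authoritative_queries)
```

For an investigator the TTL part is the important one: a record changed by a suspect on the authoritative server is only seen by a resolver once its cached copy expires, so the time a record was observed and the time it was changed can legitimately differ by up to the TTL.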
How DNS works in detail
Suppose an organization ABC is managed by three departments: HR, Accounts, and IT. The owner monitors the performance of the organization. The departments HR, Accounts, and IT have 5 members each.
Suppose anyone wants to contact a member of any department. The question arises whom he/she should contact first. Hence, you have to check a list of names along with phone numbers. We know that each department has a head of department (HoD) to handle a query for that specific department.
HoD Name    Department
Anju        HR
Rajesh      ACCOUNTS
Vishal      I.T
How DNS works
The members of the I.T. department (Mr. Vishal is HoD of the I.T. department):
Members     Department
Tom         I.T
Jhon        I.T
Ramesh      I.T
How DNS works
The list of members in the HR department:
Members     Department
Rudransh    HR
Ivan        HR
Jyoti       HR
How DNS works
The list of members in the ACCOUNTS department:
Members        Department
Shail          ACCOUNTS
Neeraj Kumar   ACCOUNTS
KP Singh       ACCOUNTS
How DNS works
Suppose anyone wants to contact Mr. Tom working in the I.T. department; then he/she must first contact the HoD of I.T., that is, Mr. Vishal, and only then can he/she contact that particular member, that is, Tom of I.T. Now you can compare this situation to Domain Name and IP address. Here Mr. Vishal works as a name server, and a phone number is the equivalent of the IP address related to a specific department. You can think of the department name as the Domain Name, and Mr. Tom works as a Web server. In the same way, all members of the departments work as web servers and the HoDs work as name servers. The lists work as zone files.
DOMAIN NAME INVESTIGATION USING OSINT
The first step in your investigation is to visit the web pages of your target company. There is a lot of important information that can be obtained from a target's website. It includes, but is not limited to, the following:
Physical address
Branch office locations
Key employees
Current job postings (This may reveal technologies used in the company)
Phone numbers
Partner companies
Open hours and holidays
News about target organization (merger or acquisition news)
Technologies used in building the website
Email system used
IT technologies (hardware and software) used by target organization
VPN provider (if any)
Digital files and metadata
Information about the organization’s employees
Domain name registration information
The typical information provided includes:
■ Registered owner's name and address.
■ Billing information.
■ Administrative contact.
■ Range of IP addresses associated with the domain.
■ Technical contact information.
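The Python example below is added to this summary and is not from the original slides. It parses a constructed WHOIS-style registration reply (the "Key: value" layout many registries use; the domain, registrar, dates and contacts are invented) into the fields listed above, collects the registrant, administrative and technical contacts, and flags those that a privacy service has masked or replaced with a web form, since that is the case where the investigator must go to the registrar or ISP directly, as the later slides note. The reference date AS_OF is an assumption so the age calculation is reproducible offline.

```python
from datetime import datetime, timezone

# Constructed WHOIS-style reply for a fictional domain. The field names follow
# the usual "Key: value" layout; every value here is invented for the example.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar LLC
Creation Date: 2020-03-01T00:00:00Z
Registry Expiry Date: 2026-03-01T00:00:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Example Corp
Registrant Street: REDACTED FOR PRIVACY
Registrant Country: IN
Admin Name: REDACTED FOR PRIVACY
Admin Email: https://whois.example-registrar.test/contact/example.test
Tech Name: Hostmaster
Tech Email: hostmaster@example.test
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.EXAMPLE.TEST
DNSSEC: unsigned
>>> Last update of WHOIS database: 2025-10-22T08:00:00Z <<<
"""

# Strings privacy/proxy services commonly substitute for the real contact data.
REDACTION_MARKERS = ("REDACTED", "PRIVACY", "PROXY", "GDPR MASKED")

# Assumed "today" for the age/expiry calculation (constructed for the example).
AS_OF = datetime(2025, 10, 22, tzinfo=timezone.utc)


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; repeated keys (e.g. Name Server) become lists."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(">>>") or ":" not in line:
            continue                      # footer line or free text
        key, value = (part.strip() for part in line.split(":", 1))
        if key and value:
            fields.setdefault(key, []).append(value)
    return fields


def contact_summary(fields):
    """Collect registrant/admin/tech contacts and mark which ones are masked.

    A contact counts as masked when it carries a privacy-service marker or when
    the e-mail field has been replaced by a web-form URL instead of an address.
    """
    summary = {}
    for role in ("Registrant", "Admin", "Tech"):
        for attr in ("Name", "Organization", "Email"):
            values = fields.get(f"{role} {attr}")
            if not values:
                continue
            value = values[0]
            masked = (any(m in value.upper() for m in REDACTION_MARKERS)
                      or (attr == "Email" and value.lower().startswith("http")))
            summary[f"{role} {attr}"] = {"value": value, "masked": masked}
    return summary


def registration_timeline(fields, as_of=AS_OF):
    """Domain age and time to expiry, from the Creation and Expiry dates."""
    def iso(value):
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    created = iso(fields["Creation Date"][0])
    expires = iso(fields["Registry Expiry Date"][0])
    return {"created": created, "expires": expires,
            "age_days": (as_of - created).days,
            "days_to_expiry": (expires - as_of).days}


if __name__ == "__main__":
    fields = parse_whois(SAMPLE_WHOIS)
    print("Registrar:", fields["Registrar"][0])
    print("Name servers:", fields["Name Server"])
    for contact, info in contact_summary(fields).items():
        print(f"{contact:24} masked={info['masked']!s:5} {info['value']}")
    print(registration_timeline(fields))
```

The masked flags tell the investigator at a glance which of the owner, administrative and technical contacts can be used as-is and which only lead to a registrar privacy service; a very recently created domain combined with fully masked contacts is a pattern worth recording in the case notes.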
Where's the evidence?
Information can be found in numerous locations, including:
User's computer.
ISP for the user.
ISP for a victim and/or suspect.
Log files contained on the victim's and/or suspect's:
  Routers.
  Firewalls.
  Web servers.
  E-mail servers.
  Other connected devices.
Information that may be obtained from the ISP includes
Subscriber information such as the registered owner, address, and payment method.
Transactional information such as connection times, dates, and IP address used.
Note:- Some ISPs mask the real information of subscribers with random information. In this case you have to contact the ISPs via e-mail. An example is given in the next slide.
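The following Python example is added here and is not part of the original slides. It shows the step that sits between the two slides above: extracting, from web-server log evidence, exactly the transactional facts (source IP, first and last time seen in UTC, number of hits) that an ISP needs before it can tie an address to a subscriber. The Apache-style log lines are constructed for the example (documentation-range addresses, invented times); the server timezone offset in each line is converted to UTC because an ISP request with a local time and no offset is a common source of wrong answers.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed Apache "combined" access-log lines from a fictional victim web
# server; addresses are from the documentation ranges and times are invented.
SAMPLE_LOG = """\
203.0.113.45 - - [22/Oct/2025:10:15:32 +0530] "GET /admin HTTP/1.1" 403 512 "-" "curl/8.4.0"
198.51.100.7 - - [22/Oct/2025:10:16:01 +0530] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.45 - - [22/Oct/2025:10:17:45 +0530] "POST /login HTTP/1.1" 401 128 "-" "curl/8.4.0"
203.0.113.45 - - [22/Oct/2025:10:18:02 +0530] "POST /login HTTP/1.1" 302 64 "-" "curl/8.4.0"
this line is not a valid access-log entry and must be skipped, not crash the run
"""

# Client IP, bracketed timestamp with offset, quoted request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one log line, or None if the line is not a valid entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # %z parses the "+0530" offset, so the timestamp is timezone-aware before
    # it is normalised to UTC.
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"ip": m["ip"], "utc": ts, "request": m["req"], "status": int(m["status"])}


def isp_request_records(log_text):
    """Group hits per source IP with exact UTC first/last times, as an ISP request needs."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)
    out = {}
    for ip, recs in per_ip.items():
        times = [r["utc"] for r in recs]
        out[ip] = {
            "first_seen_utc": min(times).isoformat(),
            "last_seen_utc": max(times).isoformat(),
            "hits": len(recs),
            "statuses": sorted({r["status"] for r in recs}),
        }
    return out


if __name__ == "__main__":
    for ip, summary in isp_request_records(SAMPLE_LOG).items():
        print(ip, summary)
```

Each entry in the result is one line of the request to the ISP: the address, the UTC window in which it was active on the victim's server, and how many requests it made. Keeping the original log file (with its timezone offsets) alongside the summary preserves the chain from raw evidence to the request.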