Identification of web resource owners


A WEBSITE (or simply a site) is a collection of web pages and related resources that are accessible via the Internet. Each web page within a site has a unique URL (Uniform Resource Locator) that allows users to easily find and access a specific page. Web pages are usually linked together by hyperlinks to enable navigation throughout the site. Websites can be static or dynamic. A static site consists of pre-built web pages that remain the same for all users. A dynamic website is built on templates and a database, which allows you to generate unique content and interact with users.

WHO IS THE OWNER OF THE SITE?

The site owner is the person or organization that owns the domain name and/or hosting. Depending on their status, the owner can be an individual or a legal entity. A website administrator is the person or group of people responsible for managing and maintaining the site. The administrator performs tasks such as hosting management, installing and updating software, backing up data, managing access rights, etc. A website developer is responsible for creating and programming the website itself: developing code, creating the design, implementing functionality, integrating third-party services and providing technical support. The site administrator and developer, as a rule, may have significant information about the owner, since they have negotiated or had contractual relations with the owner.

DOMAIN NAME

A website domain name is a unique identifier that is used to identify the address of your website on the Internet. It serves to make it easy for people to remember and access your website.


Typically a domain consists of 3-4 parts. "http://" is an application layer protocol for data transfer (initially for hypertext documents in HTML format, currently used to transfer arbitrary data); its more secure version is "https://", which allows the site to exchange data with the user so that the site administrator cannot see user actions. "subdomain" is a subdomain, that is, the word located under the main domain. "domain" is the domain name, the main domain. "com" is the domain zone, which indicates the status of the domain; in this case "com" means that it is an international domain. Domain names can contain letters, numbers, and hyphens, but not spaces or special characters. List of domain zones: https://www.nic.ru/info/domains/all/

DNS (Domain Name System) records are used to translate domain names into their corresponding IP addresses and vice versa. They are structured information that is stored on DNS servers and is used to determine the location and availability of resources on the Internet. Most often, DNS is used to obtain an IP address from a domain name, obtain information about mail routing and/or domain serving nodes.


Domain names are managed by an organization called a domain registrar. When registering a domain name, you must select an available name and domain extension, check its availability, and register it through the registrar. Typically, you are given the option to register a domain name for a specific period of time, such as one year, and renew it as needed. Once you register a domain name, you can associate it with your hosting provider so that your website can be accessed through that domain name. Some hosting providers provide domain name registration service along with hosting, making the process of managing your website more convenient. Currently, according to information from the RU/RF Domain Registration Center (cctld.ru/.рф), more than 50 domain name registrars are accredited in Russia. Popular registrars include: "RU-CENTER", "Reg.ru", "Webnames.ru", "Nic.ru", "Hostmaster", "Jino", "1C-Bitrix" and others.

WHOIS (from English "who is?", who is it?) is a protocol used to query information about the owner of a domain name or IP address from the registrar's or IP registrar's database. WHOIS provides public access to information about registered domains, such as domain owner, contact information, domain registration and expiration dates, and DNS server information. A WHOIS database query can be made through various online tools or command line commands by specifying the domain or IP address of interest. Results may vary depending on the policies of the specific organization administering the domain registration.
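The WHOIS exchange described above, as an added example that is not part of the original article: the client sends the name followed by CRLF over TCP port 43 and reads the reply until the server closes the connection. The sample reply, the server argument and the privacy markers are assumptions made for illustration.

```python
import socket

# Constructed WHOIS reply in the "key: value" layout many registries use.
SAMPLE_REPLY = """\
% constructed sample, not a real record
domain:        EXAMPLE.RU
nserver:       ns1.example.net.
nserver:       ns2.example.net.
person:        Private Person
registrar:     EXAMPLE-REGISTRAR-RU
created:       2015-03-01T10:00:00Z
paid-till:     2026-03-01T10:00:00Z
"""

# Assumed strings that commonly replace owner data when it is hidden.
PRIVACY_MARKERS = ("private person", "redacted for privacy")

def whois_query(name, server, timeout=10):
    """Send one WHOIS request: the name plus CRLF over TCP port 43."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(name.encode("idna") + b"\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_whois(text):
    """Collect 'key: value' lines; repeated keys (e.g. nserver) become lists."""
    record = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("%", "#", ">>>")):
            continue  # skip blank lines, comments and footers
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def hidden_fields(record):
    """Names of fields whose value is a privacy placeholder."""
    return sorted(k for k, vals in record.items()
                  if any(m in v.lower() for v in vals for m in PRIVACY_MARKERS))

if __name__ == "__main__":
    rec = parse_whois(SAMPLE_REPLY)
    print(rec["registrar"], rec["created"], hidden_fields(rec))
```

Reply layouts differ between registries, which is why results vary as noted above; the parser only handles the plain "key: value" form.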


LIST OF POPULAR WHOIS SERVICES:

WHAT TO DO IF YOUR WHOIS DATA IS HIDDEN?

WHOIS registration information may be hidden for several reasons. First, it may be hidden to meet requirements for the protection of the personal data of domain owners (GDPR). This OSINT limitation can be worked around by using historical WHOIS records made before the requirement to protect personal data. Archived WHOIS records are available in the following services: http://whoishistory.ru/, https://drs.whoisxmlapi.com/whois-history, https://www.whoxy.com/archive.php, https://osint.sh/whoishistory/, as well as directly from domain name registrars upon formal request from a lawyer, law enforcement or judicial authority.

Second, the data can be deliberately hidden or changed by offenders in order to hinder the work of law enforcement agencies. Most often, this is done using specialized services such as Cloudflare (or its analogues). When Cloudflare's WHOIS privacy service is used, Cloudflare's contact information appears in place of the owner's personal information in the WHOIS database, so the personal information remains hidden from public access. Cloudflare's protection can be partially removed using OSINT methods only in relation to the actual IP address where the website under investigation is registered. This can be done by checking DNS records (https://dnsdumpster.com/) or using data collected by services such as https://www.virustotal.com/ (in the "Relations" tab), https://urlscan.io/ (in previous website indexes) and CrimeFlare (https://github.com/zidansec/CloudPeler).


HOSTING PROVIDER

Website hosting is a service that allows you to host your website on a server so that it can be accessed over the Internet. When you create a website, all of its content (text, images, videos and other files) must be stored on a server so that users can access it through a browser. Hosting providers provide the server space and other resources needed to run your website. They provide constant internet connection and server maintenance so that your website is available 24 hours a day, 7 days a week. There are many hosting providers of different sizes and specializations operating in Russia. Well-known hosting providers include: "Timeweb", "Beget", "Reg.ru", "Jino", "1C-Bitrix", "Hostinger", "ihc.ru", "Majordomo" and many others.


HOW TO IDENTIFY YOUR HOSTING PROVIDER?

There are several methods you can use to find out where a specific website is hosted:

a) Use online tools, such as https://ru.hostadvice.com/tools/whois/, as well as specialized systems designed to study network infrastructure ("SpiderFoot", "Maltego"). You will need to enter the site URL or its IP address and the service will provide information about the hosting provider.

b) Use the "ping" command in the command line (on Windows) or terminal (on iOS or Linux). Enter the command “ping example.com” in it (replace “example.com” with the name of the site that interests you). Next to "Pinging" or "Reply from" there will be an IP address, which you can then use to determine the hosting provider using services such as https://www.maxmind.com/en/geoip2-precision-demo.

c) Use DNS lookup services (https://dnsdumpster.com/, https://hackertarget.com/dns-lookup/). You will need to enter the site URL and get the hosting provider information from the DNS records.

OBTAINING CONTACT AND OTHER DATA FROM THE WEBSITE

Check the website for "About Us", "Contact Us" or similar sections that may include the owner's contact information. This may include the name of a legal entity (including in the personal data policy and privacy policy), email, phone number, registration address, link to a group or channel on social networks and payment details, including addresses of cryptocurrency wallets. There may not be any "About Us" or "Contacts" sections on the website. Often the contacts page is simply removed from the menu but remains on the resource, so it is not visible to the user. In this case, you can try to search for hidden sections using the site map that is created for search robots. This is an XML file that contains the paths to the pages. To open it in the browser, write the direct path in the address bar: domain.com/sitemap.xml. Finding contact information published on the website can be facilitated using the following services: https://hunter.io/, https://phonebook.cz/.


Please be aware that contact details and content on the website may have changed over time. To view archived versions of websites, you should use the following services: https://archive.org/, https://archive.md/, https://web-arhive.ru/. For the same purposes, you can view cached (archived) versions of a website through Google search services (example of an extended search operator: cache:domain.com) and Yandex (item "Saved copy" in the context menu of the found website).

As a rule, email addresses are created according to the same principle: info@domain.com; admin@domain.com; support@domain.com; contact@domain.com; office@domain.com, etc. We change the domain in the address to the desired one and compose an extended search query to Google, for example, site:domain.com + info@domain.com | admin@domain.com | support@domain.com | contact@domain.com | office@domain.com. Google will find all web pages with these addresses and display them in the list of results.

Before writing a letter, it is worth checking the email address, as it may be inactive or non-existent. To check, use an SMTP request, invisible to the owner of the email address, which allows you to determine its activity, as well as obtain other technical information (including information about the mail server used). Such services include: https://ivit.pro/services/email-valid/, https://htmlweb.ru/service/email_verification.php.

To search for embedded documents and databases on a website using advanced search operators (dorks), the following types of queries should be used: site:domain.com filetype:xls (it should identify all xls (Excel) files that are publicly available on the site). In addition to "xls" files, you can search for documents in other formats (doc, ppt, txt, etc.). You should also pay attention to the queries site:domain.com filetype:log (detects public logs) and site:domain.com filetype:csv (detects public databases).

Pay attention to the files (documents, photographs, videos and audio recordings) located on the website. They contain metadata. Photo and document metadata contains information about the file, such as creation date, author, camera (in the case of photos), resolution, geographic coordinates (if geolocation was used), and other information that can be used to identify and classify the file. To download and view document metadata, you can use the following resource: https://www.metadata2go.com/. Some documents on the website may be hidden. To search for them, write the direct path in the address bar: domain.com/robots.txt. In this file, website owners list the files and folders that they close from indexing by search engines. There may be old pages with personal information or photographs. Many people use their servers as cloud storage and place personal documents there. As a rule, the robots.txt file is located in the root directory of the site.
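What sitemap.xml and robots.txt disclose, as an added example that is not part of the original article: it lists the paths a robots.txt file closes from indexing and the sitemap pages that are not linked from the visible menu. The file contents and the menu list are constructed for a hypothetical domain.com.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed inputs for a hypothetical site domain.com.
ROBOTS_TXT = """\
User-agent: *
Disallow: /old/
Disallow: /files/private/   # not for search engines
Allow: /files/public/
Sitemap: https://domain.com/sitemap.xml
"""
SITEMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://domain.com/</loc></url>
  <url><loc>https://domain.com/services</loc></url>
  <url><loc>https://domain.com/contacts</loc></url>
</urlset>"""
MENU_LINKS = ["/", "/services"]  # paths linked from the visible menu

def parse_robots(text):
    """Return the Disallow paths and Sitemap URLs declared in robots.txt."""
    out = {"disallow": [], "sitemap": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if sep and value and key in out:
            out[key].append(value)
    return out

def sitemap_paths(xml_text):
    """Return the URL path of every <loc> element, whatever its namespace."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [urlparse(el.text.strip()).path or "/"
            for el in root.iter()
            if el.tag == "loc" or el.tag.endswith("}loc")]

def unlinked_pages(xml_text, menu_links):
    """Sitemap pages that the menu does not link to."""
    menu = {p.rstrip("/") or "/" for p in menu_links}
    return [p for p in sitemap_paths(xml_text)
            if (p.rstrip("/") or "/") not in menu]

if __name__ == "__main__":
    print(parse_robots(ROBOTS_TXT)["disallow"])
    print(unlinked_pages(SITEMAP_XML, MENU_LINKS))
```

Running the same check against your own site shows which pages and folders these two files expose to any visitor.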

CONNECTIONS WITH OTHER WEBSITES

Affiliation (relationship) between different websites can be established by identifying a match in the owner's name (sources https://whoisology.com/, https://phonebook.cz/, https://2ip.ru/domain-list-by-email/), contact information (phone number or email address), as well as the IP address of the website location (sources https://mxtoolbox.com/reverselookup.aspx, https://www.cy-pr.com/tools/oneip/, https://hackertarget.com/reverse-ip-lookup/, https://osint.sh/reverseip/). As a rule, such a connection is automatically established when using the specialized software products "SpiderFoot" and "Maltego".


REFERENCE ANALYSIS

We are looking for websites that link to the domain name (Backlink Checker). This can be done using an advanced search query (link:domain.com) as well as the specialized services Majestic, Moz and Ahrefs. Website owners often post links to their site in their profiles on forums and social networks, and also order the publication of articles about themselves through specialized platforms. In posts and comments, administrators often indicate an email for contacting potential clients or their personal information. Examine the references and the context in which the resource is mentioned.


TECHNOLOGIES USED ON THE WEBSITE

CMS (Content Management System) is an information system or computer program used to provide and organize the collaborative process of creating, editing and managing website content. Popular CMS include: WordPress, Drupal, Joomla!.

Websites may also use various advertising identifiers and counters for purposes such as traffic analytics, ad monetization, content personalization, and targeted advertising. To detect them, open the source code of the page (Ctrl+U) or use services such as: https://urlscan.io/, https://pagexray.fouanalytics.com/, https://pulsedive.com/ or https://themarkup.org/. Advertising identifiers and counters include those of Google Analytics (in the page code "UA-"), AdSense (in the page code "Pub-" or "ca-pub"), Amazon (in the page code "&tag="), AddThis (in the page code "#pubid" or "pubid"), Rambler (in the page code "top100"), Mail.ru (in the page code "Top.Mail.Ru") and Yandex.Metrica (in the page code "mc.yandex" or "ym"). Typically, a counter on a website is listed with a unique ID that can be used to reveal the site's public statistics.


For example, like this:

https://metrika.yandex.ru/dashboard?id=ADD_ID
https://top100.rambler.ru/search?query=ADD_ID
https://top.mail.ru/visits?id=ADD_ID

Analysis of public website statistics should begin from the moment the counter code is implemented. This will allow you to obtain the social graph (gender, age, region of residence) of the first visitor recorded by it. Most likely, such a visitor will be the administrator or developer of the website who directly integrated the counter itself.

By the way, do not forget to review the HTML code of the website for comments containing the names and nicknames of the developers.
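Reviewing page source for counter IDs and developer comments, as an added example that is not part of the original article: it extracts the IDs, fills them into the public statistics URLs quoted above, and lists the HTML comments. The sample page and the ID formats in the regular expressions are assumptions made for illustration.

```python
import re

# Constructed page source for illustration; every ID below is made up.
SAMPLE_HTML = """
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-1234567-2"></script>
<script>ym(87654321, "init", {clickmap: true});</script>
<noscript><img src="https://mc.yandex.ru/watch/87654321" alt=""></noscript>
<ins class="adsbygoogle" data-ad-client="ca-pub-1234567890123456"></ins>
<img src="https://top-fwz1.mail.ru/counter?id=3344556;js=na" alt="Top.Mail.Ru">
<!-- layout by dev_nick -->
"""

# Assumed ID formats for four of the markers named in the article.
PATTERNS = {
    "google_analytics": re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),
    "adsense": re.compile(r"\bca-pub-\d{10,20}\b"),
    "yandex_metrica": re.compile(r"(?:mc\.yandex\.ru/watch/|\bym\(\s*)(\d{4,12})"),
    "mail_ru": re.compile(r"mail\.ru/counter\?id=(\d+)"),
}

# Public statistics URL templates quoted in the article.
STATS_URLS = {
    "yandex_metrica": "https://metrika.yandex.ru/dashboard?id={}",
    "mail_ru": "https://top.mail.ru/visits?id={}",
}

def extract_ids(html):
    """Map each counter type to the sorted, de-duplicated IDs found."""
    found = {}
    for name, rx in PATTERNS.items():
        ids = {m.group(1) if rx.groups else m.group(0) for m in rx.finditer(html)}
        if ids:
            found[name] = sorted(ids)
    return found

def stats_links(found):
    """Fill the extracted IDs into the public statistics URLs."""
    return [STATS_URLS[k].format(i)
            for k in sorted(STATS_URLS) for i in found.get(k, [])]

def html_comments(html):
    """Return the text of every HTML comment in the page source."""
    return [c.strip() for c in re.findall(r"<!--(.*?)-->", html, re.DOTALL)]

if __name__ == "__main__":
    ids = extract_ids(SAMPLE_HTML)
    print(ids, stats_links(ids), html_comments(SAMPLE_HTML), sep="\n")
```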

In addition, the website may contain technologies such as built-in chat or a feedback form; banking Internet acquiring; authorization via social account; integration with CRM and accounting systems; external APIs (Application Programming Interfaces); CSS (Cascading Style Sheets), a style language that defines the appearance and design of a web page; and various JavaScript libraries, frameworks and databases. Most of these are provided by business entities that can, at the request of a law enforcement agency, hand over information about the persons and contacts who integrated their solutions into the code of the site under study.

Igor S. Bederov
