Website Investigations: Process & Techniques
Website investigations follow a basic, logical flow. The launching point tends to be a domain or an IP address. The endpoint is usually identification of the operator or a set of enforcement options. What happens in between those points varies by investigator and by website.
This post outlines a standardized process that guides new hires through website investigations with the assistance of a website investigations tool. The tool is actually a set of bookmarks organized to lead users through the process via search forms. Each form offers exposure to different techniques and different results.
Website Investigation Flow
There are advantages to standardizing this process. Each investigation is unique. Cases may solve differently, but the process of probing and then reporting the connections tends to be the same.
Process is especially important in team environments because investigators and attorneys are more effective on a common ground. By defining the investigation in steps, team members can envision and discuss websites in logical compartments. Each compartment represents a different type of investigation, a different type of enforcement.
Compartments also add organization to investigative notes. It’s infinitely easier to read and understand another investigator’s notes when the links and observations are organized with the same titled sections that you use, as opposed to the order the information was found. Organized notes are also easier to revisit and transfer into a report.
For this process, the website investigation flows through 5 compartments.
Domain / IP Addresses > Web Assets > Related Sites > Social Media > Operator ID
The process is simple. Look for data to connect the first and last compartments. Sometimes that data is found in the domain registrant contact information. In many cases, it’s found elsewhere, such as a custom name server, a unique script shared between two websites or an image hosting account. Social media bridges connections between these findings, the website and the persons involved. Operator ID confirms these connections against real world information.
The website investigation tool outlines this process. Each compartment has a dedicated tab with search forms. The search options advance in complexity from the top of the page to the bottom. The options you select depend on the circumstances at hand. Additional resources can also be found on NetBootCamp’s OSINT Tools page.
Let’s look at this process by compartment.
Domain and IP Address
Domain registrations and IP addresses are the usual launching point for a website investigation. This section is about what they reveal: operator contact information and control of the server.
Domain and IP Address searches include, but are not limited to:
Web Assets
This section identifies assets used to operate websites. Observations in this section often connect to social profiles and screen names that are examined later.
Website Assets searches include, but are not limited to:
Related Sites
Identifiers embedded in a site's HTML source are commonly used to connect websites. These include visitor-statistics accounts such as Google Analytics, advertising publisher accounts such as AdSense, and the publisher codes found in social media sharing widgets. Many operators avoid or discontinue these accounts for exactly this reason, though the codes can sometimes still be found in earlier versions of their websites on Archive.org.
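As an added example that is not part of the original post or the NetBootCamp tool, the following Python script shows the shared-identifier technique described above: it extracts Google Analytics, GA4 and AdSense identifiers from page source and reports only those that appear on more than one site. The site names, identifiers and sample pages are constructed for illustration, and the ID formats are assumed from each service's public documentation.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Patterns for publisher/analytics identifiers commonly embedded in page source.
# Formats assumed from public documentation: UA-nnnnnnn-n (Universal Analytics),
# G-XXXXXXXX (GA4 measurement ID), ca-pub-nnnnnnnnnnnnnnnn (AdSense publisher).
ID_PATTERNS = {
    "google_analytics": re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),
    "ga4_measurement": re.compile(r"\bG-[A-Z0-9]{6,12}\b"),
    "adsense_publisher": re.compile(r"\bca-pub-\d{10,20}\b"),
}

def extract_ids(html: str) -> set[str]:
    """Return the set of tracking/publisher identifiers found in one page's HTML."""
    found: set[str] = set()
    for pattern in ID_PATTERNS.values():
        found.update(pattern.findall(html))
    return found

def group_by_shared_ids(pages: dict[str, str]) -> dict[str, set[str]]:
    """Map each identifier to the sites whose HTML contains it.
    Only identifiers seen on two or more sites are returned, because a code
    that appears on a single site connects nothing."""
    index: dict[str, set[str]] = defaultdict(set)
    for site, html in pages.items():
        for ident in extract_ids(html):
            index[ident].add(site)
    return {ident: sites for ident, sites in index.items() if len(sites) > 1}

# Constructed sample pages (hypothetical site names and IDs, not real ones).
SAMPLE_PAGES = {
    "example-shop.test": """<html><head>
<script>ga('create', 'UA-1234567-2', 'auto');</script>
<script data-ad-client="ca-pub-1122334455667788" async></script>
</head></html>""",
    "example-blog.test": """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123XYZ"></script>
<script>gtag('config', 'UA-1234567-2');</script>
</head></html>""",
    "unrelated.test": """<html><head>
<script>ga('create', 'UA-7654321-1', 'auto');</script>
</head></html>""",
}

if __name__ == "__main__":
    # Prints the one identifier shared by the shop and blog sample pages.
    for ident, sites in sorted(group_by_shared_ids(SAMPLE_PAGES).items()):
        print(f"{ident}: {', '.join(sorted(sites))}")
```

In practice the HTML would come from fetched pages or Archive.org captures, and a match is a lead to verify in the later compartments, not proof of common operation on its own.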
Related Website searches include, but are not limited to:
Social Media
Screen names and registrant contacts are often tied to social profiles. Profiles can also be found when these connections are not apparent. This section probes for posts and profiles that bridge connections between websites and potential operators.
Social Media searches include, but are not limited to:
Operator ID
Operator ID verification confirms that the investigative findings are grounded: that they're associated with an identifiable person, business or physical location. An email tied to a Facebook profile might also be found in a person's credit report. The phone number used to initially register a website might be found in an online resume. This section finds relationships between investigative observations and identities.
Operator ID searches include, but are not limited to:
company data, incorporation data, property ownership, building permits, political donations, freelancers, newspapers, classmates, unclaimed property, business listings, etc.
Process organizes how we collect and report data. It can also help troubleshoot the findings. You can develop your process with the assistance of the website investigation tool. It’s a training device intended to inspire problem solving and organization among new hires and junior investigators.