Challenge

Lack of Visibility into Critical Data

WHOIS records are crucial for tracking domain ownership, allowing researchers and investigators to identify malicious and fraudulent actors and their website infrastructures. However, the redaction of WHOIS data and the difficulty of conducting effective reverse IP lookups pose a significant obstacle to cyber investigators, limiting their ability to attribute cybercrime and trace the activities of dangerous actors.

Critelli needed deeper access to historical WHOIS records and reverse WHOIS lookups within Maltego to provide students with hands-on cyber investigation training.

Solution

Access to Deep WHOIS History and Reliable IP-to-Domain Mapping

Critelli used WhoisXML API’s WHOIS History transform in Maltego to retrieve historical WHOIS records. He also used other WhoisXML API capabilities, such as the Reverse IP API, to identify the domains hosted on a given IP address.

He found that the WhoisXML API transforms provided more accurate and complete information than others offering the same capabilities. Integrating WhoisXML API data points into his investigation workflow enabled him to develop techniques that can help students and law enforcement trainees trace digital footprints, uncover hidden cyber assets, and analyze threat actors’ activities.

Results

Valuable and Replicable Investigation Techniques

More Complete Contextualization Dataset

Having access to domain and IP intelligence, along with other cyber threat intelligence sources, enhanced the project’s digital attribution capability. In particular, deep WHOIS history and extensive DNS data enabled more accurate linking of malicious activities to specific actors and infrastructures.

Improved Law Enforcement Training

The researcher gained broader visibility into the data points required to conduct security investigations, enabling him to formulate and deepen the cyber investigation workflows that are crucial for law enforcement training.