Welcome to the 93rd issue of The OSINT Newsletter. This issue contains OSINT news, community posts, tactics, techniques, and tools to help you become a better investigator. Here's an overview of what's in this issue:
- Introduction to Domain OSINT
- Beginner tools for Domain OSINT
- Case study in Domain OSINT
Let's get started.
Domains are the real estate of the internet. From the swishest company site, to the jankiest homepage, to the most self-indulgent blog, every website on the net is like a piece of land – and every piece of land has an owner. The "address" to this land is the domain name. So if you investigate that domain right, it could lead you straight to the landlord's door.
In this issue, we're exploring domain OSINT: one of the most useful (and most misunderstood) starting points for investigation. We'll cover:
- What domains can actually tell you
- Beginner tools for domain OSINT
- How to pivot from domains to other intel
- A practical example of domain OSINT in action
By the end, you'll know how to go from one innocent-looking URL to a whole new world of intelligence. It's free real estate.
Domain OSINT is pretty self-explanatory; it's the act of investigating a domain name and the infrastructure around it. It's easy to assume that it's just about "who owns this website?" – of course, that's super important information to learn (and has cracked some very high-profile cases). But the intelligence value of the average address is much more than a less OSINT-savvy realtor would tell you. A domain connects to:
- Registrant information
- Hosting providers and IP ranges
- Subdomains and services
- Email infrastructure
- Historical versions of websites
- Other domains owned by the same entity
Pretty much anything. Each of the above points of data you can get from a domain also has a corresponding intelligence use. After all, in super pretentious terms, a domain is a behavioural artifact: someone registered it, configured it, hosted it, maintained it, and used it for a purpose. Every one of those decisions leaks information, like layers of old wallpaper that tell you your house's walls used to be puke-green. You can uncover:
- Ownership: When the owner of the site got the domain, they likely had to provide the hosting provider with some identifying data: an email address, a real name, or the name of an organisation they're connected to. You can get this data.
- Connected Sites: Any subsidiaries, backups, or even scammy clones of the target domain. They could also be hosting the page within another site, or own other sites under the same personal ID – which shows a clear link to other activity.
- Email Activity: Some domains allow email hosting. A hosted email address has obvious pivot potential; you can look at MX records, plus all the other stuff we covered in our previous email issue.
- Hosting Behaviour: Are they using a cheap hosting provider? Or maybe it's bulletproof hosting, or even sophisticated enterprise infrastructure? The type of hosting your target domain uses can indicate the purpose (and dodginess) of the site.
  - Also consider operational maturity: a fancy term for "how long it's been there." A newly-created site might be used like a burner phone, whilst a long-established asset domain might suggest legitimacy.
- Geographic Location: You can use the address to find out where the domain is hosted; just look at the country code at the end. Also, the language used will tell you who wrote it, and who the intended audience is.
Of course, it'll still take some classic investigator's instinct to turn this information into insights. But even the most elusive info – intent, for example – is discoverable once you've got this know-how. Say you find a domain built yesterday, hosted on a bargain VPS, with no history and several clones… It's easy to see how that could become evidence.
Now we know what domain OSINT can do, we can get into the tooling. You don't need anything elite or expensive; our basic toolkit is all free (or freemium), fast and extremely effective.
WHOIS Lookup
WHOIS lookup is synonymous with domain OSINT. WHOIS search is a handy protocol that lets you search databases for information about registered users of domain names and IP addresses. That includes their contact details, the date they got the address, and more. You can also look into historical WHOIS data; ownership changes over time are often more interesting than current data.
DNS Tools
Tools like DNS Dumpster and SecurityTrails go through DNS records and associated infrastructure. Give them a hostname, and they'll reveal subdomains, DNS changes, name servers, and any other associated digital assets the domain owner forgot to take down. In addition, you can also get statistics, like how many other hostnames have the same IP.
Reverse IP Search
Reverse IP search can show you what else is hosted on the same server as your target domain. Often, people will reuse cheap hosting servers; it's common in networks of scammers, for example. Infrastructure reuse will betray any hidden relationships.
The Wayback Machine
Want to know what a site used to look like? Check it out on the Wayback Machine. The Internet Archive stores captures of sites from the past, so you can see previous versions. You might find old branding, evidence of previous owners, or deleted content. Sudden pivots (e.g. from "crypto project" to "consultancy") are classic red flags.
Email Infrastructure Checks
MX records show how the site handles email. Usually, they're used to check if an email address is fake without sending a humiliating (or dangerous) bounceback message. However, they can do even more for domain OSINT, too. Find out which email provider they use, and whether the email works at all. A "professional" company with no proper email setup is… suspicious.
Let's test our skills on an example. Imagine you've found a site from a company offering "international geomarketing services". Their website is slick – full of stock photos of serious people in suits staring at maps. The domain address: red-ball-market-global.com.
You've called their phone number, but you're on hold. So while you're waiting, you do a little domain OSINT.
You plug the address into a WHOIS search, hoping to find registration details. The domain itself was registered 11 days ago via a budget registrar, which does seem suspicious for a legitimate "global" firm. They've also enabled privacy protections, so no contact details.
You run a DNS enumeration, and turn up some results for connected subdomains: mail.red-ball-market-global.com, and portal.red-ball-market-global.com. Mail does exist – and explains the email you received. Portal redirects you to a generic login page.
Reverse IP search shows four other domains on the same server as red-ball-market-global.com:
None of these are older than two months, and their relevance to "international geomarketing" is… weak. Clearly, the original red-ball site's owner has a diverse business portfolio. Too diverse to trust.
In the Internet Archive, you uncover a previous version of red-ball-market-global.com. A year ago, it was selling cheap office furniture under the "Red Ball" name; with Trustpilot reviews in the dirt. This confirms that you're looking at the operator's latest scam, not a legitimate global agency.
So, red-ball-market-global.com is one big, red, spherical flag. But at least their hold music was catchy.
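The WHOIS step of the case study, as an added example that is not part of the original newsletter: it parses a `Key: value` WHOIS response and flags the two signals described above, a very recent registration date and privacy-protected registrant fields. The sample record, the registrar and name-server names, the marker list and the 30-day threshold are all assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS response for the newsletter's fictional domain; every
# field value (registrar, dates, name servers) is invented for this example.
SAMPLE_WHOIS = """\
Domain Name: RED-BALL-MARKET-GLOBAL.COM
Registrar: Example Budget Registrar LLC
Creation Date: 2025-03-01T09:14:22Z
Registry Expiry Date: 2026-03-01T09:14:22Z
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
"""

# Assumed wording used by privacy services; extend it for the registrars you see.
PRIVACY_MARKERS = re.compile(r"redacted|privacy|whoisguard|proxy|not disclosed", re.I)

def parse_whois(text):
    """Collect 'Key: value' lines into {key: [values]}; keys may repeat."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def triage(text, now, young_days=30):
    """Return (age_in_days or None, list of signals) for one WHOIS response."""
    rec = parse_whois(text)
    signals, age = [], None
    created = rec.get("creation date")
    if created:
        ts = datetime.fromisoformat(created[0].replace("Z", "+00:00"))
        age = (now - ts).days
        if age < young_days:
            signals.append(f"registered {age} days ago")
    else:
        signals.append("no creation date in record")
    registrant = [v for k, vals in rec.items() if k.startswith("registrant") for v in vals]
    if registrant and all(PRIVACY_MARKERS.search(v) for v in registrant):
        signals.append("registrant details privacy-protected")
    return age, signals

# Fixed reference time so the result is repeatable.
NOW = datetime(2025, 3, 12, 12, 0, tzinfo=timezone.utc)
if __name__ == "__main__":
    print(triage(SAMPLE_WHOIS, NOW))
```

WHOIS layouts differ between registries and registrars, so treat the field names here as one common layout and adjust the keys for the responses you actually receive.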
Hopefully, you've now got your first step on the OSINT property ladder. You should know:
- Who owns the internet? Domain registrars, that's who. Every site has an owner, and every owner has their details stored somewhere.
- Landlords exist: Some people have multiple sites. Connecting them is key.
- Patterns are pivots: Even if the contacts are privacy protected, you can still analyse the target's behaviour around a domain.
- It's free real estate: Domain tools are free, and good enough to get results.
See you next issue, investigators!


