Advanced research tools and techniques
by Paul Myers

Who am I?

Are these notes available?

• Yes - they are on http://researchclinic.co.uk

What we're covering

• Hidden stuff

  • Use fusker to grab hidden images on servers

  • Meta information hidden in Word documents

ht exposed. com was a radical website with anonymous articles, no contact details and fake whois information

however they had lectures downloadable as Word documents

word documents contain hidden information that can be extracted using notepad or software like docscrubber & bitform discover

 

• Wayback Machine

  • Can be used creatively for investigation

  examples

  Original Hiz b-t site

  Hiz b-t site at the time of government closure threats screengrab

• Search across multiple domains

  • search for Faroe Islands on UK government sites

  • reusable pan-Scandinavia search

  • limitations

    • countries may have registered .com

    • some countries don't have a single domain for government

    • no order to results

• WHOIS and its role in investigation

  • What is whois?

  • Are the details accurate?

  • Can they lie?

  • Can they hide details?

  • Domains can change hands.

  • Watch out for associated domains.

   

  • Martinlutherking . org

Note: WHOIS shows Hizb-ut-tahrir's current registrant to be something called "Risk Management and Disaster Recovery Services Ltd".

• Combining useful databases

  • Google

  • News sites

  • telephone directories

  • geneology / BMD sites

  • electoral role

  • business directories

  • land registries

  • patent office and other sources that list addresses

• Historical Whois

  • Used in an investigation

  • who was the previous registrant of Hizb-ut-tahrir?

• Reverse IP

  • Reverse IP allows you to see which domains are on the same server

    • significance?

    • use?

  • Domaintools looks on the MLK server?

  • Free! Whois.webhosting.info finds 7 sites on the Hydro server?

  • Domaintools finds 10 sites on the Hydro.com server

• Who's the host?

• Visualroute traces Hizb-ut-tahrir.org to a computer in Dallas

Note: the Hizb IP address 207.210.245.157 was issued by ARIN and reverse traces to a company called meta-managed based in Malaysia.

Netcraft reveals the owner of the IP address block containing 207.210.245.157 to be a company named colo4dallas

• Domain search by registrant

  • other domains registered by Stormfront

  • domains registered by Pfizer