I have updated the Google Doc with all my edits from my plane trip.

Marika or someone on our team should put this into the “final” format without instructions at the front and cleaning things up.

Cheers,

Rod

On Oct 26, 2017, at 9:37 AM, Ayden Férdeline <ayden@ferdeline.com> wrote:

Hi,

I have not reviewed the Google Doc too comprehensively just yet, as I have been in an event at Chatham House the past few days, but I will try to review this tomorrow or Saturday once I am in Abu Dhabi. Thanks, and safe travels to all.

—Ayden 


-------- Original Message --------
Subject: Re: [Gnso-rds-pdp-7] [Ext] Notes & action items today's DT7 meeting
Local Time: 26 October 2017 12:29 PM
UTC Time: 26 October 2017 11:29
To: Rod Rasmussen <rod@rodrasmussen.com>

Dear All,

Sorry about not replying sooner, but trying to find some alone time here when it's your conference was proving a real challenge. However, I have managed to ‘list’ a few things that LEA use the DB for. No investigation is the same and I haven’t really packaged it around an actual case.

I haven’t attached this to the Google Doc as I am not sure where to put it. I arrive at the conference hotel tomorrow afternoon, around 3pm; it might be a good idea if we could have a quick get-together and finalise the document.

From experience, and dependent on the WHOIS tool used (I have taken the Centralops domain dossier as the WHOIS template below and picked out the relevant fields that could be returned):

Domain WHOIS record


  • Registrant (name, address, email address). Use - identification, information and intelligence gathering etc.
  • Creation date, renewal date, last updated date, expiry date. Use - is it recently registered (maybe a DGA etc.)? Is it a long-time registered / historic domain? If so, perform a WHOIS history check on it to look at identifying the registrant... before they changed over to a privacy/proxy registrar to hide their details.
  • Registrar. Use - further enquiries with a disclosure authority/court order.
  • NS records (nameserver - used to direct the traffic of your website to a specific web server at a web host). Use - what other domains point to this NS? This could provide you with a whole host of intelligence on other domains controlled by the same person/organisation.



Network WHOIS record

  • Abuse contact. Use - further enquiries (disclosure authorities).
  • CIDR space of network provider. Use - if they own for example a /24, try some passive DNS to see what other domains point to these IPv4 addresses; this may give you more intelligence on malicious domains associated to a rogue server etc.


DNS records

  • MX record. Use - which network provider provides mail for the domain?


Bad WHOIS data of value

  • A false domain name, registrant, address, email. Uses - bad/false/stolen/incomplete domain WHOIS data may give an investigation a new lead in terms of intel gathering, linked accounts showing the same false data through a registrant search of the WHOIS record for similarly registered domains.

That's what I can think of so far...

Cheers

Dick

Richard Leaning
External Relations
RIPE NCC
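As an added illustration (not part of Dick's message or of any DT document), the Python below parses a constructed Centralops-style WHOIS record and derives the leads listed above: domain age, a privacy/proxy registrant, the registrar to direct a disclosure request to, and the name servers to pivot on. The sample record, the proxy-name markers, the investigation date and the 30-day "recently registered" threshold are all assumptions.

```python
from datetime import datetime

# Constructed sample in the Centralops-style "Key: value" layout (not a real record)
SAMPLE_WHOIS = """\
Domain Name: example-lookalike.test
Registrar: Example Registrar Inc.
Creation Date: 2017-10-21T08:15:00Z
Registry Expiry Date: 2018-10-21T08:15:00Z
Registrant Name: Privacy Protect, LLC
Registrant Email: contact@privacy-proxy.example
Name Server: ns1.shared-host.example
Name Server: NS1.SHARED-HOST.EXAMPLE
Name Server: ns2.shared-host.example
"""
# Assumed substrings that mark a privacy/proxy registrant
PROXY_MARKERS = ("privacy", "proxy", "whoisguard", "redacted")
NOW = datetime(2017, 10, 26)  # assumed date of the investigation (UTC)


def parse_whois(text):
    """Parse 'Key: value' lines into a dict; repeated 'Name Server' keys become a list."""
    rec = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # banners, blank lines and disclaimers carry no field
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "name server":
            rec.setdefault("name servers", []).append(value.lower())
        else:
            rec[key] = value
    return rec


def triage(rec, now=NOW, recent_days=30):
    """Derive the leads from the field list above: age, proxy use, registrar, NS pivots."""
    created = datetime.strptime(rec["creation date"], "%Y-%m-%dT%H:%M:%SZ")
    age_days = (now - created).days
    registrant = rec.get("registrant name", "").lower()
    return {
        "age_days": age_days,
        "recently_registered": age_days <= recent_days,  # fresh domain: DGA / throwaway?
        "privacy_proxy": any(m in registrant for m in PROXY_MARKERS),  # -> WHOIS history check
        "registrar": rec.get("registrar"),  # party for a disclosure request / court order
        "ns_pivots": sorted(set(rec.get("name servers", []))),  # NS names to pivot on
    }


if __name__ == "__main__":
    for field, value in triage(parse_whois(SAMPLE_WHOIS)).items():
        print(f"{field}: {value}")
```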




On 26 Oct 2017, at 12:38, Rod Rasmussen <rod@rodrasmussen.com> wrote:

Getting ready to get on my plane to Abu Dhabi from AMS, so will be finishing things up in the next few hours and then uploading once I land.  I have made some more changes, adding an important category that I ended up leaving off by focusing too much on issues directly tied to a domain name.  This new section covers use of the RDS when a particular domain, registrant, e-mail, or other element stored in the RDS comes up in association with a crime/abuse issue not directly tied to a domain name itself.  Think of things like finding a criminal’s e-mail address and using reverse-whois queries to see if he has registered a domain in the past to find potential attribution.

Lots of other stuff in that bucket, but it’s an important one we cannot ignore. (whether we agree it is legitimate use or not in some cases - we’ll get to that after we get the actual uses catalogued).

Cheers,

Rod

On Oct 24, 2017, at 11:11 AM, Marika Konings <marika.konings@icann.org> wrote:

I’m also arriving in Abu Dhabi early Thursday evening, so I won’t be able to send anything before that time in any case so happy to wait for you to finalize your edits on the plane. Of course, if there are further questions from DT members on those further additions, these can always be discussed during the WG meetings.
 
Best regards,
 
Marika 
 
From: Rod Rasmussen <rod@rodrasmussen.com>
Date: Tuesday, October 24, 2017 at 12:03
To: Marika Konings <marika.konings@icann.org>
Cc: "gnso-rds-pdp-7@icann.org" <gnso-rds-pdp-7@icann.org>
Subject: [Ext] Re: [Gnso-rds-pdp-7] Notes & action items today's DT7 meeting
 
Marika,
 
EOD Thursday in what time zone?  Since I’m going to be flying from Amsterdam to Abu Dhabi and getting in early Thursday evening local time, I can likely finish up all the “empty” slots during that flight and submit them.  I realize this doesn’t help with our review process and will endeavor to get more done prior to then, but if I can take advantage of that flight time to make things a lot more clear, I’d like to.
 
Cheers,
 
Rod
 
On Oct 24, 2017, at 10:58 AM, Marika Konings <marika.konings@icann.org> wrote:
 
Dear all,
 
Thank you to those that were available to participate in today’s DT meeting. As there is little time left before people start travelling, please take note of the action items below. The objective is to submit the template to the full WG by the end of day on Thursday so the DT will need to have completed its work by then. As per action item #3, please find attached the latest draft of the legal action DT. The latest draft of the regulatory & contract enforcement can be found here: https://docs.google.com/document/d/1NvoYYmMsjqgt48mAYt5nCr8uPk-E-2IngGt50wDkaFU/edit. As noted, these DTs may have some overlap with the purpose described by this DT.
 
Best regards,
 
Marika
 
 
Notes – DT7 Meeting on 24 October 2017:
 
1. Roll call / Welcome
  • On call today: Dick Leaning, Marc Anderson, Raoul Plommer, Rod Rasmussen
 
2. Review, discuss and confirm support and understanding of all input received to date (see https://docs.google.com/document/d/19fUlV3HEyZ0IYFOY-r4KGoN25ICHPf1wDjUA_ZMx3yc/edit#heading=h.gjdgxs)
  • See latest version at link above
  • Initial draft expanded by adding a number of additional use cases to give a broader flavor of this particular purpose, both for individual investigations as well as automated processes. 
  • RDAP protocol would facilitate automated process
  • Description has been provided for each use case as well as the overall structure and distinction between different use cases (individual investigations vs. automated processes and various stages of an investigation)
  • Around automated processes for reputation services - is an area that hasn't really been discussed in the larger WG, so might be of broader interest to highlight that use case. 
  • Is a separate category needed for copyright infringement - likely covered by another DT, but may be worth flagging to ensure that it is not lost. May need to conduct a gap analysis once all DTs have presented their work to make sure nothing is forgotten. Similarly content on web-sites (e.g. pharma) may fall in different categories even though they may follow similar steps and/or require similar information. Difference may be in the asking to determine in which DT it belongs. Info-sec and other private actors aren't usually interested in attribution, so that's a big difference.
 
Action item #1 - Rod to add additional use case concerning compromise of account / hijacking / domain shattering
Action item #2 - All to review template and aim to flesh out use cases to ensure a comprehensive overview and understanding of data elements required for criminal investigation / DNS Abuse Mitigation purpose.
Action item #3 - Staff to share latest drafts of enforcement and legal actions DT so that the DT can see what is being covered in other DTs and flag accordingly what may require further attention.
Action item #4 - DT encouraged to ask questions should certain aspects not be clear to make sure that the template is understandable for a broad audience
 
3. Confirm what further updates / edits need to be made prior to submission to the full WG (deadline Thursday 26 October)
4. Identify team members who will attend ICANN60 sessions:
  • Saturday 28 October and Wednesday 1 November
  • In person or remote
  • Volunteer to introduce the team's output?
  • Consider having a high level overview on a slide - Rod to discuss with Lisa
  • Rod and Dick normally available to present
  • Aim to ensure that Rod is available to present as he is the expert
 
Action item #5 - Rod to check breaks for SSAC session so that DT7 update could be scheduled in accordance with the breaks
Action item #6 - Staff to work with the leadership team to schedule the DT7 update at a time that works with Rod’s schedule
 
Marika Konings
Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN) 
 
Follow the GNSO via Twitter @ICANN_GNSO
Find out more about the GNSO by taking our interactive courses and visiting the GNSO Newcomer pages
 
<RDS WG DT6 Draft - Revised 10.23.2017.docx>

_______________________________________________
Gnso-rds-pdp-7 mailing list
Gnso-rds-pdp-7@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-7
 
