<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Yet IP Whois will usually only yield the webhost or the IS. How
      is having to ask them for the data any different from having to
      ask the registrar? Are LEAs lobbying for webhost and internet
      subscriber public whois?</p>
    <p>Best,</p>
    <p>Volker</p>
    <p><br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 04.08.2016 at 17:09, Terri
      Stumme wrote:<br>
    </div>
    <blockquote
cite="mid:CAGvh5H5-34aL1Qny6i=yT+dtcFt2ydkqq2WX_jj7ErUot48a4g@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_default"
          style="font-family:georgia,serif;font-size:small">Law
          enforcement investigative methodologies are not typically
          divulged, for obvious reasons; there are several approaches to
          cyber investigations, and depending on the type of criminal
          activity, different methodologies are utilized. There is domain
          name Whois and IP Whois -- both critical first steps.</div>
        <div class="gmail_default"
          style="font-family:georgia,serif;font-size:small"><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Aug 4, 2016 at 10:49 AM, Volker
          Greimann <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:vgreimann@key-systems.net" target="_blank">vgreimann@key-systems.net</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <p>I think we are forging ahead into territories reserved
                for future times, but when that time comes, I will be
                interested in learning however law enforcement manages
                to do its job without this needed and useful data in
                areas where it is not public, such as web hosting,
                twitter, forum posts, etc. <br>
              </p>
              <p>Best,</p>
              <p>Volker<br>
              </p>
              <div>
                <div class="h5"> <br>
                  <div>On 04.08.2016 at 16:31, Terri Stumme wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div class="gmail_default"
                        style="font-family:georgia,serif;font-size:small">Absolutely,
                        Greg. The 2009 law enforcement recommendations
                        regarding amendments to the RAA addressed Whois
                        data, specifically the need for validating
                        registrant information. The reason this
                        recommendation was included in the
                        recommendations is because LE utilizes the data
                        in cyber investigations. There are many
                        transcripts related to this issue, and LE has
                        conveyed to the ICANN community on several
                        occasions the importance of Whois data, and how
                        LE utilizes the data in cyber investigations.</div>
                      <div class="gmail_default"
                        style="font-family:georgia,serif;font-size:small"><br>
                      </div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Thu, Aug 4, 2016 at
                        8:59 AM, Mounier, Grégory <span dir="ltr">&lt;<a
                            moz-do-not-send="true"
                            href="mailto:gregory.mounier@europol.europa.eu"
                            target="_blank">gregory.mounier@europol.<wbr>europa.eu</a>&gt;</span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">Dear Rob,<br>
                          <br>
                          Thanks for sharing the outcome of your chat
                          with ex-FBI and UK LEA agents. I feel that I
                          need to step in to provide a different
                          perspective than the one you just gave on the
                          law enforcement use of the WHOIS. It might be
                          a matter of interpretation but the views
                          expressed by your interlocutors are not shared
                          by my colleagues working throughout European
                          police cyber divisions.<br>
                          <br>
                          If European cyber investigators are obviously
                          all aware of the fact that WHOIS registration
                          data can sometimes be inaccurate and not
                          up-to-date (ICANN compliance reported that for
                          the first quarter of 2015, WHOIS inaccuracy
                          comprised 74.0 % of complaints), in 90% of
                          cases they will start their investigations
                          with a WHOIS lookup. This is really the first
                          step.<br>
                          <br>
                          Despite the lack of accuracy, WHOIS
                          information is useful in so many different
                          ways. One of the first of them is to make
                          correlations and link pieces of information
                          obtained through other means than from the
                          WHOIS. This was the point I tried to make on
                          Tuesday during the conference call.<br>
                          <br>
                          Accurate and reliable WHOIS data helps crime
                          attribution and can save precious
                          investigation time (you can rule out wrong
                          investigative leads).<br>
                          It raises the bar and makes it more difficult
                          for criminals to abuse domain names. It pushes
                          them to resort to more complex techniques such
                          as ID theft to register domains for malicious
                          purposes.<br>
                          <br>
                          In short, for LEA WHOIS is certainly not the
                          silver bullet to attribute crime on line but
                          it is an essential tool in the tool box of law
                          enforcement.<br>
                          <br>
                          Best,<br>
                          <br>
                          Greg<br>
                          <br>
                          <br>
                          -----Original Message-----<br>
                          From: <a moz-do-not-send="true"
                            href="mailto:gnso-rds-pdp-wg-bounces@icann.org"
                            target="_blank">gnso-rds-pdp-wg-bounces@icann.<wbr>org</a>
                          [mailto:<a moz-do-not-send="true"
                            href="mailto:gnso-rds-pdp-wg-bounces@icann.org"
                            target="_blank">gnso-rds-pdp-wg-bounce<wbr>s@icann.org</a>]
                          On Behalf Of Rob Golding<br>
                          Sent: 04 August 2016 01:46<br>
                          To: RDS PDP WG<br>
                          Subject: Re: [gnso-rds-pdp-wg] Use cases:
                          Fundamental, Incidental, and Theoretical<br>
                          <br>
                          &gt;&gt; Theoretical<br>
                          &gt;&gt; ===========<br>
                          &gt;&gt; We have seen a couple of proposed use
                          cases that seem to be ideas<br>
                          &gt;&gt; that people have for useful or
                          harmful ways that RDS can be used, but<br>
                          &gt;&gt; that do not exist today (at least not
                          that anyone can fully<br>
                          &gt;&gt; document).<br>
                          &gt;&gt;<br>
                          &gt;&gt; For example, there seems to be a
                          desire to use the RDS as a way to<br>
                          &gt;&gt; issue warrants for information about
                          registrants. While this may be<br>
                          &gt;&gt; useful, this is not possible today
                          (even with RDAP, I note).<br>
                          <br>
                          It not only is possible today, it's also
                          "common" (although thankfully not frequent)<br>
                          <br>
                          Registrars get served warrants for details
                          about registrants, and the _only_ information
                          from WHOIS that's "needed" or used for such
                          cases is the name of the Registrar.<br>
                          <br>
                          I had the pleasure of meeting Chris Tarbell,
                          ex-FBI Cyber Crime, at HostingCon last week -
                          asked about WHOIS/domain data he said "we don't
                          use it"<br>
                          <br>
                          Last year at the UKNOF event in Sheffield I
                          spent quite some time talking with some
                          amazing people from the UK CyberCrime
                          departments - asked the same questions, they
                          confirmed that although whois _might_ be
                          looked at to see if it matches _data they
                          already have_ for confirmation, it's not used
                          or relied on.<br>
                          <br>
                          Which beggars the question, should
                          "LawEnforcement" use cases even be part of the
                          discussions ?<br>
                          <br>
                          Rob<br>
                          --<br>
                          Rob Golding   <a moz-do-not-send="true"
                            href="mailto:rob.golding@astutium.com"
                            target="_blank">rob.golding@astutium.com</a><br>
                          Astutium Ltd, Number One Poultry, London. EC2R
                          8JR<br>
                          <br>
                          * domains * hosting * vps * servers * cloud *
                          backups * ______________________________<wbr>_________________<br>
                          gnso-rds-pdp-wg mailing list<br>
                          <a moz-do-not-send="true"
                            href="mailto:gnso-rds-pdp-wg@icann.org"
                            target="_blank">gnso-rds-pdp-wg@icann.org</a><br>
                          <a moz-do-not-send="true"
                            href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
                            rel="noreferrer" target="_blank">https://mm.icann.org/mailman/l<wbr>istinfo/gnso-rds-pdp-wg</a><br>
                        </blockquote>
                      </div>
                      <br>
                      <br clear="all">
                      <div><br>
                      </div>
                      -- <br>
                      <div data-smartmail="gmail_signature">
                        <div dir="ltr">
                          <div>
                            <div dir="ltr">
                              <div>
                                <div dir="ltr"><font size="2"><span
                                      style="background-color:rgb(159,197,232)"><i>Terri
                                        Stumme</i></span></font>
                                  <div><font size="2"><span
                                        style="background-color:rgb(159,197,232)"><i>Investigative
                                          Analyst</i></span></font></div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
    </blockquote>
    

    </div></div><pre cols="72">-- 
Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann
- legal department -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: <a moz-do-not-send="true" href="tel:%2B49%20%280%29%206894%20-%209396%20901" value="+4968949396901" target="_blank">+49 (0) 6894 - 9396 901</a>
Fax.: <a moz-do-not-send="true" href="tel:%2B49%20%280%29%206894%20-%209396%20851" value="+4968949396851" target="_blank">+49 (0) 6894 - 9396 851</a>
Email: <a moz-do-not-send="true" href="mailto:vgreimann@key-systems.net" target="_blank">vgreimann@key-systems.net</a>

Web: <a moz-do-not-send="true" href="http://www.key-systems.net" target="_blank">www.key-systems.net</a> / <a moz-do-not-send="true" href="http://www.RRPproxy.net" target="_blank">www.RRPproxy.net</a>
<a moz-do-not-send="true" href="http://www.domaindiscount24.com" target="_blank">www.domaindiscount24.com</a> / <a moz-do-not-send="true" href="http://www.BrandShelter.com" target="_blank">www.BrandShelter.com</a>

Follow us on Twitter or join our fan community on Facebook and stay updated:
<a moz-do-not-send="true" href="http://www.facebook.com/KeySystems" target="_blank">www.facebook.com/KeySystems</a>
<a moz-do-not-send="true" href="http://www.twitter.com/key_systems" target="_blank">www.twitter.com/key_systems</a>

CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken 
V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP
<a moz-do-not-send="true" href="http://www.keydrive.lu" target="_blank">www.keydrive.lu</a> 

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.



</pre>
  </div>


</blockquote></div>

</div>



</blockquote>
</body></html>