Elsevier

Digital Investigation

Volume 22, September 2017, Pages 133-141

Registration Data Access Protocol (RDAP) for digital forensic investigators

https://doi.org/10.1016/j.diin.2017.07.002

Abstract

This paper describes the Registration Data Access Protocol (RDAP) with a focus on its relevance to digital forensic investigators. RDAP was developed as the successor to the aging WHOIS system and is intended to eventually replace WHOIS as the authoritative source for registration information on IP addresses, domain names, autonomous systems, and more. RDAP uses a RESTful interface over HTTP and introduces a number of new features related to security, internationalization, and standardized query/response definitions. It is important for digital forensic investigators to become familiar with RDAP, as it will play an increasingly important role in Internet investigations that require the search and collection of registration data as evidence.

Section snippets

Historic overview of WHOIS

The original specification for WHOIS was written in 1982 as Request For Comments (RFC) document RFC-812. It was created to provide a directory of contact information for users of systems and networks on the ARPANET. The WHOIS specification was updated several times, and in 2004 RFC-3912 became the final WHOIS RFC published (IETF, 2004a).

The WHOIS protocol is simply a TCP connection to port 43 of a WHOIS server, with the query submitted as a single line terminated by a newline (CRLF in RFC-3912); the server returns free-form text and closes the connection. To illustrate the simplicity of
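The port-43 exchange described above, as an added example that is not part of the paper: a minimal RFC-3912 client in Python that sends the query followed by CRLF and reads until the server closes the connection. The `FakeWhoisConnection` class and the reply text it returns are constructed so the exchange can be run offline; `whois_lookup` is the same logic over a real socket and needs network access. Note that, as the paper stresses later, the query crosses the network in cleartext.

```python
"""Minimal WHOIS client as specified in RFC 3912: open a TCP connection to
port 43, send the query followed by CRLF, read until the server closes the
connection.  A fake connection object stands in for the network so the
exchange can be exercised offline (constructed data, not real registration
records)."""
import socket

WHOIS_PORT = 43


def whois_request(query: str) -> bytes:
    """Encode a WHOIS query exactly as RFC 3912 requires: query text + CRLF."""
    if "\r" in query or "\n" in query:
        raise ValueError("WHOIS query must not contain line terminators")
    return query.encode("ascii") + b"\r\n"


def whois_exchange(conn, query: str) -> str:
    """Send one query over an open connection and read the whole reply.

    The protocol has no framing: the reply is free-form text and the server
    signals the end of it by closing the connection, so we read until EOF.
    """
    conn.sendall(whois_request(query))
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:  # empty read == peer closed the connection
            break
        chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def whois_lookup(server: str, query: str, timeout: float = 10.0) -> str:
    """Live lookup against a real WHOIS server on port 43 (needs network)."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as conn:
        return whois_exchange(conn, query)


class FakeWhoisConnection:
    """Stand-in for a socket: records what the client sent and replays a
    constructed, RFC-3912-style free-form reply (hypothetical data)."""

    CONSTRUCTED_REPLY = (
        b"Domain Name: EXAMPLE.TEST\r\n"
        b"Registrar: Example Registrar (constructed)\r\n"
        b"Creation Date: 2001-01-01T00:00:00Z\r\n"
        b"\r\n"
        b">>> Last update of whois database: 2017-07-01T00:00:00Z <<<\r\n"
    )

    def __init__(self):
        self.sent = b""
        self._buf = self.CONSTRUCTED_REPLY

    def sendall(self, data: bytes) -> None:
        self.sent += data

    def recv(self, n: int) -> bytes:
        chunk, self._buf = self._buf[:n], self._buf[n:]
        return chunk  # b"" once exhausted, i.e. the server closed the socket


def parse_whois_fields(reply: str) -> dict:
    """Best-effort 'Key: Value' extraction.  WHOIS output is unstandardised
    across servers, so treat this as a convenience, not an evidence parser."""
    fields = {}
    for line in reply.splitlines():
        if ":" in line and not line.startswith(">>>"):
            key, _, value = line.partition(":")
            fields.setdefault(key.strip(), value.strip())
    return fields


if __name__ == "__main__":
    conn = FakeWhoisConnection()
    reply = whois_exchange(conn, "example.test")
    print("client sent (cleartext on the wire):", conn.sent)
    print(parse_whois_fields(reply))
```

The free-form reply is the reason WHOIS tooling needs a different parser for almost every registry; the RDAP JSON responses discussed below remove that problem.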

Introduction to RDAP

The need for a successor to the WHOIS protocol was clear to the IETF, and the Registration Data Access Protocol, or RDAP, was put forward as the replacement. The WHOIS databases at different registries have been a valuable source of intelligence, evidence, and investigative information for many years. RDAP will continue to provide this information to digital forensic investigators, but with a number of improvements.

Authoritative sources and bootstrapping

An important concept in the field of digital forensics is finding authoritative sources of evidence. This can be difficult on the Internet where caching, proxying, relaying, web application front-ends, replication, and abstraction all distance the investigator from the original authoritative evidence source. Evidence is at risk of becoming stale, corrupted, modified, or partially deleted. RDAP helps facilitate the identification and use of authoritative sources. The ability to automatically

RDAP as a forensic evidence source

Several security considerations not found in traditional WHOIS are of interest in a digital forensic context.

The confidentiality of RDAP queries can be protected with TLS, which the RDAP RFCs specify as a security requirement. This restricts knowledge of operationally sensitive query activity to the investigator making the query and the RDAP server operator. WHOIS requests, by contrast, are unprotected and visible to anyone with access to the underlying network infrastructure. This is

RDAP tools and resources

As of this writing there are a handful of tools available for querying RDAP servers. Several of these tools, which a forensic investigator may find useful, are described in the following section. There are also resources available for finding more information about RDAP and for following the effort to replace the traditional WHOIS system.

RDAP query examples

Several practical examples of RDAP queries are shown here using different tools and methods. These are typical examples that digital forensic investigators can use to collect evidence, gather intelligence, or find other information about various RDAP objects. For each example the full RDAP query URL is shown, followed by the usage and output of a different tool.
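The bootstrapping mechanism from the "Authoritative sources and bootstrapping" section and the construction of full RDAP query URLs described here, as one added example that is not part of the paper or of any RDAP tool: IANA publishes bootstrap files in the RFC 7484 layout (ipv4.json, ipv6.json, asn.json, dns.json under https://data.iana.org/rdap/), each mapping a set of keys (CIDR prefixes, AS ranges or TLDs) to the base URLs of the authoritative RDAP server; the query URL is then base URL plus the RFC 7482 path segment (`/ip/`, `/autnum/`, `/domain/`). The three bootstrap documents below, the server names in them and the target values are constructed for illustration.

```python
"""Find the authoritative RDAP server for an IP address, AS number or domain
from bootstrap files in the RFC 7484 layout and build the RDAP query URL
(RFC 7482 path segments: /ip/, /autnum/, /domain/).  The bootstrap documents
below are constructed for illustration; the real ones are published by IANA
at https://data.iana.org/rdap/ (ipv4.json, ipv6.json, asn.json, dns.json)."""
import ipaddress
import json
from urllib.parse import quote

# Constructed bootstrap documents (not IANA data).  Each "services" entry is
# [ [keys...], [base URLs...] ]; keys are CIDR prefixes, "start-end" AS
# ranges, or TLDs depending on the file.
IPV4_BOOTSTRAP = json.loads("""{
  "version": "1.0", "publication": "2017-07-01T00:00:00Z",
  "description": "constructed example", "services": [
    [["192.0.2.0/24", "198.51.100.0/24"], ["https://rdap.rir-a.test/"]],
    [["192.0.0.0/8"], ["https://rdap.rir-b.test/"]]
  ]}""")
ASN_BOOTSTRAP = json.loads("""{
  "version": "1.0", "publication": "2017-07-01T00:00:00Z",
  "description": "constructed example", "services": [
    [["64496-64511"], ["https://rdap.rir-a.test/"]],
    [["65536-65551"], ["http://rdap.rir-b.test/", "https://rdap.rir-b.test/"]]
  ]}""")
DNS_BOOTSTRAP = json.loads("""{
  "version": "1.0", "publication": "2017-07-01T00:00:00Z",
  "description": "constructed example", "services": [
    [["test", "example"], ["https://rdap.registry.test/"]]
  ]}""")


def _https_only(urls):
    """Keep only https base URLs: RFC 7484 permits http entries, but for
    evidence collection the TLS-protected endpoint (RFC 7481) is wanted."""
    return [u for u in urls if u.lower().startswith("https://")] or None


def rdap_base_for_ip(bootstrap, address):
    """Most specific (longest) matching prefix wins, as RFC 7484 requires."""
    addr = ipaddress.ip_address(address)
    best_len, best_urls = -1, None
    for prefixes, urls in bootstrap["services"]:
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best_len, best_urls = net.prefixlen, urls
    return _https_only(best_urls) if best_urls else None


def rdap_base_for_asn(bootstrap, asn):
    """AS numbers are listed as inclusive "start-end" ranges (or one number)."""
    for ranges, urls in bootstrap["services"]:
        for rng in ranges:
            start, _, end = rng.partition("-")
            if int(start) <= asn <= int(end or start):
                return _https_only(urls)
    return None


def rdap_base_for_domain(bootstrap, name):
    """Match on the rightmost label (the TLD), case-insensitively."""
    tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
    for tlds, urls in bootstrap["services"]:
        if tld in (t.lower() for t in tlds):
            return _https_only(urls)
    return None


def rdap_query_url(base_urls, object_type, value):
    """Assemble <base>/<type>/<value>; the first https base URL is used."""
    if not base_urls:
        raise LookupError(f"no authoritative https RDAP server for {object_type} {value}")
    return f"{base_urls[0].rstrip('/')}/{object_type}/{quote(str(value), safe=':/')}"


def authoritative_rdap_url(target):
    """Classify the target by shape and return its authoritative RDAP query URL."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        pass
    else:
        return rdap_query_url(rdap_base_for_ip(IPV4_BOOTSTRAP, target), "ip", target)
    if target[:2].upper() == "AS" and target[2:].isdigit():
        asn = int(target[2:])
        return rdap_query_url(rdap_base_for_asn(ASN_BOOTSTRAP, asn), "autnum", asn)
    name = target.rstrip(".").lower()
    return rdap_query_url(rdap_base_for_domain(DNS_BOOTSTRAP, name), "domain", name)


if __name__ == "__main__":
    for t in ("192.0.2.10", "192.0.3.10", "AS65540", "Evidence.Example."):
        print(t, "->", authoritative_rdap_url(t))
```

Two practitioner details are deliberate: the longest-prefix rule means a /24 delegated to one registry beats the enclosing /8 of another, so a naive first-match lookup can send the investigator to a non-authoritative server; and filtering to https base URLs keeps the query on a TLS-protected channel even where a bootstrap entry also lists a plain http URL. Given the URL, an HTTPS GET with `Accept: application/rdap+json` returns the JSON object to be preserved as evidence.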

Conclusion

Knowledge of the RDAP protocol and infrastructure is important for digital forensic investigators. RDAP is intended to replace the traditional WHOIS system with a modern design, and offers a number of features which are useful in a forensic and investigative context. Of particular interest are the improved security of the protocol, the ease of automation and tool integration, and the ability to ensure use of authoritative data sources.

As of this writing, bootstrap files for the IPv4 and IPv6

Bruce Nikkel is the director of Cybercrime Intelligence & Forensic Investigation at UBS. He has worked for the bank's Security and Risk departments since 1997. Bruce also works part-time as a professor at the Bern University of Applied Sciences, teaching and researching digital forensics and investigative methods. He holds a PhD in network forensics and is the author of the book 'Practical Forensic Imaging'.

References (12)

  • Nikkel, B. Domain name forensics: a systematic approach to investigating an Internet presence. Digit. Investig. (December 2004)
  • IETF. A Survey of Advanced Usages of X.500 (July 1993)
  • IETF. Referral Whois Protocol (RWhois) (June 1997)
  • IETF. WHOIS Protocol Specification (September 2004)
  • IETF. Cross Registry Internet Service Protocol (CRISP) Requirements (February 2004)
  • IETF. IRIS: the Internet Registry Information Service (IRIS) Core Protocol (January 2005)
