Digital Shadow

Who Owns a Domain?

Understanding the Role of a Domain Registrar

1. Domain Registrars


A registrar is an organisation authorised to sell and manage domain names on behalf of individuals or companies. When a person registers a domain, the registrar acts as the intermediary between the buyer and the global registry responsible for maintaining top-level domains such as .com or .org. The registrar records essential details, including who purchased the domain, when it was created, and which name servers it uses.


For investigators, the registrar is often the first administrative point of contact in a domain’s lifecycle. Repeated use of the same registrar across multiple suspicious domains, or registration through providers based in low-compliance jurisdictions, can expose operational habits, geographic links, and the level of anonymity the operator is attempting to maintain.


When a domain is registered, the registrar collects a range of identifying and operational data. This typically includes the registrant’s name, date of birth (if required), postal address, phone number, and email address. Technical logs often record the IP address used to create the account, along with timestamped login IPs for later access to manage domains or services. Registrars also retain financial records linked to purchases or renewals, covering both conventional payment methods such as card, bank transfer, or PayPal, and more privacy-orientated options such as cryptocurrency.


While some registration details appear in public records, the majority of this data is held internally and accessible only through lawful requests. For investigators with appropriate authority, registrar records can provide a direct link between a domain and its controlling entity, revealing both the human and technical footprint behind a web presence.



2. Identifying the Registrar


WHOIS is the public registry service that records key details about domain ownership and management. Every time a domain is registered, the registrar submits information into the WHOIS system, including the domain’s creation and expiry dates, the registrar name, the name servers in use, and often contact details for the registrant. That database is publicly searchable by anyone, making it the natural first step when you want to know who is responsible for a domain.


Many registrars offer privacy protection for a fee. When privacy protection is enabled, the public WHOIS entry does not show the real owner. Instead it lists the details of the privacy service or proxy. These privacy companies act as a buffer: they accept registration contact details on behalf of the true registrant, forward necessary messages, and replace personal data in the public record. That protects legitimate users from spam and harassment, but it also provides concealment that can be abused by malicious operators.


Even when a domain uses privacy protection, you can usually still identify the registrar. The public WHOIS typically still contains the registrar name and the registrar abuse contact. Those values tell you where the domain was purchased and who to contact for abuse or preservation requests. In practice the registrar is the administrative gatekeeper and often retains the full, unredacted registration record internally.


Below are practical ways to query WHOIS, capture results, and preserve them for evidence. The steps are written for Windows users and use digitalshadow.org as the example domain.


How to query WHOIS using the web


  1. Open your browser and go to https://www.whois.com/whois or another domain search tool.
  2. Enter the domain name digitalshadow.org into the search field and submit the query.
  3. The page will return the WHOIS record. Note the registrar field and any name server entries. If the contact details are redacted behind a privacy service, the privacy service name will usually be visible in the registrant fields.
  4. Save a copy of the WHOIS page, or use the browser's Save As function, to preserve a dated snapshot. Record the URL and the time of the lookup in your case notes.

     

How to set up WHOIS on Windows and run a command line lookup


  1. Open Command Prompt as an administrator. Press Start, type cmd, right click Command Prompt, and choose Run as administrator.
  2. If you do not have a whois utility installed, use the Windows package manager to install one. In Command Prompt type: 'winget install Microsoft.Sysinternals.Whois'. You will be asked to accept the terms of use. Type 'Y' and press Enter.
  3. Once installed, verify it by typing: 'whois -h'
  4. To perform a lookup for digitalshadow.org, type: 'whois digitalshadow.org'
  5. The output will list the registrar, creation and expiry dates, name servers, and any available contact information.
  6. To save a copy of the result to a text file, redirect the whois output from the console to a file by typing: 'whois digitalshadow.org > digitalshadow_whois.txt'
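The lookup steps above produce a raw text record; the part an investigator does next is pick out the registrar, abuse contact, dates and name servers, notice when a privacy proxy is fronting the registrant, and preserve the capture so it can later be shown unchanged. The following Python script is an added example and is not code from the Digital Shadow page. It sends a raw port-43 WHOIS query (the same protocol the command-line tool uses), parses the key: value response, flags privacy-protected registrant fields, and produces an evidence record with a UTC timestamp and a SHA-256 hash of the raw text. The sample record embedded in the script is constructed to resemble a privacy-protected .org registration; the registrar, hosts and identifiers in it are placeholders, not real lookup results. The default WHOIS server (whois.pir.org, the .org registry) and the list of privacy-marker words are assumptions.

```python
"""Raw WHOIS lookup, field extraction and evidence preservation.

Added example, not code from the Digital Shadow page. SAMPLE_RECORD is a
constructed record: every host, contact and identifier in it is a placeholder.
"""
import hashlib
import json
import re
import socket
from datetime import datetime, timezone

# Constructed sample response in the usual "Key: Value" WHOIS layout.
SAMPLE_RECORD = """\
Domain Name: digitalshadow.org
Registry Domain ID: PLACEHOLDER-ID
Registrar WHOIS Server: whois.example-registrar.test
Registrar URL: http://www.example-registrar.test
Updated Date: 2025-01-15T09:12:44Z
Creation Date: 2019-06-02T14:03:10Z
Registry Expiry Date: 2026-06-02T14:03:10Z
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@example-registrar.test
Registrar Abuse Contact Phone: +1.5555550100
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Proxy Services Ltd
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS2.EXAMPLE-DNS.TEST
>>> Last update of WHOIS database: 2025-03-01T00:00:00Z <<<
"""

# Words that commonly appear in registrant fields when a proxy service
# replaces the real owner's details (assumed list; extend as you see fit).
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "withheld", "not disclosed")


def query_whois(domain, server="whois.pir.org", timeout=10):
    """Send a raw WHOIS query over TCP port 43 and return the response text.

    Needs network access, so it is not exercised offline. whois.pir.org is
    assumed here as the .org registry server; other TLDs use other servers.
    """
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Collect 'Key: Value' lines into a dict of lower-cased key -> list of values.

    Repeated keys such as 'Name Server' keep every value; the non-greedy key
    match stops at the first colon so timestamps and URLs survive intact.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]+?):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        fields.setdefault(key, []).append(value)
    return fields


def summarise(fields):
    """Pull out what an investigator notes first from a parsed record."""

    def first(key):
        return fields.get(key, [None])[0]

    registrant = " ".join(fields.get("registrant name", [])
                          + fields.get("registrant organization", [])).lower()
    return {
        "domain": first("domain name"),
        "registrar": first("registrar"),
        "abuse_email": first("registrar abuse contact email"),
        "created": first("creation date"),
        "expires": first("registry expiry date"),
        "name_servers": [ns.lower() for ns in fields.get("name server", [])],
        "privacy_protected": any(mark in registrant for mark in PRIVACY_MARKERS),
    }


def evidence_record(raw_text, summary, captured=None):
    """Build the sidecar an investigator keeps next to the raw capture:
    UTC capture time, SHA-256 of the exact bytes saved, and the summary."""
    captured = captured or datetime.now(timezone.utc)
    return {
        "captured_utc": captured.isoformat(),
        "sha256": hashlib.sha256(raw_text.encode("utf-8")).hexdigest(),
        "summary": summary,
    }


def save_capture(raw_text, summary, path):
    """Write the raw record and its JSON sidecar; returns the SHA-256 digest."""
    record = evidence_record(raw_text, summary)
    with open(path, "w", encoding="utf-8", newline="\n") as f:
        f.write(raw_text)
    with open(path + ".json", "w", encoding="utf-8") as f:
        json.dump(record, f, indent=2)
    return record["sha256"]


if __name__ == "__main__":
    import sys
    # With a domain argument a live query is made; without one the
    # constructed sample is used so the script runs offline.
    raw = query_whois(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORD
    print(json.dumps(evidence_record(raw, summarise(parse_whois(raw))), indent=2))
```

Hashing the raw text at capture time, rather than the parsed summary, is deliberate: the summary is your interpretation, while the raw record is the evidence, and the digest lets you show the saved file is the same one the timestamp refers to. Privacy detection here is a keyword heuristic over the registrant fields, which is exactly the signal described above (the proxy's name appearing where the owner's would), so treat a positive as a prompt to look at the registrar and abuse contact rather than as proof of anything about the operator.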


Understanding how to perform a WHOIS lookup is only half the process. The true value lies in knowing how to interpret what the response reveals. Each field within a WHOIS record, whether a registrar name, creation date, or name server, can point to ownership, intent, or hidden infrastructure. Being able to recognise patterns across these entries is what turns a simple lookup into meaningful intelligence. In our next article, we will break down the WHOIS response in detail, explaining what each field means, how to read it effectively, and how investigators can use this data to uncover the story behind any domain.

Copyright © 2025 Digital Shadow - All Rights Reserved.
