Claim ID: 00007

The following claim is used to discredit some of the forensic work in the mercenary spyware space:

it’s impossible to analyse a domain that has expired

The claim is considered: FALSE

Why is it false?

Expired domains are not currently active and do not have the original content¹. However, this doesn’t mean that the domain historical content cannot be analysed. One of the ways in which historical records of a domain name can be accessed is through passive DNS². This tool has been an industry standard for over a decade. It would allow to see the historical IP addresses associated with the domain name, as well as other records. Such information can provide insights into the historical setup of a domain name. Some other tools, like VirusTotal, provide even more information, e.g. previous TLS certificates associated with a domain name³. All this combined means that there is a wealth of information from which a forensic investigation can infer what the domain was used for in a particular time in the past.

The statement is therefore false, as the domain does not have to be active in the moment when the investigation is performed.

Statement sources

The websites below repeat the claim. This is not a full list of websites.

• Gregorio Martín Quetglas, testimony to the PEGA Commission - link

Campaigns

The misinformation campaigns below have used this claim.

• Pegasus misinformation campaign.

Footnotes

1. What happens when my domain expires? ↩

2. What is Passive DNS? A beginner’s guide ↩

3. historical_ssl_certificates ↩