Law Enforcement & Cybercrime

Pivot from indicators to operators using WHOIS, registrar relationships, hosting providers, and historical infrastructure.

Updated May 2026

Law Enforcement & Cybercrime Documentation

You're building a documented infrastructure map for a criminal investigation. Every query here uses public data only.

Quick Triage

IP Attribution Chain

Trace a suspicious IP to its responsible network operator for legal process.

-- Full attribution: IP -> prefix -> ASN -> operator name
MATCH (ip:IPV4 {name: "185.220.101.1"})
      -[:ANNOUNCED_BY]->(ap:ANNOUNCED_PREFIX)
      -[:ROUTES]->(a:ASN)
RETURN ip.name AS ip, ap.name AS prefix, a.name AS asn

Sample output:

[{"ip": "185.220.101.1", "prefix": "185.220.101.0/24", "asn": "AS60729"}]

Tip: The ASN is the network that announces the prefix containing the IP, which is the operator you normally serve legal process on. Use CALL explain("ASXXXXX") with the ASN returned above to get the operator's name and country, which you'll need to identify the correct jurisdiction. Note that the announcing ASN is the routing origin, not necessarily the registrant of the address block: a hosting provider can announce space allocated to a customer, so confirm the prefix registrant in the RIR's WHOIS before naming a party.

Full Ownership Chain

Document all publicly available registration data for a suspicious domain.

-- Complete ownership record for a domain
MATCH (h:HOSTNAME {name: "cloudflare.com"})
OPTIONAL MATCH (h)-[:HAS_REGISTRAR]->(r:REGISTRAR)
OPTIONAL MATCH (h)-[:HAS_EMAIL]->(e:EMAIL)
OPTIONAL MATCH (h)-[:HAS_PHONE]->(p:PHONE)
OPTIONAL MATCH (h)-[:REGISTERED_BY]->(org:ORGANIZATION)
OPTIONAL MATCH (h)-[:PREV_REGISTRAR]->(pr:REGISTRAR)
RETURN h.name,
       collect(DISTINCT r.name) AS current_registrar,
       collect(DISTINCT pr.name) AS previous_registrars,
       collect(DISTINCT e.name) AS emails,
       collect(DISTINCT p.name) AS phones,
       collect(DISTINCT org.name) AS organizations

Sample output:

[{
  "h.name": "cloudflare.com",
  "current_registrar": ["iana:1910"],
  "previous_registrars": ["registrar:network solutions, llc.", "iana:1910", "iana:2"],
  "emails": ["domains@cloudflare.com", "noreply@data-protected.net"],
  "phones": ["+10000000000", "+16503198930"],
  "organizations": ["cloudflare hostmaster", "cloudflare,"]
}]

Tip: PREV_REGISTRAR gives the historical registrar chain, useful for documenting when a domain changed hands; as the sample shows, the current registrar can also appear in that list, and registrars are recorded both by IANA ID ("iana:1910") and by name. Phone numbers are in E.164 format when available. Treat values such as "noreply@data-protected.net" and "+10000000000" as privacy-proxy or redaction placeholders rather than real contacts: they identify the registrar's WHOIS privacy service, not the registrant.

Deep Dive Investigation

Pivot from a known suspicious domain to related infrastructure through shared registration attributes.

-- All domains registered with the same contact email
MATCH (h1:HOSTNAME {name: "cloudflare.com"})
      -[:HAS_EMAIL]->(e:EMAIL)
      <-[:HAS_EMAIL]-(h2:HOSTNAME)
WHERE h1 <> h2
RETURN h2.name AS related_domain, e.name AS contact_email LIMIT 20

Tip: Document the pivot chain clearly: "Domain A shares email address X with Domain B, as confirmed by WHOIS data captured [date]."
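The shared-email pivot above returns every co-registered domain, including thousands of unrelated ones when the "email" is a privacy-proxy placeholder. The following query is an added example, not one of the page's own recipes: it pivots on email, phone and registrant organization in one pass, excludes known placeholder values, and reports each attribute's fan-out so that high-fanout (proxy or bulk-registrar) contacts can be discarded before they are written up as evidence. It assumes standard Cypher syntax (`//` comments, `type()`, list slicing) on the labels and relationships shown on this page; the seed domain "example-suspicious.com", the placeholder list and the fan-out threshold of 50 are illustrative assumptions.

```cypher
// Added example (not from the original page): multi-attribute registration pivot with fan-out check.
// Seed domain, placeholder list and the threshold 50 are assumptions for illustration.
MATCH (h1:HOSTNAME {name: "example-suspicious.com"})
      -[rel:HAS_EMAIL|HAS_PHONE|REGISTERED_BY]->(attr)
// Skip WHOIS-privacy placeholders: they identify the proxy service, not the registrant.
WHERE NOT attr.name IN ["noreply@data-protected.net", "+10000000000"]
WITH h1, attr, type(rel) AS pivot_type
// Every other domain carrying the same contact attribute.
MATCH (attr)<-[:HAS_EMAIL|HAS_PHONE|REGISTERED_BY]-(h2:HOSTNAME)
WHERE h1 <> h2
WITH pivot_type,
     attr.name AS shared_value,
     count(DISTINCT h2) AS fan_out,
     collect(DISTINCT h2.name) AS related
// Large fan-out means a shared proxy or bulk contact; keep only attributes specific enough to attribute.
WHERE fan_out <= 50
RETURN pivot_type, shared_value, fan_out, related[0..20] AS related_domains
ORDER BY fan_out ASC
```

Record the fan_out alongside each pivot in the case notes: "shared by 3 domains" is a far stronger link than "shared by 40,000 domains", and a reviewer will ask.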

Document hyperlinks between domains for demonstrating operational connections.

-- Pages this domain links to
MATCH (h:HOSTNAME {name: "github.com"})-[:LINKS_TO]->(target:HOSTNAME)
RETURN target.name LIMIT 20

Sample output:

[
  {"target.name": "34c3ctf.ccc.ac"},
  {"target.name": "10xse.academy"},
  {"target.name": "01.ai"}
]

Tip: Web link data is crawl-based and reflects the web graph at the time of last indexing. Include the timestamp from CALL whisper.history() when citing graph data in legal documents.
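A registration pivot and a hyperlink are independent signals, and a relationship supported by both is much easier to defend than either alone. The query below is an added example, not part of the original page: for every domain that shares a contact email with the seed, it checks whether a LINKS_TO edge exists in either direction and ranks the results by how many corroborating signals they carry. It assumes standard Cypher (`//` comments, `IS NOT NULL`, `CASE`) over the HOSTNAME, EMAIL, HAS_EMAIL and LINKS_TO elements shown above; the seed domain "example-suspicious.com" is an illustrative assumption.

```cypher
// Added example (not from the original page): corroborate a shared-email pivot with web-link evidence.
// Seed domain is an assumption for illustration.
MATCH (h1:HOSTNAME {name: "example-suspicious.com"})
      -[:HAS_EMAIL]->(e:EMAIL)
      <-[:HAS_EMAIL]-(h2:HOSTNAME)
WHERE h1 <> h2
// Link edges are optional: absence of a link is not evidence against the pivot.
OPTIONAL MATCH (h1)-[out:LINKS_TO]->(h2)
OPTIONAL MATCH (h2)-[back:LINKS_TO]->(h1)
WITH h2, e,
     out IS NOT NULL AS seed_links_to_related,
     back IS NOT NULL AS related_links_to_seed
// Score: shared email counts 1, each link direction adds 1.
WITH h2, e, seed_links_to_related, related_links_to_seed,
     1 + (CASE WHEN seed_links_to_related THEN 1 ELSE 0 END)
       + (CASE WHEN related_links_to_seed THEN 1 ELSE 0 END) AS evidence_score
RETURN h2.name AS related_domain,
       e.name AS shared_email,
       seed_links_to_related,
       related_links_to_seed,
       evidence_score
ORDER BY evidence_score DESC, related_domain ASC
LIMIT 20
```

When writing up a result with evidence_score 3, cite both the WHOIS snapshot timestamp and the crawl timestamp, since the two sources were captured at different times.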

Historical Registration Evidence

Pull timestamped WHOIS history for evidentiary documentation.

-- Historical WHOIS snapshots with timestamps
CALL whisper.history("google.com")

Tip: Each row in the result includes a queryTime field showing when that WHOIS snapshot was captured. When citing this data as evidence, include the full snapshot timestamp and the source attribution.