Domain Theft Forensic Workflow

When a domain name is stolen or transferred without authorization, the damage can be immediate. Websites go offline, email stops working, and brand trust erodes. Bill Hartzer provides a structured forensic workflow for domain theft matters and serves as an expert witness in related litigation.

Key Questions in Domain Theft Cases

  • When did the domain transfer occur, and between which registrars?
  • Who controlled the registrar account and contact email address?
  • Were standard security measures (locks, 2FA, registry locks) in place?
  • Did any party ignore or override security warnings?
  • What steps were taken to recover or secure the domain?

Forensic Workflow Overview

  • Collecting WHOIS, RDAP, and historical ownership records
  • Reviewing registrar logs, email confirmations, and transfer notices (where available)
  • Mapping the path of the domain between registrars and accounts
  • Identifying gaps in security practices and account controls
  • Documenting the timeline in a format suitable for court

Bill’s workflow focuses on verifiable technical evidence. He explains the sequence of events, highlights critical decision points, and provides opinions about how industry-standard practices compare to what occurred in the specific case.
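As an added illustration of the record-collection and timeline steps listed above (not code from Bill Hartzer or this page), the following Python script merges the events reported in RDAP domain responses with changes observed between two captures of the same domain. The domain, registrar names, IANA IDs and dates are constructed sample data, and `snap`, `registrar_of` and `build_timeline` are hypothetical helper names.

```python
# Constructed RDAP domain objects (RFC 9083 field names) for a fictional domain,
# as captured on two dates. Registrar names and IANA IDs are invented.
def snap(registrar, iana_id, status, events):
    return {"ldhName": "example.test", "status": status,
            "events": [{"eventAction": a, "eventDate": d} for a, d in events],
            "entities": [{"roles": ["registrar"],
                          "publicIds": [{"type": "IANA Registrar ID", "identifier": iana_id}],
                          "vcardArray": ["vcard", [["fn", {}, "text", registrar]]]}]}

SNAPSHOTS = [
    ("2024-03-01T00:00:00Z", snap("Registrar A", "9991", ["client transfer prohibited"],
                                  [("registration", "2015-06-10T12:00:00Z")])),
    ("2024-03-20T00:00:00Z", snap("Registrar B", "9992", ["active"],
                                  [("registration", "2015-06-10T12:00:00Z"),
                                   ("transfer", "2024-03-14T02:17:00Z")])),
]

def registrar_of(rdap):
    """Return (name, IANA ID) of the entity holding the 'registrar' role."""
    for ent in rdap.get("entities", []):
        if "registrar" in ent.get("roles", []):
            name = next((p[3] for p in ent.get("vcardArray", [None, []])[1] if p[0] == "fn"), "?")
            iana = next((i["identifier"] for i in ent.get("publicIds", [])
                         if i.get("type") == "IANA Registrar ID"), "?")
            return name, iana
    return "?", "?"

def build_timeline(snapshots):
    """Merge RDAP-reported events with changes observed between captures.

    Assumes every timestamp is UTC in the same ISO 8601 form, so string order is time order.
    """
    rows, prev = set(), None  # a set drops events repeated across captures
    for captured, rdap in sorted(snapshots, key=lambda s: s[0]):
        for ev in rdap.get("events", []):
            rows.add((ev["eventDate"], "rdap-event", ev["eventAction"]))
        reg, locked = registrar_of(rdap), "client transfer prohibited" in rdap.get("status", [])
        if prev:
            if reg != prev[0]:
                rows.add((captured, "observed", f"registrar {prev[0][1]} -> {reg[1]} ({reg[0]})"))
            if prev[1] and not locked:
                rows.add((captured, "observed", "client transfer prohibited no longer set"))
        prev = (reg, locked)
    return sorted(rows)

if __name__ == "__main__":
    for when, source, what in build_timeline(SNAPSHOTS):
        print(f"{when}  {source:<10}  {what}")
```

Rows marked `observed` carry the capture date, which is only an upper bound on when the change happened; the `rdap-event` rows carry the date the registry itself reports.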