Federal Bid

Last Updated on 30 Jul 2019 at 8 AM
Sources Sought
Washington District of Columbia

Domain Analysis

Solicitation ID DJF-19-1600-PR-0003584
Posted Date 08 Jul 2019 at 4 PM
Archive Date 30 Jul 2019 at 5 AM
NAICS Category
Product Service Code
Set Aside No Set-Aside Used
Contracting Office FBI-JEH
Agency Department Of Justice
Location Washington District of Columbia United States 20535
The Department of Justice, Federal Bureau of Investigation has a requirement for Domain Tool Enterprise Licenses. The requirements are listed below. All industry representatives should submit responses to Carla Araujo and Chris Robbins; email addresses are specified in this notice. All capability briefs must be submitted electronically and be no more than 5 pages in length, total.

REQUIREMENTS
Whois/IP Lookup Tool Requirements

Ease of use and speed of returned results are important
Support for multiple different Regional Internet Registries, (e.g. not just RIPE NCC)
Historical whois queries and historical lookups/threat hunting (the first domain registered was in 1985)
API access for ease of use and automation is important. Ability to automate lookups/threat hunting/pivoting with Python scripts
Ability to visualize results for link analysis. The ability to quickly link domains through IP hosting history
Ability to save a group of queries into an investigation
Ability to provide Reverse whois reports
Ability to query DNS resolution info
Support for searching historical and active registration information, including date of registration and contact info - more specifically, lookups by registrant email address (current and historical) and archival screenshots of registration data (the first domain registered was in 1985)
Pivoting that allows for discovery of other unknown infrastructure being used by the adversary. Specific pivoting capabilities needed are: pivoting on domain names, subdomains, IPs, SSL certificates, email addresses, name servers, and unique web page hashes (e.g. login page for a custom C2 server control panel). Manual pivoting within an existing search is necessary, and support for automated pivoting would be a plus.
The service should provide GDPR-Protected Data where possible. Since GDPR was implemented the registrant data is largely not included on open WHOIS databases. Although there are different levels of access now, law enforcement organizations should be able to get access to the full record.
Ability to group searches by case/subject/interest/topic and save the returns in the case according to the date of your search.
Ability to provide "proactive" alerting (i.e. save queries and automatically be notified when new data matches)
Ability to trace user account usage. The service should provide the ability to trace how the analyst arrived at their answer.
The service should provide the ability to find commonalities between results/records
PassiveDNS should provide a full history with specific and accurate dates, including domain, IP address, first seen date (date the domain was first spotted on a specific IP address), last seen date (date the domain was last spotted on a specific IP address), and requestor info (IP, datetime) in order to identify associated victims or to identify adversary testing. Also helpful: some services have a "count" field, which is usually the number of lookups or queries that were counted/noticed between the first seen and last seen dates.
_______________________________________________________________________________________
Other Thoughts and Wishes....

No Corporate/Enterprise license to mitigate risks. In other words, remove FBI attribution. Covert/mis-attribution of the account that did the lookups, specifically, the IP address of the requestor is not associated with the domain searched in any way. An arrangement where logs don't get kept or possibly an internally-hosted or separately hosted service. Security of their database of account lookups. NOT list the customer as FBI, in case the service provider is compromised.
Important considerations for a tool are the size/time frame of its data sets, the query method (website or API), the update frequency, and whether the service provides a local copy of the data/db (so queries cannot be tracked by the service)
Provide a DomainTools IRIS-like capability to identify IPs and domains for parties involved in establishing complex infrastructure for a malware dropper

 

Bid Protests Not Available
