Certificate Transparency (CT) Logs
Location
Public CT log servers (crt.sh, Google Argon, Cloudflare Nimbus) or CT monitoring services (Censys, CertStream)
Description
Public append-only logs recording all TLS/SSL certificates issued by participating Certificate Authorities. Searchable by domain name, providing a complete issuance history for any domain with certificate details, validity period, and issuing CA.
Forensic Value
CT logs detect fraudulently issued certificates for organizational domains that could enable man-in-the-middle attacks. Monitoring CT logs proactively reveals when attackers obtain certificates for lookalike phishing domains (typosquatting) before attacks begin. During incident response, CT log searches identify all certificates issued for compromised domains, including wildcard certs that may have been issued to attacker-controlled infrastructure. Historical certificate issuance timelines help establish when attacker infrastructure was prepared.
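The triage described above, as an added example (not part of the original page): it builds an issuance timeline from CT search results and flags unexpected issuers, wildcard certificates and lookalike names. The records are constructed, their field names are assumed to follow crt.sh JSON output, and the monitored domain, expected CA and similarity threshold are hypothetical.

```python
import json
from datetime import datetime
from difflib import SequenceMatcher

# Constructed sample records (not real certificates). Field names are assumed
# to follow crt.sh JSON output: issuer_name, name_value, not_before.
SAMPLE = json.loads(r"""[
 {"issuer_name": "C=XX, O=Unknown CA, CN=Unknown CA X1",
  "name_value": "*.example.com", "not_before": "2024-03-02T08:15:00"},
 {"issuer_name": "C=US, O=Example Trusted CA, CN=Example Trusted CA R1",
  "name_value": "example.com\nwww.example.com", "not_before": "2024-01-10T00:00:00"},
 {"issuer_name": "C=US, O=Example Trusted CA, CN=Example Trusted CA R1",
  "name_value": "login.examp1e.com", "not_before": "2024-02-20T12:00:00"},
 {"issuer_name": "C=US, O=Example Trusted CA, CN=Example Trusted CA R1",
  "name_value": "shop.unrelated.test", "not_before": "2024-02-01T09:30:00"}
]""")

def base_domain(name):
    # Naive last-two-labels split; production code should use the Public Suffix List.
    name = name[2:] if name.startswith("*.") else name
    return ".".join(name.split(".")[-2:])

def issuer_org(issuer_name):
    # Naive DN parse, adequate for the constructed samples above.
    attrs = dict(part.split("=", 1) for part in issuer_name.split(", "))
    return attrs.get("O", issuer_name)

def triage(records, monitored, expected_orgs, threshold=0.8):
    """Return rows (not_before, name, issuer org, flags) in issuance order."""
    rows = []
    for rec in records:
        org = issuer_org(rec["issuer_name"])
        issued = datetime.fromisoformat(rec["not_before"])
        for name in rec["name_value"].lower().split("\n"):
            flags, base = set(), base_domain(name)
            if base == monitored:
                if org not in expected_orgs:
                    flags.add("unexpected-issuer")  # possible mis-issuance
                if name.startswith("*."):
                    flags.add("wildcard")           # covers every subdomain
            elif SequenceMatcher(None, base, monitored).ratio() >= threshold:
                flags.add("lookalike")              # typosquat candidate
            rows.append((issued, name, org, flags))
    return sorted(rows, key=lambda row: row[0])

if __name__ == "__main__":
    for issued, name, org, flags in triage(SAMPLE, "example.com", {"Example Trusted CA"}):
        print(issued.isoformat(), name, org, ",".join(sorted(flags)) or "-")
```

The same function can be pointed at live search results or a CertStream feed once the records are mapped to these three fields.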