Search Tip: Finding Historic WhoIs Data

The WhoIs system used to be a goldmine for OSINT investigators. It was usually possible to find out the address, phone number, and e-mail address of the person who owned or at least registered the website. However, the increasing use of privacy services by domain registrars, as well as GDPR, has drastically reduced the usefulness of the WhoIs service as an OSINT tool.

However, it is still possible to harness the power of the Wayback Machine to find historic WhoIs data from the days before privacy and GDPR were such a concern. By combining a URL from the Wayback Machine with a URL from who.is, it is possible to determine the correct URL to find historic WhoIs records.

In this example I’m going to look up WhoIs information for thomascook.com, the travel agent who recently went bankrupt. By way of a benchmark, here’s the current WhoIs information for the domain:

It doesn’t really give any information that would be much use if we wanted to use WhoIs to start researching the company. There’s a contact detail for Comlaude, who register domains for large companies, but little else that an open source investigator could use. There’s no need to give up at this point though: the Wayback Machine will help us turn the clock back to a time before domain registration privacy was such a concern.

The URL for WhoIs lookups from who.is always takes the format:

https://who.is/whois/example.com

And when entered into the Wayback Machine, the URL for searches of archived pages always takes the format:

https://web.archive.org/web/*/https://example.com

So by combining these two together, it is always possible to predict the URL to search for the historic WhoIs record for any given website. It will be:

https://web.archive.org/web/*/https://who.is/whois/example.com

So in this case when I want to search for the historic record for thomascook.com I use the URL:

https://web.archive.org/web/*/https://who.is/whois/thomascook.com

And sure enough, it brings back some old pre-GDPR results:

This is what the oldest archive WhoIs record looks like:

Using this technique brings back a real person’s name, a physical address, and a regular landline phone number – all excellent starting points for further exploration. Even though the person’s e-mail address is obscured, because we already know the domain, we can easily use a tool like Hunter.io to work out what their e-mail address most likely is. This is a much better result from WhoIs than if we’d just relied on the most recent registrar information.
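The URL construction above, and the step of picking the oldest capture from the Wayback listing, can be scripted. The following is an added example written for this post, not code from the original or from who.is or the Internet Archive. It builds the who.is and Wayback URLs from arbitrary user input (a full URL, mixed case, a leading www.), and it parses a listing in the layout returned by the Wayback Machine's CDX API (the programmatic equivalent of the `/web/*/` page) to find the earliest snapshot. The CDX response embedded here is constructed sample data, not real captures.

```python
"""Build Wayback Machine lookup URLs for historic who.is records and pick
the oldest archived snapshot from a CDX listing."""
import json
import re
from typing import Optional
from urllib.parse import quote, urlsplit

WAYBACK_WILDCARD = "https://web.archive.org/web/*/"
WAYBACK_SNAPSHOT = "https://web.archive.org/web/"
WHOIS_LOOKUP = "https://who.is/whois/"
# The CDX API returns the same captures the /web/*/ listing page shows.
CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"

# Hostname check: labels of 1-63 chars, no leading/trailing hyphen, total <= 253.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def normalize_domain(value: str) -> str:
    """Reduce user input (URL, host with path, mixed case) to a bare hostname,
    or raise ValueError if it is not a plausible domain name."""
    value = value.strip().lower()
    # urlsplit only recognises the host part when a scheme or '//' is present.
    host = urlsplit(value if "://" in value else "//" + value).hostname or ""
    if host.startswith("www."):
        host = host[4:]
    if not _DOMAIN_RE.match(host):
        raise ValueError(f"not a valid domain name: {value!r}")
    return host


def whois_url(domain: str) -> str:
    """who.is lookup URL for the domain."""
    return WHOIS_LOOKUP + normalize_domain(domain)


def wayback_listing_url(domain: str) -> str:
    """The combined URL the post derives: Wayback wildcard listing of the who.is page."""
    return WAYBACK_WILDCARD + whois_url(domain)


def cdx_query_url(domain: str) -> str:
    """CDX API query for successful (HTTP 200) captures of the who.is page."""
    target = quote(whois_url(domain), safe="")
    return (f"{CDX_ENDPOINT}?url={target}&output=json"
            "&fl=timestamp,original,statuscode&filter=statuscode:200")


def oldest_snapshot(cdx_json: str) -> Optional[str]:
    """From a CDX 'output=json' body (header row followed by data rows), return
    the direct URL of the earliest capture, or None if there are no captures."""
    rows = json.loads(cdx_json)
    if len(rows) < 2:
        return None
    header, data = rows[0], rows[1:]
    ts_idx, url_idx = header.index("timestamp"), header.index("original")
    # CDX timestamps are YYYYMMDDhhmmss strings, so string order is time order.
    earliest = min(data, key=lambda row: row[ts_idx])
    return f"{WAYBACK_SNAPSHOT}{earliest[ts_idx]}/{earliest[url_idx]}"


# Constructed sample CDX response (not real captures), in the API's json layout.
SAMPLE_CDX = json.dumps([
    ["timestamp", "original", "statuscode"],
    ["20150302114501", "https://who.is/whois/example.com", "200"],
    ["20120811093022", "https://who.is/whois/example.com", "200"],
    ["20191004171544", "https://who.is/whois/example.com", "200"],
])

if __name__ == "__main__":
    print(wayback_listing_url("HTTPS://www.ThomasCook.com/about"))
    print(cdx_query_url("thomascook.com"))
    print(oldest_snapshot(SAMPLE_CDX))
```

Feeding the CDX query URL to any HTTP client and passing the response body to `oldest_snapshot` yields the direct link to the earliest archived who.is page, which is the record the post inspects by hand.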
