It has become necessary for cybersecurity professionals to use whatever means are available to them to detect and thwart ongoing and future attacks. To police the Web, cybersecurity analysts and law enforcement agencies often employ WHOIS data, among other sources, to build threat actor profiles. With the help of WHOIS information, finding out who owns a domain can provide invaluable clues for advancing investigations and can sometimes even lead to case resolution.
In 2018, however, the Internet Corporation for Assigned Names and Numbers (ICANN) issued a policy that requires registrars to comply with the General Data Protection Regulation (GDPR). That allowed domain registrants, particularly those from the European Union (EU), to anonymize their WHOIS information.
Unfortunately, cybercriminals can also abuse this sanctioned redaction to evade detection. This limitation has made digging into a domain’s past more critical when looking for clues. That’s why we have listed two useful products that can help users learn more about a domain’s WHOIS history and see what can be deduced from it.
WHOIS History Search is part of the Domain Research Suite (DRS). It is a Web-based service that lets users access a connected WHOIS database for their investigations. Its repository contains information on more than 7 billion historical WHOIS records for over 582 million domains spanning more than 2,864 top-level domains (TLDs). These records are the result of more than a decade of web crawling for useful data regarding domain registrations.
All users need on hand is the domain or IP address they are investigating. When queried, the tool gives them a list of all WHOIS records connected to it, arranged by update date from newest to oldest. Clicking a record shows the domain’s registration data at that point in time, including its owner, registrar, and their respective contact details. All reports are available for download in PDF format in case users need to submit them as evidence.
Users of WHOIS History Search who want to do more thorough research on or monitor specific details such as a domain or a registrant can also do so with the same DRS dashboard. They can use their DRS credits with the other tools included in the suite.
Investigators who encounter dead ends in their searches due to WHOIS data redaction can look at the last known owner of a domain and proceed from there. Or, if they are working with law enforcement agents, they can discover the domain’s registrar so the agents can do the necessary legwork to get to its owner.
WHOIS History API, meanwhile, works just like WHOIS History Search but delivers the data in a different form. Because it’s an API, users can integrate it into security orchestration, automation, and response (SOAR), security information and event management (SIEM), and other threat intelligence applications. It provides the same information that WHOIS History Search does, pulled from the same comprehensive database. Users can receive query results in JSON or XML format. A command-line utility is also provided for those who want to perform current and historic queries in a way similar to the traditional “whois” command.
To see a demonstration of how the tool works, visit its homepage and enter a domain name or an IP address into the search field. Users will see the same data they would from WHOIS History Search. A free subscription for the API, limited to 50 queries, is also available.
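The investigative step described above, walking a domain’s history newest to oldest until the last record whose registrant is not redacted, and noting where the registrar changed, can be automated once the records arrive as JSON. The following is an added example written for this article, not code from WhoisXML API or the Domain Research Suite: the record layout, field names (`updated`, `registrar`, `registrant`) and the five sample records are constructed for illustration and do not reflect the real API’s schema.

```python
"""Walk a domain's historical WHOIS records and recover the last owner
visible before redaction. Constructed example: the record layout and
field names below are assumptions for illustration, not the schema of
the WHOIS History API discussed in the article."""
from datetime import date
from typing import Optional

# Placeholder strings commonly seen where a registrant's details are redacted.
REDACTION_MARKERS = (
    "redacted for privacy",
    "data protected",
    "not disclosed",
    "gdpr masked",
)

# Constructed sample: five historical records for one domain, oldest to newest,
# as an investigator might receive them in JSON. Names and dates are made up.
SAMPLE_HISTORY = [
    {"updated": "2015-03-02", "registrar": "Registrar Alpha",
     "registrant": {"name": "Jane Example", "email": "jane@example.invalid"}},
    {"updated": "2016-03-01", "registrar": "Registrar Alpha",
     "registrant": {"name": "Jane Example", "email": "jane@example.invalid"}},
    {"updated": "2017-06-14", "registrar": "Registrar Beta",
     "registrant": {"name": "Example Holdings Ltd", "email": "ops@example.invalid"}},
    {"updated": "2018-05-25", "registrar": "Registrar Beta",
     "registrant": {"name": "REDACTED FOR PRIVACY", "email": "REDACTED FOR PRIVACY"}},
    {"updated": "2020-01-09", "registrar": "Registrar Beta",
     "registrant": {"name": "", "email": "Data Protected"}},
]


def is_redacted(value: Optional[str]) -> bool:
    """True if a contact field is empty or carries a known redaction placeholder."""
    if not value or not value.strip():
        return True
    lowered = value.lower()
    return any(marker in lowered for marker in REDACTION_MARKERS)


def newest_first(records):
    """Order records by update date, newest first, the way the history search
    presents them."""
    return sorted(records, key=lambda r: date.fromisoformat(r["updated"]), reverse=True)


def last_known_registrant(records):
    """Return the most recent record whose registrant details are not fully
    redacted, or None if every record in the history is masked."""
    for rec in newest_first(records):
        reg = rec["registrant"]
        if not (is_redacted(reg.get("name")) and is_redacted(reg.get("email"))):
            return rec
    return None


def registrar_changes(records):
    """List (date, registrar) pairs at each point the registrar changed, oldest
    first; the registrar on record is who law enforcement would approach when
    the registrant itself is masked."""
    changes = []
    previous = None
    for rec in sorted(records, key=lambda r: date.fromisoformat(r["updated"])):
        if rec["registrar"] != previous:
            changes.append((rec["updated"], rec["registrar"]))
            previous = rec["registrar"]
    return changes


if __name__ == "__main__":
    owner = last_known_registrant(SAMPLE_HISTORY)
    if owner is None:
        print("Every record in the history is redacted.")
    else:
        print("Last unredacted owner:", owner["registrant"]["name"], "as of", owner["updated"])
    for when, registrar in registrar_changes(SAMPLE_HISTORY):
        print(when, "->", registrar)
```

On the constructed sample the two newest records are masked, so the script falls back to the 2017 record and reports `Example Holdings Ltd` as the last visible owner, then prints the two registrar periods. Treating a record as redacted only when both name and e-mail are masked keeps partially redacted records, which still carry a lead.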
---
Domain history lookups reveal a lot about any domain or IP address. While privacy protection may limit the wealth of information on current WHOIS records, looking into the past with the help of tools such as WHOIS History API and WHOIS History Search can be an alternative way to obtain insights that lead to case resolution.