How does archived WHOIS and contact page scraping reveal hidden ownership data?
Domain owners frequently update or remove contact information from their websites — switching to privacy-protected WHOIS records, replacing personal emails with generic addresses, or removing team pages entirely. However, the Internet Archive's Wayback Machine preserves historical snapshots of these pages going back decades. Max Intel's WHOIS History tool leverages the Wayback Machine CDX API to discover every archived version of contact, about, team, legal, imprint, and privacy pages for a target domain, then scrapes each snapshot to extract personally identifiable information (PII) using pattern-matched extraction across seven data categories. According to the OWASP Testing Guide v4.2, historical WHOIS and contact data analysis is a recommended passive reconnaissance technique that reveals infrastructure ownership patterns invisible in current records.
What types of intelligence are extracted from archived pages?
The tool extracts seven categories of structured data from raw HTML: email addresses (filtered to exclude asset URLs, noreply addresses, and common false positives), phone numbers in US and international formats (7–15 digit validation), person names from Schema.org Person markup, vCard/hCard classes, meta author tags, mailto display text, and byline patterns. Physical addresses are matched using US/UK/CA street type recognition (Street, Avenue, Boulevard, and 20+ variants). Social profiles are detected across 10 platforms including Twitter/X, LinkedIn, Facebook, Instagram, and GitHub. Organization names are identified by matching 30+ business entity suffixes (Inc, LLC, Ltd, GmbH, AG, SA, and more). Technical identifiers include Google Analytics UA/G-IDs, GTM container IDs, Stripe live keys, AWS access keys, and GitHub personal access tokens — all of which can reveal infrastructure relationships and organizational connections as documented by SANS Institute digital forensics methodology.
How does the two-phase discovery and extraction process work?
Phase 1 queries the Wayback Machine CDX API for all archived snapshots of known contact-related URL paths (contact, about, team, legal, imprint, privacy, terms, support, and user-defined paths) plus wildcard pattern searches. It deduplicates URLs and selects an evenly-spaced sample across the full time range to maximize temporal coverage within the configured snapshot limit. Phase 2 fetches each archived snapshot using the id_ URL modifier (which returns raw HTML without the Wayback toolbar) and applies regex extraction patterns to both the raw HTML (for social URLs and structured markup) and cleaned plaintext (for emails, phones, addresses, and organizations). Findings are merged by type and normalized value, tracking first-seen and last-seen dates plus source page URLs to build a comprehensive ownership timeline. The Internet Archive CDX API documentation specifies the collapse parameter used to deduplicate snapshots by month, ensuring efficient coverage across long time periods.
- WHOIS History
- A record of historical domain registration data including registrant names, email addresses, phone numbers, and organization details that have changed over time, revealing past ownership and contact patterns no longer visible in current WHOIS records.
- Wayback Machine CDX API
- A programmatic interface to the Internet Archive's URL index, enabling queries for all archived snapshots of a URL with filtering by status code, timestamp, and MIME type. The CDX API returns structured data about when and how each URL was archived.
- Passive Reconnaissance
- An intelligence-gathering methodology that collects information about a target without directly interacting with the target's live systems — relying instead on publicly available sources such as search engines, archives, certificate logs, and DNS records.
- Entity Extraction
- The process of identifying and classifying structured data (names, emails, phone numbers, organizations, addresses) from unstructured text or HTML using pattern matching, regular expressions, and contextual analysis of document structure.