Find a Person by Their Website Link
Best OSINT tools for website and domain investigations
When I was looking into the pig-butchering scam a few weeks ago, a website that was used to defraud victims was one of the biggest sources of information. A simple search showed me that the website was new, registered in Hong Kong, and had negative online reviews. OSINT tools for websites can also help uncover personal information, connections, and other critical data.
I will show a few examples of free open-source tools that can be used to look into websites, domains, and IPs. For full disclosure, I look at these tools from an investigator's perspective, and not a programmer’s.
WHOIS Lookups
The internet has hundreds of free services for checking who owns a website in a public database. Although a majority of domain sellers make the owner's information private, it’s still possible to find a lot of data, including historical records, especially for older domains.
Who.Is: a basic WHOIS lookup that also provides DNS records
Whoxy: a tool that helps to find who is the current owner of a domain, when it was registered, and shows historic records of ownership. It also does a reverse domain search via an owner or company name, email, or domain keywords.
DomainTools: this service provides similar information and also does IP searches
DNS Lookups
DNS records provide a lot of technical information that is not often used in investigations. For example, a DNS lookup can show a server name, which can be used in reverse lookups that show other websites hosted on the same server. It can help to see a network of websites that might belong to one person.
Osint.sh: a basic DNS Lookup
DNShistory: a DNS historical archive that helps to find previous servers and other similar information
DNSlyrics: a reverse name server lookup for searching additional domains
Reverse-NS: another name server lookup
Reversens: another reverse server lookup for domains
Domain Crawler: provides DNS data, website metadata, and used technologies
IP Lookups
IP information is useful for identifying possible locations and finding other websites hosted on the same address.
Who is mind: a basic IP lookup
IP History: historical IPs of the domain in question
Reverse IP: a service that shows other domains hosted on the same server
IP fingerprints: an IP location locator
Google Analytics
The analytics codes can help identify other websites that belong to the same owner. The code usually looks like UA-555555555-5 or G-HHHHH5HH5H. The fastest way to find the code is to click “View Page Source” and then search for gtag.js or analytics.js in the code. For older websites, the code can also be looked up on GA Checker.
Nerdy Data: a tool that helps to search if Google Analytics was used on other websites
Osint.sh: another tool for GA searches
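The manual page-source check described above can be scripted. The following is an added example, not code from the original article or from any of the tools listed: it extracts analytics codes from saved page source and reports which sites share one. The regular expressions are assumptions based on the two formats shown above, and the domains and HTML are constructed sample data.

```python
import re
from collections import defaultdict

# Patterns are assumptions based on the two formats shown above
# (UA-555555555-5 and G-HHHHH5HH5H).
UA_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")
GA4_RE = re.compile(r"\bG-[A-Z0-9]{8,12}\b")

# Constructed page sources for illustration (reserved .example domains).
SAMPLE_PAGES = {
    "shop-a.example": "<script src='https://www.google-analytics.com/analytics.js'></script>"
                      "<script>ga('create', 'UA-12345678-1', 'auto');</script>",
    "shop-b.example": "<script src='https://www.googletagmanager.com/gtag/js?id=G-ABCDE12345'></script>"
                      "<script>gtag('config', 'UA-12345678-3');</script>",
    "blog-c.example": "<script>gtag('config', 'G-ABCDE12345');</script>",
    "other-d.example": "<script>gtag('config', 'G-ZZZZZ99999');</script>",
}


def extract_ids(html):
    """Return the analytics IDs found in page source, normalised for comparison."""
    ids = set()
    for match in UA_RE.findall(html):
        # UA-<account>-<property>: the trailing number only distinguishes
        # properties inside one account, so compare on the account part.
        ids.add(match.rsplit("-", 1)[0])
    ids.update(GA4_RE.findall(html))
    return ids


def shared_ids(pages):
    """Map each analytics ID to the sites using it, keeping IDs seen on 2+ sites."""
    seen = defaultdict(set)
    for site, html in pages.items():
        for tracking_id in extract_ids(html):
            seen[tracking_id].add(site)
    return {tid: sorted(sites) for tid, sites in seen.items() if len(sites) > 1}


if __name__ == "__main__":
    for tracking_id, sites in sorted(shared_ids(SAMPLE_PAGES).items()):
        print(tracking_id, "->", ", ".join(sites))
```

A shared code is a lead, not proof of common ownership: agencies, site templates, and copied page source can all put the same code on unrelated sites.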
Email Search
People reuse their emails to register different domains. Some services help to find all domains that were created with one email.
Historical Records
Nothing helps to find more information than taking a peek at deleted and archived pages of websites and social media. Wayback Machine is one of the most important OSINT tools that are out there. Another way to find deleted or changed information is to check cached pages in Google search.