Dark web Forensics
The web has three layers: the surface web, the deep web, and the dark web. While the surface web and deep web are used for legitimate purposes, the dark web is mostly used by cyber criminals to perpetrate nefarious/antisocial activities. Access to the dark web requires the Tor browser, which gives users a high level of anonymity through a complex mechanism, thereby allowing criminals to hide their identities. This module outlines the fundamentals of dark web forensics, describes the working of the Tor browser, and discusses the steps to perform a forensic investigation of the Tor browser.
Understanding the dark web
1. Surface Web: the visible part of the web, containing content that can be accessed by search engines such as Google and Yahoo.
2. Deep Web: content that can only be accessed by an authorized user having a valid username, password, etc. It includes legal documents, financial records, government reports, and subscription information.
3. Dark Web: an invisible or hidden part of the web that requires specific web browsers, such as the Tor browser, to access; such browsers protect the anonymity of their users.
Tor, Illegal Information, Silk Road
Dark Web Search Engines:
Torch, DuckDuckGo, The Hidden Wiki, Ahmia, Haystak, Not Evil, Candle, Dark Search, Kilos
Working of the Tor Browser
The Tor browser is based on Mozilla’s Firefox web browser and works on the concept of onion routing. In onion routing, the traffic is encrypted and passed through different relays present in the Tor circuit. This multi-layered encrypted connection makes the user's identity anonymous.
The Tor browser provides access to .onion websites available on the dark web.
Tor’s hidden service protocol allows users to host websites anonymously with a .BIT domain; these websites can only be accessed by users on the Tor network.

Tor Bridge Node
The Tor relay nodes are publicly listed in the Tor directory, but bridge nodes are different from relay nodes.
Bridge nodes act as a proxy to the Tor network, meaning that they follow different configuration settings to forward the traffic to the entry node.
This makes it difficult for organizations or governments to censor the usage of Tor, since bridge nodes are not listed in the public directory of Tor nodes.

Dark Web Forensics
Dark web forensics involves the identification and investigation of illicit activities performed on the dark web by attackers/malicious users.
To investigate malicious activities performed using the Tor browser, the investigator should obtain memory dumps from the suspect machine and examine them to extract valuable information such as websites browsed, emails accessed, etc.
Identifying Tor Browser Artifacts: Command Prompt
When the Tor browser is installed on a Windows machine, it uses ports 57722/9151 for establishing connections via Tor nodes.
When investigators check the active network connections on the machine with the command netstat -ano, they can identify whether Tor was used on the machine.
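The check described above, as an added example that is not part of the original module: a small parser for `netstat -ano` output that identifies the process owning the local Tor ports and then lists that process's other connections, including its outbound connection to a remote relay. The sample output is constructed, not captured from a real host. The module names ports 57722/9151; the parser keys on 9150 and 9151 (the SOCKS and control ports the Tor Browser bundle listens on by default), and 57722 appears in the sample only as the browser's ephemeral client-side port.

```python
import re

# Loopback ports the bundled tor.exe listens on (SOCKS = 9150, control = 9151).
TOR_PORTS = {9150, 9151}

# Constructed sample of `netstat -ano` output (invented PIDs and addresses).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:9150         0.0.0.0:0              LISTENING       4812
  TCP    127.0.0.1:9151         0.0.0.0:0              LISTENING       4812
  TCP    127.0.0.1:57722        127.0.0.1:9150         ESTABLISHED     5120
  TCP    127.0.0.1:9150         127.0.0.1:57722        ESTABLISHED     4812
  TCP    192.168.1.20:57731     203.0.113.45:443       ESTABLISHED     4812
  TCP    192.168.1.20:57740     198.51.100.7:443       ESTABLISHED     3304
  UDP    0.0.0.0:5353           *:*                                    1788
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4 or [IPv6]) into (addr, port or None for '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": split_endpoint(local),
                     "foreign": split_endpoint(foreign),
                     "state": state or "", "pid": int(pid)})
    return rows


def find_tor_indicators(rows):
    """Return (tor_pids, findings).

    tor_pids: PIDs that own or talk to a Tor loopback port (tor.exe and its
    SOCKS client, normally firefox.exe). findings: every row belonging to
    those PIDs, classified so the relay the daemon connects to stands out.
    """
    tor_pids = {r["pid"] for r in rows
                if r["local"][1] in TOR_PORTS or r["foreign"][1] in TOR_PORTS}
    findings = []
    for r in rows:
        if r["pid"] not in tor_pids:
            continue
        local_host, local_port = r["local"]
        foreign_host, foreign_port = r["foreign"]
        if r["state"] == "LISTENING" and local_port in TOR_PORTS:
            kind = "tor-listener"     # tor.exe's SOCKS/control socket
        elif local_port in TOR_PORTS:
            kind = "tor-accepted"     # tor.exe side of a local SOCKS session
        elif foreign_port in TOR_PORTS:
            kind = "client-of-tor"    # browser process talking to the SOCKS port
        elif foreign_host not in ("127.0.0.1", "::1", "*"):
            kind = "tor-outbound"     # candidate entry guard / bridge address
        else:
            kind = "other"
        findings.append((kind, r["pid"], f"{local_host}:{local_port}",
                         f"{foreign_host}:{foreign_port}"))
    return tor_pids, findings


def guard_candidates(findings):
    """Remote endpoints the Tor process itself connects to (worth preserving)."""
    return [foreign for kind, _, _, foreign in findings if kind == "tor-outbound"]


if __name__ == "__main__":
    pids, hits = find_tor_indicators(parse_netstat(SAMPLE_NETSTAT))
    print("Tor-related PIDs:", sorted(pids))
    for hit in hits:
        print(*hit)
    print("Relay candidates:", guard_candidates(hits))
```

On a live machine, pipe the real output in (`netstat -ano > netstat.txt`) and pair the PIDs with `tasklist` to confirm the process names; the remote endpoint of the `tor-outbound` row is the guard or bridge the client used and belongs in the evidence record before the circuit is torn down.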

Identifying Tor Browser Artifacts: Windows Registry
When the Tor browser is installed on a Windows machine, user activity is recorded in the Windows Registry.
Forensic investigators can obtain the path from which the Tor browser was executed from the following Registry key:
Computer\HKEY_USERS\S-1-5-21-3120115095-3236523142-1472636409-1001\SOFTWARE\Mozilla\Firefox\Launcher

Identifying Tor Browser Artifacts: Windows Registry (Cont’d)
Extract the last execution date and time of the Tor browser:
On a suspect machine, the investigator analyzes the ‘State’ file located in the path where the Tor browser was executed.
The State file is located in the following directory of the Tor browser folder:
\Tor Browser\Browser\TorBrowser\Data\Tor\
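How the State file yields the last-run time, as an added example that is not part of the original module. The Tor daemon rewrites its State file on exit and records the write time in a `LastWritten` line, a `TorVersion` line, and one `Guard` line per sampled entry guard with the date the guard was first chosen. The sample file contents below are constructed (invented guard fingerprint, nickname and dates); the directory layout assumed by `state_file_path` follows the path given above.

```python
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample of a Tor Browser 'State' file; every value is invented.
SAMPLE_STATE = """\
# Tor state file last generated on 2023-03-14 09:26:53 local time
# Other times below are in UTC
# You *do not* need to edit this file.

Guard in=default rsa_id=0123456789ABCDEF0123456789ABCDEF01234567 nickname=ExampleGuard sampled_on=2023-02-01T18:02:11 sampled_by=0.4.7.13 listed=1 confirmed_on=2023-02-02T07:40:55 confirmed_idx=0 pb_use_attempts=12.000000 pb_use_successes=12.000000
LastWritten 2023-03-14 09:26:53
TorVersion Tor 0.4.7.13 (git-9e9d1e3aa0f3bd7e)
"""


def state_file_path(tor_browser_root):
    """Location of the State file under an installed Tor Browser folder."""
    return Path(tor_browser_root) / "Browser" / "TorBrowser" / "Data" / "Tor" / "state"


def parse_tor_state(text):
    """Parse the key/value lines of a State file into a dict.

    Comment lines are skipped. 'Guard' lines are split into their own
    key=value fields so sampled_on/confirmed_on can be read directly.
    """
    info = {"guards": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "LastWritten":
            # Written in UTC by tor; attach the zone so later comparisons are safe.
            info["last_written_utc"] = datetime.strptime(
                value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        elif key == "TorVersion":
            info["tor_version"] = value
        elif key == "Guard":
            info["guards"].append(dict(kv.split("=", 1) for kv in value.split()))
    return info


def last_execution_utc(info):
    """ISO 8601 timestamp of the last time tor wrote its state (i.e. last ran)."""
    return info["last_written_utc"].isoformat()


def earliest_guard_sample(info):
    """Earliest sampled_on date across guards: a lower bound on first Tor use."""
    dates = [g["sampled_on"] for g in info["guards"] if "sampled_on" in g]
    return min(dates) if dates else None


def analyze_state_file(path):
    """Read a State file from disk and return the parsed summary."""
    return parse_tor_state(Path(path).read_text(encoding="utf-8"))


if __name__ == "__main__":
    info = parse_tor_state(SAMPLE_STATE)
    print("Last execution (UTC):", last_execution_utc(info))
    print("Tor version:", info.get("tor_version"))
    print("Earliest guard sampled:", earliest_guard_sample(info))
```

The `LastWritten` value is in UTC while the first comment line is in the machine's local time; comparing the two against the system's time-zone setting is a quick consistency check before the timestamp goes into the timeline.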

Identifying Tor Browser Artifacts: Prefetch Files
When the Tor browser has been uninstalled from a machine, or installed in a location other than the desktop (on Windows), it is difficult for investigators to know whether it was used or where it was installed.
Examining the prefetch files helps investigators obtain this information. The prefetch files are located in the directory C:\WINDOWS\Prefetch on a Windows machine. Using tools such as WinPrefetchView, investigators can obtain metadata related to the browser, which includes:
1. Browser created timestamps
2. Browser last run timestamps
3. Number of times the browser was executed
4. Tor browser execution directory
5. Filename

Dark Web Forensics Challenges
High level of anonymity
The dark web allows perpetrators to carry out illegal activities by hiding their identity.
Encrypted networks
Tracing the physical location of the perpetrators is difficult.
Limited number of traces
When the Tor browser has been uninstalled from a suspect machine, the investigator is left with a limited number of artifacts, which makes the investigation process difficult.
Legal jurisdiction issues
The criminal activities on the dark web occur irrespective of the jurisdiction, posing legal jurisdiction issues to investigators and law enforcement agencies.
Tor Browser Forensics: Memory Acquisition
RAM contains volatile information pertaining to various processes and applications running on a system
Examining RAM dumps can provide deep insights regarding the actions that occurred on the system
Forensic investigators can examine these dumps in an attempt to extract various Tor browser artifacts that help in reconstructing the incident
The results obtained by examining these artifacts differ based on the state of the browser when the dump was taken:

A memory dump taken while the browser is open yields the most artifacts, while a dump taken after the browser has been uninstalled yields the fewest.
Memory dumps taken while the browser is closed contain most of the information found in dumps collected while the browser is open.
Collecting and Analyzing Memory Dumps
Investigators need to acquire a memory dump of the suspect machine to begin the forensic examination
Tools such as Belkasoft LIVE RAM Capturer and FTK Imager can help capture RAM
The memory dump collected from the suspect machine not only contains artifacts related to the browser, but also all the activities that occurred on it.

Memory Dump Analysis: Bulk Extractor
The memory dump acquired from the machine must be examined on the forensic workstation to discover artifacts that may be helpful during the investigation.
Tools such as Bulk Extractor help in processing these dumps and provide useful information such as the URLs browsed, email IDs used, and personally identifiable information entered into websites.
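What a bulk-extraction pass over a memory image is doing, as an added example that is not part of the original module and not Bulk Extractor's own code: a minimal carver that scans a raw buffer for .onion URLs and e-mail addresses in both ASCII and UTF-16LE (Firefox-based browsers keep many of their strings in memory as UTF-16), reporting the byte offset and encoding of each hit. The memory buffer is constructed inline; the facebook and Hidden Wiki addresses in it are the ones listed later on this page, and the e-mail addresses are invented.

```python
import re

# .onion host: optional scheme and subdomains, a 16-char (v2) or 56-char (v3)
# base32 label, then an optional path. Lookbehind stops matches mid-label.
ONION_RE = re.compile(
    r"(?<![a-z2-7])(?:https?://)?(?:[a-z0-9-]+\.)*(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion(?:/[!-~]*)?")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Printable runs of at least 8 characters, in ASCII and in UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# Constructed memory fragment: mixed binary noise, ASCII and UTF-16LE strings.
SAMPLE_DUMP = (
    b"\x00\x00MOZ_CRASHREPORTER\x00"
    + b"http://zqktlwi4fecvo6ri.onion/wiki/index.php/Main_Page\x00\x00"
    + bytes(8)
    + "https://www.facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion/".encode("utf-16-le")
    + b"\x00\x00\x7f\x10"
    + "suspect.alias@proton.example".encode("utf-16-le")
    + b"\x00\x00"
    + b"\x90\x90\x90notanonion.onionx\x00"      # too short to be an onion label
    + b"From: contact@example.org\r\n"
)


def _scan(buf, run_re, encoding, width):
    """Yield (offset, kind, encoding, value) for every pattern hit in one encoding."""
    for run in run_re.finditer(buf):
        text = run.group().decode(encoding)
        for kind, pattern in (("onion", ONION_RE), ("email", EMAIL_RE)):
            for m in pattern.finditer(text):
                # Offset in the buffer: run start plus the character index scaled
                # by the byte width of the encoding.
                yield (run.start() + width * m.start(), kind, encoding, m.group())


def carve(buf):
    """Carve .onion URLs and e-mail addresses from a raw buffer, sorted by offset."""
    hits = list(_scan(buf, ASCII_RUN, "ascii", 1))
    hits += list(_scan(buf, UTF16_RUN, "utf-16le", 2))
    return sorted(set(hits))


def carve_file(path, chunk=64 * 1024 * 1024, overlap=4096):
    """Carve a memory image from disk in chunks, keeping an overlap so strings
    straddling a chunk boundary are not lost (duplicates are removed)."""
    hits, base = [], 0
    with open(path, "rb") as f:
        prev = b""
        while True:
            data = f.read(chunk)
            if not data:
                break
            window = prev + data
            hits += [(base - len(prev) + off, k, e, v) for off, k, e, v in carve(window)]
            prev = window[-overlap:]
            base += len(data)
    return sorted(set(hits))


if __name__ == "__main__":
    for offset, kind, encoding, value in carve(SAMPLE_DUMP):
        print(f"0x{offset:08x}  {kind:5}  {encoding:8}  {value}")
```

The encoding column matters in practice: a URL recovered only as UTF-16LE came from the browser's own heap or a text field, while an ASCII copy is more likely network-buffer or cache residue, which helps decide which process and which timeframe the artifact belongs to.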

TOR Market OSINT Framework
Dark Web Search Engines: Torch, DuckDuckGo, The Hidden Wiki, Ahmia, Haystak, Not Evil, Candle, Dark Search, Kilos
Dark Web Email Providers: Proton Mail, Bitmessage, etc.
Dark Web Chat Rooms: Cryptodog, Daniel’s Chat Room, etc.
Dark Web Markets: Dream Market, Bana Market, Silk Road, etc.
Galaxy3, Facebook, DarkDir, etc.
The Hidden Wiki
This is a fantastic site to visit if you’re really new to the Dark Web. Much like the real Wikipedia, The Hidden Wiki has tons of information and links you can jump through to really get to know the Dark Web. It is one of the stalwarts among .onions and doubtless will remain so for many years to come.
onion link: http://zqktlwi4fecvo6ri.onion/
Onion Site Link: https://thehiddenwiki.com/


Dream Market
Now that you have a way to sign up for things (anonymous email) and to pay for them (anonymous Bitcoin), wander over to Dream Market and browse the goods. This is one of the smaller .onion marketplaces, and that’s probably why it is still in operation. The FBI has been conducting sweeps across the Dark Web to stamp out illegal trade, and many famous marketplaces such as Silk Road have been stamped out.
onion link: http://bananadw6brvgj3bx2pmnfwtevpmvbqycjvhhr26hj3advsg4dum7iad.onion/


The Hidden Wallet
Knowing that there are tons of things you can buy here, you’ll probably realize you have to pay for them as well. This site is sort of like a digital wallet and allows you to transact in Bitcoins. The big difference, though, is that most digital wallet sites are not anonymous, and many even have to comply with financial regulations. The Hidden Wallet is… well, hidden.
Hidden wallet is the most popular anonymous wallet on the deep web. We are on a mission to build a more open, anonymous, and fair financial future integrated in a single piece of software.
onion link: http://nql7pv7k32nngor2.onion/

Facebook
It’s really strange that the world’s largest social media platform would have a .onion address, but there you are, Facebook does. This part of Facebook was supposedly developed by them to cater to those who want a social network that’s anonymous. I’m not quite sure how ‘anonymous’ and ‘social’ work together, but the .onion Facebook claims not to keep logs of user activity.
.onion link: https://www.facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion/
Impreza Hosting
Don’t trust your local web hosting company with your .onion site? Not to worry, the Dark Web has something for every paranoid being on earth! Impreza offers secure and anonymous web hosting. You can host your website as a hidden service on the Tor network for as low as $8.00 per month. A random .onion domain will be assigned to your package.
onion link: http://imprezawcjntsdf2.onion/
Dark Web Chat Rooms
Dark web chat rooms are often used for illegal activities, such as drug dealing, human trafficking, and cybercrime. However, they are also used by legitimate users who want to communicate anonymously or privately. For example, journalists, activists, and whistleblowers may use dark web chat rooms to communicate with sources without being tracked. Examples: Cryptodog Chatroom, Daniel’s Chatroom, etc.
Dark Web Emails
Dark web emails can be used to communicate with others without revealing your real identity or location. This can be useful for journalists, activists, and whistleblowers who need to protect their sources.
Examples: Proton Mail, Bitmessage mail gateway, etc.