Dark web Forensics

The web has three layers: the surface web, the deep web, and the dark web. While the surface web and deep web are used for legitimate purposes, the dark web is mostly used by cyber criminals to carry out nefarious or antisocial activities. Access to the dark web requires the Tor browser, which gives users a high level of anonymity through a complex routing mechanism, thereby allowing criminals to hide their identities. This module outlines the fundamentals of dark web forensics, describes how the Tor browser works, and discusses the steps for a forensic investigation of the Tor browser.

Understanding the dark web

1. Surface Web: The visible part of the web, containing content that can be accessed by search engines such as Google and Yahoo.

2. Deep Web: Content that can only be accessed by an authorized user with a valid username, password, etc. It includes legal documents, financial records, government reports, and subscription information.

3. Dark Web: An invisible or hidden part of the web that requires specific browsers such as the Tor browser to access; such browsers protect the anonymity of their users.

Keywords: Tor, illegal information, Silk Road

Dark Web Search Engines:

Torch, DuckDuckGo, The Hidden Wiki, Ahmia, Haystak, Not Evil, Candle, DarkSearch, Kilos

Working of the Tor Browser

The Tor browser is based on Mozilla's Firefox web browser and works on the concept of onion routing. In onion routing, the traffic is encrypted in layers and passed through the different relays that make up the Tor circuit; each relay removes one layer and only learns the next hop. This multi-layered encrypted connection keeps the user's identity anonymous.

The Tor browser provides access to the .onion websites available on the dark web.

Tor's hidden service protocol allows users to host websites anonymously with a .BIT domain; these websites can only be accessed by users on the Tor network.

Tor Bridge Node

The Tor relay nodes are publicly available in the directory list, but a bridge node is different from a relay node.

Bridge nodes act as a proxy to the Tor network, which means they follow different configuration settings to forward traffic to the entry node.

Because bridge nodes are not listed in the public directory of Tor nodes, it is difficult for organizations or governments to enumerate them and censor the usage of Tor.

Dark Web Forensics

Dark web forensics involves the identification and investigation of illicit activities performed on the dark web by attackers or malicious users.

To investigate malicious activities performed using the Tor browser, the investigator should obtain memory dumps from the suspect machine and examine them to extract valuable information such as the websites browsed, emails accessed, etc.

Identifying Tor Browser Artifacts: Command Prompt

When the Tor browser is installed on a Windows machine, it uses ports 57722/9151 to establish connections via Tor nodes.

When investigators check the active network connections on the machine with the command netstat -ano, they can identify whether Tor was used on the machine by looking for sockets on those ports and noting the PID that owns them.
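An added example, not from the original module: parsing saved `netstat -ano` output in Python to flag sockets on the ports named above and the PIDs that own them, so the owning process can then be confirmed with `tasklist /FI "PID eq <pid>"`. The sample output, addresses and PIDs are constructed.

```python
# Ports this module associates with the Tor browser on Windows; adjust for the build under examination.
TOR_PORTS = frozenset({57722, 9151})

# Constructed sample of `netstat -ano` output; every address and PID is made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    127.0.0.1:9151         0.0.0.0:0              LISTENING       4128
  TCP    127.0.0.1:9151         127.0.0.1:52310        ESTABLISHED     4128
  TCP    192.168.1.20:52344     203.0.113.7:443        ESTABLISHED     4128
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    2212
"""

def _port(endpoint: str):
    """Port of an 'addr:port' or '[v6addr]:port' endpoint, or None for '*:*'."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def parse_netstat(netstat_output: str):
    """Turn the text table into one dict per socket row (header and blank lines skipped)."""
    rows = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column, so the PID is always the last field
        state = parts[3] if len(parts) == 5 else ""
        rows.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                     "state": state, "pid": parts[-1]})
    return rows

def find_tor_sockets(netstat_output: str, ports=TOR_PORTS):
    """Rows whose local port is one of the Tor ports."""
    return [r for r in parse_netstat(netstat_output) if _port(r["local"]) in ports]

def tor_pids(netstat_output: str):
    """PIDs to pivot on with tasklist to confirm the owning process is Tor."""
    return sorted({r["pid"] for r in find_tor_sockets(netstat_output)})

def sockets_of_pids(netstat_output: str, pids):
    """Every socket owned by the given PIDs, which also exposes the client's outbound relay connection."""
    return [r for r in parse_netstat(netstat_output) if r["pid"] in set(pids)]
```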

Identifying Tor Browser Artifacts: Windows Registry

When the Tor browser is installed on a Windows machine, the user's activity is recorded in the Windows Registry.

Forensic investigators can obtain the path from which the Tor browser was executed from the following Registry key:

Computer\HKEY_USERS\S-1-5-21-3120115095-3236523142-1472636409-1001\SOFTWARE\Mozilla\Firefox\Launcher

Identifying Tor Browser Artifacts: Windows Registry (Cont’d)

Extracting the last execution date and time of the Tor browser:

On the suspect machine, the investigator analyzes the 'State' file located under the path from which the Tor browser was executed.

The State file is located in the following directory of the Tor browser folder:

\Tor Browser\Browser\TorBrowser\Data\Tor\
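An added example that is not part of the original module: a Python parser for the Tor State file that recovers the last-written timestamp, the Tor version and the guard relays the client selected. The sample file content is constructed; the header line is in the machine's local time while the body timestamps are UTC, so the two together also reveal the suspect machine's UTC offset.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a Tor browser State file (Data\Tor\state).
# Every value below is made up for illustration, not copied from a real machine.
SAMPLE_STATE = """\
# Tor state file last generated on 2023-05-11 10:20:30 local time
# Other times below are in UTC
# You *do not* need to edit this file.

Guard in=default rsa_id=0123456789ABCDEF0123456789ABCDEF01234567 nickname=exampleguard sampled_on=2023-04-02T09:15:00 sampled_by=0.4.7.13 listed=1
TorVersion Tor 0.4.7.13 (git-4fe98e3a6e2eb9c5)
LastWritten 2023-05-11 08:20:30
TotalBuildTimes 42
"""

HEADER_RE = re.compile(r"^# Tor state file last generated on (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) local time")
TIME_FMT = "%Y-%m-%d %H:%M:%S"

def parse_tor_state(text: str) -> dict:
    """Pull the fields of a State file that matter for a timeline.

    LastWritten (UTC) is the last time the Tor client flushed its state, which
    tracks the last time the browser was running; Guard lines name the entry
    relays the client chose, which can be matched against network logs.
    """
    info = {"last_written_utc": None, "local_time": None, "tor_version": None, "guards": []}
    for line in text.splitlines():
        line = line.strip()
        header = HEADER_RE.match(line)
        if header:
            info["local_time"] = datetime.strptime(header.group(1), TIME_FMT)
            continue
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "LastWritten":
            info["last_written_utc"] = datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)
        elif key == "TorVersion":
            info["tor_version"] = value
        elif key == "Guard":
            fields = dict(kv.split("=", 1) for kv in value.split() if "=" in kv)
            info["guards"].append({k: fields.get(k) for k in ("rsa_id", "nickname", "sampled_on")})
    return info

def utc_offset_hours(info: dict):
    """Offset of the suspect machine's clock from UTC, from the header time vs. LastWritten."""
    if info["local_time"] is None or info["last_written_utc"] is None:
        return None
    delta = info["local_time"] - info["last_written_utc"].replace(tzinfo=None)
    return delta.total_seconds() / 3600
```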

Identifying Tor Browser Artifacts: Prefetch Files

When the Tor browser has been uninstalled from a machine, or was installed in a location other than the desktop (on Windows), it is difficult for investigators to know whether it was used or where it was installed.

Examining the prefetch files helps investigators obtain this information. The prefetch files are located in the directory C:\WINDOWS\Prefetch on a Windows machine. Using tools such as WinPrefetchView, investigators can obtain metadata related to the browser, which includes:

1. Browser created timestamp

2. Browser last run timestamp

3. Number of times the browser was executed

4. Tor browser execution directory

5. Filename

Dark Web Forensics Challenges

High level of anonymity: The dark web allows perpetrators to carry out illegal activities while hiding their identity.

Encrypted networks: Because the traffic is encrypted and relayed, tracing the physical location of the perpetrators is difficult.

Limited number of traces: When the Tor browser has been uninstalled from a suspect machine, the investigator is left with only a limited number of artifacts, which makes the investigation difficult.

Legal jurisdiction issues: Criminal activities on the dark web occur irrespective of jurisdiction, posing legal jurisdiction issues for investigators and law enforcement agencies.

Tor Browser Forensics: Memory Acquisition

RAM contains volatile information pertaining to the various processes and applications running on a system.

Examining RAM dumps can provide deep insight into the actions that occurred on the system.

Forensic investigators can examine these dumps to extract various Tor browser artifacts that help in reconstructing the incident.

The results obtained by examining these artifacts differ depending on when the dump was taken:

A memory dump taken while the browser is open yields the most artifacts, while a dump taken after the browser has been uninstalled yields the least.

Memory dumps taken while the browser is closed still contain most of the information found in dumps collected while the browser is left open.

Collecting and Analyzing Memory Dumps

Investigators need to acquire a memory dump of the suspect machine to begin the forensic examination.

Tools such as Belkasoft Live RAM Capturer and FTK Imager can help capture RAM.

The memory dump collected from the suspect machine contains not only artifacts related to the browser, but also traces of all the other activity that occurred on the machine.

Memory Dump Analysis: Bulk Extractor

The memory dump acquired from the machine must be examined on the forensic workstation to discover artifacts that may be helpful during the investigation.

Tools such as Bulk Extractor help in processing these dumps and provide useful information such as the URLs browsed, email IDs used, and personally identifiable information entered into websites.
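As an added example (not part of the original module and not Bulk Extractor's own code), a small Python carver that scans a raw memory image for .onion hostnames the way a URL scanner would, and checks the checksum embedded in v3 addresses to weed out false positives and truncated fragments. The sample dump is constructed in the code from a dummy key.

```python
import base64
import hashlib
import re

# v2 names are 16 base32 characters, v3 names 56; the lookbehind stops matches
# that would start in the middle of a longer base32 run.
ONION_RE = re.compile(rb"(?<![a-z2-7])([a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.IGNORECASE)

def make_v3_onion(pubkey: bytes) -> str:
    """Build a v3 .onion name from a 32-byte ed25519 public key (Tor rend-spec-v3 layout)."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode("ascii").lower() + ".onion"

def v3_checksum_ok(address: str) -> bool:
    """True if a 56-character v3 name carries a consistent checksum and version byte."""
    raw = base64.b32decode(address[:-6].upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return version == b"\x03" and checksum == expected

def carve_onion_addresses(blob: bytes):
    """Scan a raw memory image for .onion hostnames.

    Returns (address, offset, valid) tuples; valid is True/False for v3 names
    and None for v2 names, which carry no checksum to verify.
    """
    hits = []
    for m in ONION_RE.finditer(blob):
        addr = m.group(0).decode("ascii").lower()
        valid = v3_checksum_ok(addr) if len(addr) == 62 else None
        hits.append((addr, m.start(), valid))
    return hits

# Constructed "memory dump": a v3 name derived from a dummy key, a copy with one
# checksum character altered, and a v2-style name, scattered among filler bytes.
SAMPLE_ONION = make_v3_onion(bytes(range(32)))
CORRUPTED = SAMPLE_ONION[:52] + ("b" if SAMPLE_ONION[52] == "a" else "a") + SAMPLE_ONION[53:]
SAMPLE_DUMP = (b"\x00" * 64 + b"http://" + SAMPLE_ONION.encode() + b"/index.html\x00"
               + b"\xff" * 32 + CORRUPTED.encode() + b"\x00"
               + b"GET http://abcdefghij234567.onion/ HTTP/1.1\r\n")
```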

TOR Market OSINT Framework

Dark Web Search Engines: Torch, DuckDuckGo, The Hidden Wiki, Ahmia, Haystak, Not Evil, Candle, DarkSearch, Kilos

Dark Web Email Providers: Proton Mail, Bitmessage, etc.

Dark Web Chat Rooms: Cryptodog, Daniel's Chat Room, etc.

Dark Web Markets: Dream Market, Bana Market, Silk Road, etc.

Dark Web Social Networks: Galaxy3, Facebook, DarkDir, etc.

The Hidden Wiki

This is a fantastic site to visit if you're really new to the Dark Web. Much like the real Wikipedia, The Hidden Wiki has tons of information and links you can jump through to really get to know the Dark Web. It is one of the stalwarts among .onions and doubtless will remain so for many years to come.

 onion link: http://zqktlwi4fecvo6ri.onion/

 Onion Site Link: https://thehiddenwiki.com/

Dream Market

Now that you have a way to sign up for things (anonymous email) and also pay for them (anonymous Bitcoin), wander over to Dream Market and browse the goods. This is one of the smaller .onion marketplaces, and that's probably why they are still in operation. The FBI has been conducting sweeps across the Dark Web to stamp out illegal trade, and many famous marketplaces such as Silk Road have been shut down.

 onion link: http://bananadw6brvgj3bx2pmnfwtevpmvbqycjvhhr26hj3advsg4dum7iad.onion/

The Hidden Wallet

Knowing that there are tons of things you can buy here, you'll probably realize you have to pay for them as well. This site is sort of like a digital wallet and allows you to transact in Bitcoin. The big difference is that most digital wallet sites are not anonymous, and many even have to comply with financial regulations. The Hidden Wallet is... well, hidden.

The site describes itself as follows: "Hidden Wallet is the most popular anonymous wallet on the deep web. We are on a mission to build a more open, anonymous, and fair financial future integrated in a single piece of software."

 onion link: http://nql7pv7k32nngor2.onion/

Facebook

It's really strange that the world's largest social media platform would have a .onion address, but there it is. This part of Facebook was supposedly developed to cater to those who want a social network that's anonymous. I'm not quite sure how 'anonymous' and 'social' work together, but the .onion Facebook claims not to keep logs of user activity.

 .onion link: https://www.facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion/

Impreza Hosting

 Don’t trust your local web hosting company with your .onion site? Not to worry, the Dark Web has something for every paranoid being on earth! Impreza offers secured and anonymous web hosting. You can host your website as a hidden service on the Tor network for as low as $8.00 per month. A random .onion domain will be assigned to your package.

 onion link: http://imprezawcjntsdf2.onion/

Dark Web Chat Rooms

Dark web chat rooms are often used for illegal activities, such as drug dealing, human trafficking, and cybercrime. However, they are also used by legitimate users who want to communicate anonymously or privately. For example, journalists, activists, and whistleblowers may use dark web chat rooms to communicate with sources without being tracked. Examples: Cryptodog chatroom, Daniel's chatroom, etc.

Dark Web Emails

Dark web email can be used to communicate with others without revealing your real identity or location. This can be useful for journalists, activists, and whistleblowers who need to protect their sources.

Examples: Proton Mail, Bitmessage mail gateway, etc.
