Darkweb Forensics
Understand the Darkweb and Darkweb Forensics
The term "dark web" describes the deepest layer of the internet: content that search engines do not index and that a standard browser cannot reach. Users need specialized software such as the Tor Browser, which routes traffic through an anonymity network and hides who is talking to whom, to access the dark web. Criminals use it for a variety of illicit operations because it lets them remain anonymous, although the same anonymity also has legitimate uses.

Understanding the Dark Web
The web is separated into the following three levels based on content accessibility:
- Surface Web: As the topmost layer, the surface web holds content that search engines such as Google, Bing, and Yahoo can crawl and index. It makes public websites such as YouTube, Facebook, and Wikipedia easy to find. The surface web is commonly estimated to make up only about 4% of the whole web.
- Deep Web: This layer holds content that search engines do not index, so it cannot be found by searching, although anyone with the direct link or the required credentials can reach it with a normal browser. Content behind logins and paywalls is typical: military data, private company information, legal dossiers, financial records, medical records, government department records, and subscription content.
- Dark Web: The third and deepest layer of the web. Search engines do not index it, and its traffic is encrypted and relayed so that neither users nor site operators are easily identified. Cybercriminals exploit this anonymity for activities such as drug trafficking, extremist campaigns, and illicit cryptocurrency transactions; journalists and whistleblowers use it for legitimate reasons. A dedicated browser is required to access the dark web, and the Tor Browser is the most common one.
Tor Relays
A Tor circuit is built from three relays chosen from the thousands that make up the Tor network: an entry (guard) relay, a middle relay, and an exit relay. Relays are also called nodes or routers; they forward network traffic between each other, and the more relays the network has, the more capacity, resilience, and diversity it offers.
- Entry/Guard Relay: The first hop into the Tor network. The guard relay can see the client's real IP address, but not the final destination, and it forwards the client's still-encrypted data to the middle relay.
- Middle Relay: The second hop. It receives encrypted data from the guard relay and passes it to the exit relay, so it learns neither the client's IP address nor the destination.
- Exit Relay: As the final relay of the Tor circuit, the exit relay receives the client's data from the middle relay and sends it to the destination server. The destination sees the IP address of the exit relay, not the client's. The exit relay is also the one point that sees the traffic as it leaves the network, so anything not protected by TLS (HTTPS) is readable there. Because the exit relay appears to be the origin of the traffic, it is the node suspected when malicious traffic is observed, and exit operators face the most legal exposure, take-down notices, and complaints even though they did not originate the traffic.
Working of Tor Browser
- Tor Browser is built on Mozilla Firefox ESR. It uses a technique called "onion routing": the client wraps each message in several layers of encryption, one per relay in the circuit (resembling the layers of an onion), and sends it through the relays of the Tor network in turn.
- As the multi-layered message passes through the relays, each relay removes one layer of encryption, learning only the address of the next hop. When the message reaches the last relay in the circuit, the exit relay, the final layer is removed and the data is forwarded to the target server.
- The destination server sees the exit relay as the origin of the data. No single relay, and no observer watching a single relay, sees both the origin and the destination, which makes tracing the origin through surveillance very difficult. The exit relay does see the data as it leaves the network, so content that is not separately protected by TLS is exposed to it.
- The Tor Browser can also reach onion sites on the dark web. Using Tor's onion service protocol (formerly called hidden services), operators host sites under .onion addresses that are reachable only from within the Tor network, so neither the site's nor the visitor's IP address is revealed to the other.

Tor Bridge Node
- Ordinary Tor relays are published in the public directory (the network consensus); bridge nodes are relays that are deliberately not listed there.
- Because all ordinary relays, including entry and exit relays, are publicly listed and their IP addresses can be downloaded from the Internet, organizations and governments that wish to prohibit the use of Tor can block them by address.
- In several countries, governments, Internet service providers, and corporate entities block the Tor network. Where access is restricted in this way, bridge nodes help circumvent the restrictions and allow users to reach the Tor network.
- The use of bridge nodes therefore makes it difficult for governments, organizations, and ISPs to censor the Tor network.
How Bridge Nodes Help Circumvent Restrictions on the Tor Network
Bridge nodes act as unlisted entry points to the Tor network. Because they are not in the public directory, ISPs, organizations, and governments cannot block them simply by downloading the relay list, and the Tor Project distributes bridge addresses in small batches to make enumerating them harder. Even if a particular bridge is discovered and blocked, users can switch to another one.
A Tor user sends traffic to the bridge, which takes the place of the guard relay as the first hop of the circuit; from there the circuit continues through a middle relay and an exit relay, and communication with the remote server proceeds as usual. Because the bridge is not publicly known, it lets the user reach the Tor network despite the restrictions placed on it.
Dark Web Forensics
Dark web forensics refers to the investigation of illegal and antisocial activities carried out on the dark web by malicious users. Examples of such activities include drug trafficking, credit card and financial fraud, and terrorism.
The dark web is accessed through the Tor Browser, which is designed to protect the anonymity of its users, making the investigation of dark web crimes an extremely challenging task for forensic investigators.
To investigate cybercrimes committed using the Tor Browser, forensic investigators should collect a RAM dump from the suspect machine and analyze it, together with disk artifacts such as Registry keys, prefetch files, and the browser profile, to determine what was done with the Tor Browser, such as visiting websites, accessing emails, and installing software.
Dark Web Forensics Challenges
The following are the challenges involved in dark web forensics:
- As the dark web allows users to hide their identities, investigators find it harder to trace suspects during investigations.
- Tracing the physical location of a user is harder because dark web traffic is encrypted and relayed through several nodes.
- When the Tor Browser is removed from a system, it leaves behind only a small number of artifacts, which complicates the investigation.
- Criminal activities on the dark web cross jurisdictions freely, posing legal jurisdiction issues for investigators and law enforcement agencies.
- Cryptocurrency transactions on the dark web are recorded on a public blockchain, but the ledger holds only wallet addresses, not the personal identity of the payer or the cybercriminal, so linking an address to a person requires further investigation.
- Lack of proper training and expertise with the specialized tools can pose a challenge in darknet analysis and evidence extraction.
- Dark web applications that cybercriminals build with the latest technologies are difficult to detect and analyze with traditional evidence extraction and analysis tools.
- Because digital evidence from the dark web is limited, investigators can struggle to obtain warrants for search and seizure against parties involved in dark markets.
- Chat room communications by cybercriminals on the dark web typically generate large volumes of chat logs, so analysis is time-consuming and laborious and requires high-specification systems.
- The evolving nature of the dark web requires investigators to keep learning the latest techniques and to adopt new tools and approaches for investigation.
Find Out How to Spot Tor Browser Traces While Investigating
Despite offering users anonymity, the Tor Browser leaves activity-related artifacts in system RAM for as long as the computer stays powered on and the memory pages have not been reused by other processes. To find and examine artifacts connected to malicious use of the Tor Browser, investigators can obtain a RAM dump of the live suspect computer. If the Tor Browser was used on a Windows computer, investigators can also find and examine Tor-related artifacts in the Windows Registry and the prefetch folder, which survive a reboot.
Identifying Tor Browser Artifacts: Command Prompt
The Tor Browser bundles its own tor process. On a Windows computer that process listens on the loopback interface on TCP port 9150 (the SOCKS proxy the browser sends its traffic through) and TCP port 9151 (the control port); the tor process itself connects outbound to Tor relays, typically on port 443 or 9001. (A standalone tor service uses 9050/9051 instead.) Running netstat -ano on the live machine lists active connections and listening sockets together with their owning process IDs: a listener on 127.0.0.1:9150 or 127.0.0.1:9151 plus outbound connections from the same PID indicates that the Tor Browser is running, and tasklist /FI "PID eq <pid>" maps that PID to tor.exe. These sockets disappear as soon as the browser is closed, so this check only works on a live system.
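The check described above, as an added example that is not part of the original page: a small parser that takes saved netstat -ano output, finds processes listening on the Tor proxy ports on loopback, lists their non-loopback peers (candidate relay addresses), and identifies which other process is talking to the SOCKS port. The sample output is constructed to look like Windows netstat; its PIDs are made up and its addresses are documentation ranges, not real hosts.

```python
"""Flag Tor Browser's local proxy ports in saved `netstat -ano` output.

Added example (not from the original page). Tor Browser's bundled tor
process listens on 127.0.0.1:9150 (SOCKS) and 127.0.0.1:9151 (control);
a standalone tor service uses 9050/9051. The sample below is constructed;
PIDs and foreign addresses are dummies (RFC 5737 documentation ranges).
"""
from collections import defaultdict

TOR_BROWSER_PORTS = {9150, 9151}   # Tor Browser defaults
TOR_DAEMON_PORTS = {9050, 9051}    # standalone tor service defaults

# Constructed sample of `netstat -ano` on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:9150         0.0.0.0:0              LISTENING       4321
  TCP    127.0.0.1:9151         0.0.0.0:0              LISTENING       4321
  TCP    127.0.0.1:9150         127.0.0.1:52233        ESTABLISHED     4321
  TCP    127.0.0.1:52233        127.0.0.1:9150         ESTABLISHED     7788
  TCP    192.0.2.20:52480       203.0.113.7:443        ESTABLISHED     4321
  TCP    192.0.2.20:52481       203.0.113.9:9001       ESTABLISHED     4321
  TCP    192.0.2.20:52490       198.51.100.34:443      ESTABLISHED     1200
  UDP    0.0.0.0:5353           *:*                                    2048
"""


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, foreign, state, pid) per TCP/UDP row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so the PID is the last field either way.
        state = parts[3] if proto == "TCP" and len(parts) == 5 else ""
        pid = int(parts[-1])
        ip, _, port = local.rpartition(":")  # rpartition also copes with [::1]:9150
        yield proto, ip, int(port), foreign, state, pid


def tor_listeners(text, ports=TOR_BROWSER_PORTS | TOR_DAEMON_PORTS):
    """Map PID -> set of Tor-style ports it is LISTENING on (loopback only)."""
    found = defaultdict(set)
    for proto, ip, port, _foreign, state, pid in parse_netstat(text):
        if proto == "TCP" and state == "LISTENING" and ip == "127.0.0.1" and port in ports:
            found[pid].add(port)
    return dict(found)


def relay_peers(text, pids):
    """Non-loopback ESTABLISHED peers of the given PIDs: candidate Tor relays."""
    return [foreign for _p, _ip, _port, foreign, state, pid in parse_netstat(text)
            if pid in pids and state == "ESTABLISHED" and not foreign.startswith("127.")]


def proxy_clients(text, pids):
    """PIDs (other than tor itself) connected to the SOCKS port, i.e. the browser."""
    socks = {f"127.0.0.1:{p}" for p in TOR_BROWSER_PORTS}
    clients = {pid for _p, _ip, _port, foreign, state, pid in parse_netstat(text)
               if state == "ESTABLISHED" and foreign in socks}
    return clients - set(pids)


if __name__ == "__main__":
    tor = tor_listeners(SAMPLE_NETSTAT)
    print("tor-like listeners:", tor)
    print("relay peers:", relay_peers(SAMPLE_NETSTAT, tor))
    print("PIDs using the SOCKS port:", proxy_clients(SAMPLE_NETSTAT, tor))
```

On a live system the same functions can be fed the output of `subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout`; the PIDs returned are then resolved with tasklist. Ports alone are only an indicator: confirm the process image (tor.exe inside the Tor Browser folder) before drawing conclusions.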
Identifying Tor Browser Artifacts: Windows Registry
When the Tor Browser is run on a Windows machine, traces of the activity are recorded in the Windows Registry. Because the Tor Browser is built on Firefox, it shares Firefox's launcher-process entries: forensic investigators can find the path from which the Tor Browser was executed under the Registry key HKEY_USERS\<SID>\SOFTWARE\Mozilla\Firefox\Launcher, where the value names contain the full path of the firefox.exe binary that was started (for the Tor Browser, a firefox.exe inside the Tor Browser folder). Check this key for every user SID present, not only the currently logged-on user.
Extracting Last Execution Date and Time of Tor Browser
On a suspect machine, the investigator analyzes the "state" file in the Tor data directory of the installation from which the Tor Browser was executed, \Tor Browser\Browser\TorBrowser\Data\Tor\state. The tor process saves this file periodically while it runs and on shutdown; its LastWritten line records the time of the last save in UTC, while the comment header at the top records the same moment in local time, so together they approximate when the Tor Browser was last used and reveal the machine's time zone offset. The Guard lines in the same file record when each entry guard was first sampled, which shows that tor was running with this data directory at least as early as that time.
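Parsing the state file described above, as an added example (not code from the original page or from the Tor Project). The sample file is constructed to mimic the real format: a header comment with the local save time, `Guard` lines of space-separated key=value pairs, a `TorVersion` line and a UTC `LastWritten` line. The fingerprint, nickname, version and counters in it are dummy values.

```python
"""Parse a Tor `state` file for last-use time, version and guard history.

Added example, not from the original page. Tor Browser's state file lives
at <Tor Browser>\\Browser\\TorBrowser\\Data\\Tor\\state. The sample below is
constructed: header = local time of the last save, LastWritten = the same
moment in UTC, Guard lines = when each entry guard was sampled/confirmed.
"""
import re
from datetime import datetime, timezone

SAMPLE_STATE = """\
# Tor state file last generated on 2024-03-11 14:02:17 local time
# Other times below are in UTC
# You *do not* need to edit this file.

Guard in=default rsa_id=0000000000000000000000000000000000000001 nickname=ExampleGuard sampled_on=2024-02-28T09:15:40 sampled_by=0.4.8.10 listed=1 confirmed_on=2024-02-28T09:16:02 confirmed_idx=0 pb_circ_attempts=30.000000 pb_circ_successes=29.000000
Guard in=default rsa_id=0000000000000000000000000000000000000002 nickname=OtherGuard sampled_on=2024-01-05T22:40:11 sampled_by=0.4.8.9 listed=1
TorVersion Tor 0.4.8.10
LastWritten 2024-03-11 13:02:17
"""

_HEADER_RE = re.compile(
    r"^# Tor state file last generated on (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) local time")


def _utc(s, fmt):
    """Parse a timestamp string and tag it as UTC (the file's documented zone)."""
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def _guard_time(fields, key):
    return _utc(fields[key], "%Y-%m-%dT%H:%M:%S") if key in fields else None


def parse_tor_state(text):
    """Return last_written (UTC), local_header_time (naive local clock),
    tz_offset (local minus UTC), tor_version and a list of guard dicts."""
    result = {"last_written": None, "local_header_time": None,
              "tz_offset": None, "tor_version": None, "guards": []}
    for line in text.splitlines():
        line = line.strip()
        m = _HEADER_RE.match(line)
        if m:
            result["local_header_time"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            continue
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "LastWritten":
            result["last_written"] = _utc(rest, "%Y-%m-%d %H:%M:%S")
        elif key == "TorVersion":
            result["tor_version"] = rest.removeprefix("Tor ")
        elif key == "Guard":
            fields = dict(kv.split("=", 1) for kv in rest.split())
            result["guards"].append({
                "nickname": fields.get("nickname"),
                "rsa_id": fields.get("rsa_id"),
                "sampled_on": _guard_time(fields, "sampled_on"),
                "confirmed_on": _guard_time(fields, "confirmed_on"),
            })
    if result["last_written"] and result["local_header_time"]:
        # Both stamps describe the same save, so their difference is the
        # machine's UTC offset at that moment: useful for aligning timelines.
        result["tz_offset"] = (result["local_header_time"]
                               - result["last_written"].replace(tzinfo=None))
    return result


def earliest_guard_sample(state):
    """Earliest sampled_on: tor was running with this data directory at least
    this early. Expired guards are eventually pruned from the file, so this is
    not a hard first-use time."""
    times = [g["sampled_on"] for g in state["guards"] if g["sampled_on"]]
    return min(times) if times else None


if __name__ == "__main__":
    s = parse_tor_state(SAMPLE_STATE)
    print("last written (UTC):", s["last_written"])
    print("local clock offset:", s["tz_offset"])
    print("tor version:", s["tor_version"])
    print("earliest guard sample:", earliest_guard_sample(s))
```

Compare the tz_offset with the time zone configured in the suspect's Registry (ControlSet TimeZoneInformation): a mismatch suggests the clock or zone was changed after the last Tor run.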
Identifying Tor Browser Artifacts: Prefetch Files
When the Tor Browser has been uninstalled from a machine, or was installed somewhere other than the Desktop (its default location on Windows), it can be difficult for investigators to determine whether it was used and where it was installed. Prefetch files, which Windows creates to speed up later launches of an executable and which are not removed when the application is deleted, can supply this information.
The prefetch files are in the directory C:\WINDOWS\Prefetch and are named after the executable (for example TOR.EXE-<hash>.pf and FIREFOX.EXE-<hash>.pf). Using tools such as WinPrefetchView, investigators can obtain metadata including the prefetch file's creation and modification timestamps, the last run time(s) of the executable, the number of times it was executed, the directory from which it was run (which reveals the Tor Browser installation path), the filename, and the file size.
Identifying Tor Browser Artifacts: places.sqlite File
The Tor Browser also stores bookmarks, browsing history, visited websites, and similar data in SQLite files such as places.sqlite, located at \Tor Browser\Browser\TorBrowser\Data\Browser\profile.default. Extracting and examining this file gives the investigator more insight into the activities performed with the Tor Browser. One caveat: because the Tor Browser runs in permanent private browsing mode by default, visited sites are normally not written to disk as history, so the history tables may be empty unless the user changed that setting; bookmarks are saved regardless.
The places.sqlite database contains several tables, such as moz_places, moz_historyvisits, and moz_bookmarks, each storing different information. moz_places stores each known URL with an ID, title, and last visit time; moz_historyvisits records individual visits (with a timestamp and a reference to the moz_places row); moz_bookmarks stores bookmarks, each referencing a moz_places row through its fk column. Timestamps are stored as PRTime, microseconds since the Unix epoch in UTC. Investigators can view the data with tools such as SQLite Database Recovery or DB Browser for SQLite, or query it directly with the sqlite3 library.
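Querying places.sqlite as an added example (not code from the original page or from Mozilla): the block builds an in-memory database with the subset of the real schema that matters here, fills it with constructed rows, and then reconstructs a visit timeline, lists the .onion hosts referenced, and recovers bookmarks. The .onion hostnames and all timestamps are dummies; a real v3 onion address is 56 characters long.

```python
"""Query a Firefox/Tor Browser places.sqlite for history and bookmarks.

Added example, not from the original page. The schema is the subset of the
real moz_places / moz_historyvisits / moz_bookmarks tables needed here; all
rows are constructed. Firefox stores times as PRTime: microseconds since
the Unix epoch, UTC. Point `sqlite3.connect` at a copy of the real file to
run the same queries against evidence.
"""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY, url TEXT, title TEXT,
    visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
CREATE TABLE moz_historyvisits (
    id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
    visit_date INTEGER, visit_type INTEGER);
CREATE TABLE moz_bookmarks (
    id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER, parent INTEGER,
    title TEXT, dateAdded INTEGER);
"""


def prtime(dt):
    """UTC datetime -> PRTime microseconds."""
    return int(dt.timestamp() * 1_000_000)


def from_prtime(us):
    """PRTime microseconds -> aware UTC datetime."""
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc)


def build_sample_db():
    """In-memory places.sqlite with constructed history and one bookmark."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    t0 = datetime(2024, 3, 11, 12, 58, 3, tzinfo=timezone.utc)
    t = lambda h, m, s: prtime(t0.replace(hour=h, minute=m, second=s))
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "http://exampleonionmarketzzz.onion/login", "Market login", 2, t(13, 1, 40)),
        (2, "https://check.torproject.org/", "Tor check", 1, prtime(t0)),
        (3, "http://exampleonionmarketzzz.onion/vendor/123", "Vendor", 1, t(13, 5, 9)),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 2, prtime(t0), 1),       # visit_type 1 = typed/link
        (2, 1, 1, t(12, 59, 30), 1),
        (3, 2, 3, t(13, 5, 9), 2),      # visit_type 2 = typed URL
        (4, 0, 1, t(13, 1, 40), 1),
    ])
    conn.execute("INSERT INTO moz_bookmarks VALUES (1, 1, 1, 0, 'market', ?)", (prtime(t0),))
    return conn


def visit_timeline(conn):
    """Chronological (utc_iso, url, title, visit_type) from moz_historyvisits."""
    rows = conn.execute("""
        SELECT v.visit_date, p.url, p.title, v.visit_type
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date""").fetchall()
    return [(from_prtime(d).isoformat(), url, title, vt) for d, url, title, vt in rows]


def onion_hosts(conn):
    """Distinct .onion hostnames referenced anywhere in moz_places."""
    hosts = set()
    for (url,) in conn.execute("SELECT url FROM moz_places WHERE url LIKE '%.onion%'"):
        host = url.split("//", 1)[-1].split("/", 1)[0]
        if host.endswith(".onion"):
            hosts.add(host)
    return sorted(hosts)


def bookmarked_urls(conn):
    """Bookmarks (type 1) survive the private-browsing default; fk -> moz_places.id."""
    return list(conn.execute(
        "SELECT b.title, p.url FROM moz_bookmarks b JOIN moz_places p ON p.id = b.fk "
        "WHERE b.type = 1"))


if __name__ == "__main__":
    db = build_sample_db()
    for row in visit_timeline(db):
        print(*row)
    print("onion hosts:", onion_hosts(db))
    print("bookmarks:", bookmarked_urls(db))
```

Always work on a copy of the profile: opening the live file can modify its write-ahead log (places.sqlite-wal), and the WAL itself may hold rows not yet merged into the main file, so copy the -wal and -shm files alongside it.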
Tor Browser Forensics: Memory Acquisition
RAM contains volatile information pertaining to various processes and applications running on a system. Examining RAM dumps can provide deep insights into the actions that occurred on the system. Forensic investigators can examine these RAM dumps to extract various Tor Browser artifacts that help in investigating the case.
The results obtained by examining Tor browser artifacts differ based on the following conditions:
- Tor browser opened
- Tor browser closed
- Tor browser uninstalled
A memory dump taken while the browser is open yields the most artifacts, and one taken after the browser has been uninstalled yields the fewest. A dump taken while the browser is closed still contains much of what is found in a dump taken while it is open, because freed pages remain in RAM until the operating system reuses them.
Collecting Memory Dumps
Investigators need to acquire a memory dump of the suspect machine before the forensic examination can begin. Tools such as Belkasoft LIVE RAM Capturer, FTK Imager, Magnet RAM Capture, and WinPmem can capture RAM. Run the capture tool from external media and write the image to external storage so that as little evidence as possible is overwritten, record the capture time, and hash the image as soon as it is written so that later analysis can be tied back to it.
The memory dump collected from the suspect machine contains not only artifacts related to the browser but also artifacts of every other activity that occurred on the system.
Memory Dump Analysis: Bulk Extractor
The memory dump is then analyzed on the forensic workstation to find artifacts that might be useful for the investigation. Dumps can be processed with tools such as Bulk Extractor, which recovers information including the URLs visited, the email addresses used, and personally identifiable information entered on websites.
Bulk Extractor: A program that scans digital evidence files (disk images, memory dumps, or any file) for structured information such as email addresses, credit card numbers, URLs, JPEGs, and JSON snippets, without parsing the file system. It writes each feature type to a tab-separated feature file (for example url.txt or email.txt) together with a histogram file of the most frequent values. Bulk Extractor Viewer (BEViewer) is the graphical front end for browsing these extracted features; it lets investigators open multiple images, bookmark and export findings, and launch Bulk Extractor itself.
Using Storage Forensic Analysis to get Email Attachments (Tor Browser Open)
We have so far identified emails that were composed and read. Because those emails have attachments, we now try to recover the attachments by examining the computer's storage forensically.
The type of evidence determines the storage medium. If the evidence is a physical machine, we must obtain a bit-by-bit copy of its local storage. If the evidence is a virtual machine, we must instead examine the virtual disk files, for example VMDK (VMware), VHDX (Hyper-V), or VDI (VirtualBox), depending on the virtualization program used; an OVF/OVA export is a package containing such a disk together with its descriptor, not a disk format in itself.
Forensic Analysis of Memory Dumps to Examine Email Artifacts (Tor Browser Closed)
In this scenario, we forensically analyze a memory dump of the suspect system that was taken while the browser was closed, examine all the email artifacts, and try to reconstruct the email activity that occurred on the system. We therefore focus on the Bulk Extractor output files associated with emails, which include (but are not limited to) domain.txt, email.txt, url.txt, url_facebook-id.txt, and their histogram files. The json.txt file contains crucial information related to browsing activity, such as webmail responses captured in memory.
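Reading the Bulk Extractor output discussed in this section and in the Bulk Extractor description above, as an added example (not code from the original page or from the Bulk Extractor project). Feature files are tab-separated `offset<TAB>feature<TAB>context` lines under `#` header comments; histogram files are `n=<count><TAB>feature` lines. The samples are constructed to match that layout, and the offsets, addresses and .onion names in them are dummies.

```python
"""Read bulk_extractor feature and histogram files (url.txt, email.txt, ...).

Added example, not from the original page or from bulk_extractor itself.
Feature lines: offset<TAB>feature<TAB>context; an offset such as
2097400-ZIP-0 means the feature was found inside a decompressed object at
physical offset 2097400. Histogram lines: n=<count><TAB>feature. All sample
data below is constructed.
"""
import re
from collections import Counter

SAMPLE_URL_FEATURES = """\
# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 2.0.0
# Feature-Recorder: url
# Filename: suspect_ram.dmp
# Feature-File-Version: 1.1
1048576\thttps://check.torproject.org/\t...GET https://check.torproject.org/ HTTP/1.1...
2097152\thttp://exampleonionmarketzzz.onion/login\t...href="http://exampleonionmarketzzz.onion/login"...
2097400-ZIP-0\thttp://exampleonionmarketzzz.onion/vendor/123\t...
3145728\thttps://mail.example.net/inbox\t...
"""

SAMPLE_EMAIL_FEATURES = """\
# Feature-Recorder: email
# Filename: suspect_ram.dmp
4194304\tbuyer42@example.net\t...From: buyer42@example.net ...
4194500\tBuyer42@example.net\t...Reply-To: Buyer42@example.net...
5242880\tvendor@exampleonionmarketzzz.onion\t...To: vendor@exampleonionmarketzzz.onion...
"""

SAMPLE_URL_HISTOGRAM = """\
# Feature-Recorder: url
n=7\thttps://check.torproject.org/
n=3\thttp://exampleonionmarketzzz.onion/login\t(utf16=1)
n=1\thttps://mail.example.net/inbox
"""

_ONION = re.compile(r"^[a-z2-7]+\.onion$", re.I)   # base32 alphabet used by .onion names


def parse_feature_file(text):
    """List of (offset_str, feature, context); offsets stay strings because
    they may carry a recursion path (e.g. 2097400-ZIP-0)."""
    out = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2:
            continue
        out.append((parts[0], parts[1], parts[2] if len(parts) > 2 else ""))
    return out


def parse_histogram(text):
    """Dict feature -> count from an `n=<count>` histogram file."""
    counts = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) >= 2 and parts[0].startswith("n="):
            counts[parts[1]] = int(parts[0][2:])
    return counts


def hostname(feature):
    """Host of a URL, or the domain of an e-mail address, lower-cased."""
    if "@" in feature and "://" not in feature:
        return feature.rsplit("@", 1)[1].lower()
    return feature.split("://", 1)[-1].split("/", 1)[0].lower()


def onion_features(features):
    """(offset, feature) pairs whose host is a .onion name."""
    return [(off, f) for off, f, _ in features if _ONION.match(hostname(f))]


def offset_to_int(offset):
    """Physical byte offset: the part before the first recursion marker."""
    return int(offset.split("-", 1)[0])


def email_summary(features):
    """Counter of case-folded e-mail addresses and the lowest physical offset
    each was seen at, so the analyst can carve the surrounding bytes."""
    counts, first_seen = Counter(), {}
    for off, addr, _ in features:
        a = addr.lower()
        counts[a] += 1
        first_seen[a] = min(first_seen.get(a, float("inf")), offset_to_int(off))
    return counts, first_seen


if __name__ == "__main__":
    urls = parse_feature_file(SAMPLE_URL_FEATURES)
    print("onion URLs:", onion_features(urls))
    counts, first = email_summary(parse_feature_file(SAMPLE_EMAIL_FEATURES))
    print("addresses:", counts.most_common(), first)
    print("url histogram:", parse_histogram(SAMPLE_URL_HISTOGRAM))
```

The physical offsets let you go back to the dump with a hex editor or `dd skip=<offset> bs=1` to recover the surrounding bytes (an email header, a form post) that the context column only hints at. Addresses recovered from memory need corroboration: a string in RAM proves only that the bytes were present, not that the user wrote or received that message.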
Forensic Analysis: Tor Browser Uninstalled
When a memory dump is collected from a machine on which the Tor Browser was installed and later uninstalled, the dump typically retains little or no record of the activities performed with the Tor Browser, particularly if the machine has been rebooted since. Examining such a dump with Bulk Extractor therefore usually yields no Tor-related artifacts, and the investigator must fall back on disk artifacts, chiefly the prefetch files and the Registry keys described above, to establish that the Tor Browser was present, where it was installed, and when it last ran.
Reference
1. EC-Council, CHFI (Computer Hacking Forensic Investigator) courseware.