Investigating the Dark Web: What Law Enforcement Personnel Should Know
Work Tips
2022-09-19
Although the search engine crawlers and various digital archives have managed to index almost every digital thing in existence, not everything that takes place on the internet is visible to everyone.
Ask yourself this:
Can anyone access your email inbox or personal messages?
What about your bank account’s transaction history?
Just like certain parts of our lives (such as what we do in the bathroom or in the bedchambers), some parts of the internet should stay private.
In fact, it’s a necessity.
However, a very small percentage of the internet (roughly 0.01%) consists of places that are darker and much more sinister.
Behold the depths of the internet otherwise known as the dark web.
In essence, the dark web consists of places not indexed by search engines.
Its inherent anonymity allows for shady dealings to take place between two or more unidentified individuals that often use nicknames to prevent their real identity.
Examples of illegal services traded on the dark web:
Hitman for hire
Drugs
Illegal adult material
Stolen passwords, credit numbers, etc.
Malware or zero-day OS vulnerabilities
Since the dark web is inaccessible to search engine crawlers, you won’t be able to find it on Google.
The access to Dark Web
Typically, you’re going to need a password to get in.
Not only that, the URL of the meeting place is often not accessible through an actual domain, so you would need to know the exact IP address of the website.
Of course, nothing prevents its administrators from using other measures to restrict its accessibility even further, an example of which is only allowing certain IP addresses to connect or perhaps limiting the range of IPs to the ones that originate from a certain country.
The invisible parts of the web do not necessarily mean “illegal activity”
Note that the inaccessible parts of the dark webwebsites do not necessarily need to host illegal content or act as a gathering place for criminals.
Even in this day and age, certain authoritarian countries with oppressive political regimes are very aggressive when it comes to prosecuting their political opponents.
As such, the need may arise for like-minded individuals to voice their opinion and interact with each other in a safe place where simply speaking one’s mind won’t lead to undesirable consequences or endanger one’s freedom and safety.
To counteract the oppressive regime of certain countries, journalists and free thinkers often use the same tools as cybercriminals to secretly communicate with each other.
Regardless of the fact that members of such a hidden open-minded conversation spot aren’t involved in any kind of illegal activity, they may use the exact same means of concealing their true identity that criminals would resort to.
Keep in mind that in most countries, merely the act of concealing your true identity on the internet (as well as other personally-identifiable factors such as one’s IP address) is NOT considered a crime.
However, one of the rare examples of the norm is China which had decided to ban the use of VPNs and incorporate them with their Great Firewall internet protection years ago. If you’re caught using one in China, you could be likely charged with a crime despite having committed no otherwise ethically or legally questionable deeds.
Dividing the worldwide web into 3 categories based on searchability / visibility
When investigating any kind of online activity, it’s important to keep in mind that the world wide web can generally be classified into 3 tiers based on how easy it is to access.
Surface web
This is the traditional internet as we know it.
The surface web consists of web pages anyone can access (typically, these are crawlable by Google’s spiders, thus making it searchable as well).
Examples:
Forums
eCommerce websites
Ordinary websites
Web galleries
YouTube
etc. (basically any publicly accessible website)
Deep web
Delving a little bit deeper into the invisible layers of the internet, we have the deep web.
Since these kinds of pages tend to require the right login credentials for you to access them, search engine crawlers will be unable to archive this content.
As you can see from the examples below, deep web features elements of privacy, but not those of criminal activity.
Therefore, there is no reason to conceal one’s identity while accessing it.
Examples:
Court records
Subscription-based services
Personal messages and email accounts
Dark web
The dark web is where shady dealings tend to happen.
As a general rule of thumb, you will not be able to access it without knowing the exact IP address of the website, and even then, the contents may be protected with a password.
Oftentimes, these will be .onion websites that are only accessible via the tor browser dark web. The people who post on these dark corners of the internet will never reveal their real name (and if they do, you can be absolutely sure it’s a fake or a pseudonym).
Examples of illegal services that get traded on the dark web:
Drug trade
Weapons dealing
Human trafficking
Hacks and exploits
Illegal adult videos
Is accessing the dark web illegal per se?
In short, NO.
After all, observing a crime is not the same as participating in it.
However, investigators should document every step and consult the legal department (more on this in the sections below).
How malicious actors hide their identity when accessing the dark web?
Since hardly anyone would be careless enough to leave a trail behind when accessing the dark web (remember, your IP can be traced back to your physical location), malicious actors use a plethora of tools designed to anonymize their identity.
Below, we’ll list some of the common ones:
Tor
Originally designed in the 90s, The Onion Router (or Tor for short) is a popular open source software for anonymizing one’s IP address (and thus identity).
In addition, it also masks info pertaining to the local PC, thereby thwarting all fingerprinting attempts.
By using it, it’s possible to establish anonymous communication with others. In essence, it works by routing the connection between thousands of volunteer networks.
Although it can also be classified as a dark web service, one of its uses is acting as means of communication between intelligence professionals. At the time of writing, it’s the largest and most widely recognized open-source service of its kind.
TOR was designed for privacy in mind.
ZeroNet
ZeroNet follows a peer-to-peer web hosting model, which means the dark web that can be accessed through it is not actually hosted on any domain. Not only does this make it hard to trace by design, but it’s also next to impossible to shut down the content that gets distributed through it.
After all, it’s not hosted in a single place.
Unlike some similar solutions, you can use a regular browser to access the desired dark web content as long as you have the application running in the background.
As a dark web investigator, please keep in mind that ZeroNet does NOT anonymize your connection by default, so additional safety measures will be needed.
I2P
Available since 2003, I2P is a tool through which you can access the dark web.
Since it heavily focuses on encryption and anonymization, your connection and IP will stay safe from prying eyes.
One major difference between I2P and TOR is that the latter uses a single thread for encryption while the former handles encryption through a peer-to-peer model.
To access the dark web via I2P, you’re going to need to connect through a browser while the application is running in the background.
Since the connection is bounced through many peers, each of them serving as a node, it’s impossible for someone to trace your IP address.
Note that not everyone who uses I2P is a bad actor, since It’s also used by journalists from countries with oppressive regimes who want to spread the news without repercussions from the government.
Freenet
Freenet was created in the year of 2000 as a means of sharing decentralized data. It uses a peer-to-peer model, meaning that no one can stop the flow of data between individuals (since it’s not hosted on any domain or server).
One of its distinct features is that it has 2 modes:
Open net: a mode that allows for establishing a connection between any 2 users
Dark net: a mode that only allows sharing data between 2 specific friendly individuals
The core concept of its design is to provide a safe and anonymous way for 2 known contacts to exchange information with one another.
Although the service was originally intended to be used by innocent civilians to outrun an oppressive regime, nowadays, it’s most often used by criminals for exchanging illegal content.
VPN
A Virtual Private Network (or VPN for short) is a middleman that acts as an intermediary between the local client and the server you’re trying to connect to, effectively forwarding the data received back to the local machine.
By establishing an encrypted tunnel between these two destinations, no one can intercept the data being exchanged.
In addition, it also masks your IP.
Nowadays, there are more VPN service providers than you can count.
To get a hold of someone’s real identity that was masked by a VPN, an investigator would have to present a court order to the company operating the service. However, even then, you may find that they hold a policy of not storing data about their clients, thus leading the investigation to a dead end.
A VPN protects against many things, including leaking your IP address and having your data intercepted by an unauthorized third party.
The importance of digital footprints in a digital crime investigation
Digital footprints are a way to identify someone even if they try to conceal their IP through a VPN. They are comprised of various information such as:
Browser (name, version)
OS
Hardware (graphics card, type of device…)
Locale
Keyboard configuration
Installed software
Battery status
As a dark web investigator, be advised this applies to you as well.
In other words, even if your IP is protected by a VPN, certain identifiable variables could still leak through (please see the list above).
Therefore, it’s of paramount importance to take the necessary precautions.
Digital fingerprinting collects data from your device to track you, even if your IP is hidden.
The risks of investigating the dark web (and how to stay safe)
Malware
Simply by accessing a suspicious website, you could subject your PC to the risk of a malware infection.
To mitigate the risk and prevent the potential malware from spreading to your main device, you should consider accessing it from a virtual device (see virtualization solutions such as Virtualbox).
At the same time, a virtual environment will also minimize your digital footprint.
Being identified
Leaking your real identity and placing it in the hands of criminals is never a good idea – you don’t want to alert them of your presence!
Not only could this jeopardize the entire digital forensics investigation, but also invite harm’s way in the form of physical retaliation.
Therefore, you should hide your IP and digital footprint to avoid spooking them off or you yourself being marked as a criminal by other online investigators.
Legal
During a dark web investigation, the last thing you’d want is to be confused with a criminal, so you should consult your legal department about the possible ramifications and prepare the necessary rules of engagement (in other words, the dos and don’ts should be transparent and clear).
The investigative work you do must always comply with your organization’s policies. In addition to that, you should document every move you make.
In case your organization ever faces any legal pressure, you will be able to present all the necessary paperwork and thus give your actions the necessary legal framework.
Given all of the above, you should always ask yourself this: is accessing the dark web paramount to cracking the case, or is perhaps the information you seek obtainable from other sources?
Remember that the sheer act of accessing the dark web browser comes with inherent risks. In case the information you seek can be found elsewhere, you should check these first before taking on any unnecessary risk.
Avoid these big dark web investigation no-no's
MISTAKE 1: Revealing someone’s true identity
Whether it be someone else’s identity or your own, you should never reveal it. The reason being is that masquerading as another real person could endanger their safety and you could even face legal repercussions.
If you must, use a fictitious persona instead.
MISTAKE 2: Waltzing off with no direction
Every single step you make on the dark web should be strategized well in advance of committing to it.
Having a documented plan of engagement will also cover you in case your organization comes under scrutiny from another law enforcement organization.
MISTAKE 3: Trying to access password-protected content
During your dark web investigation, you may come across certain sections that require additional login credentials for you to access them.
If you don’t know the password, don’t try to guess your way though! You don’t want to let them know that they have unwelcome guests.
There are tools that can help you unmask the criminals
As untraceable as the dark web may seem, there is a glimmer of hope. In other words, there is no such thing as a perfect crime and criminals often make mistakes or leave accidental traces behind.
The tools listed below can help steer your investigation the right way:
Bitcoin Who’s Who
When seeking payment for their illegal services, criminals will use Bitcoin as their currency of choice due to its (pseudo)anonymous nature.
Unless the necessary precautions are taken, however, certain personally-identifying information can be attached to someone’s Bitcoin address, including the last known IP address.
Bitcoin Who’s Who lets you trace it.
Therefore, when investigating Bitcoin transactions, see how many BTC are on there and if the address is associated with someone’s real-life identity.
In addition, there are online tools that will help you monitor it by sending out automated alerts when transactions are being made with it.
Blockchain Explorer
This tool works similarly to the one listed above, with the addition of also supporting Ethereum.
If you know someone’s digital wallet address, you will be able to see all the transactions made to and from it.
It also allows you to make a search based on certain parameters such as block hash, transaction hash, public key, block number, etc.
Tools that let you read EXIF data
When someone takes a photo with a digital device, it stores certain information about where it was taken, what device it was taken with, and even the lens that was used.
Certain tools like DRS allow you to extract and investigate such data, potentially giving you an important clue about where a criminal may be located.
Conclusion
The dark web can be a scary place indeed.
However, by learning how to conduct the investigation the right way, you will be able to stay safe and not give away unnecessary information about you and your organization during the investigation.
At the same time, you should take care to stay on the right side of the law at all times.