My Approach to Dark Web Investigations

Photo by Surface on Unsplash

After numerous presentations and trainings on darknet investigations, here's my advice and approach. This is just how I've evolved to do them over the past decade. Your process and results may vary. I'm interested in learning more, always. My contact page is accurate.

Background

My presentations give a lot of the background as to why I do them this way, but I'll spare you the 45 minutes of sharing stories and make this post concise. In fact, let's build up to the approach I use today. I'm using the terms darknet and darkweb fairly interchangeably. For most people, they are the same. We can discuss the nuances of the dark network versus the dark web site or browser later. These levels are the base setup. Once set up, use your normal open source intelligence (OSINT) techniques.

101

  1. Create a new user on your device (laptop, desktop, tablet, phone, etc). Logout from your account and login to the new user account.
  2. Download Tor Browser, ZeroNet, or whatever your target darknet is, from wherever you can safely find it (website, app store, etc).
  3. Take lots of screenshots or "print to pdf" as you do your investigation. Bookmark lots of pages as you investigate. Number your bookmarks as you save them, e.g. "3 - forum post of username X", or something along those lines. It'll help you remember the state of the investigation as you were doing it.

201

  1. Use a clean device; preferably a laptop or desktop. Install a fresh operating system, whichever you are most familiar with (Windows, MacOS, Redox OS, etc).
  2. Download Tor Browser, ZeroNet, or whatever your target darknet is, from wherever you can safely find it (website, app store, etc).
  3. Take lots of screenshots or "print to pdf" as you do your investigation. Bookmark lots of pages as you investigate. Number your bookmarks as you save them, e.g. "3 - forum post of username X", or something along those lines. It'll help you remember the state of the investigation as you were doing it.

202

  1. Acquire a used laptop or desktop from eBay, Craigslist, or any secondhand market you prefer. Flea markets are great for this purpose.
  2. Securely erase the disk and install an operating system, whichever you are most familiar with (Windows, MacOS, Redox OS, etc).
  3. Dedicate a mobile hotspot or an old mobile phone to be used as a hotspot. Only connect your device from #1 to this hotspot. Never let the device connect to any other Internet connection or network.
  4. Create a new user for each investigation with a name that reflects the case, e.g. "Walmart Labs", "FBI Case 1", "Retirement Fraud Case 3". Only use the named user with the named case, e.g. do not investigate the FBI case as the user "Walmart Labs".
  5. Download Tor Browser, ZeroNet, or whatever your target darknet is, from wherever you can safely find it (website, app store, etc).
  6. Take lots of screenshots or "print to pdf" as you do your investigation. Bookmark lots of pages as you investigate. Number your bookmarks as you save them, e.g. "3 - forum post of username X", or something along those lines. It'll help you remember the state of the investigation as you were doing it.
  7. All of the history and data is saved as each user. So long as you stick to the plan, the data is there until you decide to wipe it.
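The numbered screenshot/PDF step appears in 101, 201 and 202 above. Below is an added example (my own, not the post's) of how to keep that numbering continuous and make each capture verifiable later: every saved page is copied under a sequence number, hashed, and logged with a timestamp and description, and the log can be re-checked at any time. It assumes a POSIX shell with coreutils (sha256sum, or shasum on macOS); `EVIDENCE_DIR` is a hypothetical per-case folder inside the case user's home.

```shell
#!/bin/sh
# Numbered evidence log with integrity hashes (added example, not code from the post).
# Assumptions: POSIX sh with coreutils (sha256sum, or shasum on macOS), cp, date, wc.
# EVIDENCE_DIR is a hypothetical per-case folder; point it at the case user's home.

EVIDENCE_DIR="${EVIDENCE_DIR:-$HOME/case-evidence}"

# sha256 of a file, using whichever tool the OS provides
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Next sequence number, derived from the log so numbering never restarts mid-case
next_seq() {
    log="$EVIDENCE_DIR/evidence.log"
    if [ -f "$log" ]; then
        echo $(( $(wc -l < "$log") + 1 ))
    else
        echo 1
    fi
}

# record_evidence FILE "description"
# Copies FILE into the case folder as NNN.ext, hashes the copy and appends one
# tab-separated line: seq, UTC time, original name, sha256, description.
# Prints the stored path.
record_evidence() {
    src="$1"; desc="$2"
    [ -f "$src" ] || { echo "record_evidence: no such file: $src" >&2; return 1; }
    mkdir -p "$EVIDENCE_DIR"
    seq=$(next_seq)
    name=$(basename "$src")
    ext="${name##*.}"
    [ "$ext" = "$name" ] && ext="bin"      # file had no extension
    dest="$EVIDENCE_DIR/$(printf '%03d' "$seq").$ext"
    cp "$src" "$dest"
    printf '%s\t%s\t%s\t%s\t%s\n' "$seq" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$name" "$(hash_file "$dest")" "$desc" >> "$EVIDENCE_DIR/evidence.log"
    echo "$dest"
}

# verify_evidence: re-hash every stored capture against the log.
# Returns 0 if all match, 1 if any capture is missing or altered.
verify_evidence() {
    log="$EVIDENCE_DIR/evidence.log"
    [ -f "$log" ] || { echo "verify_evidence: no log at $log" >&2; return 1; }
    bad=0
    tab=$(printf '\t')
    while IFS="$tab" read -r seq ts name sum desc; do
        stored=$(ls "$EVIDENCE_DIR"/$(printf '%03d' "$seq").* 2>/dev/null | head -n 1)
        if [ -z "$stored" ] || [ "$(hash_file "$stored")" != "$sum" ]; then
            echo "MISMATCH: #$seq ($name, $ts)" >&2
            bad=1
        fi
    done < "$log"
    return $bad
}

# demo: constructed sample captures in a temporary folder
demo() {
    EVIDENCE_DIR=$(mktemp -d)
    page="$(mktemp -d)/page.txt"
    printf 'constructed sample: forum post by username X\n' > "$page"
    record_evidence "$page" "forum post of username X"
    record_evidence "$page" "same post after refresh"
    cat "$EVIDENCE_DIR/evidence.log"
    verify_evidence && echo "all captures intact"
}
```

Source the file from the case user's shell and call `record_evidence ~/Downloads/page.pdf "forum post of username X"` after each print-to-PDF; the returned path is the numbered copy. Run `verify_evidence` before handing the folder to anyone else, so you can show the captures are the ones you took.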

301

  1. Acquire a used laptop or desktop from eBay, Craigslist, or any secondhand market you prefer. Flea markets are great for this purpose.
  2. Securely erase the disk and install an operating system, whichever you are most familiar with (Windows, MacOS, Redox OS, etc).
  3. Acquire a prepaid SIM card and a midrange smartphone or hotspot. Only connect your device from #1 to this hotspot. Never let the device connect to any other Internet connection or network.
  4. In your new operating system, create an administrator user. Login to this admin user and create a temporary user. Use this temp user account to create a fake person using one of the many websites available. Save everything about this fake person to a common place on the filesystem, but outside of the temporary user's home. Generally someplace like C:\Temp or /tmp/, depending on your operating system.
  5. Logout from the temp user, login as admin. Delete the temporary user. Create a new user named as the fake person you just generated.
  6. Install your favorite virtual machine software (VMware, VirtualBox, KVM, QEMU, etc).
  7. Create a new virtual machine using your second most familiar operating system. For example, if Windows is your main system, use Ubuntu Linux or something.
  8. Create a virtual machine for every investigation. Use it only for that investigation.
  9. Set up the virtual machine according to the steps in 101.

302

Same as 301, but between 3 and 4, get a VPN provider. The base OS should use the VPN all the time. Route all traffic through the VPN. If you can, have the VPN block all traffic until it connects. Some VPNs do this natively. Some can be configured to do so. If your chosen one cannot, then choose another.

303

  1. Create a new user on your device (laptop, desktop, tablet, phone, etc). Logout from your account and login to the new user account.
  2. Use a remote virtual desktop. Sign up with AWS Workspace, Paperspace, Azure Windows Virtual Desktop, or Macstadium.
  3. Follow steps 4-7 from 202 above.

More Complex

If you want to get more complex, prior to the steps in 302 or 303,

  1. Create a fake person using one of the many websites available. Get a prepaid mobile phone or virtual number in the name of this fake person.
  2. Get a prepaid debit card or gift card. Signup as the fake person.
  3. And then use the steps in 303. Steps 2 and 3 may not be legal in your jurisdiction, country, etc.

Background Redux

Another way to think of this is as either increasingly mitigating risk or simply being more paranoid.

The new account at least mitigates the basic risk of someone finding out your personal info from your normal account.

A clean device separates your personal info from the investigation by clear physical separation.

A used, clean device separates the history of the device from you and accomplishes the separation.

A hotspot/mobile phone separates the other devices on your network from the investigation. It also makes it less obvious to an outside observer what you are doing and what you are investigating.

A prepaid hotspot/phone mitigates the same risk as the last item, but also separates the investigation from your personal or work mobile account.

Naming accounts by case keeps each investigation separate so you don't cross-contaminate any evidence. Using separate virtual machines does this as well.

Using a virtual machine separates risks in the base operating system, the virtual machine software, and the operating system in the virtual machine from each other. I've investigated malware which attempts to break out of the guest operating system and into the base OS to figure out who/what/where the investigation is occurring.

Using a remote virtual desktop separates the investigation from your network. Same basic concept as the hotspot. Don't risk your other devices to one click.

The assumption is you will get infected with malware at some point. A virtual machine or remote virtual desktop at least can try to separate this infection from your local network and devices.

The fake persona is so any malware or information disclosure by your software is not tied to you. Lots of chat software will share your system username with others by default.

The VPN software will disconnect at the worst time (typically direct file transfers). If this happens, it exposes your mobile hotspot IP addresses (v4 and/or v6) and possibly your location by IP address. Hey, everyone needs to work on business or be traveling somewhere for some reason.
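The "block all traffic until the VPN connects" requirement from 302, and the hotspot-IP exposure described just above, are both addressed by a firewall kill switch on the base OS. The following is an added example of my own, not code from the post: it generates an nftables ruleset in which the only cleartext traffic allowed out on the hotspot interface is the VPN handshake itself (plus DHCP so the lease survives), and everything else has to go through the tunnel interface or is dropped. It assumes Linux with nftables; the interface names `wlan0`/`tun0` and the endpoint `203.0.113.10` udp/1194 are placeholders to replace with your provider's values.

```shell
#!/bin/sh
# nftables kill switch for the base OS (added example, not code from the post).
# Assumptions (all placeholders): Linux with nftables, the hotspot uplink is wlan0,
# the VPN client creates tun0, and the VPN endpoint is 203.0.113.10 udp/1194.

# gen_killswitch UPLINK_IF VPN_IF VPN_SERVER_IP VPN_PORT [udp|tcp]
# Prints a ruleset in which the only cleartext traffic permitted on the uplink is
# the VPN connection itself (plus DHCP); everything else must use the tunnel.
gen_killswitch() {
    uplink="$1"; vpnif="$2"; server="$3"; port="$4"; proto="${5:-udp}"
    cat <<EOF
flush ruleset
table inet killswitch {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        iifname "$vpnif" accept
        # return traffic only for connections the output chain allowed
        ct state established,related accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "$vpnif" accept
        # let the device keep its lease from the hotspot
        oifname "$uplink" udp dport 67 accept
        # the VPN endpoint is the one permitted cleartext destination
        oifname "$uplink" ip daddr $server $proto dport $port accept
        # nothing else, IPv4 or IPv6, leaves on the uplink (DNS included)
    }
}
EOF
}

# count_uplink_exceptions: number of output rules that allow cleartext on the uplink.
# A kill switch should have exactly two (DHCP and the VPN endpoint); more means a leak.
count_uplink_exceptions() {
    gen_killswitch "$@" | grep -c "oifname \"$1\""
}

# check_killswitch: syntax-check the ruleset with nft without loading it
# (returns 2 if nft is not installed on this machine).
check_killswitch() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 2; }
    gen_killswitch "$@" | nft -c -f -
}

# apply_killswitch: load the ruleset. Run as root, and only on the dedicated
# investigation box: "flush ruleset" replaces whatever firewall rules it had.
apply_killswitch() {
    gen_killswitch "$@" | nft -f -
}
```

Usage on the box: `check_killswitch wlan0 tun0 203.0.113.10 1194 udp` to validate, then `apply_killswitch` with the same arguments as root, and persist it the way your distribution saves nftables rules. With this loaded, a VPN drop during a file transfer stalls the transfer instead of continuing over the hotspot's own v4/v6 addresses, which is the failure the paragraph above describes. The dropped packets are also a useful detection signal: a counter on the output chain's default drop tells you the tunnel went down before the other side does.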

Conclusion

These are the "do it yourself" instructions. There are commercial companies that can do this via automation and/or at a larger scale. Of course, the costs are much higher than anything suggested here.