By Steve Adams
The dark web contains a wealth of information for criminal investigators to uncover. As the dark web continues to grow as a platform for illicit activity, it’s more important than ever for investigators to equip themselves with the right tools to navigate it.
But first, let’s start with the basics.
Real quick, remind me what the dark web is?
The dark web is a section of the internet that is hidden and cannot be accessed through traditional web browsers, such as Chrome or Firefox. The dark web enables anonymous and secure communication channels, which are used by governments, activists and oppressed citizens. The dark web also provides an encrypted hub for criminal activity to take place where sellers and buyers can conduct transactions digitally and anonymously using cryptocurrency. Dark web marketplaces enable the trade of illegal goods and services, including child sexual exploitation materials, drugs, weapons and stolen personal data.
How does the dark web complicate criminal investigations?
Dark web activity is conducted anonymously, meaning law enforcement struggles to link activity to offenders. Adding to investigative complexity, dark web-based criminal activity occurs worldwide and often outside a law enforcement agency’s jurisdiction. Given that, these investigations frequently require collaboration between international law enforcement agencies.
While accessing the dark web is legal, trading illegal items on it is not. Items may be sold disguised as innocuous items, such as sneakers, while advertised with an established code that represents illicit materials. This practice, which occurs on both the surface web and dark web, enables crimes like human trafficking to go undetected by law enforcement. Norwich University has estimated that there is roughly $100,000,000 worth of revenue generated annually from transactions of goods and services on the dark web.
Dark web investigations in the real world
A notable example of a collaborative dark web investigation is Operation DisrupTor, which involved several separate but complementary operations coordinated by Europol and Eurojust. These operations, which targeted illegal marketplaces, involved law enforcement agencies across North America, Europe and Australia.
Several law enforcement agencies have created teams that specialize in conducting dark web investigations; the FBI has established the Hi-Tech Organized Crime Unit, while the UK’s National Crime Agency developed the Darkweb, Intelligence, Collection and Exploitation (D.I.C.E) team. However, dark web-based investigations cannot rely exclusively on specialized teams due to the scale of activity that takes place. Therefore, law enforcement officers must be able to safely conduct their own dark web research.
Know before you go
Investigators who conduct activity on the dark web require specialized training and tools, such as Tor, VPNs and screen capture software. An audit must be created to record any investigative activity because dark web content can be explicit and illegal. Screen recordings should be taken during all activities to ensure that an investigator can show that materials were featured as part of an investigation, not sought out for personal use.
There are mental health risks associated with dark web-based research, as materials may contain images and videos that can leave a negative impact. The necessity of tools and the risks associated with conducting activity can put off law enforcement officers. However, not all dark web research requires investigators to access the dark web itself.
How to capture dark web information
Dark web information can be collected on the surface web and deep web from several sources. Below is an outline of possible steps that can be taken by a digital investigator to manually capture information from the dark web.
Have I Been Pwned enables users to identify whether an email address or phone number has been compromised within any data breaches. This site is intended for use by internet users to check their own personal details. However, it can also be used by investigators to check their subject’s personal details.
Files sold on the dark web frequently contain data leaked from online services that contain personally identifiable information. These files are indexed by services, including Have I Been Pwned, which enables you to search them for names, email addresses and phone numbers. Have I Been Pwned will tell you if an email address or phone number has been breached and from which sources. During an investigation, the breach sources can provide an insight into a subject, such as identifying them as heavy users of pornography or of online marketplaces.
Dehashed and Snusbase are low-cost services that allow you to build on the information learned from Have I Been Pwned. You can search for breached data relating to a range of information including IP addresses, usernames, email addresses and more. Unlike Have I Been Pwned, these services provide relevant breached data, including passwords and IP addresses. Data can also be reverse searched in-platform, so any information like IP addresses that are found from a search can be searched themselves to find any other accounts linked to that data point. Usernames identified can also be reverse searched on the surface web and deep web using platforms like Whatsmyname.
Intelligence X is a search engine and data archive that lets you search for records in Tor and I2P, and data leaks against domain names, URL’s email addresses and IP addresses. Unlike Dehashed and Snusbase, Intelligence X includes a limited number of free searches. The data is also less extensive or is redacted.
ipapi.co allows you to search for an IP address to retrieve details including location, ISP, timezone and currency. ipapi tells you the exact location of any IP address found during your investigation, enabling you to conduct a physical investigation or pass information to the correct law enforcement agency. ipapi is also an API service, which allows you to incorporate data from the platform into your own technical solutions.
Dread Forum and dark.fail provide a list of active dark web marketplaces for occasions where investigations require investigators to access the dark web. Dark web marketplace URLs change to keep law enforcement at bay; therefore, it is necessary to get the latest URL from these sites before accessing any marketplace. Any URL on these lists should be accessed using the TOR browser.
Skopenow.com is an automated solution that enables digital investigators to incorporate dark web data into their investigations without the need for manual processes. Skopenow enables users to search for dark web data, including web domains, IP addresses, cryptocurrency and bank/credit cards and uses any discovered dark web data to search for matches within the surface web and deep web. Association links can be identified on any data type within Skopenow, which means that dark web data relating to two different subjects, like IP addresses, can be searched for any links between those two individuals on the internet.
Recognizing the value of information available from the dark web, particularly personal identifying information contained within data breaches, can enhance your digital investigations, providing further information and value to your investigations.
About the author
Steve Adams is a criminal intelligence specialist who works with a focus on internet investigations. Steve is the Product Marketing Manager at Skopenow, where he communicates the features and benefits of Skopenow’s products and demonstrates techniques for internet investigations (OSINT) through webinars and written communications. Steve previously worked in UK law enforcement and has extensive experience providing training in criminal and security intelligence. Steve also presents Skopenow’s free monthly OSINT webinars, which you can find out more information about here.