Guide: Dark Web Investigation
Guide: Dark Web Investigation
Guide: Dark Web Investigation
GUIDE
Contents
1. Introduction 3
2. Setting up Chrome for Dark Web Access 5
3. Setting up Virtual Machines for Dark Web Access 9
4. Starting Points for Tor Investigations 20
5. Technical Clues for De-Anonymizing Hidden Services 22
5.1 Censys.io SSL Certificates 23
6. Conclusion 26
2
Dark Web Investigation Guide
1
1. Introduction
3
Introduction
There is a lot of confusion about what the dark web is vs. the deep web. The dark web is part of the
Internet that is not accessible through traditional means. It requires that you use a technology like
1
Tor (The Onion Router) or I2P (Invisible Internet Project) in order to access websites, email or other
services.
The deep web is slightly different. The deep web is made of all the webpages or entire websites that
have not been crawled by a search engine. This could be because they are hidden behind paywalls
or require a username and password to access.
We are going to be setting up access to the dark web with a focus on the Tor network. We are going
to accomplish this in two different ways.
The first way is to use the Tor Browser to get Google Chrome connected to the the Tor network. This is
the less private and secure option, but it is the easiest to set up and use and is sufficient for accessing
material on the dark web.
The second way is to use a virtual machine setup to create a much more secure environment to
perform investigations. Don’t be afraid of the terminology, this is pretty straightforward. It’s also a bit
more resource intensive, but that shouldn’t be a problem as long as your computer is reasonably
modern.
The reason we focus on Chrome is that we hope you are going to take Hunchly along for the ride so
that you can automatically capture hidden service pages, extract EXIF metadata from photos, and
leverage some of the investigative tools in Hunchly to make your life easier.
!
WARNING
This is important. This guide is NOT a guide on how to remain hidden, anonymous or
how to perform undercover operations online. This goes for the dark web or otherwise.
This guide is here to help you get setup using Google Chrome to access Tor resources,
and how to leverage Hunchly to capture evidence while you do it.
There are numerous references online that you can find that will help you with staying
hidden. This is not one of them.
4
Dark Web Investigation Guide
2
2. Setting up Chrome
for Dark Web Access
5
Setting up Chrome for Dark Web Access
Be warned this is the least secure method for accessing Tor with Chrome but I often use it for quick
hidden service checks.
Step 1
Download and install Tor Browser: https://www.torproject.org/download/download
Step 2
Download and install Google Chrome: https://www.google.com/chrome/
Step 3
Start Tor browser and leave it running. This will provide our connection to Tor for us.
Step 4
Now we need to get Chrome to proxy its traffic through Tor. The setup is slightly different for each
operating system:
Windows
1 You should have a Chrome shortcut on your desktop. Right-click on it and select Copy.
6
Setting up Chrome for Dark Web Access
Step 4 continued...
2
5 In the target field add the following after the chrome.exe part:
--proxy-server="socks5://localhost:9150" --host-resolverrules="MAP *
~NOTFOUND , EXCLUDE localhost"
7 Make sure you have all Chrome windows closed and then double click your Chrome Tor
shortcut.
8 You should see Chrome open and you can now proceed to step 5 below to verify for your
connection.
Mac OS X
1 If Chrome is open, close it (right-click on Chrome in the dock and select Quit).
3 Double-click on Terminal.
4 Copy and paste this command into the Terminal window, and press Enter:
5 Chrome should open and you can now proceed to step 5 below to verify for your
connection.
Linux
Generally Chrome will be installed as google-chrome and can be accessed from anywhere in
your terminal. As Linux installs vary greatly we are going to assume this is the case.
7
Setting up Chrome for Dark Web Access
Step 4 continued...
2
1 If Chrome is open, close it.
3 Copy and paste the following command into the terminal window:
4 You should see Chrome open and you can now proceed to step 5 below to verify for your
connection.
Step 5
Now we need to verify that everything is working. In your Chrome Tor browser window head to:
https://check.torproject.org
You should see a message that you are connected to Tor but not using a Tor Browser. This indicates that
you have set everything up successfully.
8
Dark Web Investigation Guide
3
9
Setting up Virtual Machines for Dark Web Access
We will use Buscador, an OSINT-focused virtual machine by David Westcott and Michael Bazzell,
for our investigation virtual machine. The gateway virtual machine that will forward all traffic will use
Whonix.
One awesome thing with Buscador is that it is configured to automatically allow you to browse both
Tor and I2P by default. So you may wonder to yourself: well why go through all of the trouble of setting
up these two virtual machines? The answer is that with our setup, we will route all traffic through Tor.
This means any command line tools or additional software on Buscador will also use Tor and not just
your web browser.
If you don’t feel like setting up the full “paranoid” version, you can stop after getting Buscador imported
and starting it up, and skip all of the networking / Whonix parts.
Step 1
Download and install Virtual Box for your operating system here:
https://www.virtualbox.org/wiki/Downloads
Step 2
Download the Buscador virtual machine:
https://inteltechniques.com/buscador/
Step 3
Download the Whonix Gateway virtual machine (only the gateway is required):
https://www.whonix.org/wiki/VirtualBox/CLI
Once you have all three downloaded and Virtual Box installed we can now begin importing the virtual
machines. First we will import the Whonix Gateway.
10
Setting up Virtual Machines for Dark Web Access
Step 4
3
From the File Menu select Import Appliance. On the next screen click the folder icon and browse to the
location where you stored the Whonix Gateway download:
Step 5
Click the Continue button and on the resulting screen click Import and then Agree.
11
Setting up Virtual Machines for Dark Web Access
Step 6
3
The import can take a few seconds to a few minutes depending on your computer hardware. When it is
finished you should see the virtual machine in the left hand panel of virtual box as shown below.
Step 7
Click on the Whonix gateway virtual machine and then click the Start button above it. You will see a new
window open with the Whonix Gateway starting up.
12
Setting up Virtual Machines for Dark Web Access
Step 8
3
Now you can login by using the user “root” and the password “changeme”. This should kickoff the
Whonix setup. If you do not see the setup screen shown below, simply type: whonixsetup and hit Enter
on your keyboard.
Step 9
Hit Enter with the OK button highlighted, and in the next screen hit Enter again. You should see a
message that Tor has been successfully enabled. Hit OK and you can now minimize the window.
NOTE: to get your mouse out of the virtual machine you hit CTRL+ALT on your keyboard
(CTRL+COMMAND on Mac).
Step 10
Now we’ll import the Buscador virtual machine. Click File - Import Appliance, then select the location of
your Buscador download and click Import.
Step 11
Once it is successfully imported we need to change its network configuration to force all traffic out of our
Whonix gateway. Select the Buscador virtual machine and click the Settings button.
13
Setting up Virtual Machines for Dark Web Access
Step 12
3
Click on the Network tab and set Interface 1 to connect to the internal network Whonix as shown below.
Step 13
Click the OK button which will close the Settings panel. Now select the Buscador virtual machine and
click Start.
Step 14
Once the virtual machine has started the password is: osint to login to the machine.
14
Setting up Virtual Machines for Dark Web Access
Step 15
3
Now we need to reconfigure the Buscador VM so that it will route all of its traffic through our Whonix
gateway. Click the Network icon shown below, and select the PCI Ethernet Connected item to expand
it and then click Wired Settings.
Step 16
In the next view click the Gear icon in the bottom right as shown below.
15
Setting up Virtual Machines for Dark Web Access
Step 17
3
Click the OK button which will close the Settings panel. Now select the Buscador virtual machine and
click Start.
Step 18
In the properties screen we need to make a number of adjustments, and each are labelled in the figure
below. When you are done, click the Apply button.
16
Setting up Virtual Machines for Dark Web Access
Step 19
3
Once you have clicked Apply toggle the interface off and then on for it to pick up your new settings. You
should see your IP address be set to 10.152.152.11 as shown below.
Step 20
Awesome, now we can test that our connection is going out through Tor. Click the Browsers shortcut
in the left hand toolbar in Buscador and double click the Google Chrome icon. Once Chrome starts
browse to: https://check.torproject.org
17
Setting up Virtual Machines for Dark Web Access
Step 21
3
If all goes well you should see a message similar to the one below that indicates you are connected to
the Tor network.
Step 22
Now we just have one more slight thing to change in Chrome to enable us to browse to hidden services.
By default Buscador will allow you to visit .onion addresses through a Tor proxy. We need to disable this
extension by going to: chrome://extensions in your Chrome URL bar. Find the Proxy SwitchyOmega
extension and toggle it off as shown below.
18
Setting up Virtual Machines for Dark Web Access
Step 23
3
Great! Now we can test that we can reach hidden services by clicking the Duck (Onion) bookmark as
shown. If DuckDuckGo (the hidden service) loads up for you then you are done with your setup and you
can begin doing some investigations on Tor!
OPTIONAL
Improve your Dark Web Investigations with Hunchly
19
Dark Web Investigation Guide
4
20
Starting Points for Tor Investigations
Often first-time dark web investigators are faced with the immediate problem of finding a starting point
4
to begin dipping their toes in. There are a few resources that you can tap into that can help create a
starting point for your investigations.
2 Reddit/r/onions
This is a good place where Reddit contributors are discussing hidden services on Tor and can
sometimes yield good starting points for investigations.
3 DeepDotWeb.com
This is a news site for all things dark web, and they also include up to date information on dark web
marketplaces on Tor. Definitely a site to watch or use as a jumping off point.
Using any one of these resources will give you a place to start accessing Tor hidden services and start
to see how they operate. You’ll be pleasantly surprised that they work exactly like surface websites.
21
Dark Web Investigation Guide
5
22
Technical Clues for De-Anonymizing Hidden Services
You can actually search through Censys.io for these tidbits of information. For example, to find all surface
web sites that have a .onion SSL certificate (meaning they are already de-anonymized potentially):
443.https.tls.certificate.parsed.names: onion
This should give you a list of IP addresses where there were SSL certificates that had hidden service
addresses in them.
23
Technical Clues for De-Anonymizing Hidden Services
ssl:“.onion”
“.onion”
By examining the results you can spot any sites that may be misconfigured that may indicate where they
are located.
24
Technical Clues for De-Anonymizing Hidden Services
Finding the Real Origin IPs Hiding Behind CloudFlare or Tor - SecJuice
OnionScan (tool)
25
Dark Web Investigation Guide
6
6. Conclusion
26
Conclusion
6
Dark web investigations are not as scary as one might think, but it is important to have your investigation
goals set out before you start poking around. Think about your target, the risk of you being discovered,
and ultimately what you are trying to glean.
The rest of it is just simply applying all of your investigative knowledge like you would any other
investigation. Look for email addresses, try to spot patterns, and more than anything be tenacious.
If you need a hand with anything or have any questions please just send me a note: [email protected]
Happy hunting!
Justin Seitz
27
www.hunch.ly