
Dark Web 2 investigations

Glenn K. Bard
CISSP, EnCE, CFCE, CHFI, A+, Network+, Security+, ACE, AME
PATCtech Chief Technical Officer
PA State Trooper – Retired
NCMEC – Project ALERT

What is the Dark Web

• In simplest terms:
• It is part of the – and means that its contents are not indexed by conventional search engines such as Google, Bing and so on.
• However, there are Onion search engines, like Duck Duck Go, which index Onion addresses for Services.
• It must be accessed using specific software. Normal web browsers can not access Dark Web sites.
• One of the most popular resources used to access the Dark Web is TOR, formerly known as The Onion Router.
• There are others though, such as Freenet and I2P.

What is the Dark Web

• What is it used for?
• Many people use it just to stay anonymous.
• Others use it to commit crimes.
• There are also very useful benefits:
• Citizens in oppressed countries researching science, religion, democracy and so on.

How do you access the Dark Web

• As with all things, make sure you download the tools directly from the source. For example, only download Tor from torproject.org. Don’t get it from other sites, as it can be filled with viruses.

Tor

• What is Tor?
• “Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.”
• It can be obtained from:
• https://www.torproject.org/

Tor

But there are others

• Freenet
• I2P

Freenet

• What is Freenet?
• “Freenet is a peer-to-peer platform for censorship-resistant communication and publishing.”
• It can be obtained from:
• https://freenetproject.org/author/freenet-project-inc.html

Freenet

I2P

• What is I2P?
• “I2P is an anonymous overlay network - a network within a network. It is intended to protect communication from dragnet surveillance and monitoring by third parties such as ISPs.”
• It can be obtained from:
• https://geti2p.net/en/

I2P

Tails

• What is Tails?
• “Tails is a live operating system that you can start on almost any computer from a USB stick or a DVD.”
• It can be obtained from:
• https://tails.boum.org/

Tails

It is important to remember

• Clearnet sites CAN be accessed from Tor.
• Onion sites CAN NOT be accessed from the Clearnet.

It is important to remember

Clearnet on Tor

Onion site on Clearnet

Three important rules to survival

• Never let Tor be full screen
• Never have another browser open
• Never open any downloaded files while Tor is still open

• It is also a good idea to create a protonmail.com account to communicate with people on the Dark Web.

Protonmail.com

• Based in Switzerland
• Many Dark Web entities require using it
• Fully encrypted communication

Protonmail.com

So how does the data travel?

In common language, it allows someone to access a network within the , and selects a random exit point to the internet, referred to as the Clearnet. It does NOT spoof the IP, or change the IP address of the source computer. It simply allows the computer to exit to the Clearnet through a different gateway. All of the data is encrypted as it traverses the network, and is only decrypted when it exits Tor.

But officially: The Onion Router

What is Onion Routing?

• Layers of encryption, with each layer being decrypted by successive relays, revealing only the next relay

• The final layer decrypts the original data and sends it to its destination

How does Tor work?

• Free software

• More than 5,000 worldwide volunteer relays

• Tor software encrypts the original data and destination IP address, and then wraps multiple levels of encryption around it

• Each relay only decrypts the identity of the next relay

• Data will appear to originate from its Tor exit node
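The layering described on the two slides above (each relay strips one layer and learns only the next hop; the exit strips the last layer and delivers the original data) can be simulated in a few lines. This is an added example, not code from the presentation or from the Tor project: it uses a toy SHA-256 keystream as the cipher and constructed relay names and keys, purely to show who learns what at each hop. Real Tor uses TLS between relays and negotiated per-hop AES keys, not this scheme.

```python
import hashlib

# Toy onion-routing simulation (added illustration, not Tor's real protocol).
# Each relay shares a key with the client. A layer is: 16-byte next-hop field
# + body, XORed with a keystream derived from that relay's key. Peeling one
# layer reveals only the next hop and the still-encrypted inner layer.

HOP_LEN = 16
NONCE = b"constructed-demo-nonce"  # a real circuit uses fresh per-hop key material


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a toy stream cipher (NOT for real use)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + NONCE + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_layer(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def wrap(next_hop: str, inner: bytes, key: bytes) -> bytes:
    """Add one encryption layer addressed to the relay holding `key`."""
    header = next_hop.encode().ljust(HOP_LEN, b"\0")
    return xor_layer(header + inner, key)


def peel(layer: bytes, key: bytes):
    """What a relay does: strip its own layer and learn only the next hop."""
    plain = xor_layer(layer, key)
    next_hop = plain[:HOP_LEN].rstrip(b"\0").decode(errors="replace")
    return next_hop, plain[HOP_LEN:]


def build_onion(relays, destination: str, message: bytes) -> bytes:
    """Client side: wrap inside-out so the exit's layer is the innermost."""
    onion, next_hop = message, destination
    for name, key in reversed(relays):
        onion = wrap(next_hop, onion, key)
        next_hop = name
    return onion


def traverse(relays, onion: bytes):
    """Relay side: each hop peels one layer; returns what each hop learned."""
    learned = []
    for name, key in relays:
        next_hop, onion = peel(onion, key)
        learned.append((name, next_hop))
    return learned, onion  # the exit ends up holding the plaintext for the destination


# Constructed circuit: guard -> middle -> exit, one key per relay.
RELAYS = [(n, hashlib.sha256(b"constructed-key-" + n.encode()).digest())
          for n in ("guard", "middle", "exit")]
DESTINATION = "clearnet.example"
MESSAGE = b"GET / HTTP/1.0"


def demo():
    onion = build_onion(RELAYS, DESTINATION, MESSAGE)
    learned, delivered = traverse(RELAYS, onion)
    # The outer onion (what the guard receives) reveals neither destination nor payload.
    hidden = DESTINATION.encode() not in onion and MESSAGE not in onion
    return learned, delivered, hidden


if __name__ == "__main__":
    for hop, nxt in demo()[0]:
        print(f"{hop} learned only: next hop = {nxt}")
```

The point for an investigator is visible in the return value of `traverse`: the guard knows the client and the middle relay, the middle relay knows only its two neighbours, and only the exit sees the destination and plaintext, which is why the destination server logs the exit's address.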

So basically

• When we see an IP address, it is the IP of the exit from the network to the Clearnet, and it is NOT the IP address of the suspect computer.
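Because the address in a server log is the exit relay's and not the suspect's, a first triage step is to check observed addresses against a published exit list. This is an added example, not from the presentation: it assumes the `ExitAddress <ip> <timestamp>` line format of the Tor project's exit-address list (https://check.torproject.org/exit-addresses), and both the exit list and the access-log lines below are constructed samples using documentation address ranges.

```python
import ipaddress
import re

# Constructed sample in the ExitAddress format; in practice fetch the current
# list from the Tor project rather than hard-coding it.
EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2024-01-01 00:00:00
LastStatus 2024-01-01 01:00:00
ExitAddress 203.0.113.7 2024-01-01 00:30:00
ExitNode 0000000000000000000000000000000000000002
Published 2024-01-01 00:00:00
LastStatus 2024-01-01 01:00:00
ExitAddress 198.51.100.23 2024-01-01 00:45:00
"""

# Constructed web-server access log (common log format).
ACCESS_LOG = """\
203.0.113.7 - - [01/Jan/2024:00:31:02 +0000] "POST /login HTTP/1.1" 200 512
192.0.2.44 - - [01/Jan/2024:00:32:10 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.23 - - [01/Jan/2024:00:46:55 +0000] "GET /admin HTTP/1.1" 403 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_exit_list(text: str) -> set:
    """Collect every address announced on an ExitAddress line."""
    exits = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            exits.add(ipaddress.ip_address(parts[1]))
    return exits


def flag_tor_exits(log_text: str, exits: set) -> list:
    """Return the log entries whose source address is a known Tor exit."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip = ipaddress.ip_address(m["ip"])
        if ip in exits:
            flagged.append({
                "ip": str(ip),
                "time": m["ts"],
                "request": m["req"],
                "status": int(m["status"]),
                "note": "source is a Tor exit relay; the client's real address is not in this log",
            })
    return flagged


if __name__ == "__main__":
    for entry in flag_tor_exits(ACCESS_LOG, parse_exit_list(EXIT_LIST)):
        print(entry)
```

A hit tells you that the request came through Tor and that subpoenaing the exit operator for the "suspect IP" is pointless; the absence of a hit only means the address was not on the list at the time it was fetched, since exits come and go.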

• Let’s try some experiments

Tor Hidden Services

• Websites and other servers configured to only accept inbound traffic through Tor

• No exit node from Tor, so the entire connection is encrypted
• Black Market Guns, Onion Pharma, Bit pharma
• One thing important to remember is that it is very common for these sites to go up and down regularly.

Some good starting points

• Torch http://xmh57jrzrnw6insl.onion/

• TorLinks http://torlinksd6pdnihy.onion/

• DuckDuckGo http://3g2upl4pq6kufc4m.onion/

• The Hidden Wiki http://zqktlwi4fecvo6ri.onion/wiki/index.php/Main_Page

• Survival Guide https://ssd.eff.org/

Some good starting points

• Let’s check a few of these starting points out.

• But I must warn you, this is the Dark web, and I don’t control the content of these sites. So we will probably see things like guns, human trafficking, counterfeit money, and drugs.

Payment options

• As we just saw, the items for sale had to be purchased by Bitcoin, or other Cryptocurrency.

Bitcoin

• So, what is Bitcoin?

Bitcoin

• Bitcoin is a cryptocurrency and payment system that was unveiled in January of 2009. It works without a central repository, meaning that transactions occur directly from user to user and there is no middle man, for example a bank or government.
• The amount of Bitcoin created in each block is controlled, so it is fairly immune to inflation.

Blockchain

• So what keeps people from just replicating or reproducing Bitcoin?
• Answer: Blockchain

Blockchain

• A blockchain is a growing list of records, known as blocks, that link to earlier blocks using cryptography. Generally speaking, each block points to the previous block along with a time stamp, and the chain is resistant to modification. This is important because Bitcoin uses this technology to keep its records.
• In simple terms, it allows people to see the data without replicating or modifying the data, which of course is important when dealing with currency.

Bitcoin Miner

• So how are any of the transactions confirmed?
• A Bitcoin miner

Bitcoin Miner

• “Bitcoin Mining is a peer-to-peer computer process used to secure and verify bitcoin transactions—payments from one user to another on a decentralized network. Mining involves adding bitcoin transaction data to Bitcoin's global public ledger of past transactions. Each group of transactions is called a block.”

Bitcoin Miner

Cryptocurrency
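The two ideas on the Blockchain and Bitcoin Miner slides (each block points to the previous block's hash, and a miner must find a nonce that makes the block's hash meet a target before it is accepted) fit in one small model. This is an added example, not code from the presentation or from Bitcoin itself: it uses plain SHA-256 over a JSON encoding, a toy difficulty of three leading hex zeros, and constructed transactions. It shows why editing an old record is detected: the edited block's stored hash no longer matches, and even if it is re-mined, every later block still points at the old hash.

```python
import hashlib
import json

DIFFICULTY = 3  # toy target: hash must start with this many hex zeros

# Constructed sample transactions (names and amounts are made up).
TX_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}, {"from": "alice", "to": "dave", "amount": 1}],
]


def block_hash(block: dict) -> str:
    """Hash the block's contents; the stored 'hash' field itself is excluded."""
    fields = {k: block[k] for k in ("index", "timestamp", "transactions", "previous_hash", "nonce")}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def mine_block(index: int, transactions: list, previous_hash: str, timestamp: int = 0) -> dict:
    """Proof of work: try nonces until the hash meets the difficulty target."""
    block = {"index": index, "timestamp": timestamp, "transactions": transactions,
             "previous_hash": previous_hash, "nonce": 0}
    while True:
        h = block_hash(block)
        if h.startswith("0" * DIFFICULTY):
            block["hash"] = h
            return block
        block["nonce"] += 1


def build_chain(tx_batches: list) -> list:
    """Genesis block first, then one mined block per batch, each linked to its predecessor."""
    chain = [mine_block(0, [], "0" * 64)]
    for i, txs in enumerate(tx_batches, start=1):
        chain.append(mine_block(i, txs, chain[-1]["hash"], timestamp=i))
    return chain


def validate_chain(chain: list):
    """Check every block's stored hash, proof of work and link to the previous block."""
    for i, block in enumerate(chain):
        if block_hash(block) != block["hash"]:
            return False, f"block {i}: stored hash does not match contents"
        if not block["hash"].startswith("0" * DIFFICULTY):
            return False, f"block {i}: proof of work missing"
        if i > 0 and block["previous_hash"] != chain[i - 1]["hash"]:
            return False, f"block {i}: link to previous block broken"
    return True, "ok"


def tamper_demo():
    """Edit a confirmed transaction, then re-mine that block; report both verdicts."""
    chain = build_chain(TX_BATCHES)
    chain[1]["transactions"][0]["amount"] = 500          # rewrite history in block 1
    edited = validate_chain(chain)                       # fails at block 1: hash mismatch
    chain[1] = mine_block(1, chain[1]["transactions"], chain[0]["hash"], timestamp=1)
    remined = validate_chain(chain)                      # block 1 is now self-consistent...
    return edited, remined                               # ...but block 2 still points at the old hash


if __name__ == "__main__":
    print(validate_chain(build_chain(TX_BATCHES)))
    print(tamper_demo())
```

The toy difficulty keeps mining to a few thousand hashes per block; Bitcoin's real difficulty is what makes re-mining every block after the edited one, faster than the honest network extends the chain, impractical.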

• So how do we confirm Cryptocurrency is being used?
• Digital Wallet
• Mobile phone based
• Computer based
• Cloud based
• PGP Key

Mobile phone

Computer applications

Cloud applications

PGP

How do we find the evidence

• Examine the RAM
• Examine the APPS
• Locate the digital wallets
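When examining RAM or a disk image for the indicators on the previous slide, the useful artefacts are strings: wallet file names, PGP armour blocks, and Bitcoin addresses that actually pass the Base58Check checksum (which filters out the many random-looking strings that merely look like addresses). The scanner below is an added example, not from the presentation: it assumes a raw byte buffer as input (a memory dump or carved file) and uses a constructed sample buffer; the one valid address in it is the well-known genesis-block address, included only because it is public and verifiable.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy P2PKH ('1...') and P2SH ('3...') addresses; bech32 ('bc1...') is not covered here.
ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
PGP_RE = re.compile(
    r"-----BEGIN PGP (PUBLIC|PRIVATE) KEY BLOCK-----.*?-----END PGP \1 KEY BLOCK-----", re.S
)
WALLET_RE = re.compile(r"\b(wallet\.dat|electrum|default_wallet|multibit\.wallet)\b", re.I)


def b58decode(s: str) -> bytes:
    """Base58 to bytes; each leading '1' stands for one leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-Base58 character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\0" * pad + raw


def is_valid_base58_address(s: str) -> bool:
    """Base58Check: 1 version byte + 20 byte hash + 4 byte double-SHA256 checksum."""
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def scan_artifacts(blob: bytes) -> dict:
    """Pull wallet, PGP and address indicators out of a raw buffer."""
    text = blob.decode("latin-1")  # byte-preserving so offsets stay meaningful
    addresses, rejected = [], []
    for m in ADDR_RE.finditer(text):
        (addresses if is_valid_base58_address(m.group()) else rejected).append(m.group())
    return {
        "addresses": addresses,                        # checksum-valid: worth following up
        "rejected_candidates": rejected,               # look-alikes that fail the checksum
        "pgp_blocks": [m.group(1) for m in PGP_RE.finditer(text)],
        "wallet_files": sorted({m.group(1).lower() for m in WALLET_RE.finditer(text)}),
    }


# Constructed sample buffer standing in for a slice of a memory dump.
SAMPLE = (
    b"\x00\x01junk\xffC:\\Users\\demo\\AppData\\Roaming\\Bitcoin\\wallet.dat\x00\x00"
    b"send to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa please\n"
    b"decoy 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb here\n"
    b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nxsBNBGRvYmFsAQAA\n=abcd\n"
    b"-----END PGP PUBLIC KEY BLOCK-----\n\x90\x90electrum\\wallets\\default_wallet"
)


if __name__ == "__main__":
    for key, value in scan_artifacts(SAMPLE).items():
        print(f"{key}: {value}")
```

Only the checksum-valid addresses are worth running against a block explorer; the decoy in the sample differs from the real address by one character and is correctly rejected, which is the kind of noise a plain regex sweep of RAM would otherwise bury you in.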

Any traces on a smartphone?

• Not many, but there are a few: