
Dark Web 2 investigations

Glenn K. Bard CISSP, EnCE, CFCE, CHFI, A+, Network+, Security+, ACE, AME PATCtech Chief Technical Officer PA State Trooper – Retired NCMEC – Project ALERT

What is the Dark Web

• In simplest terms:
• It is part of the – And means that its contents are not indexed by conventional search engines such as Google, Bing and so on.
• However, there are Onion search engines like DuckDuckGo which index Onion addresses for Services.
• It must be accessed using specific software. Normal web browsers can not access Dark Web sites.
• One of the most popular resources used to access the Dark Web is TOR, formerly known as The Onion Router.
• There are others though, such as and .

What is the Dark Web

• What is it used for?
• Many people use it just to stay .
• Others use it to commit .
• There are also very useful benefits:
• Citizens in oppressed countries researching science, religion, democracy and so on.

How do you access the Dark Web

• As with all things, make sure you download the tools directly from the source. For example, only download TOR from TORproject.org. Don’t get it from other websites as it can be filled with viruses.

Tor

• What is Tor?
• “Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.”
• It can be obtained from:
• https://www.torproject.org/


But there are others

• Freenet
• I2P

Freenet

• What is Freenet?
• “Freenet is a peer-to-peer platform for censorship-resistant communication and publishing.”
• It can be obtained from:
• https://freenetproject.org/author/freenet-project-inc.html


I2P

• What is I2P?
• “I2P is an anonymous - a network within a network. It is intended to protect communication from dragnet surveillance and monitoring by third parties such as ISPs.”
• It can be obtained from:
• https://geti2p.net/en/


Tails

• What is Tails?
• “Tails is a live that you can start on almost any computer from a USB stick or a DVD.”
• It can be obtained from:
• https://tails.boum.org/


It is important to remember

• Clearnet sites CAN be accessed from Tor.
• Onion sites CAN NOT be accessed from the Clearnet.

It is important to remember

[Screenshot: Clearnet site on Tor]
[Screenshot: Onion site on Clearnet]

Three important rules to survival

• Never let Tor be full screen
• Never have another browser open
• Never open any downloaded files while Tor is still open

• It is also a good idea to create a protonmail.com account to communicate with people on the Dark Web.

Protonmail.com

• Based in Switzerland
• Many Dark Web entities require using it
• Fully encrypted communication



So how does the data travel?

In common language, it allows someone to access a network within the , and selects a random exit point to the internet, referred to as the Clearnet. It does NOT spoof the IP address, or change the IP address of the source computer. It simply allows the computer to exit to the Clearnet through a different gateway. All of the data is encrypted as it traverses the network, and it is only decrypted when it exits Tor.

But officially:

The Onion Router

What is ?

• Layers of , with each layer being decrypted by successive relays, revealing only the next relay

• The final layer decrypts the original data and sends it to its destination

How does Tor work?

• Free software

• More than 5,000 worldwide volunteer relays

• Tor software encrypts the original data and destination IP address, and then wraps multiple levels of encryption around it

• Each relay only decrypts the identity of the next relay

• Data will appear to originate from its Tor exit node

So basically

• When we see an IP address, it is the IP of the exit from the network to the Clearnet, and it is NOT the IP address of the suspect computer.

• Let’s try some experiments
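To make the two slides above concrete (one layer of encryption per relay, each relay learning only the next hop, and the destination seeing the exit node's address rather than the client's), here is an added simulation. It is not Tor project code: the layer cipher is a toy HMAC-SHA256 keystream standing in for Tor's AES-CTR, the relay names, keys and TEST-NET IP addresses are constructed, and `build_onion`, `peel` and `run_circuit` are names chosen for this illustration.

```python
import hashlib
import hmac
import json
import os

# --- toy per-layer cipher (illustration only; Tor itself uses AES-CTR with
#     keys agreed during circuit construction) ---
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key + nonce into a keystream using HMAC-SHA256 in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def open_layer(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# --- the onion: one layer per relay; each layer names ONLY the next hop ---
def build_onion(circuit, keys, destination, payload: bytes) -> bytes:
    # Innermost layer is for the exit: it carries the real destination and data.
    blob = seal(keys[circuit[-1]], json.dumps({"next": destination, "data": payload.hex()}).encode())
    # Wrap for the middle relay, then the guard, working from the inside out.
    for hop, next_hop in zip(reversed(circuit[:-1]), reversed(circuit[1:])):
        blob = seal(keys[hop], json.dumps({"next": next_hop, "data": blob.hex()}).encode())
    return blob

def peel(key: bytes, blob: bytes):
    """What one relay does: strip its own layer, learn the next hop, forward the rest."""
    layer = json.loads(open_layer(key, blob).decode("utf-8"))
    return layer["next"], bytes.fromhex(layer["data"])

def can_peel(key: bytes, blob: bytes) -> bool:
    """A relay holding the wrong key gets only noise out of a layer."""
    try:
        peel(key, blob)
        return True
    except (ValueError, KeyError, TypeError):
        return False

def run_circuit(circuit, keys, addresses, client_ip, onion):
    """Walk the onion through the relays and record what each party observes."""
    observations, sender, blob = [], client_ip, onion
    for hop in circuit:
        next_hop, blob = peel(keys[hop], blob)
        observations.append({"relay": hop, "from": sender, "to": next_hop})
        sender = addresses[hop]          # this relay becomes the sender of the next leg
    # After the exit peels its layer, blob is the plaintext and sender is the exit's IP.
    return observations, {"destination_sees_ip": sender, "payload": blob}

# Constructed circuit: RFC 5737 TEST-NET addresses and deterministic stand-in keys.
CIRCUIT = ["guard", "middle", "exit"]
ADDRESSES = {"guard": "203.0.113.10", "middle": "198.51.100.20", "exit": "192.0.2.30"}
KEYS = {r: hashlib.sha256(f"key-for-{r}".encode()).digest() for r in CIRCUIT}
CLIENT_IP = "203.0.113.200"

def demo():
    onion = build_onion(CIRCUIT, KEYS, "example.org", b"GET / HTTP/1.1")
    return run_circuit(CIRCUIT, KEYS, ADDRESSES, CLIENT_IP, onion)

if __name__ == "__main__":
    observations, result = demo()
    for o in observations:
        print(f"{o['relay']:6} saw traffic from {o['from']:15} and forwarded it to {o['to']}")
    print("destination sees IP:", result["destination_sees_ip"])
```

Run it and the guard is the only party that ever sees the client's address, the exit is the only party that sees the destination, and the destination's logs show 192.0.2.30, the exit node. That is why an IP address recovered from a victim's server points at an exit relay and not at the suspect's computer.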

Tor Hidden Services

• Websites and other servers configured to only accept inbound traffic through Tor

• No exit node from Tor, so the entire connection is encrypted
• Black Market Guns, Onion Pharma, Bit pharma
• One thing important to remember is that it is very common for these sites to go up and down regularly.

Some good starting points

• Torch http://xmh57jrzrnw6insl.onion/

• TorLinks http://torlinksd6pdnihy.onion/

• DuckDuckGo http://3g2upl4pq6kufc4m.onion/

• The Hidden http://zqktlwi4fecvo6ri.onion/wiki/index./Main_Page

• Survival Guide https://ssd.eff.org/

Some good starting points

• Let’s check a few of these starting points out.

• But I must warn you, this is the Dark web, and I don’t control the content of these sites. So we will probably see things like guns, , counterfeit money, and drugs.

Payment options

• As we just saw, the items for sale had to be purchased by , or other Cryptocurrency.

Bitcoin

• So, What is Bitcoin?

Bitcoin

• Bitcoin is a cryptocurrency and payment system that was unveiled in January of 2009. It works without a central repository, meaning that transactions occur directly from user to user and there is no middle man, for example a bank or government.
• The amount of Bitcoin created in each block is controlled, so it is fairly immune to inflation.

Blockchain

• So what keeps people from just replicating or reproducing Bitcoin? • Answer: Blockchain

Blockchain

• A blockchain is a growing list of records, known as blocks, that are linked to earlier records and blocks using cryptography. Generally speaking, each block points to the previous block along with a time stamp, anyone can read the blocks, but the chain is resistant to modification. This is important because Bitcoin uses this technology to keep its records.
• In simple terms, it allows people to see the data without replicating or modifying it, which of course is important when dealing with currency.

Bitcoin Miner

• So how are any of the transactions confirmed? • A Bitcoin miner

Bitcoin Miner

• “Bitcoin Mining is a peer-to-peer computer process used to secure and verify bitcoin transactions—payments from one user to another on a decentralized network. Mining involves adding bitcoin transaction data to Bitcoin's global public ledger of past transactions. Each group of transactions is called a block.”
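The two ideas on the slides above (blocks that point to the previous block with a time stamp and resist modification, and mining that secures the ledger by adding blocks) fit in one small working model. The code below is an added illustration, not Bitcoin's own implementation: it keeps Bitcoin's shape (SHA-256, a previous-block hash, a nonce searched until the hash meets a difficulty target) but with trivial difficulty, JSON "transactions" and constructed names like `mine_block` and `validate_chain`.

```python
import hashlib
import json
import time

def block_hash(block: dict) -> str:
    """SHA-256 over every field except the stored hash, in a canonical encoding."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def mine_block(prev_hash: str, transactions: list, difficulty: int, timestamp=None) -> dict:
    """Proof of work: bump the nonce until the hash starts with `difficulty` zero hex digits."""
    block = {
        "prev_hash": prev_hash,                       # the link to the previous block
        "timestamp": int(time.time()) if timestamp is None else timestamp,
        "transactions": transactions,
        "nonce": 0,
    }
    target = "0" * difficulty
    while True:
        h = block_hash(block)
        if h.startswith(target):
            block["hash"] = h
            return block
        block["nonce"] += 1

def build_chain(tx_batches: list, difficulty: int, start_time: int = 0) -> list:
    """Mine one block per batch of transactions, each linked to the one before."""
    chain, prev = [], "0" * 64                          # genesis has no predecessor
    for i, txs in enumerate(tx_batches):
        block = mine_block(prev, txs, difficulty, start_time + i)
        chain.append(block)
        prev = block["hash"]
    return chain

def validate_chain(chain: list, difficulty: int):
    """Re-derive every hash and link; report the first block that fails and why."""
    prev = "0" * 64
    for i, block in enumerate(chain):
        if block["prev_hash"] != prev:
            return False, f"block {i}: broken link"
        if block_hash(block) != block["hash"]:
            return False, f"block {i}: contents changed"
        if not block["hash"].startswith("0" * difficulty):
            return False, f"block {i}: insufficient work"
        prev = block["hash"]
    return True, "ok"

# Constructed sample ledger: three blocks of made-up transfers.
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 1}],
    [{"from": "bob", "to": "carol", "amount": 1}],
    [{"from": "carol", "to": "dave", "amount": 1}],
]

def tamper_demo(difficulty: int = 3):
    """Show why editing an old block is detected and why re-mining it is not enough."""
    chain = build_chain(SAMPLE_BATCHES, difficulty)
    before = validate_chain(chain, difficulty)
    chain[0]["transactions"][0]["amount"] = 100         # edit history in place
    edited = validate_chain(chain, difficulty)
    chain[0] = mine_block("0" * 64, chain[0]["transactions"], difficulty, 0)  # redo block 0's work
    remined = validate_chain(chain, difficulty)         # block 1 now points at a hash that no longer exists
    return before, edited, remined

if __name__ == "__main__":
    for label, outcome in zip(("original", "edited", "re-mined block 0"), tamper_demo()):
        print(f"{label:18} -> {outcome}")
```

An attacker who alters an old record has to redo the proof of work for that block and for every block after it, faster than the rest of the network keeps extending the chain; that, not the hash alone, is what makes the ledger "resistant to modification".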


Cryptocurrency

• So how do we confirm Cryptocurrency is being used?
• Digital Wallet
• Mobile phone based
• Computer based
• Cloud based
• PGP Key

Mobile phone

Computer applications

Cloud applications

PGP

How do we find the evidence

• Examine the RAM
• Examine the APPS
• Locate the digital wallets
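One practical way to "examine the RAM" and "locate the digital wallets" is to carve a memory image or disk image for strings that look like Bitcoin addresses and keep only those whose Base58Check checksum verifies, which discards the many random-looking strings a raw regex would flag. The scanner below is an added example, not a tool from the presentation: `scan_buffer` and `base58check_decode` are names chosen here, the sample buffer is constructed, and it covers only legacy Base58 addresses (starting with 1 or 3), not bech32 addresses starting with bc1.

```python
import hashlib
import re

# Bitcoin's Base58 alphabet: no 0, O, I or l, to avoid visual confusion.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Loose candidate pattern: legacy addresses are 26-35 Base58 characters starting with 1 or 3.
CANDIDATE = re.compile(rb"\b[13][" + ALPHABET.encode() + rb"]{25,34}\b")

def base58check_decode(text: str):
    """Return (version_byte, 20-byte hash) if the checksum verifies, else None."""
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    try:
        raw = n.to_bytes(25, "big")       # version(1) + hash160(20) + checksum(4)
    except OverflowError:
        return None
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if expected != checksum:
        return None
    return payload[0], payload[1:]

def scan_buffer(buf: bytes):
    """Carve a raw byte buffer (memory or disk image) for checksum-valid addresses."""
    hits = []
    for m in CANDIDATE.finditer(buf):
        candidate = m.group().decode("ascii")
        decoded = base58check_decode(candidate)
        if decoded is None:
            continue                      # looked like an address, but checksum failed
        version, _ = decoded
        kind = {0x00: "P2PKH", 0x05: "P2SH"}.get(version, f"version 0x{version:02x}")
        hits.append((m.start(), candidate, kind))
    return hits

def scan_file(path: str, chunk: int = 16 * 1024 * 1024):
    """Stream a large image in chunks (with overlap so an address is never split)."""
    hits, offset, tail = [], 0, b""
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                break
            block = tail + data
            base = offset - len(tail)
            hits.extend((base + pos, addr, kind) for pos, addr, kind in scan_buffer(block))
            tail = block[-40:]            # longer than any legacy address
            offset += len(data)
    return sorted(set(hits))

# Constructed sample "memory dump": one genuine address (the well-known genesis
# block coinbase address), one copy with its last character changed, and noise.
SAMPLE_DUMP = (
    b"\x00\x00wallet.dat\x00receive_addr=1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\x00"
    b"log: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb retry\x00"
    b"build id 1ffabc8d1b4c56e2a0f9 more noise\x00"
)

if __name__ == "__main__":
    for offset, addr, kind in scan_buffer(SAMPLE_DUMP):
        print(f"offset {offset:6d}  {kind:6}  {addr}")
```

Finding an address in memory only shows the string was present; whether the device actually holds the wallet is answered by the apps and wallet files around it, which is why the slide lists all three steps.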

Any traces on a smartphone?

• Not many, but there are a few:
