A Framework of Darknet Forensics
Leng Tao1,2,3,4 * Yu Aimin1,2
1.Chinese Academy of Sciences, Institute of Information
Engineering,
[email protected]
; 2.University of Chinese Engineering,
[email protected]
; 2.University of Chinese
Academy of Sciences, School of Cyber Security; 3.Sichuan
Police College, Department of Computer Science and
Technology; 4.Sichuan Police College, Criminal Inspection
Sichuan Provincial University Key Laboratory
ABSTRACT
The dark web market is full of illegal and criminal activities such
as the sale of sensitive personal information, guns, drugs, and ter-
rorist videos. Cybercriminals use The Onion Router(TOR) browser
to enter the dark web for information publishing and trading. Be-
cause the onion router browser provides privacy protection and
anonymity, it is widely used. This privacy protection mode has
brought great challenges to network investigators. This article aims
to detect the use of the latest Tor browser, compare and analyze the
evidence information contained in the registry, memory images,
hard disk files, and network data packets through forensic exper-
iments. At the same time, it compares and analyzes the different
access modes of the Tor browser, and collects and uses Tor brows-
ing. Evidence of cybercrime committed by a device is helpful to the
development of electronic data forensics analysis.
CCS CONCEPTS
• Security and privacy; • Human and societal aspects of secu-
rity and privacy;
KEYWORDS
tor browser, memory forensic, network forensic, artifacts
ACM Reference Format:
Leng Tao1,2,3,4 * and Yu Aimin1,2. 2021. A Framework of Darknet Forensics.
In 2021 3rd International Conference on Advanced Information Science and
System (AISS 2021) (AISS 2021), November 26–28, 2021, Sanya, China. ACM,
New York, NY, USA, 6 pages. https://doi.org/10.1145/3503047.3503082
1 INTRODUCTION
In recent years, as the awareness of personal privacy protection has
increased, network traffic is encrypted with HTTPS , and endpoint
browsers provide privacy-protected modes for trace-free browsing.
The dark web offers a wealth of resources that require access with
a dedicated browser, such as Tor. The Tor browser is designed to
achieve anonymity and protect privacy. Accessing the dark web
with Tor ensures users’ private information, but also increases
cybercrime. The dark web market is flooded with many sales of
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. Copyrights for components of this work owned by others than ACM
must be honored. Abstracting with credit is permitted. To copy otherwise, or republish,
to post on servers or to redistribute to lists, requires prior specific permission and/or a
fee. Request permissions from
[email protected]
. and anonymous traffic is forwarded over anonymous communica-
AISS 2021, November 26–28, 2021, Sanya, China
© 2021 Association for Computing Machinery.
ACM ISBN 978-1-4503-8586-2/21/11. . . $15.00
https://doi.org/10.1145/3503047.3503082
1.Chinese Academy of Sciences, Institute of Information
Academy of Sciences, School of Cyber Security
personally identifiable information, child pornography, guns, drugs,
murder buying, and terrorist activities, which poses a great chal-
lenge for cybersecurity law enforcement and requires research
on forensic methods for the dark web. Previous studies have fo-
cused on Tor traffic identification and monitoring, Tor user identity
studies, and some studies have analyzed Tor browser usage traces
from a forensic perspective. The goal of this paper is to establish
a systematic and repeatable framework for dark web forensics,
the framework will involve registry forensics, hard disk file foren-
sics, memory forensics, database forensics, network forensics, etc.
The system platforms cover windows, Linux, mac os, and android.
There are three challenges.1). How to form a set of frameworks for
dark network forensics for multiple scenarios of cybercrime using
the dark network.2) Previous research mainly focused on memory
forensics, a few referred registry monitoring, Tor browser file foren-
sics, this paper will combine darknet forensics, improve memory
forensics, registry, hard disk forensics, based on the addition of
network forensics. (3) Previous research verifies the privacy secu-
rity of Tor browser from the perspective of experiments, and dark
web forensic analysis from the perspective of forensic investigators
presented as evidence that.
Our Contributions are as follows:1) Giving a complete framework
for dark web forensics. 2) For the first time, we analyze Tor Browser
forensics from 4 aspects (registry, memory, hard disk files, and
network forensics.3) Verify the privacy-preserving features of the
latest Tor browser and conduct a forensic case study from the
investigator’s perspective.
2 BACKGROUND AND RELATED WORK
Tor is a second-generation onion-routed anonymous communica-
tion system that has become the most popular and low-latency
anonymous communication system. Tor provides plenty of ways
to use it, making it easy to use in different scenarios.
2.1 Tor network
The Tor network consists of an authoritative directory server, onion
routing, and onion proxy. The authoritative directory server is the
core of the Tor network, responsible for maintaining node infor-
mation throughout the network, such as storage and retrieval, and
distributing it to Tor clients in the form of node snapshots and node
descriptors. Onion routes are the foundation of the Tor network,
tion links composed of multiple onion routes. Encrypted data is
transmitted between two onion routes via a secure transport layer
protocol. The onion proxy runs on the Tor client and provides a
AISS 2021, November 26–28, 2021, Sanya, China Tao Leng and Aimin Yu

Table 1: Tor browser forensic

Paper Registry Memory Hard disk Network Windows/linux/Mac os/ Tor version
artefacts artefacts artefacts Artefacts Android
(database)
Jadoon et al. 2019 [1] ✓ ✓ ✓ × Windows8.1 Tor 7.0.2
W.Darcie et al. 2014 [2] ✓ ✓ × ✓ Win7 Tor 3.6.1
A. Al-Khaleel et al. 2014 [3] × ✓ × × Win7 -
A. Warren et al. 2017 [4] ✓ ✓ ✓ × Win10 Tor5.0
Runa A Sandvik(2013) [5] ✓ × ✓ × OS X 10.8, Win 7, Tor2.3.25-6
Debian 6.0 .
M.-J. Chiu Huang(2018) [6] × ✓ ✓ × Win10 Tor7.5.2
D.Dayalamurthy (2013) [7] × ✓ × × windows Latest
Kulm 2020 [8] ✓ ✓ ✓ × Windows/Mac New
Tails
Vatsavayi, 2021 [9] × ✓ × × Win10 -
A. Chetry 2021 [10] × ✓ × × Win10 -
P. P. Sajan ,2021 [11] × ✓ ✓ × Win10 -
Muir,2019 [12] ✓ ✓ ✓ × Win10 Tor7.5.2
Al Barghouthy,2013 [13] × × ✓ × Android2.3.3 Orweb v2.28
Al Barghouthy,2014 [14] × × ✓ × Android4.0.3 Orwebv2.28
Claudia Meda ,2016 [15] × × ✓ × Android -
Ours ✓ ✓ ✓ ✓ Win10 Tor10.5.5
Attention: ✓delegate contain, × delegate no, - delegate no mention.

local socks proxy that establishes anonymous links and relays net-
work traffic between the user’s application and the Tor anonymous
link.
2.2 Related work
Jadoon et al. [1] performed forensics on Tor Browser in windows
8.1, including registry, memory, hard disk footprint, etc. However,
no network forensics were performed and rarely connected to dark
websites. W. Darcie et al.[2] set up four virtual scenarios, registry
analysis, memory forensics, and network forensics for each scenario.
network forensics statistics on-network data flow and protocol layer
statistics. Al-Khaleel et al.[3] considered only the Tor memory foren-
sics scenario, which separately considered Tab page open and close
state, entire Tor closed state, and close the browser for 15 minutes.
Warren et al. [4] took three snapshots, Filesystem Artifacts about
prefetch, hives, memory artifacts. Runa A Sandvik et al. [5] con-
siders three object scenarios, the scope of the study is defined as a
user who does not have administrative privileges or does not know
how to delete Tor Browser traces, uses three virtual machines, does
not use a browser to download the Tor Browser, but connects an
external drive and then copies it, only the traces left behind after the
Tor Browser is deleted and the system is completely shut down will
be considered, and consider only the traces left by the Tor browser
itself.M.-J. Chiu Huang et al. [6] start with cybercrime analysis,
focusing on the different modes of different browsers. Compare Tor
browser, chrome firefox, however, only memory images and cookie
databases are considered. D.Dayalamurthy et al. [7] proposed a
memory forensic framework for tor browser without experimental.
Validation. Kulm et al.[8] considered windows and mac os operating
systems, the study considered only the traces left by the Tor browser
accessing the dark web in the host and designed a framework for
Tor host traces study in general. Vatsavayi et al. [9] analyzed user
activity using memory forensics. Chetry 2021 [10] presented the
steps of an investigator’s work against the dark web, the paper con-
forms to the general steps of an investigator, but the investigation
evidence acquisition is incomplete. P. P. Sajan et al. [11] considered
windows system memory, system local files. Muir,2019 et al. [12]
considered both online forensic and static analysis methods. Al
Barghouthy et al. [13] considered root mode and non Evidence
information in both scenarios root mode and non-root mode, Only
root mode can get some information. Al Barghouthy,2014 [14] com-
pared the image extraction results of rootkit mode and Recovery
mode, both results are the same. Claudia Meda et al. [15] proposed
the Tor The focus of browser trace forensic analysis. Furthermore,
Rathod et al. [16] discusses a framework for dark web forensics and
argues that dark web forensics includes registry, network, memory,
and data forensics as well as cryptocurrency wallet analysis. The
related works of literature are as follows (Table 1).
3 APPROACH
Since many cybercriminal activities involve the dark web, such as
buying and selling personal private information, purchasing drugs
and guns, etc. Some criminal suspects establish dark networks and
engage in illegal activities through them. From the investigator’s
perspective, we designed a framework for dark network forensics
(Figure 1). It consists of two main components, Tor browser foren-
sics, and dark web (web) forensics. Tor browser forensics focuses
on obtaining evidence at the host side. Host forensics focuses on
accessing the dark web through the Tor browser, making related
A Framework of Darknet Forensics
Figure 1: Darknet Forensic Framework
Figure 2: Pro Procedure
purchases or posting illegal information, and using bitcoin for trans-
actions. Host forensics takes windows systems as an example, and
mainly includes registry, memory, hard drive files, and network
forensics. Dark network (web) forensics focuses on remote server
forensics, mainly for dark web sites established by users or dark
web sites that publish illegal information on the dark web, we have
discussed dark web forensics in our previous article [17], so we do
not discuss it in this paper. The following section focuses on the
design of experiments to obtain relevant evidence at the host side.
In order to collect the complete traces of Tor browser, we de-
signed the following experiment with a pure windows 10 virtual
machine with the latest tor browser installed.
3.1 Experiment Setup and tools
Build a pure Win10 virtual machine, install Tor Browser, access
the explicit and dark web, close Tor Browser, and relate the win-
dows system. Use related tools to record registry, memory, capture
packets, etc. (Figure 2).The detailed process is described in section
4.2. Tools used include Vmware workstation 15 Pro, torbrowser-
install-win64-10.5.6_zh-CN, Regshot1.9.0, Volatility 2.6, Access Data
FTK Imager, Bulk extractor, HxD, Rawcap, Networkminer.Registry
viewer.
AISS 2021, November 26–28, 2021, Sanya, China
3.2 Procedure
First, prepare the win10 operating system, install the Regshot soft-
ware and save the first snapshot.then, install the tor browser, use
Regshot to compare the registry changes, and save the second
snapshot. Third, start capture packets, use the tor browser Visit
Facebook, telegram, dark web sites and save the third snapshot.
Fourth, close the Tor browser and close the packet capture. The
browsing modes of browsing websites include regular privacy mode
and customed record browsing history mode. The browsing activity
design is shown in Table 2. Memory data collection considers two
modes, the browser is open, and the browser is closed.
4 ANALYSIS AND RESULTS
4.1 Registry analysis
Under win10 system, startup Regshot software, take the first snap-
shot, install tor browser, choose to install only and not start im-
mediately, take the second snapshot, and compare with the first
snapshot, find that the changes in the Tor browser. (Table 3)
Besides, we use AccessData Registry Viewer to analyze
NTUSER.dat under the user of the win10 system. Use the Tor
browser as a keyword search analysis result, find relevant infor-
mation under six catalog items (Table 4). Through the registry
analysis, the forensics personnel can obtain the tor browser version,
installation location and installation time installed by the user.
4.2 Memory analysis
Memory forensics can be analyzed by volatility tools, commonly
used plugins are cmdline, dlllist, dumpfiles, envars, pslist, pstree,
shellbags, timeliner. Bulk extractor can find a website domain
name, email, and other useful information in memory, but after Tor
browser close it is less than Tor browser open (Figure 3, Figure 4),
moreover, there is no user email information for login to Facebook.
Therefore, at the crime scene, ensure that the suspect’s computer
is not closed and the tor browser is not closed for volatile data
extraction.
AISS 2021, November 26–28, 2021, Sanya, China Tao Leng and Aimin Yu

Table 2: Browsing activity

Website Activites Accounts used on tor

facebook Open website [email protected]
Login
Browsing website
Download video
telegram Open web app (https://web.telegram.org/)\penalty-\@M user2
Login
Join group (@awlgff, @binancechinese )
Chat in the group
Chat with one person
Delete the message
http://alibaba2kw6qoh6o.onion/ Open website tor_user1
Login
Browsing website

Table 3: Registry arfefacts

S.no Registry artefacts Description

1 HKLM\SYSTEM\ ControlSet001\ Services\ Tor Browser configuration
bam\State\UserSettings\S-1-5-21-1501606697-969712618-2041226544- information is included in
1002\Device\HarddiskVolume3\tools\torbrowser-install-win64-10.5.5_zh-CN.exe: 63 51 4C the system default
7C 5B AC D7 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 configuration
2 HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21- The current system
1501606697-969712618-2041226544-1002\Device\HarddiskVolume3\tools\torbrowser- configuration contains Tor
install-win64-10.5.5_zh-CN.exe: 63 51 4C 7C 5B AC D7 01 00 00 00 00 00 00 00 00 00 00 00 00 Browser configuration
02 00 00 00 information
3 HKU§-1-5-21-1501606697-969712618-2041226544-1002\Software\Microsoft\Windows Indicates where the Tor
NT\CurrentVersion\AppCompatFlags\Compatibility Browser is stored
Assistant\Store\C:\tools\torbrowser-install-win64-10.5.5_zh-CN.exe: 53 41 43 50 01 00 00 00
00 00 00 00 07 00 00 00 28 00 00 00 D0 D9 70 04 E3 37 71 04 01 00 00 00 00 00 00 00 00 00 00 0A
00 21 00 00 63 1F 6E 6F 0E DE D4 01 00 00 00 00 00 00 00 00 02 00 00 00 28 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5D 16 02 00 00 00 00 00 01 00 00 00
01 00 00 00

Table 4: ntuser.dat artefacts

Num Catalog item description

1 NTUSER.DAT\Software\Microsoft\Internet audio
Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\bc92de0a_0
2 NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\de\7651cace-
Store cache
d119-427e-b663-6b0545630146\windows.data.unifiedtile.localstartvolatiletilepropertiesmap\Current
3 NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\UFH\SHC Start menu
lnk
4 NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags\1\Desktop Iconlayouts
5 NTUSER.DAT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Path for file
Assistant\Store store
6 NTUSER.DAT\Software\Mozilla\Firefox\Launcher Firefox
Launcher
A Framework of Darknet Forensics
Table 5: profile.default files artefacts
Analysis item normal open Definition open
Visit history Nothing all websites visited
Form history Nothing Facebook websites form have username login
Tor form have no results
Figure 3: URL history (Tor browser opened)
Figure 4: URL history(Tor browser closed)
4.3 Hard disk analysis
The image file was analyzed in [1], and information such as PUBLIC
Key was found. This result was also verified in our experiment. Now
we will Focus on the analysis of files such as profile.default and
prefetch.
4.3.1 profile.default files. Use tor browser to visit the website,
choose the default regular mode and custom two modes. In the
custom mode, set to remember browsing and download history,
remember to search and form history, and clear the history when
you close the tor browser. Analyze the database files under the
profile.default file, and the results are in Table 5. If you use the
default tor standard installation mode, the tor browser installation
AISS 2021, November 26–28, 2021, Sanya, China
Defintion close
Nothing
Nothing
directory database file will have no record. If you modify the in-
stallation mode and record information, you can find the browsing
record in the database
4.3.2 prefetch files. Through experiments, we can find three files
related to tor browser in Prefetch file, use winPrefetchView to load
and view (WinPrefetchView.exe /folder F:\anwang\results\pf), you
can get tor browser creation time, modification time, running times,
and running time, As shown in Figure 5. This information can be
correlated and analyzed with the case timeline.
4.4 Network analysis
Because Tor Browser uses a local proxy for access, it can sniff the
local before it is encrypted. Use Rawcap 127.0.0.1 .\torcap.pcap to
capture the data packet, and then use Networkminer to analyze,
the result is shown in Figure 6. If the Tor encrypted data packets
are captured on the export traffic of operators, deep learning is
now used to identify Tor traffic. This article will not discuss such
situations.
5 BITCOIN WALLET FORENSIC
Bitcoin forensics mainly considers Bitcoin client file analysis, brows-
ing Bitcoin-related websites, and relevant information in social chat
messages. The Bitcoin-Qt folder mainly contains Blocks, Chanstate,
Debug.log, Peers.dat, Walet.dat, etc. Here, we give a real example of
a hacker using Bitcoin to conduct transactions, and after re-copying
his backup wallet to the local wallet, check the transaction infor-
mation. From the Figure 7 we can see the time and amount of the
transaction.
6 CONCLUSION
In this paper, we described the composition and working principle
of TOR ,Proposed a framework for dark web forensics, mainly based
on the latest tor browser under the windows platform, carried
out registry, memory, file, network forensics and digital wallet
forensics.Tor browsers on android, mac, linux and The relationship
data mining is our future work.
ACKNOWLEDGMENTS
grant sponsor by Criminal Inspection Sichuan Provincial University
Key Laboratory.Grant no:2020ZD03
REFERENCES
[1] Jadoon, A. K., Iqbal, W., Amjad, M. F., Afzal, H., & Bangash, Y. A. (2019). Forensic
analysis of Tor browser: a case study for privacy and anonymity on the web.
Forensic science international, 299, 59-73.
[2] Darcie, W., Boggs, R. J., Sammons, J., & Fenger, T. (2014). Online anonymity:
forensic analysis of the tor browser bundle. Technical Report, 1-34.
[3] Al-Khaleel, A., Bani-Salameh, D., & Al-Saleh, M. I. (2014, January). On the memory
artifacts of the tor browser bundle. In The International Conference on Computing
AISS 2021, November 26–28, 2021, Sanya, China Tao Leng and Aimin Yu

Figure 5: prefetch files artefacts

Figure 6: network artefacts

Figure 7: bitcoin wallet forensic
Technology and Information Management (ICCTIM) (p. 41). Society of Digital
Information and Wireless Communication.
[4] A. Warren, Tor Browser Artifacts in Windows 10, (2017) Retrieved from SANS
Institute website: https://www.sans.org/reading-room/whitepapers/foren-sics/
tor-browser-artifacts-windows-10-37642
[5] Sandvik, R. A. (2013). Forensic Analysis of the Tor Browser Bundle on OS X,
Linux, and Windows. Technical Report, 1-13.
[6] Huang, M. J. C., Wan, Y. L., Chiang, C. P., & Wang, S. J. (2018, October). Tor
browser forensics in exploring invisible evidence. In 2018 IEEE International
Conference on Systems, Man, and Cybernetics (SMC) (pp. 3909-3914). IEEE.
[7] Dayalamurthy, D. (2013). Forensic Memory Dump Analysis And Recovery Of
The Artefacts Of Using Tor Bundle Browser–The Need.
[8] Kulm, A. (2020). A Framework for Identifying Host-based Artifacts in Dark Web
Investigations.
[9] Vatsavayi, V. K., & Varma, K. S. (2021). Retrieving TOR Browser Digital Artifacts
for Forensic Evidence. In Machine Intelligence and Soft Computing (pp. 265-274).
Springer, Singapore.
[10] Chetry, A., & Sharma, U. (2021). Dark web Activity on Tor—investigation chal-
lenges and retrieval of memory artifacts. In International Conference on Innova-
tive Computing and Communications (pp. 953-964). Springer, Singapore
[11] P. P. Sajan and E. Al, “Tor Browser Forensics,” Turkish Journal of Computer and
Mathematics Education (TURCOMAT), vol. 12, no. 11, Art. no. 11, May 2021
[12] Al Barghouthy, N., Marrington, A., & Baggili, I. (2013, March). The forensic
investigation of android private browsing sessions using orweb. In 2013 5th
International Conference on Computer Science and Information Technology (pp.
33-37). IEEE.
[13] Al Barghouthy, N., & Marrington, A. (2014, March). A comparison of forensic
acquisition techniques for android devices: a case study investigation of orweb
browsing sessions. In 2014 6th International Conference on New Technologies,
Mobility and Security (NTMS) (pp. 1-4). IEEE.
[14] Claudia Meda, Mattia Epifani.(2016). Study and Analysis of Orweb Anonymizer
on Android Devices. DFRWS EU 2016,1-25
[15] Muir, M., Leimich, P., & Buchanan, W. J. (2019). A forensic audit of the tor browser
bundle. Digital Investigation, 29, 118-128.
[16] Rathod, D. (2017). Darknet forensics. future, 11, 12.
[17] Leng Tao, Gao Binhan, Xiong Yue, Xie Keng. Design and implementation of a
monitoring platform based on dark network[J]. Network Security Technology
and Applications,2021(08):26-28.