A Framework of Darknet Forensics
Table 1: Related work

| Paper | Registry artefacts | Memory artefacts | Hard disk artefacts | Network artefacts (database) | Windows/Linux/Mac OS/Android | Tor version |
|---|---|---|---|---|---|---|
| Jadoon et al. 2019 [1] | ✓ | ✓ | ✓ | × | Windows 8.1 | Tor 7.0.2 |
| W. Darcie et al. 2014 [2] | ✓ | ✓ | × | ✓ | Win 7 | Tor 3.6.1 |
| A. Al-Khaleel et al. 2014 [3] | × | ✓ | × | × | Win 7 | - |
| A. Warren et al. 2017 [4] | ✓ | ✓ | ✓ | × | Win 10 | Tor 5.0 |
| Runa A. Sandvik (2013) [5] | ✓ | × | ✓ | × | OS X 10.8, Win 7, Debian 6.0 | Tor 2.3.25-6 |
| M.-J. Chiu Huang (2018) [6] | × | ✓ | ✓ | × | Win 10 | Tor 7.5.2 |
| D. Dayalamurthy (2013) [7] | × | ✓ | × | × | Windows | Latest |
| Kulm 2020 [8] | ✓ | ✓ | ✓ | × | Windows/Mac/Tails | New |
| Vatsavayi, 2021 [9] | × | ✓ | × | × | Win 10 | - |
| A. Chetry 2021 [10] | × | ✓ | × | × | Win 10 | - |
| P. P. Sajan, 2021 [11] | × | ✓ | ✓ | × | Win 10 | - |
| Muir, 2019 [12] | ✓ | ✓ | ✓ | × | Win 10 | Tor 7.5.2 |
| Al Barghouthy, 2013 [13] | × | × | ✓ | × | Android 2.3.3 | Orweb v2.28 |
| Al Barghouthy, 2014 [14] | × | × | ✓ | × | Android 4.0.3 | Orweb v2.28 |
| Claudia Meda, 2016 [15] | × | × | ✓ | × | Android | - |
| Ours | ✓ | ✓ | ✓ | ✓ | Win 10 | Tor 10.5.5 |

Note: ✓ means included, × means not included, - means not mentioned.
local socks proxy that establishes anonymous links and relays network traffic between the user's application and the Tor anonymous link.

2.2 Related work
Jadoon et al. [1] performed forensics on the Tor Browser in Windows 8.1, including registry, memory, hard disk footprint, etc. However, no network forensics were performed and dark websites were rarely connected to. W. Darcie et al. [2] set up four virtual scenarios with registry analysis, memory forensics, and network forensics for each scenario; the network forensics consisted of statistics on network data flow and protocol-layer statistics. Al-Khaleel et al. [3] considered only the Tor memory forensics scenario, separately considering the tab page open and closed state, the entire-Tor-closed state, and the browser closed for 15 minutes. Warren et al. [4] took three snapshots, covering filesystem artifacts (prefetch, hives) and memory artifacts. Runa A. Sandvik et al. [5] consider three object scenarios; the scope of the study is defined as a user who does not have administrative privileges or does not know how to delete Tor Browser traces, uses three virtual machines, and does not use a browser to download the Tor Browser but connects an external drive and then copies it; only the traces left behind after the Tor Browser is deleted and the system is completely shut down are considered, and only the traces left by the Tor Browser itself. M.-J. Chiu Huang et al. [6] start with cybercrime analysis, focusing on the different modes of different browsers, and compare the Tor Browser, Chrome and Firefox; however, only memory images and cookie databases are considered. D. Dayalamurthy et al. [7] proposed a memory forensic framework for the Tor Browser without experimental validation. Kulm et al. [8] considered Windows and Mac OS operating systems; the study considered only the traces left by the Tor Browser accessing the dark web in the host and designed a framework for Tor host trace study in general. Vatsavayi et al. [9] analyzed user activity using memory forensics. Chetry 2021 [10] presented the steps of an investigator's work against the dark web; the paper conforms to the general steps of an investigator, but the investigation evidence acquisition is incomplete. P. P. Sajan et al. [11] considered Windows system memory and system local files. Muir 2019 et al. [12] considered both online forensic and static analysis methods. Al Barghouthy et al. [13] considered evidence information in both scenarios, root mode and non-root mode; only root mode can get some information. Al Barghouthy 2014 [14] compared the image extraction results of rootkit mode and Recovery mode; both results are the same. Claudia Meda et al. [15] proposed the focus of Tor browser trace forensic analysis. Furthermore, Rathod et al. [16] discusses a framework for dark web forensics and argues that dark web forensics includes registry, network, memory, and data forensics as well as cryptocurrency wallet analysis. The related works of literature are summarized in Table 1.

3 APPROACH
Since many cybercriminal activities involve the dark web, such as buying and selling personal private information, purchasing drugs and guns, etc., some criminal suspects establish dark networks and engage in illegal activities through them. From the investigator's perspective, we designed a framework for dark network forensics (Figure 1). It consists of two main components, Tor browser forensics and dark web (web) forensics. Tor browser forensics focuses on obtaining evidence at the host side. Host forensics focuses on accessing the dark web through the Tor browser, making related
purchases or posting illegal information, and using bitcoin for transactions. Host forensics takes Windows systems as an example, and mainly includes registry, memory, hard drive files, and network forensics. Dark network (web) forensics focuses on remote server forensics, mainly for dark web sites established by users or dark web sites that publish illegal information on the dark web; we have discussed dark web forensics in our previous article [17], so we do not discuss it in this paper. The following section focuses on the design of experiments to obtain relevant evidence at the host side.
In order to collect the complete traces of the Tor browser, we designed the following experiment with a pure Windows 10 virtual machine with the latest Tor browser installed.

A Framework of Darknet Forensics AISS 2021, November 26–28, 2021, Sanya, China

3.1 Experiment Setup and tools
Build a pure Win10 virtual machine, install Tor Browser, access the explicit and dark web, close Tor Browser, and relate the Windows system. Use related tools to record registry, memory, capture packets, etc. (Figure 2). The detailed process is described in section 4.2. Tools used include VMware Workstation 15 Pro, torbrowser-install-win64-10.5.6_zh-CN, Regshot 1.9.0, Volatility 2.6, AccessData FTK Imager, Bulk Extractor, HxD, RawCap, NetworkMiner, Registry Viewer.

3.2 Procedure
First, prepare the Win10 operating system, install the Regshot software and save the first snapshot. Then, install the Tor browser, use Regshot to compare the registry changes, and save the second snapshot. Third, start capturing packets, use the Tor browser to visit Facebook, Telegram and dark web sites, and save the third snapshot. Fourth, close the Tor browser and stop the packet capture. The browsing modes for browsing websites include the regular privacy mode and the customized record-browsing-history mode. The browsing activity design is shown in Table 2. Memory data collection considers two modes, the browser open and the browser closed.

Figure 2: Procedure

4 ANALYSIS AND RESULTS
4.1 Registry analysis
Under the Win10 system, start the Regshot software, take the first snapshot, install the Tor browser (choosing to install only and not start immediately), take the second snapshot, and compare it with the first snapshot to find the changes made by the Tor browser (Table 3). Besides, we use AccessData Registry Viewer to analyze NTUSER.dat under the user of the Win10 system. Using the Tor browser as a keyword search, the analysis finds relevant information under six catalog items (Table 4). Through the registry analysis, the forensics personnel can obtain the Tor browser version, installation location and installation time installed by the user.

4.2 Memory analysis
Memory forensics can be analyzed with Volatility tools; commonly used plugins are cmdline, dlllist, dumpfiles, envars, pslist, pstree, shellbags, timeliner. Bulk Extractor can find website domain names, emails, and other useful information in memory, but after the Tor browser is closed it finds less than when the Tor browser is open (Figure 3, Figure 4); moreover, there is no user email information for the login to Facebook. Therefore, at the crime scene, ensure that the suspect's computer is not shut down and the Tor browser is not closed for volatile data extraction.
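The snapshot comparison of Sections 3.2 and 4.1 is performed by Regshot itself; the following is an added example, not the paper's code and not Regshot's output format, that does the same comparison in Python on two constructed snapshots, each modelled as a dictionary from registry value path to data, then applies the "Tor browser" keyword filter the paper uses on NTUSER.dat and derives the version and install location from the changed entries. The key paths and data (a MuiCache entry and an Open/Save MRU entry) are constructed for the example and are not the paper's Table 3 or Table 4 results; the installer file name is the one listed in Section 3.1.

```python
"""Diff two registry snapshots and pull out Tor Browser related changes.

Added example, not the paper's code. The two snapshots below are constructed
stand-ins for the Regshot 'before install' and 'after install' snapshots,
modelled as {value path: data}; the key paths and data are illustrative.
"""
import re
from dataclasses import dataclass, field

# Constructed snapshot 1: clean Win10 before the Tor Browser installer runs.
SNAPSHOT_BEFORE = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx": "ff ff ff ff",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName": "Windows 10 Pro",
}

# Constructed snapshot 2: after installing to the desktop without starting it.
SNAPSHOT_AFTER = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx": "00 00 00 00 ff ff ff ff",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName": "Windows 10 Pro",
    r"HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache"
    r"\C:\Users\lab\Desktop\Tor Browser\Browser\firefox.exe.FriendlyAppName": "Tor Browser",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\exe\0":
        "torbrowser-install-win64-10.5.6_zh-CN.exe",
}

# 'tor browser' / 'torbrowser'; a bare 'tor' would also hit Monitor, Editor, Directory.
TOR_KEYWORD = re.compile(r"tor ?browser", re.I)
INSTALLER_VERSION = re.compile(r"torbrowser-install(?:-win64)?-(\d+(?:\.\d+)+)", re.I)
FIREFOX_EXE = re.compile(r"([A-Z]:\\.*?\\Tor Browser)\\Browser\\firefox\.exe", re.I)


@dataclass
class RegistryDiff:
    added: dict = field(default_factory=dict)     # value path -> new data
    removed: dict = field(default_factory=dict)   # value path -> old data
    modified: dict = field(default_factory=dict)  # value path -> (old, new)


def diff_snapshots(before, after):
    """What changed between two {value path: data} snapshots."""
    d = RegistryDiff()
    for path, data in after.items():
        if path not in before:
            d.added[path] = data
        elif before[path] != data:
            d.modified[path] = (before[path], data)
    for path, data in before.items():
        if path not in after:
            d.removed[path] = data
    return d


def tor_related(diff, keyword=TOR_KEYWORD):
    """Changed value paths whose path or data mention the keyword."""
    hits = []
    for path, data in list(diff.added.items()) + list(diff.removed.items()):
        if keyword.search(path) or keyword.search(str(data)):
            hits.append(path)
    for path, (old, new) in diff.modified.items():
        if keyword.search(f"{path} {old} {new}"):
            hits.append(path)
    return sorted(hits)


def install_facts(diff):
    """Version and install directory recoverable from the added entries.
    Installation time is not part of a value-level diff like this one; it
    comes from the key's last-write timestamp in the hive itself."""
    facts = {}
    for path, data in diff.added.items():
        text = f"{path} {data}"
        m = INSTALLER_VERSION.search(text)
        if m:
            facts.setdefault("version", m.group(1))
        m = FIREFOX_EXE.search(text)
        if m:
            facts.setdefault("install_dir", m.group(1))
    return facts


if __name__ == "__main__":
    diff = diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    for path in tor_related(diff):
        print("Tor-related change:", path)
    print(install_facts(diff))
```

The modified MRUListEx value is reported by the diff but dropped by the keyword filter, which is the point of running the filter over the diff rather than over the whole hive: only entries that both changed during installation and name the browser are kept for the report.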
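Bulk Extractor's domain and e-mail carving described in Section 4.2 can be illustrated with a much smaller scanner; the block below is an added example, not the paper's code and not Bulk Extractor's, that carves domain names (including .onion) and e-mail addresses from a raw memory image and reports what disappears between a "browser open" and a "browser closed" dump. The image bytes, the domains and the e-mail address are constructed sample values. The scanner reads the bytes both as ASCII and as UTF-16LE, because Windows and the Firefox engine underneath Tor Browser keep many strings as UTF-16, which a plain byte-level grep over a dump misses.

```python
"""Carve domain names and e-mail addresses out of a raw memory image.

Added example, not the paper's code and far smaller than Bulk Extractor.
The image bytes are constructed to mimic the paper's observation: strings
visible while Tor Browser is open are largely gone after it is closed.
"""
import re
from collections import Counter

# Domain followed by one of a few TLDs; .onion covers the dark web sites.
DOMAIN_RE = re.compile(rb"(?<![\w.-])((?:[a-z0-9-]+\.)+(?:onion|com|org|net))(?![\w.-])", re.I)
EMAIL_RE = re.compile(rb"[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def _views(image):
    """Yield the image as raw bytes and as UTF-16LE text re-encoded to ASCII.
    Windows (and Firefox internally) store many strings as UTF-16LE, so a
    plain byte-level scan would miss them. Both byte alignments are tried."""
    yield "ascii", image
    for offset in (0, 1):
        chunk = image[offset:]
        chunk = chunk[: len(chunk) - len(chunk) % 2]
        text = chunk.decode("utf-16-le", errors="replace")
        yield f"utf16le+{offset}", text.encode("ascii", errors="replace")


def carve(image):
    """Count every domain and e-mail address found in any view of the image."""
    domains, emails = Counter(), Counter()
    for _, view in _views(image):
        for m in DOMAIN_RE.finditer(view):
            domains[m.group(1).decode().lower()] += 1
        for m in EMAIL_RE.finditer(view):
            emails[m.group(0).decode().lower()] += 1
    return {"domains": domains, "emails": emails}


def lost_after_close(open_result, closed_result):
    """Artefacts present in the 'browser open' dump but absent once closed,
    i.e. what is lost if the machine is not captured live."""
    return {kind: set(open_result[kind]) - set(closed_result[kind])
            for kind in ("domains", "emails")}


def build_image(tor_open):
    """Constructed stand-in for a memory dump (not real process memory)."""
    filler = b"\x00" * 64 + bytes(range(256)) + b"\x00" * 64
    parts = [filler]
    if tor_open:
        parts += [
            b"https://facebookcorewwwi.onion/login", filler,             # page URL
            "Telegram Web - Tor Browser".encode("utf-16-le"), filler,   # window title
            b"user.alias@example.com", filler,                          # form field
            "https://www.torproject.org/".encode("utf-16-le"), filler,  # UTF-16 URL
        ]
    else:
        parts += [b"www.torproject.org", filler]  # only a stale fragment survives
    return b"".join(parts)


if __name__ == "__main__":
    open_dump = carve(build_image(tor_open=True))
    closed_dump = carve(build_image(tor_open=False))
    print("open:", dict(open_dump["domains"]), dict(open_dump["emails"]))
    print("closed:", dict(closed_dump["domains"]), dict(closed_dump["emails"]))
    print("lost:", lost_after_close(open_dump, closed_dump))
```

Run against a real dump, `carve()` is only a triage step: a hit proves that the string was in physical memory, not which process owned it; pairing it with the Volatility `pslist`/`dumpfiles` output named in the paper is what ties a domain to the Tor Browser process.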
AISS 2021, November 26–28, 2021, Sanya, China Tao Leng and Aimin Yu
Figure 4: URL history (Tor browser closed)

4.3 Hard disk analysis
The image file was analyzed in [1], and information such as the public key was found. This result was also verified in our experiment. Now we will focus on the analysis of files such as profile.default and prefetch.

4.3.1 profile.default files. Use the Tor browser to visit the website, choosing between two modes, the default regular mode and the custom mode. In the custom mode, set it to remember browsing and download history, remember search and form history, and clear the history when you close the Tor browser. Analyze the database files under the profile.default file; the results are in Table 5. If you use the default Tor standard installation mode, the database file in the Tor browser installation directory will have no record. If you modify the installation mode and record information, you can find the browsing record in the database.

4.3.2 prefetch files. Through experiments, we can find three files related to the Tor browser in the Prefetch folder; use WinPrefetchView to load and view them (WinPrefetchView.exe /folder F:\anwang\results\pf), and you can get the Tor browser creation time, modification time, running times, and running time, as shown in Figure 5. This information can be correlated and analyzed with the case timeline.

Figure 7: bitcoin wallet forensic

6 CONCLUSION
In this paper, we described the composition and working principle of Tor, proposed a framework for dark web forensics, mainly based on the latest Tor browser under the Windows platform, and carried out registry, memory, file, network forensics and digital wallet forensics. Tor browsers on Android, Mac, Linux and the relationship data mining are our future work.

ACKNOWLEDGMENTS
Grant sponsored by Criminal Inspection Sichuan Provincial University Key Laboratory. Grant no: 2020ZD03.

REFERENCES
[1] Jadoon, A. K., Iqbal, W., Amjad, M. F., Afzal, H., & Bangash, Y. A. (2019). Forensic analysis of Tor browser: a case study for privacy and anonymity on the web. Forensic Science International, 299, 59-73.
[2] Darcie, W., Boggs, R. J., Sammons, J., & Fenger, T. (2014). Online anonymity: forensic analysis of the tor browser bundle. Technical Report, 1-34.
[3] Al-Khaleel, A., Bani-Salameh, D., & Al-Saleh, M. I. (2014, January). On the memory artifacts of the tor browser bundle. In The International Conference on Computing Technology and Information Management (ICCTIM) (p. 41). Society of Digital Information and Wireless Communication.
[4] A. Warren, Tor Browser Artifacts in Windows 10, (2017). Retrieved from SANS Institute website: https://www.sans.org/reading-room/whitepapers/forensics/tor-browser-artifacts-windows-10-37642
[5] Sandvik, R. A. (2013). Forensic Analysis of the Tor Browser Bundle on OS X, Linux, and Windows. Technical Report, 1-13.
[6] Huang, M. J. C., Wan, Y. L., Chiang, C. P., & Wang, S. J. (2018, October). Tor browser forensics in exploring invisible evidence. In 2018 IEEE International Conference on Systems, Man, and Cybernetics (SMC) (pp. 3909-3914). IEEE.
[7] Dayalamurthy, D. (2013). Forensic Memory Dump Analysis And Recovery Of The Artefacts Of Using Tor Bundle Browser – The Need.
[8] Kulm, A. (2020). A Framework for Identifying Host-based Artifacts in Dark Web Investigations.
[9] Vatsavayi, V. K., & Varma, K. S. (2021). Retrieving TOR Browser Digital Artifacts for Forensic Evidence. In Machine Intelligence and Soft Computing (pp. 265-274). Springer, Singapore.
[10] Chetry, A., & Sharma, U. (2021). Dark web Activity on Tor—investigation challenges and retrieval of memory artifacts. In International Conference on Innovative Computing and Communications (pp. 953-964). Springer, Singapore.
[11] P. P. Sajan and E. Al, "Tor Browser Forensics," Turkish Journal of Computer and Mathematics Education (TURCOMAT), vol. 12, no. 11, Art. no. 11, May 2021.
[12] Al Barghouthy, N., Marrington, A., & Baggili, I. (2013, March). The forensic investigation of android private browsing sessions using orweb. In 2013 5th International Conference on Computer Science and Information Technology (pp. 33-37). IEEE.
[13] Al Barghouthy, N., & Marrington, A. (2014, March). A comparison of forensic acquisition techniques for android devices: a case study investigation of orweb browsing sessions. In 2014 6th International Conference on New Technologies, Mobility and Security (NTMS) (pp. 1-4). IEEE.
[14] Claudia Meda, Mattia Epifani. (2016). Study and Analysis of Orweb Anonymizer on Android Devices. DFRWS EU 2016, 1-25.
[15] Muir, M., Leimich, P., & Buchanan, W. J. (2019). A forensic audit of the tor browser bundle. Digital Investigation, 29, 118-128.
[16] Rathod, D. (2017). Darknet forensics. future, 11, 12.
[17] Leng Tao, Gao Binhan, Xiong Yue, Xie Keng. Design and implementation of a monitoring platform based on dark network[J]. Network Security Technology and Applications, 2021(08):26-28.
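As an added example for the profile.default database analysis of Section 4.3.1 and the prefetch timeline correlation of Section 4.3.2 (not the paper's code): Tor Browser is built on Firefox, so the databases under profile.default follow the Firefox schema, in which places.sqlite keeps URLs in moz_places and individual visits in moz_historyvisits, with times stored as PRTime (microseconds since the Unix epoch). The block creates a constructed places.sqlite with only the columns it needs, reads the visits back through a read-only connection with the PRTime conversion, and merges them with a constructed prefetch run time of the kind WinPrefetchView displays into one ordered timeline. The two build modes mirror the paper's default mode (tables present but empty) and custom remember-history mode (rows present); the URLs, titles, timestamps and the prefetch record are constructed.

```python
"""Recover browsing history from a Tor Browser profile.default database.

Added example, not the paper's code. Tor Browser is built on Firefox, so
profile.default holds Firefox-format SQLite files; places.sqlite keeps URLs in
moz_places and individual visits in moz_historyvisits, with times stored as
PRTime (microseconds since the Unix epoch). Only the columns used here are
created, and every row is constructed for the example.
"""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def prtime_to_utc(microseconds):
    """PRTime -> timezone-aware datetime. Integer arithmetic avoids the
    float rounding of datetime.fromtimestamp(us / 1e6)."""
    return EPOCH + timedelta(microseconds=microseconds)


def build_profile_db(path, remember_history):
    """Write a constructed places.sqlite. With Tor Browser's default settings
    history is not kept, so the tables exist but stay empty; in the custom
    'remember history' mode visits accumulate until the browser is closed."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
            visit_date INTEGER, visit_type INTEGER);
    """)
    if remember_history:
        base = 1_633_000_000_000_000  # constructed: 2021-09-30 11:06:40 UTC
        con.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
            (1, "https://www.facebook.com/", "Facebook", 1, base),
            (2, "https://web.telegram.org/", "Telegram Web", 1, base + 120_000_000),
            (3, "http://exampleonionsite1234.onion/", None, 2, base + 600_000_000),
        ])
        con.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
            (1, 0, 1, base, 1),
            (2, 0, 2, base + 120_000_000, 1),
            (3, 0, 3, base + 300_000_000, 1),
            (4, 3, 3, base + 600_000_000, 1),  # second visit, reached from visit 3
        ])
    con.commit()
    con.close()


def history_entries(path):
    """All visits as (utc_iso_time, url, title), oldest first. The database is
    opened read-only so the evidence file is never modified."""
    con = sqlite3.connect(f"{Path(path).as_uri()}?mode=ro", uri=True)
    try:
        rows = con.execute("""
            SELECT v.visit_date, p.url, p.title
            FROM moz_historyvisits AS v JOIN moz_places AS p ON p.id = v.place_id
            ORDER BY v.visit_date, v.id""").fetchall()
    finally:
        con.close()
    return [(prtime_to_utc(t).isoformat(), url, title) for t, url, title in rows]


def onion_visits(entries):
    """Only the visits to dark web (.onion) sites."""
    return [e for e in entries if ".onion" in e[1]]


def timeline(entries, prefetch_runs):
    """Merge visits with (utc_iso_time, executable) prefetch run records, as
    WinPrefetchView reports them, into one ordered sequence of events."""
    events = [(t, "history", url) for t, url, _ in entries]
    events += [(t, "prefetch", exe) for t, exe in prefetch_runs]
    return sorted(events)


def demo(remember_history):
    """Build a constructed profile in a temporary directory and read it back."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "places.sqlite")
        build_profile_db(path, remember_history)
        return history_entries(path)


# Constructed prefetch record: the browser's firefox.exe last ran just before the first visit.
PREFETCH_RUNS = [("2021-09-30T11:05:55+00:00", "FIREFOX.EXE")]

if __name__ == "__main__":
    for mode in (False, True):
        entries = demo(remember_history=mode)
        print(f"remember_history={mode}: {len(entries)} visits, {len(onion_visits(entries))} to .onion")
    for event in timeline(demo(True), PREFETCH_RUNS):
        print(*event)
```

On a real profile the same query is run against a copy of places.sqlite taken from the forensic image (together with its -wal and -shm companions if present), and the ISO timestamps sort correctly only because every source is converted to UTC first; prefetch times exported in local time must be converted before merging.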