Tapping into the Dark Side

By Jordan Cortado on November 15, 2024

Introduction

One of the uncanny sections of cyberspace is the dark web. When first learning about how the internet works, many do not go to the depths of the dark web. This is in large part due to the dark web representing a sanctuary for illicit activities like unauthorized markets, prohibited communications, and various forms of cybercrime. To foster cybersecurity enrichment, digital forensics professionals employ specialized knowledge, diving deep into the corners and crevices of the dark web.

Background

The vast landscape of the World Wide Web can be split into two parts, the surface web and the deep web. The surface web covers the normal day-to-day activities that users access regularly through web browsers such as Google Chrome, Mozilla Firefox, etc. Beneath the surface lies the deep web, a portion of the internet that cannot be easily accessed through normal search engines. Within the deep web is a subset known as the dark web, the least accessible portion, which requires specialized software or tools such as The Onion Router (Tor) or the Invisible Internet Project (I2P) to access [1]. The complexity and dangers of the dark web make it crucial to tread cautiously, avoiding any trace of a digital footprint that could expose an investigator’s identity and intent.

Impact of the Dark Web

The reputation of the dark web has changed since its original creation. To many, the dark web is recognized as a criminal hub, where criminals take advantage of the privacy, anonymity, and encryption of the dark web to hide their identity and activity. As a result, the dark web can be home to various types of cyber challenges and crimes. These include [1, 11]:

  • Marketplaces selling illegally obtained items (personal information, stolen credentials, data breach information)
  • Malicious insider recruitment
  • Forged/fake data
  • Malware distribution
  • Cryptocurrency laundering

Despite the dangers of the dark web, there is benefit to the anonymous nature it holds. This was the case in the original intent of the dark web [4]. A prominent example is whistleblowers, individuals who report information about activity that is deemed illegal, immoral, unsafe, etc. [12]. Usually part of the organization or party they are reporting on, whistleblowers look to the dark web for impunity. This is a way to shed light on current dangers that may have remained buried had they not been disclosed anonymously.

Investigating the Dark Web

In a combined effort, law enforcement, cybersecurity professionals, and digital forensic investigators must work together in order to traverse through the complexities that the dark web poses. Investigators must have expertise in understanding cyberspace with technical skills, legal awareness, and proficiency in deep/dark web navigation [9, 10]. Moreover, the investigators must have a mindset that embodies curiosity, perseverance, innovation, adaptability, and critical thinking to push through analysis [9]. Merging this with other forensic methods such as web crawling, data analytics, and memory dump analysis, digital detectives will be able to trace criminal activity through the dark web.

A specific technique that digital forensic detectives must have proficiency in is Open Source Intelligence (OSINT), the process of gaining and analyzing publicly available information to assess threats, make decisions or answer questions [7]. This is put into practice through research, examination, analysis, and investigation of the dark web. Therefore, investigators who excel in OSINT may uncover key dark web artifacts such as encryption keys, darknet addresses, stolen data from data breaches, and malicious TTP trends [2, 10].

Cyber Threat Intel

Oftentimes, the dark web consists of forums and communities where information is shared and bartered [10]. As a result, one of the biggest benefits the cybersecurity realm can gain from investigating the deep dark web is cyber threat intelligence (data collected from various sources that provides insights into threat actors, their techniques, and vulnerabilities that can be exploited) [5]. Cybercriminals tend to openly share their tactics, techniques, and procedures (TTPs) among themselves [8]. Given this, organizations looking to capitalize on the dark web may find valuable insights into their cybersecurity and data. For example, a company monitoring the dark web may find that some of their subordinates’ credentials are illegally for sale in an illicit marketplace [3]. With this in mind, the organization can confront this and perform its incident response well in advance, in an effort to minimize damage and/or act before the information becomes public. Furthermore, other cyber threat intelligence to be gained from the dark web can include planned attacks against their organization and potential insider threats [8].
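The credential-exposure scenario above, sketched as an added example that is not part of the original article: it triages a recovered listing against a directory snapshot so incident response can start early. The listing, directory, domain, key, and all function names are constructed assumptions.

```python
import hashlib
import hmac

ORG_DOMAIN = "example.com"             # assumption: the organization's mail domain
CASE_KEY = b"constructed-case-key"     # assumption: per-case secret kept outside the case file

# Constructed sample of a "user:password" listing found during monitoring (not real data).
LISTING = """\
alice@example.com:Winter2024!
bob@EXAMPLE.com:hunter2
erin@example.com:abc123
mallory@other.org:letmein
not-a-credential-line
alice@example.com:Winter2024!
dave@example.com:P@ss:word
"""

# Constructed directory snapshot: account -> status.
DIRECTORY = {
    "alice@example.com": "active",
    "bob@example.com": "disabled",
    "dave@example.com": "active",
}

def parse_listing(text, domain):
    """Yield (account, fingerprint) for well-formed, de-duplicated entries in our domain."""
    seen = set()
    for raw in text.splitlines():
        # Split on the first colon only, so passwords containing ':' stay intact.
        user, sep, secret = raw.strip().partition(":")
        user = user.lower()
        if not sep or not secret or not user.endswith("@" + domain):
            continue
        # Keyed fingerprint: lets analysts correlate entries without storing the plaintext.
        fp = hmac.new(CASE_KEY, secret.encode(), hashlib.sha256).hexdigest()[:12]
        if (user, fp) not in seen:
            seen.add((user, fp))
            yield user, fp

def triage(text, domain, directory):
    """Map each exposed account to a response action based on its directory status."""
    actions = {}
    for user, fp in parse_listing(text, domain):
        status = directory.get(user, "unknown")
        action = {"active": "force-reset+revoke-sessions",
                  "disabled": "confirm-disabled"}.get(status, "investigate-unknown-account")
        actions[user] = {"status": status, "action": action, "fingerprint": fp}
    return actions

if __name__ == "__main__":
    for account, row in triage(LISTING, ORG_DOMAIN, DIRECTORY).items():
        print(account, row)
```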

Another form of cyber threat intelligence that can be gained from the dark web is indicators of compromise (IoCs). According to Fortinet, an IoC is data that indicates a system may have been infiltrated by a cyber threat [6]. This is critical information that organizations can keep in their logs while staying informed about current hacker groups and aliases. When examining the dark web, forensic experts can identify common names/aliases and analyze their communications with one another. Common trends can lead to the detection of a hacktivist group, file names, and/or names of new TTPs.

Conclusion

Empowered by specialized skills and knowledge, digital forensic investigators play a significant role in disputing and detecting cybercrime. Rather than avoiding the dark web, exploring it can lead to invaluable insights that can bolster the cybersecurity of an organization. Digital forensic experts must acknowledge this and leverage the dark web as a tool that can provide digital evidence for cybercrime, enhance cyber threat intelligence, and fortify cybersecurity efforts.

References

[1] Ali, N. (2024, March 12). What is the dark web and its implications on cyber threats? TSC. https://thesecuritycompany.com/the-insider/what-is-the-dark-web-and-its-implications-on-cyber-threats/

[2] Authentic8. (n.d.). The online investigators’ definitive guide to the dark web. silo. https://corpweb-origin.authentic8.com/sites/default/files/content/PDF_files/authentic8_gd_dark_web_investigations_v3%20(1).pdf

[3] Dark Web Investigation: Uncover Stolen Data on the Darknet. PREBYTES. (n.d.). https://www.prebytes.com/en/solutions/dark-web-investigation

[4] Five Things to Know About the Dark Web. Peraton. (2024, August 28). https://www.peraton.com/news/five-things-to-know-about-the-dark-web/

[5] Goodman, C. (2024, October 21). What is Cyber Threat Intelligence? Balbix. https://www.balbix.com/insights/cyber-threat-intelligence-guide/

[6] Indicators of Compromise (IoCs). Fortinet. (n.d.). https://www.fortinet.com/resources/cyberglossary/indicators-of-compromise

[7] Lindemulder, G., & Forrest, A. (2024, August 23). What is OSINT (open-source intelligence)? IBM. https://www.ibm.com/topics/osint

[8] Rodriguez, S. L. (2024, July 11). Where to Gather Intelligence for Deep and Dark Web Investigations. Maltego. https://www.maltego.com/blog/where-to-gather-intelligence-for-deep-dark-web-investigations/

[9] Singhal, A. (2023, December 30). Uncovering the Dark Web: A Digital Detective’s Guide to Investigation. Hawk Eye Forensic. https://hawkeyeforensic.com/2023/12/30/uncovering-the-dark-web-a-digital-detectives-guide-to-investigation/

[10] Tolman, J. (2023, October 20). How Digital Forensics Can Investigate the Dark Web. Security Boulevard. https://securityboulevard.com/2023/10/how-digital-forensics-can-investigate-the-dark-web/

[11] EC-Council University. (2024, July 31). Exploring the Dark Web and Its Dangers. https://www.eccu.edu/blog/technology/the-dark-web-and-its-dangers/

[12] What is a Whistleblower? National Whistleblower Center. (2021, April 19). https://www.whistleblowers.org/what-is-a-whistleblower/