Dark web and anonymous network forensics involves tracing activities conducted through privacy tools like Tor and I2P, where evidence extraction focuses on client-side artifacts rather than direct network interception due to layered encryption and routing.
Investigators examine browser caches, memory residues, configuration files, and endpoint logs to prove access to .onion sites or hidden services, despite design goals of anonymity.
This specialized area supports legal cases involving illicit marketplaces, data leaks, or coordinated cybercrime, balancing privacy protections with evidentiary needs in computer and cyber forensics.
Tor Network Fundamentals
Tor (The Onion Router) routes traffic through volunteer relays using layered encryption, creating circuits that obscure origin and destination.

Forensics targets client endpoints, as network traffic appears anonymized.
Client-Side Artifacts from Tor Usage
Tor leaves detectable traces on host systems despite anti-forensic measures.
Tor Browser stores URLs, downloads, and form data in isolated SQLite databases inside its profile directory (/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/places.sqlite).
Cache files (.cache) hold .onion site resources; prefs.js records bridge configuration and new-identity usage.

Memory forensics recovers circuit details and visited sites even after the browser has been closed.
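As an added example (not code from the original page), the following Python script shows how the places.sqlite artifact named above is queried for .onion visits. The table and column names are the real Firefox/Tor Browser ones, trimmed to a subset; the history rows, hostnames and timestamps are constructed placeholders, and the database is built in a temporary directory so the script runs offline. The caveat it encodes: a default Tor Browser profile runs in private-browsing mode and writes no history, so an empty result is the normal case and a populated table is itself a finding.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from urllib.parse import urlparse

# Subset of the Firefox / Tor Browser places.sqlite schema (real table and column
# names, trimmed to what the query needs). Timestamps are PRTime values:
# microseconds since the Unix epoch.
PLACES_SCHEMA = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY,
    url LONGVARCHAR,
    title LONGVARCHAR,
    visit_count INTEGER DEFAULT 0,
    last_visit_date INTEGER
);
CREATE TABLE moz_historyvisits (
    id INTEGER PRIMARY KEY,
    from_visit INTEGER,
    place_id INTEGER,
    visit_date INTEGER,
    visit_type INTEGER
);
"""

# Constructed sample history. The .onion hostnames are placeholders, not real services.
SAMPLE_PLACES = [
    (1, "http://placeholderhiddenservice.onion/", "Placeholder hidden service", 2, 1_700_000_300_000_000),
    (2, "https://check.torproject.org/", "Tor check", 1, 1_700_000_060_000_000),
    (3, "http://anotherplaceholder.onion/market", "Placeholder market", 1, 1_700_000_200_000_000),
]
SAMPLE_VISITS = [
    (1, 0, 2, 1_700_000_060_000_000, 1),
    (2, 2, 1, 1_700_000_120_000_000, 1),
    (3, 0, 3, 1_700_000_200_000_000, 1),
    (4, 0, 1, 1_700_000_300_000_000, 1),
]


def prtime_to_utc(prtime):
    """Convert PRTime (microseconds since 1970-01-01 UTC) to an aware datetime."""
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)


def is_onion_url(url):
    """True only when the host itself is under .onion, not merely when '.onion' appears in the URL."""
    host = urlparse(url).hostname or ""
    return host.endswith(".onion")


def extract_onion_visits(db_path):
    """Return (visit_time_utc, url, title) for every recorded .onion visit, oldest first.

    An empty result is normal for an untouched Tor Browser profile: it runs in
    private-browsing mode and does not write history. Rows here mean the user
    changed that setting, which is itself worth recording in the report.
    """
    # Read-only URI open so the working copy of the evidence is never modified.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute(
            "SELECT v.visit_date, p.url, p.title "
            "FROM moz_historyvisits AS v JOIN moz_places AS p ON p.id = v.place_id "
            "ORDER BY v.visit_date"
        ).fetchall()
    finally:
        conn.close()
    return [(prtime_to_utc(ts), url, title) for ts, url, title in rows if is_onion_url(url)]


def build_sample_db(path):
    """Write the constructed history into a places.sqlite-shaped file at PATH."""
    conn = sqlite3.connect(path)
    try:
        conn.executescript(PLACES_SCHEMA)
        conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", SAMPLE_PLACES)
        conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", SAMPLE_VISITS)
        conn.commit()
    finally:
        conn.close()


def run_demo():
    """Build the sample database in a temp directory and return the .onion visits."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "places.sqlite")
        build_sample_db(db)
        return extract_onion_visits(db)


if __name__ == "__main__":
    for when, url, title in run_demo():
        print(f"{when.isoformat()}  {url}  ({title})")
```

The host check via urlparse avoids the false positives a plain `LIKE '%.onion%'` would produce on query strings or clearnet hostnames that merely contain the substring; on a real profile, point `extract_onion_visits` at a forensic copy of places.sqlite rather than the live file.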
I2P and Other Anonymous Networks
I2P (Invisible Internet Project) uses garlic routing for peer-to-peer anonymity, hosting eepsites instead of clearnet exits.
Client tunnels (inbound/outbound) persist; netDb stores peer info. Artifacts mirror Tor: i2prouter config, tunnel lists in ~/.i2p/router.xml. Browser histories and caches reveal eepsite access.
Distinctions: I2P focuses on internal services rather than clearnet exits; forensics parses garlic-routing metadata.
Memory and Registry Forensics
Post-session, artifacts persist 10+ hours in RAM; carve browser SQLite fragments from the memory image.
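As an added example (not from the original page), this Python script carves two of the artifact types the section mentions out of a raw memory image: v3 onion-service hostnames and SQLite file headers that mark where database fragments begin. Random 56-character base32 runs are common in memory, so each onion candidate is validated by recomputing the address checksum defined in Tor's rend-spec-v3 (SHA3-256 over ".onion checksum" || public key || version). The "memory image" is a constructed byte string, and the 32-byte key used to build the valid address is a fake, not a real service key.

```python
import base64
import hashlib
import re

# v3 onion label: 56 base32 chars = 32-byte ed25519 key + 2-byte checksum + 1 version byte.
ONION_V3_RE = re.compile(rb"(?<![a-z2-7])([a-z2-7]{56})\.onion(?![a-z0-9])")
SQLITE_MAGIC = b"SQLite format 3\x00"


def onion_v3_checksum(pubkey, version=b"\x03"):
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version), per rend-spec-v3."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def encode_onion_v3(pubkey):
    """Build the .onion hostname for a 32-byte ed25519 public key."""
    version = b"\x03"
    raw = pubkey + onion_v3_checksum(pubkey, version) + version
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_valid_onion_v3(label):
    """Reject random base32 runs: decode, check the version byte, recompute the checksum."""
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if len(raw) != 35 or raw[34:35] != b"\x03":
        return False
    return raw[32:34] == onion_v3_checksum(raw[:32], raw[34:35])


def carve_onion_addresses(data):
    """Return sorted unique, checksum-valid v3 addresses found in a raw memory image."""
    found = set()
    for m in ONION_V3_RE.finditer(data):
        label = m.group(1).decode("ascii")
        if is_valid_onion_v3(label):
            found.add(label + ".onion")
    return sorted(found)


def find_sqlite_headers(data):
    """Offsets of every SQLite file header; each is a start point for carving a database fragment."""
    return [m.start() for m in re.finditer(re.escape(SQLITE_MAGIC), data)]


# Constructed "memory image": a fake public key (not a real service), one valid
# address, one address with a corrupted checksum, and two SQLite headers.
_FAKE_PUBKEY = bytes(range(32))
VALID_ONION = encode_onion_v3(_FAKE_PUBKEY)
_bad_checksum = bytes(b ^ 0xFF for b in onion_v3_checksum(_FAKE_PUBKEY))
CORRUPT_ONION = base64.b32encode(_FAKE_PUBKEY + _bad_checksum + b"\x03").decode("ascii").lower() + ".onion"

SAMPLE_DUMP = (
    b"\x00" * 64
    + b"GET http://" + VALID_ONION.encode() + b"/login HTTP/1.1\r\n"
    + b"\x90" * 32
    + SQLITE_MAGIC + b"\x10\x00\x01\x01\x00\x40\x20\x20"   # page size 4096, file format v1
    + b"\x00" * 48
    + b"referrer=http://" + CORRUPT_ONION.encode() + b"/\x00"
    + b"\xff" * 16
    + SQLITE_MAGIC + b"\x00" * 16
)


def summarize(data):
    """Convenience wrapper: (valid onion addresses, sqlite header offsets)."""
    return carve_onion_addresses(data), find_sqlite_headers(data)


if __name__ == "__main__":
    addrs, offsets = summarize(SAMPLE_DUMP)
    print("onion addresses:", addrs)
    print("sqlite headers at:", offsets)
```

On a real image, read the dump in chunks with an overlap of at least 62 bytes so an address straddling a chunk boundary is not missed; the header offsets feed a carver that reads the page size from the header and copies whole pages out for later parsing with sqlite3.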
Browser and Cache Analysis
Detailed parsing reconstructs sessions.
WebCacheV2.dat holds thumbnails; sessionstore.js snapshots tabs. Tor-specific: State directory (/var/lib/tor) logs hidden service descriptors. Downloads folder timestamps files from markets.
Cross-validate with host artifacts (e.g., USB device history when a bootable Tor Browser Bundle was used).
Legal and Ethical Considerations
Investigations respect jurisdictional limits on anonymity tools.
Prove access intent by correlating dark web artifacts with crimes (e.g., purchase logs plus seized drugs). Warrants cover endpoint imaging; international cooperation for exit-node logs is rare. Ethical boundaries exclude proactive deanonymization absent suspicion.
Workflow: Image → Volatility scan → Browser parse → Timeline → Attribution.
Challenges: VM fingerprinting resistance and bridge obfuscation; memory analysis still yields the most despite evasion.
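As an added example (not from the original page), this Python script implements the Timeline step of the workflow above and the cross-validation the Browser and Cache Analysis section calls for. The sources named on the page encode time differently: places.sqlite uses PRTime (microseconds since 1970), the Downloads folder carries POSIX mtimes (seconds since 1970), and WebCache .dat files and the registry use Windows FILETIME (100-nanosecond ticks since 1601). The script normalises all three to UTC, sorts them into one timeline, and lists which other artifacts fall within a window around each .onion visit. The events, file names and hostnames are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_utc(kind, value):
    """Normalise one timestamp to an aware UTC datetime according to its source encoding."""
    if kind == "prtime":     # places.sqlite: microseconds since 1970-01-01
        return datetime.fromtimestamp(value / 1_000_000, tz=timezone.utc)
    if kind == "unix":       # file system mtime, setupapi log: seconds since 1970-01-01
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if kind == "filetime":   # Windows FILETIME (WebCache, registry): 100-ns ticks since 1601-01-01
        return FILETIME_EPOCH + timedelta(microseconds=value // 10)
    raise ValueError(f"unknown timestamp kind: {kind}")


def build_timeline(raw_events):
    """raw_events: iterable of (kind, value, source, description).

    Returns a list of (utc_datetime, source, description) sorted by time.
    """
    timeline = [(to_utc(kind, value), source, desc) for kind, value, source, desc in raw_events]
    timeline.sort(key=lambda e: e[0])
    return timeline


def events_near(timeline, anchor, window):
    """Entries within +/- window (a timedelta) of the anchor event, excluding the anchor itself."""
    when = anchor[0]
    return [e for e in timeline if e != anchor and abs(e[0] - when) <= window]


# Constructed events from the artifact sources the page names; nothing here is real case data.
SAMPLE_EVENTS = [
    ("unix", 1_700_000_000, "setupapi.dev.log", "USB mass-storage device first connected"),
    ("prtime", 1_700_000_120_000_000, "places.sqlite", "visit http://placeholderhiddenservice.onion/market"),
    ("unix", 1_700_000_240, "Downloads/", "mtime of order-confirmation.pdf"),
    ("filetime", 133_444_739_000_000_000, "WebCacheV2.dat", "thumbnail cached for placeholder market page"),
    ("prtime", 1_700_090_000_000_000, "places.sqlite", "visit https://check.torproject.org/"),
]


def run_demo(window=timedelta(minutes=10)):
    """Build the timeline and, for each .onion visit, collect the artifacts within the window."""
    timeline = build_timeline(SAMPLE_EVENTS)
    onion_visits = [e for e in timeline if e[1] == "places.sqlite" and ".onion" in e[2]]
    correlated = {v[2]: events_near(timeline, v, window) for v in onion_visits}
    return timeline, correlated


if __name__ == "__main__":
    timeline, correlated = run_demo()
    for when, source, desc in timeline:
        print(f"{when.isoformat()}  {source:18}  {desc}")
    for visit, near in correlated.items():
        print(f"\n{visit} correlates with:")
        for when, source, desc in near:
            print(f"  {when.isoformat()}  {source}  {desc}")
```

The window size is an analyst choice; a download and a cache thumbnail a few minutes after a visit support the "access with intent" argument the Legal section describes, whereas the next-day clearnet visit drops out because it is outside the window.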