Investigating Using the Dark Web
8 likes8,841 views
The document is a presentation by Chad Los Schumacher, team lead at ithreat cyber group, introducing the dark web and its components, including the deep web and surface web. It discusses the uses of the dark web, both positive and negative, how to access it using tools like Tor, and challenges faced during investigations. The presentation also highlights methods for uncovering connections between dark web and clear web entities.
Investigating Using the Dark Web
- 1. Investigating Using the Dark Web Chad Los Schumacher, Team Lead, iThreat Cyber Group
- 2. Introduction • About Chad Los Schumacher • Project manager and DNS investigator at iThreat Cyber Group • MS in Intelligence Analysis from Mercyhurst University • Has trained international LE, at conferences, and more • About iThreat Cyber Group • Assist clients in with intelligence programs • Provide tech enhanced services, enhanced data services, and SaaS • Founded in 1997 in Princeton, New Jersey
- 3. Have you used Tor/the Dark Web? a. Yes, and I’m familiar. b. Yes, a few times. c. No, but I’ve seen it used. d. No, and I have no experience. Quick Poll
- 4. Session Objectives • Define what the dark web is • Locate common hubs and key resources • Introduce tools/methods for unmasking dark web sites
- 5. Warning… • The dark web is filled with some awful things that cannot be unseen • Ask yourself if this is really the job for you before starting • Review the risk/reward as it may create other headaches
- 6. Understanding the Parts of the Web Deep web: Information that is more hidden or restricted, such as academic databases, newspaper archives, etc. Surface web: Where most of your day-to-day activity takes place, sites visible to search engines. Dark web: Internet within an internet, designed to be anonymous and obfuscated
- 7. Key Differences • Requires special software to access, an Internet within an Internet • Resistant to indexing, not easily searched • Indices are similar to Yahoo! in 1995 (Directories vs. Search Engine) • Communications within the network are always encrypted
- 8. Uses for the Dark Web For better… • To circumvent government censorship • To provide whistleblowers protection • To avoid monitoring For worse… • Enables sales of illegal firearms, drugs, counterfeits, etc. • Human exploitation (porn, trafficking, etc). • Hire hitmen, hackers, etc.
- 9. Three Major Dark Webs • The Onion Router (Tor) - Focus for this presentation • The biggest, most well known dark web. • Most Internet-like • Invisible Internet Project (I2P) • Up and coming • Focuses on services (ie: instant messaging, email, websites, etc). • Freenet • Distributed file sharing • Offers communications
- 10. How Tor Works
- 11. About .onion Sites • Can only be accessed when using Tor • No master database of all .onion sites • Use of Tor allows for the creation of .onion sites • Domains are randomly generated, either 16 or 56 characters long
- 12. Challenges with Tor Investigations • The network was designed to provide anonymity • Best chance at unmasking means finding a clear web connections • They don’t take PayPal, so be ready for Bitcoin • Accounts need to be anonymized and not tied to your person • There’s no Google, so you may not find what you’re after • Cultural distrust of others
- 13. WHERE TO BEGIN Locating Starting Points & Accessing
- 14. Google It! • Using Google/Bing provide excellent list of starting points • Reddit, Twitter discuss dark web markets in open (r/deepweb) • Dedicated sites in open web help new users find dark web markets (deepdotweb.com, darkwebnews.com) • May have to get into deep web to find other markets Deepdotweb.com
- 15. Searching the “Search Engines” • Several Tor “search engines” exist that claim to scan/index Tor sites • Each use their own techniques • Nowhere near the power/sophistication of Google, Yahoo, etc • Typically unreliable – data can be stale • Biggest names: ahmia.fi and Torch Tor Search Engine
- 16. Other Lists/Resources • Hunchly Daily Hidden Service • New .onions found daily by Justin Seitz at Hunchly – darkweb.hunch.ly • Reddit • https://www.reddit.com/r/onions/search?q=url%3A.onion& sort=new&restrict_sr=on
- 17. Two Fast Ways to Access Tor Browser • Developed by Tor Project • Custom version of Firefox • Provides plugins and tips to keep you anonymous • This is the best/safest option Tor2Web Gateways • Add .to, .casa, .direct, or .rip to access Onion sites directly • These are often run by individuals or organizations • It is unclear what some are doing with the data (especially .link) • Use with caution! • Ex: facebookcorewwwi.onion.to
- 18. BRINGING THE DARK TO THE LIGHT Techniques and Tools
- 19. Find Clear Web Mentions • Do you see any of the following referenced? • A clear web domain (example.com, example.net, etc) • A social media account like Facebook or Twitter • A clear web email (Gmail, Hotmail, or other custom domain) • Payment methods like PayPal, Venmo, Zelle, etc. • Right click on the page and select “View Page Source” • Search the page for .com, .net, @gmail.com, etc for potential hidden links • Webmasters may make mistakes and point to a clear web domain instead of a .onion These data points are present more often than you think!
- 20. Examples of Clear Connections psychonaut3z5aoz.onion a9a19b3635191ebe97b9d3f61addc93a.endcha n5doxvprs5.onion
- 21. Do Not Underestimate This! • Ross Ulbricht advertised Silk Road on a bitcoin forum – a breakthrough discovered by a tax investigator using Google • Vanity Jones, a major player on Silk Road, was ousted as Thomas Clark when his identity discovered on an old cannabis forum • David Ryan Burchard attempted to trademark his brand of marijuana sold on the dark web in his name
- 22. Leaking IP Address with Censys.io • Service scans IP address space for running services and makes it searchable by domain or IP address • Entering a .onion can return an IP if a server is misconfigured
- 23. Example of Leaking .onion
- 24. Check for Sites on the Same Server • Only works for sites running Apache web server • Visiting example.onion/server-status can reveal: • Server information (operating system, uptime status, creation date) • Other domains using the same server • IP addresses accessing the server • What resources (pages, images, etc) are being accessed
- 25. Example Apache Server Status Page
- 26. In Conclusion • Covered definitions of the dark web, how Tor works • Reviewed where to find dark web sites and resources • Provided resources and ways to potentially de-anonymize a .onion
- 27. Thank you for participating Contact Chad Los Schumacher cls@icginc.com / inquiries@icginc.com @itisjustchad https://www.linkedin.com/in/chadls/ Contact i-Sight j.gerard@i-sight.com Find more free webinars: http://www.i-sight.com/resources/webinars @isightsoftware
Editor's Notes
- #3: Introduction of myself and iThreat. Overview for iThreat: We assist companies in their intelligence programs no matter where they are in their program. We do everything from supplying data and alerts to embedding analysts part or full time and have software that can make the management of data easier. Our key services with this include monitoring and investigations.
- #7: Graphic: https://i1.wp.com/techlog360.com/wp-content/uploads/2017/04/Darknet-vs-Dark-Web-vs-Deep-Web-vs-Surface-Web.jpg?fit=900%2C500&ssl=1 Discuss what the dark web is, some of the software used (Tor being the biggest), and show how it fits into the iceberg image. Freenet is a peer-to-peer platform for censorship-resistant communication and publishing. I2P is an anonymous overlay network - a network within a network. It is intended to protect communication from dragnet surveillance and monitoring by third parties such as ISPs. I2P is used by many people who care about their privacy: activists, oppressed people, journalists and whistleblowers, as well as the average person. No network can be "perfectly anonymous". The continued goal of I2P is to make attacks more and more difficult to mount. Its anonymity will get stronger as the size of the network increases and with ongoing academic review.
- #11: Quick overview of how Tor works. Traffic entering and within the network is encrypted Traffic exiting the network is unencrypted, but is meaningless to the operator of the exit node The same route is never taken twice