Computer Forensics on TOR
#1
Good day peeps.

I am currently working on a research paper/essay for uni on dark networks, and part of that paper needs to contrast the benefits and challenges of forensics on onion networks (and/or other popular dark networks).

My problem is - I can't think of a single advantage to forensics in these spaces. In many cases these networks and hidden services are specifically designed to be detrimental to the idea of forensics. 

So I guess the question is, if you were tracking down a criminal online - can you think of any benefits from using something like TOR or hidden services to track this person down? I guess this question could be looked at from the point of view that A) they aren't necessarily on the dark web themselves and you're just looking for information on them or B) You're trying to track them down on the dark web?

I dunno - I'm struggling to make sense of this. Any ideas/suggestions would be appreciated.
Reply
#2
There's no clear 'advantage' to being an investigator over Tor, for lack of a better description, given that Tor is made to make forensics harder, yes.
And no, I'm not saying impossible, for obvious reasons like fingerprinting and extensive use of JS (which is now disabled by default) to do all sorts of nasty stuff like STUN requests or whatever other funky xhr stuff goes on.
But, it's not really an 'advantage' considering it's all possible on any browser or regular internet connection.

The only advantage I can think of is if you're an agency (read: organization with enough legal power) and you can get an ISP to hand over a log of users who have used Tor in the last 30 days. Because let's be real, that number can be counted on one hand among the thousands of clients the ISP has who just use normal connections.

But of course, the agency would already need enough suspicion and reason to single-out a specific person already to check if they are using Tor based on ISP logs. So it's an advantage, but a very slight one since it implies you already fucked up somewhere else.
Reply
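The ISP-side check poppopret describes above, as an added example that is not part of the thread: match customer flow records against the addresses of known Tor relays and list who touched one inside a 30-day window. The relay table and the flow log are constructed here (documentation-range addresses, made-up timestamps); in practice the relay list would come from the Tor consensus or a bulk relay list and the flows from NetFlow/IPFIX export. The function and parameter names are this example's own.

```python
"""Flag ISP customers whose flows hit known Tor relays (added example).

The relay table and the flow records below are constructed for the example;
real data would come from the Tor consensus and from NetFlow/IPFIX records.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed relay table: address -> consensus flags.
TOR_RELAYS = {
    "198.51.100.10": {"Guard", "Fast"},
    "198.51.100.11": {"Guard", "Fast", "Stable"},
    "203.0.113.77": {"Exit", "Fast"},
}

# Constructed flow records: "timestamp src_ip dst_ip dst_port bytes".
FLOW_LOG = """\
2020-09-01T08:15:02 192.0.2.10 198.51.100.10 9001 48211
2020-09-01T08:16:40 192.0.2.10 93.184.216.34 443 1200
2020-09-03T22:01:11 192.0.2.10 198.51.100.11 443 65020
2020-09-04T10:00:00 192.0.2.25 93.184.216.34 443 900
2020-09-20T19:30:05 192.0.2.31 203.0.113.77 9001 3000
2020-07-15T12:00:00 192.0.2.40 198.51.100.10 9001 70000
"""


def parse_flows(text):
    """Parse the whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": str(ipaddress.ip_address(src)),
            "dst": str(ipaddress.ip_address(dst)),
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def tor_clients(flows, relays, now, days=30, require_guard=True):
    """Return {client_ip: [(timestamp, relay_ip), ...]} for clients that
    contacted a Tor relay within the last `days` days.

    With require_guard=True only flows to Guard-flagged relays count: a Tor
    client only ever opens circuits through its guard, so a flow to an
    exit-only relay is more likely a relay operator or a scanner than a user.
    """
    cutoff = now - timedelta(days=days)
    hits = defaultdict(list)
    for f in flows:
        if f["ts"] < cutoff:
            continue
        flags = relays.get(f["dst"])
        if flags is None:
            continue
        if require_guard and "Guard" not in flags:
            continue
        hits[f["src"]].append((f["ts"], f["dst"]))
    return dict(hits)


def suspects(text=FLOW_LOG, relays=TOR_RELAYS, now=datetime(2020, 9, 21),
             days=30, require_guard=True):
    """Run the check over the constructed data with a fixed 'now'."""
    return tor_clients(parse_flows(text), relays, now, days, require_guard)


if __name__ == "__main__":
    for client, events in suspects().items():
        print(client, len(events), "guard contacts in the window")
```

Two caveats a practitioner would add: the ISP only ever sees the client-to-guard hop, so this identifies Tor users, not what they did; and a client using a bridge (obfs4 or similar) never appears in the relay list at all, so an empty result is not proof of non-use.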
#3
(09-21-2020, 04:20 AM)poppopret Wrote: There's no clear 'advantage' to being an investigator over Tor, for lack of a better description, given that Tor is made to make forensics harder, yes.
And no, I'm not saying impossible, for obvious reasons like fingerprinting and extensive use of JS (which is now disabled by default) to do all sorts of nasty stuff like STUN requests or whatever other funky xhr stuff goes on.
But, it's not really an 'advantage' considering it's all possible on any browser or regular internet connection.

I mean, this has mostly been my take so far. It's causing me to struggle with this part of the assignment. I can't really come up with any benefit or advantage to forensics when it comes to the dark web. Not sure if it's just a badly worded statement and I've misunderstood something or what. But it's like, advantage or benefit compared to what? The regular web?

My only thought so far is really that perhaps there is a psychological aspect to people using dark nets. Like, they may inherently trust the technology and are less likely to take other precautions to protect their identity. But that's a bit of a flimsy argument.
Reply
#4
(09-21-2020, 12:17 AM)MuddyBucket Wrote: A) they aren't necessarily on the dark web themselves and you're just looking for information on them.

B) You're trying to track them down on the dark web?

Well, I'm not sure if there are many "forensic" views on these ideas, but I'm going to throw some ideas out there. If you're an actor with a lot of resources, such as an intelligence agency or maybe a darknet threat intel firm, there should be some ideas.


OSINT
Lawful interception
  • As poppopret mentioned. Send warrants for information to ISPs where guard nodes and exit nodes are present. Or even just normal residential ISPs.
  • Install backdoors in ISPs. Conduct live surveillance.
  • Follow the money. If we're assuming our target is using Tor as their modus operandi to gather financial assets, follow the money. From which bitcoin exchange did the target purchase it? The blockchain is open to everyone. Send a warrant and request passport information and the rest from the exchange. A good example of a darknet figure being caught through tracking money laundering (if I remember correctly) is the Freedom Hosting operator.

Un(lawful) interception
Reply
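The "follow the money" step above, as an added example that is not part of the post: walk forward from a suspect wallet address through the public ledger until the coins land in an address known to belong to an exchange, which is the point where a warrant to the exchange can attach a real identity. The ledger, the address names and the exchange deposit set are all constructed for the example (a real trace reads transactions from a full node or explorer API and gets the exchange's address set from the exchange or from clustering); the helper names are this example's own. The second function is the common-input-ownership heuristic, included because it is the standard way such traces grow the set of addresses attributed to one wallet.

```python
"""Trace coins from a suspect address to an exchange deposit (added example).

The ledger and the address labels below are constructed; real data would come
from a node or block-explorer API and the exchange set from the exchange.
"""
from collections import deque

# Constructed ledger: txid -> (input addresses, [(output address, amount)]).
LEDGER = {
    "tx1": (["market_hot_1"], [("mixer_in_a", 2.0), ("market_change", 0.4)]),
    "tx2": (["mixer_in_a"], [("hop_1", 0.9), ("hop_2", 1.1)]),
    "tx3": (["hop_1", "hop_2"], [("hop_3", 1.99)]),
    "tx4": (["hop_3"], [("exch_deposit_77", 1.5), ("hop_4", 0.48)]),
    "tx5": (["unrelated_1"], [("exch_deposit_12", 3.0)]),
}

# Constructed set of deposit addresses attributed to a KYC exchange.
EXCHANGE_DEPOSITS = {"exch_deposit_77", "exch_deposit_12"}


def spends_from(ledger):
    """Index address -> list of txids that spend an output held by it."""
    idx = {}
    for txid, (ins, _outs) in ledger.items():
        for addr in ins:
            idx.setdefault(addr, []).append(txid)
    return idx


def trace_to_exchange(ledger, seed, exchange_addrs, max_hops=10):
    """Breadth-first walk forward from `seed` over spending transactions.

    Returns (list of txids, exchange address) for the shortest path whose
    last transaction pays an exchange deposit address, or None if no such
    path exists within `max_hops` transactions.
    """
    idx = spends_from(ledger)
    queue = deque([(seed, [])])
    seen = {seed}
    while queue:
        addr, path = queue.popleft()
        if len(path) >= max_hops:
            continue
        for txid in idx.get(addr, []):
            new_path = path + [txid]
            for out_addr, _amount in ledger[txid][1]:
                if out_addr in exchange_addrs:
                    return new_path, out_addr
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, new_path))
    return None


def cluster_by_coinput(ledger):
    """Common-input-ownership heuristic: addresses spent together as inputs
    of one transaction are assumed to share an owner. Returns a set of
    frozensets, one per cluster (union-find with path halving)."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for ins, _outs in ledger.values():
        root = find(ins[0])
        for a in ins[1:]:
            parent[find(a)] = root
    clusters = {}
    for a in parent:
        clusters.setdefault(find(a), set()).add(a)
    return {frozenset(c) for c in clusters.values()}


if __name__ == "__main__":
    print(trace_to_exchange(LEDGER, "market_hot_1", EXCHANGE_DEPOSITS))
    print(cluster_by_coinput(LEDGER))
```

The walk is deliberately naive: it follows every output, so change addresses are chased as readily as payments, and a CoinJoin or a custodial mixer in the path means the "path" it returns is only one of many equally plausible ones. The value of the exercise in an investigation is the endpoint, not the route: once an exchange deposit is reached, the exchange's KYC records are what the warrant goes after.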

