Why you should utilize the dark web in your investigation, where to begin and how to protect yourself (and your company) along the way.

When conducting an investigation, professionals have a vested interest in finding all information and context available. Where we look can be crucial to the success of an investigation, including in online sources. For the best outcome it’s important to become familiar with each layer of the web and how to search within them. To begin, we must understand the dark web, what information may be available there and the difference between each darknet.

Why use the dark web in investigations

For investigators in search of information, what they search for is rarely surface deep. Some investigations may take hours or even months of searching, following leads and sifting through dense evidence to determine what is useful. With all this time and effort, it would be a shame not to have the best resources at your fingertips.

While most internet traffic remains on the open web (or “surface”) web, sources may lead investigators to the dark web. Rather than leave those crucial bread crumbs unfollowed, investigators should learn how to safely access the dark web and what a powerful tool it can become.

What can be found on which darknets

There are several dark web services that can be used depending on what you’re looking for. Tor (The Onion Router) is the biggest but many may also find themselves in need of accessing Zeronet, Freenet and I2P. To find out what darknet might be best for what you’re researching, first consider how they each work and what kind of information can be found.

For more information on how the various darknets work, read the first blog in our dark web series, Understanding the Dark Web >

Tor, The Onion Router

Tor routes traffic through layers of nodes to create better anonymity to its users and sites. It is the largest dark web service, and everything from file shares to organizing political dissidents to dark marketplaces may be found there.

Even with all its layers of encryption, there are still security threats and tracking mechanisms in play. There are still ways of applying analytical methods on unique identifiers to track individuals, making it essential to take security into account when accessing the service.


ZeroNet provides peer-to-peer web hosting through a distributed model.

Since data is distributed amongst peers, each acting as a host in their own right, it is nearly impossible to shut down information. The requester can always find more peers to host and download from even if one is taken offline. This fact has made it more popular among criminals in recent years and particularly terrorist organizations. For example, the terrorist organization ISIS (Islamic State in Iraq and Syria) made the switch to ZeroNet in 2016.

The ability to keep content and access it offline once it is downloaded is another aspect that can be helpful for both good and bad actors. Investigators should keep in mind that ZeroNet is not anonymous by default when trying to access these private and public encryption keys.

I2P, Invisible Internet Project

As opposed to the file sharing and site traffic model of the previously mentioned darknets, I2P (Invisible Internet Project) is more focused on communication from peer to peer.

I2P is used for everything from chat services to content. Access is created by running the I2P software application in the background and using a regular browser. Each message is sent through a layered encryption tunnel, referred to as garlic routing, which only flows one way and expires after 10 minutes.

The communication on I2P is popular among criminals and those trying to circumvent censorship laws alike. Cybercriminals sometimes use the service to communicate about breached data, vulnerabilities or to sell malware; whereas dissidents may use it to speak out and receive unfiltered news.


Freenet is another peer-to-peer network that delivers decentralized data without censorship. There are two forms — “opennet” which is available to any user and “darknet” which only connects to known contacts who are found through public keys.

Similar to in Zeronet, data remains available even after one party disconnects.

Like I2P, Freenet is an application that runs in the background while utilizing existing browsers. This source is popular for “off-network” data storage. It can be useful for sharing large files privately, which can be for less notorious uses but is also popular amongst criminals. Cybercriminals specifically employ Freenet to deliver illegal and malicious content to verified customers. However, the service was originally used by dissidents to avoid censorship laws.

Where to look

So which one should you use? That depends on what you’re looking for.

Each dark web service has different advantages and may be utilized for different reasons. To recap:

  • Typical uses for Tor include being used by bad actors to host websites and forums, as well as dark marketplaces to sell malware and contraband; non-malicious actors also use it to spread information in censored countries
  • Less popular though still noteworthy, Zeronet is most often used to host websites that cannot be taken down and are viewable offline; it is most infamous for being utilized by terrorists like ISIS
  • I2P, on the other hand, is mostly used for encrypted communication; it is an alternative to Tor because it is less monitored
  • Freenet is often used as a delivery mechanism for selling breached data and malware

Combining dark web and OSINT

Any good investigator may already find themselves among a sea of information and may already be conducting open source intelligence gathering(otherwise known as OSINT, intelligence developed from sources that are free and publicly available). It’s important to remember that the dark web is part of OSINT — there is plenty of information to be found on sites open to anyone looking; however, the webmaster may be looking back.

Investigators need to protect themselves, their organization and their research and control the details they disclose to sites in the course of their investigation. Without proper management of their digital fingerprint, adversaries and investigative targets could use disclosed details to uncover their identity and intent, spoil the investigation or seek retribution.

Additionally, accessing the dark web has its own considerations in regards to internal policies as well as legality. To not run afoul of compliance teams, regulators or law enforcement, proper policy and audit capabilities need to be in place, including the ability to track what has been gathered and when.

For the best protection when using the dark web, use a purpose-built solution to protect yourself and your company, such as Silo for Research: Dark Web. Proper tools can help protect researchers from tipping off investigative targets, track activity and seamlessly integrate with your company’s current IT network and policies.

Learn more, visit our website or request a demo.


More from our dark web blog series

Dark web basics Dark web research