Why you should use the dark web in your investigation, where to begin and how to protect yourself (and your company) along the way.

When you embark on an online investigation, you often have to explore beyond the surface web via dark web investigations to uncover critical intelligence that isn’t visible through traditional Google searches. You have to understand each layer of the internet to conduct an effective online investigation, from the open web to the darknets that host hidden forums, marketplaces, and data sources. Once you learn how to safely navigate platforms like Tor, I2P, Freenet, and ZeroNet, you can uncover invaluable insights while controlling and protecting your digital footprint throughout the process.

Why should you use the dark web in investigations?

For investigators in search of information, what they search for is rarely surface deep. Some investigations may take hours or even months of searching, following leads and sifting through dense evidence to determine what is useful. With all this time and effort, it would be a shame not to have the best resources at your fingertips.

While most internet traffic remains on the open (or surface) web, effective dark web investigations often trace leads into hidden networks that reveal threat actor activity and stolen data. Rather than leave those crucial breadcrumbs unfollowed, investigators should learn how to safely access the dark web, as it can become a powerful tool.

What can be found on each darknet?

There are several dark web services you can use, depending on what you’re looking for. Tor (The Onion Router) is the most well-known, but many may also find they need to access ZeroNet, Freenet and I2P. To find out which darknet might be best for what you’re researching, first consider how they each work and what kind of information you can find with them.

For more information on how the various darknets work, read the first blog in our dark web series, Understanding the Dark Web.

Tor, The Onion Router

Tor routes traffic through layers of nodes to create better anonymity for its users and sites. It is the largest dark web service, and you can find everything from file shares to organizing political dissidents to dark marketplaces.

Even with all its layers of encryption, Tor is still subject to security threats and tracking mechanisms. Analytical methods can be applied to unique identifiers to track individuals, making it essential to take security into account when accessing the service.

ZeroNet

ZeroNet provides peer-to-peer web hosting through a distributed model.

Since data is distributed amongst peers, each acting as a host in their own right, it is nearly impossible to shut down information. The requester can always find more peers to host and download from even if one is taken offline. This has made it more popular among criminals, particularly terrorist organizations, in recent years. For example, the terrorist organization ISIS (Islamic State in Iraq and Syria) made the switch to ZeroNet in 2016.

The ability to keep content and access it offline once it is downloaded is another aspect that can be helpful for both good and bad actors. Investigators should keep in mind that ZeroNet is not anonymous by default when trying to access these private and public encryption keys.

I2P, Invisible Internet Project

As opposed to the file sharing and site traffic model of the previously mentioned darknets, I2P (Invisible Internet Project) is more focused on communication from peer to peer.

You can use I2P for everything from chat services to content. You access it by running the I2P software application in the background and using a regular browser. Each message is sent through a layered encryption tunnel, referred to as garlic routing, which only flows one way and expires after 10 minutes.

The communication on I2P is popular among criminals and those trying to circumvent censorship laws alike. Cybercriminals sometimes use the service to communicate about breached data, vulnerabilities or to sell malware; whereas dissidents may use it to speak out and receive unfiltered news.

Freenet

Freenet is another peer-to-peer network that delivers decentralized data without censorship. There are two forms of Freenet: 

  • Opennet, which is available to any user
  • Darknet, which only connects to known contacts who are found through public keys

Similar to ZeroNet, data remains available even after one party disconnects.

Like I2P, Freenet is an application that runs in the background while using existing browsers. This source is popular for “off-network” data storage. Both bad actors and threat researchers find Freenet useful for its ability to privately share large files, but cybercriminals may employ Freenet to deliver illegal and malicious content to verified customers. However, the service was originally used by dissidents to avoid censorship laws.

How do you choose the right dark web service?

So which dark web service should you use? That depends on what you’re looking for.

Here’s a comparison table that highlights various use cases for each dark web service.

| Dark web service | Common use cases | Pros | Cons |
| --- | --- | --- | --- |
| Tor (The Onion Router) | Anonymous browsing, hosting hidden services, communicating securely under surveillance | Provides true anonymity through layered encryption; supports access to .onion sites | Vulnerable to tracking and analytical attacks; used for illegal marketplaces and illicit content; slower performance due to multiple routing layers |
| ZeroNet | Peer-to-peer website hosting and file sharing | Distributed model makes content resilient to takedown; offline access after download; no centralized server | Not anonymous by default; popular among criminal and terrorist groups (e.g., ISIS); potential for misuse due to unregulated hosting |
| I2P (Invisible Internet Project) | Secure peer-to-peer communication and messaging | Anonymity for communications; uses garlic routing (multi-layer encryption tunnels); expiring tunnels increase privacy | Complex setup for casual users; can be used for selling malware and exchanging stolen data; limited to I2P network (not for open web browsing) |
| Freenet | Decentralized file storage and data sharing | Resistant to censorship; supports opennet and darknet modes; enables private large file sharing | Can host illegal content; slower and less user-friendly; may be exploited by criminals for malicious distribution |

How can dark web monitoring be used for OSINT?

Any good investigator may already find themselves among a sea of information and may already be conducting open source intelligence gathering (otherwise known as OSINT, intelligence developed from sources that are free and publicly available). It’s important to remember that the dark web is part of OSINT — there is plenty of information to be found on sites open to anyone looking; however, the webmaster may be looking back.

Investigators need to protect themselves, their organization and their research and control the details they disclose to sites in the course of their investigation. Without proper management of their digital fingerprint, adversaries and investigative targets could use disclosed details to uncover their identity and intent, spoil the investigation or seek retribution.

Additionally, accessing the dark web has its own considerations with regard to internal policies as well as legality. To avoid running afoul of compliance teams, regulators or law enforcement, proper policy and audit capabilities need to be in place, including the ability to track what has been gathered and when.
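
One way to track what has been gathered and when, shown here as an added example rather than code from this article or from any product it mentions: a hash-chained capture log in which each entry commits to the one before it, so later edits are detectable. The analyst ID, case ID and .onion source below are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash value used by the first entry

def entry_digest(entry):
    """Hash every field of an entry except the stored entry_hash itself."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record_capture(log, analyst, case_id, source, content, when=None):
    """Append who gathered what, and when; only a hash of the content is logged."""
    when = when or datetime.now(timezone.utc)
    entry = {
        "seq": len(log),
        "captured_at": when.isoformat(),
        "analyst": analyst,
        "case_id": case_id,
        "source": source,
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_log(log, artifacts=None):
    """Return (seq, problem) pairs; artifacts optionally maps seq -> stored bytes."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            problems.append((i, "chain broken"))
        if entry_digest(entry) != entry["entry_hash"]:
            problems.append((i, "entry altered"))
        if artifacts and i in artifacts:
            if hashlib.sha256(artifacts[i]).hexdigest() != entry["content_sha256"]:
                problems.append((i, "artifact mismatch"))
        prev = entry["entry_hash"]
    return problems

if __name__ == "__main__":
    log = []  # constructed sample captures; the .onion name is a placeholder
    record_capture(log, "analyst-01", "CASE-0001", "http://placeholder.onion/post/1", b"page one")
    record_capture(log, "analyst-01", "CASE-0001", "http://placeholder.onion/post/2", b"page two")
    print(verify_log(log, {0: b"page one", 1: b"page 2 (edited)"}))
```

The chain only proves integrity if the latest entry_hash is also stored somewhere the log's editor cannot rewrite, because anyone able to rewrite the whole log can recompute every hash in it.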

For the best protection when using the dark web, use a purpose-built solution to protect yourself and your company, such as Silo for Research: Dark Web. Proper tools help protect researchers from tipping off investigative targets, track activity and seamlessly integrate with your company’s current IT network and policies.


How to leverage the dark web in online investigations FAQs

What is the dark web used for in investigations?

Investigators use the dark web to uncover information that isn’t available on the surface web. Some investigations take hours or even months of searching through dense evidence and online sources—including dark web forums, file shares or marketplaces—to find valuable intelligence. Following these digital breadcrumbs helps uncover stolen data, threat activity or context that may not appear in traditional OSINT searches.

Which darknet is best for OSINT research?

Each darknet serves a specific purpose for OSINT investigations. Tor is the largest and most widely used for hosting sites, forums, and dark marketplaces. ZeroNet is valuable for content that can’t be taken down, I2P supports encrypted peer-to-peer communication, and Freenet enables decentralized file sharing. The best darknet depends on the type of intelligence you need to collect.

Is it legal to access the dark web for investigations?

Yes, accessing the dark web for legitimate research and investigations is legal when performed within compliance and organizational policies. Investigators should avoid engaging in illegal activity, ensure proper auditing of research activity, and follow internal procedures. Maintaining visibility into what is accessed and when helps meet both legal and regulatory standards.

How can you protect your identity on the dark web?

You can protect your identity by using secure, purpose-built tools that isolate activity and control exposure. Without these safeguards, adversaries could identify who is viewing their content or compromise an investigation. For example, Silo enables analysts to safely access dark web sources, preserve anonymity and automatically record activity for compliance and accountability.

What tools should you use for dark web research?

To safely and efficiently gather dark web intelligence, you should use a managed research platform such as Silo. It provides controlled, anonymous access, integrates with IT and compliance policies and tracks all actions for audit purposes. Using specialized tools helps investigators protect their organization while gathering verifiable intelligence from high-risk online sources.
