What is the dark web, and how does it differ from the internet most of us use every day? Which darknet should I use for my investigation? And how can I access it safely?
The dark web is an area of the internet only available via software clients. It is most notoriously known for the illegal activity it sometimes facilitates. However, there are practical uses for its existence as well, and industry professionals can benefit from becoming familiar with the crucial information that may be lurking there.
The dark web allows users to have encrypted, private access to information, websites and marketplaces. It cannot be found by search engines and requires specific software to access. The peer-to-peer sharing model allows for decentralization and anonymity among users and content publishers.
Perhaps best known for its association with criminal activity, platforms such as The Silk Road have become infamous for their use of the dark web in the illegal drug trade. But there are less nefarious reasons to access the encrypted dark web. In many countries it allows demonstrators to subvert authoritarian regimes and provides a free and open internet model that can evade censorship and provide privacy.
The sites that make up the dark web are similar in content and style to the surface web, or the internet most people are familiar with, but the traffic is routed and shared differently, making it more difficult to shut down or find the original sources of content.
For investigators, it can hold crucial information that would be otherwise inaccessible. To acquire these datasets, it is important to understand each area of the web, the different clients available to use them and what precautions should be taken before diving in.
The internet most of us use daily is what’s known as the open web or surface web. It is the traditional format of the web, composed of open pages easily accessed by search engines on any browser.
The deep web is the next layer of internet information. These are sites that require login or subscription services, such as academic journals, court record databases or even services like Netflix. The deep web has some barriers to accessibility while being adjacent to the surface web and is typically accessed via the same browsers.
The dark web is the area of the internet that can only be accessed by using specific software. There are different versions available, from the most well-known, such as The Onion Router (most commonly known as Tor), to the lesser used, such as Freenet.
Of all internet traffic, the dark web makes up only a very small share. But to leave the information past the surface web untouched is to miss out on information that could prove to be essential.
To access the dark web, special software or a client is needed. Each version of the dark web provides its own dataset, its own encryption services and its own risks for those attempting to access it.
Tor, The Onion Router
The most commonly used darknet service is Tor (pronounced /tôr/). It stands for The Onion Router, developed by the U.S. Naval Research Laboratory in 2002. It was created to provide layers of encryption (hence the reference to onions) in order to anonymize communication between intelligence professionals.
By diverting traffic through multiple nodes on its way to the client, the originator of files and sites can be hidden, making them more difficult to trace. The multi-layered encryption gives anonymity to its users and service providers alike. Many sites are given a random-looking address that ends in .onion. However, as with any browser, there are still ways to track activity, and hacking risks remain.
In Tor, the biggest weakness is the hop between the exit node and the destination site. Tor's own encryption ends at the exit node, so traffic on that last leg is unencrypted unless the destination itself uses HTTPS, and this exposure presents a vulnerability to users.
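To make the exit-node point concrete, here is an added toy simulation of a three-hop onion circuit; it is not code from the original article or from the Tor project, and it assumes a constructed XOR stream cipher plus hypothetical relay names and keys. It shows that each relay learns only the next hop, and that the exit relay sees the payload in the clear unless the client and the site share their own HTTPS-like key.

```python
import hashlib

# Constructed toy stream cipher for illustration only: SHA-256 in counter mode,
# XORed with the data (XOR twice with the same key decrypts). Tor itself uses
# real ciphers and a per-hop key handshake; none of that is modelled here.
def xor_stream(key: bytes, data: bytes) -> bytes:
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# Hypothetical three-relay circuit. Each relay holds one key shared with the
# client; no relay knows the other relays' keys.
CIRCUIT = ["guard", "middle", "exit"]
RELAY_KEYS = {"guard": b"k-guard", "middle": b"k-middle", "exit": b"k-exit"}
SITE_KEY = b"k-site"  # stands in for a TLS session key known only to client and site

def build_onion(payload: bytes, destination: str) -> bytes:
    """Client side: one encryption layer per relay, innermost layer for the exit."""
    hops = list(zip(CIRCUIT, CIRCUIT[1:] + [destination]))  # (relay, where it forwards)
    cell = payload
    for relay, next_hop in reversed(hops):
        cell = xor_stream(RELAY_KEYS[relay], next_hop.encode() + b"|" + cell)
    return cell

def peel(relay: str, cell: bytes) -> tuple[str, bytes]:
    """Relay side: strip its own layer, learning only the next hop and the remainder."""
    plain = xor_stream(RELAY_KEYS[relay], cell)
    next_hop, _, body = plain.partition(b"|")
    return next_hop.decode(), body

def observe(payload: bytes, destination: str, end_to_end: bool) -> dict[str, bytes]:
    """Run a cell through the circuit and record what each relay sees leaving it."""
    if end_to_end:
        payload = xor_stream(SITE_KEY, payload)  # HTTPS-like layer no relay can remove
    cell = build_onion(payload, destination)
    seen = {}
    for relay in CIRCUIT:
        _next_hop, cell = peel(relay, cell)
        seen[relay] = cell
    return seen

def exit_sees_plaintext(payload: bytes, destination: str, end_to_end: bool) -> bool:
    """True when the exit relay could read the request as the client wrote it."""
    return observe(payload, destination, end_to_end)["exit"] == payload
```

Run `observe(b"GET /login user=alice", "example.org", False)` and compare the exit entry with the `end_to_end=True` case to see the difference the final leg makes.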
Lesser known darknets include ZeroNet, a peer-to-peer-based web hosting model developed in 2015 that doesn’t use IP addresses or domains for websites. Sites are not hosted via a typical service and can only be accessed by public key. It makes sites free to create and share and almost impossible to shut down.
To access ZeroNet, you can use a regular browser with the application running in the background. Information from it can also be downloaded and made available offline. The content is made available via BitTorrent, which shares bits of information across many peers, each one hosting a piece of the information needed. By distributing the information through many hosts, it becomes nearly impossible to track down or scrub all of the pieces of content from the web. Each peer can then reshare and distribute the content itself once it has downloaded it.
Unlike Tor, ZeroNet is not anonymous.
I2P, Invisible Internet Project
Another network is I2P, or the “Invisible Internet Project,” released in 2003. Unlike the previous two, which are geared toward websites and file sharing, I2P focuses most heavily on encrypting communication between users. Unlike Tor, it encrypts via a peer-to-peer model rather than a single circuit.
Access to I2P uses a browser and an application running in the background. It provides untraceable communication by establishing one-way tunnels through peers. Each client becomes a node in a tunnel, and tunnels expire after 10 minutes. The system is referred to as “garlic routing.” The one-way messages are encrypted for recipients, as are their delivery instructions.
Freenet is another peer-to-peer network for sharing decentralized data, created in 2000. It is used in two modes: the “opennet” connects to any user, while the “darknet” connects only to friends. Connecting only to known contacts provides a higher degree of trust than other software.
Access is through a local web application, and content is retrieved by key. While it was originally used by dissidents to circumvent censorship laws, it is now popularly used by cyber criminals to offload stolen and malicious content.
In the opennet, traffic is routed via the closest nodes to create efficient routing. In the darknet, routes are set up manually and only trusted parties know your node’s IP address. The inconvenience of the darknet infrastructure is outweighed by the security it provides. In this system, information stays available after the publisher has disconnected.
Each of these darknet services can benefit investigators. They can help to evaluate leads, corroborate or disprove information and track data leaks. They can also provide context of how criminal marketplaces are operating and what tactics are being used to commit hacks and fraud.
Many hackers discuss trade secrets in dark web forums. This information can help mitigate cyberthreats before they are committed or be used to recover leaked data from a breach. They may also post leaked passwords and accounts or sales of hacked devices. Financial crimes are often the subject of posts too. Stolen online bank account access or credit cards may be traced on the dark web.
When tips come in, following them in all places they lead may necessitate dark web access and help gain information on how bad actors operate.
Despite the benefits, many may have reasonable doubts and concerns about accessing the dark web. While accessing it is not illegal per se, it is important to take steps to mitigate any risks or potential legal threats, especially when entering areas of the dark web where illegal activity is being conducted.
First, develop processes and procedures for your company and any employees who may be utilizing the dark web for their research. Be sure to consult your company’s legal counsel in this step, as they will have the best guidance for your circumstances and organization.
Since dark web marketplaces or forums are often monitored by law enforcement, it can be difficult to distinguish between criminal actors and good faith investigators. Avoid implications or attributions by having a plan. Be sure to document your plan of operation before gathering information or accessing a criminal forum. Maintain a complete record of activities while on the dark web and have a policy in place for “rules of engagement” when on sites where criminal activity may occur.
For more resources on the legality of dark web access, consult Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources by the United States Department of Justice.
Other risks concern the security of investigators and their machines. While the dark web’s purpose is to provide some anonymity, there are still risks of malicious content or attribution when accessing it. The safest way to gain access is by using a secure cyber service product.
Each dark web service can be accessed via self-installed software from the services themselves. However, that software may expose you to malicious content or attribution, or conflict with your company’s IT or security policies.
When accessing via a secure client, such as Silo for Research, the product allows you full access through an easy-to-use service that works in sync with your company’s IT security and compliance. There are security controls in place and built-in auditing.