Dark Web Tor Forensics

Tor forensics is the investigation of activity conducted over the Tor network: establishing that a Tor client was run on a device, recovering the .onion services it contacted, and analyzing the on-disk, in-memory and network artifacts that anonymized browsing leaves behind. Tor Browser is designed to leave as little on disk as possible, so much of the evidence lives in memory and in OS-level execution traces rather than in the browser profile.

Techniques & Tools:

  1. Preserve Evidence
    - Acquire volatile memory before powering the device down: Tor keeps circuit state, the relay consensus and recently visited .onion addresses in RAM, and most of it is gone after a reboot. Then image disks and collect network captures and logs, hashing every acquisition.
    - Tools: FTK Imager, Belkasoft Evidence Center.
  2. Identify Tor Artifacts
    - Look for the Tor Browser installation directory, its configuration (torrc) and state file, and OS-level execution traces (Windows Prefetch, UserAssist, shellbags, jump lists, recent-documents entries). By default Tor Browser runs in permanent private-browsing mode and writes no history or cookies to disk, so .onion domains found in browsing history usually come from a non-Tor browser or from memory, not from Tor Browser's own profile.
    - Tools: Browser History Viewer, Tor Browser Examiner.
  3. Analyze Network Traffic
    - Tor traffic is TLS-encrypted, so content is not recoverable from a capture; identification relies on metadata. Match destination IP:port pairs against the Tor relay consensus that was valid at capture time (guard relays are the entry point), look for connections to the directory authorities, and remember that bridges and pluggable transports such as obfs4 are deliberately absent from the public relay list.
    - Tools: Wireshark, NetworkMiner.
  4. Analyze Hidden Services
    - Enumerate and validate recovered .onion addresses (v3 addresses are 56 base32 characters with an embedded checksum; 16-character v2 addresses are retired but may survive in old artifacts), then fingerprint live services for misconfigurations and information leaks.
    - Tools: OnionScan, Ahmia.
  5. Perform OS and Memory Forensics
    - Capture RAM and carve it for the tor and Tor Browser (Firefox-based) processes, .onion strings, circuit and consensus data, and TLS session keys.
    - Tools: Volatility, Magnet RAM Capture.
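The two checks that steps 2 to 5 keep coming back to, matching observed connections against the relay consensus and validating .onion addresses carved from disk or memory, are shown below as an added example. This is illustration code written for this page, not part of the original text or of any of the tools it lists. The consensus excerpt, connection records, public key and strings-dump fragment are all constructed (documentation IP ranges, a dummy key); only the v3 address layout and checksum construction follow the Tor specification.

```python
"""Tor triage helpers: relay matching for step 3 and .onion address extraction
and validation for steps 2, 4 and 5. All data below is constructed; no real
relays, keys or captures are involved."""
import base64
import hashlib
import re

# Constructed excerpt in the format of Tor consensus router lines:
#   r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
# IPs are from documentation ranges and the relays do not exist.
CONSENSUS = """\
r guardA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-01-01 00:00:00 192.0.2.10 9001 9030
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2024-01-01 00:00:00 198.51.100.7 443 0
"""

# Constructed connection records (src IP, dst IP, dst port), as exported from a firewall log.
CONNECTIONS = [
    ("10.0.0.5", "192.0.2.10", 9001),   # hits guardA's ORPort
    ("10.0.0.5", "203.0.113.9", 443),   # ordinary HTTPS, not a relay
    ("10.0.0.7", "198.51.100.7", 443),  # hits relayB, which listens on 443
]


def parse_consensus(text):
    """Map (IP, ORPort) -> nickname for every 'r' line in a consensus document."""
    relays = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 9 and fields[0] == "r":
            relays[(fields[6], int(fields[7]))] = fields[1]
    return relays


def tor_connections(conns, relays):
    """Return connections whose destination matches a relay ORPort from the consensus."""
    return [(src, dst, port, relays[(dst, port)])
            for src, dst, port in conns if (dst, port) in relays]


# v3 onion address: base32(pubkey[32] || checksum[2] || version[1]) = 56 chars.
ONION_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b", re.IGNORECASE)


def onion_v3_checksum(pubkey):
    """checksum = SHA3-256(".onion checksum" || pubkey || version)[:2], per rend-spec-v3."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]


def encode_onion_v3(pubkey):
    """Build the .onion address for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode().lower() + ".onion"


def valid_onion_v3(address):
    """True only if the address decodes, carries version 3 and its checksum verifies."""
    label = address.lower()
    if not label.endswith(".onion") or len(label) != 62:
        return False
    try:
        raw = base64.b32decode(label[:-6].upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == b"\x03" and checksum == onion_v3_checksum(pubkey)


def find_onion_addresses(text):
    """Candidate addresses from a strings dump, each paired with its checksum verdict."""
    return [(m.group(0).lower(), valid_onion_v3(m.group(0)))
            for m in ONION_RE.finditer(text)]


# Constructed key and strings-dump fragment; the second address has one character
# altered so its checksum fails, the way a corrupted carve or a typo would.
SAMPLE_PUBKEY = bytes(range(32))
VALID_ONION = encode_onion_v3(SAMPLE_PUBKEY)
BOGUS_ONION = ("b" if VALID_ONION[0] != "b" else "c") + VALID_ONION[1:]
STRINGS_DUMP = f"GET /login HTTP/1.1 Host: {VALID_ONION}\x00junk {BOGUS_ONION} more junk"

if __name__ == "__main__":
    for src, dst, port, nick in tor_connections(CONNECTIONS, parse_consensus(CONSENSUS)):
        print(f"{src} -> {dst}:{port} is Tor relay {nick}")
    for addr, ok in find_onion_addresses(STRINGS_DUMP):
        print(f"{addr}: {'checksum OK' if ok else 'checksum FAILED'}")
```

Two caveats when running this against real data. The consensus must be the one published during the capture window, since relays churn daily and an IP that is a guard today may not have been one a month ago; cached consensus documents in the suspect's own Tor data directory are often the best source. And a clean match list is evidence of a Tor client, not of what was done over it: bridges and pluggable transports never appear in the public consensus, so an empty match list does not exclude Tor use. The checksum test is what separates a genuine v3 address from a 56-character base32 run that happens to precede ".onion" in a memory image; it does not cover retired 16-character v2 addresses.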