OSINT: The Key to Dark Web Investigations for Law Enforcement 

By Stuart Clarke

Person analysing data

    Get the latest news and insights sent straight to your inbox

    The dark web has gained widespread notoriety in recent times, with increased scrutiny on surface web activities appearing to drive an influx of new users, including sellers of illicit goods. It now functions as a segment of the internet where criminal networks can operate more openly, and terrorist networks can keep their communications secure. 

    Law enforcement agencies are increasingly concentrating efforts onto disrupting these markets. Yet the ease with which new websites and forums can be created, and the sheer scale of dark web criminality can limit their success. Identifying the people and networks behind these crimes is key to effective prevention.  

    This is where Open Source Intelligence (OSINT) plays a key role: usernames, contact details and conversations on dark web forums can all be exploited by law enforcement investigators.  In this article, we will explore the challenges and opportunities associated with using dark web investigations for law enforcement, and explore best practices for doing so.

    Suggested reading: If you’re interested in learning about  open source investigation best practices, check out our free eBook — The OSINT Handbook for Law Enforcement

    What is the dark web?

    The dark web originated from a 1990s US Naval Research Laboratory funded attempt to protect intelligence communications by routing traffic via a network of multiple relays known as The Onion Routing (Tor) Project. Since then, Tor has been backed by numerous organisations and institutions, including Human Rights Watch, Facebook, and Google.  

    Despite this, the term ‘dark web’ still implies some kind of illicit activity for many, and some of the content you can find on the dark web certainly helps it live up to this reputation: 

    • Around 50,000 terrorist networks communicate on the dark web, including ISIS, who spread propaganda on .onion forums ahead of the 2015 Paris terrorist attacks. 
    • Approximately 57% of dark web sites contain illegal content1. Personal information and sensitive data, including debit and credit card numbers, can be sold for as little as $152
    • Illicit drugs dominate dark web markets, comprising around 48% of listings3
    New call-to-action

    Is the dark web secure?

    It’s a common misconception that accessing content via a dark web browser like Tor provides instant security and anonymity. The Tor Browser is robust, but sites on the dark web are unregulated, meaning that it’s easy to download malware and viruses accidentally.    Appropriate precautions when browsing web pages on the dark web can include: 

    • Using a VPN: The first threat to dark web browsing lies at the entry node. Employing a Virtual Private Network (VPN) ensures that traffic heading from the computer to the entry node is encrypted upon arrival. This prevents the entry node from seeing the connecting device’s IP address. 
    • Staying up to date: Tor is constantly updated, and older versions are easier to track. If you are using Tor for OSINT purposes, ensure it’s up-to-date before each session. 
    New call-to-action

    Dark web opportunities in OSINT investigations 

    In recent years the dark web has become one of the richest sources of insight into illicit networks and criminal activity for OSINT investigations. Let’s take a look at some opportunities the dark web provides within investigations: 

    • Understanding large criminal networks: As stolen or illicit goods are more easily sold on the dark web, often using cryptocurrencies, criminal networks are likely have a substantial footprint there. Investigators can map out likely connections between both users and goods, forming an understand of how networks operate so they are better equipped to combat criminals. 
    • Identifying individuals:  The implied safety of the dark web offers a seemingly safe haven for criminals to operate, but poor user habits can lead to accidental self-identification. For example, a dark web forum user might use the same username published on social networks, or their language, terminology, or profile picture might match surface web profiles. 
    • Monitoring trends in illicit activities:  Dark web forums, marketplaces, and messaging services are easily accessible, providing a straightforward means of monitoring users and discussions. Investigators can therefore utilise dark web sites to uncover a rich account of contemporary trends in drug dealing, financial crime, firearms sales and even human and wildlife trafficking. 
    • Evaluating existing leads:  It’s possible to evaluate leads using dark web whistleblowing resources, including GlobaLeaks, Independent Media Center and other services operated by the Associated Whistleblowing Press. This also provides an opportunity to corroborate or disprove information found on the surface web. 

    Dark web challenges in OSINT investigations

    Dark web challenges in OSINT investigations

    Despite the potential for utilising the dark web for optimised threat intelligence and investigations, it’s crucial to first understand the challenges that dark web data searches and mining present to investigators: 

    • Poorly structured and hard to search:  The dark web is not indexed by surface web search engines like Google, but is explorable via specialist dark web search engines, though these are generally slow and cumbersome. Dark web addresses are often changed to make them challenging to trace. 
    • Storing and tracking evidence: Criminals trying to evade detection have been found to be creating then deleting small-scale sites4, meaning that evidence can vanish quickly. Tracking every source and screenshotting findings manually is time-consuming and error-prone, running the risk that important evidence is lost.  
    • Browser fingerprinting:  Browser fingerprinting is a tracking technique that subverts onion routing security. While it might be nearly impossible to track users via their traffic, browser fingerprinting aims to identify users by the unique properties of their browser and machine. Tor is designed to protect against fingerprinting by blocking scripts, utilising the same default fallback fonts in every browser and blocking WebGL and the Canvas API, thus making it tricky to differentiate one browser from another. Nevertheless, The Tor Project admits that opportunities to identify users via their Tor browser fingerprint are inevitable. 
    • Avoiding human error:  Researchers are prone to human error in the same way that dark web users might reveal their own identities. While OSINT investigators will be able to apply their existing skills to dark web searches, it’s essential to be careful about what evidence is left behind. This is particularly true when it comes to exhaustive OSINT operations, which may leave researchers weary and more prone to error.  
    • Exposure to illegal or traumatic material:  Web pages on the dark web host vast quantities of illegal and potentially traumatic material, most of which is purposefully uncensored or unmoderated. This introduces a legal and ethical dilemma — researchers need to develop strategies that moderate or triage certain content so they can access it at arm’s length. 

    Make the most of the dark web with Videris

    Information on the dark web can be crucial to ensuring successful investigative outcomes. Unfortunately, the logistical and security challenges of using the dark web in investigations are difficult to overcome using manual techniques. That’s where leading OSINT tools come in. 

    Our OSINT platform, Videris, provides secure, seamless access across the internet. Rather than working through Tor, Videris pulls data from the surface, deep and dark web into one secure ecosystem. This accelerates the OSINT gathering process and provides the detail required for modern investigations.  

    Videris comes with a wide range of functionality that can help expedite criminal investigations, including: 

    • Videris Search pulls back data from diverse sources across the surface, deep and dark web. Filtering and categorisation helps investigators cut through noise, ensuring that they can get to the information they need fast.  
    • Interactive network mapping helps investigators to understand networks at speed by automatically presenting social networks and organisational structures in clear, intuitive charts or graphs.  
    • Cross-matching tools highlight hard-to-spot links between seemingly disparate sources, empowering researchers with incisive decision-making. 
    • Automated sourcing captures the source of any information brought into the investigation automatically, helping investigators to avoid error-prone manual sourcing. Every step of the investigation is also logged to ensure investigation transparency and consistency.  

    Furthermore, Videris facilitates ethical investigations by blocking the distressing images that investigators may come across when conducting these kinds of investigations on the dark web.  

    Hosted securely in the cloud or a standalone corporate network, Videris integrates seamlessly into your current infrastructure. Book a demo with Blackdot today and explore how Videris can help you overcome the challenges of using dark web data in investigations. 

    New call-to-action

    1Terrorist Migration to the Dark Web

    2ID Agent – Are Your Passwords Safe?

    3Statista – Darknet Markets

    More insights