
Tradecraft Training Q&A: How to Use the Dark Web for Your Investigations

In the recent Tradecraft Training: How to Use the Dark Web for Your Investigations, we addressed the basics of the dark web and precautions when venturing out into its murky depths.

During the webinar, we received many interesting questions and comments — too many to answer during the live training. Several attendees asked for more training for online investigators. We love sharing our knowledge and best practices with the online research community!

If you are interested in additional training resources, we invite you to take a look at Authentic8 OSINT Academy – a collection of online training resources, designed to help analysts learn new skills and techniques. Also, keep an eye on our events page — we have dark web training scheduled for April and June and registration will open soon.

If you missed the webinar, or want to share it with a colleague, you can register here for access.


Q&A from the Webinar

Do VPN and private browsing protect your identity?

While a VPN is a good place to start, it doesn’t offer complete protection because the web code is still executing directly on your machine, and the VPN service can still lead an adversary back to you, your organization, and your network. Similarly, when using private browsing (incognito mode), search engines can still track your activity through canvas fingerprinting, ETags, or tracking a mobile phone across multiple contexts using the Battery Status API. There’s an excellent blog on what is and isn’t concealed by VPN and private browsing — check it out!

If you want to learn more about your browser fingerprint and managed attribution, check out the upcoming webinar: Naked & Exposed: Stop Investigating Online Without Managed Attribution.

Does using Google search maintain a history while on the dark web?

If using the Silo for Research browser, a fresh disposable browsing session is started each time you use the application. This allows you to safely access the dark web with no persistent tracking mechanisms. However, if you sign into a service (such as Google), activity on that service would be associated with your account.

Here’s the link to the Twitter feed for Rakesh Krishnan that we mentioned during the training. Rakesh describes himself as the person who “sheds light on the dark web”, and has lots of useful information for investigators.

Authentic8 is prohibited from offering you legal advice. Please consult your attorney or your organization’s attorney for legal advice.

With respect to the utility of viewing leaked or stolen data, investigators frequently gain useful insights from reviewing data that was obtained as a result of a compromise or fraud. Knowing what specific information was stolen as a result of a breach or leak could help with incident investigation; a list of stolen usernames and email addresses could help reveal which user accounts have been compromised and offer additional views into criminals’ motives and methods.

With respect to the utility of analyzing crypto exchanges, they can be a great tool for tracking specific transactions. If you have a cryptocurrency wallet address, you can run it through a blockchain search tool to follow the wallet’s incoming and outgoing transactions.

Additionally, you might review Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources, published by the Department of Justice Cybersecurity Unit.

Is all web content sandboxed inside Silo for Research?

Yes! Silo for Research creates an impenetrable isolation layer between users and the web, delivering a remote browser session that keeps web code from reaching the environment or end device.

Do I need a different computer (other than my normal workstation) to use Silo for Research?

No! Silo for Research can be installed as a web browser application on your current computer, or can be accessed via a legacy web browser without any installation or changes to the endpoint. Silo’s isolation technology conveniently allows use of your existing computer to safely access needed web content without attribution.

Silo uses managed attribution to allow researchers to spoof their location, manipulate their hardware and software fingerprints, and to collect, annotate and securely store internet-based data – even on the dark web – without exposing their devices and networks to potential malware traps or revealing their intent. No need to maintain a separate infrastructure or “dirty” networks – once the session is closed, Silo safely disposes of all potentially dangerous content.

Can a site visited using Silo for Research detect that an investigative browser is being used?

Silo for Research gives investigators the appearance of being an ordinary, everyday internet user. Nothing distinguishes an investigator from a person using a traditional internet service or a regular commercial browser.

Is there any way to connect Maltego through Silo?

If Maltego is a web app or an add-on through Firefox, we can definitely add it to Silo. For specifics, we recommend contacting the Authentic8 support team – our engineers can walk you through linking other services to Silo to support analysts’ specific workflows.

How do I get more information about Silo for Research?

The easiest way is to request a demo. If you want to see Silo for Research in action, request a demo, and we’ll be in touch.

*** This is a Security Bloggers Network syndicated blog from Authentic8 Blog authored by A8 Team. Read the original post at: https://blog.authentic8.com/tradecraft-training-q-a-how-to-use-the-dark-web-for-your-investigations/
