Online anonymity means keeping the identity of the communicating parties hidden. Online privacy is therefore more than encrypting and decrypting data; it also includes concealing who is talking to whom. The Dark Web is the part of the Internet that offers the highest levels of anonymity and security and, unlike the normal web, it requires specialised access software. It has been called the "Evil Twin of the Internet" because more than 57 percent of its content has been found to be unlawful.
3. DISCLAIMER
The views expressed in this presentation are for educational and research purposes only and may be controversial. Do not attempt to violate the law with anything contained here. Neither the author of this material nor anyone else affiliated with it in any way is liable for your actions.
The purpose of this presentation is to share and discuss knowledge and experience of what is happening in the cyber world.
Thank You!
DarkWeb Forensics : Overview
4. The Technology World Always has the Sharpest Brains...
There are equally sharp minds, working against you…
Src : Securus First
D3PAK KUMAR (D3)
DIGITAL FORENSICS | CYBER INTELLIGENCE
5. CYBER OF THINGS : EVERYTHING IS DIGITAL
The "C" factor: cyber crime, cyber security and cyber terrorism are all interrelated.
6. CYBER RELATED CRIMES
• Online financial frauds
• Social media related
• Data breaches
• Ransomware
• Online phishing
• Hacking, sabotaging
• Eavesdropping & surveillance
• Crypto-related / MLM
• Dark Web related, illegal goods
7. Some Biggest Data Breaches (India/International)
Target, iCloud, Anthem, Ubisoft, Gaana, OPM, Ashley Madison, eBay, Adobe
• Personally Identifiable Information (PII) and intellectual property (IP) are the top targets
• 205 days on average to discover a breach, and most breaches are discovered by third parties
8. CRITICAL INFORMATION INFRASTRUCTURES (CII)
Critical infrastructure is a term used by governments to describe assets that are essential for the functioning of a society and economy. Most commonly associated with the term are facilities for: education, water, defence, telecommunication, financial services, government, hospitals, industry, energy and transportation.
• Amateurs hack systems, professionals hack people. — Bruce Schneier
• Don't assume that you're not a target. Draw up battle plans. Learn from the mistakes of others.
10. KNOW THE WEB
11. Understand the Masala under Cyber Market
According to research collated from TorStatus, TechRepublic, WIRED, the Intelliagg report, SecureWorks reports and BBC iWonder, the activity discovered on the dark web breaks down as follows:
File sharing - 29%
Leaked data selling - 28%
Financial fraud - 12%
News and media - 10%
Promotion of illegal items - 6%
Discussion forums - 5%
Drug selling - 4%
Internet and computing use by ordinary Dark Web visitors (excluding criminals, who are only random or occasional visitors) - 3%
Hacking - 3%
Selling of weapons - 0.3%
12. Cyber-Crime Tools Used
• Operators in the Deep Web and Dark Web use tools which ensure the anonymity of their identity, location, transactions and payments.
• The Onion Router (Tor) network is a special network of computers distributed around the Internet; it provides anonymous browsing and access to onion services ("hidden services"), which are identified by *.onion addresses rather than by IP addresses. https://www.torproject.org
• Freenet and ZeroNet are peer-to-peer (P2P) platforms for censorship-resistant publishing and communication. Freenet: https://freenetproject.org, ZeroNet: https://zeronet.io
• The Invisible Internet Project (I2P) is a fully encrypted private network layer. https://geti2p.net/en
• Bitcoin is often described as "cash" in cyberspace, but it is pseudonymous rather than anonymous: the system identifies payer and payee only by addresses (hashes of public keys), yet every transaction is recorded on a public ledger, so once an address is tied to a person its entire history can be traced. Bitcoins can be converted to cash in currencies across the world, which makes them a convenient means of stashing and transferring money.
13. Crooks are smarter – and now it’s cheaper than ever!
They can buy malware, attack kits, and even ‘Crimeware-as-a-Service’!
It's as cheap as…
Drive-by download toolkit rental: $100/week
Credit card details: $0.50/card
DDoS attacks: $10/day
Stolen gaming accounts: $10 each
Verified spam email blasts: $70/million
• The Union Cabinet of India has already approved the 'Smart Cities Mission', with an outlay of ₹48,000 crore, under which 100 new 'Smart Cities' would be developed.
14. Cyber-Crime Market Prices
Src : Trend Micro
• Is the Black market illegal?
• A black market or underground economy is the market in which goods or services are traded illegally. The key distinction of a black market trade is that the transaction itself is illegal. The goods
or services may or may not themselves be illegal to own, or to trade through other, legal channels.
15. Drug dealers were selling COVID vaccines on the Darkweb
"Multiple vendors on the darknet who appeared to be selling doses of the Pfizer/BioNTech vaccine to global customers for as much as $1,300 a piece," wrote Gavin Butler. Source: VICE World News
This threat actor was offering a COVID-19 vaccine on the underground for $250, with overnight delivery in the USA. Source: Sixgill
17. WEB INTELLIGENCE (WEBINT)
Sources: surface web, Tor (The Onion Router), I2P (Invisible Internet Project), Freenet
[Figure: expert team, TTP-aware, profiled syndicate]
18. Stamped CYBER Market & Forums
Sites like Silk Road and DarkMarket operated in the Deep Web / Dark Web offering illegal services.
• Silk Road provided a platform for drug dealers around the world to sell narcotics through the Internet
• 950,000+ registered users
• Taken down in Sep 2013
• DarkMarket facilitated the buying and selling of stolen financial information
• Had 2,500+ members
• Taken down in 2010
Several collaborative operations by international agencies and organisations have targeted markets such as AlphaBay, Hansa and Dream Market.
• Ross Ulbricht advertised Silk Road on a bitcoin forum, a breakthrough discovered by a tax investigator using Google
• Variety Jones, a major player on Silk Road, was outed as Roger Thomas Clark when his identity was discovered on an old cannabis forum
• David Ryan Burchard attempted to trademark, in his own name, the brand of marijuana he sold on the dark web
28. Footprints artifacts cont..
Registry details found during a live triage keyword search.
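A keyword search during live triage (slide 28) usually turns up *.onion strings in browser history, registry paths, clipboard dumps and bookmarks, and slide 12 explains that onion services are identified by such addresses. The helper below is an added example, not the author's tooling: it extracts candidate .onion addresses from captured text, tells legacy 16-character (v2) forms from 56-character (v3) forms, and verifies the v3 checksum per Tor's rend-spec-v3, so that a typo, a truncated string or a look-alike decoy is not recorded as a live indicator. The artifact text and the 32-byte public key are constructed for the example and belong to no real service.

```python
"""Triage helper: pull .onion addresses out of captured artifacts and check them.

Added example for the 'Cyber-Crime Tools Used' and 'Footprints artifacts' slides;
it is not the author's tooling. The artifact text and the public key below are
constructed for the example. v3 layout per the Tor rend-spec-v3:
    onion    = base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion"
    CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2],  VERSION = 0x03
"""
import base64
import hashlib
import re

V3_VERSION = b"\x03"
# 56-char (v3) or 16-char (legacy v2) base32 label followed by .onion
ONION_RE = re.compile(r"\b([a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)


def _v3_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def make_v3_onion(pubkey: bytes) -> str:
    """Build a v3 onion address from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(addr: str) -> str:
    """Return 'v3' (checksum verified), 'v2' (legacy form, no checksum) or 'invalid'."""
    label = addr.lower().removesuffix(".onion")
    if re.fullmatch(r"[a-z2-7]{16}", label):
        return "v2"  # 80-bit RSA-based form; deprecated by Tor since 2021
    if not re.fullmatch(r"[a-z2-7]{56}", label):
        return "invalid"
    raw = base64.b32decode(label, casefold=True)  # 56 chars -> 35 bytes, no padding needed
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION or checksum != _v3_checksum(pubkey):
        return "invalid"  # typo, truncation or a deliberate look-alike string
    return "v3"


def extract_onions(text: str) -> dict[str, str]:
    """Map every distinct .onion string found in the text to its classification."""
    return {m.group(0).lower(): classify_onion(m.group(0)) for m in ONION_RE.finditer(text)}


# --- constructed sample data (not real evidence, not a real service) ---
CONSTRUCTED_PUBKEY = bytes(range(32))
GOOD_V3 = make_v3_onion(CONSTRUCTED_PUBKEY)
# Every v3 address ends in 'd': the last base32 char carries the low five bits of VERSION=3.
BROKEN_V3 = GOOD_V3[:-7] + "a.onion"
SAMPLE_ARTIFACT = f"""\
[registry] HKCU\\Software\\Mozilla\\Firefox\\Profiles (constructed Tor Browser profile path)
[places.sqlite] http://{GOOD_V3}/market/login
[history] http://exampleonion2345.onion/forum
[clipboard] {BROKEN_V3}
"""

if __name__ == "__main__":
    for address, kind in extract_onions(SAMPLE_ARTIFACT).items():
        print(f"{kind:8} {address}")
```

The checksum check is what makes the difference in a report: a v3 string that fails it cannot belong to any service, so it is noise (or bait) rather than an indicator, while a v2 string can only be recorded as a legacy form since Tor no longer resolves those.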
29. Investigation HUMINT
• An onion service may have an associated SSL/TLS certificate (certificate details such as the common name or serial can be pivoted on)
• Searching Shodan for hidden services
• Checking an IP address for Tor usage, e.g. with ExoneraTor
• Directory listings and exposed Apache mod_status pages
• Website source code and exposed configuration files (.conf)
• Verbose server signatures (version tokens) and error pages
• Badly configured services
• Reverse domain lookups
• Metadata analysis of images and video; keyword search
• …
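The ExoneraTor check in the list above answers one question: was this IP a Tor exit at the time of the event? The script below is an added example, not the author's tooling, that runs the same lookup offline against a snapshot in the format Tor publishes at https://check.torproject.org/exit-addresses and annotates Apache-style access-log lines with the result. The exit-list snippet, the fingerprints, the log lines and the timestamps are all constructed for the example (IPs from documentation ranges); the time window is an assumption that mirrors ExoneraTor's day-granularity matching, and the fourth log line shows why the window matters.

```python
"""Offline check of web-server log source IPs against a Tor exit-list snapshot.

Added example for the 'Investigation HUMINT' slide (checking an IP address for Tor
usage, as ExoneraTor does); it is not the author's tooling. ExoneraTor is queried
online; here the same lookup runs offline against a constructed snippet in the
format of https://check.torproject.org/exit-addresses plus constructed Apache-style
log lines. Fingerprints, IPs (documentation ranges) and timestamps are made up.
"""
from datetime import datetime, timedelta, timezone
import re

EXIT_LIST = """\
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2023-03-01 10:00:00
LastStatus 2023-03-01 11:00:00
ExitAddress 198.51.100.23 2023-03-01 11:05:12
ExitAddress 198.51.100.24 2023-02-20 08:00:00
ExitNode FEDCBA9876543210FEDCBA9876543210FEDCBA98
Published 2023-03-01 09:30:00
LastStatus 2023-03-01 11:00:00
ExitAddress 203.0.113.7 2023-03-01 10:59:00
"""

ACCESS_LOG = """\
198.51.100.23 - - [01/Mar/2023:11:30:01 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.55 - - [01/Mar/2023:11:31:44 +0000] "GET /admin HTTP/1.1" 403 220
203.0.113.7 - - [01/Mar/2023:11:32:09 +0000] "GET /.git/config HTTP/1.1" 404 310
198.51.100.24 - - [01/Mar/2023:11:33:00 +0000] "GET / HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_exit_list(text: str) -> dict[str, list[tuple[str, datetime]]]:
    """Map each exit IP to the (fingerprint, last-seen UTC) records that used it."""
    exits: dict[str, list[tuple[str, datetime]]] = {}
    fingerprint = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif parts[0] == "ExitAddress" and fingerprint:
            seen = datetime.strptime(f"{parts[2]} {parts[3]}", "%Y-%m-%d %H:%M:%S")
            exits.setdefault(parts[1], []).append((fingerprint, seen.replace(tzinfo=timezone.utc)))
    return exits


def tor_exits_for(ip, at, exits, window_hours=24):
    """Fingerprints of exits seen on `ip` within +/- window_hours of the event time.

    The window matters: exit IPs rotate, so a record from weeks earlier is not
    evidence that the request at `at` came through Tor.
    """
    window = timedelta(hours=window_hours)
    return [fp for fp, seen in exits.get(ip, []) if abs(at - seen) <= window]


def triage_log(log_text=ACCESS_LOG, exit_text=EXIT_LIST, window_hours=24):
    """Annotate each parsable log line with whether its source was a Tor exit at that time."""
    exits = parse_exit_list(exit_text)
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        at = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        fps = tor_exits_for(m["ip"], at, exits, window_hours)
        rows.append({"ip": m["ip"], "request": m["req"], "tor_exit": bool(fps), "fingerprints": fps})
    return rows


if __name__ == "__main__":
    for row in triage_log():
        flag = "TOR " if row["tor_exit"] else "    "
        print(f'{flag}{row["ip"]:15} {row["request"]}')
```

A hit only says the request arrived via a Tor exit; it does not identify the client behind it. That is exactly why the rest of the list above (certificates, misconfigurations, metadata) exists: the exit-list check scopes the problem, the other pivots attribute it.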
30. SOME DARKWEB SEARCH ENGINES
31. WebPage Analysis
Study the source code, JavaScript, web links, etc.
32. LINKAGE WITH ADVERSARIES
Role of criminal OSINT + LEA / legal authorities + forensics
REVERSE IMAGE SEARCH OF SUSPECT’S
33. TRENDING THINGS
✓ EXPLOIT KITS: Angler, MPack, Phoenix, Blackhole, Crimepack, RIG, Nuclear, Neutrino, and Magnitude, etc
✓ Phishing KIT: Mephistophilus
✓ DRUG, Pharmaceuticals, Narco related
✓ CRYPTO for Terror Financing
✓ Child Sexual Abuse/Exploitation, CP, CyberSex Trafficking
✓ Ransomware as a Service, Selling Breached Data, PII
✓ Fake Indian Currency Notes (FICN)
✓ Counterfeit Goods, Weapons etc….
35. DIGITAL FOOTPRINTS FORENSICS (R3E)
Reconnaissance: crawlers, sensors, APIs, NLP, bots, AI & ML, algorithms, breached data, red/blue team assessment, etc.
Record: inventory, indexing, clustering, database, grouping, filtering, integrating various data sources, ISACs
Research: tailor-made investigations, node, pattern and trend analysis, adversary mapping, time-based analysis, cyber threat intelligence, influencers, prediction
Enforcement: legal, leads, coordination, joint investigation, operations, MLAT, SOS
36. WEBINT
Input: COTS tools, Twitter, instant messengers, Maltego, etc.
Processing: there are three main steps in analysing web media: data identification, data analysis, and information interpretation. Gather actionable insights in raw form concerning the subject, etc.
Output: disseminate to those concerned; investigation; forensics
37. Resources
• Wiki, Tor Project, RAND, Homeland Security, Kaspersky, Trend Micro, Dell, BrightTALK, Securus First, National Research Council, FAS, General Accounting Office, Cyber Conflict Studies Association, Strategic Studies Quarterly, Center for Strategic and International Studies, and Monitor reporting
• See http://www.bloomberg.com/politics/articles/2015-01-07/clapper-warns-of-more-potential-north-korean-hacksafter-sony.
• For additional information, see CRS Report RL33123, Terrorist Capabilities for Cyberattack: Overview and Policy Issues, by John W. Rollins and Clay Wilson.
• See "Challenges Remain in DHS' Efforts to Secure Control Systems," Department of Homeland Security, Office of Inspector General, August 2009. For a discussion of how computer code may have caused the halting of operations at an Iranian nuclear facility, see CRS Report R41524, The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability, by Paul K. Kerr, John W. Rollins, and Catherine A. Theohary.
• Executive Assistant Director Shawn Henry, Responding to the Cyber Threat, Federal Bureau of Investigation, Baltimore, MD, 2011.
• Department of Defense Deputy Secretary of Defense William J. Lynn III, "Defending a New Domain," Foreign Affairs, October 2010.