Dark Web Searching
Updated: May 11
The dark web is a subset of the internet that is accessed via special means, such as a TOR browser, and is not immediately available from the clear net. The terms dark web and darknet are often used interchangeably. For reference in this article, we will refer to the darknet as the network infrastructure, such as the TOR network or I2P network, and to the dark web as the content that is accessed and viewed by users.
There are a lot of great resources that explain what the dark web is, where it originated from and the nefarious activity that occurs there on a daily basis. This article is focused on identifying safe access options and then the multiple search options available using freely available dark web search engines that crawl the dark web.
Investigators looking to apply traditional search techniques on the dark web need to operate in a safe manner and be aware of the variation in the results presented by different search engines, and also of the actors who are active in different types of darknets.
Different "Dark Nets"
Most dark web articles refer to The Onion Router (TOR) as it is the most popular and researched. However, it is important to note that there are many darknets and below is an example of three common ones:
Another common darknet is Zeronet. Each has different access requirements or methods.
Different darknet details:
Focusing on TOR, the browser bundle to connect can be downloaded here: https://www.torproject.org/download/
Simply accessing TOR from your standard machine is not advised due to possible security implications. A lot of users will favor ease of use over security and connect directly from their standard workstation, but this has serious security considerations. The TOR browser is built on Firefox as a base, and therefore it is subject to the same vulnerabilities that Firefox has. Whilst the Firefox team might patch vulnerabilities regularly, there can be a delay before the update reaches the TOR bundle, which exposes users to risk. Given the nature of the content & site hosts on the dark web, this should be a critical consideration so as to not compromise your machine from either an attribution or a malware perspective.
It is recommended to apply safe connection methods so as to protect your attribution and host machine from compromise.
Safe Browsing Options
There are many opinions and options for how to access darknets. Below is a simple chart for three options that you can use when connecting to a darknet to provide a safer level of protection. Each has varying barriers to entry and users will have different requirements, budgets, or considerations as part of their connection approach.
Option 1: cloud virtual machine
1. Configure a cloud virtual machine or desktop using providers such as Amazon Workspaces (https://aws.amazon.com/workspaces/), Google Cloud (https://cloud.google.com/compute), Microsoft Azure VDI (https://azure.microsoft.com/en-au/free/virtual-machines) or Paperspace (https://www.paperspace.com/). There are other providers, but these are relatively cost-effective when used for small periods of time.
2. Install TOR/darknet access on the cloud machine and use that for your research.
3. Connect to the darknet from within the cloud virtual machine.
Note: you could also configure a VPN on your cloud machine for an additional layer; however, some cloud providers make this challenging and the technical requirements can increase the barrier to entry.

Option 2: local virtual machine
1. Install and configure a local virtual machine using a platform such as VirtualBox (https://www.virtualbox.org/), either by downloading a pre-configured VM (such as the TL VM: https://www.tracelabs.org/initiatives/osint-vm) or by installing an operating system from scratch.
2. Install TOR/darknet access on the virtual machine.
3. Configure a VPN on your standard workstation.
4. Connect to the darknet from within the virtual machine.

Option 3: standalone research machine
1. Provision a standalone research laptop/computer (consider using bootable operating systems such as Tails for lower attribution).
2. Configure a VPN on your research laptop.
3. Install TOR/darknet access natively on the research laptop.
4. Connect to the darknet natively from your research laptop.