Dark Web Investigation Attempt

I don't know what to say about this topic; the name itself is already pretty cool.


Last updated 1 year ago


Introduction

So here I am, wondering what to do with our TI (Threat Intelligence) program to make it better. I saw that Group-IB and Mandiant are at the top of TI, and they all do some kind of dark web monitoring or investigation. So I wondered whether I could pick up the basics of that skill. Let's do it. Here I will show not only the tools but also my notes on this topic, to help you learn and to shine a little light on the subject.

Why learn dark web investigation or access the dark web anyway?

The question is: why not? Why limit yourself to Google and the surface web? Pulling information from various sources to improve your TI program is always a plus. There are many dark web networks, not just Tor alone; for example:

  • ZeroNet

  • Lokinet

  • I2P

There are many more, because anyone with the resources and the motivation can create their own network. Accessing the dark web is one task; making use of it is another; and staying safe while doing it is a third.

Where to learn this tradecraft?

I found these links, which will show you a little of how dark web investigation works:

  • A guide that shows how to set up a machine and a proper network configuration before you start going to the dark web.

  • A SANS YouTube video that shows some of the tools that scrape the Tor network or the internet -> plus the list of tools it covers.

  • Anything related to www.hunch.ly is a pretty good resource.


My setup

  • Whonix as a Gateway

  • Trace Labs OSINT VM

  • Tor Browser

Here is the diagram:

<insert diagram soon>

Goal

When doing this, always set a goal, because if you go to the dark web just to look around, I think it is a waste of time. For me, the goal is to search for keywords that relate to my customer (name, business sector, customer e-mail addresses) and for data breaches.

At this time I don't know what to do beyond the task I listed above; maybe soon I'll figure something else out.

Information searching

Tools I'll be using:

  • a tool that can automate searching through a list of .onion domains

  • a dark web archive
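As an added example of what the goal above boils down to in practice (this is my illustration, not the page author's tooling or any of the tools linked here), here is a small keyword sweep: it fetches each .onion URL from a list through Tor's SOCKS proxy and reports where the customer's name or e-mail domain appears. Assumptions: the SOCKS address 10.152.152.10:9050 is what a Whonix-Workstation sees behind a Whonix-Gateway (a local tor daemon would be 127.0.0.1:9050), the `requests[socks]` package is installed for the live fetcher, and the .onion names, page contents and keywords are constructed so the script also runs offline.

```python
"""Keyword sweep over a list of .onion pages, fetched through Tor.

Added example, not the page author's code. The SOCKS address, the sample
pages and the keyword list are assumptions/constructed data.
"""
import re
from dataclasses import dataclass
from typing import Callable, Iterable

# Assumption: Tor's SOCKS port as seen from a Whonix-Workstation behind a
# Whonix-Gateway. For a local tor daemon or Tor Browser use 127.0.0.1:9050
# or 127.0.0.1:9150 instead. "socks5h" (not "socks5") makes Tor resolve the
# hostname, so .onion names never touch the local DNS resolver.
TOR_SOCKS = "socks5h://10.152.152.10:9050"


@dataclass
class Hit:
    url: str
    keyword: str
    context: str  # snippet of page text around the match


def fetch_via_tor(url: str, timeout: int = 60) -> str:
    """Fetch one page over Tor. Needs `pip install requests[socks]`; imported
    lazily so the offline parts of this script run without it."""
    import requests
    resp = requests.get(
        url,
        proxies={"http": TOR_SOCKS, "https": TOR_SOCKS},
        timeout=timeout,
        headers={"User-Agent": "Mozilla/5.0"},  # don't advertise a scraper
    )
    resp.raise_for_status()
    return resp.text


def tor_is_working() -> bool:
    """Sanity check before any sweep: ask the Tor Project whether the address
    it sees belongs to a Tor exit. Run once after bringing the VMs up."""
    import json
    reply = fetch_via_tor("https://check.torproject.org/api/ip")
    return bool(json.loads(reply).get("IsTor", False))


def strip_html(html: str) -> str:
    """Crude tag removal so the keyword context is readable text, not markup."""
    text = re.sub(r"<(script|style)\b.*?</\1>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return re.sub(r"\s+", " ", text)


def sweep(onions: Iterable[str], keywords: Iterable[str],
          fetch: Callable[[str], str] = fetch_via_tor, window: int = 40):
    """Return (hits, errors). Case-insensitive substring match; a dead or slow
    hidden service is recorded in `errors` and the sweep carries on."""
    patterns = [(kw, re.compile(re.escape(kw), re.I)) for kw in keywords]
    hits, errors = [], []
    for url in onions:
        try:
            text = strip_html(fetch(url))
        except Exception as exc:
            errors.append((url, str(exc)))
            continue
        for kw, pat in patterns:
            for m in pat.finditer(text):
                lo, hi = max(0, m.start() - window), m.end() + window
                hits.append(Hit(url, kw, text[lo:hi].strip()))
    return hits, errors


# Constructed sample pages standing in for real hidden services (offline demo).
SAMPLE_PAGES = {
    "http://constructedleakforum.onion/thread/42": (
        "<html><head><title>dump</title><script>var x=1;</script></head>"
        "<body><h1>Acme Corp customer DB</h1>"
        "<p>contact: jdoe@acme.example, sales@acme.example</p></body></html>"
    ),
    "http://constructedmarket.onion/": "<html><body>Nothing relevant here</body></html>",
    "http://constructeddead.onion/": None,  # simulates an unreachable service
}
KEYWORDS = ["Acme Corp", "@acme.example"]  # customer name and e-mail domain


def fake_fetch(url: str) -> str:
    """Stand-in for fetch_via_tor that serves the constructed pages."""
    page = SAMPLE_PAGES[url]
    if page is None:
        raise ConnectionError("timed out")
    return page


def demo():
    return sweep(SAMPLE_PAGES, KEYWORDS, fetch=fake_fetch)


if __name__ == "__main__":
    hits, errors = demo()
    for h in hits:
        print(f"{h.url}  [{h.keyword}]  ...{h.context}...")
    for url, err in errors:
        print(f"{url}  ERROR {err}")
```

Run it only inside the workstation VM, never from the host, and call `tor_is_working()` first: a wrong proxy setting fails closed with a connection error rather than silently leaking the request to the clearnet, but only because of `socks5h`. Plain `socks5` would let the local resolver see the `.onion` names.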

Links referenced on this page

  • Hunchly Dark Web Setup guide: https://www.hunch.ly/resources/Hunchly-Dark-Web-Setup.pdf

  • OSINT tools for dark web investigation: https://github.com/apurvsinghgautam/dark-web-osint-tools

  • Darknet field kit, information gathering (The Sleuth Sheet on Medium): https://medium.com/the-sleuth-sheet/darknet-field-kit-information-gathering-b5e555534b0

  • @DarkDotFail on Twitter: https://twitter.com/DarkDotFail

  • Dark web archives: https://github.com/D4RK-R4BB1T/Dark-Web-Archives