Cybersecurity Awareness: Darknet Investigator Best Practices

October 11, 2022

In honor of October’s Cybersecurity Awareness Month – a period of time designated by the President of the United States to heighten situational awareness – the DarkOwl team compiled a list of best practices for information security professionals and investigators tasked with conducting open-source intelligence (OSINT) and DARKINT™ investigations.

The fundamental rule of thumb in conducting any online cyber investigation is that the deeper you get into underground networks such as the darknet, the more vigilant your operational security and certainty in the technologies employed for anonymity. To remain safe while conducting dark and deep web operations, here are some guidelines and recommendations from our analysts.

1. Separate Your Technologies

Never utilize your work or home computers, or networks for that matter, for conducting dark web investigations. Even if you think you are being secure using Tor Browser Bundle or a VPN, there is elevated risk of inadvertent exposure to malware, threats, and viruses once you leave the Surface Web.

The same is true for social media investigations as well. Many threat actors that use personas on social media will include malicious links in social posts that are designed to log your IP address or expose your identity and location. A recent threat intelligence report indicates that some nation state sponsored malware can be triggered simply by hovering over the hyperlink.

2. Keep Darknet Identity Separate from IRL

Similarly, never use your personal, work, or school email address to sign up for or register accounts on any services on the darknet or deep web. Although you might think the address is non-attributable, if the username is remotely connected to your real-life identity, such as using your favorite sports team or hobbies, a threat actor can easily use the information to divulge your real identity or directly target you.

Likewise, never re-use an email address you used for an investigation with any personal or work-related website registrations or mailing lists, even if you believe it is non-attributable.

3. Layer Your Proxies

The Tor Browser provides layers of security protection through a series of network relays, obfuscating both the client and server IP addresses for every TCP/IP handshake. When conducting OSINT and darknet investigations that involve moving in and out of the Tor network, use one, or more, reliable paid virtual private network (VPN) services that offer additional features like double obfuscation and privacy policies like no server logging of user connection data. One could also adopt more extreme measures like live distros like Tails which wipes out every session’s data including the RAM, or Whonix which by design prevents IP address leakage.

4. Use Burner Phones and Email Addresses Where Possible

Non-attributable burner phones are more and more difficult to acquire, but increasingly necessary for building out investigative personas and joining sensitive networks and channels on chat platforms like Telegram. Underground forums and marketplaces also sometimes require a Telegram account or a valid email address for registration.

Overall, it is best to use temporary email address services, non-US based free email providers, or Tor email providers for account registrations. Some example temporary, anonymous, and secure email providers include Guerrilla, Protonmail, and AnonAddy.

5. Encrypt Everything Everywhere

Not using encryption on your darknet investigative platform, especially if you’re downloading and storing potentially sensitive data, is akin to storing things in a fireproof safe in real life without using the lock. The safe is there, turning the dial is the simple extra step for ensuring the safe’s contents are secure. End-to-end and OpenPGP encryption for emails and files are always better than storing on the disk directly.

Likewise, open-source Linux utilities like CryFS are readily available to encrypt your data. CryFS uses an AES-256-GCM algorithm plus a user-defined password to access configuration data for decrypting the hard disk. Others advocate for GostCrypt, a fork of Truecrypt, which uses the GOST 28147-89 algorithm and its more advanced cousin, Grasshopper for securing the data.

6. Trust No One

Despite the urban legends in circulation, such as – there are more law enforcement and information security researchers on the darknet than criminals – there is not a single individual or persona in the darknet that you can completely trust. Maintain your persona, capture whatever information and digital evidence you need quickly, and burn aliases and assets whenever necessary to not generate a lengthy digital paper trail.

Nearly every underground criminal community includes social engineering experts who thrive on the thrill of hunting down members of marketplaces, forums, and chats. Humans will continue to be the weakest link in cybersecurity, as threat specialists at Zerofox contend social engineering will continue to be the primary initial access vector for the foreseeable future. The LAPSUS$ gang are some of the most sophisticated social engineering cyber criminals in the darknet and continue to exploit enterprise victims using social engineering methods.

DarkOwl Vision’s UI helps OSINT analysts, darknet analysts, and darknet investigators gather critical data safely by bearing the brunt of these security risks. Vision provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information.