Deep Web Investigation

The dark web is a place where illegal items are sold. It can be dangerous to navigate, but it’s still an important source of intelligence for investigators.


Using the right tools is essential for dark web monitoring and investigation. Easy-to-use tools for surface and dark web investigations will help you perform better research.

Identifying Digital Footprints

A digital footprint is a traceable online history based on your activity and data. It includes your social media, email, search and app activity, which can be viewed by cybercriminals. Digital footprints can affect your reputation, and the information you share may be used by hackers for malicious purposes such as phishing attacks or to gain access to your bank account.

Your digital footprint isn’t just created by your own actions, but also by what others do or say about you online. For example, a comment about your new car on social media can be screenshotted by someone and used to steal your identity. Similarly, an employer can use information from a job applicant’s digital footprint to make hiring decisions.

In addition, your passive footprint can grow through information gathered without your consent, such as when you visit websites or apps that collect and store your data. This information is often sold to third parties. In recent years, consumers have pushed for data privacy legislation, with 27 states proposing or passing bills to protect online rights.

To minimize the size of your digital footprint, consider not using public Wi-Fi. Instead, use your smartphone’s data or a VPN when surfing the internet. Likewise, use privacy settings to limit who can view your personal info. A Google Alert is another way to monitor your name in online searches.

Identifying Criminals

A growing criminal industry based on anonymizing technology and cryptocurrency hides an array of illegal goods and services in online marketplaces. These include drugs, fake COVID-19 vaccines, stolen ID documents, child pornography and weapon parts, according to a recent NIJ-supported workshop report.

Police need a better understanding of the dark web, including the types of data and information it contains. They also need the ability to access it, to collect and preserve digital evidence while maintaining a chain of custody, and to present that evidence in court. The workshop participants identified six overarching law enforcement needs and key established needs and challenges.

Identifying suspects is a top need. Detectives need to be able to connect the dots on how suspects use the internet to communicate and make transactions. Detectives should also be able to conduct forensic searches of computers, smartphones and tablets used by suspects, and be trained in using a variety of tools to capture data and assemble it into a usable form.

Investigators should be trained in new forensic technologies, such as data-extraction tools that can extract encrypted content from mobile devices and virtual private networks (VPNs). They should also understand how to identify and utilize digital evidence artifacts, such as a suspect’s Tor browser address and other metadata, and learn about methods for intercepting shipments to thwart criminal activity. Finally, they should consider establishing and encouraging the development of standards for new processes and tools to capture dark web evidence.

Identifying Digital Assets

Digital assets are electronic files that have a perceived value for an organization (both financial and non-financial). They can be in any file format, from simple text documents to photos and videos. They are most often created and stored on computers and may be used for marketing, business processes or as a form of identification. A common challenge when managing digital assets is finding a way to categorize and store them. In addition to ensuring that files are organized, it is important that they are accessible.

The term “dark web” refers to a portion of the internet that is intentionally hidden. Unlike the surface web, which can be accessed using most standard internet browsers, dark web sites must be accessed via a special software application called Tor. Tor is a network of servers that allows users to connect to these sites without fear of being tracked or identified.

For example, some people use Tor to access pirated music or movies that are not available in their local area. However, many criminals also use this technology to conduct illegal activities such as money laundering, drug trafficking and hacking. This is why it is important for investigators to understand how to identify these hidden areas and to conduct proper searches within the bounds of the law. This requires specialized training and expertise, including the ability to identify digital footprints, encrypted documents, virtual private networks and cryptocurrency wallets.

Identifying Threats

The internet is composed of many layers. The surface web, or public web, contains websites accessible to any browser via standard search engines. The dark net, however, is hidden behind specialized browsers that employ encryption and anonymizing technology to prevent tracking. It is essentially an invisible internet that allows cybercriminals to exchange stolen data and evade law enforcement. Identifying these digital footprints and threats is key to bolstering cybersecurity and creating a safer online environment.

Often, the signs of a threat are evident in forums and marketplaces on the deep and dark web. These platforms allow criminals to quickly turn their stolen data into monetary gain. They are also a primary way that cybercriminals coordinate attacks and exchange vulnerabilities among themselves. Criminals also use these forums and marketplaces to track trends and other information pertaining to their hacking activities.

One method for identifying these threats involves using machine learning (ML) to detect them. The authors of [54] developed an incremental framework that applies classification and text mining to search dark web marketplaces, analyzing the titles and descriptions of offered items for terms related to newly released malware or new vulnerabilities. It then compares them against an established set of indicators to produce warnings and identify the threat actors involved.
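
The incremental idea described above can be sketched in a few lines. This is an added example, not code from [54] or from the original page: it substitutes a plain keyword and CVE-pattern match for the classifier, and the watchlist, vendor names, listings and CVE id are all constructed for illustration.

```python
import re
from collections import defaultdict

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)
TOKEN_RE = re.compile(r"[a-z0-9][a-z0-9-]+")
# Assumed indicator set; a real deployment would load a maintained list.
WATCHLIST = {"ransomware", "stealer", "exploit", "0day", "botnet"}

# Constructed listings, not real marketplace data; the CVE id is a placeholder.
BATCH_1 = [
    {"vendor": "vendorA", "title": "Fresh stealer logs", "description": "daily updates"},
    {"vendor": "vendorB", "title": "Vintage posters", "description": "art prints"},
]
BATCH_2 = [
    {"vendor": "vendorA", "title": "Stealer logs restock", "description": "same quality"},
    {"vendor": "vendorC", "title": "Exploit for CVE-2099-00001", "description": "tested"},
    {"vendor": "vendorB", "title": "Stealer builder", "description": "v2"},
]


class ListingMonitor:
    """Keeps state across batches so only changes since earlier runs raise warnings."""

    def __init__(self, watchlist=WATCHLIST):
        self.watchlist = set(watchlist)
        self.seen = defaultdict(set)  # indicator -> vendors already seen offering it

    def indicators(self, listing):
        text = f"{listing['title']} {listing['description']}".lower()
        hits = {cve.upper() for cve in CVE_RE.findall(text)}
        return hits | (self.watchlist & set(TOKEN_RE.findall(text)))

    def process(self, batch):
        warnings = []
        for listing in batch:
            for ind in sorted(self.indicators(listing)):
                vendors = self.seen[ind]
                if listing["vendor"] in vendors:
                    continue  # already reported for this vendor
                kind = "new-vendor" if vendors else "new-indicator"
                vendors.add(listing["vendor"])
                warnings.append((kind, ind, listing["vendor"]))
        return warnings


if __name__ == "__main__":
    monitor = ListingMonitor()
    for batch in (BATCH_1, BATCH_2):
        for warning in monitor.process(batch):
            print(warning)
```

Each warning ties an indicator to the vendor offering it, which is the link an analyst needs to move from "a new term appeared" to "who is selling it".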

Workshop participants identified a need for additional training and support to address these growing challenges. They recommended courses that teach line officers about the types of evidence found in digital environments as well as training on methods used by criminals to conceal their activity from law enforcement. They also emphasized the need to secure command buy-in for this type of investigation to ensure commitments of funding and training time.