11/9/22, 10:02 AM CyberQ - Lab Guide

CyberQ Document

Module 10: Dark Web Forensics

Lab Scenario
When forensic investigators come across cases of dark web crimes, they generally do not locate any traces of criminal activity on normal
browsers meant for daily use such as Google Chrome Mozilla Firefox, Microsoft Edge/Internet Explorer, etc. For perpetrating dark web
crimes, criminals prefer the Tor Browser as it provides them with a high level of anonymity. In such instances, investigators need to examine
the suspect machine for Tor Browser artifacts to help them solve such cases.

Tor Browser artifacts can be retrieved by examining the RAM dump of the suspect machine. In case Tor Browser has been
removed/uninstalled from a system after committing the crime,investigators can discover its related artifacts by analyzing its prefetch file on
a Windows machine.

Lab Objectives
The objective of this lab is to help you understand dark web forensics techniques. The tasks include:

Discovering Tor Browser activity on a Windows machine

Examining RAM dumps to discover Tor Browser artifacts

Overview of Dark Web Forensics

Use of dark web forensics is necessary because of an increase in illegal activities such as drugs and weapons trafficking, selling credit card
details and other private information related to individuals, etc. that are facilitated through the internet. Dark web forensics helps
investigators gather evidence against the perpetrators of such dark web crimes so that they can be prosecuted in a court of law.

Lab Tasks
Recommended labs to assist you in dark web forensics:

Detecting TOR Browser on a Machine

Analyzing RAM Dumps to Retrieve TOR Browser Artifacts

Lab 1: Detecting TOR Browser on a Machine

Lab Scenario

During a search and seize operation connected with a case of an internet-based fraud in which credit card information and bank details of
several individuals were stolen and sold, law enforcement authorities got hold of a few computers belonging to the suspects. During the
forensic investigation of the seized computers, the investigators discovered that the suspects had tried to cover their tracks by removing all
the tools/applications they had used on the systems. The investigators decided to examine the prefetch files on the system to determine the
application/program that might have been used by the suspects to commit crimes. While searching through the prefetch files, the
investigators located a prefetch file for Tor Browser, which indicate that this might be a case of dark web crime. How should the investigators
proceed to be able to analyze the Tor Browser artifacts in this case?

As a forensic investigator, you must know how to analyze prefetch files pertaining to Tor Browser using the right tool(s).

Lab Objectives

Tor Browser is based on a Mozilla Firefox browsing application that works on the concept of Onion Routing. It allows users to access the dark
web and carry out criminal/illegal activities anonymously.

In this lab, you will learn how to retrieve Tor Browser activity from a Windows machine by:

Examining Windows prefetch files

Monitoring network connections using netstat command

Overview of the Lab

This lab familiarizes you with the process of determining whether Tor Browser has been used on a suspect system with the help of
WinPrefetchView, an application that helps you find the prefetch files pertaining to various programs that have been installed on a system.

about:blank 1/41
11/9/22, 10:02 AM CyberQ - Lab Guide
Even if a program is deleted/uninstalled from a system, the prefetch file related to it is still likely to remain on the system, which provides the
evidence for that program’s execution on the system.

Lab Tasks
1. Select CHFIV10 WINDOWS 10 virtual machine and click Ctrl+Alt+Del.

2. By default, Admin user profile is selected, type qwerty@123 in the Password field and press Enter to login.

Note: If Networks pane appears, click Yes to allow your PC to discoverable by other PCs and Devices on this network.

about:blank 2/41
11/9/22, 10:02 AM CyberQ - Lab Guide

Note: Before beginning the lab, make sure you install and run Tor Browser on your CHFIV10 WINDOWS 10 virtual
machine. Ignore any errors if Tor Browser is unable to establish a Tor network connection.

3. Navigate to Z:\CHFIv10 Module 10 Dark Web Forensics\Tor Browser. Double-click on [Link] to launch the set-up and
follow the wizard-driven installation steps to complete the installation of Tor Browser.

about:blank 3/41
11/9/22, 10:02 AM CyberQ - Lab Guide

Note: If an Open File – Security Alert window appears, click Run.

4. Navigate to Z:\CHFIv10 Module 10 Dark Web Forensics\Tor Browser Detection Tools\WinPrefetchView. Double-click on
[Link] to launch the application.

Note: If an Open File – Security Alert window appears, click Run.

Note: If a User Account Control pop-up appears, click Yes to continue.

5. WinPrefetchView opens and takes some time to load all prefetch files from your CHFIV10 WINDOWS 10 virtual machine. Upon
loading them, the application displays them as indicated in the screenshot below:

about:blank 4/41
11/9/22, 10:02 AM CyberQ - Lab Guide

6. Now, we need to examine the artifacts pertaining to Tor Browser from its prefetch file. Scroll down the upper pane of the application
window to locate the prefetch file related to Tor Browser.

about:blank 5/41
11/9/22, 10:02 AM CyberQ - Lab Guide

7. Now, right click on the Tor Browser Prefetch file and select Properties option from the context menu.

about:blank 6/41
11/9/22, 10:02 AM CyberQ - Lab Guide

8. The Properties window will now appear, displaying the metadata related to the browser such as Filename, Created Time, Modified
Time, Last Run Time (the timestamp when the browser was last run), Run Counter (Number of times the browser was executed), and
Tor Browser execution directory (Process Path).

about:blank 7/41
11/9/22, 10:02 AM CyberQ - Lab Guide

9. From the above screenshot, it is observed that Tor Browser has been executed 6 times on the machine (The Run Counter value varies
depending on the number of times you launch and access Tor Browser). The timestamps retrieved from the application help an
investigator construct a timeline analysis of the incident.

Note: WinPrefetchView application can fetch Tor Browser activity on the machine even when it is uninstalled/deleted
from the machine.

10. The netstat command in command prompt helps in determining Tor Browser activity on the suspect machine. If Tor successfully
established a connection, then launching a command prompt with administrator privileges and running the netstat -ano command
lists all active connection results as shown in the following screenshots:

about:blank 8/41
11/9/22, 10:02 AM CyberQ - Lab Guide

about:blank 9/41
11/9/22, 10:02 AM CyberQ - Lab Guide

Note: When TOR Browser is installed on a Windows machine, it uses port 9150/9151 for establishing connection via Tor
nodes.

Note: The connection state ESTABLISHED means the socket has an established connection and LISTENING means the
socket is waiting for a connection.

Note: In case the Active Connections state is displayed as Time_Wait, it means that the Tor Browser application has been
closed.

about:blank 10/41
11/9/22, 10:02 AM CyberQ - Lab Guide

Note: The result might differ if the browser has been closed a while ago. You might not see the ports 9150/9151 listed
after certain period of time lapse (for closed browser state).

11. In this manner, you can detect Tor Browser activity on a Windows machine.

12. Close all open windows.

Lab 2: Analyzing RAM Dumps to Retrieve TOR Browser Artifacts

Lab Scenario

Forensic investigators have seized a computer belonging to a drug trafficker who is suspected of expanding his drug smuggling network
through the dark web. During investigation, it was found that the suspect had been using Tor Browser on his system to engage in drug
trafficking and its expansion. To extract more information on the suspect’s activities related to drug trafficking, investigators need to analyze
the RAM dump of his system so that it reveals all his activities on Tor Browser. The artifacts obtained from the RAM dump can help the
investigators extract evidence that can be used to prosecute the suspect.

As a forensic investigator, you must know how to analyze the RAM dump of a suspect machine and retrieve Tor Browser artifacts.

Lab Objectives

The memory dump collected from a suspect machine not only contains artifacts related to the browser, but also all the activities that
occurred on it. Analyzing RAM dump can help investigators find all details pertaining to the activities that an attacker has performed on the
system using Tor Browser.

The objective of this lab is to help you learn how to examine a RAM dump and recover potential artifacts pertaining to Tor Browser using the
Bulk Extractor tool.

Overview of the Lab

This lab familiarizes you with the process of analyzing a RAM dump containing Tor Browser artifacts with the help of Bulk Extractor.

Lab Tasks

about:blank 11/41
11/9/22, 10:02 AM CyberQ - Lab Guide
1. Select CHFIV10 WINDOWS SERVER 2016 virtual machine and click Ctrl+Alt+Del..

2. By default, Administrator user profile is selected, type qwerty@123 in the Password field and press Enter to login.

Note: If Networks pane appears, click Yes to allow your PC to discoverable by other PCs and Devices on this network.

about:blank 12/41
11/9/22, 10:02 AM CyberQ - Lab Guide

3. Before beginning the lab, we will create two folders named Tor Report (Browser Opened) and Tor Report (Browser Closed) on the
Desktop. These two folders are going to serve as our case folders, which will store the Tor Browser artifacts retrieved in the respective
events of the browser being open and closed.

4. Navigate to C:\CHFI-Tools\CHFIv10 Module 10 Dark Web Forensics\Tor Browser Analysis Tools\Bulk Extractor. Double-click on
bulk_extractor-[Link] to launch the set-up and follow the wizard-driven installation steps to complete the
installation of Bulk Extractor.

5. Upon completing the installation, launch the Bulk Extractor application from the Start menu by clicking on the Start button
(Windows icon) on the task bar, as shown in the screenshot below:

about:blank 13/41
11/9/22, 10:02 AM CyberQ - Lab Guide

6. The main window of the application, i.e., Bulk Extractor Viewer will open. Click the Generate a report using bulk_extractor icon, as
shown in the screenshot below:

about:blank 14/41
11/9/22, 10:02 AM CyberQ - Lab Guide

7. Now, Run bulk_extractor window will open, as shown in the screenshot:

about:blank 15/41
11/9/22, 10:02 AM CyberQ - Lab Guide

Note: Reduce the height and adjust the position of the Run bulk_extractor window manually in order to view the options
specific to the tool located at the bottom of the window.

8. Now, we need to use the ellipsis buttons to browse the Image file and the Output Feature Directory, as indicated in the screenshot
below:

about:blank 16/41
11/9/22, 10:02 AM CyberQ - Lab Guide

9. Upon clicking the ellipsis button against the Image File field, you will see the Image File to Extract Features From window. Navigate
to C:\CHFI-Tools\Evidence Files\Forensic Images. From the Files of type drop-down, select All Files, then select the file
TOR_Opened.mem, and then click Open to provide the Image File.

about:blank 17/41
11/9/22, 10:02 AM CyberQ - Lab Guide

10. Similarly, upon clicking the ellipsis button against the Output Feature Directory field, you will see the Output Feature Directory
window. Select Desktop, then select the Tor Report (Browser Opened) folder, and then click Select to provide the Output Feature
Directory, as indicated in the screenshot below:

about:blank 18/41
11/9/22, 10:02 AM CyberQ - Lab Guide

11. We have provided the Image File and Output Feature Directory, and their paths will be displayed in their respective fields, as shown
in the screenshot below. Now, ensure that all options under the Scanners section are checked and then click Submit Run, as
highlighted in the screenshot:

about:blank 19/41
11/9/22, 10:02 AM CyberQ - Lab Guide

12. The bulk_extractor Scan window appears, where the input file is scanned. The progress of the scan and case creation can be seen in
the window, as shown in the following screenshot:

about:blank 20/41
11/9/22, 10:02 AM CyberQ - Lab Guide

13. Upon the successful completion of the scan, close the bulk_extractor Scan window and go back to the Bulk Extractor Viewer
window. We will now begin investigating the Tor Browser artifacts that were obtained when the browser was in an open state.

14. Now, in the left pane of the application window, you will see the Tor Report (Browser Opened) folder populated under the Reports
section. Click the folder to expand it and view its contents.

about:blank 21/41
11/9/22, 10:02 AM CyberQ - Lab Guide

15. Select the [Link] file to determine all website domains that were visited on the suspect machine’s Tor Browser. You will see
several different domains listed under [Link]. Upon scrolling down, we find numerous instances of the use of the
[Link] domain, as seen in the screenshot below. This tells us that there were numerous instances of Gmail being used to
exchange emails.

about:blank 22/41
11/9/22, 10:02 AM CyberQ - Lab Guide

16. Now, we will look for email IDs associated with Gmail as several instances of [Link] under [Link] have been located,
as seen in the screenshot above. To find the email IDs that have been recorded in this memory dump file, i.e., TOR_Opened.mem, click
on [Link] in the left pane under the Reports section. You will see all email IDs (including Gmail IDs) recorded on the memory
dump, as highlighted in the screenshot below:

about:blank 23/41
11/9/22, 10:02 AM CyberQ - Lab Guide

17. From the screenshot above, we can infer that there are multiple instances of the use of a Gmail ID. For a demonstrative purpose, we
have highlighted the region where we see the Gmail ID jasoncreek2020@[Link] in this lab. In real-time, you might find instances
wherein several email IDs from Gmail or any other email service provider(s) have been recorded.

18. Now, we will examine the contents of [Link] file. A JSON file stores information on the data exchange that has taken place between a
browser/web application and a server. By examining the contents of the [Link] file here, we can retrieve the details of email
exchanges on the browser (in this case, Tor Browser).

19. Therefore, when you first click on [Link] (1), you will find several entries in the Feature File section in the upper half of the middle
pane in the application window. Since we have found a number of entries pertaining to the email ID jasoncreek2020@[Link]
previously under [Link], we are assuming that email ID belongs to a suspect user. As a second step, enter
jasoncreek2020@[Link] in the Feature Filter field (2) and press Enter to obtain the artifacts of email communication related to
the mentioned email ID under the Feature File section (3).

about:blank 24/41
11/9/22, 10:02 AM CyberQ - Lab Guide

20. We need to carefully examine each of the entries obtained under the Feature File section as seen in the screenshot above to find the
artifacts of malicious email communication. Upon carefully examining each entry by clicking on them, we can retrieve the artifacts of a
malicious email communication.

Note: When you click on any entry, you can see the highlighted part related to the entry in the right pane of the window.

about:blank 25/41
11/9/22, 10:02 AM CyberQ - Lab Guide

Note: For the purpose of demonstrative ease in this lab, and to save time, we have confined our investigation to retrieving
malicious email artifacts that relate to the email ID jasoncreek2020@[Link] (assuming it to be a suspect email ID). In
real-time, however, you might have to examine email communication from several other email IDs in order to identify the
suspects or the suspect email IDs in a case.

21. From the above screenshot, we can summarize our observations as follows:

A. Email ID of the sender: jasoncreek2020@[Link].

B. Email ID of the receiver: rinimatthews@[Link].

C. Subject of the email: Share the Missile Codes.

D. The body of the email: As discussed, I am sharing the codes for launching the missiles. You can find them in the attachment.

E. Attachment found in the email: Secret_Codes.txt.

22. In this manner, we can retrieve the malicious email exchanges that took place through the Tor Browser.

23. Now, we will retrieve the artifacts stored in [Link] file. The [Link] will provide us information on all URLs that have been visited
through the suspect machine’s Tor Browser. Before moving to this task, ensure to remove the jasoncreek2020@[Link] filter from
the Feature Filter field, which we had applied for our previous task of finding email artifacts from the [Link] file.

24. Now, click on [Link] in the left pane of the application window under the Reports section. The application will display all artifacts
stored in [Link] under the Feature File section, as displayed in the following screenshot:

about:blank 26/41
11/9/22, 10:02 AM CyberQ - Lab Guide

25. Now, we will examine the artifacts stored in url_searches.txt. Examining the artifacts of url_searches.txt will provide us information
about all the search queries that were made on the suspect machine’s Tor Browser.

26. Click on url_searches.txt in the left pane of the application window under the Reports section. All queries that have been searched on
the suspect machine’s Tor Browser will now be listed under the Histogram File section in the upper half of the middle pane in the
application window, as indicated in the screenshot below:

about:blank 27/41
11/9/22, 10:02 AM CyberQ - Lab Guide

27. In this manner, we can find URLs or content that have been browsed on the suspect machine’s Tor Browser.

28. Now, we will examine the Tor Browser artifacts obtained when the browser was in a closed state.

29. In the Bulk Extractor Viewer window, click on the Generate a report using bulk_extractor icon.

about:blank 28/41
11/9/22, 10:02 AM CyberQ - Lab Guide

30. Run bulk_extractor window opens, as shown in the screenshot below:

about:blank 29/41
11/9/22, 10:02 AM CyberQ - Lab Guide

31. Now, click on the ellipsis buttons to browse and provide the Image file and the Output Feature Directory, as indicated in the
screenshot below:

about:blank 30/41
11/9/22, 10:02 AM CyberQ - Lab Guide

32. Upon clicking the ellipsis button against the Image File field, the Image File to Extract Features From window will appear. Navigate
to C:\CHFI-Tools\Evidence Files\Forensic Images. From the Files of type drop-down, select All Files, select the file
TOR_Closed.mem, and then click Open to provide the Image File.

about:blank 31/41
11/9/22, 10:02 AM CyberQ - Lab Guide

33. Similarly, upon clicking the ellipsis button against the Output Feature Directory field, you will see the Output Feature Directory
window. Select Desktop, then select the Tor Report (Browser Closed) folder, and then click Select to provide the Output Feature
Directory, as indicated in the screenshot below:

about:blank 32/41
11/9/22, 10:02 AM CyberQ - Lab Guide

34. We have now provided the Image File and Output Feature Directory, and their paths will be displayed in their respective fields, as
shown in the screenshot below. Now, ensure that all options under the Scanners section are checked, and then click on Submit Run,
as highlighted in the screenshot:

about:blank 33/41
11/9/22, 10:02 AM CyberQ - Lab Guide

35. The bulk_extractor Scan window appears where the input file is scanned. The progress of the scan and case creation can be seen in
the window, as shown in the following screenshot:

about:blank 34/41
11/9/22, 10:02 AM CyberQ - Lab Guide

36. Upon the successful completion of the scan, close the bulk_extractor Scan window and go back to the Bulk Extractor Viewer
window. We will now be investigating the Tor Browser artifacts that were obtained when the browser was in a closed state.

37. Now, in the left pane of the application window, you will see the Tor Report (Browser Closed) folder populated under the Reports
section. You may now collapse the previously expanded Tor Report (Browser Opened) folder and expand the Tor Report (Browser
Closed) folder to view the contents stored under it.

38. We will begin our forensic examination by first retrieving the information stored in [Link].

39. Select the [Link] file to determine all website domains that were visited on the suspect machine’s Tor Browser. You will see
several different domains listed under the Feature File [Link] section in the middle pane of the window. Upon scrolling down, we
find numerous instances of the use of the [Link] domain, as seen in the screenshot below. This tells us about numerous
instances where Gmail was used to exchange emails. Click/Select any of the instances of [Link] if you want to find any
specific artifacts associated with it. The artifacts, if any, will appear in the right pane of the window.

about:blank 35/41
11/9/22, 10:02 AM CyberQ - Lab Guide

40. Now, several instances of [Link] are listed under [Link] as seen in the screenshot above. We will look for email IDs
associated with Gmail. To find email IDs that have been recorded in this memory dump file, i.e., TOR_Closed.mem, click on [Link]
in the left pane under the Reports section. You will see all email IDs (including Gmail IDs) that have been recorded on the memory
dump, as highlighted in the screenshot below:

about:blank 36/41
11/9/22, 10:02 AM CyberQ - Lab Guide

41. From the screenshot above, we can infer that there are multiple instances of the use of a Gmail ID. For a demonstrative purpose, in this
lab, we have highlighted the region where we see multiple entries pertaining to the Gmail ID jasoncreek2020@[Link]. In real-
time, you might find instances wherein several different email IDs from Gmail or any other email service provider(s) have been
recorded.

42. Now, we will examine the contents of [Link] file. Follow the same procedure as in the previous case of examining the contents of
[Link] file for the Tor Browser Opened state. We will similarly use the email ID jasoncreek2020@[Link] as a filter to obtain
email messages related to the above mentioned email ID, which is found to be malicious. Therefore, first click on [Link] (1) in the left
pane under the Reports section. As a second step, apply the mentioned email ID as a filter (2) to find the results related to it under the
Feature File section (3), as indicated in the screenshot below:

about:blank 37/41
11/9/22, 10:02 AM CyberQ - Lab Guide

43. We need to examine each of the entries obtained in the previous step to find artifacts of any malicious email communication. To
examine the artifacts stored in an entry, select that entry. You will then be able to examine its artifacts in the right pane of the
application window.

44. Now, upon carefully examining the entry highlighted under the Feature File section in the screenshot below, we find the artifacts of a
malicious email communication:

about:blank 38/41
11/9/22, 10:02 AM CyberQ - Lab Guide

45. From the above screenshot, we can summarize our findings as follows:

A. Sender’s email ID: jasoncreek2020@[Link].

B. Receiver’s email ID: rinimatthews@[Link].

C. Subject of the email: Share the Missile Codes.

D. Body of the email: As discussed, I am sharing the codes for launching the missiles. You can find them in the attachment.

E. Attachment found in the email: Secret_Codes.txt.

46. We will now examine the artifacts stored in the [Link] file. Examining the artifacts of the [Link] file will provide us information about
the URLs visited through the suspect machine’s Tor Browser. Before moving to this task, ensure you remove the
jasoncreek2020@[Link] filter from the Feature Filter field, which we had applied to our previous task of finding email artifacts
from the [Link] file.

47. Now, click on [Link] in the left pane of the application window under the Reports section. The application will list all URLs that have
been visited through the suspect machine’s Tor Browser under the Feature File section, as indicated in the screenshot below:

about:blank 39/41
11/9/22, 10:02 AM CyberQ - Lab Guide

48. We will now examine the artifacts stored in the url_searches.txt file. url_searches.txt will provide us information on all search queries
made on the web through the Tor Browser. Therefore, click on url_searches.txt. All the artifacts stored in url_searches.txt will be
displayed under the Histogram File section, as shown in the screenshot below:

about:blank 40/41
11/9/22, 10:02 AM CyberQ - Lab Guide

49. In this manner, you can examine the RAM dump from a suspect machine and retrieve various artifacts pertaining to Tor Browser.

50. Close all open windows.

about:blank 41/41