Host-Based Dark Web Forensics

5 Days – 40Hrs

Cost: $2,995

Participants will receive

5 Days of Instruction
Course Manual
Practical Files
Attendance Certificate

Damien Attoe

Lead Developer

Before joining Spyder Forensics, Damien was a Managing Consultant at AccessData, where he managed eDiscovery and digital forensics projects and provided services to companies in various industries, including the health care, energy, and financial industries. Prior to that, Damien was a Computer Crime Specialist at the National White Collar Crime Center, where he conducted digital forensic research and performed software validation studies on digital forensic software.

Course Objectives

The Dark Web is a place of mystery and has been a challenge for law enforcement due to its anonymous nature. The software used to access the various dark webs is designed to protect a user’s identity and leave no traces of their activity. This course looks at the software used to access the Tor Network, I2P and Freenet, and at the residual evidence left behind that can help during a case involving the Dark Web.

This course includes 40 hours of theoretical and hands-on instruction. Students will be provided with a comprehensive training manual and will have access to all data used in class to enable them to continue their learning after the course is completed. Upon completion, students will receive a certificate of attendance detailing the CPE hours gained.

Students will gain an understanding of what data could persist when a user is accessing the Tor Network, I2P and Freenet. During the course attendees will look at the artifacts found on a Windows system and in Memory that can show not only that the user had accessed the networks but also what they may have been doing. Students will also look at some of the popular iOS and Android Tor Browser applications.

Other topics covered in the course include identifying and extracting PGP Artifacts and Cryptocurrency usage artifacts including decoding popular wallet software such as Electrum and Exodus, along with recognizing trace evidence associated with using a Hardware Cryptocurrency wallet.

Primary Learning Objectives

    Host-Based Dark Web Forensics - Day 1

    Day 1 of the Spyder Forensics Host-Based Dark Web Forensics course begins with an overview of the course along with an introduction to the Instructor.

    • Introduction to the Tor Browser on Windows® Devices
    • Examine the artifacts associated with the installation of the Tor Browser
    • Extracting User Bookmark Information
      • Bookmark Backups
      • Places.sqlite
    • Identifying Tor Browser Activity from Windows Timeline
    • RegEx Searching Onion Addresses

    Instructor Led Lab

    Host-Based Dark Web Forensics - Day 2

    Day 2 of the course

    Instructor Led Lab

    • Introduction to HTTP Requests and Responses
    • Identifying HTTP Requests and Responses in Memory
    • Data Carving HTML pages from Memory
    • Data Carving Graphics from Memory

      • Introduction to PGP Encryption
      • Identifying PGP Artifacts using RegEx
      • Extracting information from PGP keys

      Instructor Led lab

      Host-Based Dark Web Forensics - Day 3

      Day 3 of the course

      Instructor Led Lab

      • Introduction to I2P on Windows® Devices
      • Examine the artifacts associated with the installation of I2P and I2Peasy
      • Learn the function of the I2P Address book and how to extract information from it
      • Identifying I2P Browsing History
      • RegEx Searching I2P Addresses

        Instructor Led Lab

        • Introduction to Freenet on Windows® Devices
        • Examine the artifacts associated with the installation of Freenet
        • Extracting Freenet usage information
          • Freenet Bookmarks
          • Upload/Download History
        • Understanding the Node to Node Text Messaging System (N2NTM)
          • Decoding the N2NTM artifacts
        • Identifying Freenet Browsing History
        • RegEx Searching Freenet Keys

        Host-Based Dark Web Forensics - Day 4

        Day 4 of the course

        • Introduction to Tor applications on iOS devices
        • Decoding the OnionBrowser Application
        • Decoding the RedOnion Application
        • Extracting Connection information from Orbot

        Instructor Led Lab

        Instructor Led Lab

        SQLite Write-Ahead Logs

        • Examining Frames in an SQLite Write-Ahead Log

        • Introduction to Tor applications on Android devices
        • Decoding the Tor Browser Application
        • Decoding the OrNet Application
        • Extracting Connection information from Orbot

        Host-Based Dark Web Forensics - Day 5

        Day 5 of the course

        • Introduction to popular Windows® Desktop Wallets
        • Identifying and extracting wallet information
          • Electrum
          • Exodus
          • Bitpay
          • Wasabi
        • Introduction to Trezor and Ledger Hardware Wallets
        • Identifying the use of a hardware cryptocurrency wallet
        • Extracting Hardware wallet information from their setup applications
          • Decoding Trezor Suite
          • Decoding Ledger Live

          Instructor Led Lab
