DarkWeb Host-Based Forensics (Live On-Site, Pittsburgh, PA) – August 2025
Advanced Level Course
Course Overview
The Dark Web Host-Based Forensics course offers expert-level training over the span of a week, tailored for digital forensic examiners who handle cases involving the Dark Web and Cryptocurrency. This intensive program delves into the world of Tor, I2P and Freenet and the residual evidence that persists on the host device and can reveal user activity on these anonymous networks.
During this course, participants will gain a detailed understanding of the software used to access the Dark networks and what data persists from their usage. Utilizing various techniques and forensic applications, participants will learn how to recognize the presence of Dark Web tools on multiple platforms, and how to extract the relevant information. Topics covered include deciphering Tor Browser artifacts on Windows®, Android and iOS, identifying and extracting Tor Browser activity from memory, a forensic look at I2P and Freenet artifacts found on a Windows® device, and decoding popular cryptocurrency wallets. Additionally, students will learn methodologies to identify Dark Web and Cryptocurrency activity using RegEx.
This advanced level course goes beyond the capabilities of automated forensic tools by digging into the various file structures to uncover data that may be deleted, compressed, or obfuscated. This includes handling Mozlz4 compressed files, exploiting SQLite write-ahead logs to uncover secure-deleted data, extracting deleted keys from LevelDBs and identifying obfuscated data inside a binary plist.
By the end of the course, participants will have acquired the advanced skills to identify the use of Dark Web related applications, and to extract and interpret the key artifacts related to user activity. The knowledge acquired in this course will not only aid an examiner in Dark Web investigations but will also increase their proficiency in handling various data structures such as SQLite and LevelDB, which can be applied to any examination.
Students will use a variety of open source and leading forensic applications to examine key artifacts through multiple hands-on labs and student exercises.
Eligibility:
STRICTLY Law enforcement, Government, Armed forces, and Police ONLY
This course is designed to help government and police investigators understand where to start their Darknet investigations and how to operate in this new environment. Investigators engaged in online investigations of any kind, and those using open source (OSINT) analytics, will benefit greatly from this course. Crime analysts, national security investigators, crimes against children investigators, and drug investigators will especially benefit. This is an advanced-level course presented from an investigator’s point of view. Those with a non-technical background will also benefit from the material presented. This is not a general lecture course and is for experienced investigators to learn advanced topics.