Progressive Standard Operating Procedures for Darkweb Forensics Investigation

Mgembe I. P., Msongaleli D. L., Chaundhary N. K.

10th International Symposium on Digital Forensics and Security (ISDFS), Maltepe, Turkey, 6 - 07 June 2022

  • Publication Type: Conference Paper / Full Text
  • Doi Number: 10.1109/isdfs55398.2022.9800830
  • City: Maltepe
  • Country: Turkey
  • Keywords: Darkweb, TOR, Forensics, Artifacts, Cryptocurrency


With the advent of information and communication technology, the digital space is becoming a playing ground for criminal activities. In the real world, criminals typically prefer darkness or a hidden place to perform their illegal activities, sometimes covering their faces to avoid being exposed and caught. The same applies in the digital world, where criminals prefer features that provide anonymity or concealment to perform illegal activities. In this spirit, the Darkweb is attracting all kinds of criminal activities conducted over the Internet, such as selling drugs, illegal weapons, child pornography, assassination for hire, hackers for hire, and selling of malicious exploits, to mention a few. Although the anonymity offered by the Darkweb can be exploited as a tool to arrest criminals involved in cybercrime, in-depth research is needed to advance criminal investigation on the Darkweb. Analysis of illegal activities conducted on the Darkweb is in its infancy and faces several challenges, such as the lack of standard operating procedures. This study proposes progressive standard operating procedures (SOPs) for Darkweb forensics investigation. We provide the four stages of the SOP for Darkweb investigation. The proposed SOP consists of the following stages: identification and profiling, discovery, acquisition and preservation, and, as the last stage, analysis and reporting. In each stage, we consider the objectives, tools and expected results of that particular stage. Careful consideration of this SOP revealed promising results in the Darkweb investigation.