Conducting investigations and remaining anonymous on the darknet

Those conducting illegal activity on the Darknet are often technologically savvy individuals who are on the lookout for officers

By Jinnie Chua, Assistant Editor of In Public Safety

Remaining safe on the Darknet is highly dependent on being able to protect your identity. This is especially true for members of the law enforcement community. Those conducting illegal activity on the Darknet are often technologically savvy individuals who are on the lookout for officers.

“If you act like a cop, they are going to figure out you’re a cop,” said Albert Schultz, a former CIA Analyst and Operations Officer.

Last month, Schultz gave a presentation entitled “Darknet for Law Enforcement” at the Intel and Law Enforcement Training Seminar (INLETS) in Annapolis, Maryland. His presentation focused on tradecraft for conducting investigations anonymously on the Darknet.

Navigating the Tor Network

The dark web, which is the web content that lives on the Darknet, makes up less than one percent of the entire web. Unlike Facebook, Amazon and other sites that make up the surface web, the dark web can only be accessed on the Darknet via a specific browser or plug-in. (For an introduction to the surface web, dark web and Darknet, read more here).

There are several distinct networks that are referred to as the Darknet – including Freenet, I2P, and Tor – and each one uses its own set of protocols to grant users access. “Imagine that each network requires its own drill to access its content,” explained Schultz.

Tor, which stands for The Onion Router, is the most widely used network; 95 percent of the dark web is Tor-based. Tor utilizes onion routing, where layer after layer of encryption needs to be peeled back like an onion for data to reach its destination. To access the Tor network, users must first download the Tor browser. The Tor browser automatically directs traffic through Tor’s onion routing, allowing users to browse the web with a greater level of anonymity.
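To make the “peel back the layers” description concrete, here is a small teaching model of onion routing written for this article. It is not code from Schultz’s presentation and not Tor’s protocol: the HMAC-SHA256 counter-mode stream cipher, the JSON layer format, the relay names and the shared keys are all constructed for the illustration (real Tor uses different ciphers, circuit construction and cell formats). What it does show is the property that matters for anonymity: each relay can strip exactly one layer, learns only the next hop, and only the exit relay ever sees the payload.

```python
"""Toy onion-routing model (teaching example, not Tor's implementation).

Each relay shares a key with the client. The client wraps the payload in one
encryption layer per relay, innermost (exit) layer first. A relay can remove
only its own layer, revealing the next hop and an opaque inner blob.
"""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (assumption:
    chosen because it needs only the standard library, not for production)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per layer; ciphertext = nonce || plaintext XOR keystream."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def build_onion(path, keys, payload: bytes, destination: str) -> bytes:
    """Wrap `payload` once per relay in `path` (entry -> exit), exit layer first.

    Each layer is JSON {"next": <recipient of the inner blob>, "inner": <hex>}.
    """
    inner = payload
    next_hop = destination
    for relay in reversed(path):
        layer = json.dumps({"next": next_hop, "inner": inner.hex()}).encode()
        inner = encrypt(keys[relay], layer)
        next_hop = relay
    return inner


def peel(relay: str, keys, blob: bytes):
    """Everything a single relay can do: strip its own layer and read the next hop.
    A wrong key yields garbage, which is rejected as ValueError."""
    try:
        layer = json.loads(decrypt(keys[relay], blob))
    except ValueError as exc:  # covers JSONDecodeError and UnicodeDecodeError
        raise ValueError(f"{relay}: layer not addressed to this relay") from exc
    if not isinstance(layer, dict) or "next" not in layer or "inner" not in layer:
        raise ValueError(f"{relay}: layer not addressed to this relay")
    return layer["next"], bytes.fromhex(layer["inner"])


def run_circuit(path, keys, payload: bytes, destination: str):
    """Forward the onion hop by hop and record what each relay learns."""
    blob = build_onion(path, keys, payload, destination)
    previous = "client"
    observations = []
    for relay in path:
        next_hop, blob = peel(relay, keys, blob)
        observations.append({
            "relay": relay,
            "received_from": previous,
            "learned_next_hop": next_hop,
            "can_read_payload": blob == payload,
        })
        previous = relay
    return observations, blob  # after the exit relay, blob is the plaintext payload


# Constructed sample circuit: three relays with deterministic demo keys.
PATH = ["entry", "middle", "exit"]
KEYS = {name: hashlib.sha256(b"demo-key-" + name.encode()).digest() for name in PATH}
PAYLOAD = b"GET /index.html"  # constructed payload
DESTINATION = "hidden-service (placeholder name)"

if __name__ == "__main__":
    seen, delivered = run_circuit(PATH, KEYS, PAYLOAD, DESTINATION)
    for obs in seen:
        print(obs)
    print("delivered to", DESTINATION, ":", delivered)
```

Running the block shows the entry relay learning only that the client talks to “middle”, the middle relay seeing only “entry” and “exit”, and the exit relay holding the payload and destination without knowing the client. That split of knowledge across hops is what the Tor browser relies on, and it is why Schultz’s later point about a consistent cover still applies: the network hides the address, not the behaviour.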

Any site accessible via a regular browser (or found through a search engine like Google or Bing) is also accessible via the Tor browser. “Even Facebook has a Darknet portal,” said Schultz. “It’s actually the site most used on Tor.”

However, when people refer to Tor in the context of the dark web, they are often referring to users who set up their own hidden domains using Tor hidden services. These sites live only on the Tor network (so they must be accessed using the Tor browser) and always end in “.onion.”

Darknet Markets and Beyond

Black markets are perhaps the most well-known type of site to live on the Darknet. All kinds of illegal goods and services are available through these marketplaces, the most notorious of which was Silk Road. Silk Road was primarily used for selling illegal drugs until it was shut down by the FBI in 2013.

“Marketplaces, by definition, want to be found because they want to sell things,” said Schultz. “This makes it quite easy for us to map out this part of the dark web.”

However, marketplaces aren’t the only sites where illegal activity occurs. Schultz explained that there are also sites that are purposely isolated with the intention to remain hidden. For example, those used by hackers and terrorist groups are often hidden.

Many of these covert sites are constantly changing with domains being made and removed all the time. “Be aware that there are also a lot of mirrors,” said Schultz. “There may be seven or eight different versions of a site to mask the real one.”

Although anonymity is always important when browsing the Darknet, it is especially important on these isolated sites. “Always assume you’re being observed,” said Schultz. “The webmasters are almost certainly watching what you’re doing.”

Constructing a Cover

Although it is possible to provoke someone to reveal they’re watching you, Schultz advises that observation detection shouldn’t be the goal. Instead, law enforcement officials should concentrate on deflection. “If there is someone watching you, you want to put them to sleep,” said Schultz.

With the assumption that your movements are always being watched, it’s crucial for law enforcement officials to plan an innocuous surf. The better you understand your target, the better you can construct your operation and cover around it. Schultz highlighted two equally important parts of planning a cover for an innocuous surf:

  1. Cover for status (i.e. who you are and why you’re in a particular place)
  2. Cover for action (i.e. why you’re doing something)

Your cover for action should lead to your cover for status. The key is to create a story that is both plausible and obvious. There is no use in having a good cover if it’s not evident to an observer, so an active effort must be made to manage perceptions.

“Your actions should be constructing a lie path that leads observers to your cover story,” said Schultz. “Make sure your digital fingerprint is consistent and matches the story you’ve created.”

Schultz also warned that a cover will naturally erode over time. So if you’re embarking on a long-term investigation, it’s important that your cover is strong from the start. You will also want to invest more in your cover if the target is a particularly tech-savvy individual, such as another intelligence officer, or if you know you’re going to meet the subject in real life.

Additional Steps

When conducting an investigation, search is often the quickest way to find what you’re looking for, but also the easiest way to reveal that information to an observer. “Be wary of convenient technology,” said Schultz. “Convenient is the opposite of secure.”

If you do need to search for something, it’s important to make sure all your searches lead to your cover for action. Schultz shared several techniques to keep your operational activity clandestine and to aid in search obfuscation:

  • Burying – Execute your operational activity somewhere along a series of benign actions.
  • Associated terms – Search for related terms that you know will bring up the same information.
  • Misdirection (expanding) – Search for a series of things as if you’re looking for something that you can’t find. This can include searching for terms that look like mistakes.
  • Manipulate time to manipulate perception – Spend minimal time on a page of interest to make it seem like you accidentally stumbled upon it. Take screenshots to minimize time.

Schultz also emphasized not to overlook the simplest steps you can take to protect your anonymity. For example, when constructing the architecture for your investigation, there’s no need to add multiple layers of the same protections (e.g. adding a VPN on top of Tor). “Think creatively and don’t overcomplicate it,” said Schultz. “It could be as simple as moving the computer to a location outside of your police department.”

In addition, officers should be aware of the environment they’re operating in. For example, it’s important to keep up to date on website policies. Schultz recalled an investigation on a terrorist group where he failed to realize a website’s regulations regarding profile views. He viewed the profiles of each of the terrorist group members he was investigating and realized his mistake when he was notified that each of them had viewed his own profile in turn.

“You can count on your own human stupidity,” said Schultz. “As investigators, you need to accept that sometimes the best way to clean it up is just to throw it away and start over.”


About Albert Schultz: Albert Schultz is a founder of the discipline of virtual tradecraft and an expert in the human strata of cybersecurity. He served as an Economic Analyst, an Operations Officer, and a contractor for the CIA for 28 years. His overseas work was in Latin America. Albert was also an infantry enlisted member and infantry officer of the Army National Guard and Army Reserve from 1986-1992. He earned an AB in Economics (with Honors) from the University of Chicago and a MSc in Management (with Distinction) from the London Business School’s Sloan Fellows Programme. Albert holds a Top Secret/SCI clearance with a full scope polygraph and background investigation, as well as a Q clearance from the Department of Energy. He speaks fluent Spanish and intermediate Italian. Albert can be reached at albert@kaerusllc.com.

In Public Safety is an American Military University (AMU) sponsored blog that features analysis and commentary on issues relating to law enforcement, emergency management, fire services and national intelligence. This blog features in-depth discussions authored by leading experts with decades of experience in their field. To stay updated on blog posts and other news relevant to these sectors, please follow us on Facebook by “liking” AMU & APUS Public Safety Programs. You can also follow us on our sector-specific Twitter accounts: @AMUPoliceEd, @AMUFireEd, @AMUDisasterEd, @AMUIntelStudies