Digital forensics is the science of recovering and investigating evidence from digital devices. In darknet investigations, forensic analysts work to recover data from encrypted devices, trace cryptocurrency transactions, and reconstruct user activity despite the suspect's attempts at anonymization.
Forensic Process Overview
Evidence Acquisition
Live Acquisition
When a suspect's device is found running, forensic teams prioritize live acquisition:
- RAM capture: Encryption keys often exist only in memory
- Running processes: Active Tor connections, logged-in sessions
- Mounted volumes: Decrypted containers visible while system runs
- Network connections: Active communications
This is why Alexandre Cazes was arrested while his laptop was open and logged in—giving investigators direct access to AlphaBay's backend without needing to crack encryption.
Dead Box Acquisition
When devices are powered off or encrypted:
- Bit-for-bit forensic imaging
- Write blockers to prevent evidence modification
- Hash verification for integrity
- Cold boot attacks for recently shut-down systems (DRAM keeps its contents for seconds to minutes after power loss, longer if the chips are cooled)
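The imaging and hash-verification steps above, as an added example (not code from the original page): the source is read once in a streaming fashion, both MD5 and SHA-256 are computed from the same bytes that are written to the image, and the image is later re-hashed and compared with the acquisition record. The "device" here is a constructed file standing in for a block device; a hardware write blocker is still needed in practice, since opening the source read-only only protects against this program's own writes.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads, as an imaging tool would use


def acquire_image(device_path, image_path):
    """Bit-for-bit copy that hashes the source stream while it is read.
    Returns the acquisition hashes that go into the chain-of-custody record."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(device_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            md5.update(chunk)
            sha256.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    return {"bytes": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_file(path):
    """SHA-256 of a file, read in chunks so large images do not sit in memory."""
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            sha256.update(chunk)
    return sha256.hexdigest()


def verify_image(image_path, record):
    """Re-hash the image; a mismatch means the copy or the evidence was altered."""
    return hash_file(image_path) == record["sha256"]


def demo():
    """Constructed 'device': a 2 MiB file of patterned bytes standing in for /dev/sdb."""
    with tempfile.TemporaryDirectory() as tmp:
        dev = os.path.join(tmp, "sdb")
        img = os.path.join(tmp, "sdb.dd")
        with open(dev, "wb") as f:
            f.write(bytes(range(256)) * 8192)
        record = acquire_image(dev, img)
        ok_before = verify_image(img, record)
        # Simulate a single flipped byte in the image (bad copy or tampering).
        with open(img, "r+b") as f:
            f.seek(1234)
            f.write(b"\x00")
        ok_after = verify_image(img, record)
        return record, ok_before, ok_after


if __name__ == "__main__":
    rec, before, after = demo()
    print(rec, "verified:", before, "after tamper:", after)
```

Recording two independent hashes is the usual practice because it lets the record be checked by tools that only support one of them, and a single-byte change to the image fails verification.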
Encryption Challenges
Full Disk Encryption
Modern full disk encryption (FDE) with a strong passphrase is effectively unbreakable by attacking the cipher itself, so investigators go after the key, the passphrase, or the person instead:
| Approach | Description | Effectiveness |
|---|---|---|
| Live Capture | Dump RAM while the system is running and unlocked; the volume key is in memory | High (if the device is found powered on) |
| Key Disclosure | Legal compulsion to reveal keys or passphrases | Jurisdiction dependent |
| Password Cracking | Brute force or dictionary attacks against the passphrase (FDE key derivation is deliberately slow) | Low for strong passphrases; workable for short or reused ones |
| Evil Maid | With physical access, tamper with the unencrypted boot loader or add a hardware keylogger to capture the passphrase on next use | Requires repeated physical access |
| Cold Boot | Cut power and dump DRAM before the key decays; cooling the chips slows decay | Time-sensitive, unreliable |
Hidden Volumes
VeraCrypt hidden volumes provide plausible deniability: one password opens the outer volume, a second opens a hidden volume stored inside what looks like the outer volume's free space. Because that free space is filled with random data, the container itself cannot prove that a hidden volume exists. What can is evidence from outside it: recent-file lists, thumbnails, or application logs that reference files the outer volume does not contain, or the presence of a large random-looking region with no file system structure on a disk where nothing else explains it.
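A first triage step for "random-looking region with no file system structure" is a block-wise entropy scan of the image. The following is an added example and not code from the original page: it labels each 4 KiB block as zeroed, structured, or random-looking, and merges adjacent blocks of the same class into runs. The sample image is constructed (zeroed slack, a text region, then random bytes standing in for a headerless VeraCrypt container); on a real image the random-looking runs are candidates only, since compressed files and wiped space look the same.

```python
import math
import random

BLOCK = 4096


def shannon_entropy(data):
    """Bits per byte of a block: 0 for constant data, close to 8 for random or encrypted."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(entropy):
    """Coarse label; the thresholds are working values, not a standard."""
    if entropy < 0.5:
        return "zeroed/unallocated"
    if entropy > 7.9:
        return "random-looking (encrypted, compressed or wiped)"
    return "structured data"


def scan_image(image, block=BLOCK):
    """Walk the image block by block and return (start, end, label) runs."""
    runs = []
    for off in range(0, len(image), block):
        label = classify(shannon_entropy(image[off:off + block]))
        if runs and runs[-1][2] == label:
            runs[-1][1] = off + block
        else:
            runs.append([off, off + block, label])
    return [tuple(r) for r in runs]


def build_sample_image():
    """Constructed image: 16 KiB zeros, 16 KiB text, 16 KiB random bytes."""
    rng = random.Random(42)
    zeros = bytes(BLOCK * 4)
    text = (b"Invoice 2023-11 for consulting services rendered.\n" * 400)[:BLOCK * 4]
    blob = bytes(rng.getrandbits(8) for _ in range(BLOCK * 4))
    return zeros + text + blob


if __name__ == "__main__":
    for start, end, label in scan_image(build_sample_image()):
        print(f"{start:#010x}-{end:#010x} {label}")
```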
Tor Forensics
Artifacts on User Systems
Even when using Tor, systems may retain evidence:
# Browser Artifacts
- Cached pages and history (Tor Browser keeps these off disk; a regular browser routed through Tor does not)
- Downloaded files
- Screenshots or screen recordings
# System Artifacts
- Prefetch files (Windows)
- Application logs
- Thumbnails of viewed images
- Swap/pagefile contents
- Memory dumps
# Why Tails matters
- Runs in RAM only
- No persistent storage by default
- Secure memory wipe on shutdown
Blockchain Forensics
Cryptocurrency forensics has become a specialized field:
Analysis Techniques
Clustering
Identifying addresses controlled by the same entity through heuristics such as common-input ownership (all inputs to one transaction are assumed to be spent by the same wallet) and change-address detection.
Flow Analysis
Tracing funds through multiple transactions to exchanges where identity is known.
Tagging
Labeling addresses with known attribution (exchanges, markets, etc.).
Pattern Analysis
Identifying mixing services, timing patterns, and behavioral signatures.
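The clustering, flow analysis and tagging techniques above, worked through on a constructed transaction graph. This is an added example, not code from the original page or from any of the vendors named below: the transactions, addresses and the "ExchangeFoo" tag are made up. Clustering uses union-find over the common-input-ownership heuristic, flow analysis is a breadth-first walk along spends until an attributed address is reached, and tagging propagates attribution to whole clusters, so an address that never sent funds to the exchange itself (A3) is still linked to it through its cluster.

```python
from collections import deque

# Constructed transaction graph (not real chain data): each tx lists the
# addresses it spends from and the addresses it pays to.
TXS = [
    {"txid": "tx1", "inputs": ["A1", "A2"], "outputs": ["B1"]},
    {"txid": "tx2", "inputs": ["A2", "A3"], "outputs": ["B2", "A4"]},
    {"txid": "tx3", "inputs": ["B1"], "outputs": ["X1"]},
    {"txid": "tx4", "inputs": ["C1"], "outputs": ["C2"]},
    {"txid": "tx5", "inputs": ["X1", "X2"], "outputs": ["X3"]},  # exchange sweep
]
# Constructed attribution: one known deposit address of a hypothetical exchange.
TAGS = {"X1": "ExchangeFoo deposit"}


def cluster_inputs(txs):
    """Common-input-ownership heuristic: all inputs of one tx are assumed to be
    controlled by the same entity; union-find merges them into clusters."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for tx in txs:
        roots = {find(a) for a in tx["inputs"]}
        root = min(roots)
        for r in roots:
            parent[r] = root
    groups = {}
    for addr in list(parent):
        groups.setdefault(find(addr), set()).add(addr)
    return {frozenset(g) for g in groups.values()}


def trace_to_tagged(txs, start, tags):
    """Flow analysis: breadth-first walk from an address along spends until a
    tagged (attributed) address is reached. Returns (path, tag) or (None, None)."""
    spends = {}
    for tx in txs:
        for a in tx["inputs"]:
            spends.setdefault(a, []).append(tx)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        addr = path[-1]
        if addr in tags:
            return path, tags[addr]
        for tx in spends.get(addr, []):
            for out in tx["outputs"]:
                if out not in seen:
                    seen.add(out)
                    queue.append(path + [tx["txid"], out])
    return None, None


def tag_clusters(clusters, tags):
    """Propagate an address tag to every address in its cluster."""
    return {c: {tags[a] for a in c if a in tags} for c in clusters
            if any(a in tags for a in c)}


def cluster_exposure(txs, clusters, tags):
    """Which clusters can be linked to an attributed address through any member."""
    exposed = {}
    for cluster in clusters:
        for addr in sorted(cluster):
            path, tag = trace_to_tagged(txs, addr, tags)
            if path:
                exposed[cluster] = (path, tag)
                break
    return exposed


if __name__ == "__main__":
    clusters = cluster_inputs(TXS)
    print("clusters:", [sorted(c) for c in clusters])
    print("tagged:", {tuple(sorted(c)): t for c, t in tag_clusters(clusters, TAGS).items()})
    for c, (path, tag) in cluster_exposure(TXS, clusters, TAGS).items():
        print(sorted(c), "->", " > ".join(path), f"({tag})")
```

The change-address heuristic mentioned above is deliberately left out; it is far less reliable than common-input ownership and is where most clustering errors come from in practice.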
Major Forensics Companies
- Chainalysis: Market leader, used by most US agencies
- Elliptic: UK-based, strong European presence
- CipherTrace: Acquired by Mastercard
- Blockchain Intelligence Group: QLUE platform
Network Forensics
Traffic Analysis
Even encrypted traffic reveals metadata:
- Timing correlations between entry and exit nodes
- Packet size patterns
- Connection timing and duration
- Volume analysis
Traffic Confirmation Attacks
An adversary who can observe or control both the entry and the exit of a circuit can correlate packet timing and volume at the two ends to link a user to a destination. This end-to-end traffic confirmation is explicitly outside Tor's threat model: Tor defends against an observer who sees only one end of the path, not against a global or otherwise well-resourced adversary watching both, and the attack has been demonstrated in research rather than being merely theoretical.
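The correlation described above, as an added example that is not part of the original page: packet timestamps seen at the entry side and at the exit side are binned into packet-count time series, and each entry-side flow is paired with the exit-side flow whose series correlates best over a small range of lags (the network delay is unknown to the adversary). All traffic is constructed: bursty synthetic client flows, delayed by 300 ms with 10 ms of Gaussian jitter on the exit side, and presented to the adversary in a different order.

```python
import random
from math import sqrt

BIN = 0.1          # seconds per bin
MAX_LAG = 10       # search network delays of up to 1 s
DURATION = 60.0    # seconds of observation


def synth_flow(rng, mean_gap=2.0):
    """Constructed bursty client traffic: a list of packet timestamps in seconds."""
    ts, t = [], 0.0
    while True:
        t += rng.expovariate(1.0 / mean_gap)
        if t >= DURATION:
            return ts
        ts.extend(t + rng.random() * 0.03 for _ in range(rng.randint(2, 12)))


def through_network(rng, ts, delay=0.3, jitter=0.01):
    """What the exit side sees: the same packets, delayed with small jitter."""
    return [t + delay + rng.gauss(0.0, jitter) for t in ts]


def to_series(ts):
    """Packets per bin; a little slack at the end absorbs the lag search."""
    n = int(DURATION / BIN) + MAX_LAG + 1
    counts = [0] * n
    for t in ts:
        i = int(t / BIN)
        if 0 <= i < n:
            counts[i] += 1
    return counts


def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / sqrt(sxx * syy) if sxx and syy else 0.0


def best_lag_corr(entry, exit_):
    """Highest correlation over candidate delays, entry[k] against exit[k + lag]."""
    best = (0.0, 0)
    for lag in range(MAX_LAG + 1):
        c = pearson(entry[:len(entry) - lag], exit_[lag:])
        if c > best[0]:
            best = (c, lag)
    return best


def match_flows(entry_flows, exit_flows):
    """Traffic confirmation: pair each entry-side flow with the exit-side flow
    whose packet-count series correlates best. Returns (i, j, corr, delay_s)."""
    es = [to_series(f) for f in entry_flows]
    xs = [to_series(f) for f in exit_flows]
    matches = []
    for i, e in enumerate(es):
        scores = [best_lag_corr(e, x) for x in xs]
        j = max(range(len(xs)), key=lambda k: scores[k][0])
        corr, lag = scores[j]
        matches.append((i, j, round(corr, 3), round(lag * BIN, 1)))
    return matches


def demo():
    """Three constructed users; the adversary sees their exit flows in shuffled order."""
    rng = random.Random(2024)
    entry = [synth_flow(rng) for _ in range(3)]
    order = [2, 0, 1]  # exit flow j carries entry flow order[j]
    exit_ = [through_network(rng, entry[k]) for k in order]
    return match_flows(entry, exit_), order


if __name__ == "__main__":
    matches, order = demo()
    for i, j, corr, delay in matches:
        print(f"entry {i} -> exit {j} (true: {order.index(i)})  corr={corr}  delay~{delay}s")
```

Encryption does nothing against this: only packet timing and counts are used. Padding and traffic shaping raise the cost, but with enough observation time the correlation of a real pair still stands out against unrelated flows, which is why Tor does not claim to resist it.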
Mobile Forensics
Extraction Levels
| Level | Description | Data Access |
|---|---|---|
| Logical | Backup-style extraction | User-accessible data |
| File System | Full file system access | More data including some deleted |
| Physical | Bit-for-bit imaging | All data including deleted |
| Chip-off | Desolder the flash chip and read it directly | Bypasses the device's OS and lock screen, but on modern phones yields ciphertext without the hardware-bound keys |
Tools
- Cellebrite UFED: Industry standard for mobile extraction
- GrayKey: iPhone-focused; brute-forces passcodes and extracts data by exploiting the device rather than breaking the encryption itself
- Oxygen Forensic: Cross-platform mobile analysis
Forensic Tools
Open Source
- Autopsy: Digital forensics platform
- Volatility: Memory forensics framework
- Sleuth Kit: File system analysis
- Wireshark: Network packet analysis
Commercial
- EnCase: Enterprise forensics suite
- FTK: Forensic Toolkit by AccessData
- X-Ways Forensics: Forensics suite built on the WinHex hex and disk editor
- Magnet AXIOM: Cross-platform analysis