ADF | Best Digital Forensic News | Computer and Mobile Forensics

Find Anti-Forensic and Dark Web Traces with ADF Triage Software

Written by Richard T. Frawley | Sep 17, 2021 5:58:47 PM

With ADF forensic triage products, including Digital Evidence Investigator, Triage-Investigator, and Triage-G2, an investigator can quickly find Dark Web traces. This can be done in Quick Profiles, but in this video Rich Frawley shows how to use an Intermediate Profile to triage a suspect machine and identify Dark Web traces. These can be found in ADF's Anti-Forensic Traces Capture.

In this video, Rich shows investigators how to locate relevant evidence. Select Anti-Forensic Traces to see the keywords that were run. You'll see hits on:

  • Files
  • Browsing History
  • Form Data
  • Installed Applications
  • Recent Files
  • Search Terms 

Rich also shows how to locate dark web traces such as the TOR Browser, showcasing how ADF finds:

  • Files
  • Application Usage
  • Browsing History
  • Recent Files

In this video, you can see that the suspect did some browsing to research and find the TOR Browser, and you'll see how the suspect downloaded the .exe and started the TOR Browser. The ADF software shows the time the TOR Browser was run, which takes the investigator to the timeline and helps tie the user to the activities. These can be very good indicators to help the examiner continue to work the case.

ADF makes an inventory of every file and folder on the device an investigator scans, so every file and folder is listed. In the Summary, investigators can see:

  • Application Usage
  • Cloud Storage Files
  • Cloud Storage Traces
  • Installed applications
  • Remote Access Traces
  • Social Media Traces

If there are other applications that you want to look for, an Examiner can set up a Custom Search Profile by creating a new forensic Search Profile or by copying an existing Search Profile, then adding keywords one by one or importing a new list of keywords. Keywords can be searched by File and Folder Names, by Files Content and Metadata, or by Artifact Records from Other Captures.
