Spyder Forensics Dark Web Host-Based Forensics

40 Hours / 5-Days
The Dark Web Host-Based Forensics course offers expert-level training over the span of a week, tailored for digital forensic examiners who handle cases involving the Dark Web and Cryptocurrency.

Course Overview



Delve into the world of Tor, I2P and Freenet

During this course, participants will gain a detailed understanding of the software used to access the Dark networks and what data persists from its usage. Utilizing various techniques and forensic applications, participants will learn how to recognize the presence of Dark Web tools on multiple platforms and how to extract the relevant information. Topics covered include deciphering Tor Browser artifacts on Windows®, Android and iOS, identifying and extracting Tor Browser activity from memory, a forensic look at I2P and Freenet artifacts found on a Windows® device, and decoding popular cryptocurrency wallets. Additionally, students will learn methodologies to identify Dark Web and Cryptocurrency activity through the use of RegEx.

Course Modules:

Forensic Analysis of Tor Browser Artifacts

  • Introduction to the Tor Browser on Windows® Devices
  • Examine the artifacts associated with the installation of the Tor Browser
  • Extracting User Bookmark Information
    • Bookmark Backups
    • Places.sqlite
  • Identifying Tor Browser Activity from Windows Timeline
  • RegEx Searching Onion Addresses

Tor Browser Usage Artifacts from Memory

  • Introduction to HTTP Requests and Responses
  • Identifying HTTP Requests and Responses in Memory
  • Data Carving HTML pages from Memory
  • Data Carving Graphics from Memory

PGP Artifacts

  • Introduction to PGP Encryption
  • Identifying PGP Artifacts using RegEx
  • Extracting information from PGP keys

Forensic Analysis of I2P Artifacts

  • Introduction to I2P on Windows® Devices
  • Examine the artifacts associated with the installation of I2P and I2Peasy
  • Learn the function of the I2P Address book and how to extract information from it
  • Identifying I2P Browsing History
  • RegEx Searching I2P Addresses

Forensic Analysis of Freenet Artifacts

  • Introduction to Freenet on Windows® Devices
  • Examine the artifacts associated with the installation of Freenet
  • Extracting Freenet usage information
    • Freenet Bookmarks
    • Upload/Download History
  • Understanding the Node to Node Text Messaging System (N2NTM)
    • Decoding the N2NTM artifacts
  • Identifying Freenet Browsing History
  • RegEx Searching Freenet Keys

iOS Tor Applications

  • Introduction to Tor applications on iOS devices
  • Decoding the OnionBrowser Application
  • Decoding the RedOnion Application
  • Extracting Connection information from Orbot

Android Tor Applications

  • Introduction to Tor applications on Android devices
  • Decoding the Tor Browser Application
  • Decoding the OrNet Application
  • Extracting Connection information from Orbot

Cryptocurrency Artifacts

  • Introduction to popular Windows® Desktop Wallets
  • Identifying and extracting wallet information
    • Electrum
    • Exodus
    • Bitpay
    • Wasabi
  • Introduction to Trezor and Ledger Hardware Wallets
  • Identifying the use of Hardware cryptocurrency wallets
  • Extracting Hardware wallet information from their setup applications
    • Decoding Trezor Suite
    • Decoding Ledger Live


To get the most out of this class, you should:

  • Have 12 months' experience in forensic examinations
  • Have attended Spyder Forensics Foundations training or a similar program
  • Have a fundamental understanding of SQLite, LevelDB, Binary Plists, HTML and JSON files
  • Be familiar with Dark Web Investigations

Request the Syllabus

Contact Spyder Forensics for more details of the course.

Hosting Courses

If you are interested in hosting this or any of our courses at your facility, contact us.