Date: 04/03/2023
Lecture 20: Overview of Open Source Intelligence,
Deep Web & Dark Web
Understanding Surface Web, Deep Web and Dark Web:
1 “The internet has two building blocks: “Surface Web” and “Deep Web”. We
are already aware of websites like Amazon, Wikipedia, Facebook, YouTube,
etc. These sites come under the Surface Web that can be indexed by search
engines like Google, Bing, Yahoo, etc. The Surface web is well-known as
“Visible Web”. But this is not all about the internet. The Surface web is
the compact section of the Internet that’s 4% of the internet which can
be accessed by the general public. The surface web has enormous
information and it is legal. Far away from these websites, some sites are
hidden and not available to the common public that is 96% of the Internet.” 2
Figure 1 The Layers of the Web – Surface Web, Deep Web and Dark Web
1 https://ifflab.org/the-layers-of-the-web-surface-web-deep-web-and-dark-web/
© 2023, All rights reserved, NeGD MeitY
The box describes different components involved in search engines 3, 4:
How do search engines work?
1. Crawling: Crawling is the process through which the search engine
rummages the content on the world wide web: websites old and new, articles,
product sheets, images, links, etc. Search engines use crawlers (also called
bots or spiders) that, through specific algorithms, decide which websites
to scan and how often. The crawler discovers new content by identifying and
recording every link it finds on the scanned pages and then puts them in a
list of to-be-crawled URLs.
2. Indexing: Once it has extracted the page content, the crawler will put it
on the index of the visited pages and organizes all the information. The
information is then used to measure the relevance of the page compared to
similar ones.
3. Ranking: While the two previous activities are the “behind the scenes” of
the work of search engines, ranking is the most evident one. Once a user
enters a keyword on the search bar, the search engine will search on its
index the pages that match the search query. Then it gives to these pages a
score calculated out of several ranking factors. Search Engine Result Page
(SERP) are web pages served to users when they search for something online
using a search engine, such as Google.
Box 1 How does Search Engine Works?
2 https://www.researchgate.net/publication/341420503_The_Dark_Web_A_Dive_Into_the_Darkest_Side_of_the_Internet
3 https://www.seotesteronline.com/blog/seo-basics/crawling-indexing-ranking/
4 https://www.wordstream.com/serp
So when you develop a web page, you can program it so that it is not
searched by any search engine. There are certain meta tags that, if you add
them to your website, make search engines like Google and Bing stop. They
will not look into your website as soon as they see that tag. Not all search
engines will do it, but most of the popular search engines, on reading that
particular tag, will stop and will not index your website. So such data is
already available there, but we do not know it. It is not indexed. Such data
is available on what we call the Deep Web.
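The meta-tag mechanism described above, as an added example that is not part of the original lecture notes: a small checker that reports whether a compliant crawler would leave a page out of its index, based on the standard robots meta tag and the X-Robots-Tag response header. The sample pages, the header values and the function names are constructed for illustration.

```python
from html.parser import HTMLParser

BLOCKING = {"noindex", "none"}   # "none" is shorthand for "noindex, nofollow"
# Directives that carry their own "name: value" and are not crawler names.
VALUE_DIRECTIVES = {"unavailable_after", "max-snippet",
                    "max-image-preview", "max-video-preview"}

# Constructed sample pages (not taken from any real site).
LOGIN_PAGE = """<html><head><title>Account login</title>
<META NAME="Robots" CONTENT="NOINDEX, nofollow">
</head><body>...</body></html>"""
PUBLIC_PAGE = """<html><head>
<meta name="description" content="noindex is discussed here">
<meta name="robots" content="index, follow"></head></html>"""
BING_ONLY = '<meta name="bingbot" content="none" />'


def split_directives(content):
    """'NOINDEX, nofollow' -> {'noindex', 'nofollow'}"""
    return {part.strip().lower() for part in content.split(",") if part.strip()}


class MetaCollector(HTMLParser):
    """Collects the content of every <meta name=... content=...> tag."""

    def __init__(self):
        super().__init__()
        self.by_name = {}        # lower-cased meta name -> set of directives

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {key: (value or "") for key, value in attrs}
        name = attr.get("name", "").strip().lower()
        if name and "content" in attr:
            self.by_name.setdefault(name, set()).update(
                split_directives(attr["content"]))


def header_directives(value, crawler):
    """Directives in one X-Robots-Tag value that apply to `crawler`."""
    head, colon, rest = value.partition(":")
    agent = head.strip().lower()
    scoped = (bool(colon) and agent != "" and " " not in agent
              and "," not in agent and agent not in VALUE_DIRECTIVES)
    if scoped:                   # form "googlebot: noindex"
        return split_directives(rest) if agent == crawler else set()
    return split_directives(value)


def indexing_verdict(html, headers=None, crawler="googlebot"):
    """Return (indexable, reasons) as a compliant crawler would decide."""
    crawler = crawler.lower()
    collector = MetaCollector()
    collector.feed(html)
    reasons = []
    # The generic "robots" name applies to every crawler; a crawler's own
    # name applies only to that crawler.
    for name in ("robots", crawler):
        hit = collector.by_name.get(name, set()) & BLOCKING
        if hit:
            reasons.append(f"meta[{name}]: {', '.join(sorted(hit))}")
    for key, value in (headers or {}).items():
        if key.lower() == "x-robots-tag":
            hit = header_directives(value, crawler) & BLOCKING
            if hit:
                reasons.append(f"X-Robots-Tag: {', '.join(sorted(hit))}")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(indexing_verdict(LOGIN_PAGE))
    print(indexing_verdict(PUBLIC_PAGE))
    print(indexing_verdict(BING_ONLY, crawler="bingbot"))
```

The verdict only describes what a crawler that honours the tag will do; the page itself stays reachable by anyone who has its URL.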
“This uncommon space is where the Deep Web exists. As validation is
compulsory to access the data like net-banking or private accounts.
Websites on the “Hidden Web” provides confidentiality to the users. If these
websites are indexed then anyone can access the data by searching your
name and the personal information will be revealed to the people.
Validation secured pages are unindexed to maintain the confidentiality.
These websites can be accessed with the verification on the Deep web.
Dark Web is a small fraction of the Deep web. Dark Web is also known as
“Invisible Web”. Dark Web cannot be accessed by the general public.
There are approximately 45,000 Dark web sites that are 0.01% of the
Internet.
The Dark web is the hidden content of the WWW (World Wide Web) which
subsists on the Deep Web. It uses the Internet but requires special software,
authorization, configurations, etc. to access. It provides confidentiality and
these are not indexed by the web search engines. Dark Web can only be
accessed by special anonymous software installed in browsers like TOR
(The Onion Router), Subgraph, Waterfox, I2P (Invisible Internet Project),
etc. It is an image of the Surface Web. This encrypted internet allows both
great and terrible entertainers to work secretly. It is an actuality for the
purchasers and trade. TOR is the easiest way to browse the dark web. It may
be used for legal as well as illegal activities. Legal uses include freedom
of speech to the reporters and informers, the exchange of data globally
with privacy and illegal uses of dark web include dealing with drugs, stolen
credit card details and betting, etc.
There is a misconception that the Deep web is the same as the Dark web but
these are two different things. The deep web is unindexed and not
accessible through the common search engines to provide the security of the
user, while the dark web is a small portion of the deep web which is
intentionally unindexed to provide the anonymity to the user. Dark web can
only be used with the help of a mysterious browser.”5 The following table
shows the difference between Deep web and Dark web:
Table 1 Difference Between Deep Web and Dark Web6
Characteristics | Deep Web | Dark Web
Basic | Deep web is a huge set of hidden websites whose matter is not a segment of Surface Web. | The Dark Web is a portion of Deep Web that's not synchronized and IP address are purposely concealed.
Access | It can be retrieved through an acceptable username or credentials and using common search engines | It can only be retrieved with the help of specific software or where IP addresses are not locatable.
Involves | All pages that are not indexed | It is a section of undirected pages within deep web
Portion of Internet | It accounts for 96% of the internet | It accounts for 0.05% of the internet.
Usage | It is used for legal activities that require privacy | It may be used for either legal or illegal activities
Who utilizes it | Reporters, Informers, etc. | Dealers of illicit trade
Other general differences are given in the table below:
S.No | Deep Web | Dark Web
1 | The deep web is a segment of the internet (WWW) whose material is not indexed by common search engines. | The material on darknets or overlay networks that use the Internet but need particular software, setups, or authorization to access, is known as the “dark web”.
2 | In contrast to the Surface Web, the Deep Web is the portion of the Internet that is invisible to the unaided eye | One of the biggest criminal and terrorist networks in the world is connected through the Dark Web
3 | The typical search engines do not index the material. | Only private encrypted networks or peer-to-peer setups, may access the content.
4 | A massive collection of websites that are hidden | Unregulated web sites whose IP addresses are purposefully concealed
5 | A legitimate account and password as well as typical search engines can be used to access it. | Only specific and specialized software is needed to access it.
6 | Deep Web refers to systems or websites that require authentication in order to log in. | The Deep Web's architecture supports or depends on the Dark Web
7 | Its access is not browser specific | Its access is browser specific like TOR, I2P, Freenet, etc.
8 | Due to the Deep Web's open nature, it is quite easy to measure it accurately. The deep web has 400-500 times as much publicly accessible data as the surface web | The size and scope of the dark web cannot be accurately measured
5 https://www.researchgate.net/publication/341420503_The_Dark_Web_A_Dive_Into_the_Darkest_Side_of_the_Internet
6 https://www.researchgate.net/publication/341420503_The_Dark_Web_A_Dive_Into_the_Darkest_Side_of_the_Internet
Pros and Cons of Deep Web and Dark Web:
Pros | Cons
Privacy | Illegal Activities (Ex- Sale of firearms, terrorism etc.)
Freedom of Expression (Ex- Whistleblowers, Journalist Collaboration etc.) | Unregulated Content and Market places (Ex- Child porn)
Access to additional information (Ex- research papers, articles etc.) | Difficulty in Navigation & Access
Navigating the Deep Web:
The deep web can be navigated using “Dogpile” and the “WWW Virtual Library”.
The following steps are involved:
1. Visit the search engine
2. Refine your search results
3. Evaluate the search results
4. Follow up on leads
The WWW Virtual Library (www.vlib.org)
If you type this address in your browser, the website will open. This is a
manually curated web portal that holds a lot of information about deep web
websites and articles that have been specifically curated. What you find here
is not necessarily absent from the surface net; many of the things will also
be available there. A secondary benefit is that you can be assured that
whatever is made available on this particular portal is very authentic. You
can rely on this information.
Dogpile
Dogpile is not a direct index like the Virtual Library. Whenever you search
anything on Dogpile, it searches that particular keyword on all of the top
search engines simultaneously in the background. It then curates the results
itself and tries to give you the results from all of those searches. However,
we have to make sure that we follow these steps:
1. Visit the search engine
2. Refine your search results
3. Evaluate the search results
4. Follow up on leads
The first step is to visit the search engine, as we did with the Virtual
Library. The second, very important, step is that you need to look at and
refine the searches yourself. It is not Google, Bing or Yahoo, which is going
to give you only the content from top-rated or most-visited websites and all
that stuff. So, you have to be very, very sure about. Then the third step is
that you have to evaluate the results yourself again: check whether all the
proper results have appeared, whether the material looks authentic, and
whether you want to search more terms to go deeper. Then you have to follow
the leads that you have. So, this is how you go through it.
Navigating the Dark Web:
Talking specifically about the dark web, it is only accessible through Tor
browsers. You cannot navigate darknet or onion websites from your regular
web browsers. The extension will always be “.onion”: the address is going to
be some random alphanumeric string followed by a “.onion” extension. That is
how you know that it is a dark web website. So, suppose this (as shown in the
figure above) is your computer; what you have to do is connect to the
internet. However, you need to make sure that you are connecting through a
VPN. There are several VPNs in the market which are free, and there are many
VPNs which are paid (always buy a VPN, do not use free VPNs).
Once you are connected to a VPN, do not straight away go to the websites
which are risky. After that, open a Tor browser and connect to the Tor
network. Once you are connected to the Tor network, you will be able to
access the dark web.
There are many malicious links that can backtrack you. So, always use a
VPN, never use Tor directly.
Figure 2 TOR network7
7 https://ieeexplore.ieee.org/document/7475027
“For anonymous communication anonymity over computer/internet is
provided by Onion Routing (OR). Messages are encrypted and then forwarded
to nodes known as onion routers. A header is peeled and the instructions for
routing to next router are performed. This process occurs in repetition. No
any nodes or intermediate node knows where the message is being passed
send or received [18]. There are three nodes/relays in Tor i.e. entry node,
middle node, exit node. As a communication system, there are four basic
components in Tor i.e. sender, receiver, onion routers and directory servers.”8
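The layer-peeling described in the quoted passage, as an added example that is not part of the original notes and not Tor's own code: the sender wraps a message once per relay, and each relay removes one layer and learns only its next hop. A SHA-256 keystream XOR stands in for Tor's real per-hop encryption, and the relay names, keys, destination and message are constructed.

```python
import hashlib


def keystream_xor(key, data):
    """Toy stream cipher (stand-in only): XOR with a SHA-256 counter keystream.
    Applying it twice with the same key restores the input."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def wrap(key, next_hop, inner):
    """Add one layer: header (length + next hop) and inner blob, encrypted."""
    hop = next_hop.encode()
    return keystream_xor(key, bytes([len(hop)]) + hop + inner)


def peel(key, blob):
    """Remove one layer: returns (next hop, remaining blob)."""
    plain = keystream_xor(key, blob)
    size = plain[0]
    return plain[1:1 + size].decode("utf-8", "replace"), plain[1 + size:]


def build_onion(path, destination, message):
    """Sender side: encrypt for the exit first, the entry last."""
    blob, next_hop = message, destination
    for name, key in reversed(path):
        blob = wrap(key, next_hop, blob)
        next_hop = name
    return blob                       # handed to the first relay in the path


def route(path, onion, message, sender="client"):
    """Relay side: record what each relay can observe while forwarding."""
    views, blob, prev = [], onion, sender
    for name, key in path:
        next_hop, blob = peel(key, blob)
        views.append({"relay": name, "prev_hop": prev, "next_hop": next_hop,
                      "payload_visible": message in blob})
        prev = name
    return views, blob


# Constructed three-hop path: one key shared between the sender and each relay.
PATH = [(name, hashlib.sha256(b"constructed-key-" + name.encode()).digest())
        for name in ("entry", "middle", "exit")]
DESTINATION = "dest.example:80"
MESSAGE = b"GET /index.html HTTP/1.1"

if __name__ == "__main__":
    views, delivered = route(PATH, build_onion(PATH, DESTINATION, MESSAGE), MESSAGE)
    for view in views:
        print(view)
    print(delivered)
```

Only the entry relay sees the sender and only the exit relay sees the destination; the exit also sees the payload itself unless the application adds its own end-to-end encryption.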
The second alternative to it is I2P eepsites. I2P is a completely private
network which is maintained by volunteers. Until late, over 50,000 devices
are part of this network and it is dispersed across all of the countries.
Anyone can use his own computer to host a site as a part of I2P, and these
sites are called eepsites. They do not call it a website. They call it an
eepsite.
What is I2P?
The Invisible Internet Project (I2P) is a fully encrypted private network
layer. It protects your activity and location. Every day people use the
network to connect with people without worry of being tracked or their data
being collected. In some cases people rely on the network when they need to
be discrete or are doing sensitive work.
“An eepsite is a website that is hosted anonymously, a hidden service which is
accessible through your web browser. It can be accessed by setting your web
browser’s HTTP proxy to use the I2P web proxy (typically it listens on
localhost port 4444), and browsing to the site.”9, 10
8 https://ieeexplore.ieee.org/document/7475027
9 https://geti2p.net/en/faq#eepsite
10 https://mhatta.medium.com/how-to-set-up-untraceable-websites-eepsites-on-i2p-1fe26069271d
Figure 3 I2P network11
12 “The idea of tunneling is introduced in I2P, outbound tunnel and inbound
tunnel one send messages away from the tunnel creator, while other tunnels
bring messages back to the tunnel creator. The sender client makes up an
outbound tunnel, and the receiver server makes up an inbound tunnel. The
sender/client adds instructions to her encrypted message and the endpoint
of the outbound tunnel decrypts the message. It contains instructions to
forward the message to the correct inbound gateway server. For end to end
communications between clients and servers to achieve, the concept of
“garlic encryption” is developed, which wraps up multiple messages into a
single “garlic message” of a client router. By encrypting on a particular
public key, that intermediary peers cannot determine the client/server site
and where the message is destined. An I2P important fact is that its
mechanism is message based and data lost happens in transportation.”13
11 https://ieeexplore.ieee.org/document/7475027
12 http://nekhbet.com/i2p_links.shtml
Table 2 Comparison between TOR and I2P14
Features | Tor | I2P
User base | Much Bigger | Small
Visibility in academic community | Much more visibility | Less Visibility
Scalability | Much better | Less
Funding | Significant | Less
Developers | Much more | Less
Paid or funded | Much more | Less
Vulnerability from DOS attacks | More Vulnerable | Less Vulnerable
Number of exit nodes | Large number of exit nodes | Less number of exit nodes
Documentation | Well documented | Poorly Documented
Website | Better | Good
Documentation in different languages | Available | Not available
Memory usage | More efficient | Inefficient
Bandwidth overhead | Very low | Very high
Centralized/distributed control | Centralized | Distributed
Vulnerable to Sybil attack | Yes | No
Throughput | Higher | Lower
Latency | Low | High
Software/language | C | Java
Nodes selection criteria | Trusting claimed capacity | Continuously profiling and ranking performance
Directory servers/flood fill peers | Trusted and hard coded | Varying and un-trusted
Packet/circuit switched | Circuit switched | Packet switched
Uni/bi directional | Bi directional circuit | Uni directional tunnel
Protecting against detecting client activity | Less protected | Much protected
Life of tunnels/circuits | Long lives | Short lives
TCP/UDP transport | TCP | Both TCP/UDP
13 https://ieeexplore.ieee.org/document/7475027
14 https://ieeexplore.ieee.org/document/7475027
Dark web/Dark net forensics:
From a forensic point of view, suppose you have raided a crime scene and you
think that Tor was being used there. There are several ways in which you can
at least establish which of the computers was used to navigate Tor websites,
out of which 3 are mentioned below:
Command Prompt:
On the suspect computer, you can quickly pull up the command line and type
the command:
netstat -ano
If you type this, you will find certain localhost instances where the
connection is established on particular ports, for example:
These are some of the ports (such as port 8336); if the output shows that a
connection is established on these particular ports, then you can be sure
that Tor was being used here a few minutes ago. When TOR browser is installed
on a Windows PC, it connects to TOR nodes via port 9150, 9151. However, these
entries are usually present on the computer only for five to six minutes.
After that, they vanish. You will not be able to trace them once the Tor
browser has been closed for five to six minutes.
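One way to triage saved `netstat -ano` output for the loopback ports named above, as an added example that is not part of the original notes: it parses the English-language Windows output format and lists the connections and PIDs tied to ports 9150 and 9151 (Tor Browser's local SOCKS and control ports). The sample output, PIDs and addresses are constructed.

```python
from typing import NamedTuple, Optional

TOR_BROWSER_PORTS = frozenset({9150, 9151})      # ports named in the notes
LOOPBACK = frozenset({"127.0.0.1", "[::1]"})

# Constructed sample of `netstat -ano` output (not from a real machine).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    127.0.0.1:9150         0.0.0.0:0              LISTENING       7312
  TCP    127.0.0.1:9151         127.0.0.1:50213        ESTABLISHED     7312
  TCP    127.0.0.1:50213        127.0.0.1:9151         ESTABLISHED     6108
  TCP    127.0.0.1:50190        127.0.0.1:9150         TIME_WAIT       0
  TCP    192.168.1.20:50301     203.0.113.7:9150       ESTABLISHED     4020
  TCP    [::1]:49670            [::]:0                 LISTENING       900
  UDP    0.0.0.0:5353           *:*                                    2140
"""


class Conn(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]
    state: str
    pid: int


def split_endpoint(text):
    """'127.0.0.1:9150' -> ('127.0.0.1', 9150); '*:*' -> ('*', None)."""
    host, _, port = text.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(output):
    """Parse the connection rows; headers and malformed rows are skipped."""
    conns = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP":
            proto, local, remote, state, pid = fields
        elif len(fields) == 4 and fields[0] == "UDP":   # UDP rows have no state
            proto, local, remote, pid = fields
            state = ""
        else:
            continue
        local_ip, local_port = split_endpoint(local)
        remote_ip, remote_port = split_endpoint(remote)
        if local_port is None or not pid.isdigit():
            continue
        conns.append(Conn(proto, local_ip, local_port,
                          remote_ip, remote_port, state, int(pid)))
    return conns


def tor_indicators(conns, ports=TOR_BROWSER_PORTS):
    """Return (pid, port, state, side) for loopback TCP rows on `ports`."""
    hits = []
    for c in conns:
        if c.proto != "TCP":
            continue
        if c.local_ip in LOOPBACK and c.local_port in ports:
            hits.append((c.pid, c.local_port, c.state, "local"))
        elif c.remote_ip in LOOPBACK and c.remote_port in ports:
            # Closed connections linger in TIME_WAIT and are shown with PID 0.
            hits.append((c.pid, c.remote_port, c.state, "remote"))
    return hits


def pids_of_interest(conns, ports=TOR_BROWSER_PORTS):
    return sorted({hit[0] for hit in tor_indicators(conns, ports)})


if __name__ == "__main__":
    for hit in tor_indicators(parse_netstat(SAMPLE_NETSTAT)):
        print(hit)
```

A port match on a non-loopback address (PID 4020 in the sample) is deliberately not reported, and the reported PIDs still need to be resolved to process names, for example with `tasklist`, before drawing conclusions.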
Windows registry
When the Tor browser is installed on a Windows system, the user activity is
stored in the Windows Registry. In the following Registry entry, forensic
investigators can find the path from which the TOR browser is launched:
HKEY_USERS\<SID>\SOFTWARE\Mozilla\Firefox\Launcher
You navigate to Mozilla, Firefox and then Launcher. Now, why Firefox?
Because Tor is built over Mozilla Firefox. So, in the registry it will
always show the instance under Mozilla Firefox and then the Launcher folder.
If you see the instances here, you can be sure that Tor was being used on
this particular computer some time ago.
Prefetch files
On a Windows system, the prefetch files are placed in the location
C:\WINDOWS\Prefetch
Investigators may acquire metadata about the browser using tools like
WinPrefetchView (https://www.nirsoft.net/utils/win_prefetch_view.html). This
metadata contains browser generated timestamps, browser last run timestamps,
the number of times the browser was run, the Tor browser execution
directory, Filename, and File Size.
There are many forensic tools through which you can pull out the prefetch
files. There are many open-source tools as well, such as Autopsy. You can
clearly see that Tor.exe was used on a particular date and at a particular
time. So, there will be traces, and you will be able to know that this
particular computer is worth investigating when you are investigating dark
web or deep web cases.
Free Tool – Maltego (https://www.maltego.com/maltego-community/)
Installation Guide:
Go to this website: https://www.maltego.com/maltego-community/
On this website, on the front page itself, you will find a “download for
free” button.
Install it.
After installation, when you start it for the first time, it will ask you
at one point to register. So, you have to first go and register on the
website using your email ID; you will get a user ID and a password. Then you
have to log in. Once you log in for the first time, it is going to ask you
whether you want to use the free version, which is called Maltego CE. So, you
have to ignore all other versions and select Maltego CE from the options
that are given the first time you start the software. Maltego CE is the
community edition and it is completely free. (There are other versions; if
you are interested, you can purchase them directly from the website.)
Interface of the software:
See, this is the interface of the software. You will see a lot of details
here.
[When you start for the first time, please visit the docs and blogs section.
Please go through the preliminary trainings that are there for this
particular tool, which are free. You don't have to pay for them. You can
attend the webinars and demonstrations so that you get acquainted with the
tool.]
So here, whenever you are investigating, you have to start with the new
button that is here.
Once you click on new, you get a blank graph page.
So, this is basically a graphical link analysis tool: whatever information
you try to find, it will show you in a graphical representation. You have
different kinds of tools here.
Hashtag: If you want to search for certain hashtags, you can use this.
Pages: If you want to search only certain pages like Wikipedia, Wikimedia,
etc., you can use this tool.
Email: If you want to search by email address, you can search using this.
Similarly, there is also a tool for searching websites. There are tools for
cryptocurrency (see image below), Bitcoin cash addresses and Bitcoin cash
blocks. So, if you have a Bitcoin cash address in a certain case, you can
drag this over the blank area (as shown in the image below), put the
alphanumeric string of your Bitcoin address in the space provided (as
highlighted in the image below), right click on it and select all
transformations.
Once you do this, and if you are connected to the internet, it will give you
all the results that are there, if it is a valid number.
Then you also have tools for devices: if you have a particular suspect
computer model or handset that you want to check on open source, you can do
that, for mobile phones, etc. You can search open source information for
certain types of email conversations, conversations on phones, dates and
times, or incidents, etc.
[Note: Given below is the case study as shown in the lecture]
So, suppose there is a need to search for a certain person; let’s take as an
example a search for a person called Darshan Arun Wadikar. Type ‘person’ in
the search box as a keyword and it will show all the possible things that can
be searched, or all the queries that are possible.
As soon as the search is initiated, we may get a lot of information related
to this name. There are many phone numbers which are publicly available on
different web portals, on Facebook, on Twitter, etc.
We may go ahead and check all those things. Not all of them will be
legitimate because this is coming from open source. So, many people might
have put in false data as well. There is Instagram information, and this is
the link that it shows as related to this name. Just copy this and paste it
in the web browser.
See, this is a correct page. So, we have just entered the name and were able
to get the social media information on that particular name.
Now, if the middle name is removed and the search is initiated, the results
may vary (as shown in the image below). This implies that the investigating
officer may use different combinations of keywords to arrive at the desired
result.
Here you get the logs showing where the tool is getting the information
from. So, suppose you have to log your information or create a report; you
can copy and paste this into your report to show where all this information
came from.
We can also see where the tool is getting its information from. For example,
consider the phone number found in the search results.
Go to properties, and you may find the link from where it fetched the
information.
You can even copy and paste the URL into the web browser and go to the link:
To get more information on a particular email ID:
Now we may be able to find some more information:
In the image given below, the red icon shows that the email ID was leaked in
some dark net data:
Similarly, we can do this for other components such as phone number, email
ID, websites etc., and the tool will give more information related to each
individual component.
This tool can also find some common points.
This is linked with the number, as shown in previous images, and the tool is
also able to make a link with my original search of the name. So, it gives
you a kind of assurance that this particular number certainly belongs to
this person. There are common links between this name and this mobile number
through these entities. So, you are on a correct path because you are also
able to find some commonalities between them.
There may also be cases of false positives; therefore it is necessary for
the investigating officer to use his/her wisdom and rule out the false
positives that the tool might find.
This tool does not require that a person be popular. For any person who has
a profile or a footprint in some way or other on the internet or the social
platforms, you will be able to go and check them.
We may also make use of the social network tags:
It is basically making a direct query to Facebook through the old APIs that
were available. However, we all know that a few years back, there was a lot
of debate, and Facebook also faced many court cases wherein it was being
used (the social media APIs that it built) to polarize people and their
thoughts, put your own thoughts in someone else's mind, etc. The elections
(ex- United States elections) were being rigged. So, from that point in
time, all of the social media have restricted their APIs. So, you can no
longer find out these details using at least this tool, because it has
restricted those kinds of APIs and you will not be able to work on those
things. However, you can find the same information using the other things
that we mentioned, like “person”, for example. Once you pull out the
information regarding the person, you get a lot of things, as we have seen
in this graph, and you can also drill down into their Facebook and their
websites or social media using this drill-down method from here. So, the
starting point is different. However, you can still reach that person, like
mobile phones. Similarly, other than person, you can use the mobile phone
query as well. You can put in any phone number that you have a lead on and
try to see if there is any kind of association with any of the phones or any
person in particular, and you will see similar kinds of graphs.
Commercial Tool – Recorded Future
Generally, whatever data you are able to gather right now is from open
source intelligence. Open source intelligence itself means whatever is
easily available on the internet, not in the darknet. But what if you want
to get information that is related to the darknet specifically? What if you
are an intelligence agency that is working specifically on cases of
contraband, illegal arms deals, drug deals, banking frauds or credit card
frauds, etc., in your own city, in your own jurisdiction? In those cases,
OSINT tools will not be of much help. They will give you some data, but that
will not lead you anywhere. So, in that case, you will need specialized
tools like Recorded Future. There are many others as well.
Basically, these tools have their own databases of the darknet. They have
deployed a team of analysts who continuously try to, and successfully do,
infiltrate the darknet. They become a part of certain darknet communities
and continuously keep on indexing the darknet data. This is one way. The
other way they get the data is by purchasing darknet data that is leaked in
the darknet itself. So, they pay for it, they buy that database and they
make it available to law enforcement agencies.
These kinds of tools are not available to the general public. The first
thing is that they are very costly. So, at an individual level, no one will
be able to afford them. But even if any agency or private company goes
there, they will restrict them. There are certain modules that they sell to
private organizations, but they heavily restrict them so that they will not
be able to gain access to the very sensitive data, which will only be sold
and made accessible to law enforcement.
Information like anonymous forums, information leaks and dumps, and sales
and purchases related to many categories like drugs, weapons, malware,
ransomware as a service, carding info, gambling, fake passports,
pornography, money transfers, gift cards, credentials, etc., and many other
things, is very easily searchable on this particular tool.
What you get is an online login tool. You log into their portal, you get an
ID, which is specifically for you. You create a case.
Suppose you enter a particular photograph of a certain license/passport.
It will try to search through its own indexed darknet data to see if this
particular license/passport or something similar to it is available. So, it
will pull out all the license/passport information. It will clearly tell you
that this is on sale as data or this is on sale as a fake passport. It will
show you how to reach that particular person, because this is actual data
that is gathered from the darknet. However, this is not live data. It is
continuously being indexed and passed on to you. So, it is going to search
through its indexed data. However, once you have this, you will not need to
spend time building your own data over a period of time. Although it is
worth building your own data, at the same time you can also utilize someone
else's data and someone else's research by paying such agencies.
[Note: Unfortunately, the speaker was not able to show this tool because of
certain restrictions. However, there are some screenshots available which
have been taken with the permission of the agency that makes this and have
been shown in the lecture, which are mentioned in these notes below.]
A search was made for credit card information. So, these many credit cards
were actually on sale.
Searching for some term, like searching for cocaine and whether it is
available in India. So, the tool has given the result, as shown in the
screenshot below.
So, here you can read, “yes, I'm very much new to the vending online, but have
nine years of experience of doing direct deals”. So, this is some drug peddler
who has written this here.
And here, if you can see, he has given his Proton email ID, where you could
reach him as a law enforcement agency and try to see if you can get hands on
this person.
It can also be seen that the above screenshot contains images. These are the
images that this person had uploaded. Using this link, the investigator was
able to reach these images.
Now, people may debate what we will do just by getting the email ID. The
point to keep in mind is that earlier you did not even know whether anyone on
the darknet was available in your particular city or in your country. Now,
you are getting the leads. Using this, you can try to contact this person
covertly. You can run your operation as a covert operation.
So this will be of importance for lead generation, not directly to go ahead
and catch the person. You will very seldom find any information on the
darknet with which you will directly be able to target the person.
Author: Arshil Khan
Team Lead Cyber Law