A Unique Set of Tools for Maltego: [DarkNet Search]
In the summer of 2019, SocialLinks announced the release of an unusual set of tools and services: Predefined search methods that work on the DarkNet. These are already available to all Maltego Classic and XL users working with the SocialLinks plugin.
DarkNet is a space where familiar OSINT tools are difficult and sometimes even impossible to use. Many resources, including trading platforms and forums, are closed and access to them is possible only with the use of fairly complex identification schemes. Here, site owners have no fear of alienating potential users with an overly complicated registration procedure.
Sites and trading platforms on the DarkNet often change addresses, are removed, and later reappear, making it impossible for existing search engines to index these closed forums and other resources. As such, specialized tools are needed to collect data and conduct investigations on the DarkNet. Maltego’s built-in search methods focus mainly on the public Internet and do not solve the problem of the complex queries needed to access DarkNet resources.
One of the basic products that students learn is Maltego, along with the Social Links plugin. Law enforcement practice shows that DarkNet research can provide significant and even crucial evidence for investigations. For instance, the Dark Net is the driving factor in narcotics distribution around the world, as announced at this year’s Interpol Conference in Cape Town, attended by delegates from 194 countries.
Department representatives also note a high jump in Tor user activity — this means it’s more important than ever to work with information from the Dark Net, but collecting data manually usually turns out to be difficult, inconvenient, and time consuming.
This task was successfully completed, but it required significant effort. An infrastructure was created that was specifically designed to detect changes in the Dark Net. Making a data parser is not difficult; making one that works continuously is much harder. This requires proxies, automatically registered accounts, and the mass emulation of user actions. Only with such infrastructure support can the uninterrupted operation of such a service be ensured. It was also necessary to establish constant monitoring of resources so that their disappearance, movement, and renaming are tracked on a regular basis.
These and other measures helped to ensure a reliable and continuous means of monitoring changes on the DarkNet, with data updated every hour. The tools developed are integrated with eight DarkNet search engines, making possible full-text search of posts and product descriptions, as well as search by alias, Telegram account, Jabber, ICQ, phone number, and email. ‘Mirrors’ for these resources can also be determined automatically. This means not needing to spend time searching for relevant links – they are automatically tied to the search results.
This type of search is possible using data from the 30 largest forums and trading platforms with new resources being constantly added. All collected data is archived, so even the complete disappearance of a resource on the network won't mean losing information, allowing you to restore not only the current resource but to also access a history of resource alterations.
The ability to search for marketplace products by location is also crucial. An analysis of the listings on a given trading platform makes it possible to assess the scale of the movement of goods from country to country. For example, it would be possible to clearly see where drugs are being transferred to in South Africa or the Netherlands. Uncovering such general flows is useful in constructing an overall picture of these types of transactions, but for specific investigations accurate data on transactions between specific individuals is critical; this can also be done using these ready-made search methods. They are already able to detect changes in search terms used on the DarkNet for bitcoin wallets, the titles and text within posts on forums, individual phrases, and user data.
Finding and identifying connections on the Dark Net is also complicated by the fact that sellers of illegal goods and services change their aliases between resources. However, to conduct transactions and interact with sellers and buyers, they must use encryption keys called PGP keys. It is often difficult and inconvenient to change them, as they would need to send their new key to all of their contacts. Therefore, PGP keys are useful in identifying DarkNet users, as searching using these keys allows for the accurate detection of the same individual across all forums and markets, even if they use different aliases. This way, it is possible to map out the sales network of a particular merchant and view their larger trading network.
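The linkage described above rests on one property of OpenPGP: a public key has a stable fingerprint (for v4 keys, the SHA-1 of the public-key packet as defined in RFC 4880), so two aliases that publish the same key block resolve to the same fingerprint no matter which forum or market they appear on. The following is an added example, not SocialLinks' or Maltego's code: it de-armors a public key block, walks the OpenPGP packets, computes the v4 fingerprint, and clusters (forum, alias) pairs by fingerprint. The sample keys and aliases are constructed in the block itself (tiny, non-functional RSA moduli, so the packets parse but could never be used for encryption), and the helper names are assumptions of this example.

```python
"""Cluster DarkNet aliases by OpenPGP v4 key fingerprint (RFC 4880).

Added example: parses ASCII-armored public key blocks without any
third-party library and groups (forum, alias) records that share a key.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def crc24(data: bytes) -> bytes:
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return (crc & 0xFFFFFF).to_bytes(3, "big")


def dearmor(armored: str) -> bytes:
    """Strip the armor, verify the CRC24 trailer, return raw packet bytes."""
    lines = armored.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not a public key block")
    body, crc = [], None
    for line in lines[1:-1]:          # skip BEGIN and END lines
        line = line.strip()
        if not line or ":" in line:   # blank separator or "Header: value" line
            continue
        if line.startswith("="):      # "=XXXX" CRC24 trailer
            crc = base64.b64decode(line[1:])
            continue
        body.append(line)
    data = base64.b64decode("".join(body))
    if crc is not None and crc24(data) != crc:
        raise ValueError("armor CRC mismatch (corrupt or tampered key block)")
    return data


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte")
        if ctb & 0x40:                              # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                       # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length


def fingerprint(armored: str) -> str:
    """v4 fingerprint: SHA-1 over 0x99 || 2-byte length || public-key packet body."""
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 6:                                # primary public-key packet
            if body[0] != 4:
                raise ValueError("only v4 keys supported")
            digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
            return digest.hexdigest().upper()
    raise ValueError("no public-key packet found")


def link_aliases(records):
    """records: iterable of (forum, alias, armored_key) -> {fingerprint: [(forum, alias), ...]}."""
    index = defaultdict(set)
    for forum, alias, key in records:
        index[fingerprint(key)].add((forum, alias))
    return {fp: sorted(pairs) for fp, pairs in index.items()}


# --- constructed sample data (not real keys or real aliases) ---------------
def _mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count + big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def make_test_key(modulus: int, user_id: str = "test", created: int = 1561939200) -> str:
    """Build a minimal armored v4 RSA public key block around a toy modulus."""
    key_body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(modulus) + _mpi(65537)
    uid_body = user_id.encode()
    data = bytes([0xC6, len(key_body)]) + key_body + bytes([0xCD, len(uid_body)]) + uid_body
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines)
            + "\n=" + base64.b64encode(crc24(data)).decode()
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


MODULUS_A = 0xC0FFEE0DDBA11C0DEFACE0FFE1CE5EED   # toy value, not a usable key
MODULUS_B = 0xDEADBEEFCAFEF00DBAADF00D12345678   # toy value, not a usable key
KEY_A = make_test_key(MODULUS_A, "vendor-a")
KEY_B = make_test_key(MODULUS_B, "vendor-b")
SAMPLE_RECORDS = [                                # constructed, hypothetical aliases
    ("forum-1", "shadowfox", KEY_A),
    ("market-2", "fox_trading", KEY_A),           # same key, different alias
    ("market-2", "nightowl", KEY_B),
]

if __name__ == "__main__":
    for fp, pairs in link_aliases(SAMPLE_RECORDS).items():
        print(fp, pairs)
```

Because the fingerprint is derived from the key material rather than from the alias or the armor headers, cosmetic changes (re-exporting the key with different headers, re-wrapping the base64) do not change the cluster, while a modified key block fails the CRC check rather than silently producing a new fingerprint.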
We are continually developing and improving our product and we welcome the specific requests and needs of SocialLinks users. This provides an important source of new ideas for us, as SocialLinks is always ready to deploy new and specific services as needed by our customers.