Investigating individuals on Tor networks - secuguru/security-terms GitHub Wiki

Investigating individuals on Tor networks presents a unique challenge for law enforcement and organized crime investigators due to the layers of encryption and anonymity Tor provides. However, there are several techniques and methods that investigators use to identify users on the Tor network, although these methods are often complex and resource-intensive. Here’s how they approach it:

  1. Exploiting Vulnerabilities
  • Browser Exploits: One common method is taking advantage of vulnerabilities in software, particularly the Tor Browser itself. Investigators have, in the past, used exploits to deliver malware (such as the FBI’s use of “Network Investigative Techniques” or NITs) to Tor users. This malware can be used to identify the real IP addresses or other identifying information of individuals.
  • JavaScript and Flash: Sometimes, malicious websites on the Tor network are set up to exploit vulnerabilities in outdated or improperly configured browsers. These websites may use hidden scripts to reveal the true IP address of the user.
  1. Compromised Exit Nodes
  • Traffic Analysis: Although traffic within the Tor network is encrypted, data that exits the network through exit nodes is decrypted if it is not protected by HTTPS. Investigators may operate or monitor Tor exit nodes to capture traffic. By analyzing this traffic and correlating patterns, investigators may be able to trace activities back to individual users, particularly if the users are accessing unencrypted websites (HTTP) or leaking identifiable information.
  • Correlation Attacks: If law enforcement can observe both the entry and exit points of a Tor connection (either by running relays or through partnerships with ISPs), they can attempt a traffic correlation attack. This involves matching patterns of traffic volume and timing at the entry and exit points to potentially deanonymize users.
  1. Deanonymizing Hidden Services
  • Seizing or Compromising Hidden Services: In some cases, law enforcement has been able to identify or even take control of websites hosted on the dark web (known as onion services). Once they have control of the site, they can monitor users who connect to it, sometimes using exploits to track down the visitors.
  • Operational Security Failures: Investigators often rely on operational security mistakes made by criminals. For example, if someone running an illegal service on Tor uses their real email address, a common username, or fails to use appropriate privacy precautions, this information can lead to their identification.
  1. Exit Node Fingerprinting
  • Traffic Fingerprinting: Law enforcement can use traffic fingerprinting techniques, where they analyze the size, timing, and other characteristics of traffic going into and out of the Tor network. By looking for patterns or unique characteristics, they may be able to identify or narrow down a suspect’s activity even if the traffic is encrypted.
  • Compromised Tor Nodes: Law enforcement might run or infiltrate a significant number of Tor relays (entry, middle, or exit nodes). With enough control over the network, they could gather substantial data on users’ behaviors, traffic volume, and usage patterns.
  1. Social Engineering and Undercover Operations
  • Infiltrating Communities: Investigators often conduct undercover operations, infiltrating dark web marketplaces and forums where illegal activity takes place. By building trust and interacting with targets, they can gather information leading to the identification of individuals.
  • Honey Pot Operations: Sometimes, law enforcement agencies set up fake services (such as illegal marketplaces or forums) on the dark web. These honey pots attract criminal users, who may reveal identifying information or make operational security mistakes while using the service.
  1. Metadata and Behavioral Analysis
  • Metadata Collection: Even though Tor anonymizes users’ IP addresses, other metadata, such as the times of connection, patterns of activity, or types of services accessed, can sometimes be correlated to a suspect. For instance, if a user frequently accesses a hidden service at predictable times, investigators may cross-reference this with known schedules or activities.
  • User Profiling: Investigators can build profiles based on a suspect’s behavior, habits, or writing style. This technique, known as stylometry, analyzes the way people write to identify them, even if they try to remain anonymous. It has been used to identify criminals on the dark web who use pseudonyms but maintain consistent writing patterns.
  1. Cooperation with ISPs and Other Services
  • ISP Monitoring: Law enforcement may work with internet service providers (ISPs) to monitor who is connecting to the Tor network. Although this doesn’t reveal what the user is doing within Tor, it can reveal who is using the service. In some cases, combining this with other data can lead to the identification of a suspect.
  • Data Requests from Third-Party Services: Some criminals on the dark web eventually need to interact with non-Tor services, such as email providers, cloud storage, or social media. Law enforcement can issue legal requests for data from these services, obtaining valuable information like IP addresses or activity logs.
  1. Legal and Policy Approaches
  • International Cooperation: Since Tor operates across international borders, law enforcement agencies may cooperate across countries to track and apprehend criminals. Many dark web investigations involve collaboration between agencies like the FBI, Europol, and other national police forces.
  • Leveraging National Legislation: In some cases, governments compel Tor relay operators or hosting services to hand over logs or information about specific users. They might also monitor internet access points in facilities like airports or cafes, where criminals may use Tor.

Conclusion

Tracking individuals on the Tor network is complex and requires a combination of advanced technical methods, legal tools, and investigative techniques. While Tor offers strong anonymity and privacy protections, law enforcement agencies have developed a variety of methods to identify users, especially those involved in illegal activities. Many successful operations rely on exploiting vulnerabilities, conducting undercover operations, or taking advantage of human error in maintaining anonymity.