1. Introduction

2. Literature Review and Research Gaps

Figure 2. Summary of Internet activities Artefact's location per category in Windows and Linux distributions.

Figure 2. Summary of Internet activities Artefact's location per category in Windows and Linux distributions.

3. Research Methodology

4. Research Contributions and Novelty

5. Order of Volatility in Cyber Forensics

6. The Proposed High-Level Protocol

7. Detailed D2WF Protocol

➢

Identify and Collect Suspect Devices: Identifying potential evidence that may have been used in a crime is crucial to ensuring it will be admissible in court. This can be achieved by examining the crime scene, speaking to witnesses, or reviewing surveillance footage.

➢

Identify Extra Storages (e.g. Cloud and IoT): Once potential evidence has been identified, collecting and documenting accurately is crucial.

➢

Identify Extra-Storages (e.g. Cloud and IoT): During the evidence identification phase, it is critical to identify extra-Storage (e.g., cloud and IoT) that may contain vital data, and a process technique to extract this data should be developed.

➢

Determine the Required Hardware/Software: determining what is necessary to complete the evidence identification will include hardware, software, and storage requirements. Each task is unique, and it is critical to tailor the needs of the task to the hardware, software, and storage requirements.

➢

Establish a Chain of Custody: a "chain of custody" is a paper trail or chronological documentation that shows the seizure, control, transfer, analysis, and disposition of physical or electronic evidence. When gathering evidence, it is critical to maintain a chain of custody to ensure its integrity and admissibility in court.

➢

Acquire Volatile Data Following the Order of Volatility (OOV): Volatile data is information stored in a computer's temporary memory, and it is lost when the system is powered down. It is critical to acquire evidence in the Order of volatility to ensure that as much data as possible is recovered from a system. This means that the most volatile data, i.e. data in a system's temporary memory, should be acquired first.

➢

Acquire Physical or Logical File System Image: a physical file system image is a bit-for-bit copy of a storage device, such as a hard drive, that can be used to forensically examine the device's contents, whereas a logical file system image is a copy of data on a storage device that can be created without creating an exact bit-for-bit copy of the device. Logical file system images typically include only the files and folders required for a specific investigation.

➢

Import/Backup Cloud-Based Content: acquiring and backing up cloud-based content ensures that the evidence is not lost or tampered with if the cloud-based service is shut down or deleted.

➢

Extract Networking and Logging Data: investigators will often need to collect networking and logging data from reconstructing events or tracking down suspects. This information can be obtained by obtaining it from network devices or servers.

➢

Secure Evidence and Store Original Devices in Safe: Once the evidence has been collected, it must be secured and stored in a secure location. This will prevent the evidence from being lost or tampered with. Keeping the original devices in a safe location is also critical to ensure their integrity.

➢

Analyse RAM and Examine URLs, Web Content, Search Queries, Logging Details, and Downloaded Files: Examine the running processes, visited websites, downloaded files, system logs, open files, and network connections to reconstruct events.

➢

Analyse Browsing Data, File System/Registry, Examine URLs, Bookmarks, Usage Sessions, Timestamps, and Caches: we can begin by looking at web browser data to get an idea of what the user is doing on the system. This provides an overview of the websites the user visits and the types of activities carried out. The -r option returns a grep list of all bookmarks saved by the user. We can use the grep -c option to print the number of times each URL has been visited. To see a list of all the cookies stored on the system, use the -f option with grep. We can use the grep -s option to see how many times each cookie has been accessed.

➢

Analyse Logs and Networking Cookies, Examine Downloads and Browsing: Examine the log files with the command-line tool grep to search for specific keywords in the log files. We can use the grep -r option to see a list of all the IP addresses that the user has accessed. We can use the grep -c option to see how many times each IP address has been accessed.

➢

Analyse Cloud Backup and Examine Logging, Browsing, and Search Queries: this search can reveal user activities during the Examination and Analysis phase. However, the information that is stored in the remote location through a network such as the Internet is further analysed, the logging details of the activities and who was involved are examined, and the search behaviour of the user is evaluated so that the investigator can organise and get more insight on the user's activities and the incidents that happened.

➢

Correlate Findings and Establish the Final Timeline: We reviewed the findings and looked for patterns or themes. If there are any gaps in the data, we conduct additional research to correlate the findings. Once we have a clear picture of what occurred, we create a detailed timeline of events that will serve as the foundation for the final report.

➢

Process Finding, Correlate Finding, and Remove Duplication: At this stage, we process all of the evidence files' findings and correlate them to remove any duplication.

➢

Summarise Findings in accordance with the Relevance and Acceptability to reconstruct the crime environment and ensure that the evidence is admissible.

➢

Complete Findings and Present a Technical Report: When all the above digital forensics processes have been completed, the findings need to be presented and put in an orderly document that validates the evidence collected, tracked, and analysed. The findings should be protected and kept in a safe place for access when needed. Security of such information is vital to avoid tampering or loss of data.

8. Forensic Scenarios Design and Datasets Generation

9. Forensic Processing, Examination And Analysis

10. Results and Discussion

11. Conclusions and Future Works

References

1. Arshad, M. R., Hussain, M., Tahir, H. & Qadir, S. (2021). Forensic Analysis of Tor Browser on Windows 10 and Android 10 Operating Systems. IEEE Access, Volume 9, pp. 141273 - 141294. [CrossRef]
2. Balduzzi, M. & Ciancaglini, V., 2015. Cybercrime in the Deep Web. Amsterdam, 2015 Black Hat EU Conference.
3. Baronia, D., 2021. Dark Web and Tor Forensic. [Online] Available at: https://informaticss.com/dark-web-and-tor-forensic/ [Accessed 12 October 2022].
4. Brinson, R., Wimmer, H., Cheng, L. (2022). Dark Web Forensics: An investigation of tracking dark web activity with digital forensics. Interdisciplinary Research in Technology and Management (IRTM). [CrossRef]
5. Gehl, R.W., 2018. Weaving the dark web: Legitimacy on Freenet, Tor, and I2P. MIT Press.
6. Cherty, A., Sharma, U. (2019). Memory forensic analysis for investigation of online crime- A review. IEEE 6th International Conference on Computing for Sustainable Global Development. IEEE Access.
7. European Monitoring Centre for Drugs and Drug Addiction and Europol, (2017). Drugs and the darknet: Perspectives for enforcement, research and policy, Luxembourg: Publications Office of the European Union.
8. Forensic-Pathways, 2020. Dark Web Investigations/Monitoring. [Online] Available at: https://www.forensic-pathways.com/dark-web-investigations monitoring/ [Accessed 12 October 2022]. 12 October.
9. Godawatte, K., Raza, M., Murtaza, M. & Saeed, A., 2019. Dark Web Along with the Dark Web Marketing and Surveillance. 2019 20th International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT). Gold Coast, QLD, Australia, IEEE.
10. Goodison, S. E. et al. Research Report. 2019. Identifying Law Enforcement Needs for Conducting Criminal Investigations Involving Evidence on the Dark Web, California: RAND Corporation.
11. Handalage, U., Prasanga, T. (2020). Dark Web, Its Impact on the Internet and the Society: A Review. (Online). [CrossRef]
12. Protrka, N. (2021). Cybercrime. In Modern Police Leadership (pp. 143-155). Palgrave Macmillan, Cham.
13. R. Brinson, H. Wimmer and L. Chen, "Dark Web Forensics: An Investigation of Tracking Dark Web Activity with Digital Forensics," 2022 Interdisciplinary Research in Technology and Management (IRTM), Kolkata, India, 2022, pp. 1-8. [CrossRef]
14. M. F. B. Rafiuddin, H. Minhas and P. S. Dhubb, "A dark web story in-depth research and study conducted on the dark web based on forensic computing and security in Malaysia," 2017 IEEE International Conference on Power, Control, Signals and Instrumentation Engineering (ICPCSI), Chennai, India, 2017, pp. 3049-3055. [CrossRef]
15. Leng, T., Yu, A. (2021). A framework of darknet forensics. International Conference on Advanced Information Science and Systems. (Online). https://dl.acm.org/doi/fullHtml/10.1145/3503047.3503082. [CrossRef]
16. Maisammaguda, D., (2019). Digital Notes on Computer Forensics, India: Malla Reddy College of Engineering and Technology. Maryville University, 2017. Top 4 Data Analysis Techniques That Create Business Value. [Online] Available at: https://online.maryville.edu/blog/data-analysis-techniques/#qualitative [Ac- cessed 4 December 2022].
17. Matic, S., Kotzias, P. and Caballero, J., 2015, October. Caronte: Detecting location leaks for deanonymizing tor hidden services. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (pp. 1455-1466).
18. Naza, S., Huda, S., Abawajy, J., Hassan, M. M. (2020). The evolution of dark web threat and detection: a systematic approach. IEEE Access 8:171796-171819. [CrossRef]
19. Rogers, B., 2017. Tor: Beginners to Expert Guide to Accessing the DarkNet, TOR Browsing, and Remaining Anonymous Online. 1st ed: CreateSpace Independent Publishing Platform.
20. Tazi, F., Shrestha, S., Cruz, J. D. L., Das, S., (2020). SoK: An Evaluation of the Secure End User Experience on the Dark Net through Systematic Literature Review. J. Cybersecurity and Privacy. 2022, 2(2), 329–357. [CrossRef]
21. Zeid, R. B., Moubarak, J., Bassil, C. (2020) Investigating the darknet (Online). International Wireless Communications and Mobile Computing (IWCMC). [CrossRef]
22. Ozkaya, E., & Islam, R. (2019). Inside the Dark Web. CRC Press. [CrossRef]
23. Popov, O., Bergman, J., & Valassi, C. (2018, November). A framework for forensically sound harvesting the dark web. Central European Cybersecurity Conference 2018 (pp. 1-7).
24. Nazah, S., Huda, S., Abawajy, J., & Hassan, M. M. (2020). Evolution of dark web threat analysis and detection: A systematic approach. IEEE Access, 8, 171796-171819.
25. Holland, B. J. (2020). Transnational cybercrime: The dark web. Encyclopedia of Criminal Activities and the Deep Web, 108-128.
26. Jardine. E. (2015). The Dark Web Dilemma: Tor, Anonymity and Online Policing. Global Commission on Internet Governance Paper Series, Volume 21, pp. 1-11. [CrossRef]
27. Ghanem, M.C. Cryptographically Upgrading TOR Network to Enforce Anonymity by Enhancing Security and Improving Performances. Preprints.org 2023, 2023070982. [Google Scholar] [CrossRef]
28. Samtani, S., Zhu, H., & Chen, H. (2020). Proactively identifying emerging hacker threats from the dark web: A diachronic graph embedding framework. ACM Transactions on Privacy and Security (TOPS), 23(4), 1-33. [CrossRef]
29. Dunsin, D., Ghanem, M., Ouazzane, K. (2022), 'The Use of Artificial Intelligence in Digital Forensics and Incident Response in a Constrained Environment', World Academy of Science, Engineering and Technology, Open Science Index 188, International Journal of Information and Communication Engineering, 16(8), 280 - 285.