Diving Deeper: Leveraging the Internet’s Depths for Investigations

June 23, 2022

By Paul Sebastian, Senior Associate, Forward Risk and Intelligence

As many hard-core true crime fans might know, in criminal forensics, there is a general rule known as Locard’s exchange principle. This principle states that when a crime occurs, the perpetrator will bring something to the crime scene and leave something at it.

While most researchers in the due diligence industry do not typically have a background in criminal investigations, a modern corollary to Locard’s principle is important to keep in mind: whenever an individual touches the internet, that user brings something – usernames, IP addresses, email addresses, etc. – and will leave a trace of their presence. Searching for and finding these traces on all three layers of the internet is a hallmark of an expert open-source investigator.

Scratching the Surface

The internet is generally broken down into three layers: the surface web, the deep web, and the dark web.

The surface level is where web crawlers index websites and information, making it discoverable to researchers via search engines like Google or Bing. On this level, an investigator conducting research on a company executive, for example, may find news articles and profiles on popular social media platforms like LinkedIn. The use of advanced Google operators – known as dorking – can reveal otherwise buried search engine results, but this layer is still dependent on the indexing of the website on which the information resides. The information garnered from surface-level searches would be the equivalent to a detective finding broken glass at a burglary scene: it is valuable evidence, but its discovery is only the tip of the iceberg.

Diving Deeper

Just below the surface of the internet lies the deep web – which is far more interesting from an investigative perspective. Experienced and knowledgeable investigators with a strong attention to detail can exploit this layer to discover very valuable results. This layer of the internet encompasses hard-to-find or otherwise forgotten information such as legal and academic records, foreign language databases and sources, subscription-only information, and archived versions of websites. Web crawlers do not, or cannot, index this portion of the internet.

According to estimates from 2001 (the most recent available), the surface web contains 19 terabytes of information, while the deep web contains 7,500 terabytes, and since then the divide has grown exponentially, with more recent estimates placing just 1 percent of all information on the internet in the surface web. Examples on this layer of the internet include local court records and information found on genealogy sites like Ancestry.com. No amount of research using a search engine will uncover the valuable information found on this layer of the internet.

There is one final layer that experienced investigators search: the dark web. This layer is intentionally hidden from normal search engines, and its data is encrypted, requiring a specific web browser to discover. While there are legitimate reasons to use the highly-private dark web, it is on this layer that researchers will most likely find illicit activity and compromising information.

One of the most important pieces of data found on the dark web is data breach information. After a hacker steals log-in credentials from a website, these credentials will often appear on the dark web. Reviewing these compromised credentials – usernames and email addresses – may inform further surface and deep web searches, revealing previously-unknown social media profiles or blog activity. Finding these hidden or obscure social media accounts may provide greater Insight Into a subject’s personal connections, Interests, and history, which the subject may have believed was safely concealed behind an alias username, thus providing an investigator with greater insight into a truer picture of the subject aside from a carefully curated public persona.

There is also a thriving dark web market for the login credentials of users at websites containing extortionable information, such as Ashley Madison and Epik. Discovering that a subject had an account on these controversial sites can be a key piece of information when constructing a holistic picture.

Together, information found on the deep and dark web is the nonobvious evidence akin to a crime scene technician lifting fingerprints, documenting DNA, or finding other clues not readily apparent to the naked eye.

Applications in Real-World Investigations

At Forward Risk, our trained and skillful investigative team frequently provides clients with insight into the hidden characters of our subjects. Our reports include extensive deep web research, as well as a section dedicated to dark web research. This has provided clients with industry-leading insight into subjects of interest. The following examples show how Forward Risk’s deep and dark web research skills can provide more actionable information than research that focuses only on the surface of the web.

One important facet of deep and dark web research is the investigation of known IP addresses and web domains for a subject. In one case, our researcher discovered several inactive web domains previously registered to a subject. It was discovered that this otherwise-unassuming subject had once registered several questionable, race-related domain names that raised concerns about their judgment.

Often, sexual behavior and proclivities are a source of controversy and risk, but knowing this, people often attempt to obfuscate their activity online. One of our investigators was conducting opposition research on a political candidate and, using an email address discovered on the deep web, uncovered this candidate’s account on an adult website, in which he commented on videos “grading” women and made demeaning comments about his wife. In today’s political climate, this information can end a candidacy without further argument.

Information found on the deep and dark web can also inform a client on how to interact with a potential business partner. In one case, an investigator was conducting due diligence research on the founder of a tech startup seeking an investment from that client. Dark web research easily identified the passwords for several of the founder’s email accounts, all of which were common words easily brute forced by a computer program, meaning a computer program could easily guess the password. This signaled poor IT security practices, which does not augur well for the founder of a tech company, and it gave our client the knowledge that communications with the founder were vulnerable to a leak or hack. (A quick disclaimer when accessing dark-web data: Open-source researchers must take great care when accessing dark and deep web information, adhering to all applicable laws. Any passwords that may be discovered during research cannot be used to gain unauthorized access to any computer system.)

These examples show the value of research that goes beyond the surface level. By engaging professionals with expertise in deep and dark web investigations, clients seeking information about an executive they are planning to hire, or a company in which they plan to invest, may rest assured that they will be armed with comprehensive findings with which to make an informed business decision.

Paul Sebastian is a Senior Associate at Forward Risk and Intelligence Inc., a corporate investigations firm with offices in Washington, DC and New York. More information can be found at www.forwardrisk.com.