Abstract

Various decentralized network web services have recently emerged. However, such services are not well known to general users because they are hard to reach through ordinary portal search engines. In this respect they resemble the deep web, and in particular Tor (The Onion Router), a kind of deep web service that has been used for online crimes such as the distribution of child pornography and online drug dealing and whose usage is continuously increasing. Decentralized network web services are therefore also likely to be abused for crime, and forensic investigation techniques are needed to respond to crimes committed through them. This paper analyzes artifacts that identify traces of users accessing and acting on ZeroNet, one of the decentralized network web services, and presents a digital forensic method for applying them to investigations of decentralized network web services. The method of acquiring artifacts for meaningful user access trace analysis and the storage structure of the access record trace data were analyzed for a total of five platforms, including Windows and macOS. Analysis of the acquired data made it possible to identify the illegal decentralized network web service addresses accessed by the user, the list of files downloaded to access the decentralized network web service and BitTorrent, and the users who distributed the service. In addition, a hypothetical scenario was constructed and a plan for using the results from the perspective of a forensic investigation was presented. When ZeroNet, a kind of decentralized network web service, is found on a user's PC during a forensic investigation, this thesis contributes to the development of forensic investigation techniques by presenting a method to obtain the list of decentralized network web service addresses, downloaded files, and users sharing the files.

1. Introduction

The Internet has become an important element of the communication infrastructure [1], and most content providers are investing their resources in digitizing their operations through virtualization and automation [2]. In recent years it has evolved further into various decentralized network web services, such as ZeroNet, Beaker, and SafeNetwork. Sharing the essential characteristic of cloud computing services, which directly connect consumers and providers [3], these services let the client side download the required data using blockchain [4] or BitTorrent [5], so that a web service can be used without servers over a peer-to-peer (P2P) network. This structure differs from that of a centralized service, where a single web server generally processes each response. Decentralized network web services are difficult to access with commonly used web browsers, and the information they hold is likewise hard to reach and search through Internet search engines such as Google. These features resemble those of the darknet, which can only be accessed with dedicated software such as Tor (The Onion Router). Decentralized network web services have a structure similar to that of the darknet, which is implemented as an overlay network that is difficult to reach from ordinary networks, in contrast with the surface web, which is accessible through standard search engines such as Google or Yahoo [6] (see Figure 1).

Figure 2 shows the relay bandwidth of Tor; the relay bandwidth has risen continuously, which indicates that Tor usage is also rising continuously.

Therefore, the use of the dark web, including Tor and other overlay networks, can be expected to keep increasing. In addition, a decentralized network web service shares the darknet's characteristic that user actions are difficult to track, so there is a high possibility that the crimes committed on Tor sites will also be committed on decentralized network web services. In the case of ZeroNet, one such service, it is easy to create services for criminal purposes, and such services can be discovered. In this environment, digital investigators must use the information on the suspect's computer to find clues that help prove the case [7]. ZeroNet operates as client and server programs running on the user's PC that are accessed through a general web browser. Therefore, analyzing the traces left by the ZeroNet client is expected to help a forensic investigation track and verify the user's actions, identify the web service the user accessed, and discover the users who shared it. However, since no forensic method exists for the ZeroNet client, research on a digital forensic method to track and verify these actions is needed.

Accordingly, this study selected ZeroNet among the various decentralized network web services, analyzed how ZeroNet operates, and identified artifacts that can serve as digital forensic evidence. Section 2 describes decentralized network web services, which are hidden-network-based web services, and the similar Tor network. Section 3 analyzes and defines the operating principle of ZeroNet and the related artifacts. Sections 4 and 5 construct scenarios, present a measure for applying digital forensics using the identified artifacts, and conclude.

2. Theoretical Background

2.1. Decentralized Network Web Services

A decentralized network web service is characterized by users exchanging information through a peer-to-peer service, without the web hosting servers that general web services and Tor, the well-known hidden network service, rely on. This removes the single point of failure that a hosting server problem creates in existing web services, so its strength lies in the high flexibility of its service reliability.

2.1.1. ZeroNet

ZeroNet is a web platform built on cryptographic techniques and the BitTorrent network, which aims at “open, free, and uncensorable network communication” [8]. Once a user’s data are uploaded to ZeroNet, both static files that are not updated, such as documents or music files, and dynamic content that requires regular data updates, such as blogs, can be served from ZeroNet. Although ZeroNet has the security weakness that third parties can observe its unencrypted network communications, this problem can be overcome by using ZeroNet together with the Tor browser [9].

2.1.2. Beaker

Beaker was developed by Blue Link Labs in 2017 and released as open source [10]. Users run Beaker as a web browser that performs P2P communication based on the DAT protocol [11] using directories called Hyperdrives. Data providers can publish and distribute web services with the Beaker browser without configuring or hosting a separate web server.

2.1.3. SAFE Network

The Secure Access for Everyone (SAFE) network proposes a method of accessing apps that places a high emphasis on data security [12] and supports messaging, apps, e-mail, social network services, data repositories, and videoconferencing. The SAFE network issues SafeCoin in return for the free hard drive space and processing resources of all SAFE users on the network, thereby forming a global P2P-based network [13].

2.2. Tor (The Onion Router)

Tor is a deep web service platform [14] using the onion routing network developed by Paul Syverson, Michael G. Reed, and David Goldschlag of the U.S. Naval Research Laboratory in the mid-1990s. It provides anonymity because the network path from the source Internet protocol address to the destination cannot be identified, and its sites use the “.onion” domain, which can be reached only with the Tor browser. Currently, the Tor project is managed by the Electronic Frontier Foundation (EFF), an international nonprofit organization, and the Tor network is used by general users as well as the military, journalists, law enforcement, and activists. Although there are studies on digital forensic techniques for the Tor browser and the use of the Tor protocol, no case studies on decentralized network web services such as ZeroNet were found. Thus, a study of the operational structure of ZeroNet and of digital forensics for its identifiable artifacts is needed to cope with crimes committed through decentralized network web services.

3. Operation Principles and Artifacts of ZeroNet

3.1. ZeroNet Overview

ZeroNet is a P2P-based decentralized network web service developed by Tamas Kocsis in 2015. Unlike general web services, it has no central server that processes requests; a web service is accessed through communication between the peer that owns the information of the site to be connected and the peer that requests it. A ZeroNet website address is called a “zite” and uses a 34-byte public key. This is equivalent to the Bitcoin wallet address system [15] and is later used when downloading the files that make up a website and when verifying the integrity of the web service configuration files. ZeroNet finds a peer that owns the information of the site to be connected through the BitTorrent tracker, and the required site configuration files are obtained by running the ZeroNet network protocol against the peer information obtained from the tracker. Because a client that has obtained the site configuration files simultaneously acts as a peer that serves those files when other users request them later, a web service can operate without a central server. ZeroNet also provides a variety of related services: ZeroHello, which lists statistics and “zites” of ZeroNet; ZeroTalk, which acts as a forum where notices and comments can be written; ZeroBlog, a demonstration blog page; ZeroMail, which uses cryptographic methods between the two ends; and ZeroMe, a social network service.

3.2. Operation Principles of ZeroNet

ZeroNet can be accessed through commonly used web browsers such as Chrome; no additional client browser is needed to reach the services. When a user attempts to connect to a website listed as a “zite,” the ZeroNet client must first download the files that make up the site, which requires communication with a peer that owns them. Note that the ZeroNet client, the dedicated connection program for accessing ZeroNet zites, must therefore be running. The ZeroNet client is written in Python 3, and executable distribution packages are offered for operating systems such as Windows, macOS, Linux, and Android, alongside a Docker image that runs independently of the operating system. The ZeroNet client provides the environment through which the user’s computer accesses ZeroNet, communicating on port 43110 on localhost unless the default setting is changed. Once the ZeroNet client is run, it connects to ZeroHello, whose address is 1HeLLo4uzjaLetFx6NH3PMwFP3qbRbTf3D. Figure 3 shows the format of the entire address. Addresses ending in “.bit” can also be used in place of the 34-byte public key in Bitcoin wallet address format [16].
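Because a “zite” address has the same form as a Bitcoin wallet address, an investigator can sanity-check candidate addresses recovered from a suspect's PC before treating them as evidence. The following Python is an added example written for this page, not ZeroNet's own code; it assumes that a zite address is a Bitcoin-style Base58Check string (version byte 0x00, 20-byte hash, 4-byte double-SHA-256 checksum), which is what the equivalence to the Bitcoin wallet address system implies, and the hash bytes used in the demonstration are constructed.

```python
"""Sanity check for ZeroNet "zite" addresses (added example, not ZeroNet code).

Assumption: a zite address is a Bitcoin-style Base58Check string:
    base58( version(0x00) || hash160(20 bytes) || checksum(4 bytes) )
where checksum = SHA256(SHA256(version || hash160))[:4].
"""
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# address-shaped token: leading '1' (version 0) followed by base58 characters
ADDRESS_RE = re.compile(r"\b1[1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    # each leading 0x00 byte is encoded as a leading '1'
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        if ch not in ALPHABET:
            raise ValueError(f"not a base58 character: {ch!r}")
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def make_address(hash160: bytes, version: int = 0) -> str:
    """Encode a 20-byte hash as a version-0 Base58Check address."""
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))


def is_valid_zite_address(addr: str) -> bool:
    """True if addr decodes to 25 bytes with version 0 and a matching checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] != 0:
        return False
    return checksum(raw[:21]) == raw[21:]


def find_zite_addresses(text: str) -> list[str]:
    """Return the address-shaped tokens in text (e.g. carved strings) that pass the check."""
    return [c for c in ADDRESS_RE.findall(text) if is_valid_zite_address(c)]


if __name__ == "__main__":
    # the ZeroHello address quoted in the text above
    print("ZeroHello valid:", is_valid_zite_address("1HeLLo4uzjaLetFx6NH3PMwFP3qbRbTf3D"))
    # constructed hash, round-tripped through encode and validate
    demo = make_address(bytes(range(1, 21)))
    print(demo, is_valid_zite_address(demo))
```

The checksum rejects addresses with a single corrupted character, which matters when candidate strings come from carving or from partially overwritten logs; `find_zite_addresses` applies that filter to free text so only structurally valid zite addresses are reported.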

To fetch a site requested by the user, the ZeroNet client requests peers from the BitTorrent tracker using the “zite” address. The tracker provides the client with a list of peers corresponding to the requested “zite,” and the client uses that list to request files from a peer. It first requests the “content.json” files, which include the configuration information, such as the list of the site’s “zite” configuration files and the values used to verify their integrity. The client then receives the site configuration files from the peer based on “content.json” and finally presents the content to the user. Figure 4 illustrates the operation process.

In summary, the ZeroNet client searches for peers by communicating with the BitTorrent tracker when browsing the “zite” requested by the user, requests the site from a peer, and then presents the downloaded configuration files to the user. Thus, a personal computer on which the ZeroNet client was run must hold traces such as the “zite” information and the downloaded data, which it in turn distributes to other users requesting the content of that specific “zite”; this is why a forensic investigation is needed to identify the user's actions.

3.3. Collection of ZeroNet Artifacts

ZeroNet is a Python 3 program that runs on various operating systems. Packages are distributed so that ZeroNet can be run easily on Windows, Linux, macOS, and Android, among others, and a Docker image is also provided to run ZeroNet simply. This section therefore collects and analyzes the paths, files, and directories of the artifacts created when the ZeroNet client is run. The ZeroNet client was installed and run on each operating system, its artifacts were acquired and collected, and the results were analyzed to check whether the same files were created on every operating system.

To collect ZeroNet artifacts on Windows, Linux, and macOS, the ZeroNet client suitable for each operating system was installed. Figure 5 shows the flowchart of the execution process; when the steps were executed in the order shown in Figure 5, this study verified the creation of new directories and files under the installation subdirectories. Note that on the Android operating system the data cannot be verified in the manner shown in Figure 5, so the LG application backup feature, which backs up application data, was used to collect the data (see Figure 6).

The backup files have the extension “.lbf,” and data in the tar file format [17] can be found starting at file offset 0xCC00. The data created by the ZeroNet mobile application can be acquired by carving the file from offset 0xCC00 and then extracting and decompressing that portion [18]. This study verified the creation of new directories and files under the paths /data/data/in.canews.zeronetmobile/files/ZeroNet-py3 in internal storage and /Android/data/net.mkg20001.zeronet/files/zero in external storage.
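The carving step described above can be scripted so that it checks for a tar (or gzip-compressed tar) signature at the stated offset before extracting anything, which guards against carving the wrong offset on a backup produced by a different tool version. The following Python is an added example, not code from the paper or from LG; the only fact taken from the text is the 0xCC00 offset. The layout of the bytes preceding the archive is not described on the page, so the sample backup built here uses opaque constructed padding, and the member paths reuse the internal-storage path given above.

```python
"""Carve the tar archive embedded in an LG ".lbf" backup (added example).

Assumption: the tar data begins at file offset 0xCC00, as stated in the text
above. The 0xCC00-byte header in front of it is constructed as opaque padding
because its real layout is not described on the page.
"""
import io
import tarfile

TAR_OFFSET = 0xCC00          # offset reported on the page
USTAR_MAGIC_OFFSET = 257     # "ustar" sits 257 bytes into a tar header block
GZIP_MAGIC = b"\x1f\x8b"
ZERONET_PREFIX = "data/data/in.canews.zeronetmobile/files/ZeroNet-py3/"


def build_sample_lbf(files: dict[str, bytes]) -> bytes:
    """Constructed .lbf-like blob: opaque header followed by an uncompressed tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    header = b"LBF-HEADER-CONSTRUCTED".ljust(TAR_OFFSET, b"\x00")
    return header + buf.getvalue()


def looks_like_tar(blob: bytes, offset: int) -> bool:
    """Signature check before carving: gzip magic or ustar magic at offset."""
    if blob[offset:offset + 2] == GZIP_MAGIC:
        return True
    magic = blob[offset + USTAR_MAGIC_OFFSET:offset + USTAR_MAGIC_OFFSET + 5]
    return magic == b"ustar"


def carve_lbf(blob: bytes, offset: int = TAR_OFFSET) -> dict[str, bytes]:
    """Return {member path: contents} for regular files in the embedded archive."""
    if not looks_like_tar(blob, offset):
        raise ValueError(f"no tar/gzip signature at 0x{offset:X}")
    # mode "r:*" lets tarfile detect gzip/bz2/xz compression on its own
    with tarfile.open(fileobj=io.BytesIO(blob[offset:]), mode="r:*") as tar:
        out = {}
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
        return out


def zeronet_members(extracted: dict[str, bytes], prefix: str = ZERONET_PREFIX) -> list[str]:
    """Member paths under the ZeroNet data directory (e.g. data/content.db)."""
    return sorted(path for path in extracted if path.startswith(prefix))


if __name__ == "__main__":
    sample = {
        ZERONET_PREFIX + "data/content.db": b"SQLite format 3\x00",  # constructed stub
        ZERONET_PREFIX + "log/debug.log": b"constructed log line\n",
        "other/app.cfg": b"unrelated app data",
    }
    blob = build_sample_lbf(sample)
    print(looks_like_tar(blob, 0), looks_like_tar(blob, TAR_OFFSET))
    print(zeronet_members(carve_lbf(blob)))
```

On a real backup, `looks_like_tar` failing at 0xCC00 is the signal to scan for the signature rather than to extract blindly; the extracted dictionary can then be written out to a working directory and the `data` and `log` subdirectories handled exactly as on the desktop platforms.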

Docker is an open-source project that runs applications through semivirtualization [19]. ZeroNet can be run in Docker using the nofish/ZeroNet image distributed by ZeroNet. Docker was run on the Linux operating system, and the ZeroNet client was run in Docker following the execution order of ZeroNet described above. To check the files created in Docker, newly created, modified, or deleted files were listed with the command “docker diff [ZeroNet Client Image name],” and the files created by the ZeroNet client were verified in the /root directory. Table 1 lists the environment, collection paths, and targets configured to collect artifacts on each operating system.

In each collection path, data and log directories were created, and their subdirectories held directory structures unique to the ZeroNet client, with no significant difference between operating systems. Thus, in Section 3.4, the artifacts are analyzed targeting these data and log directories and the files inside them.

3.4. Analysis of ZeroNet Artifacts

While a user uses the ZeroNet client, the information about each site is stored among the files created in the data directory. The files created in its subdirectories are listed in Table 2.

There is a subdirectory whose name contains the “zite” address, in which the files created when communicating with each site are stored (2 to 16 in Table 2). These include html, css, and js files, and the information on all downloadable files is stored in “content.json.” The file “content.db” is an SQLite [22] database that holds the information about “content.json,” the downloadable files, the peers used for file sharing, and the connected site addresses.

The main tables in “content.db” are as follows. The content table holds the path of each “content.json” file relative to the “zite” address directory, together with the list of files that can be downloaded from the site and the content.json file’s modified time, size, and downloadable file size. The file_optional table holds the list of downloadable files; a record is added even if the user does not download the file. It stores the file path, site address, record addition time, file download time, file access time, and whether the file was downloaded; for a record whose file has not been downloaded, all time fields are “0.” The peer table holds the information on the peers that share files for accessing the site: the shared site, IP address, port, peer-added time, and peer-found time. Finally, the site table stores the site addresses to which the user connected. Table 3 illustrates the main tables in content.db.

4. Measure to Use Scenario-Based Digital Forensics

4.1. Analysis of ZeroNet Artifacts

Downloaded illegal content: a user discovers a “zite” that distributes illegal content through ZeroNet, a decentralized network web service, and attempts to download it. The user is assumed to download a compressed .rar file containing a BitTorrent file through which the illegal content, such as child sexual exploitation videos, can be downloaded as a torrent (see Figure 7).

Act of hiding evidence: to hide evidence, the user deleted all records of the Chrome web browser and of the BitTorrent client used for downloading with an antiforensic tool. The storage medium of the user's personal computer is assumed to be a solid state drive (SSD) with the TRIM function activated [23], so the related data cannot be recovered even when recovery of the deleted files is attempted with disk forensics technology (see Figure 8).

Nonetheless, the ZeroNet artifacts were neither manipulated nor removed, so any traces of the user's use of the ZeroNet client found with a digital forensic tool can be used as evidence. The environment in which the digital forensic analysis of the scenario was performed is presented in Table 4.

4.2. Experimental Results of Digital Forensics

4.2.1. Prefetch Analysis

The prefetch function was used to find traces of executing a “.torrent” file to download illegal content on the user’s computer. Prefetch is a Windows feature that improves program start-up performance, and prefetch artifacts are created whenever a program is executed [24]. The prefetch results revealed execution records of Chrome and of the ZeroNet client, and no traces of other web browsers were found. However, all traces of Chrome had been removed, so no general Internet connection traces were found. To check for additional crime traces, the program path of the ZeroNet client can be obtained from the prefetch information and its artifacts verified (see Figure 9).

4.2.2. Analysis of ZeroNet Artifacts

The ZeroNet client’s prefetch entry was examined with WinPrefetchView [25], a prefetch analysis tool. The results verified the existence of a ZERONET-WIN-DIS-WIN64 directory on the desktop of the user named IEUser, containing the ZeroNet.exe used to run the ZeroNet client. Investigation of “content.db,” found in a subdirectory of ZERONET-WIN-DIS-WIN64, verified the traces of a downloaded .rar file in the file_optional table (see Figure 10).

4.2.3. Specifying the Files to Prove the Charge and Collecting Additional Data

Examination of the file_optional table showed that, of the three files with the .rar extension, the one present on the storage medium after being downloaded to the user's personal computer was 1462779532420.rar, whose is_downloaded column held “1” (true). This file was downloaded from the website address with site_id 20, and its file path was the subdirectory /files/1462779532420.rar under the directory whose name contains the address. Thus, the file can be located in the ZeroNet folder by looking up the address with site_id 20 in the site table of “content.db.” The full path at which the file was discovered was “ZERONET-WIN-DIS-WIN64\<{Address}>\files\1462779532420.rar” (see Figure 11).

In addition, the information on the peers that distributed the site can be found in the peer table of “content.db.” Unless a hidden browser such as Tor was used, the IP address and port of the users who distributed the files can be verified, which can be put to good use in the digital forensic investigation (see Figure 12).
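The table descriptions in Section 3.4 and the lookups just performed in Section 4.2.3 (resolve is_downloaded rows to a path via the site table, then list the peers that shared the site) can be expressed as a few SQLite queries over content.db. The following Python is an added example, not ZeroNet's code or the paper's tooling: the schema is modelled on Section 3.4, and apart from site_id and is_downloaded, which the text names, the column names are assumptions; the rows, zite addresses and peer IPs are constructed to mirror the scenario (three .rar records, one actually downloaded from site_id 20). It also adds the consistency check that the conclusion calls for, flagging rows whose download flag contradicts their timestamps.

```python
"""Reconstruct and query a ZeroNet content.db (added example, not ZeroNet code).

Schema modelled on Section 3.4; column names other than site_id and
is_downloaded are assumptions. Rows are constructed for the scenario.
"""
import sqlite3

SCHEMA = """
CREATE TABLE site (site_id INTEGER PRIMARY KEY, address TEXT);
CREATE TABLE content (content_id INTEGER PRIMARY KEY, site_id INTEGER,
    inner_path TEXT, modified INTEGER, size INTEGER, size_files_optional INTEGER);
CREATE TABLE file_optional (file_id INTEGER PRIMARY KEY, site_id INTEGER,
    inner_path TEXT, size INTEGER, time_added INTEGER, time_downloaded INTEGER,
    time_accessed INTEGER, is_downloaded INTEGER);
CREATE TABLE peer (site_id INTEGER, address TEXT, port INTEGER,
    time_added INTEGER, time_found INTEGER);
"""

# placeholder zite addresses (not real sites) and a constructed epoch base
ZITE_20 = "1PlaceholderZiteAddressForSiteId20XX"
ZITE_21 = "1PlaceholderZiteAddressForSiteId21XX"
T0 = 1_600_000_000

SAMPLE_ROWS = {
    "site": [(20, ZITE_20), (21, ZITE_21)],
    "content": [(1, 20, "content.json", T0, 2048, 30_000_000)],
    # undownloaded records carry 0 in their time fields, as Section 3.4 states
    "file_optional": [
        (1, 20, "files/1462779532420.rar", 10_000_000, T0 + 10, T0 + 60, T0 + 120, 1),
        (2, 20, "files/1462779532421.rar", 10_000_000, 0, 0, 0, 0),
        (3, 21, "files/1462779532422.rar", 10_000_000, 0, 0, 0, 0),
    ],
    # constructed peers using RFC 5737 documentation address ranges
    "peer": [(20, "198.51.100.7", 15441, T0 + 5, T0 + 50),
             (20, "203.0.113.9", 15441, T0 + 6, T0 + 55),
             (21, "192.0.2.4", 15441, T0 + 7, T0 + 58)],
}


def load_db(rows=SAMPLE_ROWS) -> sqlite3.Connection:
    """Build an in-memory content.db from the given rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, recs in rows.items():
        if recs:
            marks = ",".join("?" * len(recs[0]))
            db.executemany(f"INSERT INTO {table} VALUES ({marks})", recs)
    db.commit()
    return db


def downloaded_files(db, root="ZERONET-WIN-DIS-WIN64"):
    """Records with is_downloaded=1, resolved to their on-disk path via the site table."""
    cur = db.execute("""
        SELECT s.site_id, s.address, f.inner_path, f.time_downloaded
        FROM file_optional AS f JOIN site AS s ON s.site_id = f.site_id
        WHERE f.is_downloaded = 1
        ORDER BY f.time_downloaded""")
    result = []
    for site_id, address, inner_path, downloaded in cur:
        win_path = root + "\\" + address + "\\" + inner_path.replace("/", "\\")
        result.append({"site_id": site_id, "path": win_path, "time_downloaded": downloaded})
    return result


def peers_for_site(db, site_id):
    """Peers that shared the site: (ip, port, time_added, time_found)."""
    return db.execute(
        "SELECT address, port, time_added, time_found FROM peer "
        "WHERE site_id = ? ORDER BY time_found", (site_id,)).fetchall()


def inconsistent_records(db):
    """Rows whose download flag contradicts the download/access times (Section 3.4
    rule: undownloaded files have 0 times). Hits suggest content.db was edited."""
    return db.execute("""
        SELECT file_id, inner_path FROM file_optional
        WHERE (is_downloaded = 1 AND time_downloaded = 0)
           OR (is_downloaded = 0 AND (time_downloaded != 0 OR time_accessed != 0))
        ORDER BY file_id""").fetchall()


if __name__ == "__main__":
    db = load_db()
    for rec in downloaded_files(db):
        print(rec)
        for ip, port, _, found in peers_for_site(db, rec["site_id"]):
            print("  shared by", ip, port, "found at", found)
    print("inconsistent rows:", inconsistent_records(db))
```

Against a real content.db the same queries run unchanged once the connection points at the file; the timestamps are Unix epoch values in the constructed rows, and `inconsistent_records` returning anything is a prompt to treat the database as possibly manipulated rather than as authoritative.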

In this scenario, the user applied antiforensics to the PC on which ZeroNet was used: the Chrome browser and its files were removed in order to erase the traces of the user's access to ZeroNet. Forensics through the browser thus became impossible, but in place of the Chrome artifacts, the artifacts of the ZeroNet client presented in this paper were discovered and analyzed with the technique described here. From them, the access time, the site address, and the peer information used for dissemination can be obtained and used as evidence to prove the user's crime. The ZeroNet client forensic technique presented in this paper can therefore be used in forensic investigations to check whether ZeroNet was used for a crime, to check the list of zites accessed through ZeroNet, to obtain the list of files downloaded through ZeroNet, and to obtain the list of peers that shared those files.

5. Conclusion

In this study, anticipating an increase in crime using decentralized network web services similar to Tor, artifact identification and analysis for forensic investigation of ZeroNet, one such service, was performed on the Windows, Linux, macOS, and Android operating systems. The analysis of the artifacts identified the files downloaded from the decentralized network, their time information, and the peers that shared the files. To verify the analysis results, a hypothetical scenario was constructed, performed, and analyzed. In particular, the scenario assumes that a ZeroNet user accesses a specific website, downloads a file, and then removes traces to hide the criminal record, and the digital forensic technique that can be applied under that assumption is expected to be highly useful. However, if the user understands ZeroNet and manipulates the files in the ZeroNet client directory, the study is difficult to apply, and a further drawback is that the means of verifying that no manipulation has occurred are insufficient. Research is therefore needed on verifying the integrity of the ZeroNet client data collected from a user's PC. In addition, there remain various decentralized network web services that cannot be accessed with a general web browser, such as the deep web or dark web. Responding to crimes committed through them calls for continued digital forensic research on web services that run over such hidden networks.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was partly supported by the Institute of Information and Communications Technology Planning and Evaluation (IITP) grant funded by the Korea government (MSIT) (no. 2021-0-00493, 5G Massive Next Generation Cyber Attack Deception Technology Development, 45%), Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (NRF-2020R1A2C1012187, 45%), and the Gachon University research fund of 2021 (GCU-202106330001, 10%).