Authors: Pascal Tippe, Daniel Spiekermann, Adrian Tippe

DFRWS USA 2026

Abstract

Digital forensics education relies heavily on static datasets, which often fail to replicate the complexity of investigating live, anonymous infrastructures. This paper bridges the gap between theoretical anonymization technologies and isolated forensic artifacts by presenting a novel training environment grounded in historical case data. We first analyzed court documents from 16 high-profile Onion Service takedowns, revealing that successful investigations leverage multiple information sources and rely primarily on linking information and technical misconfigurations rather than protocol exploits. We operationalized these findings into DarkMarket, a containerized simulation that requires trainees to navigate a multi-layered investigative chain ranging from identifying information leaks to executing active scanning. A qualitative pilot study with four active-duty law enforcement digital forensic practitioners validated the environment’s realism while highlighting a structural gap: current forensic taxonomies proved insufficient for live Onion Service investigations, which instead required adaptive, hypothesis-driven methodologies. Furthermore, we observed a potential Technical Halo Effect, where the robust frontend security led experts to heuristically overestimate the adversary’s backend competence. These findings underscore that effectively attributing high-value targets requires expanding forensic competencies to include the controlled, active verification strategies found in Network Investigative Techniques.
