The use of the un-indexed web, commonly known as the deep web and dark web, to commit or facilitate criminal activity has drastically increased over the past decade. The dark web is an infamously dangerous place where all kinds of criminal activities take place [1-2]. Despite advances in web forensics techniques, tools, and methodologies, few studies have formally tackled deep and dark web forensics or the technical differences it introduces in investigative techniques and in the identification and extraction of artefacts. This research proposes a novel and comprehensive protocol to guide and assist digital forensics professionals in investigating crimes committed on or via the deep and dark web. The protocol, named D2WFP, establishes a new sequential approach to investigative activities: it observes the order of volatility and applies a systematic approach covering all browsing-related hives and artefacts, which ultimately improves accuracy and effectiveness. Rigorous quantitative and qualitative research was conducted by assessing D2WFP through a scientifically sound and comprehensive process across different scenarios; the results show an apparent increase in the number of artefacts recovered when adopting D2WFP, which outperforms current industry and open-source browsing forensics tools. The second contribution of D2WFP is its robust formulation of artefact correlation and cross-validation, which enables digital forensics professionals to better document and structure their analysis of host-based deep and dark web browsing artefacts.