Artifacts Analysis and Utilization of Decentralized Web Service ZeroNet for Digital Forensics

Recently, various decentralized network web services are emerging. However, the decentralized network web service is not well exposed to general users because it is difficult to access it using a general portal search engine. This point is similar to the deep web, and in the case of Tor (The Onion Routing), a kind of deep web. It has been used for various online crimes such as distribution of child pornography and online drug dealing, and its usage is continuously increasing. Therefore, the decentralized network web service is also likely to be abused for crimes, and forensic investigation techniques are needed to respond to the crime of the decentralized network web service. This paper is about artifact analysis to identify traces of users accessing and actioned on ZeroNet, which is one of the decentralized network web services, and the digital forensic method for applying to forensic investigations for decentralized network web services. As a result, the method of acquiring artifacts for meaningful user access trace analysis and the storage structure of access record trace data were analyzed for a total of five platforms including Windows and macOS. As a result of analyzing the acquired data, it was able to identify users who distributed decentralized network web services through the illegal decentralized network web service address accessed by the user, a list of files downloaded to access the decentralized network web service and BitTorrent. In addition, it constructed a hypothetical scenario and presented a plan to use it from the perspective of forensic investigation. Through this thesis, when ZeroNet, a kind of decentralized network web service, is found on the user's PC during a forensic investigation, it contributes to the development of forensic investigation techniques by presenting a method to obtain a list of decentralized network web service addresses, downloaded files, and users sharing files.