Secure Dark Web Evidence Capture Guide

Configure Forensic OSINT to capture evidence securely on the dark web using Tor

What You'll Achieve

This guide walks you through two methods for routing Google Chrome through Tor so you can capture dark web evidence with Forensic OSINT.

Browse .onion Sites

Access dark web sites through Tor securely using Google Chrome.

Capture Evidence

Use Forensic OSINT inside Google Chrome to capture and preserve dark web content.

Choose Your Setup

Pick between a quick setup (lower security) or a VM + Whonix setup (most secure).

Tor and Forensic OSINT working together for secure dark web investigations.

Quick Method — Tor Browser as a Local Proxy

Lower Security

Only Chrome is routed through Tor. Other apps on your host can still reach the internet directly. If the host OS is compromised or misconfigured, traffic can leak outside Tor. Good for quick checks, not ideal for higher-risk investigations.

How It Works

When Tor Browser is running, it creates a local SOCKS5 proxy on localhost:9150. If you launch Chrome with special startup flags, Chrome sends all of its web traffic into that proxy — routing it through Tor's network without using Tor Browser itself.

The key is that you must start Chrome using the Tor-enabled launcher every time you want Tor routing.

Steps

1. Install and start Tor Browser

Leave it running so the local proxy is available.

Download Tor Browser

Leave Tor Browser running to provide the local SOCKS5 proxy on port 9150.

Important: Tor Browser must be installed, started, and left running in the background for Chrome to connect through Tor. If Tor Browser is closed, Chrome will not use Tor and your real IP address will be exposed.

2. Create a Tor-enabled Chrome launcher

Windows

  1. Close all Chrome windows.
  2. Copy your Chrome desktop shortcut; rename the copy to "Chrome (Tor)".
  3. Right-click Chrome (Tor) → Properties → Target.
  4. Append the flags below after the existing path:

     --proxy-server="socks5://localhost:9150" --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"

  5. Apply → OK.
  6. To use Tor: double-click the Chrome (Tor) icon you just created.

Windows Chrome shortcut Properties with the Tor proxy flags appended to the Target field.

macOS

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
  --proxy-server="socks5://localhost:9150" \
  --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"

Linux

google-chrome \
  --proxy-server="socks5://localhost:9150" \
  --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"

3. Verify Tor is active

In Chrome (launched with the Tor shortcut/command), visit check.torproject.org. You should see confirmation that you are using Tor.

Chrome confirming Tor is active.

4. Install Forensic OSINT Chrome extension

Install the extension from the Chrome Web Store.

Important Note on Chrome and Tor

When Chrome is already running, every new Chrome window attaches to the first process that was launched. If your first Chrome window was started with the Tor shortcut, all new windows will also route through Tor. If your first window was started normally, clicking the Tor shortcut afterward will bypass Tor.
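A fail-closed version of the Linux launcher, as an added example that is not part of the original guide. It refuses to start Chrome when nothing is listening on the Tor Browser proxy port, and it uses a dedicated profile so the Tor window cannot attach to a Chrome process that was started without the flags. The profile path and function names are hypothetical; `--user-data-dir` is a standard Chrome flag that the guide itself does not use.

```bash
#!/usr/bin/env bash
# Added example: fail-closed "Chrome (Tor)" launcher for Linux.
# Assumptions: bash, google-chrome on PATH, Tor Browser's SOCKS5 proxy on
# port 9150 (from the guide). Profile path and function names are hypothetical.

TOR_HOST="127.0.0.1"
TOR_PORT="9150"
# Chrome keeps one process per profile directory. A dedicated profile means
# this launcher never joins a Chrome session that was started without Tor.
# The Forensic OSINT extension has to be installed once inside this profile.
TOR_PROFILE="${HOME}/.config/chrome-tor-profile"

# Return 0 only if something accepts TCP connections on host:port.
# Uses bash's built-in /dev/tcp, so no extra tools are required.
port_open() {
  (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

# Start Chrome with the guide's two flags, or refuse if the proxy is down.
launch_chrome_tor() {
  if ! port_open "$TOR_HOST" "$TOR_PORT"; then
    echo "No proxy on ${TOR_HOST}:${TOR_PORT}. Start Tor Browser first; Chrome not launched." >&2
    return 1
  fi
  google-chrome \
    --user-data-dir="$TOR_PROFILE" \
    --proxy-server="socks5://localhost:${TOR_PORT}" \
    --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost" \
    "https://check.torproject.org/" &
}

# Launch only when called with --run, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
  launch_chrome_tor
fi
```

Save it as a script and run it with `--run`; the first page it opens is the Tor check from step 3.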

Most Secure Method — VM + Whonix Gateway

Why it's more secure: You use two virtual machines. The Whonix Gateway VM is the only machine allowed to touch the internet; it forces all traffic through Tor. Your investigation VM sits on an isolated internal network and can only reach the gateway. Even if the browser or investigation VM is compromised, your real IP cannot bypass Tor.

How It Works

The gateway VM has two virtual network cards: one for the internet (NAT) and one for a private "Whonix" internal network. Your investigation VM has one virtual network card attached only to that same internal network. You give the investigation VM a static IP, point its gateway/DNS at the Whonix Gateway IP, and every packet must go through the Tor gateway.

What You'll Run in VirtualBox

Whonix Gateway

Handles all Tor routing for the internal network. The network name is usually Whonix.

Investigation VM

We recommend the Trace Labs OSINT VM (preloaded with OSINT tools), but any VM (Ubuntu, Windows) works. Install Chrome and Forensic OSINT inside this VM.

Note: Whonix provides a secure Workstation VM, but it is not required. You can use any VM as your investigation machine as long as it is attached to the Whonix internal network.

Default credentials:

  • Trace Labs OSINT VM: osint / osint
  • Whonix: often auto-logs in as user. If prompted, try user with a blank password.

Steps

1. Install VirtualBox

Download and install from virtualbox.org.

2. Import and start the Whonix Gateway VM

Download the official Whonix Gateway image and import it into VirtualBox.

Download Whonix Gateway

Import the Whonix Gateway OVA into VirtualBox.

Start the VM and wait for Tor to finish connecting.

Wait for Tor to fully connect before starting your Investigation VM.

3. Confirm Whonix Gateway network adapters

In VirtualBox → Settings → Network:

  • Adapter 1: NAT (internet access)
  • Adapter 2: Internal Network with Name: Whonix
Whonix Gateway network adapter configuration.

4. Add your Investigation VM

Option A: Import the Trace Labs OSINT VM, then log in with osint / osint.

Download the Trace Labs OSINT VM.
Import the Trace Labs OSINT VM OVA into VirtualBox.

Option B: Create your own VM (Ubuntu or Windows) and install normally.

5. Attach the Investigation VM to the Whonix internal network

In VirtualBox → Settings → Network:

  • Set Adapter 1 to Internal Network.
  • Name: Whonix (must match exactly).
  • Ensure no other adapter gives direct internet access.
Investigation VM network adapter set to the Whonix internal network.

6. Configure a static IP inside the Investigation VM

Ubuntu example — set IPv4 Method to Manual/Static:

  • IP address: 10.152.152.11
  • Netmask: 255.255.192.0
  • Gateway: 10.152.152.10
  • DNS: 10.152.152.10

Save and toggle the network interface off/on to apply.

Static IP configuration for the Investigation VM.
Disconnect and reconnect the network to apply the new static IP settings.

7. Google Chrome and Forensic OSINT are pre-installed

The Trace Labs OSINT VM comes with Google Chrome and the Forensic OSINT extension already installed for quick and easy access. No additional setup is needed.

If you are using your own VM instead, follow Appendix A to install Chrome and Appendix B to install the Forensic OSINT extension.

8. Verify Tor is active

Open check.torproject.org in Chrome. You should see confirmation that you are using Tor.

Investigation VM running Tor with Forensic OSINT installed.

Daily use tip: Always start the Whonix Gateway first and let Tor connect, then start the Investigation VM. No proxy flags are needed in Chrome — the VM cannot reach the internet any other way, so all traffic is forced through Whonix.

Using Forensic OSINT: Shared API vs. Isolated Workflows

Shared API Mode

Connect to your Shared API in the extension settings. Captures sync automatically to your backend. Log in from another machine to download Reports and Full Disclosure Packages. Easiest method for teams.

Isolated Mode (Local-Only)

Do not connect the extension to the Shared API. All captures remain stored locally inside the Investigation VM. Export evidence manually via Full Disclosure Package or use the Import/Export feature.

About Isolated Mode

This process is more time-consuming, but it is the best option for air-gapped systems or highly restricted environments where network connections are not permitted. Refer to the Export/Import support page for step-by-step instructions.

Troubleshooting

Tor check fails

  • Ensure both VMs are running: Whonix Gateway and your Investigation VM.
  • Investigation VM Adapter 1 should be Internal Network with Name set to Whonix.
  • Double-check the static IP values: 10.152.152.11 / 255.255.192.0 / 10.152.152.10.
  • Wait a couple of minutes for Tor to connect inside Whonix.
  • Ensure your host machine has internet access.

Cannot ping anything from the Investigation VM

  • This is normal. Tor does not pass ICMP (ping).
  • Use the browser to test instead.

Trace Labs login does not work

  • Default credentials are osint / osint. Change after first login.

Whonix asks for a password

  • Many builds auto-login.
  • If prompted, try username user and press Enter for a blank password.

Chrome is not installed

  • Follow Appendix A to install Chrome inside the Investigation VM.
  • If dependencies fail, use the "fix broken" command shown there.

Security Notes

Keep These in Mind

This guide reduces common leak paths by isolating your investigation inside a VM routed through Whonix, but it does not guarantee anonymity.

  • Do not sign in with personal accounts.
  • Treat the Investigation VM as disposable. Take snapshots and reset often.
  • Always follow legal and organizational requirements.

Summary

Quick Method

Fast setup, less secure, fine for quick checks.

VM + Whonix

Stronger isolation, all traffic forced through Tor, best for real investigations.

Forensic OSINT

Works in both. Use Shared API for easy syncing or Isolated mode for maximum control.

Appendix A — Install Google Chrome in the Investigation VM

1. Open Terminal in the Investigation VM

2. Download Chrome

wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb

3. Install

sudo apt install ./google-chrome-stable_current_amd64.deb -y

If dependencies fail, run:

sudo apt --fix-broken install -y
sudo apt install ./google-chrome-stable_current_amd64.deb -y

4. Launch Chrome

google-chrome

Installing Google Chrome inside the Investigation VM.

Appendix B — Install the Forensic OSINT Extension

  1. Open Google Chrome.
  2. Go to the Chrome Web Store.
  3. Search for "Forensic OSINT".
  4. Click "Add to Chrome" → "Add extension".
  5. Confirm the extension icon appears in the toolbar.
Install Forensic OSINT from the Chrome Web Store.

Appendix C — Verify Tor Routing

  1. Ensure the Whonix Gateway is running and connected to Tor.
  2. On the Investigation VM, open Chrome.
  3. Visit check.torproject.org.
  4. You should see a success message confirming Tor usage.
Chrome confirming Tor routing is active.
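The same verification as a terminal pre-flight check for the Investigation VM, as an added example that is not part of the original guide. It confirms that every IPv4 default route points at the Whonix Gateway address from step 6 and then asks check.torproject.org whether the connection arrives from Tor. It assumes `ip` and `curl` are installed and that the service's `/api/ip` endpoint returns JSON with an `IsTor` field; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pre-capture routing check for the Investigation VM.
# Assumptions: iproute2 and curl are installed; check.torproject.org/api/ip
# returns JSON containing "IsTor":true or "IsTor":false (assumed shape).

WHONIX_GW="10.152.152.10"   # gateway address from step 6 of the guide

# Read `ip -4 route show default` output on stdin and print the next hop of
# each default route. A default route with no "via" hop is printed as "none".
default_gateways() {
  awk '$1 == "default" {
         gw = "none"
         for (i = 2; i < NF; i++) if ($i == "via") gw = $(i + 1)
         print gw
       }'
}

# Succeed only if at least one default route exists and all of them point at
# the Whonix Gateway. Any additional default route is a possible leak path.
routes_only_via_whonix() {
  gws=$(default_gateways)
  [ -n "$gws" ] || return 1
  for gw in $gws; do
    [ "$gw" = "$WHONIX_GW" ] || return 1
  done
}

# Read the check service's JSON on stdin; succeed only on "IsTor":true.
json_says_tor() {
  grep -Eq '"IsTor"[[:space:]]*:[[:space:]]*true'
}

preflight() {
  ip -4 route show default | routes_only_via_whonix \
    || { echo "FAIL: default route is not solely via $WHONIX_GW" >&2; return 1; }
  curl -fsS --max-time 60 https://check.torproject.org/api/ip | json_says_tor \
    || { echo "FAIL: check.torproject.org did not confirm Tor" >&2; return 1; }
  echo "OK: routed via Whonix and confirmed as Tor"
}

# Run the checks only when called with --run.
if [ "${1:-}" = "--run" ]; then
  preflight
fi
```

Run it with `--run` before each capture session; a non-zero exit status means the VM should not be used until the network settings are corrected.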