✅ Browse .onion sites through Tor.
✅ Capture evidence with Forensic OSINT inside Google Chrome.
✅ Choose between a quick setup (lower security) and a VM + Whonix setup (most secure).

Why it’s less secure:
Only Chrome is routed through Tor. Other apps on your host can still reach the internet directly.
If the host OS is compromised or misconfigured, traffic can leak outside Tor.
Good for quick checks, not ideal for higher-risk investigations.
When Tor Browser is running, it creates a local SOCKS5 proxy on localhost:9150.
If you launch Chrome with special startup flags, Chrome sends all of its web traffic into that proxy.
Result: Chrome uses Tor’s network (without using Tor Browser itself).
The key is that you must start Chrome using the Tor-enabled launcher every time you want Tor routing.
1) Install and start Tor Browser. Leave it running so the local proxy is available:
https://www.torproject.org/download

Tor Browser must be installed, started, and left running in the background for Chrome to connect through Tor.
If Tor Browser is closed, Chrome will not use Tor and your real IP address will be exposed.
2) Create and use a Tor-enabled Chrome launcher:
Windows
• Close all Chrome windows.
• Copy your Chrome desktop shortcut; rename the copy to "Chrome (Tor)".
• Right-click Chrome (Tor) → Properties → Target.
• Append the flags below (after the existing path):
--proxy-server="socks5://localhost:9150" --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"
• Apply → OK.
• To use Tor: double-click the Chrome (Tor) icon you just created.

macOS
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
--proxy-server="socks5://localhost:9150" \
--host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"
Linux
google-chrome \
--proxy-server="socks5://localhost:9150" \
--host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"
3) Verify Tor is active:
In Chrome (launched with the Tor shortcut/command), visit https://check.torproject.org.
You should see confirmation that you are using Tor.

4) Install Forensic OSINT Chrome extension:
https://chromewebstore.google.com/detail/forensic-osint-full-page/jojaomahhndmeienhjihojidkddkahcn
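A guarded launcher for the Linux command above, added here as an example and not part of the original guide: it starts Chrome with the same two flags only if something is listening on localhost:9150 and no Chrome process is already running, because command-line flags apply only to the first Chrome process. The function names and the `--launch` switch are assumptions; `ss` and `pgrep` supply the live state.

```sh
#!/bin/sh
# Added example, not from the original guide: guarded Tor launcher for Linux.
PORT=9150   # Tor Browser's local SOCKS5 port, as given in the guide

# Reads `ss -ltnH` output on stdin; succeeds only if a socket is listening
# on a loopback address at $PORT.
socks_listening() {
    awk -v port="$PORT" '
        BEGIN { v4 = "127.0.0.1:" port; v6 = "[::1]:" port }
        $1 == "LISTEN" && ($4 == v4 || $4 == v6) { ok = 1 }
        END { exit !ok }'
}

# $1 = `ss -ltnH` output, $2 = count of running Chrome processes.
# Prints OK, or the reason launching is unsafe (and returns 1).
preflight() {
    if ! printf '%s\n' "$1" | socks_listening; then
        echo "BLOCK: nothing listening on localhost:$PORT, start Tor Browser first"
        return 1
    fi
    if [ "${2:-0}" -gt 0 ]; then
        echo "BLOCK: Chrome is already running, new windows would attach to it"
        return 1
    fi
    echo "OK"
}

# Live use on the host: gather real state, then start Chrome with the
# same two flags the guide gives.
launch() {
    preflight "$(ss -ltnH)" "$(pgrep -c -x chrome)" || return 1
    exec google-chrome \
        --proxy-server="socks5://localhost:$PORT" \
        --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"
}

# Nothing is launched unless the script is called with --launch.
case "${1:-}" in
    --launch) launch ;;
esac
```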
When Chrome is already running, every new Chrome window will attach to the first process that was launched.
This means:
Why it’s more secure:
You use two virtual machines.
The Whonix Gateway VM is the only machine allowed to touch the internet; it forces all traffic through Tor.
Your investigation VM (where Chrome + Forensic OSINT run) sits on an isolated internal network and can only reach the gateway.
Even if the browser or investigation VM is compromised, your real IP cannot bypass Tor because there’s no direct route to the internet.
The gateway VM has two virtual network cards: one for the internet (NAT) and one for a private “Whonix” internal network.
Your investigation VM has one virtual network card attached only to that same internal network.
You give the investigation VM a static IP, point its gateway/DNS at the Whonix Gateway IP, and that’s it — every packet must go through the Tor gateway.
1) Whonix Gateway — this VM handles all Tor routing for the internal network (network name is usually Whonix).
2) Investigation VM — we recommend using the Trace Labs OSINT VM since it comes preloaded with many OSINT tools and is actively maintained. However, you can use any VM you prefer (Ubuntu, Windows, or another OS). The same setup steps below will work regardless — just make sure you install Google Chrome and the Forensic OSINT extension inside this VM.
Trace Labs VM Credentials:
• Trace Labs OSINT VM default login: osint / osint.
• Whonix often auto-logs in as user. If prompted, try user with a blank password.
1) Install VirtualBox:
https://www.virtualbox.org/wiki/Downloads
2) Import and start the Whonix Gateway VM:
• Download the official Whonix Gateway image and import it into VirtualBox.
https://www.whonix.org/wiki/VirtualBox
• Start the VM and wait for Tor to finish connecting.

3) Confirm Whonix Gateway network adapters (VirtualBox → Settings → Network):
• Adapter 1: NAT (internet access)
• Adapter 2: Internal Network with Name: Whonix

4) Add your Investigation VM:
• Option A: Import the Trace Labs OSINT VM, then log in with osint / osint.
https://www.tracelabs.org/initiatives/osint-vm

• Option B: Create your own VM (Ubuntu or Windows) and install normally.
5) Attach the Investigation VM to the Whonix internal network:
• In VirtualBox → Settings → Network.
• Set Adapter 1 to Internal Network.
• Name: Whonix (must match exactly).
• Ensure no other adapter gives direct internet access.

6) Configure a static IP inside the Investigation VM (Ubuntu example):
• IPv4 Method: Manual/Static
• IP address: 10.152.152.11
• Netmask: 255.255.192.0
• Gateway: 10.152.152.10
• DNS: 10.152.152.10
• Save and toggle the network interface off/on to apply.


7) Install Google Chrome (Appendix A) and then the Forensic OSINT extension (Appendix B).
8) Verify Tor is active inside the Investigation VM:
Open https://check.torproject.org in Chrome.
You should see confirmation that you are using Tor.
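An added check for steps 5 and 6 (example code, not from the original guide): run inside the Investigation VM, it reads `ip` output and reports any default route that does not go via 10.152.152.10 and any address outside the 10.152.152.x / 255.255.192.0 network. Function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original guide: audit the Investigation VM's
# IPv4 setup against the guide's values (gateway 10.152.152.10, /18 netmask).
GW=10.152.152.10

# Reads `ip -4 route show` output on stdin; one finding per line.
check_routes() {
    awk -v gw="$GW" '
        $1 == "default" {
            seen = 1
            if ($2 != "via" || $3 != gw)
                print "LEAK: default route bypasses " gw ": " $0
        }
        END { if (!seen) print "FAIL: no default route, gateway is not set" }'
}

# Reads `ip -o -4 addr show` output on stdin; flags any non-loopback address
# outside 10.152.128.0/18 (10.152.152.x with netmask 255.255.192.0).
check_addrs() {
    awk '
        NF < 4 || $2 == "lo" { next }
        {
            split($4, cidr, "/"); split(cidr[1], o, ".")
            if (!(o[1]+0 == 10 && o[2]+0 == 152 && o[3]+0 >= 128 && o[3]+0 <= 191))
                print "LEAK: " $2 " has " $4 ", outside the Whonix network"
        }'
}

# $1 = route output, $2 = address output. Prints findings, returns 1 if any.
audit() {
    findings=$(printf '%s\n' "$1" | check_routes
               printf '%s\n' "$2" | check_addrs)
    if [ -z "$findings" ]; then echo "OK: only path is via $GW"; return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: a NAT adapter was left attached next to the internal one.
BAD_ROUTES='default via 10.0.2.2 dev enp0s8 proto dhcp metric 100
default via 10.152.152.10 dev enp0s3 proto static metric 101
10.152.128.0/18 dev enp0s3 proto kernel scope link src 10.152.152.11'
BAD_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: enp0s3    inet 10.152.152.11/18 brd 10.152.191.255 scope global enp0s3
3: enp0s8    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s8'

audit "$BAD_ROUTES" "$BAD_ADDRS" || true
# On the VM: audit "$(ip -4 route show)" "$(ip -o -4 addr show)"
```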

Daily use tip:
Always start the Whonix Gateway first and let Tor connect, then start the Investigation VM.
No proxy flags are needed in Chrome for this method — the VM cannot reach the internet any other way, so all traffic is forced through Whonix.
Shared API mode:
• In the Forensic OSINT extension settings, connect to your Shared API.
• Captures sync automatically to your backend.
• You can later log in from another machine to download Reports and Full Disclosure Packages.
• This is the easiest method for teams or when working across multiple computers.
Isolated mode (local-only):
• In this mode, you do not connect the Forensic OSINT extension to the Shared API.
• All captures remain stored locally inside the Investigation VM.
• To move evidence out, you must manually export each capture. You can either:
Important note:
This process is more time-consuming, but it is the best option for air-gapped systems or highly restricted environments where network connections are not permitted.
• Refer to the Export/Import support page for step-by-step instructions.
Tor check fails:
• Ensure both VMs are running: Whonix Gateway and your Investigation VM.
• Investigation VM Adapter 1 should be Internal Network with Name set to Whonix.
• Double-check the static IP values: 10.152.152.11 / 255.255.192.0 / 10.152.152.10.
• Wait a couple of minutes for Tor to connect inside Whonix.
• Ensure your host machine has internet access.
I cannot ping anything from the Investigation VM:
• This is normal. Tor does not pass ICMP (ping).
• Use the browser to test instead.
Trace Labs login does not work:
• Default credentials are osint / osint. Change after first login.
Whonix asks for a password:
• Many builds auto-login.
• If prompted, try username user and press Enter for a blank password.
Chrome is not installed:
• Follow Appendix A to install Chrome inside the Investigation VM.
• If dependencies fail, use the “fix broken” command shown there.
• This guide reduces common leak paths by isolating your investigation inside a VM routed through Whonix, but it does not guarantee anonymity.
• Do not sign in with personal accounts.
• Treat the Investigation VM as disposable. Take snapshots and reset often.
• Always follow legal and organizational requirements.
• Quick method: fast setup, less secure, fine for quick checks.
• VM + Whonix: stronger isolation, all traffic forced through Tor, best for real investigations.
• Forensic OSINT works in both. Use Shared API for easy syncing or Isolated mode for maximum control.
Appendix A: Install Google Chrome
1) Open Terminal in the Investigation VM.
2) Download Chrome:
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
3) Install:
sudo apt install ./google-chrome-stable_current_amd64.deb -y
If dependencies fail, run:
sudo apt --fix-broken install -y
sudo apt install ./google-chrome-stable_current_amd64.deb -y
4) Launch Chrome:
google-chrome
Appendix B: Install the Forensic OSINT extension
1) Open Google Chrome.
2) Go to the Chrome Web Store.
3) Search for “Forensic OSINT”.
4) Click “Add to Chrome” → “Add extension”.
5) Confirm the extension icon appears in the toolbar.

1) Ensure the Whonix Gateway is running and connected to Tor.
2) On the Investigation VM, open Chrome.
3) Visit https://check.torproject.org.
4) You should see a success message confirming Tor usage.


Minimum Requirements: