Searching on Tor
Understanding Tor
The darknet is an encrypted area of the internet that is accessible only through special software. It is commonly used by cybercriminals.
Cyber attackers use it to leak victims' data from ransomware attacks. This data is then often used to identify new targets, particularly for phishing schemes.
Beyond cybercrime, political and religious activists use the darknet to discuss their upcoming actions and activities.
What Does OwlyScan Index?
OwlyScan indexes all unencrypted and unprotected data and archives, filtering out problematic content such as sexual content, drugs, and weapons.
OwlyScan focuses on textual data (it does not index images, videos, or any other multimedia content). It can handle various document types that contain text, even if they are within archives (e.g., a DOCX attached to an email inside a ZIP file).
OwlyScan extracts text content from documents, splitting larger documents while preserving paragraph integrity (approximately 100,000 words per segment). Queries are executed on these individual splits.
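As an added illustration of the split-then-query model (this is not OwlyScan's own code, and the exact grouping rule it uses is an assumption), the following Python groups whole paragraphs into segments under a word limit and then shows why a query with several keywords only matches when all of them fall into the same split:

```python
# Added illustration, not OwlyScan's code: paragraph-preserving splitting of a
# long document into query segments, in the spirit of the ~100,000-word splits
# described above. The grouping rule below is an assumption.
import re

PARAGRAPH_SPLIT = re.compile(r"\n\s*\n")   # a blank line separates paragraphs
WORD_RE = re.compile(r"\w+")

def split_document(text, max_words=100_000):
    """Group whole paragraphs into segments of at most `max_words` words.
    A paragraph is never cut in two; one that exceeds max_words on its own
    becomes a segment by itself (assumed behaviour)."""
    segments, current, count = [], [], 0
    for para in (p.strip() for p in PARAGRAPH_SPLIT.split(text)):
        if not para:
            continue
        n = len(para.split())
        if current and count + n > max_words:   # next paragraph would overflow
            segments.append("\n\n".join(current))
            current, count = [], 0
        current.append(para)
        count += n
    if current:
        segments.append("\n\n".join(current))
    return segments

def segments_with_all(segments, keywords):
    """Indexes of the segments that contain every keyword. This is what an
    implicit-AND query sees: the match is per split, not per whole document,
    so two keywords that land in different splits of one file never match
    together."""
    kws = [k.lower() for k in keywords]
    return [i for i, seg in enumerate(segments)
            if all(k in WORD_RE.findall(seg.lower()) for k in kws)]

# Constructed sample text (three short paragraphs), not real leaked data.
SAMPLE = (
    "Airbus leak notice. Internal memo shared by the group.\n\n"
    "Second paragraph about supplier invoices and payment terms in full.\n\n"
    "Boeing appears only here, in the final paragraph."
)
```

With a generous limit the sample stays in one segment and `segments_with_all(split_document(SAMPLE, 100), ["airbus", "boeing"])` returns `[0]`; with `max_words=12` each paragraph becomes its own segment and the same two keywords no longer co-occur anywhere, so the result is empty. In practice this means a multi-keyword query can miss a very large document whose matching words sit far apart.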
Writing a Query
OwlyScan searches are deliberately non-semantic, focusing on keyword-based matching to precisely identify results that relate to the specific domain of interest.
For example, if you are searching for entity X, you wouldn't want results about Y, even if Y operates in the same sector or is in the same city.
Once the initial results are gathered, further semantic searches can be performed by using the AI assistant.
Queries are conducted using keywords and optional advanced filters, called dorks.
Crafting an Effective Query
An effective query returns a manageable number of results that are contextually relevant to your specific needs.
TIP
Narrow or expand your search to get between 100 and 1,000 results for effective analysis.
Real-Time Query Preview
The right-hand panel provides a real-time approximation of the number of results available for your query. This helps you refine the query before submitting it, as searches consume a query token only upon confirmation.
Results are categorized based on their source:
- Ransomware: Related to ransomware groups
- Forum: Discussion groups with varying topics, akin to forums like 4chan or more localized activist cells
- Shop: Online marketplaces for goods
- Service: Online service providers
- BTC: Bitcoin-related content
- Links: Link directories
WARNING
A query token is consumed as soon as the Launch Search button is clicked.
Using the Query assistant
OwlyScan provides a query assistant to help users craft effective queries through an interactive form.
This assistant is similar to the Google query assistant, guiding users by suggesting and adding appropriate dorks to refine their search criteria.
Running a Query
To initiate a search, click the "Run Search" button. A query token will be consumed upon submission.
Depending on the query's complexity, results will be displayed within 20 to 30 seconds.
A search on the Darknet includes:
- Collecting results matching the search expression
- Generating exportable reports (in tabular format)
- Initializing the AI assistant to help interpret and utilize the results
Interpreting the Results
Display and Grouping of Data
Search results are grouped by URL to condense the display, especially when a URL contains multiple results or points to an archive. This grouping is indicated by the following symbol:
To expand the grouped results, click on them. To return to the general results list, click the blue "Back to results list" button:
Each result provides a snippet of text that can be expanded to display up to 100,000 characters.
Only the first 500 results are displayed initially. Users can click the "Load more results" button at the end of the page to load additional results, 500 at a time.
Reports can be exported by clicking the export button at the top of the page. This export will generate as many tabular files as there are multiples of 500 results:
WARNING
Avoid using the browser's back button, as it may disrupt the navigation experience.
Utilizing the AI Assistant
The AI assistant is specifically designed to provide insights tailored to your search results. For example, it will exclude unrelated results for entity X even if entity Y appears in the same document.
Explaining a specific result
Click on the AI assistant icon to explain a specific result:
Conducting Semantic Searches Within Results
The AI assistant can also facilitate semantic searches among the returned results:
Handling "Illegal" Content
Some results are marked as "illegal". These contain content that is restricted based on the client's level of accreditation, such as violent or otherwise shocking material.
If your results contain only illegal content, your query token will be automatically credited back.
Checking resource availability
OwlyScan now includes a feature to verify the availability of resources in real time directly from the search results. This ensures users can quickly determine whether a linked resource is still accessible on the Tor network before engaging with it.
Each result includes a "Check Availability" button. This button allows you to perform a real-time query on the Tor network to verify if the resource is still available. The status is displayed in a matter of seconds, helping you avoid time wasted on inaccessible resources.
The "Check Availability" button can display three statuses:
- Unset: When the status of the resource has not yet been checked, the button remains in its initial state.
- Resource Available: When the resource is confirmed as accessible on the Tor network, the button will display a success indicator.
- Resource Unavailable: If the resource is no longer accessible, the button will indicate that the resource is unavailable.
The availability check only verifies the resource at the time of the query.
Why might a resource be unavailable?
There are several scenarios where a resource may no longer be accessible:
- The website no longer exists: The site has been removed entirely from the Tor network.
- The website is temporarily unavailable: This is common, particularly for newer or less stable ransomware groups.
- The website is online, but the specific resource is unavailable: This can happen when data has been bought, removed, or is of interest to the operators.
Advanced Query Examples
Search Filters
All fields are case-insensitive.
| Filter | Description | Example |
|---|---|---|
| text | Case-insensitive search within documents | `text:myquery`, `myquery` |
| url | Full match on URL parts (separated by `/ - : ? & .`) | `url:test.onion` |
| title | Case-insensitive search within document titles | `title:myquery`, `myquery` |
| file | (archives only) Full match on file path parts (separated by `/ - : ? & .`) | `file:secrets.docx` |
| date | Filter on date (equals, before, after) | `date:2024-02-29`, `date:<2024-02-29`, `date:>2024-02-29` |
| level0 | Full match on TOR website categories: Ransomware, Shop, Forum, Links, Illegal | `level0:Ransomware` |
Examples of Queries
Resources containing /2024/ in the URL:

```plaintext
url:2024
```

Resources containing both guns and buy in their title:

```plaintext
title:guns title:buy
```

Resources containing "Airbus", indexed after the fifth of May:

```plaintext
airbus date:>2024-05-20
```

Note that this compact form is equivalent to:

```plaintext
(text:airbus OR title:airbus OR url:airbus) AND date:>2024-05-20
```

The AND operator can generally be omitted.

Airbus and Boeing door incidents, from ransomware groups. Note the use of the glob operator (*) to match plurals:

```plaintext
(airbus OR boeing) "door*" (accident* OR incident*) level0:ransomware
```
Operators
Search Term

```plaintext
"Airbus planes"
```

Equivalent to:

```plaintext
text:"Airbus planes" OR title:"Airbus planes" OR url:"Airbus planes"
```

OR Operator

The OR operator returns results matching a given search term OR an alternative term:

```plaintext
expr1 OR expr2
```

AND Operator

The AND operator returns results that contain both terms:

```plaintext
expr1 AND expr2
```

Or simply:

```plaintext
expr1 expr2
```

Glob Operator

The glob operator (*) matches any word that begins with the given prefix. It can only be used as a postfix, at the end of a word, not at the start:

```plaintext
startOfALongerWord*
```

Exclude Results

To exclude results containing a specific word, prefix it with a minus sign:

```plaintext
-wordToExclude
```
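To make the filter table and the operator rules above concrete, here is an added example (not OwlyScan's own implementation) of a small evaluator for this query syntax, run against constructed records so that a query can be checked offline before it costs a token. AND binding tighter than OR and the way body text is split into words are assumptions; the page does not state either.

```python
# Added example, not OwlyScan's own implementation: a toy evaluator that mirrors the
# query semantics documented above (case-insensitive keywords, implicit AND, OR, postfix
# glob, -exclusion, text/title/url/file/date/level0 filters) so a query can be checked
# offline before it costs a token. Word tokenisation and AND binding tighter than OR
# are assumptions; the page does not specify them.
import re
from datetime import date

FIELDS = {"text", "title", "url", "file", "date", "level0"}
# One token per parenthesis, OR/AND keyword, or term:  airbus  "Airbus planes"  -x  title:"a b"  date:>2024-05-20
TOKEN_RE = re.compile(r'\(|\)|\bOR\b|\bAND\b|-?(?:\w+:)?(?:"[^"]*"|[^\s()"]+)')
WORD_RE = re.compile(r"[\w*]+")        # words of text/title (keeps a trailing glob)
PART_SPLIT = re.compile(r"[/\-:?&.]")  # URL/file part separators listed in the table

def _word_match(pattern, word):
    # Postfix glob only: 'incident*' matches 'incidents'; no leading glob per the docs.
    return word.startswith(pattern[:-1]) if pattern.endswith("*") else word == pattern

def _phrase_in(pattern, words):
    # True if the words of `pattern` occur consecutively (glob-aware) in `words`.
    pat = WORD_RE.findall(pattern.lower())
    return any(all(_word_match(p, w) for p, w in zip(pat, words[i:i + len(pat)]))
               for i in range(len(words) - len(pat) + 1))

class _Parser:
    """Recursive descent: expr := and_expr ('OR' and_expr)*; and_expr := unary+ (AND implicit)."""
    def __init__(self, query):
        self.toks, self.i = TOKEN_RE.findall(query), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]         # IndexError on a truncated query
    def expr(self):
        node = self.and_expr()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.and_expr())
        return node
    def and_expr(self):
        node = self.unary()
        while self.peek() not in (None, "OR", ")"):
            if self.peek() == "AND":
                self.take()                  # an explicit AND is optional
            node = ("and", node, self.unary())
        return node
    def unary(self):
        tok = self.take()
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if tok.startswith("-"):              # -wordToExclude
            return ("not", self._term(tok[1:]))
        return self._term(tok)
    @staticmethod
    def _term(tok):
        m = re.match(r"(\w+):(.*)", tok, re.S)
        if m and m.group(1).lower() in FIELDS:
            return ("filter", m.group(1).lower(), m.group(2).strip('"'))
        return ("any", tok.strip('"'))       # bare term, expanded in matches()

def matches(node, doc):
    kind = node[0]
    if kind in ("or", "and"):
        left, right = matches(node[1], doc), matches(node[2], doc)
        return (left or right) if kind == "or" else (left and right)
    if kind == "not":
        return not matches(node[1], doc)
    if kind == "any":  # documented equivalence: X == text:X OR title:X OR url:X
        return any(matches(("filter", f, node[1]), doc) for f in ("text", "title", "url"))
    _, field, value = node
    value = value.lower()
    if field in ("text", "title"):
        return _phrase_in(value, WORD_RE.findall(doc.get(field, "").lower()))
    if field in ("url", "file"):  # full match on a single part; glob allowed
        return any(_word_match(value, p.lower()) for p in PART_SPLIT.split(doc.get(field, "")) if p)
    if field == "date":           # equals, before, after; a record without a date never matches
        if not doc.get("date"):
            return False
        op, val = (value[0], value[1:]) if value[0] in "<>" else ("=", value)
        d, q = date.fromisoformat(doc["date"]), date.fromisoformat(val)
        return {"=": d == q, "<": d < q, ">": d > q}[op]
    return doc.get("level0", "").lower() == value

def search(query, docs):
    tree = _Parser(query).expr()
    return [d["id"] for d in docs if matches(tree, d)]

DOCS = [  # constructed sample records (not real darknet data), shaped like indexed splits
    {"id": 1, "level0": "Ransomware", "date": "2024-06-01", "title": "Airbus incident report",
     "url": "http://example-leaks.onion/2024/airbus.docx",
     "text": "Cabin door incidents on Airbus planes were logged in March."},
    {"id": 2, "level0": "Forum", "date": "2024-04-10", "title": "Boeing doors",
     "url": "http://forum.example.onion/thread/88",
     "text": "Discussion of Boeing door plug accidents and the 737 fleet."},
    {"id": 3, "level0": "Shop", "date": "2024-05-25", "title": "Buy guns cheap",
     "url": "http://shop.example.onion/item/guns",
     "text": "Listing text unrelated to aviation."},
]
```

Against these records the page's own examples behave as documented: `search("url:2024", DOCS)` returns `[1]`, `search("title:guns title:buy", DOCS)` returns `[3]`, and the compact `airbus date:>2024-05-20` selects the same record as its expanded `(text:airbus OR title:airbus OR url:airbus) AND date:>2024-05-20` form. Dropping `level0:ransomware` from the door-incident query widens the hit list from `[1]` to `[1, 2]`, which is the kind of change the real-time preview count would show before a token is spent.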