Investigator Use
The Tor Project develops and maintains the Tor anonymity network, the Tor Browser, and the infrastructure that enables private and censorship-resistant internet access. For OSINT investigators, the Tor Project's resources serve two distinct purposes: understanding the technology that subjects under investigation may be using to conceal their activities, and using Tor operationally to conduct investigations without revealing the investigator's IP address.
What investigators study through the Tor Project: how Tor routing works and its forensic implications, the Tor relay network and its use in concealing origin IPs, browser fingerprinting defenses built into Tor Browser, and the infrastructure behind .onion services. Understanding Tor is essential for analyzing cases involving dark web activity.
What the Tor Project exposes: educational resources on Tor's architecture, relay and bridge statistics via Tor Metrics, the Tor relay list for identifying network participants, historical data on network usage and traffic patterns, and documentation on how law enforcement has (and has not) been able to de-anonymize Tor users.
For operational security during investigations: OSINT practitioners working on sensitive cases — particularly dark web investigations — may use Tor Browser to access target sites without revealing their institutional IP address. Tor's multi-hop routing makes attribution significantly harder, though not impossible.
Tor Metrics provides valuable OSINT intelligence. The relay search at metrics.torproject.org lists all known Tor relays with their IP addresses, contact information, and capabilities. When an IP appears in a threat investigation, checking whether it is a known Tor exit node is an important attribution step. The ExoneraTor tool (hosted separately from the Tor Project site) confirms whether an IP was a relay at a specific date and time.
Limitations: Tor Browser significantly reduces browser fingerprinting but does not provide complete anonymity. Exit node traffic is unencrypted to the destination unless HTTPS is used. Law enforcement has de-anonymized Tor users through browser exploits, traffic analysis, and operational security mistakes.
In a workflow: pair the Tor Project's documentation with the ExoneraTor database when analyzing IPs in an investigation. Use Tor Browser operationally only when investigating sensitive targets that would be alerted by your institution's IP range appearing in their access logs.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
Ahmia
Dark Web OSINT
Ahmia indexes Tor hidden services, enabling investigators to search .onion sites by keyword without the Tor browser.
BlackWeb
Dark Web OSINT
BlackWeb is a community-maintained blacklist of malicious and spam domains for network filtering and threat infrastructure identification.
Dark Web Tools
Dark Web OSINT
IACA Dark Web Tools is a law enforcement-oriented collection of resources for searching Tor hidden services and dark web content.
Onion Inspector
Dark Web OSINT
Onioff inspects .onion URLs to verify availability, extract page metadata, and map Tor hidden service content for dark web OSINT.
Onion Links
Dark Web OSINT
Find the best onion links list here. Working onion links for 2025 with the best dark web links to explore. All working and updated.
Onion Scan
Dark Web OSINT
OnionScan investigates dark web sites for misconfigurations, operator errors, and links to clearnet infrastructure revealing real identities.