Evolution of Dark Web Threat Analysis and Detection: A Systematic Approach

Dark Web is one of the most challenging and untraceable mediums adopted by the cyber criminals, terrorists, and state-sponsored spies to fulfil their illicit motives. Cyber-crimes happening inside the Dark Web are alike the real world crimes. However, the sheer size, unpredictable ecosystem and anonymity provided by the Dark Web services are the essential confrontations to trace the criminals. To discover the potential solutions towards cyber-crimes evaluating the sailing Dark Web crime threats is a crucial step. In this paper, we will appraise the Dark Web by analysing the crimes with their consequences and enforced methods as well as future manoeuvres to lessen the crime threats. We used Systematic Literature Review (SLR) method with the aspiration to provide the direction and aspect of emerging crime threats in the Dark Web for the researchers and specialist in Cyber security field. For this SLR 65 most relevant articles from leading electronic databases were selected for data extraction and synthesis to answer our predefined research questions. The result of this systematic literature review provides (i) comprehensive knowledge on the growing crimes proceeding with Dark Web (ii) assessing the social, economic and ethical impacts of the cyber-crimes happening inside the Dark Web and (iii) analysing the challenges, established techniques and methods to locate the criminals and their drawbacks. Our study reveals that more in depth researches are required to identify criminals in the Dark Web with new prominent way, the crypto markets and Dark Web discussion forums analysis is crucial for forensic investigations, the anonymity provided by Dark Web services can be used as a weapon to catch the criminals and digital evidences should be analysed and processed in a way that follows the law enforcement to make the seizure of the criminals and shutting down the illicit sites in the Dark Web.


I. INTRODUCTION
The World Wide Web (WWW) is a complex system that consists of unprecedented amount of digital information. The normal Internet used daily is accessible through standard search engines such as Google and Yahoo. However, there are large sections of the Internet that is unindexed and hidden from the normal search engines [141]. These concealed part of the Internet is Deep Web which is estimated to make up about 96 precent of the WWW [64]. Within the Deep Web a subset that is mostly used for illicit purpose is the Dark Web or Dark Net [7]. Criminal activities and illegal contents are used The associate editor coordinating the review of this manuscript and approving it for publication was Fabrizio Marozzo .
In 2013, when the US Federal Bureau of Investigation (FBI) shut down the most infamous marketplace Silk Road operating in the Dark Web, these criminal activities caught the attention of the public [153]. Hidden wiki and Deep search engines are the way to browse malicious intents and illicit contents in the Dark Web. These sites provide links access to many other links in Deep Web [64]. One of the main obstacles the forensic analysts face while investigating the criminals activity in the Dark Web is the anonymity presented in the Dark Web services. The contents and services provided by Dark Web are commonly used by anonymous services such as Tor, Freenet, I2P and JonDonym [110].
Most popular service in the Dark Web is the TOR network which provides the facility for the users to secretly share information anonymously via peer-to-peer connections instead of a centralized computer server [81]. This service was intended to access blocked content, use circumvent censorship and maintain privacy of sensitive communications by U.S. Naval Research Laboratory in 2002 [54]. Monitoring the Dark Web is very challenging due to the anonymous design structure of the TOR network. Criminals utilize the Onion Router (TOR) for navigating the Dark Web because of the untraceable and difficult to shut down infrastructure of TOR [39]. This is one of the reasons for the immense pressure on security agencies and law enforcement for monitoring and tracing the activities in the Dark Web.
Criminals usually setup a relay station in the TOR and conceal their criminal activities in the Dark Web. As a result, only the last TOR exit relay is located by the law enforcement when they link the IP address to the identify the committed crime using the TOR browser [110]. Researchers have developed various strategies and methods to monitor and detect different crimes and criminals in the Deep Web. Memex Project developed and implemented by the United States Defence Advanced Research Projects Agency (DARPA) is one of the successful data mining tool in Dark Web [75]. Some of the techniques to pro-actively monitor the hidden parts of the Internet was discussed in a study that include mapping the hidden services directory, social site monitoring, customer data monitoring, semantic analysis and marketplace profiling [39]. Law enforcement has also applied various methods to locate criminals those include social media, IP addresses, monitor activities of users, monitor Bitcoin accounts [98].
To identify the research questions with the justification of future research in any particular study area a systematic review of scientific literatures have many significances [109]. The systematic literature review (SLR) aims at identifying works of a specific area with systematic study via following several research steps and processes. Although some studies have been conducted by authors to analyse the Dark Web, any systematic literature review on the evaluation of the Dark Web in the context of threats is still insufficiently explored, which has motivated us to present this survey. This study aims to explore the emerging crime threats in the Dark Web such as drug transactions, terrorisms, human trafficking, markets for cybercrime tools and so on with their consequences and the corresponding crime monitoring and locating technologies. For this purpose, we have systematically selected and reviewed 65 articles relevant to our research aim. Thus the contributions of this paper are: • providing a survey on the emerging crimes happening in the Dark Web • the consequences of the crimes on social, economic and ethical structures • challenges and difficulties to trace the criminals • techniques and methods to locate the criminals and crimes with their limitations The remainder of this paper is organized as follows: Section II provides the implemented research methodology Section III describes our findings with results IV the demographic information about the selected papers. Section V shows the architectures of the selected papers and finally Section VI concludes our work with a discussion and future direction in this research.

II. RESEARCH METHODOLOGY
This section describes the Systematic Literature Review (SLR) method [87] used for conducting this review. We have also considered some recent studies with SLR method to apply in our work [66], [146]. SLR uses systematic methods to define research question, conduct literature search, screen the findings, extract the data from the selected findings, analyse and synthesize the findings qualitatively or quantitatively [11]. The methodology includes defining (i) the research questions (ii) relevant data sources and the search procedures (iii) inclusion and exclusion criteria (iv) extraction of data (v) analysis and synthesis of the data A. RESEARCH QUESTIONS Providing the summary of emerging crimes happening in the Dark Web with their consequences and defence techniques is the main goal of this work. Thus, the following research questions and the motivations are as follows: • RQ1: What are the rising threats in the Dark Web crimes? Identifying the type of Dark Web threats globally can help to show how the illegal contents and the services are accessed and what their consequences are. This raises the challenges and importance of creating better technologies and law enforcement to trace the criminals.
• RQ2: What types of techniques are applied to locate the criminals in Dark Web? Identify the law enforcement methods, applied and available technologies for tracing and detecting the crimes and criminals in the Dark Web. It gives the future path to apply different strategies with latest technologies along with law enforcement to defeat the cyber-criminals plan.

B. SEARCH STRATEGY AND SELECTION
We have followed the search strategy guidelines stated in [87] and [163] which is explained below in details. To collect the data for the review papers, electronically-based search was performed from IEEE Xplore, ScieneDirect, Springer, Scopus, ACM Digital Library and Google Scholar.
We included in our search term the Dark Web crimes mentioned in [33] and [153]. We have used the terms from our research questions in Section II.A. Boolean search operation with ANDS and ORs has been implemented to specific phrases. The search terms used for retrieving our relevant articles are presented in Table 1. However, this is to mention that  different search terms have been used for retrieving relevant publications. Also, a search for additional articles from the references of the relevant articles found was considered.
The matching of the strings in the search terms from the digital libraries are based on the title, abstract and keywords of the papers except the Springer library which does not allow to restrict the search in specific parts of the paper. We did the filtering and screening for selecting the most relevant papers based on the inclusion and exclusion criteria discussed below.
The inclusion and exclusion criteria followed in this survey are described in Table 2 and 3 respectively. After applying these screening steps with the inclusion and exclusion criteria 65 articles were selected for this review paper. The selected publications are listed in Appendix (A), Table 11. After applying the inclusive and exclusive criteria in our filtering process we ended up with 65 papers. The overall SLR article selection procedure applied in our survey paper is described in the Figure 1. Some of the selection techniques are described as follows.
•Automatic search: Using the search terms on the six database libraries mentioned with automatic search we could collect 1920 papers.
•Title-based selection: For a fast article picking method title based selection was performed. We choose the articles from the title of the paper that are relevant to our SLR. This made the number of papers to 581.
•Duplication removal: In this case duplicate papers were removed as some of the database indexes papers are available in the other databases. After removing the duplicates the number of articles reduced to 393.
•Abstract-based selection: To check whether the selected 372 papers are related to our SLR, the abstract of the papers were read. The irrelevant abstract articles were disregarded at this stage and 100 papers were selected.
•Full-text selection: Each of the 100 papers was completely read through and 65 papers were selected based on this.
Out of 65 papers, 18 were selected from IEEE Xplore, 22 papers were from Google Scholar, 6 articles were chosen from ScieneDirect, 9 papers were selected from Springer, 5 papers were selected from Scopus and the rest 5 papers were extracted from ACM Digital Library.

C. DATA EXTRACTION AND SYNTHESIS
To answer our research questions in this systematic literature review the procedure of data extraction and analysis of the data extracted from the filtered papers is discussed in this section. The extraction of data from the filtered articles has been done based on the data extraction form that is shown in Table 4. Microsoft Excel spread sheet was used to record the extracted data. To evaluate article suitability in accordance to answer the research question the quality attribute rules were applied. 6 QARs were identified and each one is worth 1 mark out of 10.The score is as follows ''fully answered''=1, ''above average''=0.75,'' average''=.50 and ''below average''=0.25,''not answered''=0. The overall score of the article will be the summation of marks obtained from the 6 QARs. If the result was 3 or higher, the article was considered to answer our RQs otherwise was excluded. The QARs are shown in Table 5.
For data synthesis on the extracted data we have used different procedures that aggregate the evidence to answer our RQs. The demographic data of the reviewed articles have been analysed using descriptive statistics. The demographic information result analysis is discussed and shown in section IV. The architectures of the literatures obtained from the data analysis process are discussed and shown in section V.
The data analysis process for our RQs is summarized in Figure 2. We have first identified the quality attributes from the selected articles based on the selection criteria for each RQ. Depending on the RQ we extracted the motivations and applied thematic analysis [43] to extract the themes from the articles.
RQ1: Depending on the quality attributes and selection criteria we first extracted the motivations from the papers and identified different architectures used in the literatures. After that we applied thematic analysis to extract the themes from the studies. Then we did the qualitative data analysis based on the themes extracted. This gives the architecture frameworks used in the literatures based on the themes. From Appendix A Table 11 ID 10, ID 26, ID 40 are themed as 'Terrorist and ISIS' study from the obtained motivation of these studies, as the studies says the Terrorism is one of the threatening crimes incurred with the Dark Web.ID 7, ID 53, ID 54, ID 55, ID 56 are themed as 'Drug transactions' study as the motivations obtained from these studies aim to the study of terrorist organizations on the Deep Web. The summary of the different architecture frameworks obtained from the RQ1 block is the input of the RQ2 block. Thus RQ1 provides important information that goes to RQ2.
RQ2: Our RQ2 data analysis is done based on the output of RQ1 that helps to organize the architecture of different literatures based on the analysis as shown in Figure 2. At the first step we extracted the motivations from the architectures summary to identify the characteristics of the models used in different frameworks of the architectures. These characteristics are the data size used, practical usage and the performance of the models. Then we applied thematic analysis to get the generalized models. This step defines the introduction and motivation of our architecture analysis. Once the generalized models are identified we analysed the proposed models to identify the different tools and techniques used in the models and applied thematic to obtain the generalized methods from the analysis. This step serves as the description and example exploration in the architecture analysis. To analyse the performance of methods applied in the models in the frameworks, we studied the experimental results and the consequences of the methods then applied thematic to get the final results and constrains from applied methods. Thus we got the result and constrains for our architecture analysis. From the RQ2 we could summarize the obtained analysis results as below.
Method: We found 9 generalized implemented crime and criminal detection methods in Dark Web those include Hash value analysis, Sock puppet and key informants, TOR attacks, exit node analysis, Monitoring network traffic, classification of network traffic, marketplace scarping, monitoring Dark Web. For example ID 2,ID 13,ID 18,ID19,ID 24,ID 27,ID 28, ID 29,ID 30,ID 32,ID 41,ID 49,ID50 Tools: We found 4 generalized law enforcement tool implemented in Dark Web crime forensics those include MLAT, DARPA, Bit coin flow, social media For example ID 9, ID 21, ID 35, ID 36, ID 65.

III. RESULT AND DISCUSSION
In this section, we will answer the two research questions and discuss the result obtained from this systematic review of the literature. The first research question (RQ1) is to determine the rising threats in the Dark Web crimes. We will address this at the subsection A. This subsection answers our RQ1 with subsection III.A.1 to III.A.8 giving the overview of the threats in the Dark Web occurred from the criminal activities. Our second research question (RQ2) is to analyse the different techniques applied to locate the criminals in Dark Web. To answer and analyse this we have discussed in the subsection B. The answer of our RQ2 is addressed in subsection III.B.1.a to III.B.2.i with the analyses of the methods and techniques applied against these threats. After this we present the third subsection III.C which evaluates the contents of the extracted 65 studies with their contributions in a summative way. Human trafficking and sex trafficking are a large part of crimes and has extremely been increased due to online forums, chat services and anonymousness of the Deep Web [49]. Human trafficking is considered a significant human rights challenge. About 2.5 million individuals worldwide are trapped in some form of modern-day slavery according to the United Nations Office on Drugs and Crime [73]. The victims are forced into slavery as beggars, sex workers, and child soldiers, factory workers, domestic workers, and laborers in different commercial industries. To recruit victims for human trafficking and sex trafficking human traffickers do negotiations and contracts.
Trafficking networks can avoid detection, censorship and surveillance system employed by the government and antihuman trafficking organizations as the networks used by traffickers are dynamic [90]. Human trafficking in the field of the hidden nature is difficult and challenging to identify. International Labor Organization (ILO) reported in 2017, Nearly about 40.3 million people were in modern slavery and this number includes 24.9 million in forced labor and 15.4 million in forced marriage in the year 2016. This concludes for every 1,000 people in the world there are 5.4 victims of modern slavery. It is alarming that in every four victims one is a victim of modern slavery. Around 16 million victims of forced labor out of 24.9 million were oppressed to domestic work, construction or agriculture, 4.8 million victims of forced sexual enslaved and the rest 4 million to forced labor. Women and girls are exploited to commercial sex industry and other sectors by 99% and 58% respectively [67].
To see the consequence of human trafficking, the report on human trafficking of can be brought into light where it was reported that in 2014 a federally-funded hotline for trafficking victims received more than 21,000 calls. During that same period, the Department of Justice secured 184 convictions for trafficking, up from 174 in 2013. Among the cases, 157 were victims of sex trafficking and 27 were focused on labor trafficking [125]. Victims of human trafficking are mostly innocent young girls from foreign countries who are manipulated, lied to, and often kidnapped and forced into prostitution [40].

2) PORNOGRAPHY INDUSTRY
Victims mostly exploited by pornography industry are women of human trafficking and sex trafficking [124]. Traffickers force victims by fear of assassination for pornography production once male-female sign agreement for accomplishing the acts. The sex trafficker's records video without the consent of victims and distributes those to interested parties through pornography industry. Traffickers also publishes recordings and photos in their websites [41].
Many web sites related to pornography are hosted in the Dark Web. Similar to human and sex traffickers, pornography industry use Dark Web, social media, online forums to recruit or kidnap victims hiding their identification [40]. New forms of criminal acts as well as extreme levels of violence are present in the online prostitution videos and images [71]. With the extensive use of social media prostitution has also become more sophisticated. From an investigative perspective of interviewing victims, witnesses and tracking behavior thus monitoring the prostitution activity are extremely difficult to conduct effectively [20].

3) ASSASSINS AND MARKETING
Dark Web is used by criminals to sell their assassin skills. MailOnline, White Wolves and C'thuthlu websites provided advertisement for criminals which mentioned the hiring amount of $10,000 in US and $12,000 in European [37]. For a police officer to high rankling politician this price ranges from 40 thousands to 15 million of hire price [45]. Hidden Wiki and Deep search engines are the most common ways to explore the Deep Web as these contains dozens of links to illicit onion sites [64].
Thirteen different illicit onion sites were listed by the researchers under the category of Commercial Services. Some most wanted findings were Black Market Reloaded forum, Sheep Market forum and the Silk Road forum [13].
From year 2011 to 2013 the Silk Road was the most prohibited Deep Web market for buying drugs, discussing same minded political beliefs with individual freedom, free markets, and limited government. Although the original Silk Road website was active for less than three years, during this small period it brought a huge impact. Silk Road users considered themselves entirely anonymous for the communications on because it was operated as a Tor hidden service. Furthermore, transactions on Silk Road could only be made using bitcoin transactions [95]. Bitcoin is the most common currency employed in all Tor hidden-services trade. Although Bitcoin transactions can be monitored but not easily deanonymised [112].
However, the popularity of Silk Road came to an abrupt end on October 1, 2013, when the FBI, IRS, and DEA seized the Silk Road market and arrested Ross Ulbricht the founder of Silk Road. He was accused in separate complaints of paying for the attempted murders of two business associates who he believed had crossed him. With an estimated value of $3.6 million, the Justice Department shut down the Silk Road website and seized Bitcoins [120].

4) DRUG TRANSACTIONS
Two types of drug markets within the Deep Web are usually found. These include the markets that are dedicated to one specific type of drug such as. heroin. Due to the product expertise and vendor customer relationship these type is much popular. The second type of drug markets is general shop for buyers where all types of illicit products are offered such as weapons, pornography, stolen jewelry, black-market cigarettes and credit cards. The vast assortment of narcotics, VOLUME 8, 2020 to include drug hardware and drug manufacturing chemicals are the most common items [38].
Anonymity of Deep Web has helped significant rise in drug transaction from the Deep Web which has created digital black market for drug. As no face to face communication is required for drug dealing, illicit vendors use Dark Web for buying and selling drugs. Silk Road was one of the examples in Dark Web marketplace that sold the drug over a billion dollar and posted drugs by DHL or drop shipping [8], [9], [17], [103], [148].
After Silk Road was shut down in October 2013, several other crypto markets rose on the Dark Net [30], [152]. Evolution, one of the most popular crypto markets active from January 2014 to March 2015 was studied in a research from Swiss point of view and found more than 48,000 listings and around 2700 vendors claiming to send illicit drug products from 70 countries. They identified three sellers located in Switzerland. The purchases were carried out to confront digital information such as shipping country, type of drug and so on. The illicit drugs purity was found different from the information in respective listings although digital information such as concealment methods and shipping country were accurate [126].
Another Dark Net marketplace for illegal drugs like marijuana, cocaine, and many other legal and illegal goods was Mr. Nice Guy. The security of the site is fairly good as well as the registration has a better level of protection than a standard site [50].

5) CHILD ABUSE
Children are using social media and many applications such as Omegle, Ask.fm that hide identity of users for communicating [42]. Pedophiles use the benefit of these applications to interact with the children. Dark Web is massively used by Pedophiles and related criminals for child pornography, sharing photos and pons. Freedom hosting used 550 servers all over the Europe that offered space to anyone for hosting porn form children [27], [64].
In operation pacifier the FBI arrested several hundreds of pedophiles from US and international territories which involves 2000,000 users, 23,000 explicit images and 9000 video files with explicit sexuality [62]. The suicide case of Amanda Todd, a 15-year-old Canadian girl, brought the global attention to online children abuse. She posted a YouTube video few weeks before her suicide recounting her ordeal in 2012 where she used a series of flash cards to tell her experience of being blackmailed into exposing her breasts via webcam, being bullied and physically assaulted [2].
Webcam child prostitution has become a growing threat of online child sexual abuse where the victim simply sells his/her live sexual images through Voice-over-IP (VoIP) applications. Using the video streaming feature of VoIP applications live child abuse images are produced and sold for profit [2], [123].
In 2011, freedom hosting firm was identified to host 95 percent of child porn on the TOR network. The site hosted around 100 child porn sites with thousands of users and was shut down in 2013 [121]. Freedom Hosting II was identified in 2017 by hackers that followed the previous one. Hackers claimed that over 50% of the content on Freedom Hosting was related to child pornography and the data are dumped but they can identify the users of these sites [144].
The largest child sexual exploitation site Welcome to Video operated by 23-year-old Jong Woo Son of South Korea was started on 2015. This operator has been charged in 2018 and the site has been tracked down. Officials around the world were arrested with a total of 337 Welcome to Video users in 23 US states, Washington DC, and in 11 other countries. This resulted the rescue of at least 23 abused children victims from United States, Spain and the United Kingdom by the site participants [115].

6) TERRORISM
Terrorism and terrorist organizations on the Deep Web are dangerous threat to national security. Terrorist organizations such as al-Qaeda/ISIS and ISIL ISIS have utilized the benefits of Dark Web to fulfill their negative motives and spread propaganda [18], [104], [157], [160].
The Islamic State in Iraq and Syria (ISIS) uses the Dark Web to solicit money to help, support their cause and as a means of passing information throughout the change of command. A technology editor for Defense One, stated that there is substantiated data that supports ISIS or ISIS supported groups are pursuing the Dark Web for a different reason other than passing false information for the purposes of indoctrination and self-aggrandizement. ISIS uses Bitcoins for services provided on the Dark Web. The U.S. Military monitors the Dark Web trying to track ISIS but the problem is that law enforcement and the military have not found a way to track ISIS on the Dark Web without infringing on privacy rights [149].
ISIS uses Dark Web as a weapon for terrorism where they provide live streaming and recording of death sentences of prisoners. They use Dark Web as broadcasting media where they upload small video clips of their inhuman activities. For recruiting the soldiers around the world they also use the Dark Web [137]. To protect the identities and get the safeguard from hackers, ISIS turned to the Dark Net. They spread news and propaganda from the attacks in Paris in November 2015 using Dark Net sites and online platforms.
ISIS's media outlet, Al-Hayat Media Center, posted a link and explanations on how to get to their new Dark Net site on a forum associated with ISIS. The message was sent by Telegram, an encrypted texting program used by ISIS for smartphones and Windows through a TOR browser line. The developers of Telegram were too confident to offer a cash reward who could break the security and solve the encryption [157].
ISIS coordinates by planning operations and discussing the command and control using a public forum, which is encoded. Applications like Skype and WhatsApp are used by them to send messages across the battlefield and have been able to use small drones to collect real time data to use as propaganda. ISIS recruits by using online magazines with slick production values to communicate their views as well as how to construct weapons for terrorist attacks [137]. Five categories of terroristic activities on the Internet are identified in various studies. Those include propaganda, recruitment and training, fundraising, communications and targeting [98], [168].

7) MARKETS FOR CYBERCRIME TOOLS AND STOLEN DATA
The anonymous marketplaces are one of the main sources for the cyber criminals to sell cybercrime tools and leaked or stolen data in the Dark Web. Black Market Reloaded forum, Sheep Market forum and the Silk Road were the most known and rising Dark Net market places those have been disappeared due to arrest [72] and voluntarily [13].
Following the path of the infamous Silk Road numerous crypto markets evolved. A large portion of these marketplace ecosystems has been analysed for the year 2013 to 2015 in [139]. These marketplaces include Agora, Atlantis, Black Flag, Black Market Reloaded, Tor Bazaar, Cloud 9, Deep Bay, Evolution, Flo Market, Hydra, The Marketplace, Pandora, Sheep Marketplace, Silk Road, Silk Road 2.0, and Utopia. Some of these marketplaces were seized by police, had voluntary shutdowns, and suspected fraudulent closures.
Alongside the selling of drugs pornography and weapon these online anonymous marketplaces are the main source of selling stolen or leaked information those include financial statements, credit card details, cloned pins and sensitive information [88]. Dark net marketplaces selling products and services on malicious hacking were investigated with various developed systems [12], [117], [128], [134]. Information of malicious tools and services that facilitate the cyber carding crime are exchanged by the data thieves and cyber criminals via underground black markets and forums were studied in [97].
Some of the studies have been undertaken on finding the vendors origin and the challenges on locating the information of the online anonymous marketplaces [76], [77], [78]. Until this paper writing date according to DNStats the rising and active marketplaces are Empire Market, TOCHKA Market, SLILPP, UAS Service RDP, Hydra, Wannabuy RDP, UNICC Shop, Cannazon, Monopoly Market, Tochka Market, Empire Market [52].

8) DARK NET CURRENCY EXCHANGE USING BITCOIN
Bit coin is a crypto currency that allows the Dark Net marketplace members to stay anonymous while transaction [74]. The Dark Net marketplaces often only accepts bit coin as a currency.Silk Road was one of the successful black marketplace that could earn over US$1.2 billion through this [95]. Bitcoin's legitimate use has been controversial but supported as a currency which rises and conceals the money laundering [25].
Money laundering is a three step process of making illegally gained dirty money. These are defined by the U.S.
Treasury's Financial Crimes Enforcement Network. The steps include placing the illegal money in the legitimate financial system, layering it within additional transactions and integrating it into the financial system with more transactions so the funds appear licit [60]. Elliptic's forensic analysis tool was used to identify bitcoins moving from illicit entities for the transaction data between 2013 and 2016 [60]. Because of the weakness with publicly available information stored in blockchain of Bitcoin this is vulnerable to analysis but criminals follows the Escrow system that ensures preventing scamming [3].

B. TECHNIQUES TO LOCATE CRIMINALS IN DARK WEB(RQ2)
Cybercrimes in the Dark Web and crimes in the real world are quite similar except that it is hard to track virtual crime using the Dark Web by the law enforcement. The anonymity provided by Dark Web services is one of the main problems some forensic analysts may face while trying to investigate criminal activity. Thus, this is hindering the forensic investigation of criminal activity. Many crime detection studies have been done on the Dark Web to locate the crimes or criminals. We will see the detection techniques and law enforcement methods applied and initiated for this purpose in the sub sections under law enforcement and detection method. This section answers our RQ2.

1) LAW ENFORCEMENTS
Smaller law enforcement agencies do not have the technical expertise to fight back specific crimes as cybercriminals have increased their abilities. There are several types of laws pertaining to criminal activity on the Dark Web including criminal law, civil law, and regulatory law. Criminal law relates to crimes at the government level of local, state, and federal. The type of penalty could range -from a fine to life in prison. Depending on the state the crime occurred in, punishment could be death. Civil law relates to a person or organization that has been held responsible and instructed to pay a fine or required to complete a service as part of the punishment. In regulatory law, the agency within a jurisdiction has the right to issue fines as punishment for activities. Regulatory agencies have the right to cease all business operation of individuals or company that are not in compliance [136].

2) SOCIAL MEDIA
To identify criminal activities in the Dark Web social media and Deep Web can be jointly used. Different media such as Twitter, Youtube and Facebook are used to identify suspects [142]. According to RSA, to communicate and sell stolen identities, credit card numbers and other information, cybercriminals rely heavily on social media platforms such as Facebook, Snapchat Instagram, WhatsApp, Telegram and other social media platforms [24].
The reason behind the usage of these platforms by cyber criminals is its quite easy to share and pass on anything including malware in the social sites. On average these VOLUME 8, 2020 platforms have additional techniques to scam such as adverts, sharing buttons and plug-ins compared to other websites. Moreover, hundreds to thousands people connected on these platforms creates convenience for the criminals to spread malware in a wider range [21]. A six-month global study by criminology expert at the University of Surrey in the UK on social media cybercrime in last year, found annual earnings of cybercriminals exploiting popular social platforms is nearly $3.25 billion [99].
On the positive side, social networking is providing pathways to solve crimes for the law enforcement officers. As there is large number of users in the social platforms, tips can be gathered by their online presences as well as observation of the crimes committed within their communities [129], [148]. Many of the successful track downs by police with the help of social media was the arrest of Raderius Glenn Collins a Florida burglar who posted a seven minute Facebook video bragging about a $500,000 jewelry heist that got 3,000 views; Derek Medina a 33-year old man was sentenced to life in prison for second-degree murder of his wife. The criminal posted the picture of his wife after killing her on Facebook and wrote about murdering her; Maxwell Marion Morton was charged with first-degree murder after he posted via SnapChat a selfie of a classmate who has been shot in the face; 71 people were arrested by Police in Cincinnati after a 9-month investigation used with the help of social media to identify key gang members [55].
Information found on social media with police records and reports were combined by University of Cincinnati's Institute of Crime Science to establish a link between suspects that helped the Police to arrest the gang [55]. As reported by LexisNexis, social media is used as an investigation tool by more than 80% of police departments [96]. The usage of social media in investigation in the year 2012 and 2014 is described by LexisNexis.

3) DARPA AND MEMEX
The Defense Advanced Projects Research Agency (DARPA) identified several tools on the market available to law enforcement to help with locating individuals that are using the Dark Web for criminal activities. In the past, the FBI used the Metasploit Decloaking Engine to help with their investigation of the Dark Web. Metasploit Decloaking Engine and Memex systems are used by US law enforcement agencies through indexing the Deep websites in an intelligent way to identify the criminals particularly the human traffickers in the Deep Web [47].
The process of finding criminal operating on the Dark Web has been made easy for the law enforcement by DARPA (Defense Advanced Research Projects Agency) by developing a suite of tools, collectively known as Memex [56], [107]. These tools are primarily written in Python and were developed in collaboration with various universities [47]. In 2012, the Drug Enforcement Agency (DEA) completed a two-year investigation on Dark Web based marketplace called the Farmer's Market, which distributed drugs to over 3,000 customers in dozens of countries and all 50 states in the U.S. According the DEA's press release, the TOR network was used to facilitate the operation. TOR masked the IP addresses by allowing the routing of transactions and email to be diffused throughout various relays all over the world. Farmer's Market used many forms of payment for the illicit goods including electronic methods. During the roundup, federal agents and local law enforcement also seized hashish, LSD and MDMA, as well as an indoor psychotropic mushroom grow and three indoor marijuana grows [80].

4) BIT COIN FLOW
Bit coins are the virtual money used for transaction in the Deep Web [69]. The bit coin flow in the Dark Web is used by the law and policing agencies to locate criminals. The criminal's activity can be monitored by the law enforcement agencies by analyzing the bit coin flow. One of the successful examples of identifying criminals from Deep Web is the Silk Road server [95]. FBI identified the location of server through bit coin transaction flow in Iceland data center. Silk Road was operated using TOR which is an anonymous network but the site was identified due to a misconfiguration in Silk Road's login page which described the IP addresses and physical location of the server [73]. FBI also has been successfully able to hack the underground discussion board darkode where criminals join every day and share information, discusses for criminal activities [61]. The massive Dark Web child-pornography site named Welcome to Video that was launched on June 2015 has been shut down in 2018 March [115].
The arrest and surrender of the site's operator, Jong Woo Son has been announced in a joint press conference by the U.S. Attorney's Office for the District of Columbia, the Justice Department's Criminal Division, the IRS Criminal Investigation (IRS-CI), and U.S. Immigration and Customs Enforcement's Homeland Security Investigations (HSI), together with the National Crime Agency of the United Kingdom and Republic of Korea. This takedown has been possible by tracing bitcoin transactions other than any hacking or encrypted communication [57]. The site used to charge fees in bitcoin from every user and give unique bitcoin wallet address to the user account. IRS-CI traced the bitcoin transactions on the site by the people from all over the world who downloaded and uploaded materials to the site. They were also succeeded in identifying the location of the site administrator. The agents of IRS-CI analyzed the blockchain and deanonymized bitcoin transaction which resulted the identification of hundreds of the predators from all around the world [57].

5) MLAT
The Mutual Legal Assistance Treaty (MLAT) helps aid law enforcement in support of their investigations. To assist law enforcement, the U.S. conducts a joint investigation that permits more than one country to be involved in the criminal investigation. The analysts can initiate an official event notifying the Office of International Affairs (OIA) and generating MLAT protocols [68].
MLAT is one of the established methods for law enforcement sharing information across borders. If a state seeks access to digital evidence that is outside the border of that state, a formal request is required to be fired The aim of MLAT is protecting the legal rights of people those are questionable of offshore offending [156]. However, The MLAT process is slow as it often takes months, the structure is opaque and due to too many requests under stress and thus inconvenient. In 2013, a search warrant was issued by the US government to Microsoft for seizing the information of a specific email account. But Microsoft could oppose it as the emails were on the server storage located in Ireland [143].

6) CRIME DETECTION
To fight back the emerging crimes growing in the anonymous Dark Web the importance of detecting the perpetrators and the associated crimes is inimitable. Although this is a very challenging task to analyze the untraceable anonymous networks used by the cyber criminals, many techniques and methods have been developed that can be implemented in this area.

a: HASH VALUE ANALYSI
Identification and collection of digital evidence is one of the main criteria to put criminals under law enforcement in the cyber-crime as these types of crimes are performed in computer based systems [154]. Hash functions play powerful role in cryptography to prove any evidence is authentic during the investigation. Hash functions produce has values that represent the original message from which they have been computed [46]. Some popular hash algorithms are MD5,SHA-1,SHA-256,SHA-512 [84], [155].
TOR has a complicated structure with thousands of internal nodes and hash value computations that is untraceable but the exit node can be analyzed. [51], [110]. Hash value analysis at the exit node layer of the onion routing can be implemented to find the destination of the connecting server [10], [119]. Many researches have been done applying the hash value analysis for the detection of crime and digital forensics. These studies include analysis of crimes [82], approximate matching for digital forensic [22], [23], [31], [91], [130], analysis of malware [85], steganography software detection [92], fraud detection and financial crime detection [86].

b: SOCK PUPPETS AND INFORMANT ANALYSIS
Sock puppet is a false online identity or the same person having multiple usernames to communicate in the online [122]. This method is mostly utilized by the cyber criminals to do ID theft, sell fake products, terrorist activities on the Dark Web which make it difficult for their seizure. Thus, sock puppet detection is very crucial in cyber intelligence operation in order to forensic accounting, extrapolating information about the criminals, monitoring the communication, and screening the Dark Web for tracking the terrorists.
Another detection method of crimes can be Key informants which is a source of experts' information. Researchers use key informant interviews over an extensive period of time with participants who have unique knowledge of a topic. Key informant analysis has played vital role in the research studies on illegal drug reporting, money laundry for criminal finance and terrorist organization structure [44], [104].

c: NETWORK ANALYSIS METHODOLOGIES
Proper understanding and analysis of the structure of the cyber-criminal and terrorists networks can lead to the path of technical insight for obstructing the illicit activities in the Dark Web. The network analysis of the terrorist and extremist groups in the Dark Web have been conducted in studies to detect and discover crime threats [28], [34], [160], [165], [170]. Network analysis with topic based model in the Dark web portals has been implemented in studies to inherent topics [94], [127], [161].
Classification of network traffic using correlation have been implemented in the field of network security monitoring and identifying attacks, this can be used as a traffic classification technique for detecting attacks on the Dark Web [70], [159], [164], [169].
Another network analysis method is locating entry and exit nodes to identify attacks [145]. Although TOR has a powerful infrastructure which is hard to break, the communication of the users and the routing behaviour can be detected by implementing some attack techniques in the TOR network [6], [19], [58], [100].

d: MARKETPLACE SCRAPING
Dark Web marketplaces are one of the main platforms for cyber criminals to spread and conduct their illicit crimes. Thus scrapping the information from these marketplaces can lead success to detect and catch the criminals [77]. According to an article by Alan Travis, with the use of anonymous marketplaces and forums to sell financial data about 5.1 million incidents of online fraud in England and wales were found [147].

e: MONITORING DARK WEB
Monitoring the Dark Web is very challenging because of the untraceable and anonymous infrastructure. Numerous methods and techniques have been established to monitor the Deep Web by the researchers. Some of the monitoring techniques of hidden parts of the Internet were discussed [39]. The monitoring of the Dark Web can be beneficial to the crime analysts as by retrieving the data for a websites on the Dark Web a prominent database can be built that can contain important information about a hidden site which can help track future illegal activities and criminals.
Monitoring extremist and hate groups to analyse the usage and content of the Dark Web data have been adopted by many researchers [1], [133], [165], [168]. Various studies were proposed to monitor malicious activities and threats in the Dark Net [14], [114], [116], [135].

f: HONEYPOT DEPLOYMNET
The network server is often targeted cyber-criminals for attacks as a mean of spreading malicious software across the network or breaking into the system. Monitoring the network traffic is another fruitful way to observe the activities of the criminals in the Dark Web TOR network [59]. In this context, the use of Honeypots in detecting cyber-attacks and criminals behaviour in the network traffic have been proposed in various studies [29], [89], [118].
Honeypots techniques have been applied as a detection method for Ransomware [111]. As honeypot deceives the attackers by acting a decoy computer, illicit access can be detected through this technique. Detection of comprised secure socket sell can prevent DoS attack, SSH port scanning, SSH brute-force attack, phishing attack and so on. A detection model using honeypots and machine learning was implemented to detect SSH with malicious activity [131].

g: TRIPWIRE IMPLEMENTATION
Credential stealing with the benefit from reusing password could result in site compromise to organizational exploit. Tripwire is another detection method used for monitoring system to notify and trigger when any compromising action could lead to exploit data. Different studies have adopted this technique to detect any comprising threats in the system that indicates attacks and hacking [4], [48].

h: ANOMALY DETECTION METHODS
Anomaly detection can be utilized as prevention for security breaches and attacks in the cyber space. Various user profiling models to create security profiles in anomaly detection has been discussed in [35]. Anomaly detection techniques are implemented as a cyber-incident detection method in many studies [5], [102], [132], [162].

i: INTRUSION DETECTION TECHNIQUES
Intrusion detection plays important role in detecting threats and attacks by analysing the system logs and network traffic.
Different intrusion detection methods with the attack detecting capabilities have been analysed in the study to get more understanding about the techniques [108].
Network based, host based, signature based, anomaly based, specification based, hybrid and physical intrusion detection methods were discussed in [32], [65]. Flow based intrusion detection model was proposed in a study with the analysis of statistical and machine learning techniques [151].

C. DISCUSSION SUMMARY OF SELECTED STUDIES
With the answers and explanation of our research questions in the above subsections A and B, this subsection summarizes the selected 65 articles contents with their contributions. The contents of the extracted 65 studies are summarized in Table 6 where each ID is referred in Appendix A, Table 11. To summarize the contents according to the contributions despite the different methods implemented, some studies have been grouped together in Table 6.

IV. DEMOGRAPHIC INFORMATION
This section shows the distribution of the reviewed papers for the types of publications, publications by year and publication numbers based on search criteria. We have also analysed the most widely used keywords based on our studied articles. The most representative authors and the publication sources where the studied articles are most published are also discussed. We have considered the countries of publications where the most cited journals, conferences or books were published. Figure 3(a) shows the type of publications selected for our SLR. We have utilized three types of articles for our review those include journals, conferences and books. The Figure demonstrates that among 65 selected articles, the majority is journal papers with 37 numbers and 57%, followed by 25 conferences with 38% and the rest 3 books with 5%.

D. WIDELY USED KEYWORDS
The most widely used keywords from our studied 65 articles are represented in Table 7. These keywords are also used as search terms for searching a study of interest in this field. Keywords may vary from article to article but most popular and utilized keywords are common. However these keywords are sometimes presented in the articles with different parts of speech and tenses. Table 7 represents the most widely used keywords and the number of papers that used the keywords in their articles.

E. REPRESENTATIVE AUTHORS
The most representative authors have been selected in terms of citation of the papers in the field of our study. We have analysed 10 top most articles with highest number of citations from the 65 selected papers for this analysis. According to our analysis Nicolas Christin has the most cited article on this field of study [ID 1, ID 11]. Although some of the authors have published in different field of studies, we considered the popularity based on the citation numbers on our field of study. Table 8 shows the most representative authors with the citation numbers and ID from Appendix A.

F. POPULAR DATABASES
The statistics of extracting the articles from six databases described in subsection II.B shows that Google Scholar contains the most available resources for the study following by the IEEE Xplore. The number of articles extracted from the databases of Google Scholar, IEEE Xplore, Sci-eneDirect, Springer, Scopus and ACM Digital Library are 22, 18,6,9,5 and 5 respectively.    of countries that publishes the articles on our field of study. Table 9 represents the top 10 published sources and countries.

V. ARCHITECTURAL ANALYSIS
This section reports the architectural description of the selected Dark Web article's and describes the architectural frameworks. The overall architectural view is shown in Figure 5. It is to be noted that the various elements in the architectures are not limited to what is shown in the figure.
From the reviewed articles we have found different architecture frameworks based on different crime theme analysis. All the details are discussed in Section III in details. For analysis of the overall architectures of the papers Figure 5 represents the example. Studies are focused on different themes such as Drug transactions, terrorists and ISIS, human trafficking, pornography industry, money laundering and so on. Based on these themes architectural frameworks have been created. The frame works are divided into two categories one for detection methods that includes network analysis, hash value analysis, marketplace monitoring and scraping and the other for law enforcement tools such as DARPA,MLAT and so on.
The analysis of architectural framework steps and outcomes are shown in Figure 6. To analyse the existing models obtained from the studies Figure 6 describes the generalized steps used in the models applied for different architectures. The elements of the Figures are identified from the architectures implemented in different models in the studied papers listed in Appendix A. This diagram helps to understand each key component in a model and their examples and importance. This also refers to the outcomes of each step to better understand the key criteria's. The generalized elements are described below.
Data Collection: This component describes the sources of data, the size of data set and the availability of the data set used for the models. The choice of collected data varies from researchers to enterprises. Many researches have used already crawled data from available online databases, many have crawled the onion sites as their research where others have used TOR traffics as their data set.
Data Pre-processing: This is a crucial step to process the data. Important feature selection, filtering, extraction and duplicate or noise removals are the main components of this step. In most of the studies this step is followed with their relevant requirements to feed the model.
Data Processing: This is the focal stage of any model which includes the algorithm implementation such as machine learning, classifications of the data such as clustering or labelling, checking the performance of the algorithms with training and testing data and applying the techniques to their respective fields.
Results: Depending on the implemented model the results are the final outcome targeted to create the framework.
This leads to the analysis of the crimes using available software's such as Maltego, detection of crimes, locating crimes or criminals, giving system alerts of malicious activities through email or mobile applications.
The security agencies or law enforcement can take actions depending on the models outcome which is the ultimate goal of all the frameworks. It is to be noted that the techniques and examples given are not limited to the Figure 6 and the description.
We will analyse some techniques that use different models and tools from our reviewed papers based on the architectures as below.
A. MACHINE LEARNING TECHNIQUE [ID 13] Introduction and Motivation: Machine learning algorithms could play a very important role in Monitoring and detecting malicious activities. An operational system was proposed for gathering information on malicious hacking products and services from various social platforms on the Dark Net and Deep Net discussion forums and marketplaces Description: They have used 10 marketplaces and two forums data for their experiment. At first, they crawled the marketplace and forum data then parsed the data for classification which could determine different topics from forums and products from marketplace which are related to malicious hacking. Machine learning algorithms of supervised and semi-supervised methods were applied for both marketplace and forums. They implemented Naive Bayes(NB), random forest (RF), support vector machine (SVM)and logistic regression (LOG-REG) algorithms as supervised and label propagation, Co-training approaches as semi supervised algorithms.
Result and Constrains: The proposed system collects on average 305 high-quality cyber threat warnings each week.

B. AFFECT ANALYSIS TECHNIQUE [ID 24]
Introduction and Motivation: Affect analysis of the extremists groups in the Dark Web forums leads to the violence, hate and propagandas spread over there. To gather the affect related contents over extremist groups from the Dark Web forums an affect lexicon was constructed with probabilistic disambiguation technique in this study.
Description: Extremist forum data were collected from University of Arizona for their experiment which consisted of messages from 16 US and Middle Eastern forums. The system consisted of two components of lexicon creation and analysis technique. At first they collected the messages and to remove affect ambiguity applied probabilistic disambiguation from the term list of collected messages to create the affect lexicon database. In the Affect Analysis phase several filtering and duplicate removal are done for affect parsing and getting intensity scores and correlations.
Result and Constrains: From the US forums they found racism other than hate and violence whereas the Middle East forums are rich in hate and violence. The analysis did VOLUME 8, 2020 not consider the forum posts which contain rich amount of features to extract data for such analysis.

C. FINGERPRINTING TECHNIQUE [ID 28]
Introduction and Motivation: To gather the encrypted contents and anonymized connections website fingerprinting attacks play important role. This research aims to apply fingerprinting attacks on TOR to get the hidden service connections and finding out the hidden services accessed.
Description: To gather the data which is the Hidden service addresses they crawled all known hidden services search engines with a automatic tool per day from which they collected 13,243 unique addresses in four month. Alongside this, they exploited the hidden service directories in the protocols directly from the TOR network in live to gather the onion addresses. 3.6.2 TBB was utilized to access the hidden services and regular webpages via Tor. For data extraction and processing they grouped several pages together in order to avoid subpages that contain blank pages or little information. The proposed fingerprinting approach consists of two classification phases. The first phase detects the communication of clients with the hidden service and the second phase, if connection is detected it recognizes which hidden service content has been visited by the client.

Result and Constrains:
The feasibility of a connection establishment to a hidden service is shown in their dataset to recognize the particular content which is not scalable to the existing methods applied in realistic settings.

D. AUTHORSHIP ANALYSIS TECHNIQUE [ID 32]
Introduction and Motivation: To identify the suspects in the Dark Web who utilizes the anonymity service such as TOR authorship detection is necessary step in the cyber forensic. This article proposed classification setups on two major tasks of alias classification and authorship attribution for user identification in the drug trafficking area of Dark Web.
Description: The experimental data was collected from Black Market Reloaded (BMR) forum in the Dark Net. They collected database consists of 92,333 posts from 8,348 different users, posted in 12,923 different threads in multiple languages. English language threads and more than 250 threads posted and less than 50 threads posted were excluded while data filtering stage. For the first classification phase of alias classification they applied stylometric analysis. Topic independent features were selected for their stylometric analysis and character n-grams as features to profile users were also explored with time based features of the forum posts. For the authorship attribution a multiclass classification was implemented. For this step they combined multiple randomly selected posts into a single instance, to represent a user's writing style and irregular or uninformative posts were ignored. They have implemented Support vector machine (SVM) as their classification algorithm.
Result and Constrains: In the alias classification to decide if two user accounts are aliases or not precision result of 91% at a recall of 25% were obtained for 177 users whereas for 25 users the precision was same but the recall reached 45%. The result of authorship attribution varies with the number of users. For 177 users the classification accuracy with SVM was 88% but for fewer users it could gain 94% accuracy. If any users use different style of writing in different posts this method will get biased based with the stylometric analysis thus considering more features beside character n-gram and time based is required.

E. SOCIAL NETWORK ANALYSIS TECHNIQUE [ID 41]
Introduction and Motivation: social networks analysis and text mining in the terrorism activities contributes to develop methods that can fight back terrorism. This study aims to combine social network analysis and data mining techniques for identifying key members of a community for measuring social aspects which can trigger the further analysis on experts' detection, sub-groups detection, centrality measures and so on.
Description: The experiment was done on English Dark web forum named Ansar1. Posts were created by 376 members and extracted topics where realized over 29057 posts for this experiment. The main focus of this article is to discover the key members talking about particular subjects in the Dark web related to security threats based on a topic-based social network structure. For this they used a hybrid approach of social network analysis with latent semantic-based text mining that could lead to threatening topics and perform specific analysis on each one. For social network analysis the network configuration was done based on members' interactions through post replies. They considered two approaches for network conversion of Creator oriented Network and Last Reply oriented Network. According to each network configurations, the topic-based filtering using LDA method is used to remove all replies that are not according to the posts' topic. Keymembers where determined using Hyperlink-Induced Topic Search (HITS) Result and Constrains: The result obtained 47 topics using the closest 30 words on each topic and 11 topics were discarded afterwards. However, the information obtained from their network analysis could not lead to identify any specific patterns.

F. IDENTITY DECEPTION DETECTION TECHNIQUE [ID 35]
Introduction and Motivation: In social media environment identity deception is increasing and detection of such identity can also play important roles in the Dark web forensics. A detection method using non-verbal behaviour for identity deception in social media is proposed in this study. Description: Publicly available data for Wikipedia has been used for the proposed method. Non-verbal user behaviour is monitored for deception detection using machine learning algorithms in this study. The logged data on the Wikipedia page revisions are considered as non-verbal user behaviour such as time taken between each revision. Variables of online non-verbal behaviour were divided into time-independent and time-dependent. For data retrieval from the available logs of blocked accounts, regular expressions were used to keep only sockpuppet cases with an infinite time of block issued for these accounts. For testing 7,500 cases of sockpuppets samples were considered.
Result and Constrains: Selecting the variables for nonverbal behaviour may vary in the result accuracy. Also new users' time window set will have significant impact on the method's effectiveness. Thus a combination of verbal detection deception with the non-verbal behaviour deception method is necessary.

G. DARK WEB SCRAPPING TECHNIQUE [ID 17]
Introduction and Motivation: Scrapping the Dark Web marketplaces and forums can lead to important information that VOLUME 8, 2020   can help law enforcement and security agencies to investigate and forensic. The article developed an automatic scraping framework and analysed with free tools to investigate the scrapped Dark Web marketplaces Description: To find the lists of the onion URLs of the top marketplaces they used of Reddit and DeepDotWeb websites. They have proposed a web crawler which is written in Apple script. The script could keep track of all the accounts and add only new accounts not listed in the crawling. After scrapping the marketplace sites Maltego tool was used to identify suspected vendors on the focus drug marketplace in the Dark Web obtained from the scrapping results. They manually analysed the marketplace and over 3000 distinct vendors operating on the marketplace.
Result and Constrains: The Web crawler could give the account information for more than 3000 vendors from the drug marketplace and four most active vendors' origins using Maltego were identified. They did not engage in dialogue with any vendor and did not purchase any products from the marketplace which questions the authenticity of the vendors' identification. Moreover, manual entry in the Maltego software is erroneous and time consuming.

H. COMPARATIVE ANALYSIS
To analyse the architecture of some selective techniques we have explained the methods in this section under subsection V.A to subsection V.G. To evaluate the contents of the selected papers (ID 13,17,24,28,32,35,41) the performance analysis is done in a summative way presented in Table 10. The table replicates the architectural frame work steps defined in Figure 6 with the respective article ID, the data collection procedure, the data pre-processing and processing methods and the final outcome.

VI. CONCLUSION
In precise,this SLR incorporate a comprehensive description of the Dark Net crime threats, the technical and forensic challenges with the anonymous network structures and the detection methods, algorithms, tools and strategies applied for locating the crimes and criminals in the Dark Web. Cyber criminals are becoming more quick-witted against the enforced methods to detect them inside Dark Web. As a result challenges are elevated. For law enforcement and security agencies international boarder is one of the most hindering task. The sheer size of the hidden web necessitates more effective approaches to minimise the potential threats from the Dark Web. The black marketplace and transactions happening there must be traced to detect the criminals with advanced methods. The unindexed, fragmented and multilayer structure of Dark Web makes it more strenuous to detect the crimes. The ecosystem of the Dark Web being highly unpredictable as every day the old sites keep vanishing while new sites appear,strong digital evidences are required to collect for the forensic law agencies to ensure overcoming the obstacles in arresting and sizing the criminals.

APPENDIX A PRIMARY STUDIES SELECTED FOR THIS SLR
See Table 11.