Abstract

The dynamic nature of the darknet, especially in decentralized anonymity systems such as the Invisible Internet Project (I2P), is a major problem to forensic investigation and long-term preservation of digital data. The inability to have centralized registries and service ephemerality can mean that any digital evidence is lost forever. This paper presents a conceptual and architectural design that is used in the forensic-based archival of dark internet services. Our proposed architecture is a modular design that incorporates secure collection, preservation and verification layers, to verify integrity and provenance of data collected. The framework supports the forensic need of chain of custody and non-repudiation by using Merkle-tree-based hashing and cryptographic timestamps. While currently focused on design and theoretical evaluation, this work provides a rigorous foundation for future empirical deployment and testbed implementation in I2P-based cybercrime investigations.