The use of the un-indexed web, commonly known as the deep web and dark web,
to commit or facilitate criminal activity has drastically increased over the
past decade. The dark web is an in-famously dangerous place where all kinds of
criminal activities take place [1-2], despite advances in web forensics
techniques, tools, and methodologies, few studies have formally tackled the
dark and deep web forensics and the technical differences in terms of
investigative techniques and artefacts identification and extraction. This
research proposes a novel and comprehensive protocol to guide and assist
digital forensics professionals in investigating crimes committed on or via the
deep and dark web, The protocol named D2WFP establishes a new sequential
approach for performing investigative activities by observing the order of
volatility and implementing a systemic approach covering all browsing related
hives and artefacts which ultimately resulted into improv-ing the accuracy and
effectiveness. Rigorous quantitative and qualitative research has been
conducted by assessing D2WFP following a scientifically-sound and comprehensive
process in different scenarios and the obtained results show an apparent
increase in the number of artefacts re-covered when adopting D2WFP which
outperform any current industry or opensource browsing forensics tools. The
second contribution of D2WFP is the robust formulation of artefact correlation
and cross-validation within D2WFP which enables digital forensics professionals
to better document and structure their analysis of host-based deep and dark web
browsing artefacts