Research Security
How to conduct research safely without exposing yourself or compromising your sources. This guide covers research-specific security practices.
Why Research Security Matters
When researching sensitive topics:
- Your searches can be tracked
- Your identity can be linked to research activity
- You may inadvertently expose sources
- Research targets may detect your interest
- Browser fingerprinting can identify you across sessions
Key principle: “Distrust and verify” — no single tool provides complete protection. Layer your defenses based on your threat model.
Isolation Environments
Beyond VPNs and secure browsers (covered in the DFP Guide), research may require full system isolation.
Tails (The Amnesic Incognito Live System)
Best for: Field operations, one-off research, leaving no trace
| Feature | Details |
|---|---|
| Type | Live USB operating system |
| Trace | Leaves nothing on host computer |
| Network | Routes all traffic through Tor |
| Setup | Boot from USB, no installation |
Use cases:
- Research from untrusted computers
- Journalism in hostile environments
- Quick investigations requiring no persistence
Download: tails.net
Whonix
Best for: Ongoing research projects, persistent workflows
| Feature | Details |
|---|---|
| Type | Two-VM system (Gateway + Workstation) |
| Trace | Persistent storage available |
| Network | All traffic forced through Tor gateway |
| Setup | Requires VirtualBox or KVM |
Architecture:
- Whonix-Gateway: Handles all Tor connections
- Whonix-Workstation: Where you do your work
- Even if workstation is compromised, your IP can’t leak
Download: whonix.org
Qubes OS
Best for: Multi-project separation, maximum isolation
| Feature | Details |
|---|---|
| Type | Security-focused operating system |
| Trace | Compartmentalized VMs |
| Network | Configurable per-VM |
| Setup | Dedicated hardware required |
Key feature: Each activity runs in a separate VM. Email, browsing, and research are completely isolated from each other.
Download: qubes-os.org
Choosing Your Environment
| Situation | Recommended |
|---|---|
| One-time sensitive lookup | Tails |
| Ongoing investigation | Whonix |
| Multiple projects, high risk | Qubes OS |
| Lower-risk general research | VM with VPN |
| Quick check | Browser profile + VPN |
Privacy Browsers for Research
The Quick DFP Guide covers general browser recommendations. For research specifically, these provide enhanced anti-fingerprinting:
Mullvad Browser
Best for: Anti-fingerprinting without Tor’s speed penalty
Everyone using Mullvad Browser appears identical to websites, making individual tracking nearly impossible. Uses Tor-grade protection (letterboxing, font standardization) without routing through Tor.
Download: mullvad.net/browser
LibreWolf
Best for: Hardened Firefox with maximum privacy
All telemetry removed, uBlock Origin built-in. Excellent protection against cross-session tracking.
Download: librewolf.net
Browser Comparison
| Browser | Fingerprint Protection | Speed | Best For |
|---|---|---|---|
| Tor Browser | Excellent | Slow | Maximum anonymity |
| Mullvad Browser | Excellent | Fast | Research without Tor |
| LibreWolf | Very Good | Fast | Daily privacy browsing |
Warning: Anti-fingerprinting browser extensions are easily detected and can make you MORE identifiable. Use browsers with built-in protection.
Alternative Networks
I2P (Invisible Internet Project)
Best for: Internal anonymous communications, dead drops
| Feature | Details |
|---|---|
| Nodes | ~50,000 (vs Tor’s ~10,000) |
| Routing | Garlic routing (bundled encrypted messages) |
| Sites | .i2p “eepsites” |
| Design | Fully decentralized |
Key differences from Tor:
- All I2P traffic stays within the I2P network
- No central directory authority
- Every node relays traffic by default
- Short-lived tunnels reduce attack surface
Use cases:
- Internal network communications
- Anonymous hosting
- Peer-to-peer file sharing
Download: geti2p.net
Research Account Management
Sock Puppet Accounts
Fabricated online personas to protect your real identity during research.
Essential components:
- Untraceable email account
- Realistic but fictional identity
- Consistent backstory and details
- Dedicated password manager (separate from personal)
Setting Up Research Accounts
- Email: Use ProtonMail or Tutanota with VPN/Tor
- Phone: Burner phone with cash-purchased SIM (where legal)
- Identity: Consistent fictional details
- Passwords: Unique for each account, stored in dedicated KeePass database
Firefox Multi-Account Containers
Useful for managing multiple research identities in one browser:
- Each container is isolated (cookies, storage)
- Can assign specific sites to specific containers
- Prevents cross-account tracking
Install: Firefox Multi-Account Containers
Ethical Considerations
- Sock puppet use has legal implications in some jurisdictions
- Distinguish between passive research and active deception
- Never use for harassment or illegal purposes
- Consider whether deception is necessary for your research
Secure File Sharing
OnionShare
Best for: Sharing files with sources anonymously
| Feature | Details |
|---|---|
| Network | Tor (direct computer-to-computer) |
| Storage | Files never uploaded to cloud |
| Encryption | End-to-end |
| Features | Send, receive, chat, host websites |
How it works:
- Start OnionShare and add files
- Share the .onion address with recipient
- Recipient downloads directly from your computer
- No third-party servers involved
Use cases:
- Receiving documents from sources
- Sharing research findings securely
- Quick anonymous chat
Download: onionshare.org
SecureDrop
For organizations needing a permanent whistleblower submission system. More complex to set up but designed for institutional use.
Website: securedrop.org
Encrypted Pastebins
For sharing text and code securely during research:
| Service | Notes |
|---|---|
| Disroot Bin | PrivateBin instance, E2E encrypted |
| PrivateBin | Self-hostable, zero-knowledge |
| CryptPad | Encrypted docs, pads, collaboration |
| 0bin | Client-side encryption |
| Paaster | E2E encrypted with paste history |
Research-Specific OPSEC
Passive vs. Active Research
Passive (lower risk):
- Reading public information
- Search engine queries
- Viewing public social media
- Using caches/archives
Active (higher risk):
- Direct interaction with targets
- Creating accounts on target platforms
- Sending requests to target systems
- Downloading files from targets
Reducing Your Footprint
- Use cached versions when available
- Check archive.org before visiting directly
- Avoid repeated visits to the same resource
- Don’t click through from your main search
Website Caching Tools
| Tool | Purpose |
|---|---|
| Wayback Machine | View archived pages |
| Google Cache | Google’s cached version |
| Archive.today | Create/view snapshots |
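One way to script the "check archive.org before visiting directly" step, as an added example that is not part of the original guide: it builds a Wayback Machine availability query and decides from the JSON reply whether an archived copy is recent enough to use instead of a direct visit. The sample replies, the 30-day freshness threshold and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlencode

# Wayback Machine availability endpoint; the lookup goes to archive.org, not to the target site
WAYBACK_API = "https://archive.org/wayback/available"

def availability_query(target_url, timestamp=None):
    """Build the lookup URL; an optional timestamp (YYYYMMDD) asks for the closest capture."""
    params = {"url": target_url}
    if timestamp:
        params["timestamp"] = timestamp
    return WAYBACK_API + "?" + urlencode(params)

def plan_visit(api_response, now, max_age_days=30):
    """Decide from the API reply whether the archived copy can replace a direct visit."""
    closest = json.loads(api_response).get("archived_snapshots", {}).get("closest")
    if not closest or not closest.get("available") or closest.get("status") != "200":
        return {"action": "no_snapshot", "url": None, "age_days": None}
    # Wayback timestamps are UTC in the form YYYYMMDDhhmmss
    taken = datetime.strptime(closest["timestamp"], "%Y%m%d%H%M%S")
    age_days = (now - taken.replace(tzinfo=timezone.utc)).days
    action = "use_archive" if age_days <= max_age_days else "stale_snapshot"
    return {"action": action, "url": closest["url"], "age_days": age_days}

# Constructed sample replies in the shape the endpoint returns (not real captures)
SAMPLE_HIT = json.dumps({
    "url": "example.org/report",
    "archived_snapshots": {"closest": {
        "status": "200",
        "available": True,
        "url": "http://web.archive.org/web/20240110120000/http://example.org/report",
        "timestamp": "20240110120000",
    }},
})
SAMPLE_MISS = json.dumps({"url": "example.org/new", "archived_snapshots": {}})
NOW = datetime(2024, 1, 20, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo

if __name__ == "__main__":
    print(availability_query("example.org/report"))
    for name, reply in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(name, plan_visit(reply, NOW))
    # A stricter freshness requirement turns the same capture into a stale one
    print("strict", plan_visit(SAMPLE_HIT, NOW, max_age_days=7))
```

The availability query is itself a request to archive.org, so send it from the research environment rather than from a personal browser.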
Research OPSEC Checklist
Before Starting
- VPN connected (see DFP Guide)
- Using research browser/profile/VM
- Logged out of personal accounts
- Research accounts ready
- Secure storage location prepared
- Threat model understood
During Research
- Not clicking suspicious links
- Not downloading unknown files
- Using caches when possible
- Taking notes securely
- Not mixing personal/research activity
- Documenting sources
After Research
- Saving and encrypting findings
- Clearing browser data
- Disconnecting from VPN
- Reviewing what you accessed
- Securely deleting temporary files
Emergency Procedures
If You Think You’re Compromised
- Stop research activity immediately
- Disconnect from network
- Assess what was exposed
- Change relevant passwords (from a different device)
- Notify affected parties if needed
- Document the incident
For full incident response, see Incident Response Guide.
Signs of Compromise
- Unexpected account activity
- Devices behaving strangely
- Unknown login attempts
- Being contacted about research activity
- Increased targeted ads related to research topics
Tool Quick Reference
| Category | Tool | Best For | Setup |
|---|---|---|---|
| Isolation | Tails | Field operations | Low |
| Isolation | Whonix | Persistent research | Medium |
| Isolation | Qubes OS | Multi-project | High |
| Browser | Mullvad | Anti-fingerprinting | Low |
| Browser | LibreWolf | Firefox ecosystem | Low |
| Network | I2P | Internal comms | Medium |
| File Share | OnionShare | Source communication | Low |
| Pastebin | PrivateBin | Text sharing | Low |
For VPNs, password managers, MFA, and mobile security, see the DFP Guide and Mobile Hardening Guide.
Resources
OSINT-Specific
Investigation Tools
- Hunchly - Automatic web capture for investigations
- Sherlock - Username search across platforms
- IntelX - Data leak and darknet search