Behind the scenes at Garlic

An old, nostalgic shot of our open-space office. Remote work can be great for productivity and flexibility, but there is no such thing as small talk, creative rush sessions, and laughing together around a Friday afternoon beer.
Photo by Sigmund / Unsplash

Hello there! It's been a while since my last article on here. I've been relatively busy over the past few months with infrastructure upgrades, and some other changes to take Garlic to the next level.

In this article I will share some updates and the future plans for Garlic! As always, if you have any feature requests, suggestions or run into bugs, you can send me an email over at doc at chaos dot institute or simply DM me on Twitter.

So what is Garlic?

Garlic is my side project. It lives on OSINT.PARTY where you can use the HTTP based API or Maltego integration to search for data found on onions hosted on the Tor network.

Garlic stores quite a bit of metadata

As of writing this post the database contains more than 22 million records for 78 thousand onions. That's a lot of data.

Infrastructure

Garlic runs on a single AMD-based server. I exclusively use AMD and harden my servers with AMD Secure Encrypted Virtualization (SEV) and AMD Secure Memory Encryption (SME), so even with physical access there are still layers of defence between the hypervisor and the VMs running on it.

I exclusively use ECC memory. The current server has 128GB of memory and it allows me to keep most of my data in memory which keeps the application snappy.

But having a lot of memory isn't just good for caching! The server runs on dual NVMe drives in RAID 0 with full-disk encryption using LUKS2 and argon2id as the key derivation function. I've tweaked the argon2id memory parameters to use 80% of the available memory and a "fuck you" amount of cycles to add yet another layer of defense against brute-force attacks. Booting up the server takes a while, but it means I can sleep at night.
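To make the argon2id tuning above concrete, here is an added shell example (my own, not code from the Garlic project) that derives the memory cost from the machine's RAM and builds the cryptsetup re-key command for an existing LUKS2 keyslot. The device path /dev/nvme0n1p2, the 80% target and the 10-second unlock budget are assumptions for illustration, not values from the post.

```shell
#!/bin/sh
# Added example (not from the Garlic post): size the LUKS2 argon2id memory
# cost from MemTotal, then re-key a volume with it.
# Assumptions (mine, not the post's): the volume is /dev/nvme0n1p2 and the
# target fraction is 80% of MemTotal; both are placeholders.

# Argon2id memory cost in KiB for a given MemTotal (KiB) and percentage.
# cryptsetup's --pbkdf-memory takes kibibytes, so no unit conversion is needed.
argon2_memory_kib() {
    mem_total_kib=$1
    percent=$2
    echo $(( mem_total_kib * percent / 100 ))
}

# MemTotal in KiB from /proc/meminfo; falls back to a constructed 128 GiB
# figure (matching the post's server) when /proc/meminfo is not readable.
mem_total_kib() {
    if [ -r /proc/meminfo ]; then
        awk '/^MemTotal:/ { print $2 }' /proc/meminfo
    else
        echo 134217728   # constructed: 128 GiB expressed in KiB
    fi
}

# Print the cryptsetup invocation that re-derives an existing keyslot with the
# hardened KDF settings. --iter-time is the benchmark target in milliseconds:
# the post's "amount of cycles", expressed as how long one unlock should take
# on this hardware. --pbkdf-parallel 4 is cryptsetup's upper bound for threads.
luks_rekey_command() {
    dev=$1
    mem_kib=$2
    iter_ms=$3
    printf 'cryptsetup luksConvertKey %s --pbkdf argon2id --pbkdf-memory %s --pbkdf-parallel 4 --iter-time %s\n' \
        "$dev" "$mem_kib" "$iter_ms"
}

# Show what cryptsetup actually stored in the header. It clamps the memory
# cost to its own limits, so the applied value can be lower than requested.
luks_show_kdf() {
    dev=$1
    if command -v cryptsetup >/dev/null 2>&1 && [ -b "$dev" ]; then
        cryptsetup luksDump "$dev" | grep -E 'PBKDF|Time cost|Memory|Threads'
    else
        echo "cryptsetup luksDump $dev   # run this on the real host to verify"
    fi
}

main() {
    dev=/dev/nvme0n1p2          # placeholder device
    cost=$(argon2_memory_kib "$(mem_total_kib)" 80)
    luks_rekey_command "$dev" "$cost" 10000
    luks_show_kdf "$dev"
}

main
```

Two things to check before trusting the result: the Argon2 memory cost must be available at unlock time, so an initramfs with less free memory than the stored cost will fail to open the volume, and the values in `luksDump` are the ones that matter, not the ones you asked for, because cryptsetup adjusts the requested memory and time cost to its limits and to the benchmark it runs on the host.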

Search & Full-text search

I've stated a few times in the past that I'm working on adding search and full-text search to the application. I've put that feature on ice for now while I work out how to solve some of the issues.

Tor is full of obscene and questionable content. There are thousands of onions out there with CSAM. The moment I add search to Garlic, it would allow bad actors to start using my database to find their favorite content. And that scares me.

Garlic is just a side project for me, so unless I start a Patreon to potentially fund a lawyer to sit down and figure out how I can add it while staying compliant with the rules and regulations, it's unlikely to happen anytime soon.

I'm open to suggestions and advice. I'd love to make search public for anyone but becoming a dual-use product scares me.

That said, researchers, law enforcement and the OSINT community can always reach out and ask for help with finding data or de-anonymizing a specific onion.

I've got the experience and the data.

Future plans

Now that I'm mostly done upgrading the stability of Garlic, making sure up/downtime detection is solid and we can crawl at massive speeds, it's time to start working on new features. Here is a list of things I'm currently considering.

  • EXIF metadata scanning (Need to solve CSAM issues first, but would love to add this)
  • Support for more cryptocurrencies (Monero will likely be the next)
  • Automated de-anonymization by running internet-wide scans to match fingerprints (Need to find a provider that lets me run portscans! Help!)
  • Indexing JS code and analyzing it
  • Automated detection and grouping of phishing/scam sites
  • Building a massive graph of how sites are connected

Thanks!

I want to say thanks to everyone in the OSINT community for their support. Building Garlic has been amazing and getting DMs from people that enjoy using the product and want to learn more is what keeps me going.

Maybe one day I can turn this into a full-time job.
