This document discusses how criminals use the internet to hide evidence of crimes. It outlines various methods such as using anonymity tools like TOR, VPNs, and proxy servers to hide identities online. Criminals also form private online communities and use steganography and strong encryption to conceal criminal plans and activities. The document presents a hypothetical case study of how a child pornography ring hides its operations across multiple encrypted servers in different countries to evade law enforcement. It concludes that criminals pursuing anonymity can likely hide evidence of their crimes online, though investigators are improving their technical capabilities for tracking such activities.
2. What we will talk about today
• Introduction & Background
• Internet Service: Legitimate Vs Criminal Uses
• Using the Internet to hide evidence
• Tools and techniques to hide crime using the internet
3. What we will talk about today
• Ways in which investigators can get around the methods used to hide crime
• Case study
• Conclusions
• References
• Questions
4. Introduction & Background
• In recent years the Internet has developed rapidly and has become a great tool in many areas.
• The Internet creates new ways for people to communicate and share information.
• The growth of information technology has led to the development of digital encryption technologies.
6. Introduction (Continue…)
• The Internet has transformed the opportunities criminals have to hide their crimes.
• Encryption also gives criminals a powerful tool for concealing their activities.
7. Introduction (Continue…)
Schneider, J.L. (2003) notes:
“While this technology facilitates productive, legitimate interaction, it can also open a ‘Pandora’s Box’ of criminal opportunity.” (p. 375)
He continues:
“Not only can criminals hide in terms of identity and location, but also the types of crimes being committed may not be a high priority for police and their high-tech crime units to investigate.” (p. 375)
Schneider, J. L. (2003). Hiding in Plain Sight: An Exploration of the Illegal(?) Activities of a Drugs Newsgroup. The Howard Journal of Criminal Justice, 42(4), 374-389.
8. Introduction (Continue…)
Denning & Baugh (1998) stated that:
“encryption is being used as a tool for hiding information in a variety of crimes, including fraud and other financial crimes, theft of proprietary information, computer crime, drugs, child pornography, terrorism, murder, and economic and military espionage.” (p. 47)
Denning, D., & Baugh, W. (1998). Encryption and evolving technologies: Tools of organized crime and terrorism. Trends in Organized Crime, 3(3), 44-75.
9. Internet Service
Legitimate Vs Criminal Uses
Important communication tool VS Important crime tool
Sharing good ideas VS Sharing criminal ideas
…
10. Internet Service
Legitimate Vs Criminal Uses
Showing my profile VS Hiding my profile
Exchange of ideas and beliefs VS Enhance criminal activities
Enhance communication VS Share criminal knowledge (how to build bombs)
Overcome barriers of time VS Overcome barriers of investigation
Interact with friends VS Interact with criminals
11. Using the Internet to hide evidence
• Newsgroups
• Online forums
• Online file repositories
• Voice chat (to avoid conversations being tracked)
This provides a challenging set of circumstances for investigators trying to find evidence.
12. Hiding Identity - Anonymity
• The best way to hide crime is to ensure it can’t be tracked back to you.
• In general, if the perpetrator makes no attempt to conceal their identity online then they can be tracked.
13. Hiding Identity – Another Device/Network
It is very easy for a criminal to simply use another device or network to conduct crime. This could involve the use of:
• Authorised use of a device belonging to a friend, employer, internet café, university etc.
• A stolen device, or one accessed without authorisation (e.g. steal a mobile and use its data plan)
• Public wireless networks
14. Hiding Identity – Hacked Devices/Networks
Criminals often have an array of hacked devices/networks that they can route their communications through. This includes:
• Hacked servers
• Hacked home computers (often under botnet control)
• Hacked wireless networks
15. Hiding Identity – Stolen Credentials
Criminals may hack, steal or guess credentials for access to people’s online services. Crime is then conducted using these credentials. Popular targets include:
• Online banking
• Payment systems (e.g. PayPal)
• Online merchants
• Email & social networking (mainly for spam)
16. Hiding Identity – Identity Theft
• Identity theft allows a criminal to appear as you while committing crime, by stealing or fabricating your identifying documents.
• They can open accounts in your name with any service provider.
• They can get the credentials for your existing accounts reset.
• Complete identities are readily and cheaply available online.
17. Hiding Identity – Proxies
• Proxies provide an intermediary for network traffic, helping to conceal the identity of the source.
• They can be chained together, allowing the network traffic to travel through several proxies.
• Not commonly used by criminals any more due to a lack of supply and better options being available.
18. Hiding Identity – VPNs/SSL Tunnels
• VPNs (Virtual Private Networks) allow network traffic to be sent via a third party, concealing the identity of the source.
• All traffic between the user and the VPN provider is generally encrypted.
• There are thousands of commercial VPN providers with varying policies on keeping logs etc.
• Many less legitimate providers guarantee not to track anything you do.
19. Hiding Identity – TOR
https://www.torproject.org
TOR (The Onion Router) is essentially a peer-to-peer VPN network. Traffic is encrypted and routed through several peers before going out to the internet.
Source: http://www.torproject.org/about/overview.html.en
20. Hiding Identity – TOR
How it works
Each connection made is routed through a random path. TOR makes your communications anonymous but not private: exit nodes can see the unencrypted traffic.
Source: http://www.torproject.org/about/overview.html.en
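The layered encryption behind the "anonymous but not private" point, as an added example that is not part of the slides or of the Tor software. The client wraps the request once per relay; each relay strips one layer and learns only the next hop, and only the exit relay ends up holding the plaintext. The stream cipher, relay names and the destination are constructed for the demo (real Tor uses AES per hop and a handshake to agree the keys).

```python
import hashlib
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: SHA-256 counter-mode keystream XORed over the data.
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def wrap(key: bytes, next_hop: str, payload: bytes) -> bytes:
    # One onion layer: nonce || Enc_key(len(next_hop) || next_hop || payload).
    nonce = os.urandom(16)
    hop = next_hop.encode()
    return nonce + keystream_xor(key, nonce, bytes([len(hop)]) + hop + payload)


def peel(key: bytes, layer: bytes):
    # Relay side: strip one layer, learn only where to forward the remainder.
    inner = keystream_xor(key, layer[:16], layer[16:])
    n = inner[0]
    return inner[1:1 + n].decode(), inner[1 + n:]


def build_circuit(keys: dict, path: list, destination: str, message: bytes) -> bytes:
    # Client side. path is guard -> middle -> exit; the exit's layer is innermost,
    # so it is applied first and the guard's layer last.
    hops = path[1:] + [destination]
    onion = message
    for relay, next_hop in reversed(list(zip(path, hops))):
        onion = wrap(keys[relay], next_hop, onion)
    return onion


def route(keys: dict, path: list, onion: bytes) -> dict:
    # Simulate the relays: record the next hop each one learns and the bytes it
    # forwards, which stay encrypted for every relay except the exit.
    observed = {}
    for relay in path:
        next_hop, onion = peel(keys[relay], onion)
        observed[relay] = (next_hop, onion)
    return observed


if __name__ == "__main__":
    path = ["guard", "middle", "exit"]
    keys = {r: os.urandom(32) for r in path}  # constructed per-hop session keys
    seen = route(keys, path, build_circuit(keys, path, "example.org:80", b"GET / HTTP/1.0\r\n"))
    for relay, (hop, data) in seen.items():
        print(f"{relay:6} forwards to {hop:15} can read request: {b'GET' in data}")
```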
21. Hiding Crime – TOR
Hidden Services
TOR can also host hidden services (e.g. web servers) that can’t be tracked. TOR acts as an intermediary, allowing two users to talk to each other without ever connecting directly.
Source: https://www.torproject.org/docs/hidden-services.html.en
22. Hiding Identity – TOR
Hiding evidence of TOR usage
• Portable versions of TOR that can run off a USB flash drive are available. These leave limited traces on the host machine.
• Live Linux distributions including TOR are available. These leave no traces at all on the host machine.
• Both of these options require zero configuration and are “plug and play” solutions for anonymous communication.
23. Hiding Identity – TOR
Alternatives
• I2P (http://www.i2p2.de/) is very similar to TOR but more decentralised.
• FreeNet (https://freenetproject.org/) provides a similar function to TOR’s hidden services.
24. Hiding Activity
• To hide crime online it is also important to be able to hide communications and criminal activity.
• The easiest way to hide communications is to hide in plain sight; the internet is a big place and there are only so many eyes watching.
• Criminals are getting more sophisticated in the methods they use to hide their criminal activity online.
25. Hiding Activity – Private Communities
• A lot of criminal activity on the internet happens in private or semi-private communities.
• These typically involve private forums and chat rooms where criminals can communicate with each other securely.
• These communities often have some sort of vetting process, usually a referral from an existing member.
26. Hiding Activity - Darknets
• A Darknet is very similar to TOR with the exception that all the nodes in the network are known; it is friend-to-friend, not peer-to-peer.
• Darknets ensure that communication is only seen by people within the group, thus ensuring privacy.
• Darknets are harder to set up and maintain than TOR, but also harder to detect and track.
27. Hiding Evidence - Encryption
• Encryption is the process of applying a transformation to information using an algorithm, to make it unreadable without special knowledge (the key).
• Algorithms range from the easy to crack (password-protected MS Office files, MD5) to near impossible (AES, Twofish).
• A wide range of commercial and free software is available.
28. Hiding Evidence - Encryption
• Criminal cases involving encryption have been steadily increasing.
• Cracking encryption often isn’t feasible; try to find the password another way.
• If you encounter a live system where encryption is likely to be in use, don’t turn it off.
29. Hiding Evidence - Steganography
• Steganography is the process of hiding a piece of information inside legitimate/innocuous information.
• This means the hidden information attracts no attention.
• Commercial and free software is available that can hide files inside image, audio and video files.
• Hidden information could be hiding inside any container file.
30. Hiding Evidence - Steganography
• Can be used in conjunction with encryption to further hide evidence.
• Very little, if any, use by criminals online.
• The media has often reported that terrorists widely use steganography to hide communications online. This is a myth.
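What "hiding a file inside an image" looks like at the pixel level, and the statistical trace an examiner can look for, as an added example covering the two steganography slides above; it is not code from the slides or from any steganography tool. The cover is a constructed 8-bit grayscale gradient, the payload is constructed random bytes, and the detector is the pairs-of-values chi-square statistic (Westfeld and Pfitzmann): embedding random bits equalises the counts of each value pair (2k, 2k+1), so a much smaller statistic than the cover's indicates LSB embedding.

```python
import random


def to_bits(data: bytes):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def embed(cover, message: bytes):
    # Write a 2-byte length header plus the message into the pixels' LSBs.
    bits = to_bits(len(message).to_bytes(2, "big") + message)
    if len(bits) > len(cover):
        raise ValueError("message too long for cover")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # each pixel changes by at most 1
    return stego


def extract(stego):
    bits = [p & 1 for p in stego]
    data = bytearray(int("".join(map(str, bits[i:i + 8])), 2)
                     for i in range(0, len(bits) - 7, 8))
    n = int.from_bytes(data[:2], "big")
    return bytes(data[2:2 + n])


def pair_chi_square(pixels) -> float:
    # Pairs-of-values statistic: on an untouched cover the counts of 2k and
    # 2k+1 differ; LSB embedding of random bits drives them together.
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    chi = 0.0
    for k in range(128):
        expected = (counts[2 * k] + counts[2 * k + 1]) / 2
        if expected:
            chi += (counts[2 * k] - expected) ** 2 / expected
    return chi


def make_cover(width=64, height=64):
    # Constructed cover: a quantised gradient whose values are all even, an
    # exaggerated version of the value skew that real covers show.
    return [((x + y) * 2) % 256 for y in range(height) for x in range(width)]


def demo():
    cover = make_cover()
    secret = bytes(random.Random(7).getrandbits(8) for _ in range(500))  # constructed payload
    stego = embed(cover, secret)
    return (extract(stego) == secret,
            max(abs(a - b) for a, b in zip(cover, stego)),
            pair_chi_square(cover), pair_chi_square(stego))


if __name__ == "__main__":
    ok, delta, chi_c, chi_s = demo()
    print(f"recovered={ok} max_pixel_change={delta} chi2 cover={chi_c:.0f} stego={chi_s:.0f}")
```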
31. Other Techniques – Jurisdiction Issues
• In the physical world criminals will often commit crime from, or escape to, jurisdictions where they cannot be prosecuted. This applies equally to online crime.
• Most online crime originates in countries with poor electronic crime laws and/or a lack of motivation to prosecute criminals.
• The use of computers/networks in multiple countries further complicates jurisdiction issues.
32. Ways in which investigators can get around the methods used to hide crime
Hide VS Unhide
Cryptography VS Cryptanalysis
Cipher VS Decipher
33. Ways in which investigators can get around the methods used to hide crime
• Cryptanalysis
The study of methods for obtaining the meaning of encrypted information, without access to the secret information that is normally required to do so. Wikipedia (2011)
• Brute-force attack
Tries every possible key until intelligible information is obtained.
Stallings, W. (2005). Cryptography and Network Security (4th ed.). Upper Saddle River, NJ: Prentice-Hall, Inc.
Wikipedia. (2011). Cryptanalysis. Retrieved 20th March, 2011, from http://en.wikipedia.org/wiki/Cryptanalysis
34. Ways in which investigators can get around the methods used to hide crime
• Software
– PRTK (Password Recovery Toolkit)
– EnCE (Hash Analysis)
– FTK (Forensic ToolKit) – E-Discovery
– Internet Evidence Finder
– S-Tools (Steganography)
36. Fox News - Steganography
Source from: http://www.youtube.com/watch?v=SgxiBIt9siE&feature=related
37. Case study – An Insight Into Child Porn
• In 2009 “Mr X” provided an exposé on the current child porn industry to Wikileaks.
• “Mr X” has 10+ years’ experience in the industry.
• This exposé details how the industry currently works and explains why attempts to set up filters will never work.
http://mirror.wikileaks.info/wiki/An_insight_into_child_porn/
38. Case study – An Insight Into Child Porn
Step 1 – Rent Servers
• Rent servers in multiple countries (Germany is a favourite). These servers are paid for with stolen credit cards, prepaid credit cards (e.g. “Prezzy Cards”), PayPal or WebMoney.
• Often identification is required; for this there is no shortage of high quality false identification.
39. Case study – An Insight Into Child Porn
Step 2 – Configure Servers
• Administrators connect to the servers anonymously (e.g. via proxy chains and TOR) to configure them.
• All operating system logging mechanisms that can be turned off are turned off.
• Partitions are encrypted using TrueCrypt; if the server is shut down or someone logs in locally, these volumes are unmounted.
• Servers are configured to only accept connections from a limited range of IP addresses.
40. Case study – An Insight Into Child Porn
Step 3 – Share Media
• One server is the content server; content is uploaded anonymously through proxies.
• Other servers are “proxy servers” or “forward servers”.
• A domain name is handed out that links to one of the forward servers (the server rotates each time).
• Custom software on the forward server creates an encrypted tunnel through the other forward servers and then to the content server.
• The user then connects through this tunnel to the content server using remote desktop tools like RDP or VNC.
41. Case study – An Insight Into Child Porn
Conclusion
• The content server attracts very little attention as it is only talking to a very limited range of other servers.
• All traffic from the content server through the forward servers is encrypted and cannot be monitored.
• If a forward server gets raided the TrueCrypt volume is unmounted automatically. If this is somehow defeated, there is no illegal content on the server to find anyway.
• If the user gets raided it is often difficult to prosecute. They were viewing a computer in another country remotely; nothing is actually on their own computer.
42. Conclusions
• Criminals are becoming increasingly sophisticated in their attempts to hide crime online.
• Investigators are also becoming more sophisticated. However, there are still many challenges in tracking online crime.
• Anyone who is serious about hiding crime online can probably do so in a way that leaves little to no trace.
43. References
• Denning, D., & Baugh, W. (1998). Encryption and evolving technologies: Tools of organized crime and terrorism. Trends in Organized Crime, 3(3), 44-75.
• Schneider, J. L. (2003). Hiding in Plain Sight: An Exploration of the Illegal(?) Activities of a Drugs Newsgroup. The Howard Journal of Criminal Justice, 42(4), 374-389. doi: 10.1111/1468-2311.00293
• Stallings, W. (2005). Cryptography and Network Security (4th ed.). Upper Saddle River, NJ: Prentice-Hall, Inc.
• Wikipedia. (2011). Cryptanalysis. Retrieved 20th March, 2011, from http://en.wikipedia.org/wiki/Cryptanalysis