Emerging Trends and Issues

Home , Open Whisper Systems, Pretty Good Privacy, ProtonMail, Whonix

EMERGING TRENDS AND ISSUES

UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS

New mobile apps, underground networks and crypto-phones are appearing daily. More sophisticated technologies, such as mesh networks, allow mobile devices to use public Wi-Fi to communicate from one device to another without ever using the cellular network or the Internet. Anonymous and encrypted email services are under development to evade government surveillance. Learn how these new capabilities are helping to make anonymous communication easier for fraudsters, and how they can use this technology to hide their tracks.

WALT MANNING, CFE President Investigations MD

Walt Manning has more than 35 years of experience in both law enforcement and private consulting, focused on the fields of investigations, digital forensics and e-discovery. He retired with the rank of lieutenant after a 20-year career with the Dallas Police Department. After his years of investigative experience in both the public and private sectors, Manning founded Investigations MD with the simple goal of helping other investigators to be more successful. Manning has been published in Fraud Magazine, Police Computer Review, Police Chief and Information Systems Security. He has coordinated and taught more than 100 seminars all over the world on subjects related to computer and Internet investigations, as well as digital forensics.

“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of this paper may not be transmitted, republished, modified, reproduced, distributed, copied, or sold without the prior consent of the author.

©2017 UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS NOTES Introduction Technology is making it easier for fraudsters to cover their tracks while avoiding detection. Anonymous networks and operating systems, new mobile apps, and encrypted cell phones are appearing daily. Anonymous and encrypted email services are being developed to evade government surveillance and increase privacy. More sophisticated technologies, such as mesh networks, allow mobile devices that use public Wi-Fi to communicate from one device to another without ever using the cellular network or the Internet.

Fraud examiners, investigators, and security professionals need to be aware of these tools to understand how they could be used to hide evidence of possible crimes.

Anonymous Networks and Operating Systems

The Tor Network In 2003, the U.S. Naval research laboratory launched The Onion Router Project, which came to be known by its acronym Tor. The project name contained the word onion because the original design routed Internet network traffic through multiple encrypted layers, or nodes, that would effectively hide a user's location and the network through which they were connected. At each relay node, a layer of encryption would be removed from the message, similar to peeling away the layers of an onion.

Tor was designed for use by people who had a need for online anonymity. Normally, users on the Internet can be traced by their Internet protocol, or “IP,” address. When you use the Tor network, your IP address remains hidden.

28th Annual ACFE Global Fraud Conference ©2017 1 UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS NOTES Tor is made up of two different parts. First is software that you can download and install on many devices. The second and critical piece is the Tor network, which is comprised of more than 7,000 volunteer computers that allow Tor users to route traffic through these network nodes.

Tor is not designed to anonymize a user's identity—it only hides where the user’s Internet traffic originates. The first Tor network node that a user accesses will know where that single transmission came from. However, as the transmission proceeds to the next Tor node, the second node will know only that the transmission came from the previous node—not where the transmission originated.

This process continues through at least three Tor nodes, each of which knows only the address of the previous node in the chain. There is no way for the final destination of the transmission to be able to track the random pathway back through the Tor network to identify the user.

Use of the Tor network does not guarantee complete anonymity because the packets sent across the Tor network are the only parts of the transmission that are modified. The actual contents of the data in these packets are not modified in any way.

Users who desire an even higher level of privacy have been known to encrypt their data before transmitting it on the Tor network, and possibly also use a virtual private network, or VPN, to provide even more anonymity and protection.

28th Annual ACFE Global Fraud Conference ©2017 2 UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS NOTES The Invisible Internet Project (I2P) I2P is an open source project that has been in active development since 2003. The I2P network is designed to provide even better anonymity than Tor. Even though it is currently much smaller in scale than Tor, it is quickly gaining in popularity.

Tor is good at hiding the identity and location of the user and recipient of transmissions, but I2P carries this to another level. Where a Tor user creates a connection “circuit” to communicate through the network, I2P users create multiple user-defined “tunnels” to communicate with each other. These tunnels can be reconfigured or changed by a user at any time.

I2P tunnels operate in only one direction—either inbound or outbound. Users can configure as many tunnels as they need, and have the ability to create a single tunnel that is used only one time for one communication. Once that communication has ended, the user can deactivate the tunnel and never use it again.

Where the message headers on Tor are encrypted, the message body may not be (unless the user has used another application to do so). On I2P, there are multiple levels of encryption that protect the entire message from end to end.

I2P is also a packet-switched network, which means that each message is broken down into different packets, or pieces, each of which can travel the I2P network by different routes. This packet switching also allows I2P to balance the transmission workload across multiple routers on the network, which can make it faster and much more efficient.

28th Annual ACFE Global Fraud Conference ©2017 3 UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS NOTES Users of I2P can also customize their configuration of tunnels on the network to require that their communication be forwarded through more network routers, which could enhance security even more. Since this means that every message would need to go through more “hops,” it could decrease the speed of the transmission. But the user has the flexibility to adjust his network settings according to his perceived risk profile.

I2P is considered in many ways to be more secure than Tor, but making effective use of I2P may require more technical knowledge than the easier-to-use Tor network. Cybercriminals and other people for whom additional security is important will not hesitate to migrate to I2P, which may help this network to grow rapidly.

MaidSafe: The Secure Access for Everyone (SAFE) Network The SAFE network is a peer-to-peer network where data is encrypted at all times. When a user installs the software, they are asked how much of their computer’s resources they would like to allocate for use by the network. In effect, their computer now becomes a node on the network, similar to the relay computers of the Tor and I2P networks. However, there are some differences.

Whatever portion of the volunteer computer’s data storage is allocated for use by the SAFE network now becomes an encrypted “Vault.” When a user joins the SAFE network, they are given a completely anonymous ID. The data storage “Vault” on their computer is issued yet another different and anonymous ID. A user never needs to provide personal information to the

28th Annual ACFE Global Fraud Conference ©2017 4 UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS NOTES network. There is no centralized data storage or dedicated servers that store any unencrypted data or user personal information.

Volunteers are paid for their participation based on the amount of resources they provide to the network, as well as how much time they make their resources available. They are paid in a proprietary digital currency named Safecoin, which can be bought, sold, and traded for Bitcoin and several other digital currencies on multiple exchanges.

A criminal wanting to cover their tracks could join the SAFE network and acquire Safecoin. They could then exchange the Safecoin for Bitcoin, and then convert that into either a different digital currency or an accepted currency anywhere in the world via any exchange. There is never any personal identification associated with either digital currency.

When a user uploads a file to be stored on the SAFE network, the files are first broken into several pieces, and each piece is encrypted separately. Then several copies of each encrypted file segment are distributed and stored on computers active on the network. None of the file segments for one file are ever present on any single device other than the original owner’s. The contents of the file or any of its file segments are completely unreadable and inaccessible to any other member of the SAFE network.

If a computer connected to the SAFE network is powered off, before the computer shuts down several copies of all file segments stored there by other users are copied to other active nodes for redundancy. This ensures that the file owner will always be able to access

28th Annual ACFE Global Fraud Conference ©2017 5 UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS NOTES their data at any time and from any location. This also results in the file segments being in constant movement, so that the location of a file segment today will more than likely be different tomorrow.

When a user requests their file from the network, the file segments are retrieved from the fastest node on which each copy is stored. A description of the process from the MaidSafe website:

“Example: A User uploads a 10 MB file. The file is split into 10 chunks (1 MB each) and made into 4 copies. This means there are 40 chunks spread out to 40 Vaults. When the User requests that file, they call on 40 Vaults. But only the fastest of each (4 Vaults per 1 MB chunk) are used to complete the retrieval. The speed at which the User can retrieve their completed file is limited by the fastest copy of the slowest 1 MB chunk arriving at their location. Instead of a whole 10 MB file being called from only 4 Vaults... you call 40 (1 MB) chunks from 40 Vaults. This makes a BIG difference in retrieval speed.”

The developers of the SAFE network are working to provide specialized apps and even websites that operate on or are hosted by the SAFE network. Imagine confidential messaging or email apps where an entire message is never stored in one place and everything is encrypted. Criminal website content, transactions, and all communication with these sites will also now be distributed and encrypted.

MaidSafe is not the only network being developed with this decentralized and distributed concept. All of these new networks will also be completely encrypted.

28th Annual ACFE Global Fraud Conference ©2017 6 UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS NOTES The Amnesiac Incognito Live System (Tails) Tails is a Linux-based operating system designed for anonymity. It can be run from a USB stick, DVD, or SD memory card on any computer. Information from the website states that since Tails is a completely separate operating system, it does not use or depend on the operating system of the computer being used. Tails supposedly leaves no tracks on the host computer, and does not use the host computer’s data storage. When shut down, Tails also claims to automatically erase the contents of RAM memory.

Tails can be used to access either the Tor or I2P networks, so it provides a portable, independent, and secure operating system, with additional protection added through these underground networks. The software package also comes with encrypted email and messaging apps, and secure data wiping software.

Whonix Whonix is also a Linux-based operating system that uses two virtual machines to provide anonymity. The first of these is the Whonix-Gateway, which routes all traffic through the Tor network. The second virtual machine is the Whonix-Workstation, which contains the full operating system.

Whonix hides the IP address of the user, and allows for anonymous web browsing, chat, email, and more. Depending on how it is used, there may be forensic evidence traces of data on the host system, but if Whonix is installed on another virtual machine, and then if all files related to the virtual machine are wiped, very little, if any, digital evidence will be left for an investigator to find.

28th Annual ACFE Global Fraud Conference ©2017 7 UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS NOTES Encrypted Calling and Messaging “Burner” cell phones, which are prepaid and usually low- cost phones capable of being used for short periods of time and then exchanged for a new device, have been around for many years. Burner phones present challenges for fraud examiners and law enforcement because the devices and airtime cards can be purchased with cash, leaving no links to identify or trace the user.

However, growing concerns over both government surveillance and corporate data collection has resulted in companies producing cell phones specifically designed to provide security and privacy. There is also a growing number of mobile device apps that are designed with these goals in mind. These new technologies can create more challenges for fraud investigators attempting to identify fraudsters and also in the preservation of electronic evidence.

There are many encrypted cell phones available for purchase, along with software applications to encrypt data on almost any device. In most cases, phones with hardware-based encryption will be significantly more expensive than a normal cell phone that uses only software- based encryption. The number of devices and apps already available is too extensive for this presentation. However, we will spotlight several options to provide a general idea of what is offered.

Blackphone Blackphone is a device manufactured by Silent Circle, a Swiss company founded by a former Navy SEAL and a group of experienced computer security professionals. One of the founders is Phil Zimmerman, the inventor of Pretty Good Privacy, one of the oldest and most widely used encryption programs in the world.

28th Annual ACFE Global Fraud Conference ©2017 8 UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS NOTES The Blackphone has a proprietary operating system called Silent OS, which is a modified version of the Android operating system with much-improved security. Silent OS allows the user to create multiple “spaces” on the device that can be used for different purposes. In effect, the user can create several “virtual” devices on the phone.

Silent OS comes with the Silent Suite of apps pre- installed, which includes Silent Phone, Silent Text, and Silent Contacts. Silent Phone allows the user to make private calls or videoconference over an encrypted Voice over Internet Protocol (VoIP) service that operates worldwide. Silent Text automatically encrypts text messages, and includes a “burn” option that permanently wipes the selected message. Silent Contacts encrypts the user’s contacts and does not allow unauthorized access to the data unless specifically approved by the user. Many apps on regular cell phones automatically have access to any contact information stored on the device, many times without the user’s knowledge. The Blackphone protects against these types of apps.

The company also offers international calling plans that eliminate roaming charges while also enhancing the security of the user. This Silent World calling plan currently functions in more than 80 countries, with expanded coverage areas planned for the future.

The Blackphone is capable of being remotely wiped in the event that the device is lost or stolen. The company also has a Silent Store, where apps that have been analyzed for security by the company are available for download. One of the greatest security risks for regular phones is from insecure mobile apps, which could

28th Annual ACFE Global Fraud Conference ©2017 9 UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS NOTES contain malware or give the developer access to much of the data on the phone.

Silent Circle does not maintain any of the encryption keys used to secure data on the Blackphone. This means that they would be unable to provide this information to requests from either intelligence or law enforcement agencies.

There is currently no secure email app included with the Blackphone, but Silent Circle is a member of the Dark Mail Alliance, which is developing an open- source encrypted messaging protocol that will more than likely be bundled with future versions of the Blackphone.

When activating a new Blackphone, the user needs to provide a username and an email address, which is the only information that Silent Circle maintains. If an anonymous email address is used, then the company has no data linking a Blackphone to its owner.

Silent Circle also has a mobile device app named Silent Phone to enable secure calling and messaging from any compatible device. The cost of the service is $9.95 USD per month.

Bitphone The Bitphone service can be accessed from any Internet browser, and gives the user the ability to make telephone calls anywhere in the world and pay for the call with Bitcoin.

The number that is displayed on Caller ID is one owned by the provider, and all calls are encrypted. If someone were to use a VPN to connect to the company and make

28th Annual ACFE Global Fraud Conference ©2017 10 UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS NOTES a telephone call, there would be no way to trace the call or determine the identity of the user.

Privatoria A new service out of the Czech Republic, Privatoria combines the features of a secure VPN with the additional anonymity provided by the Tor network. The company also provides the capability to browse the Internet anonymously. A Privatoria subscription costs less than $40 USD per year, which can be paid with Bitcoin. The service never collects any personal information from its users, and maintains no logs of user activity.

SecureSafe SecureSafe provides private, encrypted data storage and is based in Switzerland, which is outside of the legal jurisdiction of both the United States and the European Union. Switzerland has some of the most restrictive privacy laws in the world, and all external surveillance requests or court orders must be processed in the Swiss courts.

Account holders can send encrypted files of up to 2 GB in size to anyone, and the recipient does not need to have a SecureSafe account. The company is never in possession of the encryption key. Files are encrypted twice during uploading and downloading, and each file is encrypted individually. “Team Spaces” can be created to allow customized access by other people who do not need to have an individual account with the company.

The company’s app comes with a secure password generator, and allows syncing of files across multiple devices. The app also includes a secure PDF and image

28th Annual ACFE Global Fraud Conference ©2017 11 UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS NOTES viewer to prevent accidental data leakage for protected files. The mobile app allows the device’s camera to take encrypted photos of documents that are automatically uploaded to the secure data vault associated with the user’s account.

Mustbin The Mustbin app provides an encrypted data storage wallet for mobile devices. The app also allows encrypted messaging with end-to-end encryption, and the company has no access to encrypted data or to the encryption key.

The app turns a mobile device camera into a “Secure Camera” that directly encrypts photos, videos, and images of documents taken on the device. Data stored in the Mustbin wallet is automatically backed up to a cloud server, but a user can “take back” a message or file at any time. The service allows a user to remotely wipe the encrypted data on their device by accessing their account from a browser on any other device.

Users receive 8 GB of encrypted storage with free account, and can increase their storage capacity to 128 GB at a cost of $0.99 per month.

Tox Tox is an application that provides encrypted audio calls, video conferencing, text messaging, and file sharing. The software is available for multiple operating systems, including Windows, Apple OS X, Linux, Android, and iOS. Tox is a peer-to-peer network application, so when activated, the user’s computer becomes a node on the Tox network and helps to transmit data or calls for other users. Once installed, the Tox app will assign a unique Tox ID that can then be

28th Annual ACFE Global Fraud Conference ©2017 12 UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS NOTES shared with other Tox users. Tox can be used over the Tor network to enhance anonymity.

Burner Burner is a phone app that allows the user to create multiple “burner” phone numbers that can be used once and then discarded. Burner numbers can also be kept if a person wants to use them for only certain purposes or for contact with designated people with whom the number has been shared.

The basic Burner app is free, and allows the creation of a sample burner number. After installing the app, the user will enter the cell phone number of the device where the app is installed. The user can then select any area code in the United States, and the app will create a burner number that can be used to make calls and send text messages or photos. Additional burner numbers can be created through the purchase of credits.

Guardlock Guardlock uses military grade encryption for voice calls end to end. Users download the app and create a username. The service never asks for personal information or for the real telephone number of the mobile device. Once activated, any other Guardlock user can be called via the app.

All calls are encrypted, and the company has no access to the call content. A new encryption key is generated for every call, and the company maintains no call records.

No SIM card is required to make a call with Guardlock—only an Internet connection. So a device

28th Annual ACFE Global Fraud Conference ©2017 13 UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS NOTES with the SIM card removed but with a Wi-Fi connection could still make calls using the app.

Subscriptions to the service cost $29.99 USD per year, and the app is available from either the Apple App Store or the Google Play Store.

Zip SIM Zip SIM sells SIM cards that can be used in any compatible unlocked phone. The SIM card is preloaded with a cellular or data plan, and is self-activating. The cards can be purchased for cash at many retail locations throughout the U.S. or directly from the Zip SIM website. No registration is required, and SIM cards can be purchased that include unlimited nationwide calling in the U.S. plus text messaging and data. They also offer plans with only data. A plan that includes talk, text, and data for 7 days can cost as little as $25.00 USD.

Purchasers can enter a postal zip code, and after the SIM card has been activated, a text message will be sent to the phone that tells the user the new telephone number attached to the SIM card. If no zip code is specified, Zip SIM will randomly assign a telephone number.

Consider a scenario where a criminal purchases several cheap unlocked phones using a prepaid debit card. The next step would be to purchase several of the lowest cost Zip SIM cards with cash at one of the retail outlets (or online). Once the Zip SIM card has been activated, a user could use it for 7 days, choose a different phone, and activate the next Zip SIM card. If money were no issue for the fraudster, they would purchase additional new phones to use with this card as well.

28th Annual ACFE Global Fraud Conference ©2017 14 UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS NOTES If the user also combined this system with the use of a VPN on the phone for data usage, it would be extremely difficult to trace their location.

Signal Open Whisper Systems has created the Signal app to allow a user to make encrypted cell phone calls or to send secure text messages. Communication is from one user to another via the app, and the encryption keys for all communication are stored only on the user’s device. This encryption key can be further protected with the use of a passphrase. The Signal app is free for either iOS or Android devices, and recently came out with a desktop version. The company maintains no metadata related to user activity, and requires no personal information for use of the app. Users can also send self- destructing text messages.

Wickr Another popular app called Wickr allows the user to decide the expiration date and time for any message sent, and can also transmit photos, videos, audio files, and documents. The app comes with a data shredder to securely erase messages or other files sent via the app.

Dust Dust is an ephemeral messaging app that can be used to send and receive text messages, stickers, links, photos, videos, and more. Messages are protected from screenshots and disappear after they are read. Messages are heavily encrypted and never touch a hard drive— not even one on a company server.

Messages exist only in active memory on company servers, and are erased immediately after they are read or after 24 hours if they go unopened. Once messages

28th Annual ACFE Global Fraud Conference ©2017 15 UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS NOTES are deleted they can never be recovered. Every message is protected with its own unique 128-bit AES encryption that is further secured by an RSA 2048-bit key.

Anonymous and/or Encrypted Email

10 Minute Mail This is one of the many services that provide email addresses that are only valid for a short period of time. As you might guess, for this service a user can send and receive email messages for only ten minutes

http://10minutemail.com

W-3 Anonymous Remailer This web-based service was created as a joint project of George Mason Society and the Global Internet Liberty Campaign. The web page contains a form that asks the user to input the email address the message should be sent to, along with a subject and the body of the message. The message is then sent through their anonymous server, and the recipient never receives email header information that could identify the sender.

CounterMail CounterMail is an email provider located in Sweden. Accounts are encrypted and anonymous, and all messages are encrypted using the OpenPGP encryption protocol. CounterMail never captures the IP address of users accessing their systems, and all email messages have an anonymous IP address in the message header to maintain their users’ anonymity. All messages and attachments are always encrypted, and CounterMail does not save the public or private encryption keys of their users. CounterMail also offers the option to

28th Annual ACFE Global Fraud Conference ©2017 16 UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS NOTES purchase a USB key, and logging into a user’s account is impossible unless the USB key is inserted into a USB port on the device being used to access the account. The annual fee of $59 USD can be paid by credit card, PayPal, wire transfer, or Bitcoin.

ProtonMail ProtonMail is a free email provider located in Switzerland, providing enhanced privacy protection as was mentioned earlier.

Email is encrypted on the ProtonMail servers, and is also encrypted during transmission for additional security. ProtonMail is never in possession of the decryption keys for any user data. There is also a feature for users to designate a self-destruction date and time when the encrypted email in the recipient’s Inbox will be destroyed (or no longer readable, if sent to a non-ProtonMail user).

A username and password are required to login to an account, but an additional password is needed to decrypt the email content.

The free account has limits on the amount of storage and number of messages per day. Paid accounts providing more storage, additional email addresses, and more messages per day are also available. The company has now released mobile device apps, but accounts can be accessed via any browser.

Lelantos Lelantos is an email provider on the Tor network. The cost of a basic account is $32 USD per year, payable in Bitcoin. No personal information is ever given when signing up for an account. All incoming email is

28th Annual ACFE Global Fraud Conference ©2017 17 UNTRACEABLE LINKS: TECHNOLOGIES USED BY FRAUDSTERS TO HIDE THEIR TRACKS NOTES automatically encrypted before it is stored in a user’s Inbox. The account allows registration of 100 email addresses, so the user can use multiple email addresses without opening new accounts. Temporary email addresses are also available, along with self-destructing email. Lelantos can be accessed only with the use of the Tor browser.

Mesh Networks Mesh networking makes use of special hardware or software to allow devices to directly connect to each other via W-Fi or Bluetooth signals without the use of a cellular network or the Internet. Similar technology is being used by municipalities to provide seamless Wi-Fi coverage within their boundaries by connecting available Wi-Fi routers and all available devices. Protesters are using this technology to communicate and coordinate their efforts, even in locations where government or law enforcement is attempting to control or stop the protest effort. Criminals can also use this technology to make it more difficult to trace their communications.

Mesh networks are self-healing, anonymous, pervasive, and cheap to deploy. The only way to shut down a mesh network is to close down every single node on the network, which may not be practical. Users may connect to other devices, and can use the fastest or most reliable connection from any other device to actually connect to the Internet. Another smart phone app named Fire Chat has been used extensively in the recent Hong Kong democracy protests. The app currently has over two million users, and connects every user who has installed the app into one giant mesh network. Users share their wireless and/or Internet connection and bandwidth with every other device on the network. The app allows instant messaging and photo transfers on the mesh network of connected devices, and

With this type of automatic network, authorized devices would automatically connect to the nearest device with the best signal, similar to the way cellular telephones change connections to the nearest cell tower. As the user moves around the area, her connection can hop from one device to another, depending on which device has the best connection and signal.

From an investigative perspective, mesh networks make it more difficult to track targets and to trace their communications. Users of a mesh network may never “touch” their cell network or the Internet, and there are no logs to trace messages through this decentralized network.

Conclusion New technologies, services, and apps are evolving daily that can provide fraudsters with the ability to communicate using potentially untraceable links. Fraud examiners must maintain an awareness of these new capabilities to recognize indications that any of these tools may have been used to hide evidence or to escape detection.