Case Examples on Evidence Collection, Retention, and Presentation

BOGDAN CIINARU | BANGKOK | DATE 10.09.2019

Software used

• GPG4Win (Kleopatra)
• Browser
• (https://ricochet.im)

VC ENCRYPTION

• Converting data into ciphertext
• (A)symmetric
• Often used on DNMs
• Encrypted messages: shipping address, info about orders
• E.g. PGP on DNMs
• Key server!

PGP

Ensures encrypted communications:

• Encrypt the message with the recipient’s public key (e.g. found on the DNM)
• The recipient decrypts the message with the corresponding private key

OSINT for PGP

Some public key servers where you can search for a name (string), email address or hexadecimal KeyID:

• http://pgp.mit.edu/
• https://sks-keyservers.net/i/
• https://pgp.key-server.io/
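A keyserver lookup of the kind described above can be scripted so that a harvested KeyID or e-mail address is checked consistently. The following Python is an added example written for this page, not software from the presentation or from any keyserver project. It assumes the HKP interface these servers expose (`/pks/lookup` with `op=index&options=mr`) and parses the machine-readable index format offline; the sample index, its key IDs and its user IDs are constructed, not real keyserver data.

```python
"""Query helpers for HKP keyservers such as the ones listed above.

Added example, not part of the presentation. Builds the lookup URL a
keyserver expects and parses the machine-readable index (options=mr) it
returns, so a saved response can be searched offline.
"""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote, urlencode

HEX = set("0123456789abcdefABCDEF")

# Constructed sample in the HKP machine-readable index format:
#   pub:<keyid>:<algo>:<keylen>:<creation>:<expiry>:<flags>
#   uid:<percent-escaped user id>:<creation>:<expiry>:<flags>
# algo 1 = RSA (RFC 4880); dates are Unix timestamps; flags r/d/e = revoked/disabled/expired.
SAMPLE_INDEX = """info:1:2
pub:A1B2C3D4E5F60718:1:4096:1560000000:1660000000:
uid:Vendor%20One%20%3Cvendor1%40example.com%3E:1560000000::
pub:0123456789ABCDEF:1:2048:1500000000::r
uid:old%20key%20%3Cvendor1%40example.com%3E:1500000000::r
"""


@dataclass
class KeyRecord:
    keyid: str
    algo: int
    keylen: int
    created: Optional[int]
    expires: Optional[int]
    flags: str
    uids: List[str] = field(default_factory=list)


def normalize_keyid(query: str) -> str:
    """Return '0x' + upper-case hex for a short (8), long (16) or fingerprint (32/40) ID."""
    h = query.strip().replace(" ", "")
    if h[:2].lower() == "0x":
        h = h[2:]
    if len(h) not in (8, 16, 32, 40) or not set(h) <= HEX:
        raise ValueError(f"not a hexadecimal key ID: {query!r}")
    return "0x" + h.upper()


def lookup_url(server: str, query: str) -> str:
    """HKP index URL. Hex IDs get the 0x prefix so the server searches by key ID, not by string."""
    try:
        search = normalize_keyid(query)
    except ValueError:
        search = query  # a name or e-mail address: plain substring search on user IDs
    params = {"op": "index", "options": "mr", "search": search}
    return server.rstrip("/") + "/pks/lookup?" + urlencode(params)


def _ts(value: str) -> Optional[int]:
    return int(value) if value else None


def parse_mr_index(text: str) -> List[KeyRecord]:
    """Parse pub:/uid: lines; each uid belongs to the most recent pub record."""
    records: List[KeyRecord] = []
    current: Optional[KeyRecord] = None
    for line in text.splitlines():
        parts = line.rstrip("\r").split(":")
        if parts[0] == "pub" and len(parts) >= 7:
            current = KeyRecord(keyid=parts[1].upper(), algo=int(parts[2] or 0),
                                keylen=int(parts[3] or 0), created=_ts(parts[4]),
                                expires=_ts(parts[5]), flags=parts[6])
            records.append(current)
        elif parts[0] == "uid" and current is not None and len(parts) >= 2:
            current.uids.append(unquote(parts[1]))  # user IDs are percent-escaped
    return records


def keyid_matches(record_keyid: str, wanted: str) -> bool:
    """Short and long key IDs are suffixes of the fingerprint, so compare the shorter suffix."""
    a, b = record_keyid.upper(), normalize_keyid(wanted)[2:]
    n = min(len(a), len(b))
    return a[-n:] == b[-n:]


def usable_at(rec: KeyRecord, now_ts: int) -> bool:
    """Only a key that is not revoked/disabled/expired and still valid is worth encrypting to."""
    if rec.flags:
        return False
    return rec.expires is None or rec.expires > now_ts


def find_keys(index_text: str, query: str, now_ts: int) -> List[KeyRecord]:
    """Usable records whose key ID matches `query`, or whose user ID contains it."""
    recs = parse_mr_index(index_text)
    try:
        hexid = normalize_keyid(query)
        hits = [r for r in recs if keyid_matches(r.keyid, hexid)]
    except ValueError:
        q = query.lower()
        hits = [r for r in recs if any(q in u.lower() for u in r.uids)]
    return [r for r in hits if usable_at(r, now_ts)]


if __name__ == "__main__":
    print(lookup_url("http://pgp.mit.edu", "0xE5F60718"))
    for rec in find_keys(SAMPLE_INDEX, "vendor1@example.com", 1577836800):
        print(rec.keyid, rec.keylen, rec.uids)
```

Two caveats when using the result: keyservers do not verify uploads, so anyone can publish a key under any name and a hit is a lead to be confirmed against the key the vendor actually posted on the market, not proof of identity; and the `0x` prefix matters, because without it the server treats the hex string as a substring search on user IDs and returns unrelated keys.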

TOR NETWORK

• Since the mid ’90s, by the United States Naval Research Laboratory
• Anonymization software
• Protecting privacy
• Censorship circumvention tool (bridges)
• Protection against traffic analysis
• Protection against eavesdropping
• 6000+ relays worldwide
• Number of users: +/- 5 000 000
• Safer communication for whistleblowers and dissidents
• Hides footprints of LE, military, gov, etc.
• Used by criminals
• Hidden service protocol (complex)
• Websites ending in .onion
• Only accessible with Tor
• Server’s location is hidden
• Server’s IP address not revealed
• E.g. Facebook, Wall Street Market
• Visit http://torstatus.blutmagie.de/ and https://metrics.torproject.org/exonerator.html

Others

• OpenBazaar
• Orbot – Orfox
• Ricochet
• Freenet
• I2P

OSINT

• DeepDotWeb
• Guides: DeepWebSitesLinks, DarkWebNews, “The Superlist”
• Google (e.g. SR case)
• Pastebin
• Onion Investigator

• The Hidden (http://zqktlwi4fecvo6ri.onion)
• The Uncensored Hidden Wiki (kpvz7ki2lzvnwve7.onion/wiki/index.php/Main_Page)
• (http://grams7enufi7jmdl.onion)
• Search engines/onion crawlers (users, products, markets etc.):
  - Ahmia (http://msydqstlz2kzerdg.onion/)
  - Torch (http://xmh57jrzrnw6insl.onion/)
  - Not Evil (http://hss3uro2hsxfogfq.onion/)
  - VisiTOR (http://visitorfi5kl7q7i.onion/search/)
  - Fresh Onions (http://zlal32teyptf4tvi.onion/)

Search engines:

• torch: xmh57jrzrnw6insl.onion
• ahmia: msydqstlz2kzerdg.onion
• 5plvrsgydwy2sgce.onion

DARKNET Markets
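Crawler output from directories and search engines like the ones listed above has to be cleaned before it becomes intelligence: addresses in forum posts are mistyped, truncated or simply made up. The following Python is an added example, not code from the presentation. It extracts .onion hostnames from scraped text, accepts the 16-character (v2) form shown on the slides on format alone, and goes beyond the slides to verify the checksum embedded in the 56-character v3 addresses that Tor introduced later. The sample crawl text is constructed around the three addresses quoted on the slides; the v3 address is generated from a made-up key.

```python
"""Extract and sanity-check .onion addresses harvested from scraped text.

Added example for this page, not part of the presentation.
v2 addresses (16 chars) are the truncated SHA-1 of the service's RSA key and
can only be checked for format offline; v3 addresses (56 chars) carry a
checksum that can be recomputed from the address itself.
"""
import base64
import hashlib
import re
from typing import Dict, List

# A .onion label uses the RFC 4648 base32 alphabet (a-z, 2-7): 16 chars for v2, 56 for v3.
ONION_RE = re.compile(r"\b([a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)

# v3 layout: base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) with VERSION = 0x03 and
# CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
V3_CHECKSUM_PREFIX = b".onion checksum"
V3_VERSION = b"\x03"

# Constructed crawler output; the three complete addresses are the ones quoted on the
# slides, the last line is a deliberately mistyped (15-character) copy that must be dropped.
SAMPLE_SCRAPE = """\
wiki: http://zqktlwi4fecvo6ri.onion/wiki/Main_Page
torch : xmh57jrzrnw6insl.onion
ahmia : msydqstlz2kzerdg.onion
mirror (typo): zqktlwi4fecvo6r.onion
"""

# Made-up 32-byte value standing in for an Ed25519 public key (not a real service).
EXAMPLE_PUBKEY = hashlib.sha256(b"constructed example key").digest()


def extract_onions(text: str) -> List[str]:
    """Unique candidate hostnames in order of first appearance, lower-cased."""
    seen, out = set(), []
    for m in ONION_RE.finditer(text):
        host = m.group(0).lower()
        if host not in seen:
            seen.add(host)
            out.append(host)
    return out


def v3_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(V3_CHECKSUM_PREFIX + pubkey + V3_VERSION).digest()[:2]


def make_v3_onion(pubkey: bytes) -> str:
    """Build a v3 address from a 32-byte key; 35 bytes encode to exactly 56 base32 chars."""
    assert len(pubkey) == 32
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify(host: str) -> Dict[str, object]:
    """Report version and whether the address survives the checks possible offline."""
    host = host.lower()
    label = host[:-6] if host.endswith(".onion") else host
    result: Dict[str, object] = {"host": host, "version": None, "valid": False,
                                 "reason": "", "pubkey": None}
    if not re.fullmatch(r"[a-z2-7]+", label):
        result["reason"] = "not a base32 label"
        return result
    if len(label) == 16:
        result.update(version=2, valid=True, reason="v2 format ok (no offline checksum exists)")
        return result
    if len(label) != 56:
        result["reason"] = "unexpected label length"
        return result
    raw = base64.b32decode(label.upper())  # 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    result["version"] = 3
    if version != V3_VERSION:
        result["reason"] = "bad version byte"
    elif checksum != v3_checksum(pubkey):
        result["reason"] = "checksum mismatch (typo or fabricated address)"
    else:
        result.update(valid=True, reason="v3 checksum ok", pubkey=pubkey.hex())
    return result


def scan(text: str) -> List[Dict[str, object]]:
    return [classify(h) for h in extract_onions(text)]


if __name__ == "__main__":
    sample = SAMPLE_SCRAPE + "new-style mirror: " + make_v3_onion(EXAMPLE_PUBKEY) + "\n"
    for r in scan(sample):
        print(r["host"], "v%s" % r["version"], r["reason"])
```

A passed check only says the string is well formed: it does not prove the service exists or that the address was not planted by someone else, so the record still needs the usual source and timestamp before it goes into an intelligence package.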

• Darknet market = hidden service
• Trade of mostly illegal goods/services
• Vendor – buyer interaction
• Admin(s)/moderator(s)
• Escrow/domestically
• Exit scams (e.g. AlphaBay, … Market)
• Forums

Link directories:
• TorLinks: torlinkbgs6aabns.onion
• Deep.dot.web: deepdot35wvmeyd5.onion
• zqktlwi4fecvo6ri.onion/wiki/Main_Page
• OnionDir: dirnxxdraygbifgc.onion

DARKNET Markets

• Generally you need to register to obtain access:
  - Username
  - Password
  - (PIN)
  - (PGP public key)
  - (invitation)
• Search/filter functionality
• User profile
• Feedback ratings
• Pictures

VENDORS FOR ILLICIT IP PRODUCTS?

• Profit-oriented, aiming to reach a large pool of customers and increase sales volume
• Vendors tend to advertise their products on different Darknet markets, often using the same user name and selling the products for the same price
• Specialised in selling one category of illicit goods, e.g. (counterfeit) pharmaceutical products or luxury goods
• Usually not selling different types of illicit goods such as firearms, narcotics, …

.onion Shops

IPR vendors are neglecting their anonymity:

• Email addresses (e.g. @yahoo.com)
• Registered websites on the clear net
• Uploading pictures on popular platforms (e.g. imageshack.com)
• Using courier companies for delivery
• Having accounts (e.g. Twitter)

Many migrated from AlphaBay and Hansa to the new ones.

Undercover + classical LE investigations

Example:

• Test purchase (undercover)
• Figure out where the parcel was sent from
• Go to the post office and ask for CCTV footage
• Buy a second good
• Check again where it was sent from – same place?
• Another purchase and proper surveillance in the office
• Follow the suspect, etc.
• Fingerprints or DNA on the parcel

Objective: Locate DNM (real-world IP address)

• Can be very technical (help from private sector?)
• Starting info and/or IP address could be revealed through:
  - Tip-off
  - Deanonymization techniques: misconfigurations/vulnerabilities/exploits; unmasking sloppy admin(s) because of catastrophic mistakes
• Intelligence gathering by scraping/crawling the marketplace
• Convert raw data into useful intelligence
• Focus on darknet markets (DNMs)/vendor shops

• Real-world IP address (hosting the market?) exposed:
  - Wiretap analysis
  - NetFlow analysis
  - Infrastructure mapping
• Hosting services (VPS, dedicated server) – subpoena – reliable? – payments
• Used software/versions
• If possible, forensic copy for first analysis
• If needed, another wiretap/NetFlow (affiliated systems)
• Connection with admin rights?
• Correlate info
• Takedown (server analysis) or takeover (e.g. Hansa Market)
• Focus on the money

Further steps

• The involvement of organised crime in this trade and the potential for poly-criminality of vendors need to be further explored
• Monitor and understand emerging threats presented by the Darknet
• Complete approach and strong cooperation with intermediaries (exchangers and shipping companies)

EUROPOL IN FUTURE?

• Awareness raising and expertise sharing among investigators
• Use and increase the intelligence in this area
• Consider the involvement of our private sector partners that possess operational intelligence
• Improve cooperation between our partners similarly at national level
• Potential strengthening of the legislation
• Create future awareness campaigns for the users
• Use IPC3’s monitoring team
• Continuously monitor the dark internet

Cyber-patrolling Week

• Second coordinated action week to counter the evolving criminality on the Darknet in a multi-disciplinary law enforcement manner, focusing on multiple crime areas.
• More than 40 investigators and experts mapped active targets in their specific crime areas and developed intelligence packages.
• Crime areas: cyber-attacks, payment card fraud, illicit online trade including drugs (cocaine, heroin, synthetic drugs), illicit trafficking in firearms, trafficking in human beings, virtual currencies, forged documents, money laundering and counterfeiting.
• Key operational outcome: 272 targets listed, 73 of whom were prioritised for further investigation, and 42 cross-matches identified across the different areas.
• Europol’s contribution: operational coordination, operational strategy, secure information exchange, analytical and forensic expertise.
• Participants: AT, BE, BG, CY, CZ, DE, ES, FI, FR, HR, HU, IE, IT, LV, NL, PL, PT, RO, SI, SK, SE, UK, CH, US, Eurojust and Europol.
• AP Copy representatives from customs for the first time

THANK YOU