Case Examples on Evidence Collection, Retention, and Presentation
BOGDAN CIINARU | BANGKOK | DATE 10.09.2019
Software used
GPG4Win (Kleopatra)
Tor Browser
Ricochet (https://ricochet.im)
VC ENCRYPTION
• Converting data into ciphertext
• (A)symmetric
• Often used on the Dark Web / DNMs
• Encrypted messages: shipping address, info about orders
• E.g. PGP on DNMs
• Key server!

PGP
Ensures encrypted communications:
• Encrypt the message with the recipient's public key (e.g. found on a DNM)
• The recipient decrypts the message with the corresponding private key

OSINT for PGP
Some public key servers where you can search for a name (string), email address or hexadecimal KeyID:
• http://pgp.mit.edu/
• https://sks-keyservers.net/i/
• https://pgp.key-server.io/

Tor
• Since the mid '90s, by the United States Naval Research Laboratory
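The key-server lookup from the OSINT for PGP slide, worked through as an added example (this is not code from the slides or from any key server). The servers listed above speak HKP: the index query is /pks/lookup?op=index&search=…, and with options=mr the reply is the colon-separated machine-readable format of draft-shaw-openpgp-hkp-00 (pub: and uid: lines). The reply parsed below is a constructed sample with made-up key IDs and user IDs; the parser keeps revoked/expired keys because they still matter as evidence, but marks them as not usable for encryption.

```python
"""Look up and parse PGP key-server search results (HKP, machine-readable).

Added example, not from the slides. The key servers listed above answer an
HKP index query (/pks/lookup?op=index&search=...) and, when options=mr is
set, reply in a colon-separated format (draft-shaw-openpgp-hkp-00, sec. 5.2):
  pub:<keyid or fingerprint>:<algo>:<bits>:<created>:<expires>:<flags>
  uid:<url-escaped user id>:<created>:<expires>:<flags>
The reply below is CONSTRUCTED for this example; key IDs and UIDs are made up.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import unquote, urlencode

SAMPLE_MR_RESPONSE = """info:1:2
pub:0123456789ABCDEF0123456789ABCDEF01234567:1:4096:1483228800::
uid:Example Vendor %3Cvendor%40example.invalid%3E:1483228800::
uid:vendor (market handle):1500000000::
pub:89ABCDEF0123456789ABCDEF0123456789ABCDEF:1:2048:1262304000:1293840000:r
uid:Old Key %3Cold%40example.invalid%3E:1262304000::
"""


@dataclass
class KeyRecord:
    fingerprint: str
    algorithm: int              # RFC 4880 public-key algorithm id: 1 = RSA, 17 = DSA
    bits: int
    created: datetime
    expires: Optional[datetime]
    flags: str                  # r = revoked, d = disabled, e = expired
    uids: List[str] = field(default_factory=list)

    @property
    def long_keyid(self) -> str:
        # The 64-bit key ID is the low-order 16 hex digits of the fingerprint.
        return self.fingerprint[-16:]

    @property
    def usable(self) -> bool:
        # A revoked/expired key is still evidence, but must not be trusted for encryption.
        return not any(f in self.flags for f in "rde")


def lookup_url(server: str, query: str) -> str:
    """Build the HKP index URL for a name, e-mail address or hex key ID."""
    q = query.strip()
    # Hex key IDs/fingerprints are searched with a 0x prefix; otherwise the string is text.
    if re.fullmatch(r"[0-9A-Fa-f]+", q) and len(q) in (8, 16, 32, 40):
        q = "0x" + q
    params = urlencode({"op": "index", "options": "mr", "search": q})
    return f"{server.rstrip('/')}/pks/lookup?{params}"


def _ts(value: str) -> Optional[datetime]:
    return datetime.fromtimestamp(int(value), tz=timezone.utc) if value else None


def parse_index(text: str) -> List[KeyRecord]:
    """Turn a machine-readable index reply into KeyRecords (uid lines attach to the preceding pub)."""
    keys: List[KeyRecord] = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) >= 7:
            _, keyid, algo, bits, created, expires, flags = fields[:7]
            keys.append(KeyRecord(keyid.upper(), int(algo), int(bits), _ts(created), _ts(expires), flags))
        elif fields[0] == "uid" and len(fields) >= 2 and keys:
            keys[-1].uids.append(unquote(fields[1]))
    return keys


def uid_emails(keys: List[KeyRecord]) -> List[str]:
    """Collect e-mail addresses from UIDs: the usual pivot from a key to other accounts."""
    found: List[str] = []
    for key in keys:
        for uid in key.uids:
            m = re.search(r"<([^<>\s]+@[^<>\s]+)>", uid)
            if m and m.group(1) not in found:
                found.append(m.group(1))
    return found


if __name__ == "__main__":
    print(lookup_url("https://pgp.key-server.io", "vendor@example.invalid"))
    for k in parse_index(SAMPLE_MR_RESPONSE):
        state = "usable" if k.usable else f"NOT usable (flags={k.flags})"
        print(k.long_keyid, k.bits, "bit", k.created.date(), state, k.uids)
    print(uid_emails(parse_index(SAMPLE_MR_RESPONSE)))
```

Record the full fingerprint rather than the short 32-bit key ID when you note a key as evidence: short IDs collide easily, and a key server may return several keys for the same name or e-mail address.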
Tor (cont.)
• Anonymization software
• Protecting privacy
• Censorship circumvention tool (bridges)
• Protection against traffic analysis
• Protection against eavesdropping
• 6000+ relays worldwide
• Number of users: +/- 5 000 000
• Safer communication for whistleblowers and dissidents
• Hides footprints of LE, military, gov, etc.
• Used by criminals
• Hidden service protocol (complex)
  - Websites ending in .onion
  - Only accessible with Tor
  - Server's location is hidden
  - Server's IP address not revealed
  - E.g. Facebook, Wall Street Market

TOR NETWORK
Visit:
• http://torstatus.blutmagie.de/
• https://metrics.torproject.org/exonerator.html
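ExoneraTor, linked above, answers one question for an investigator or a defender: was a given IP address a Tor relay (and an exit that could reach my service) at a given time? The following is an added example of that check, written for these notes and not ExoneraTor's own code. Its relay table is a constructed stand-in for the consensus archive (made-up fingerprints, documentation-range addresses), and the web-server log lines it tags are constructed too. It also shows the edge cases that matter for evidence: an address can be reused by different relays over time, a relay stays valid for three hours after its last consensus, and a relay that is not an exit will not be the source of Tor client traffic.

```python
"""ExoneraTor-style check: was an IP address a Tor relay, and an exit, at a given time?

Added example, not from the slides and not ExoneraTor's own code. ExoneraTor
answers this from archived network consensuses; the relay table here is a
CONSTRUCTED stand-in for that archive (made-up fingerprints and
documentation-range addresses), and the log lines are constructed too.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# A consensus is published hourly and stays valid for three hours, so a relay that
# appeared in its last consensus at T may still carry traffic until T + 3h.
CONSENSUS_VALIDITY = timedelta(hours=3)


@dataclass(frozen=True)
class RelayRecord:
    fingerprint: str
    nickname: str
    address: str
    or_port: int
    flags: frozenset          # consensus flags, e.g. Exit, Guard, Running
    exit_ports: frozenset     # TCP ports the exit policy allowed (empty for non-exits)
    first_seen: datetime      # first consensus listing the relay at this address
    last_seen: datetime       # last consensus listing the relay at this address


def utc(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed archive: 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
RELAY_ARCHIVE: List[RelayRecord] = [
    RelayRecord("A" * 40, "OldExit", "192.0.2.10", 9001, frozenset({"Exit", "Running"}),
                frozenset({80, 443}), utc(2018, 1, 1), utc(2018, 3, 1)),
    RelayRecord("B" * 40, "ExampleExit", "192.0.2.10", 443, frozenset({"Exit", "Running"}),
                frozenset({80, 443}), utc(2019, 9, 1), utc(2019, 9, 12, 23)),
    RelayRecord("C" * 40, "ExampleGuard", "198.51.100.7", 9001, frozenset({"Guard", "Running"}),
                frozenset(), utc(2019, 8, 15), utc(2019, 9, 30)),
]


def relays_at(archive: List[RelayRecord], ip: str, at: datetime) -> List[RelayRecord]:
    """Relays that ran on `ip` at `at`; address reuse means one IP can map to different relays over time."""
    ip = str(ip_address(ip))
    return [r for r in archive
            if str(ip_address(r.address)) == ip and r.first_seen <= at <= r.last_seen + CONSENSUS_VALIDITY]


def check(archive: List[RelayRecord], ip: str, at: datetime, dest_port: Optional[int] = None) -> Dict:
    """Verdict: was the IP a relay, and could it exit to dest_port, at that time?"""
    hits = relays_at(archive, ip, at)
    exits = [r for r in hits if "Exit" in r.flags and (dest_port is None or dest_port in r.exit_ports)]
    return {"relay": bool(hits), "exit": bool(exits), "fingerprints": [r.fingerprint for r in hits]}


LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')


def tag_log_lines(archive: List[RelayRecord], lines: List[str], dest_port: int = 443) -> List[Tuple[str, str]]:
    """Label each common-log-format line tor-exit / tor-relay / none at the request's own timestamp.

    dest_port is the port the logged service listens on (assumed 443 here; the log does not carry it).
    """
    out = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, stamp = m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        verdict = check(archive, ip, stamp, dest_port)
        out.append((ip, "tor-exit" if verdict["exit"] else "tor-relay" if verdict["relay"] else "none"))
    return out


SAMPLE_LOG = [  # constructed web-server lines
    '192.0.2.10 - - [10/Sep/2019:13:05:44 +0000] "GET /login HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Sep/2019:13:06:01 +0000] "GET / HTTP/1.1" 200 1024',
    '203.0.113.5 - - [10/Sep/2019:13:07:12 +0000] "POST /login HTTP/1.1" 302 0',
    '192.0.2.10 - - [01/Jun/2018:09:00:00 +0000] "GET / HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, tag in tag_log_lines(RELAY_ARCHIVE, SAMPLE_LOG):
        print(ip, tag)
```

The verdict is only as good as the archive's time resolution: always evaluate the log line against the relay's status at that timestamp, never against today's exit list, or the result will be wrong for any address that has changed hands.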
Others
• OpenBazaar
• Orbot – Orfox
• Ricochet
• Tails
• Freenet
• I2P

DeepDotWeb
• Guides
DeepWebSitesLinks
DarkWebNews
Reddit “The Superlist”
Google (e.g. SR case)
Pastebin
Onion Investigator

OSINT
• The Hidden Wiki (http://zqktlwi4fecvo6ri.onion)
• The Uncensored Hidden Wiki (kpvz7ki2lzvnwve7.onion/wiki/index.php/Main_Page)
• Grams (http://grams7enufi7jmdl.onion)
• Search engines / onion crawlers (users, products, markets, etc.):
  - Ahmia (http://msydqstlz2kzerdg.onion/)
  - Torch (http://xmh57jrzrnw6insl.onion/)
  - Not Evil (http://hss3uro2hsxfogfq.onion/)
  - VisiTOR (http://visitorfi5kl7q7i.onion/search/)
  - Fresh Onions (http://zlal32teyptf4tvi.onion/)

Search Engines on darknet
• torch: xmh57jrzrnw6insl.onion
• ahmia: msydqstlz2kzerdg.onion
• searX: 5plvrsgydwy2sgce.onion

DARKNET Markets
• Darknet market = hidden service
• Trade of mostly illegal goods/services
• Vendor – buyer interaction
• Admin(s)/moderator(s)
• Escrow / domestically
• Exit scams, e.g. Evolution
• Silk Road, AlphaBay, Hansa Market
• Forums

DARKNET MARKETS
• TorLinks: torlinkbgs6aabns.onion
• Deep.dot.web: deepdot35wvmeyd5.onion
• The Hidden Wiki: zqktlwi4fecvo6ri.onion/wiki/Main_Page
• OnionDir: dirnxxdraygbifgc.onion
DARKNET Markets
Generally you need to register to obtain access:
• Username
• Password
• (PIN)
• (PGP public key)
• (invitation)
Search/filter functionality
User profile
Feedback ratings
Pictures
.onion Forum Markets

VENDORS FOR ILLICIT IP PRODUCTS?
- profit-oriented, aiming to reach out to a large pool of customers and increase the sales volume
- vendors tend to advertise their products on different Darknet markets, often using the same user name and selling the products for the same price
- specialised in selling one category of illicit goods, e.g. (counterfeit) pharmaceutical products or luxury goods
- usually not selling different types of illicit goods such as firearms, narcotics, ….

.onion Shops
IPR vendors are neglecting their anonymity:
- email addresses (e.g. @yahoo.com)
- registered websites on the clear net
- uploading pictures to popular platforms (e.g. imageshack.com)
- using courier companies for delivery
- having social media accounts (e.g. Twitter)

Many migrated from AlphaBay and Hansa to the new ones.

Undercover + classical LE investigations
Example
• Test-purchase (undercover)
• Figure out where the parcel was sent from
• Go to the post office and ask for CCTV footage
• Buy a second good
• Check again the place it was sent from
• Same place?
• Another purchase and proper surveillance in the office
• Follow the suspect etc.
• Fingerprints or DNA on the parcel

Objective: Locate DNM (real-world IP address)
• Can be very technical (help from private sector?)
• Starting info and/or IP address could be revealed through:
  - Tip-off
  - Deanonymization techniques: misconfigurations/vulnerabilities/exploits; unmasking sloppy admin(s) because of catastrophic mistakes
  - Intelligence gathering by scraping/crawling the marketplace: convert raw data into useful intelligence
• Focus on darknet markets (DNMs)/vendor shops
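"Convert raw data into useful intelligence" is the step the slides leave abstract; the added example below (written for these notes, not the slides' or any tool's code) does it for the two observations made earlier: vendors reuse the same user name and price across markets, and IPR vendors leak clearnet identifiers (e-mail addresses, clearnet websites, social media handles, image hosts). It clusters scraped vendor accounts across markets and then lists the clearnet pivots found in each cluster's listing text. The listings are constructed: market names, vendor handles, fingerprints and contact details are all made up.

```python
"""Turn scraped marketplace listings into vendor intelligence.

Added example, not from the slides. It implements two observations made in the
slides: vendors reuse the same user name and price across markets, and IPR
vendors leak clearnet identifiers (e-mail addresses, websites, social media
handles). The listings below are CONSTRUCTED; market names, vendors,
fingerprints and contacts are made up.
"""
import re
from typing import Dict, List

LISTINGS = [
    {"market": "MarketA", "vendor": "pharma_king", "product": "Brand X 100mg x30", "price_usd": 45.0,
     "pgp_fpr": "1111111111111111111111111111111111111111", "text": "Questions: pharma_king@example.com"},
    {"market": "MarketB", "vendor": "pharma_king", "product": "Brand X 100mg x30", "price_usd": 45.0,
     "pgp_fpr": "", "text": "Tracked delivery via courier, 3-5 days"},
    {"market": "MarketB", "vendor": "luxgoods", "product": "Replica watch model Y", "price_usd": 120.0,
     "pgp_fpr": "2222222222222222222222222222222222222222",
     "text": "Catalogue at https://lux-goods.example/ and twitter @luxgoods_shop"},
    {"market": "MarketC", "vendor": "lux_goods", "product": "Replica watch model Y", "price_usd": 120.0,
     "pgp_fpr": "2222222222222222222222222222222222222222", "text": "Pictures on http://img.example.invalid/abc"},
    {"market": "MarketC", "vendor": "pharma_king", "product": "Brand Z 50mg x10", "price_usd": 10.0,
     "pgp_fpr": "", "text": "new vendor, no feedback yet"},
]


def account(listing: Dict) -> str:
    return f"{listing['market']}/{listing['vendor']}"


class UnionFind:
    """Minimal disjoint-set forest used to merge accounts that share a link."""

    def __init__(self):
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        self.parent[self.find(a)] = self.find(b)


def correlate_vendors(listings: List[Dict]) -> List[List[str]]:
    """Cluster vendor accounts across markets.

    Two accounts are linked when they publish the same PGP fingerprint (strongest
    signal), or when they carry the same user name AND an identical product/price
    listing on different markets. A shared name alone is deliberately not enough.
    """
    uf = UnionFind()
    by_fpr: Dict[str, str] = {}
    by_name_offer: Dict[tuple, str] = {}
    for l in listings:
        acc = account(l)
        uf.find(acc)  # register the account even if it never links to anything
        if l["pgp_fpr"]:
            uf.union(acc, by_fpr.setdefault(l["pgp_fpr"], acc))
        key = (l["vendor"], l["product"], l["price_usd"])
        uf.union(acc, by_name_offer.setdefault(key, acc))
    clusters: Dict[str, set] = {}
    for acc in list(uf.parent):
        clusters.setdefault(uf.find(acc), set()).add(acc)
    return sorted(sorted(c) for c in clusters.values())


EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HANDLE = re.compile(r"(?<![\w@.])@([A-Za-z0-9_]{1,15})\b")   # social media handle, not an e-mail domain
DOMAIN = re.compile(r"https?://([A-Za-z0-9.-]+)")


def cluster_pivots(listings: List[Dict], cluster: List[str]) -> Dict[str, List[str]]:
    """Clearnet identifiers (the OPSEC slips from the .onion Shops slide) across one cluster's listings."""
    text = " ".join(l["text"] for l in listings if account(l) in cluster)
    domains = [d for d in DOMAIN.findall(text) if not d.endswith(".onion")]
    return {"emails": sorted(set(EMAIL.findall(text))),
            "handles": sorted(set(HANDLE.findall(text))),
            "domains": sorted(set(domains))}


if __name__ == "__main__":
    for cluster in correlate_vendors(LISTINGS):
        print(cluster, cluster_pivots(LISTINGS, cluster))
```

Note that MarketC/pharma_king stays in its own cluster: it shares a name with the other two pharma_king accounts but no PGP key and no identical offer, so under the linking rule above it is only a lead to verify, not an established link. Keep the rule that strict when the output is going to be cited as evidence.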
• Real-world IP address (hosting the market?) exposed
  - Wiretap analysis
  - NetFlow analysis
  - Infrastructure mapping
• Hosting services (VPS, dedicated server) – subpoena – reliable? – payments
• Used software/versions
• If possible, forensic copy for first analysis
• If needed, another wiretap/NetFlow (affiliated systems)
• Connection with admin rights?
• Correlate info
• Takedown (server analysis) or takeover (e.g. Hansa Market)

Focus on the money

Further steps
- involvement of organised crime in this trade and a potential for poly-criminality of vendors need to be further explored
- monitor and understand emerging threats presented by the Darknet
- complete approach and strong cooperation together with intermediaries (exchangers and shipping companies)
- awareness raising and expertise sharing among investigators
- use and increase the intelligence in this area
- consider the involvement of our private sector partners that possess operational intelligence
- improve cooperation between our partners similarly at national level
- potential strengthening of the legislation
- create future awareness campaigns for the users
- use IPC3's internet monitoring team
- awareness campaigns
- continuously monitor the dark internet

EUROPOL IN NEWS

FUTURE?

Cyber-patrolling Week
• Second coordinated action week to counter the evolving criminality on the Darknet in a multi-disciplinary law enforcement manner by focusing on multiple crime areas.
• More than 40 investigators and experts mapped active targets in their specific crime areas and developed intelligence packages.
• Crime areas: Cyber-attacks, payment card fraud, illicit online trade including: drugs (cocaine, heroin, synthetic drugs), illicit trafficking in firearms, trafficking in human beings, virtual currencies, forged documents, money laundering and counterfeiting.

Cyber-patrolling Week
• Key operational outcome: 272 targets listed, 73 of whom were prioritised for further investigation, and 42 cross-matches identified across the different areas.
• Europol's contribution: Operational coordination, operational strategy, secure information exchange, analytical and forensic expertise.
• Participants: AT, BE, BG, CY, CZ, DE, ES, FI, FR, HR, HU, IE, IT, LV, NL, PL, PT, RO, SI, SK, SE, UK, CH, US, Eurojust and Europol.
• AP Copy representatives for the first time from customs
THANK YOU