
Case Examples on Evidence Collection, Retention, and Presentation - PowerPoint PPT Presentation



  1. Case Examples on Evidence Collection, Retention, and Presentation BOGDAN CIINARU | BANGKOK | DATE 10.09.2019

  2. Software used
     • GPG4Win (Kleopatra)
     • Tor Browser
     • Ricochet (https://ricochet.im)
     • VC

  3. ENCRYPTION
     • Converting data into ciphertext
     • (A)symmetric
     • Often used on Dark Web/DNMs
     • Encrypted messages: shipping address, info about orders
     • E.g. PGP on DNMs
     • Key server!

  4. PGP ensures encrypted communications:
     • Encrypt the message with the recipient’s public key (e.g. found on a DNM)
     • The recipient decrypts the message with the corresponding private key

  5. OSINT for PGP
     Some public key servers where you can search for a name (string), email address or hexadecimal KeyID:
     • http://pgp.mit.edu/
     • https://sks-keyservers.net/i/
     • https://pgp.key-server.io/
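The key servers listed above can be queried over HKP with `op=index&options=mr`, which returns a colon-separated, machine-readable listing (`info`, `pub` and `uid` lines, user IDs percent-encoded). The parser below is an added example, not code from the presentation or from any of the listed servers: it reads such a listing offline, decodes the user IDs, maps the RFC 4880 algorithm number to a name and flags revoked or expired keys. The sample response is constructed (the key IDs and addresses in it are made up), and `find_by_keyid` is a hypothetical helper that also shows why searching by a short 8-hex KeyID can match more than one key.

```python
"""Parse the machine-readable (options=mr) index an HKP key server returns.

Added example, not part of the original presentation. The format follows
draft-shaw-openpgp-hkp-00 section 5.2; a real query would look like
  http://<keyserver>:11371/pks/lookup?op=index&options=mr&search=<string>
"""
from datetime import datetime, timezone
from urllib.parse import unquote

# RFC 4880 public-key algorithm IDs as they appear in the 'pub' line
ALGORITHMS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
              17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

# Constructed sample response; not a real key server reply, all values made up
SAMPLE_MR = """info:1:2
pub:1A2B3C4D5E6F7A8B:1:4096:1553000000::
uid:Example Vendor %3Cvendor%40example.invalid%3E:1553000000::
pub:0011223344556677:17:1024:1230000000:1300000000:r
uid:Old Key %3Cold%40example.invalid%3E:1230000000::
"""


def _ts(field):
    """Epoch-seconds field -> aware UTC datetime; an empty field means 'none'."""
    return datetime.fromtimestamp(int(field), tz=timezone.utc) if field else None


def parse_hkp_index(text):
    """Return one dict per 'pub' line, each carrying its following 'uid' lines."""
    keys = []
    for line in text.splitlines():
        parts = line.split(":")
        if parts[0] == "pub":
            # pad so a server that omits trailing fields still parses
            keyid, algo, bits, created, expires, flags = (parts[1:7] + [""] * 6)[:6]
            keys.append({
                "keyid": keyid.upper(),
                "algorithm": ALGORITHMS.get(int(algo), f"algo {algo}") if algo else "unknown",
                "bits": int(bits) if bits else None,
                "created": _ts(created),
                "expires": _ts(expires),
                "revoked": "r" in flags,
                "disabled": "d" in flags,
                "expired": "e" in flags,
                "uids": [],
            })
        elif parts[0] == "uid" and keys:
            # the user ID string is URL-escaped, so ':' inside it arrives as %3A
            keys[-1]["uids"].append(unquote(parts[1]))
    return keys


def find_by_keyid(keys, keyid):
    """Match on a fingerprint suffix, long (16 hex) or short (8 hex) key ID.

    Short IDs are only 32 bits and collide easily, so several hits are normal;
    never treat a short-ID match as proof that two keys are the same."""
    wanted = keyid.strip().upper()
    if wanted.startswith("0X"):
        wanted = wanted[2:]
    return [k for k in keys if k["keyid"].endswith(wanted)]


def summarize(key):
    """One-line description suitable for an evidence note."""
    status = "REVOKED" if key["revoked"] else ("expired" if key["expired"] else "valid")
    created = key["created"].strftime("%Y-%m-%d") if key["created"] else "?"
    return (f'{key["keyid"]} {key["algorithm"]}-{key["bits"]} created {created} '
            f'[{status}] uids={key["uids"]}')


if __name__ == "__main__":
    for k in parse_hkp_index(SAMPLE_MR):
        print(summarize(k))
```

Treat a key server hit as a lead, not an identity: anyone can upload a key under any name, and 32-bit short IDs collide, so compare the full fingerprint with the one published on the market profile before relying on a match.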

  6. • Since mid ’90s by United States Naval Research Laboratory
     • Anonymization software
     • Protecting privacy
     • Censorship circumvention tool (bridges)
     • Protection against traffic analysis
     • Protection against eavesdropping
     • 6000+ relays worldwide
     • Number of users: +/- 5 000 000
     • Safer communication for whistleblowers and dissidents
     • Hides footprints of LE, military, gov, etc.
     • Used by criminals

  7. • Hidden service protocol (complex)
     • Websites ending in .onion
     • Only accessible with Tor
     • Server’s location is hidden
     • Server’s IP address not revealed
     • E.g. Facebook, Wall Street Market
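The .onion names quoted later in this deck are 16-character version-2 addresses, which are a truncated SHA-1 of the service's RSA key and carry no checksum, so only their shape can be checked. Version-3 addresses (56 characters) embed an ed25519 public key, a 2-byte SHA3-256 checksum and a version byte, as specified in Tor's rend-spec-v3, so they can be verified offline. The Python below is an added example, not from the presentation: `classify_onion` (a hypothetical helper name) classifies an address as v2, v3 or invalid, and `build_v3_address` derives a v3 name from a 32-byte key so the checksum logic can be exercised on a constructed key (`bytes(range(32))`, not any real service's key).

```python
"""Classify Tor onion addresses offline and verify v3 checksums.

Added example, not code from the presentation. v3 layout per rend-spec-v3:
  onion_address = base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion"
  CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
"""
import base64
import hashlib
import re

B32_ALPHABET = re.compile(r"^[a-z2-7]+$")   # RFC 4648 base32, lowercase as used in URLs
V3_VERSION = b"\x03"


def v3_checksum(pubkey, version=V3_VERSION):
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def build_v3_address(pubkey):
    """Derive a v3 .onion name from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION     # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(address):
    """Return 'v2', 'v3' or 'invalid'; v3 includes checksum and version checks."""
    host = address.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)   # drop http:// etc.
    host = host.split("/", 1)[0]                         # drop any path
    if not host.endswith(".onion"):
        return "invalid"
    # subdomains are permitted in front of the service label
    label = host[:-len(".onion")].rsplit(".", 1)[-1]
    if not B32_ALPHABET.match(label):
        return "invalid"
    if len(label) == 16:
        return "v2"            # nothing more can be verified without the RSA key
    if len(label) != 56:
        return "invalid"
    raw = base64.b32decode(label.upper())                # exactly 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION or checksum != v3_checksum(pubkey, version):
        return "invalid"
    return "v3"


if __name__ == "__main__":
    # constructed key, not a real service key
    demo = build_v3_address(bytes(range(32)))
    for a in ("http://zqktlwi4fecvo6ri.onion", demo, demo[:55] + "a.onion", "abc1.onion"):
        print(f"{a:70} {classify_onion(a)}")
```

This is useful when triaging scraped links or addresses pasted into evidence notes: a v2 name cannot be checked beyond its alphabet and length, whereas a mistyped or lookalike v3 name fails the checksum, so the check separates transcription errors from genuine addresses before anyone tries to resolve them.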

  8. TOR NETWORK
     • Visit http://torstatus.blutmagie.de/

  9. https://metrics.torproject.org/exonerator.html

  10. Others
     • OpenBazaar
     • Orbot – Orfox
     • Ricochet
     • Tails
     • Freenet
     • I2P

  11. • DeepDotWeb
       • Guides
     • DeepWebSitesLinks
     • DarkWebNews
     • Reddit “The Superlist”
     • Google (e.g. SR case)
     • Pastebin
     • Onion Investigator

  12. OSINT
     • The Hidden Wiki (http://zqktlwi4fecvo6ri.onion)
     • The Uncensored Hidden Wiki (kpvz7ki2lzvnwve7.onion/wiki/index.php/Main_Page)
     • Grams (http://grams7enufi7jmdl.onion)
     • Search engines/onion crawlers (users, products, markets etc.):
       • Ahmia (http://msydqstlz2kzerdg.onion/)
       • Torch (http://xmh57jrzrnw6insl.onion/)
       • Not Evil (http://hss3uro2hsxfogfq.onion/)
       • VisiTOR (http://visitorfi5kl7q7i.onion/search/)
       • Fresh Onions (http://zlal32teyptf4tvi.onion/)

  13. Search Engines on darknet
     • torch: xmh57jrzrnw6insl.onion
     • ahmia: msydqstlz2kzerdg.onion
     • searX: 5plvrsgydwy2sgce.onion

  14. DARKNET Markets
     Darknet market = hidden service
     • Trade of mostly illegal goods/services
     • Vendor – buyer interaction
     • Admin(s)/moderator(s)
     • Escrow/domestically
     • Exit scams, e.g. Evolution
     • Silk Road, AlphaBay, Hansa Market
     • Forums

  15. DARKNET MARKETS

  16. • TorLinks: torlinkbgs6aabns.onion
     • Deep.dot.web: deepdot35wvmeyd5.onion
     • The Hidden Wiki: zqktlwi4fecvo6ri.onion/wiki/Main_Page
     • OnionDir: dirnxxdraygbifgc.onion

  17. DARKNET Markets
     • Generally you need to register to obtain access
       • Username
       • Password
       • (PIN)
       • (PGP public key)
       • (invitation)
     • Search/filter functionality
     • User profile
     • Feedback ratings
     • Pictures

  18. • Feedback ratings

  19. .onion Forum Markets

  20. VENDORS FOR ILLICIT IP PRODUCTS?
     - profit-oriented, aiming to reach out to a large pool of customers and increase the sales volume;
     - vendors tend to advertise their products on different Darknet markets, often using the same user name and selling the products for the same price;
     - specialised in selling one category of illicit goods, e.g. (counterfeit) pharmaceutical products or luxury goods;
     - usually not selling different types of illicit goods such as firearms, narcotics, …

  21. .onion Shops

  22. IPR vendors neglect their anonymity:
     - email addresses (e.g. @yahoo.com)
     - websites registered on the clear net
     - uploading pictures on popular platforms (e.g. imageshack.com)
     - using courier companies for delivery
     - social media accounts (e.g. Twitter)
     Many migrated from AlphaBay and Hansa to the new ones

  23. • Undercover + classical LE investigations
     • Example
       • Test-purchase (undercover)
       • Figure out where the parcel was sent from
       • Go to the post office and ask for CCTV footage
       • Buy a second good
       • Check again the place it was sent from
       • Same place?
       • Another purchase and proper surveillance at the office
       • Follow the suspect etc.
       • Fingerprints or DNA on parcel

  24. Objective: Locate DNM (real-world IP address)
     • Can be very technical (help from private sector?)
     Starting info and/or IP address could be revealed through:
       • Tip-off
       • Deanonymization techniques
     • Misconfigurations/vulnerabilities/exploits
     • Unmasking sloppy admin(s) because of catastrophic mistakes
     • Intelligence gathering by scraping/crawling marketplace
     • Convert raw data into useful intelligence

  25. Focus on darknet markets (DNMs)/vendor shops
     • Real-world IP address (hosting the market?) exposed
       • Wiretap analysis
       • NetFlow analysis
       • Infrastructure mapping
     • Hosting services (VPS, dedicated server) – subpoena – reliable? – payments
     • Used software/versions
       • If possible, forensic copy for first analysis
       • If needed, another wiretap/NetFlow (affiliated systems)
       • Connection with admin rights?
     • Correlate info
       • Takedown (server analysis) or takeover (e.g. Hansa Market)

  26. Focus on the money

  27. Further steps
     - involvement of organised crime in this trade and the potential for poly-criminality of vendors need to be further explored
     - monitor and understand emerging threats presented by the Darknet
     - complete approach and strong cooperation together with intermediaries (exchangers and shipping companies)
     - awareness raising and expertise sharing among investigators

  28. - use and increase the intelligence in this area
     - consider the involvement of our private sector partners that possess operational intelligence
     - improve cooperation between our partners similarly at national level
     - potential strengthening of the legislation
     - create future awareness campaigns for the users
     - use IPC3’s internet monitoring team
     - awareness campaigns
     - continuously monitor the dark internet

  29. EUROPOL IN NEWS

  30. FUTURE?

  31. Cyber-patrolling Week
     • Second coordinated action week to counter the evolving criminality on the Darknet in a multi-disciplinary law enforcement manner by focusing on multiple crime areas.
     • More than 40 investigators and experts mapped active targets in their specific crime areas and developed intelligence packages.
     • Crime areas: cyber-attacks, payment card fraud, illicit online trade including drugs (cocaine, heroin, synthetic drugs), illicit trafficking in firearms, trafficking in human beings, virtual currencies, forged documents, money laundering and counterfeiting.

  32. Cyber-patrolling Week
     • Key operational outcome: 272 targets listed, 73 of whom were prioritised for further investigation, and 42 cross-matches identified across the different areas.
     • Europol's contribution: operational coordination, operational strategy, secure information exchange, analytical and forensic expertise.
     • Participants: AT, BE, BG, CY, CZ, DE, ES, FI, FR, HR, HU, IE, IT, LV, NL, PL, PT, RO, SI, SK, SE, UK, CH, US, Eurojust and Europol.
     • AP Copy: representatives from customs for the first time

  33. THANK YOU
