Case Examples on Evidence Collection, Retention, and Presentation - - PowerPoint PPT Presentation



SLIDE 1

Case Examples on Evidence Collection, Retention, and Presentation

BOGDAN CIINARU | BANGKOK | DATE 10.09.2019

SLIDE 2

SLIDE 3

Software used

  • GPG4Win (Kleopatra)
  • Tor Browser
  • Ricochet (https://ricochet.im)
  • VC

SLIDE 4

ENCRYPTION

  • Converting data into ciphertext
  • (A)symmetric
  • Often used on the Dark Web/DNMs
  • Encrypted messages: shipping address, info about orders
  • E.g. PGP on DNMs
  • Key server!
SLIDE 5

PGP

Ensures encrypted communications:

  • Encrypt the message with the recipient’s public key (e.g. found on a DNM)
  • The recipient decrypts the message with the corresponding private key

SLIDE 6

OSINT for PGP

Some public key servers where you can search for a name (string), email address or hexadecimal KeyID:

  • http://pgp.mit.edu/
  • https://sks-keyservers.net/i/
  • https://pgp.key-server.io/
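A key server search by name, address or KeyID can be requested in machine-readable form (HKP `options=mr`); the parser below, an added example that is not part of the slides, reads that index and separates keys the server marks revoked or expired from the rest. The sample index, key IDs and e-mail addresses are constructed placeholders.

```python
"""Parse the machine-readable (options=mr) index a PGP key server returns.

Added example, not from the slides. Servers such as pgp.mit.edu answer
/pks/lookup?op=index&options=mr&search=<string> with lines of the form
  info:<version>:<count>
  pub:<keyid>:<algo>:<keylen>:<created>:<expires>:<flags>
  uid:<percent-encoded uid>:<created>:<expires>:<flags>
The sample index, key IDs and addresses below are constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import unquote

SAMPLE_INDEX = """info:1:2
pub:0123456789ABCDEF0123456789ABCDEF01234567:1:2048:1546300800::
uid:Example Vendor <vendor%40example.test>:1546300800::
pub:FEDCBA9876543210FEDCBA9876543210FEDCBA98:1:4096:1514764800:1546300800:r
uid:Another Vendor <other%40example.test>:1514764800::
"""

@dataclass
class PubKey:
    keyid: str
    algo: str          # OpenPGP public-key algorithm id, 1 = RSA
    keylen: int
    created: Optional[datetime]
    expires: Optional[datetime]
    flags: str         # r = revoked, d = disabled, e = expired
    uids: List[str] = field(default_factory=list)

def _ts(value: str) -> Optional[datetime]:
    return datetime.fromtimestamp(int(value), tz=timezone.utc) if value else None

def parse_hkp_index(text: str) -> List[PubKey]:
    """Group each pub line with the uid lines that follow it."""
    keys: List[PubKey] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) >= 7:
            keys.append(PubKey(f[1].upper(), f[2], int(f[3]), _ts(f[4]), _ts(f[5]), f[6]))
        elif f[0] == "uid" and keys:
            keys[-1].uids.append(unquote(f[1]))
    return keys

def usable_keys(keys: List[PubKey]) -> List[PubKey]:
    """Keep only keys the server does not mark revoked, disabled or expired."""
    return [k for k in keys if not set(k.flags) & set("rde")]
```

Anyone can upload a key with any name to a public key server, so a uid string is a lead to corroborate (e.g. against the key ID a market profile actually publishes), not proof of identity.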
SLIDE 7

  • Since the mid-’90s, by the United States Naval Research Laboratory
  • Anonymization software
  • Protecting privacy
  • Censorship circumvention tool (bridges)
  • Protection against traffic analysis
  • Protection against eavesdropping
  • 6000+ relays worldwide
  • Number of users: +/- 5 000 000
  • Safer communication for whistleblowers and dissidents
  • Hides footprints of LE, military, gov, etc.
  • Used by criminals
SLIDE 8

  • Hidden service protocol (complex)
  • Websites ending in .onion
  • Only accessible with Tor
  • Server’s location is hidden
  • Server’s IP address is not revealed
  • E.g. Facebook, Wall Street Market
SLIDE 9

TOR NETWORK

  • Visit http://torstatus.blutmagie.de/
SLIDE 10

https://metrics.torproject.org/exonerator.html
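ExoneraTor answers whether an IP address was a Tor relay at a given time, which is the first question to settle before attributing a connection in logs or NetFlow to a suspect. The script below is an added example, not from the slides: it performs the same kind of check offline against the TorDNSEL exit-list format published at https://check.torproject.org/exit-addresses, using constructed records with RFC 5737 documentation addresses and placeholder fingerprints.

```python
"""Offline ExoneraTor-style check: was this IP a Tor exit around this time?

Added example, not from the slides. Reads the TorDNSEL exit-list format
(https://check.torproject.org/exit-addresses): per relay an ExitNode
fingerprint, Published and LastStatus times, and one ExitAddress line per
IP with the time that address was last seen exiting. The records below are
constructed with RFC 5737 documentation ranges and placeholder fingerprints.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

SAMPLE_EXIT_LIST = """ExitNode AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
Published 2019-09-10 08:00:00
LastStatus 2019-09-10 09:00:00
ExitAddress 192.0.2.10 2019-09-10 08:30:00
ExitNode BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222
Published 2019-09-09 22:00:00
LastStatus 2019-09-10 01:00:00
ExitAddress 198.51.100.7 2019-09-09 23:15:00
ExitAddress 198.51.100.8 2019-09-10 00:40:00
"""

Record = Tuple[str, str, datetime]  # (fingerprint, exit IP, last seen UTC)

def _ts(date: str, time: str) -> datetime:
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_exit_list(text: str) -> List[Record]:
    records, fingerprint = [], None
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif parts and parts[0] == "ExitAddress" and fingerprint:
            records.append((fingerprint, parts[1], _ts(parts[2], parts[3])))
    return records

def was_tor_exit(records: List[Record], ip: str, when: datetime,
                 window: timedelta = timedelta(hours=24)) -> List[str]:
    """Fingerprints of relays that reported `ip` as an exit address within
    `window` of `when`. An empty result means "not in this list", not proof
    the address was never a Tor exit (a sample list is not the full archive)."""
    return sorted({fp for fp, exit_ip, seen in records
                   if exit_ip == ip and abs(seen - when) <= window})

def check_ip(records: List[Record], ip: str, when_utc: str) -> List[str]:
    """Same check with `when_utc` given as 'YYYY-MM-DD HH:MM:SS'."""
    return was_tor_exit(records, ip, _ts(*when_utc.split()))
```

For evidence purposes, record which list (and its publication time) the match came from; the exit list only proves an address was announced as an exit, not which client used it.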

SLIDE 11

Others

  • OpenBazaar
  • Orbot – Orfox
  • Ricochet
  • Tails
  • Freenet
  • I2P

SLIDE 12
  • DeepDotWeb
  • Guides
  • DeepWebSitesLinks
  • DarkWebNews
  • Reddit “The Superlist”
  • Google (e.g. SR case)
  • Pastebin
  • Onion Investigator
SLIDE 13

SLIDE 14

OSINT

  • The Hidden Wiki (http://zqktlwi4fecvo6ri.onion)
  • The Uncensored Hidden Wiki (kpvz7ki2lzvnwve7.onion/wiki/index.php/Main_Page)
  • Grams (http://grams7enufi7jmdl.onion)
  • Search engines/onion crawlers (users, products, markets etc.):
  • Ahmia (http://msydqstlz2kzerdg.onion/)
  • Torch (http://xmh57jrzrnw6insl.onion/)
  • Not Evil (http://hss3uro2hsxfogfq.onion/)
  • VisiTOR (http://visitorfi5kl7q7i.onion/search/)
  • Fresh Onions (http://zlal32teyptf4tvi.onion/)

SLIDE 15

Search Engines on darknet

  • torch: xmh57jrzrnw6insl.onion
  • ahmia: msydqstlz2kzerdg.onion
  • searX: 5plvrsgydwy2sgce.onion

SLIDE 16

DARKNET Markets

Darknet market = hidden service

  • Trade of mostly illegal goods/services
  • Vendor – buyer interaction
  • Admin(s)/moderator(s)
  • Escrow/domestically
  • Exit scams, e.g. Evolution
  • Silk Road, AlphaBay, Hansa Market
  • Forums

SLIDE 17

DARKNET MARKETS

SLIDE 18

  • TorLinks: torlinkbgs6aabns.onion
  • Deep.dot.web: deepdot35wvmeyd5.onion
  • The Hidden Wiki: zqktlwi4fecvo6ri.onion/wiki/Main_Page
  • OnionDir: dirnxxdraygbifgc.onion

SLIDE 19

SLIDE 20

DARKNET Markets

  • Generally you need to register to obtain access
  • Username
  • Password
  • (PIN)
  • (PGP public key)
  • (invitation)
  • Search/filter functionality
  • User profile
  • Feedback ratings
  • Pictures

SLIDE 21

  • Feedback ratings

SLIDE 22

.onion Forum Markets

SLIDE 23

VENDORS FOR ILLICIT IP PRODUCTS?

  • profit-oriented, aiming to reach out to a large pool of customers and increase the sales volume;
  • vendors tend to advertise their products on different Darknet markets, often using the same user name and selling the products for the same price
  • specialised in selling one category of illicit goods, e.g. (counterfeit) pharmaceutical products or luxury goods
  • usually not selling different types of illicit goods such as firearms, narcotics, ….
SLIDE 24

.onion Shops

SLIDE 25

Many migrated from AlphaBay and Hansa to the new markets. IPR vendors neglect their anonymity:

  • email addresses (e.g. @yahoo.com)
  • websites registered on the clear net
  • uploading pictures on popular platforms (e.g. imageshack.com)
  • using courier companies for delivery
  • social media accounts (e.g. Twitter)
SLIDE 26

  • Undercover + classical LE investigations
  • Example
  • Test purchase (undercover)
  • Figure out where the parcel was sent from
  • Go to the post office and ask for CCTV footage
  • Buy a second good
  • Check again the place it was sent from
  • Same place?
  • Another purchase and proper surveillance at the office
  • Follow the suspect etc.
  • Fingerprints or DNA on the parcel
SLIDE 27

Objective: Locate DNM (real-world IP address)

  • Can be very technical (help from private sector?)

Starting info and/or IP address could be revealed through:

  • Tip-off
  • Deanonymization techniques
  • Misconfigurations/vulnerabilities/exploits
  • Unmasking sloppy admin(s) because of catastrophic mistakes
  • Intelligence gathering by scraping/crawling the marketplace
  • Converting raw data into useful intelligence

SLIDE 28

Focus on darknet markets (DNMs)/vendor shops

  • Real-world IP address (hosting the market?) exposed
  • Wiretap analysis
  • NetFlow analysis
  • Infrastructure mapping
  • Hosting services (VPS, dedicated server) – subpoena – reliable?
  • Payments
  • Used software/versions
  • If possible, forensic copy for first analysis
  • If needed, another wiretap/NetFlow (affiliated systems)
  • Connection with admin rights?
  • Correlate info
  • Takedown (server analysis) or takeover (e.g. Hansa Market)
SLIDE 29

Focus on the money

SLIDE 30

Further steps

  • involvement of organised crime in this trade and a potential for poly-criminality of vendors need to be further explored
  • monitor and understand emerging threats presented by the Darknet
  • complete approach and strong cooperation together with intermediaries (exchangers and shipping companies)
  • awareness raising and expertise sharing among investigators
SLIDE 31

  • use and increase the intelligence in this area
  • consider the involvement of our private sector partners that possess operational intelligence
  • improve cooperation between our partners similarly at national level
  • potentially strengthening the legislation
  • create future awareness campaigns for the users
  • use IPC3’s internet monitoring team
  • awareness campaigns
  • continuously monitor the dark internet
SLIDE 32

EUROPOL IN NEWS

SLIDE 33

FUTURE?

SLIDE 34

Cyber-patrolling Week

  • Second coordinated action week to counter the evolving criminality on the Darknet in a multi-disciplinary law enforcement manner by focusing on multiple crime areas.
  • More than 40 investigators and experts mapped active targets in their specific crime areas and developed intelligence packages.
  • Crime areas: Cyber-attacks, payment card fraud, illicit online trade including: drugs (cocaine, heroin, synthetic drugs), illicit trafficking in firearms, trafficking in human beings, virtual currencies, forged documents, money laundering and counterfeiting.

SLIDE 35

Cyber-patrolling Week

  • Key operational outcome: 272 targets listed, 73 of whom were prioritised for further investigation, and 42 cross-matches identified across the different areas.
  • Europol's contribution: Operational coordination, operational strategy, secure information exchange, analytical and forensic expertise.
  • Participants: AT, BE, BG, CY, CZ, DE, ES, FI, FR, HR, HU, IE, IT, LV, NL, PL, PT, RO, SI, SK, SE, UK, CH, US, Eurojust and Europol.
  • AP Copy representatives for the first time from customs

SLIDE 36

SLIDE 37

THANK YOU