The dark web has been associated with all manner of criminal and terrorist activity. Given the strong anonymity it offers, it is no surprise that cybercriminals choose it as a base of operation and communication. The dark web has seen the sale of drugs, weapons, hitmen for hire, hackers for hire, malware and stolen data, as well as terrorist communication. A widespread belief has been that the illegal activities taking place on the dark web cannot be traced by law enforcement agencies. The dark web has no oversight authority to prevent crime from taking place or to stop the purchase of illegal items. The existence of this part of the internet still presents a threat to organizations that fear their sensitive information could be stolen and listed for sale on dark web markets.
However, it is not accurate to say that the dark web is completely out of reach of the law, and it is equally inaccurate to say that it is 100% anonymous. Recent events such as the shutdown of many illegal dark web marketplaces show that the law still catches up with perpetrators of crime on the dark net. A good example is Ross Ulbricht, convicted in 2015 as the founder and operator of the original Silk Road marketplace and sentenced to life imprisonment for his activities on the dark web. This is a testament that there is no such thing as complete anonymity or an absolute lack of accountability in this part of the internet. This chapter will focus on the forensic investigation aspects of the dark web and on the methods designed to defeat them. It will do so in the following topics:
Forensic introduction
Crypto market and Cryptocurrencies in the dark web
Forensic investigation scope and models
Forensic toolkits (FTKs)
Anti-forensic techniques
With all the illegal activities that take place on the dark web, it may seem that it is unwatched by legal agencies. While this is partially true, law enforcement agencies have increasingly been successful in carrying out investigations and apprehending the chief suspects behind the illegal goods and services offered on the dark web. By mid-2015, 312 people had been arrested by legal agencies for participating in illegal activities on dark net markets. These activities included the sale of drugs, weapons, child pornography and malware, among others. The following is a breakdown of these arrests by individual market (Table 9.1).
Table 9.1 Users Arrested on the Dark Web
Of those arrested, 162 were buyers and 116 were sellers; a further ten were black market staff and four were market owners. The arrest of buyers shows that law enforcement agencies were not just targeting the people listing illegal items on the dark web but also those buying them. In Australia, four buyers were arrested while trying to obtain weapons from dark net marketplaces through a seller based in the United States. In Denmark, officers reported arresting two notorious dark web drug sellers, believed to be the vendors who had listed drugs on Silk Road 1 and 2, Agora and Evolution. The European Union reported the arrest of about ten weapon buyers in the region. In Uganda, an American was arrested for counterfeiting and selling fake currency. He had relocated to the African country, where an undercover sting operation led to his arrest and deportation to face charges in the United States.
In the United States, there were higher-profile arrests of leading sellers. One seller famed for selling weapons was known as weaponsguy, and in mid-2014 many of his customers began complaining that their packages were not arriving. It was later alleged that US law enforcement agencies had arrested him and taken over his account to investigate and arrest other sellers and buyers. Most of the subsequent weapon-related arrests were made after the agencies set up traps using his account. In May 2015, a college student was arrested for buying drugs on the dark web and reselling them. His arrest came after banks reported suspicious activity in his accounts, where he was using most of his deposits to purchase cryptocurrency.
There have been more arrests than can be covered here. They show that it has been possible to bring to justice crooks hiding behind the anonymity of dark nets, and that forensics works on the dark web well enough to support arrests and charges in court. Dark web forensics involves more complex operations than ordinary forensics in order to gather evidence or track crooks. Most dark nets were designed so that it would be hard to tell who the users on the network are and which sites they are visiting. The advent of cryptocurrency also made it harder to track criminals through money trails. Therefore, investigators normally have to commit more resources if they are to catch or track the criminals hiding in the dark web.
The difficulty in carrying out forensics on the dark web is twofold: finding the users and tracking their activities on dark nets. Even if it is not 100% so, the dark web remains largely anonymous, and this anonymity barrier has to be taken down one way or another to get to the targets. With this cloak on, the location and internet activity of any seller, buyer, terrorist or black market owner remain hidden. Without the location of a target, legal agencies struggle with their investigations, since they first need to establish jurisdiction, which is hardly possible without a physical location. Therefore, even if law enforcement agencies know the pseudonyms of targets on dark net markets and know the crimes they commit, it is still a challenge to act on them if they do not know where they are.
Over time, agencies such as the NSA and the Federal Bureau of Investigation (FBI) have found vulnerabilities deep within the architecture of the dark web that help them obtain the information about dark net users needed for forensic investigations. Although this has caused an uproar in the dark web user community, it can only be explained as a necessary evil to ensure that the law takes its course even when culprits try to hide from it. Several vulnerabilities in the browsers used to access dark nets have been exploited by the FBI and NSA to collect evidence and arrest suspected criminals. Agencies have also devised ways to analyze and correlate traffic entering and leaving dark networks at entry and exit nodes: if the timing and volume of the packets seen entering at an entry node match those of a flow leaving an exit node, the two can be tied to the same user even though the content and the hops in between are hidden. Rogue entry and exit nodes have also been set up by security agencies on dark nets to collect data about the traffic getting in and out. Therefore, it is possible today for law enforcement agencies to find the locations of criminals on the dark net using these and other techniques. It is no longer safe to assume that because one is on the dark web, everything one does will remain anonymous and beyond the reach of the law.
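The timing-correlation idea in the paragraph above, as an added example that is not part of the original chapter: three client flows are constructed and observed at an entry (guard) node, the same flows reappear at an exit node under different circuit identifiers after latency and jitter, and the script matches them purely by comparing packets-per-bin profiles. The flow data, node labels, latencies and circuit identifiers are all constructed assumptions; no real Tor data is involved.

```python
"""Timing correlation of flows seen at an entry node and at an exit node.
Added example: all timestamps below are constructed, the circuit identifiers
are hypothetical, and the node logs are assumed to record only timestamps."""
import math
import random

BIN_SECONDS = 0.5  # width of the time bins used to build a packet-count series


def make_flow(rng, start, n_packets, burstiness):
    """Construct one client's packet timestamps: bursts of closely spaced
    packets separated by longer pauses, the pattern interactive traffic shows."""
    t, times = start, []
    for _ in range(n_packets):
        if rng.random() < burstiness:
            gap = rng.expovariate(20.0)      # inside a burst: mean 50 ms
        else:
            gap = rng.expovariate(1 / 1.5)   # pause between bursts: mean 1.5 s
        t += gap
        times.append(t)
    return times


def shift_and_jitter(rng, times, latency, jitter):
    """The same flow as the exit sees it: delayed by path latency plus noise."""
    return [t + latency + rng.gauss(0, jitter) for t in times]


def bin_counts(times, t0, t1):
    """Turn timestamps into a packets-per-bin series over [t0, t1)."""
    n_bins = int(math.ceil((t1 - t0) / BIN_SECONDS))
    counts = [0] * n_bins
    for t in times:
        i = int((t - t0) // BIN_SECONDS)
        if 0 <= i < n_bins:
            counts[i] += 1
    return counts


def pearson(a, b):
    """Pearson correlation of two equal-length series (0 if either is flat)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = math.sqrt(sum((x - ma) ** 2 for x in a))
    vb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (va * vb) if va and vb else 0.0


def best_shift_correlation(entry_counts, exit_counts, max_shift_bins):
    """Slide the exit series against the entry series to absorb the unknown
    path latency; return the highest correlation over lags 0..max_shift_bins."""
    best = -1.0
    for lag in range(max_shift_bins + 1):
        a = entry_counts[: len(entry_counts) - lag]
        b = exit_counts[lag:]
        best = max(best, pearson(a, b))
    return best


def match_flows(entry_flows, exit_flows, t0, t1, max_latency=2.0):
    """For each flow logged at the guard, pick the exit circuit whose timing
    profile correlates best. Returns {entry_id: (exit_id, score)}."""
    max_shift = int(max_latency / BIN_SECONDS)
    entry_series = {k: bin_counts(v, t0, t1) for k, v in entry_flows.items()}
    exit_series = {k: bin_counts(v, t0, t1) for k, v in exit_flows.items()}
    matches = {}
    for eid, es in entry_series.items():
        scored = [(best_shift_correlation(es, xs, max_shift), xid)
                  for xid, xs in exit_series.items()]
        score, xid = max(scored)
        matches[eid] = (xid, score)
    return matches


def build_demo(seed=7):
    """Constructed scenario: three clients through one guard; the same three
    flows re-observed at an exit under unrelated circuit IDs, shuffled."""
    rng = random.Random(seed)
    entry = {
        "client_A": make_flow(rng, 0.0, 400, 0.85),
        "client_B": make_flow(rng, 3.0, 400, 0.75),
        "client_C": make_flow(rng, 1.5, 400, 0.95),
    }
    exit_ = {
        "circuit_17": shift_and_jitter(rng, entry["client_C"], 0.9, 0.05),
        "circuit_42": shift_and_jitter(rng, entry["client_A"], 1.1, 0.05),
        "circuit_88": shift_and_jitter(rng, entry["client_B"], 0.7, 0.05),
    }
    return entry, exit_


if __name__ == "__main__":
    entry, exit_ = build_demo()
    for cid, (circ, score) in match_flows(entry, exit_, 0.0, 200.0).items():
        print(f"{cid} -> {circ} (r={score:.2f})")
```

Neither node needs to decrypt anything for this to work; each only logs packet timestamps per circuit, which is why a rogue entry and exit pair under the same control is enough. Tor's design explicitly does not defend against an adversary who can watch both ends of a circuit, and padding and traffic-shaping proposals aim to flatten exactly the burst pattern this script relies on.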
Even when law enforcement agencies lack the techniques to uncover the identities of crooks on the dark net, they can still hire digital forensic professionals to help them. They have the resources to do so, and there are professionals willing to expose dark net criminals to real-world security agencies and get paid for it. There are also individuals and groups that hack into dark net websites they presume to be engaged in illegal activity. For instance, in 2017 all the websites hosted by Freedom Hosting II were hacked by a vigilante because the hosting service allowed sites distributing child pornography to run there. Therefore, it is easy to find willing hands to do digital forensics to capture criminals or collect evidence about them on the dark net.
A basic principle of law enforcement has been to follow the money, because it leads to the criminal. This was particularly effective when the main way for money to change hands was through banks. Since banks are regulated and controlled, law enforcement agencies could simply come with court orders requesting details about the accounts that received money along a money trail. The task was therefore to find out who was paid, and this would bring up many more details about a crime (Figure 9.1).
However, in 2009 the digital currency Bitcoin was launched, and it made significant changes to crime. It was a cryptocurrency that promised anonymity to the transacting parties: addresses are not tied to real-world names, so it was believed that once money was converted to Bitcoin, no one could tell who was paying whom. In reality, every Bitcoin transaction is permanently recorded on a public ledger, so Bitcoin is pseudonymous rather than anonymous, but the trail from an address back to a person is much harder to follow than a bank record. Money could thus vanish from paper trails and make its way back to the criminals. It came as such a relief that it was adopted as the cryptocurrency of choice on the dark web, and this is when websites offering illegal services and products and accepting payment via Bitcoin only proliferated. Today much has not changed, as the dark web still relies on cryptocurrencies for payment. There have been global-scale demonstrations of the practicality of using cryptocurrency in an attack. In 2017, the WannaCry ransomware caused devastation across the globe by encrypting victim computers and demanding a ransom, payable to a Bitcoin address. Other ransomware families have likewise encrypted computers and demanded payment via Bitcoin or other cryptocurrencies.
Figure 9.1 Bitcoin logo.
On the dark web, cryptocurrencies are the only accepted payment option in many illegal black markets. For instance, to buy fake IDs and passports, the buyer has to pay the seller a certain amount in Bitcoin. Many other transactions take place in the same manner. No one wants to transact using cash in these markets and run the risk of being identified by law enforcement agencies (Figure 9.2).
There are many reasons that make cryptocurrencies the ideal medium of value exchange on the dark web. The first is anonymity, or more precisely pseudonymity. Cryptocurrencies run on blockchain technology, which uses an open ledger to record transactions between user wallets. The ledger is not centrally stored, so the FBI cannot raid a server and seize account records to incriminate users who have sent or received cryptocurrency; what the ledger holds is addresses and amounts, not the names of the transacting parties. Money simply gets deducted from or added to one's cryptocurrency wallet without any identifying details being recorded. Second, cryptocurrency transfers cannot be reversed. This gives a seller added protection that a rogue buyer will not get a transaction reversed, as could happen with a transfer of actual money through services such as PayPal.
The third reason cryptocurrencies are commonly used in dark net transactions is that they can easily be laundered; this will be covered in a later section. The fourth reason is that cryptocurrency transactions are not charged the same fees as bank transactions. The charges, if any, are minimal, which attracts customers. The last reason sellers prefer cryptocurrencies over fiat currencies is that these currencies change in value. Cryptocurrencies rose in value through 2017 to the point where ordinary people started treating them as investments, converting fiat to cryptocurrency in anticipation of further price rises. In January 2018, however, the value of most cryptocurrencies started dropping. Bitcoin, the preferred cryptocurrency on the dark web, fell from about $20,000 to $9,000 and continued to depreciate. Even so, the prospect of being paid in an investment-like currency is definitely appealing, especially for those doing dirty business.
Figure 9.2 Fake IDs and licenses on the dark web.
Money laundering is one of the effective ways of concealing the traces of illegally acquired money. Traditionally, it involved transferring money to foreign banks or businesses and then withdrawing it again, so that it no longer appeared to be the proceeds of crime. A common venue for money laundering has been Swiss banks, which came to be known for their utmost secrecy and protection of foreign accounts and have therefore served as tax havens and money-laundering points over time. Earlier legislation made it illegal for the banks to disclose information about their clients. There has been international pressure to get these banks to be more open and to share information about clients implicated in scandals or under investigation, but Swiss regulators long maintained the stance that foreign clients are to be afforded the highest level of confidentiality, so very few questions were asked when foreign clients deposited huge sums into Swiss accounts. This is not a new trend; tax evasion through Swiss banks goes back to the 1900s. During the world wars, when European countries raised taxes to fund the war effort, wealthy individuals moved their funds to Swiss bank accounts to avoid these taxes altogether. In recent years, however, Swiss banking authorities have introduced hurdles that make money laundering significantly harder (Figure 9.3).
This void has been filled by an alternative that is now accessible to everyone: cryptocurrency money-laundering services offered on the dark web. These services serve the interests of criminals, terrorists, and corrupt politicians and businesspeople. This section covers several types of money-laundering activity.
The first laundering service is offered to cybercriminals collecting the proceeds of their crime. For instance, the operators of the WannaCry ransomware received payments from victims who had paid the $300 or $600 ransom to recover their files. Out of caution, such attackers will not rush to withdraw the amounts paid to them in Bitcoin directly. Even though Bitcoin transactions are said to be anonymous, they are not; they are only difficult to trace, because every payment sits on the public ledger waiting to be linked to a person. With all the attention these attackers drew from law enforcement agencies in the roughly 150 countries affected, there was a real risk of being traced, so they definitely needed to mask their trail further. There are dark net websites that offer money laundering as a service to cybercriminals. They are part of the underground economy that has made hackers more successful in their heists. Laundering as a service is the final service in that economy, where the dirty money obtained from crime is sanitized and made usable without risk of arrest.
Figure 9.3 A traditional money-laundering scheme.
Laundering as a service can be offered by cashers. These are individuals who exchange cryptocurrency for fiat currency on behalf of its holders. They are believed to have access to large sums in cash, which they send back to the holder of the “dirty” cryptocurrency. Apart from cash, they can also provide luxury cars and expensive items that can be resold to recover the money. Cashers have secret avenues for obtaining large amounts of clean money. For instance, they may have contacts working in actual banks who can set up fake accounts for depositing and withdrawing cash, or they can use fake identification documents to open such accounts themselves. When they accept dirty cryptocurrency, they can therefore go to any site that converts cryptocurrency to fiat and have the converted amount sent to the fake bank account. If a trail is followed successfully from the cryptocurrency to its end, only the fake account turns up and everything else is masked.
The second laundering type is one the launderer oversees personally. It is riskier, since the launderer stays closer to the money trail. Here, a myriad of cryptocurrency converters are used, and the resulting cryptocurrency is spent anonymously in dark web stores. The items bought are either resold on the cryptocurrency market using another account and wallet, or delivered and resold in the real world. For instance, if one received dirty money in cryptocurrency wallet X, one could spend it on goods on the dark net or in the real world wherever Bitcoin is accepted, then resell the items and have the proceeds deposited into a cryptocurrency wallet Y that is not registered with the same details as X. The path for tracing the dirty money thus becomes long and cumbersome. It is important to note that the on-chain records of these transactions are permanent and public; what is hard for an investigator is linking the purchase, the resale and wallet Y together off-chain. Some people therefore opt to convert their cryptocurrency to fiat in small portions and feel safe that they cannot be traced. Those who launder money professionally are very good at what they do and can hardly be found out unless they make mistakes.
There are a few other avenues that can be exploited by people seeking to get dirty money cleansed. However, since they could equally be used by innocent cryptocurrency holders, we will not directly classify them as types of laundering. They include the following.
The first is privately owned Bitcoin ATMs, which are preferred by holders of Bitcoin who wish to remain anonymous. These machines work like normal ATMs, except that they exchange Bitcoin for cash without asking for the details of the person converting. Their objective is to ensure that very little is known about the customer, so Know Your Customer (KYC) rules are generally not followed. The only catch is that these ATMs charge a lot more than other Bitcoin exchangers, with fees averaging about 15% of the value exchanged.
One way Bitcoin transactions can be tracked is by analyzing the transactions on the public ledger. If wallet X sent $5,000 worth of Bitcoin to an intermediary and wallet Y received $5,000 worth of Bitcoin from that intermediary within a short time window, it can be inferred that the owners of these wallets were transacting, and further investigation can reveal who they are. Bitcoin mixers (also called tumblers) exist to close this gap. They obfuscate transactions so that it is nearly impossible for an observer to tell who the transacting parties were: the $5,000 deposited from wallet X is not forwarded as a whole, but split into many pieces, pooled with other users' coins, held for varying delays and sometimes passed through other currencies before the amounts are slowly transferred to the account(s) of the receiver. There is then no single matching debit and credit to link sender and receiver. Bitcoin mixers are however costly, as they can take up to 15% of the value being mixed.
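The ledger heuristics behind the paragraph above, and the point made earlier that on-chain records are permanent, as an added example that is not part of the original chapter: a common-input-ownership pass groups addresses into wallets, an amount/time match links a deposit into a custodial service with a near-identical withdrawal shortly after, and an aggregate variant partially survives a mixer's split-and-delay. All addresses, amounts and timestamps are constructed, and the S_ addresses are assumed to have been labelled as the service's already.

```python
"""Address clustering and amount/time matching over a small constructed ledger.
Added example; addresses, amounts and times are made up for illustration."""
from collections import defaultdict


class UnionFind:
    """Minimal disjoint-set structure used for address clustering."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(ledger):
    """Common-input-ownership heuristic: all inputs of one transaction are spent
    by the same key holder, so they are merged into one cluster. Output-only
    addresses get a cluster of their own until they are later spent."""
    uf = UnionFind()
    for _txid, _time, inputs, outputs in ledger:
        for addr in inputs:
            uf.union(inputs[0], addr)
        for addr, _amount in outputs:
            uf.find(addr)
    return {addr: uf.find(addr) for addr in list(uf.parent)}


def payments(ledger, cluster_of):
    """Reduce transactions to cross-cluster transfers; outputs paid back to the
    spending cluster are change and are dropped."""
    result = []
    for txid, t, inputs, outputs in ledger:
        src = cluster_of[inputs[0]]
        for addr, amount in outputs:
            if cluster_of[addr] != src:
                result.append({"txid": txid, "time": t, "src": src,
                               "dst": cluster_of[addr], "amount": amount})
    return result


def split_by_service(pays, service_clusters):
    deposits = [p for p in pays if p["dst"] in service_clusters and p["src"] not in service_clusters]
    withdrawals = [p for p in pays if p["src"] in service_clusters and p["dst"] not in service_clusters]
    return deposits, withdrawals


def link_exact(deposits, withdrawals, window, tolerance):
    """A deposit followed within `window` seconds by a withdrawal of almost the
    same amount (within `tolerance`, allowing for fees) links payer to payee."""
    links = []
    for d in deposits:
        for w in withdrawals:
            dt = w["time"] - d["time"]
            if 0 <= dt <= window and abs(w["amount"] - d["amount"]) <= tolerance * d["amount"]:
                links.append((d["src"], w["dst"], d["amount"], w["amount"]))
    return links


def link_aggregate(deposits, withdrawals, window, max_fee):
    """Counter to split-and-delay: total everything the service pays each
    recipient inside the window and accept a total equal to the deposit minus
    at most `max_fee`. Wider windows raise recall but also false positives."""
    links = []
    for d in deposits:
        totals = defaultdict(float)
        for w in withdrawals:
            if 0 <= w["time"] - d["time"] <= window:
                totals[w["dst"]] += w["amount"]
        for dst, total in totals.items():
            if d["amount"] * (1 - max_fee) <= total <= d["amount"]:
                links.append((d["src"], dst, d["amount"], round(total, 8)))
    return links


def analyse(ledger, service_addresses, window=600, tolerance=0.01,
            aggregate=False, max_fee=0.05):
    cluster_of = cluster_addresses(ledger)
    service_clusters = {cluster_of[a] for a in service_addresses if a in cluster_of}
    deposits, withdrawals = split_by_service(payments(ledger, cluster_of), service_clusters)
    if aggregate:
        return link_aggregate(deposits, withdrawals, window, max_fee)
    return link_exact(deposits, withdrawals, window, tolerance)


# Constructed ledgers: (txid, unix_time, input_addresses, [(output_address, btc)]).
SERVICE_ADDRESSES = {"S_dep1", "S_dep2", "S_hot1", "S_hot2", "S_hot3", "S_hot4", "S_hot5", "S_hot6"}

DIRECT = [  # X pays through the service to Y; Q is an unrelated customer
    ("t1", 1000, ["X1", "X2"], [("S_dep1", 1.250), ("X3", 0.048)]),
    ("t2", 1060, ["Q7"], [("S_dep2", 0.300)]),
    ("t3", 1150, ["S_hot1"], [("Y1", 1.249)]),
    ("t4", 1200, ["S_hot2"], [("Q9", 0.299)]),
    ("t5", 1400, ["X3", "X1"], [("W4", 0.030)]),  # spending X3 with X1 exposes X3 as X's change
]

MIXED = [  # same transfer, but the service behaves like a mixer toward Y
    ("m1", 1000, ["X1", "X2"], [("S_dep1", 1.250), ("X3", 0.048)]),
    ("m2", 1060, ["Q7"], [("S_dep2", 0.300)]),
    ("m3", 1200, ["S_hot2"], [("Q9", 0.299)]),
    ("m4", 1300, ["S_hot1"], [("Z9", 0.410), ("S_hot3", 0.590)]),
    ("m5", 2900, ["S_hot4"], [("Y1", 0.377)]),
    ("m6", 5200, ["S_hot5"], [("Y1", 0.443), ("Z2", 0.150)]),
    ("m7", 8100, ["S_hot6"], [("Y1", 0.405)]),
]

if __name__ == "__main__":
    print("direct, exact match:   ", analyse(DIRECT, SERVICE_ADDRESSES))
    print("mixed, exact match:    ", analyse(MIXED, SERVICE_ADDRESSES))
    print("mixed, aggregate match:", analyse(MIXED, SERVICE_ADDRESSES, window=10_000, aggregate=True))
```

On the direct ledger the exact match ties X to Y; on the mixed ledger it finds only the unrelated customer, and only the aggregate pass over a much longer window recovers the X to Y link, at the price of a heuristic that would also fire on any recipient whose payouts happen to sum to the deposit. Real chain-analysis tooling layers many more such heuristics and manually curated address labels on top of this skeleton.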
With the increased public adoption of cryptocurrency, some business organizations now accept Bitcoin as a form of payment. It was anticipated that Amazon.com would soon adopt Bitcoin, but those hopes faded for lack of any confirmation from the giant e-commerce store; they were purely speculative, driven by the expectation that such an adoption would cause a big rise in the value of Bitcoin. Other organizations have shown no intention of accepting cryptocurrency at all. There is, however, an online service called purse.io that lets people exchange their Bitcoin for actual goods. It accepts Bitcoin on behalf of stores like Amazon and completes the purchase for anyone who wants to pay in Bitcoin. For instance, if a buyer wants a $2,000 TV from Amazon but wants to pay in Bitcoin, it is impossible to purchase directly from Amazon. Purse.io will accept the Bitcoin, holding it until the purchase is complete, and have the Amazon order placed and paid in ordinary money on the buyer's behalf. Once the purchase is complete, the items are shipped to or collected by the buyer. At that point the buyer's Bitcoin has still not left escrow. Purse.io is, at bottom, in the business of selling Bitcoin: it collects the addresses of people who want to acquire Bitcoin and gives the Amazon shopper those addresses to send the cryptocurrency to.
Therefore, once the customer who wanted merchandise from Amazon receives the product, purse.io ensures that the Bitcoin is sent to a willing buyer. The willing buyer pays a certain fee for receiving the Bitcoin without identifying themselves to, or visiting, a Bitcoin exchange platform. This is an efficient business model that enables holders of Bitcoin to make purchases without converting their Bitcoin to fiat. However, it can also be used by a money launderer, who could make a list of desired items, give the list to purse.io and commit to payment. When the items are delivered and the Bitcoin has gone to the buyers of cryptocurrency, the laundering process is almost done; all that remains is to resell the items bought on Amazon through other avenues such as eBay.
After the arrest of Ross Ulbricht, the founder of Silk Road, there were concerns about the anonymity of Bitcoin transactions and of distributed ledger technology in general. Money launderers therefore searched for other cryptocurrencies that could offer more anonymity. There has been an uptake of Monero on the dark web, mainly because the currency has privacy built into the protocol: ring signatures hide which input is really being spent, stealth addresses hide the recipient, and confidential transactions hide the amount, so the effect of a mixer is obtained without trusting a third party. Any transaction made using Monero is therefore more anonymous than one made using Bitcoin, and many marketplaces have been accepting Monero alongside Bitcoin. Due to this uptake, other privacy-focused cryptocurrencies have been and are still being created, among them DASH, with its PrivateSend mixing feature, and other CryptoNote-based coins, which make it hard for an observer to construct any sensible money trail. These present a big challenge to forensic investigators, especially when used for criminal purposes.
In 2016, young men in their early twenties were apprehended for money laundering. Investigators found that they had laundered up to $22 worth of Bitcoin that had been the proceeds of drug deals on dark net websites, so they were likely the cashers trusted by dark net sellers to sanitize dirty money. At their arrest, law enforcement agencies seized high-end cars and large amounts of cash used in the laundering business. The more interesting point is that they were discovered because of a mistake: they used to make huge deposits from online sources into their own bank accounts and then withdraw the money very quickly. They were not found through a cash trail but because they were careless with their deposits and withdrawals. Had they, for instance, opened bank accounts using fake identification documents, police would still have been called to the suspicious accounts, but it would have ended there, since the accounts would have turned out to be registered to nonexistent people. Because of their careless mistakes, however, they were put behind bars at such young ages (Figure 9.4).
Figure 9.4 A news article on the arrest of young men over Bitcoin-laundering scheme. (https://zdnet.com/article/arrests-made-over-bitcoin-laundering-scheme-dark-web-drug-deals/.)
A Russian investigated for large-scale Bitcoin laundering was arrested and faces charges that carry up to 55 years in prison if he is convicted. He was found to be behind a Bitcoin-laundering scheme that had laundered $4 billion for people engaged in computer hacking and drug sales, mostly on the dark net. The man was arrested in Greece at a beach hotel from which he ran his services. Since 2011, the Russian, Alexander Vinnik, had operated a site called BTC-e, which grew into a large Bitcoin trading platform. Behind the scenes, however, BTC-e was laundering money for dark web clients. From one perspective it was an ideal business, since the exchange was a center stage for digital and fiat currencies changing hands, leaving an open avenue for its owner to launder the currencies that customers had already placed with him. It is said that most of the site's revenue came not from cryptocurrency exchange but from money laundering.
The laundering process was found to be a two-step process designed to stop authorities from directly associating BTC-e with money laundering, by making BTC-e appear to be a victim instead of the perpetrator. The first step was obtaining the funds to be laundered from the dark web: from drug dealers, sellers of child pornography and thieves of users' cryptocurrency. Among the latter were coins stolen from Mt. Gox, another exchange platform, which had been hacked; the US indictment alleged that the stolen Mt. Gox funds were moved through accounts that Vinnik controlled. In the second step, those funds were passed into BTC-e, where they were cleansed as BTC-e exchanged cryptocurrency for cash for its customers.
Forensic investigators collected evidence against Vinnik before tracking him down and arresting him, with the assistance of the Greek authorities, in July 2017. He faces charges of money laundering and illegal money transactions. Prosecutors told the court that his platform was one of the most popular among cybercriminals for money-laundering services, and that the site had a chat platform where users openly discussed profitable criminal activities and customer service offered advice on how to launder the money. This is a relevant court case which shows the ability of forensic investigators to see through pseudonymous websites and accounts and bring the real culprits to justice. Despite the general claim that cryptocurrencies are anonymous, such cases show that a dedicated forensics team can get past the anonymity and expose criminals.
The most important aspect of forensics is the collection of evidence. This evidence can lead to the successful prosecution of a cybercriminal, child pornography peddler, terrorist or scammer hiding in the deep web. Unlike in other environments, gathering evidence on the dark web is both complex and challenging. Even if law enforcement agencies know of a particular notorious criminal on the dark web, they can do nothing until they verify who the person is in real life, and they will not rush to arrest the person before acquiring sufficient evidence to build a case strong enough to lead to a conviction. This is why, even when an illegal marketplace has been infiltrated by law enforcement agencies, they do not rush to shut it down. They may spend weeks or months collecting evidence and revealing the identities of its users, and may even take part in selling drugs in order to catch some of the sellers. They can spend a lot of resources just to obtain a single piece of evidence such as the real name or location of a wanted suspect on the dark web.
For context, consider the arrest of Ross Ulbricht, the founder of Silk Road, who operated under the name Dread Pirate Roberts. He was first connected to Dread Pirate Roberts by investigators working on the Silk Road case, a multi-agency effort involving, among others, the Drug Enforcement Administration (DEA), the FBI and the IRS. The investigators wanted to find the people behind a marketplace that had grown wildly out of control and supplied very many people with illegal drugs. Connecting Ulbricht to Dread Pirate Roberts was not a cheap affair. Investigators had a hard time with the anonymity of Tor, the dark net on which Silk Road operated. However, they found that a user called Altoid had been the first to advertise Silk Road on a forum shortly after its launch. There was therefore sufficient reason to follow up on who used this username. They searched for it until, one day, the same username turned up on a programming forum asking for help with coding. In that post, Altoid gave an email address that, fortunately or unfortunately, contained his real name. The investigators then started working out who Altoid, who had exposed himself as Ross Ulbricht, was. They observed his activity both in the real world and on the Silk Road website, where he used to log in as the admin. Ulbricht's defense raised concerns in court that the Dread Pirate Roberts admin account was shared and had been handed down between several people. Had the investigators not collected any other evidence, this claim could have dealt a big blow to the case. However, they had forensically collected digital evidence that tied Ulbricht squarely to Dread Pirate Roberts.
They had recorded the Tor traffic originating from Ulbricht's computer. They had also collected evidence from the messages Dread Pirate Roberts exchanged with other members of Silk Road. FBI agents had also posed as members who grew to be close confidants of Dread Pirate Roberts. On the day of his arrest, an officer masquerading as a loyal Silk Road member and close friend asked him to look into an account that had some issues. When Ulbricht sat down in a public library in San Francisco and logged into the site as Dread Pirate Roberts, agents distracted him and then arrested him, seizing the most important item, his laptop, while it was still logged in as Dread Pirate Roberts and unencrypted. This allowed them to collect further evidence against him, which the court upheld and used to sentence him to life imprisonment (Figure 9.5).
The collection of evidence and prosecution of Ross Ulbricht lays a foundation for how forensic investigations are carried out to achieve the successful prosecution of offenders hiding in the dark web. The following explains the forensic scope and the steps followed.
The scope of digital forensics on the dark web is fairly broad. It has to cover everything from policies and procedures to evidence acquisition, evidence assessment, evidence analysis and, finally, reporting. The scope therefore defines the steps followed during a forensic investigation. The following is a layout of the general steps followed in any forensic investigation.
Figure 9.5 A news article on the arrest of Ross Ulbricht. (https://edition.cnn.com/2013/10/04/world/americas/silk-road-ross-ulbricht/index.html.)
A forensics exercise on the dark web is delicate and involves highly sensitive data: data that, if lost, might never be recovered. Each exercise therefore has to be treated with special care to ensure that crucial evidence is handled correctly. This is why most forensic work starts by setting out detailed guidelines and procedures that investigators must follow. These procedures may cover how particular evidence is to be recovered, how evidence is retrieved from devices, how it is to be stored, and how the activities involved are to be documented so that the authenticity of the data can be demonstrated later. Law enforcement agencies working on deep web cases often rely on the assistance of seasoned cybersecurity experts, who may accompany them to collect evidence or give rigorous training on how such evidence can and should be collected. This is especially helpful when evidence is collected in the field, where it may be unsuitable to bring people who lack training in self-defense. The cybersecurity experts are equally helpful when evidence is collected online, where they can specify the programs to be used to collect it.
A very important part of the policies and procedures is the codification of actions regarding the constitution of evidence, what should be looked for in it and how it should be safely handled once retrieved. Also, before the investigation begins, it is important for details available about the case to be understood and the allowable investigative actions to be stated. There are some types of evidence that require warrants and authorizations before they are collected. If such are not obtained, a defense team in court could make the judge throw away such evidence. As a matter of fact, the defense of Ross Ulbricht used a similar tactic when they appealed his case. They particularly argued that Ulbricht’s internet traffic was seized without a warrant or probable cause which was in violation of the US constitution. Luckily, the appeal did not go through, but there were high hopes that it would from the defense side. Therefore, the understanding of warranties and authorizations must be ensured before the investigations begin to prevent key evidence from going to waste.
It is important for any forensic investigation process to assess the potential evidence to be collected beforehand. It is important that these types of details about the case are understood. For example, if the goals of the investigations are to show that person X has committed crimes such as identity theft, the investigators need to know that they have to collect and go through evidence in hard disks, emails, social media, and other data collection spaces. They also need to understand that they will be required to assess whether the information they collect from such sources can be used for the particular crime. In another example, if person Y is being investigated for manipulating people to disclose their personal information, the investigators have to assess which type of evidence that they are seeking for. They also need to understand how such evidence has to be preserved. The integrity of these sources is also assessed to ensure that it will not be thrown out of court due to the incorrect collection or storage.
In the Ross Ulbricht’s case, investigators had assessed that the evidence they much needed from him was on his laptop. They also wanted evidence from within the Silk Road site, and thus, they had to find him logged into the site. That is the reason why they masqueraded as members on the site and could request for some favors from him. During his arrest, they wanted to find the laptop logged in and that is why they called on him to look into a Silk Road member account, and while he was logged in, they pounced on him. They were then able to collect and preserve the evidence they needed. This was elaborate evidence assessment prior to the collection and they followed the assessment with surgical precision.
This is a very important step in the forensic exercise where the evidence being sought after is retrieved. A lot of resources are used alongside care to ensure that the evidence is not destroyed during acquisition. To add some perspective to this, let us relook at the Ulbricht’s case evidence acquisition process. Investigators had already drawn him out into the open, in a library. He had logged into his computer and into the Silk Road website. It was a tense moment in which the investigators could capture all that they wanted or lose it. If they dashed at him, it is possible that he would set his laptop to auto-erase. They could also not use lethal methods since it would defeat the objectives of the investigations which were to bring him to face justice and serve as a lesson to others. They, therefore, used a ploy where secret agents inside the laboratory acted like a couple that was fighting. When Ulbricht tried to find out what was happening, it was only then that he was arrested. He was not in a position to rush back to his laptop and either destroy it or destroy the data it contained. The agents arrested him on the spot and used a data extraction software in a flash drive to start extracting data from Ulbricht’s computer. That was a spectacular example of how evidence acquisition is done at times.
It is very critical for any case, and thus, the acquisition process follows a rigorously detailed plan. Alongside taking care of how the evidence is obtained, documentation is needed for court purposes. Therefore, documentation has to be done prior to, during, and after the evidence collection. The documentation should include the hardware and software used as well as details about the systems being investigated. Evidence acquisition has to follow the laid out plans to prevent destruction or loss of integrity of data as it is retrieved from sources. The guidelines relating to reservation of evidence should also be followed as soon as the evidence has been retrieved. Additional precautions such as copying and transferring evidence to the investigators should take place as soon to prevent cases where evidence is stolen after being retrieved.
Of utmost importance is to ensure that all the pieces of evidence collected are collected using legal means. For instance, a court will throw out data that was obtained through illegal means. This is why documentation is important to help explain to the court how every piece was retrieved.
To ensure that the investigations of potential evidence are effective, there are some procedures that have to be laid out for the retrieval, copying, and storage of evidence. During investigations, data is commonly stored in designated archives wherever possible. There is also a list of methods that are used to analyze the evidence. Some of these methods include the use of software. For instance, if Ross Ulbricht would have begun erasing files from his computer before his arrest, law enforcement agencies would have had to use special software to recover the deleted data. If he had locked his computer, there are software that they could have used to gain access to the computer even without having to use his password. Apart from software, there are techniques that the investigators can use to locate important data. They can use metadata on files such as authors and last modification dates to find recent data. Even though this case is not from the dark net, it is highly relevant to this discussion. In 2012, Mr. Higinio Ochoa was part of a hacker group known as anonymous. He used the name Cabin Cr3w and commonly hacked police databases. However, in one instance, he hacked a police database and to taunt the officers, he posted a bikini photo of his girlfriend telling them that he had pawned them. Unfortunately, he forgot to scrape metadata from the photo. Later, the police used this metadata to locate the hacker, Mr. Ochoa, and arrest him. Part of his parole agreement, he is up to date not allowed to connect to the internet. From this case, it can be noted that readily available data such as metadata on files can be collected as evidence. The chances of finding useful data from such sources are normally high since it is hard for culprits to keep their tracks 100% hidden.
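The Ochoa case turns on location metadata left inside a photo. As an added example, not from the chapter, the following Python builds a minimal JPEG with a hand-constructed EXIF GPS block (the coordinates are made up and no real photo is used), pulls the coordinates back out the way an examiner's metadata tool would, and shows the defensive counterpart of stripping the segment.

```python
"""Read GPS coordinates out of a JPEG's EXIF segment using only the standard library.
Added example: the JPEG is hand-built here (no real photo), which also shows the layout the
parser then walks: APP1 -> TIFF header -> IFD0 -> GPS IFD -> rational values."""
import struct


def build_sample_jpeg(lat_dms, lon_dms, lat_ref=b"N", lon_ref=b"W"):
    """Minimal little-endian EXIF block holding only a GPS IFD, wrapped in a JPEG APP1 segment.
    Offsets from the TIFF header: 8 IFD0, 26 GPS IFD, 80 latitude and 104 longitude rationals."""
    gps_off, lat_off, lon_off = 26, 80, 104
    tiff = b"II*\x00" + struct.pack("<I", 8)                    # header: little-endian, IFD0 at 8
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", 0x8825, 4, 1, gps_off)  # one entry: GPSInfo pointer
    tiff += struct.pack("<I", 0)                                # no next IFD
    entries = [
        struct.pack("<HHI", 0x0001, 2, 2) + lat_ref + b"\x00\x00\x00",  # GPSLatitudeRef, ASCII, inline
        struct.pack("<HHII", 0x0002, 5, 3, lat_off),                    # GPSLatitude, 3 RATIONALs at offset
        struct.pack("<HHI", 0x0003, 2, 2) + lon_ref + b"\x00\x00\x00",  # GPSLongitudeRef
        struct.pack("<HHII", 0x0004, 5, 3, lon_off),                    # GPSLongitude
    ]
    tiff += struct.pack("<H", 4) + b"".join(entries) + struct.pack("<I", 0)
    for deg, mins, secs in (lat_dms, lon_dms):                  # degrees/minutes/seconds as num/den pairs
        tiff += struct.pack("<IIIIII", deg, 1, mins, 1, int(secs * 100), 100)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def extract_gps(jpeg):
    """Walk the JPEG segments to the EXIF APP1 and return (lat, lon) in decimal degrees, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # length counts itself, not the marker
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return _gps_from_tiff(jpeg[pos + 10:pos + 2 + seg_len])
        pos += 2 + seg_len
    return None                                                  # reached scan data or EOI without EXIF


def _gps_from_tiff(tiff):
    end = {b"II": "<", b"MM": ">"}.get(tiff[:2])                  # byte order is declared in the header
    if end is None:
        raise ValueError("bad TIFF header")

    def u16(off):
        return struct.unpack(end + "H", tiff[off:off + 2])[0]

    def u32(off):
        return struct.unpack(end + "I", tiff[off:off + 4])[0]

    def read_ifd(off):
        # tag -> (type, count, position of the 4-byte value-or-offset field); entries are 12 bytes each
        return {u16(e): (u16(e + 2), u32(e + 4), e + 8) for e in range(off + 2, off + 2 + 12 * u16(off), 12)}

    ifd0 = read_ifd(u32(4))
    if 0x8825 not in ifd0:
        return None                                                # never geotagged, or metadata was scrubbed
    gps = read_ifd(u32(ifd0[0x8825][2]))

    def dms(tag):
        _, count, vpos = gps[tag]
        off = u32(vpos)                                            # RATIONALs (8 bytes) never fit inline
        parts = [u32(off + 8 * k) / u32(off + 8 * k + 4) for k in range(count)]
        return parts[0] + parts[1] / 60 + parts[2] / 3600

    lat = dms(0x0002) * (-1 if chr(tiff[gps[0x0001][2]]) == "S" else 1)
    lon = dms(0x0004) * (-1 if chr(tiff[gps[0x0003][2]]) == "W" else 1)
    return round(lat, 6), round(lon, 6)


def strip_exif(jpeg):
    """Defensive counterpart: drop every APP1 segment before the scan data so no EXIF survives."""
    out, pos = bytearray(jpeg[:2]), 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if jpeg[pos + 1] != 0xE1:
            out += jpeg[pos:pos + 2 + seg_len]
        pos += 2 + seg_len
    return bytes(out) + jpeg[pos:]                                 # scan data and EOI copied untouched
```

Real cameras usually nest the GPS IFD under several other IFDs and may use big-endian ("MM") headers; the parser handles the byte order but otherwise covers only the path shown.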
Investigators can also search for certain keywords on hard disks, in files, in posts on social media, or in blog posts to find certain data. For instance, the only way Ross Ulbricht came to be linked to Dread Pirate Roberts was through the username Altoid. Investigators searched for where else on the internet Altoid had been used and found a forum post in which he disclosed a personal email address that contained his real name. There are special search techniques that can be used on Google to find exact information. Investigators can also use techniques to find hidden files or programs that may be of importance to a case.
The analysis of file names is also useful in evidence examination. Files on the internet or the dark web can be analyzed to determine the directories within which they are stored on servers. This helps investigators find other related files that may be stored in the same folder. For instance, take a look at the following URL to a PDF file:
By walking the path in reverse order, investigators can find out more about the contents of the hacking and secret files directories in the above domain. For instance, in the hacking directory they could find more files, such as stolen credit cards, stolen identities, and stolen bank details, among other things.
Downloaded files also give clues as to where they were downloaded from. Using this information, investigators can go to the source and find out what other pieces of information are available. There are also cases where a suspect is alleged to be the distributor of certain content. In this scenario, the investigators have to tie the suspect to files on a distribution medium such as a website. Therefore, they may have to match the names of files on the suspect’s computer with those on the said website as verification.
During the analysis of evidence, investigators normally work with lawyers and other investigators to ensure that the evidence is handled in the right and permissible way. They can also be guided on how to prepare the evidence for a court case.
The end goal of the collection of forensic evidence is for it to be used in court. Documentation and reporting are therefore the last steps in a forensic investigation. Throughout the evidence collection process, there was much focus on documenting the exercise. This documentation has to be verified to be accurate and complete. All the methods used to retrieve, copy, and store evidence, as well as to examine and assess it afterward, have to be recorded. This is very helpful when questions of integrity arise in court. Investigators’ inability to document how they collected evidence has led to the dismissal of serious cases after judges could not tell whether the evidence presented before them was factual or fabricated. It is easy to fabricate digital data, and that is why there is an insistence on documenting every process. Documentation also allows courts to verify whether the data extraction and analysis techniques used were legal. The court can appoint its own experts to do that.
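The acquisition documentation described earlier and the integrity question raised here both come down to being able to show, later, that neither the evidence nor the record of its handling has changed. As an added example (not from the chapter or any named tool), the following Python records each acquired item's SHA-256 in a log whose entries are chained by hash, then shows that a single altered byte in the item, or a single edited field in the log, is detected; the file name, examiner and tool names are constructed.

```python
"""Acquisition log with a hash per acquired item and a hash chain over the log entries, so that
both the evidence and the record of its handling can be re-verified later in the process.
Added example: the 'disk image' and the examiner/tool names below are constructed, not from a case."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # back-link of the first entry


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so a large disk image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(entry):
    """Hash of every field except entry_hash itself, in a canonical (sorted-key) JSON form."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_acquisition(log, path, examiner, tool, notes=""):
    """Append an entry for one acquired item. Each entry commits to the previous entry's hash,
    so deleting, reordering or rewriting an earlier entry invalidates every later one."""
    entry = {
        "seq": len(log) + 1,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "tool": tool,
        "source": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": hash_file(path),
        "notes": notes,
        "prev_entry_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_evidence(entry, path):
    """Re-hash the item and compare with the value recorded at acquisition time."""
    return hash_file(path) == entry["sha256"]


def verify_log(log):
    """Check every entry's hash and back-link; return the seq of the first bad entry, else None."""
    prev = GENESIS
    for entry in log:
        if entry["prev_entry_hash"] != prev or _entry_hash(entry) != entry["entry_hash"]:
            return entry["seq"]
        prev = entry["entry_hash"]
    return None


def demo():
    """Constructed walk-through: acquire, verify, then show that tampering with the image or the
    log is caught. Returns (evidence ok before, evidence ok after edit, first bad log entry)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "laptop_disk0.img")  # constructed stand-in for an acquired disk image
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed evidence bytes" + b"\xff" * 4096)
        log = []
        entry = record_acquisition(log, img, "examiner-1", "imaging tool (constructed)", "imaged at scene")
        record_acquisition(log, img, "examiner-1", "imaging tool (constructed)", "working copy")
        ok_before = verify_evidence(entry, img)
        with open(img, "r+b") as f:  # one byte changed after acquisition
            f.seek(4100)
            f.write(b"X")
        ok_after = verify_evidence(entry, img)
        log[0]["notes"] = "edited after the fact"  # the record itself is altered
        bad_seq = verify_log(log)
    return ok_before, ok_after, bad_seq


if __name__ == "__main__":
    print(demo())  # expected: (True, False, 1)
```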
Cybersecurity experts are normally contracted by investigators to help with the preparation of data for reporting purposes. The data has to be kept in a readable format that judges and other laymen can understand. Some explanations have to be simplified by these experts such that the judge and jury can easily understand even without information security training.
It is important that digital forensic investigators conduct their investigations in the right way. It is very easy for a judge to dismiss digital evidence because of the ease with which it can be modified. Therefore, since as early as 1984, law enforcement agencies have developed processes and procedures for conducting digital forensic investigations. Models have been developed to help investigators, and this section will take a look at some of them. Before that, it is good to take an overall look at the computer forensic investigation process. Models may differ in their individual processes, but the flow is the same and all are based on a similar abstract frame. The first methodology for how digital evidence was to be acquired and made legally acceptable dates back to 1984. This methodology forms the basis of all the current digital forensic investigation models. The investigative process was outlined as being composed of the following processes.
We have already looked at all the above stages when covering the steps involved in digital forensics. Therefore, we go straight to the models used by law enforcement agencies in digital forensics. All these models are based on the four-step investigative process that has been diagrammatically illustrated above.
This is the Digital Forensics Framework (DFRWS) model, developed in 2001. It has six phases, as shown in the diagram below.
This model was the basis of most digital forensic investigations. It was known to be standardized and consistent, and thus could easily be accepted in court. Each of the phases had laid-out techniques that investigators could use. In the first phase, identification, there were techniques to prevent crime, resolve signatures, detect anomalies, monitor systems, do audit analysis, and many other things. It made the identification process very strict and watertight. This was followed by preservation, where a case management guideline helped investigators store different data formats, and imaging technologies were provided to help retain accurate and acceptable evidence. In the collection phase, the model discussed the software and hardware tools that could be used to extract fine details from the evidence. There were also recovery techniques for deleted data. After this came the examination and analysis phases, where tracking, pattern matching, and hidden data discovery were done. The last phase was presentation, which included documentation, clarifications, and recommendations from experts.
This forensic investigation model was derived from the DFRWS model above and enhanced to include nine phases. The model is shown in the diagram below.
In this model, identification is still the first phase, but it is followed by preparation. The preparation phase was introduced in this model to allow for some investigative procedures to take place beforehand. These include search warrants, acquisition of tools, authorizations to monitor a suspect, and management support. Following this is the approach strategy phase, also a new introduction. Here, the model allows for further collection of evidence with minimal impact on the victims, according to a defined strategy. In the preservation phase, data is isolated and secured. In the collection phase, data is finally moved from the sources to the investigators; the phase calls for the evidence to be duplicated. In the examination phase, an in-depth systematic analysis is done in which the fine details are obtained from the evidence. The analysis phase helps determine the value of the derived details in relation to the case at hand. This is followed by presentation, where the processes used are summarized in a report. The last phase is returning evidence, whereby withheld pieces of evidence such as laptops and servers are returned to their respective owners. The main advantage of this model is that it caters for pre- and post-investigation processes, which DFRWS took for granted.
This model was proposed in 2003, and it sought to integrate the models available at the time. The goal was to come up with a model that integrated digital and physical investigations, since these at times go together. It is a very big model, composed of 17 phases broken down into 5 groups. The following are the five groups that make up the entire model.
The model starts with the readiness phase group, which makes sure that investigators are ready with all the training and equipment for investigating a case. The readiness phases also include the acquisition of any data required for the investigation. The next group is the deployment phase group, where the mechanisms for incident detection and confirmation are provided. This group has phases related to detection, notification, confirmation, and authorization during the forensic investigation. The next group is the physical crime scene investigation phase group. As the name suggests, these are the phases in which physical evidence is collected and analyzed. It consists of preservation of the scene, survey of the scene for evidence, documentation of the evidence, searching for more evidence together with the digital investigation phases, crime scene reconstruction, and then presentation of the complete theory. This is shown in the diagram below.
The fourth group of phases is the digital crime scene investigation, which is centered on the digital side of the investigation. It treats every device in an investigation as a crime scene in its own right and seeks to retrieve data from it. Like the physical group, the digital group has six phases as well. These are shown in the diagram below.
The last group is the review phase, which seeks to enhance the model over time. It includes a review of all the processes followed in the investigation and the identification of points for improvement.
There are other models, but these are the main ones that have continually been used by law enforcement agencies. The newer models are specific to particular technologies such as cloud, Internet of Things, and data mining. However, their applicability is limited to those technologies, so they cannot be used for other types of forensics.
To enhance the effectiveness of forensic investigations, investigators at times have to turn to toolkits designed for this purpose. These toolkits enable them to gather evidence faster and automate some processes. A few tools have been developed for this purpose. However, the one that stands out and is most widely applied by investigators is the FTK, software made by AccessData specifically for digital forensics.
FTK is said to do fast searches on data and to speed up the analysis of data sets. The main technique that allows this is the upfront indexing of data, which removes the delays incurred by other searching tools and techniques. According to its creators, the tool can fetch details from huge data sets faster than any other tool. The following are the main selling points of FTK for forensic investigations.
Fast speeds with stability—the tool is greatly praised for being extremely fast. It is said to be the only forensic tool that can take advantage of multiple cores on a computer processor. Therefore, it is able to leverage all the available computer resources, leading to faster execution than other tools.
Fast searches—with the upfront indexing of data, the tool can perform searches and filter data quickly. It also removes the need for duplicate files, since it can analyze files directly from their sources.
Database driven—FTK uses a shared case database to store data at a central point. Therefore, when investigators are analyzing data, FTK stores it centrally for quicker and easier analysis. This helps solve the issue of working with different data sets in the same investigation. It also helps investigators who are not working from the same physical location, as all of them have access to the same data.
FTK is not limited to searching through data; it comes with other capabilities. The tool can be used to crack passwords. If during an investigation there are locked files that bear essential data, investigators can use this tool to crack the password and open the file. This is very useful, especially when a suspect is not cooperative and will not open files on his or her computer. The tool can also analyze emails. Given access to an email dump, the tool will fish out the details one is searching for, whether a word, a number, or a phrase. The following are the components of FTK:
Email analysis—this component is used when dealing with email data. As mentioned before, FTK enables investigators to analyze volumes of emails and search for the characters, phrases, or numbers they are looking for. The tool is able to parse emails, making it possible for analysis to be done even at the IP address level.
File decryption—it is common for investigators to find encrypted files in the course of their investigations. The creators say that file decryption has become the most used functionality of the tool. FTK is able to decrypt files and also crack into password-protected files.
Data carving—the FTK has an advanced system for searching through files. It can search through them based on different properties such as their sizes or even pixels.
Web viewing—this component is mostly used for court purposes and to ensure that every legal aspect is followed. It grants attorneys a web-based view of the evidence being analyzed. If some operations are deemed illegal, the attorneys can advise.
Malware detection—FTK comes with a malware detection component called Cerberus. Some suspects may keep their laptops laden with malware so that, when the laptops are being analyzed or data is being retrieved from them, the malware can derail the process by infecting files. Cerberus has the ability to sniff out malware so that files are not destroyed.
Imager—FTK Imager is a component that allows investigators to view and operate on image files retrieved from suspect devices. It is normal practice for investigators to obtain image files of the systems they are investigating and run their analysis on these images instead of on the device itself.
FTK is a premium tool sold by AccessData. However, the company gives a free trial of both the FTK toolkit and FTK Imager. The imager works free for an unlimited amount of time, but the toolkit will expire if the user does not pay for a license key. It is a worthwhile buy for investigators, and it can make the forensic investigation exercise simpler.
Digital forensic investigations can be hampered by some techniques designed to make it significantly harder to investigate certain files and programs. These techniques are as follows.
Virtual machine (VM) and sandbox detection are commonly used techniques to avoid analysis. To add some perspective, it is worth looking back at WannaCry, a 2017 ransomware attack that affected 150 countries. To prevent analysis, WannaCry came with techniques to stop execution when it detected that it was in a sandbox or a virtual environment. By ceasing to function, it made it hard for analysts to find out the behavior of the ransomware. However, it was still analyzed using static analysis, which involves direct analysis of the code instead of analysis of behavior. Some suspects have tools that do the same. When investigators get hold of these tools, the tools simply go dormant when run on virtual machines or in sandbox environments. When this happens, the solution is either to analyze the raw code or to run the tool on a sacrificial machine.
To prevent the discovery of certain data by search engines, some suspects make data dynamic, so that it is only generated when certain inputs are provided. An analyst who is not aware of this will visit a website and find nothing. At the same time, the suspect will visit the same website, provide some inputs, and the data will be generated. It is an effective method of hiding sensitive data, such as data that could be used as incriminating evidence.
This chapter has focused on the digital forensic exercises carried out for the purpose of obtaining evidence to prosecute suspects. The chapter has tied its discussion to real-world cases that featured the same forensic exercises, such as the arrest of the owner of Silk Road 2, a successful dark net marketplace. The chapter has explained the role that cryptocurrencies have played in making digital forensic investigations on the dark web more complex: they have eliminated the money trail that investigators used to rely on to track down suspects. The chapter has also discussed how cryptocurrencies have been used for money laundering, making it easy for cybercriminals to cleanse dirty money. There has been a detailed explanation of the forensic investigation scope and models. The chapter has looked at the steps involved in a forensic investigation and then at the commonly used forensic investigation models. The chapter has also highlighted the Forensic Toolkit, known as FTK, which is commonly used for investigations. Lastly, the evasion techniques used to derail investigators have been discussed.
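Static analysis, as the passage says, is how analysts proceed when a sample stops itself inside a VM. As an added example (not from the chapter or any vendor tool), the following Python does a stdlib-only strings scan over a constructed sample and flags publicly known VM and guest-tool artifact names, so the choice between a sandbox run and a sacrificial machine can be made before anything is executed; the sample bytes and indicator list are constructed for the example.

```python
"""Static triage of a sample for VM/sandbox-awareness indicators, without executing it.
Added example: the 'sample' is a constructed byte blob, and the indicator list names only
guest-tool process names and hypervisor vendor strings that are publicly documented."""
import re
from collections import defaultdict

# Strings that VM-aware code commonly compares against, grouped by the platform they reveal.
INDICATORS = {
    "virtualbox": [b"VBoxService.exe", b"VBoxTray.exe", b"VirtualBox"],
    "vmware": [b"vmtoolsd.exe", b"VMware"],
    "qemu/kvm": [b"QEMU", b"KVMKVMKVM"],
    "hyper-v": [b"Hyper-V"],
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")              # printable ASCII, 5+ chars
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")      # the same, UTF-16LE (common in Windows binaries)


def extract_strings(data):
    """Printable ASCII and UTF-16LE runs, in the spirit of the classic strings(1) tool."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16le") for m in UTF16_RUN.finditer(data)]
    return found


def scan(data):
    """Map each indicator category to the extracted strings containing one of its markers
    (case-insensitive). An empty dict means nothing static suggests VM awareness."""
    hits = defaultdict(list)
    for s in extract_strings(data):
        low = s.lower()
        for category, markers in INDICATORS.items():
            if any(m.decode("ascii").lower() in low for m in markers):
                hits[category].append(s)
    return dict(hits)


def triage_verdict(hits):
    """Turn hits into the decision the text describes: VM run, or static review / sacrificial host."""
    if not hits:
        return "no VM-awareness strings; dynamic analysis in a VM is a reasonable first step"
    return "VM-awareness strings present; expect it to go quiet in a VM, use static review or bare metal"


# Constructed sample: fake header, filler, and a few embedded strings, one of them UTF-16LE.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"C:\\Windows\\System32\\VBoxService.exe\x00"
    + b"\x01\x02\x03" * 10
    + "VMware, Inc.".encode("utf-16le") + b"\x00\x00"
    + b"GetTickCount\x00Sleep\x00"
)

if __name__ == "__main__":
    found = scan(SAMPLE)
    for category, strings in found.items():
        print(f"{category}: {strings}")
    print(triage_verdict(found))
```

String matching only catches the obvious cases; a sample that obfuscates these names needs a disassembler-level review, which is still static analysis rather than running it in a VM.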
Explain why the dark web is not 100% anonymous.
What significant advantages have cryptocurrencies given cybercriminals on the dark web?
Explain how money laundering was done before the invention of cryptocurrencies.
Explain the steps followed in forensic investigations.
Why is it important to obtain warrants and authorizations during evidence acquisition?
State three forensic investigation models used today.
State and explain one FTK.
How are VM and sandbox detection used as an anti-forensics technique?
How can data be hidden from search engines?
The following are resources that can be used to gain more knowledge on this chapter: