What methods are there for doing online research?
What do you need to consider when setting up a machine for online investigations?
Machine choice - Linux / Windows / Mac – Real or Virtual
Connection Choice – Real or fake account, dynamic or fixed IP, using proxy or VPN – TOR?
Machine Configuration – Updating! AV, browser, printer/file sharing settings, name/accounts
Forensic Copy – Log and hash, record actions and screen.
List 3 non-port-80 services used by online child sex offenders and briefly explain how they use them.
Tor Hidden Services (Dark Web):
Peer-to-Peer (P2P) Networks:
Instant Messaging (IM) Applications:
Explain
* The Darknet
* The Deep web
* Usenet
Examples of ways to get access to the Darknet:
Tor (The Onion Router):
I2P (Invisible Internet Project):
Freenet:
How does the darknet or dark web work?
It operates by routing internet traffic through a series of encrypted relays, known as nodes, before reaching its final destination. Each relay in the Tor network only knows the IP address of the relay before and after it in the chain, making it difficult to trace the origin of the traffic.
When a user accesses the internet through the Tor network, their traffic is encrypted and routed through a random selection of relays, obscuring their IP address and location. This makes it challenging for websites, internet service providers, and other parties to track the user’s online activities.
Why is email used for CSAM?
Just like all technologies – offenders use email offline and online
Used for sharing files, contacting other people and storing material
2FA, encryption, hard for LE to obtain, so pretty secure (10-minute mail)
Easy worldwide access, with cloud storage included
Why is IRC used for CSAM?
Client server setup – Used for text – Chatting
Able to do file transfer and file sharing
Large amount of servers with huge amounts of channels
Why are social networks used by offenders?
Countermeasures by LE on the web
-Websites can be blocked by ISP / LE / EU etc.
-Hotlines are set up for notice and takedown of websites.
-Financial coalition – card payment providers and companies allied to stop payments related to CSAM from going through. Offenders have set up other payment systems to get around this: BTC, or paying other sites instead of the CSAM sites.
-Law enforcement actions – big operations, actively hunting
-ICANN – Registrars can take down websites when they have been notified that the websites they host are being used for illegal purposes.
What is the Cuckoo's carousel?
This is used by offenders to take someone else's resources: upload ZIP or RAR archives to one-click hosters like RapidShare, or put them on a hacked website in a hidden spot. Links to the files are then posted on boards, IRC or forums.
What is the difference between a Registrant, Registry, and Registrar?
A registrant is an individual or entity that registers a domain name through a domain registrar.
A registry is an organization or entity responsible for managing and maintaining a specific top-level domain (TLD) or group of TLDs.
A registrar is a company or organization authorized to sell domain name registrations to registrants on behalf of domain registries.
What information is found using WHOIS?
Domain name
Registrar information
Registrant information
Contact information
Registration dates
Registrar Abuse Contact
What does the expression Root Server mean in relation to DNS, and what role does it play in the DNS system?
In the context of the Domain Name System (DNS), the term “Root Server” refers to one of the authoritative servers at the highest level of the DNS hierarchy. The DNS is a decentralized naming system for computers, services, or any resource connected to the Internet or a private network. It translates domain names into IP addresses, allowing users to access websites and other online resources using human-readable names.
List the Big 7 top-level Usenet hierarchies.
comp
humanities
misc
news
rec (recreational)
sci
soc
You find 100 NZB files on a suspect's computer; what can you conclude?
Usenet Usage: NZB files are commonly associated with Usenet, a distributed discussion system used for sharing and downloading files, including software, media, and other content. Finding a large number of NZB files suggests that the suspect may be actively using Usenet for downloading or sharing files.
List at least 6 of the protocols in the application layer of the Internet Protocol suite. Which of these is most often used by online child sex offenders, and why?
HTTP / HTTPS / SMTP / FTP / POP / IMAP
What are the basic principles that must be in place before attempting an online investigation?
List four basics that should be in place to ensure your machine is secure.
How are forums and message boards used by offenders?
CSAM board, only CSAM material.
Could have RapidShare links and other links to download archives
Set up for contact with offenders; might have second and third levels that are not visible to the public