Emerging Investigative Techniques: Big Data and Social Networks (OSINT) and Mobile Surveillance
Giuseppe Vaciago
Seminar on Cybercrime and Digital Forensics
April 8-12th 2014
EU-Macao Co-operation Programme in the Legal Field (2010-2013)
Agenda
1. Introduction
• IP Address and DNS
• Online Sources of Information
2. Big Data and Social Network (OSINT) and mobile surveillance
• Big Data Definition
• Detecting and Seizing Illegal Contents
• Validating Digital Evidence
• Chain of Custody after Seizure
• Analysis of Digital Evidence
• Reporting of Digital Evidence Findings
3. Emerging Investigative Techniques
• Identify the Suspect – Fake Profile
• Evidence from SNS
Macau, April 8-12, 2013 - Seminar on Cybercrime and Digital Forensics
What is Digital/Electronic Evidence?
The Opte Project creates visualizations of the 14 billion pages that make up the network of the web.
Hungarian physicist Albert-László discovered that from every single one of these pages you can navigate to any other in 19 clicks or less.
IP Address
An IP address is a numerical identification code assigned to each and every device connected to a network, comparable to a street address or a telephone number. Given a specific IP address and the exact time the net connection was established, an ISP can trace the personal data of the person who signed the related connectivity service contract. An IP address can be Static (the IP address doesn’t change) or Dynamic (the IP address is shared with several other customers of the same ISP).
IP Address: IANA
The Internet Assigned Numbers Authority (IANA) regulates these IP addresses through regional entities located around the world: RIPE (Europe and some parts of Asia); APNIC (Asia and the Pacific Region); ARIN (North America); LACNIC (Latin America and the Caribbean); AfriNIC (Africa).
IP Address: IPv6
IPv6 supports globally unique static IP addresses, which can be used to track a single device's Internet activity. Most devices are used by a single user, so a device's activity is often assumed to be equivalent to a user's activity. This causes privacy concerns in the same way that cookies can also track a user's navigation through sites.
Domain Name System (DNS)
The Domain Name System (DNS) is a distributed system that acts like a large phone book, and keeps track of which IP address (or addresses) is assigned to which “name”, and vice versa.
Apart from the official channels to query DNS records and resolve DNS names to IP addresses, there are plenty of tools and websites designed to automate this work and help the investigator on this front:
• DnsStuff (www.dnsstuff.com)
• DomainTools (www.domaintools.com)
• CentralOps (www.centralops.net)
Online Sources of Information: Website
• The first piece of evidence here is the actual “visible” content of the web site.
• The second one is the “invisible” content associated with these sites. Invisible content here is basically the source code used to create the web page (i.e. user/developer comments such as passwords, identity or location references, or metadata such as creation/last modification date).
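The “invisible” content described above can be pulled out of a saved copy of the page source. The following is an added example, not part of the original slides: it collects HTML comments, `<meta>` metadata and hidden form fields from a constructed sample page; the class and function names and the sample source are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Constructed sample page source (not taken from any real site).
SAMPLE_SOURCE = """<!DOCTYPE html>
<html><head>
<title>Shop</title>
<meta name="author" content="j.doe">
<meta name="generator" content="ExampleCMS 1.2">
<meta name="date" content="2013-03-14">
<!-- TODO: remove test login before go-live -->
</head><body>
<p>Welcome to our shop.</p>
<!-- office: 3rd floor, Example Street 12 -->
<input type="hidden" name="campaign" value="spring13">
</body></html>"""


class InvisibleContentParser(HTMLParser):
    """Collects content that is in the source but not rendered to a visitor."""

    def __init__(self):
        super().__init__()
        self.comments = []   # (line number, text) of each <!-- ... --> comment
        self.metadata = {}   # <meta name=... content=...> pairs
        self.hidden = {}     # <input type="hidden"> name/value pairs

    def handle_comment(self, data):
        self.comments.append((self.getpos()[0], data.strip()))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and "name" in a:
            self.metadata[a["name"].lower()] = a.get("content") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[a.get("name") or ""] = a.get("value") or ""


def extract_invisible(source):
    """Return the non-rendered content of one page source as a dict."""
    parser = InvisibleContentParser()
    parser.feed(source)
    parser.close()
    return {"comments": parser.comments,
            "metadata": parser.metadata,
            "hidden_inputs": parser.hidden}


if __name__ == "__main__":
    for kind, items in extract_invisible(SAMPLE_SOURCE).items():
        print(kind, items)
```

The line number stored with each comment lets the examiner cite the exact position in the preserved source file when reporting the finding.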
Online Sources of Information: Social Networking Sites
What the investigator should watch for on Social Networking Sites:
□ User ID: it’s a valuable piece of evidence. Now there is the possibility to personalize your user ID (http://namechk.com).
□ Picture: it’s possible to obtain important metadata even if the most important SNS clean users’ uploaded photos.
□ Chat: when it is legally possible, chats on SNS contain fundamental information for the investigation.
Online Sources of Information: WebMail Sites
WebMail sites contain the following information (most of the time encrypted):
□ Chat Subsystem
□ Voice Subsystem
Online Sources of Information: Ad-Networks
Online ads (Google Adwords/Adsense, Facebook Ads, Microsoft Advertising, AdBrite, BidVertiser) are one of those sources of information that could be used to follow the “money trail”.
Online Sources of Information: Cloud Storage Services
Amazon has S3, Google has Google Drive, Microsoft has Azure. One of the best-known examples here is Dropbox, which internally relies on Amazon S3. This will be the future of storage and consequently of investigation. The 2 main obstacles are:
• Jurisdiction
• Digital Forensics (the admissibility of the evidence will be in the hands of the Cloud Provider)
Online Sources of Information: P2P Network
The key concept regarding the acquisition of evidence on files being shared or downloaded through most P2P networks consists in simply joining the P2P network, if the legal system admits this possibility. If logging is turned on for this client, all the details needed (IP, ports, timestamps, operations) will be logged straight into a file in real time.
Mash Up
A mash-up, in web development, is a web page, or web application, that uses and combines data, presentation or functionality from two or more sources to create new services.
Tim McCormick* proposed the following classification of data:
1. Basic Pure Data
2. High Value Data
3. Transactional
4. High Value Transactional data
* Tim McCormick, “A Web Services Taxonomy”
Big Data – Definition
Big Data is a collection of data sets so large and complex that it becomes difficult to process using traditional data processing applications.
Social media is transforming society. We are transferring more and more of our lives onto vast digital social commons. The emergence of these increasingly significant public spaces poses a dilemma for government. (#Intelligence – Demos Research – 2012)
Big Data – SOCMINT (Social Media Intelligence)
Social media is an extremely important class of Big Data, and is increasingly subject to collection and analysis. Measuring and understanding the visage of millions of people digitally arguing, talking, joking, condemning and applauding is of wide and tremendous value.
SOCMINT – Direct contact to the Public
SOCMINT – Future Crime Prediction
SOCMINT – Future Crime Prediction - PredPol
SOCMINT – Future Crime Prediction - August 2011 and London’s Riot
SOCMINT – Surveillance
SOCMINT – Surveillance – Chat Monitoring
Adaptive Grooming Policy (Network Algorithm)
Facebook admitted to monitoring certain online chats between minors and adults according to certain keywords, forwarding this information to the law enforcement officials in order to check whether there are the grounds for investigating whether “grooming” has occurred.
Mr Palazzolo, a treasurer for the mafia, on the run for 30 years, was discovered by monitoring his Facebook profile.
SOCMINT – Mobile Surveillance - Geolocation and Face Recognition
SOCMINT – Mobile Surveillance – Augmented Reality
Augmented Reality is a live, direct or indirect, view of a physical, real-world environment whose elements are augmented by computer-generated sensory input such as sound, video, graphics or GPS data.
SOCMINT – Mobile Surveillance – Faces of Facebook
The research investigated the feasibility of combining publicly available Web 2.0 data with off-the-shelf face recognition software for the purpose of large-scale, automated individual re-identification. Two experiments demonstrated the ability of identifying strangers online (on a dating site) and offline (in a public space), based on photos made publicly available on a social network site.
Emerging Investigative Techniques
Emerging Investigative Techniques - Where are the data stored?
Communications sent over SNSs, and information uploaded to SNS profiles, are normally saved only on the SNSs' servers.
But…
Some information may also be stored in the user's computer cache.
Emerging Investigative Techniques – Identify the Suspects
Police also utilise SNSs in their investigations through, for example, setting up SNS profiles and requesting information from the public. Police in New Zealand have made their first “Facebook arrest” after placing CCTV footage of a burglar removing his balaclava during the burglary on the social networking site. An internet-savvy police officer in Queenstown, on New Zealand’s South Island, posted the footage on the force’s Facebook page and within 24 hours of the break-in the burglar was identified.
Emerging Investigative Techniques – Identify the Suspects
• The Parson Cross Crew showed off guns and knives on social networking sites after some were convicted for a teenager’s murder.
• Dale Robertson, 18, was stabbed to death after a girl’s 16th birthday party.
• A woman created the Facebook website “The Parson Cross Crew Named and Shamed”, with pictures of the crew.
• Police were able to use the photographs as evidence against four further gang members at Sheffield Crown Court for firearms offences (Sheffield, September 2009).
Emerging Investigative Techniques – Fake Profiles
• The police must create fake profiles if they want to do any more than surf the general public material on the SNSs.
• In the US, law enforcement agencies are openly engaging in these deceptive practices in order to investigate even minor drug and alcohol offences.
• Befriending targets on SNSs allows officers an opportunity to infiltrate ongoing criminal activity with little physical risk.
• Examples include the FBI infiltration of “Darkmarket”, dubbed the “Facebook for fraudsters”, where users traded stolen credit card and bank account details.
Emerging Investigative Techniques – Covert Surveillance
Article 14 Proposal for a Directive 2010/0064 (COD) on Child pornography
Member States shall take the necessary measures to ensure that effective investigative tools are available to persons, units or services responsible for investigating or prosecuting offences referred to in Articles 3 to 7, allowing the possibility of covert operations at least in those cases where the use of information and communication technology is involved. Member States shall take the necessary measures to enable investigative units or services to attempt to identify the victims of the offences referred to in Articles 3 to 7, in particular by analysing child pornography material, such as photographs and audiovisual recordings transmitted or made available by means of information and communication technology.
Emerging Investigative Techniques - Problems of Undercover Investigation
• Exclusionary Rule
• Criminal Liability for LEA
• Jurisdiction
• Admissibility of digital evidence
• Fake profiles are not admitted
• SNS Terms of Service
Emerging Investigative Techniques - Monitoring public profiles
X1 Social Discovery software maps a given location, such as a certain block within a city or even an entire particular metropolitan area, and searches the entire public Twitter feed to identify any geo-located tweets in the past three days (sometimes longer) within that specific area.
“Where someone does an act in public, the observance and recording of that act will ordinarily not give rise to an expectation of privacy” (A. Gillespie, “Regulation of Internet Surveillance” - 2009)
BUT…
“Public information can fall within the scope of private life where it is systematically collected and stored in files held by the authorities” (Rotaru v Romania, ECtHR, (App. No. 28341/95) 2000)
Evidence from SNS – Digital Forensics
“Just as it is easy to fake a person's SNS profile, it is easy to alter information taken from a SNS account”. For Micheal O'Floinn and David Ormerod the challenges for SNS evidence are:
(i) evidence must represent what appeared on the SNS;
(ii) that the evidence can be shown to have originated from the alleged source, as opposed to a hacker or someone with access to the SNS account;
(iii) admissibility of the evidence.
Source: Micheal O'Floinn and David Ormerod, “Social networking sites, RIPA and criminal investigations”
Evidence from SNS – (I) The Accuracy of evidence – Two examples
• Defendant’s friend contacted a rape complainant on MSN, proffering as evidence a doctored printout of the conversation to suggest that she admitted the sex was consensual. This led to the jury being discharged pending analysis of the computers. Defendant's friend was convicted of perverting the course of justice.
• In State of Connecticut vs. Eleck, the court rejected Facebook evidence in the form of a simple printout, for failure of adequate authentication. The court noted that it was incumbent on the party seeking to admit the social media data to offer detailed “circumstantial evidence that tends to authenticate” the unique medium of social media evidence.
Evidence from SNS – (II) Proof of Authorship
• US cases accept the testimony of a witness with knowledge or distinctive characteristics within the communication unless there is a specific allegation of unauthorised access.
• MySpace evidence was authenticated by testimony of participants in the communications.
• Expert evidence from an official of the SNS.
• An unduly onerous authentication test may induce prosecutors to devote disproportionate time and (scarce) resources to authentication, adding unnecessarily to complexity and delay at trial.
Evidence from SNS – (III) Admissibility of the evidence to the Court
The disputed SNS evidence must have logical relevance, and this is satisfied when it: (a) is possibly authentic; (b) bears on the probabilities of a contested issue. The SNS evidence must be legally relevant, and this is satisfied if there is “some admissible evidence [...] of provenance, continuity (if relevant) and integrity”.
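One way to support the “provenance, continuity and integrity” requirement for a captured SNS export, shown as an added example that is not part of the original slides: a hash-chained custody log in which every entry commits to the content hash and to the previous entry, so both a doctored copy and an edited log entry are detected. The field names, actor labels and sample message are assumptions made for illustration.

```python
import hashlib
import json


def _digest(obj):
    """SHA-256 over a canonical JSON encoding of a custody entry."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def add_entry(log, action, actor, when, content):
    """Append an entry that commits to the content and to the previous entry."""
    entry = {
        "seq": len(log),
        "action": action,      # e.g. "capture", "transfer", "analysis"
        "actor": actor,
        "when": when,          # ISO 8601 timestamp supplied by the caller
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "prev": log[-1]["entry_sha256"] if log else None,
    }
    entry["entry_sha256"] = _digest(entry)
    log.append(entry)
    return entry


def verify(log, content):
    """Return a list of problems; an empty list means the record holds."""
    problems, prev = [], None
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_sha256"}
        if _digest(body) != entry["entry_sha256"]:
            problems.append(f"entry {i}: record altered")
        if entry["prev"] != prev or entry["seq"] != i:
            problems.append(f"entry {i}: chain broken")
        if entry["content_sha256"] != log[0]["content_sha256"]:
            problems.append(f"entry {i}: content differed from capture")
        prev = entry["entry_sha256"]
    if log and hashlib.sha256(content).hexdigest() != log[0]["content_sha256"]:
        problems.append("content does not match the hash taken at capture")
    return problems


if __name__ == "__main__":
    original = b"[2013-04-08 21:14] A: see you at 9\n"   # constructed sample export
    log = []
    add_entry(log, "capture", "officer-1", "2013-04-09T10:00:00Z", original)
    add_entry(log, "transfer", "lab-1", "2013-04-10T09:30:00Z", original)
    print(verify(log, original))                        # intact copy
    print(verify(log, original.replace(b"9", b"8")))    # doctored copy
```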
Evidence from SNS - Confession
• In October 2008, in Edmonton, Alberta, it was revealed that filmmaker Mark Twitchell, who was facing first degree murder charges, had posted as his Facebook status in August that "he had a lot in common with Dexter Morgan". This proved to be a key piece of evidence in the missing person case of John Altinger, as Twitchell was a fan of the television series "Dexter" and it is believed that he murdered Altinger in the style of Dexter's clandestine murders.
• In September 2009, in Martinsburg, West Virginia, a burglar left his Facebook page on the victim’s computer. He stopped to check his account on the victim's computer, but forgot to log out before leaving the home with two diamond rings.
• In November 2009, two women were charged with robbing a home in Ontario. The two women, both in their early 20s, decided to post a photo of themselves with the stolen goods online.
Misuse of Social Network – Lawyer and Judges
• Legal practitioners searching SNS: lawyers may be tempted to create fake profiles and befriend witnesses or their friends.
• It is not only lawyers who can fall victim to SNS misuse. There are reported instances from other jurisdictions where judges have used SNSs to investigate witnesses, and to converse with counsel about the case. See, for example, Public Reprimand of Carlton Terry J. Judicial Standards Commission, Inquiry No. 08-234, April 1, 2009.
Misuse of Social Network – Jurors
• More jurors said they saw information about the case on the internet. In high profile cases 26% said they saw information on the internet. In standard cases 13% said they saw information.
• In June 2011, Joanne Fraill, 40, a juror in a Manchester case, was sentenced to eight months in jail for contempt of court after using Facebook to exchange messages with Jamie Sewart, 34, a defendant already acquitted in a multimillion-pound drug trial.
Thanks for your attention
Giuseppe Vaciago
Mail: [email protected]
Web: http://www.techandlaw.net
Twitter: https://twitter.com/giuseppevaciago
LinkedIn: http://it.linkedin.com/in/vaciago