by Christa Miller, Forensic Focus
Celebrating its 31st year, the Crimes Against Children Conference ran from 12-15 July 2019 in Dallas, Texas. The conference kicked off with opening remarks by Lynn M. Davis, President and Chief Executive Officer of the Dallas Children’s Advocacy Center (DCAC), who focused on the DCAC’s new “Save Jane” initiative. Updated with the photos and names of local missing and endangered children, this video project is designed to be shareable and scalable for use by every community in the United States.
President and co-founder of Watch Systems Mike Cormaci spoke about his company’s sex offender registry management and community notification solution, OffenderWatch, which relies on relationships with the 15,000 users in its network to provide accessible statistics about sex offenders in any given community.
Cormaci was followed by Emily Vacher, Facebook’s Director of Trust & Security, who oriented her talk to creativity and big thinking to solve child protection problems unconstrained by geographic boundaries. Pointing to the Save Jane initiative, which she called a “living art exhibit,” Vacher talked about the importance of art — not just filmmaking, but also painting, music, and other art forms — to heal and inspire, educate and raise awareness, and even assist in finding children. For example:
- Director Sasha Joseph Neulinger’s documentary “Rewind”, featured at the Tribeca Film Festival, shows how survivors can reclaim their voices and call others to action.
- A 25th-anniversary cover of the 1993 Soul Asylum song “Runaway Train,” intersperses a music video with images of missing children. Thanks to the National Center for Missing and Exploited Children (NCMEC), these images are regularly updated and even geotargeted based on the location where the video plays. The video has already helped recover children.
Opening statements ended with a keynote by Greg Smith, founder of the Kelsey Smith Foundation, which offers liaison services to help law enforcement communicate with families during an investigation, as well as education for both civilians and law enforcement.
With that, the conference was officially under way. Many of the presentations we attended contained sensitive content that presenters didn’t want exposed to a broad online audience. If you need assistance or have questions about something you read, please be sure to post in our forums, or reach out directly to organizations like the National White Collar Crime Center (NW3C), SEARCH.org, and others that provide training and support.
Mobile Peer-To-Peer Investigations
Cellebrite’s Manager of Technology, Keith Leavitt, talked about mobile device evidence in P2P investigations. In Mississippi, where he retired from the Attorney General’s Office, minimal mobile broadband penetration meant that offenders relied on mobile technology to obtain CSAM.
Utorrent and BitTorrent file sharing services are both supported in Android, along with DroidG2, which implements Gnutella2 technology even though Gnutella itself isn’t supported for Android. Other P2P clients include eMule, eDonkey, and Shareaza; DroidG2 additionally accesses eDonkey.
The storage size of many mobile devices (plus expandable storage) means you’re likely to see one or more of these apps. However, most forensic tools don’t parse many of the apps, requiring manual examination.
Which data you can obtain depends on the level of extraction you perform: logical, file system, or physical. Because some methods are faster than others, extractions depend on the amount of time you have and the type of data you need. Tools like search term “watch lists” can help to filter extracted data.
Examining P2P apps starts with locating an identifier to provide the path to where the app data resides. In addition you may find other files of importance; logfiles that may include an IP address; and date/time stamps, all of which can be correlated with other places the IP address shows up.
Leavitt also covered challenges with external storage media. For example, Android makes it possible to mount an SD storage card as internal memory, and ejecting the card could break the device. Meanwhile, micro SD cards might store content in the device’s media download folder, and partial downloads may appear in the “resume” or “incomplete” folder rather than in the torrent folder. Torrent filenames may be bundled in a generic, hard-to-notice ZIP file.
Finally, Leavitt said it’s important to validate how the P2P apps work. Part of explaining how data got on the device, validation is a matter of running the app through a legal torrent such as the “Big Buck Bunny” film.
Learn more about Cellebrite’s mobile forensics solutions and training here.
Bill Wiltse, President of the Child Rescue Coalition (CRC), co-presented on overcoming investigative challenges with mobile devices and apps via CRC’s investigation tool, the Child Protection System (CPS).
These challenges include attribution to a specific offender; encryption; and ease of access to children. However, the talk also described opportunities associated with geolocating mobile addresses which are not resolvable using existing carrier infrastructure. The CPS offers a way for CSAM investigators to identify suspects by correlating these IP addresses together with digital forensic examination results.
Another of the talk’s key elements addressed the need for better communication and relationship-building across investigative teams and industry partners. Specifically, when approaching mobile carriers for information, it can help if investigative teams have already established how the carrier’s past help has enabled them to make a rescue. Including them on these kinds of wins can provide an incentive for them to help in the future.
The CRC, a 501(c)(3) nonprofit organization, maintains the CPS database with billions of records. Since 2004, the CRC has focused on information sharing, making data more digestible and better fused together to enable law enforcement to triage and find more suspects, more quickly.
Virtual Currencies, Virtual Reality, And The Dark Web
Eric Huber, Vice President of International and Strategic Initiatives at the National White Collar Crime Center (NW3C), described virtual currency and how it factors in investigations. Huber described different kinds of virtual currency including privacy coins, stablecoins, and even rewards systems like airline and hotel points.
Huber described the relationships between the blockchain ledger, currency mining, the public / private key infrastructure, wallets, and cryptocurrency exchanges, as well as how each part of the process works with the next; and how criminals exploit the network’s distributed nature.
Another more recent broad use case of blockchain technology is “smart contracts.” By turning the blockchain into an operating system, users can create decentralized applications, or dapps.
What kinds of crimes is cryptocurrency used for?
- One of the most glaring examples is ransomware, in which malware encrypts files on a computer or server and ransoms them in exchange for cryptocurrency.
- Cryptocurrency is frequently used for dark market purchases, such as drugs or CSAM.
- Money laundering.
- Both virtual and physical robbery can happen. A thief can steal private keys, but can also force a crypto transaction at gunpoint.
- Cryptojacking is when criminals install unauthorized cryptocurrency mining software on a victim’s machine. The software uses the victim’s computer and electricity to mine for cryptocurrency on the criminal’s behalf.
- Cash smuggling or counterfeit cash transactions might rely on dark market cryptocurrency exchanges, which let users get a box of cash in return for Bitcoin.
Blockchain investigations, therefore, are a mix of forensics, blockchain analysis, and traditional financial investigations. Free block explorers show the public ledger with transaction IDs, while paid cryptoforensic tools let you visualize transactions and even — when paired with legal process — deanonymize suspects. Often you can correlate these pieces of data with a link analysis graph that allows you to follow the money and see where to serve legal process.
Huber covered different kinds of evidence associated with cryptocurrency transactions, for example:
- Strings of hexadecimal numbers, which could be addresses or keys used in cryptocurrency transactions.
- USB keys that could be heavily encrypted hardware wallets. They include Trezor, Ledger, and KeepKey. Electronics recovery dogs can help find these.
- Software wallets, which could be desktop or mobile apps. Popular options include Electrum, Jaxx, Copay, Exodus, GreenAddress, and Mycelium.
- Mobile devices specifically designed for blockchain, including the HTC Exodus and Sirin Labs Finney.
Following the trail of cryptocurrency evidence was also the topic of a talk given by Guy Gino, a special agent with Homeland Security Investigations (HSI). He offered a case study on how his team managed to de-anonymize an opioid dealer whose product turned out to have killed 34 people within one week of their receiving and using it.
Investigating the crime like a homicide, not a computer crime, Gino’s team used conventional investigative skills to follow the trail. Starting with a partial dump from a chip-off acquisition of the victim’s locked phone, the team was able to locate a photo of a previous sale with the same characteristics — font, sticker size, and quantity — as the overdose.
They also found screenshots of images from the victim’s access to the darknet through PGP and other onion apps, and from there, were able to identify her on the darknet. Gino’s team then worked their remaining evidence:
- The logistics of the US postal system, used to ship the drugs.
- Social media profiles.
- Darknet marketplace “choke points.”
- The US Treasury’s FinCen suspicious activity reports, which helped to identify suspects.
In the end, Gino’s team was able to trace the products the suspect had used for “stealth shipping” to stores in the local area, including lot numbers. Unusual transactions at a handful of those stores enabled them to look at surveillance video to identify suspects and make arrests.
Huber said while some forensic tool vendors support wallets, it’s an area that’s evolving rapidly, and one that investigators need training on to examine data in unsupported apps. Comprehensive resources you can use to learn more about cryptocurrency include Coindesk, Coin Center, the Blockchain Alliance, and Jameson Lopp’s Bitcoin Information & Eductional Resources. In addition, the NW3C offers multiple training courses on both financial crimes and cryptocurrency investigations.
Huber also gave a talk about virtual reality (VR), augmented reality (AR), and mixed reality (MR) environments and their relevance to criminal investigations.
Most people are familiar with AR entertainment applications, including games like Pokemon Go, Minecraft Earth, Jurassic World Alive, and Harry Potter Wizards Unite. However, Huber said there are practical applications to all of these technologies as well. For law enforcement, it could include language translation, facial and voice recognition, and even tactical integrations like shooting simulations.
With price points dropping, virtual reality (VR) is becoming more accessible, in part because in some cases it relies on mobile devices to stream an experience. For example, partnerships between Valve (the company behind the Steam gaming platform) and HTC enable gameplay using HTC’s Vive device, while a partnership between Samsung and Oculus allows the Galaxy S10 to integrate with a VR headset. Lenovo’s Mirage Solo does something similar with Google Daydream.
VR social media enables chatroom participation via avatars in a virtual world. Using VR goggles, users can interact with people in a 3D, completely immersive space. Programs like the NYPD’s Options rely on VR to help youth make better decisions in high-stress situations.
While this could be great for crime scene training and practising courtroom presentation to juries, Huber said, it also has other applications: PornHub already has 2600+ VR videos that break the fourth wall, allowing users to become immersed in the action.
And so, just as the Cornerstone VR program helps child welfare workers to know what it’s like to be a child in an abusive situation, immersive technology could also be used as a tool of abuse. People who create child exploitation content will start to use the methods pioneered by the porn industry and others to create VR child exploitation content.
Huber said you can use mobile device forensic skills to collect data from AR and VR devices, though third-party cloud data collection may also come into play with technology like Facebook’s Oculus Quest and Oculus Rift.
However, one of his most important observations involved video production head mounts and the impact on an investigator’s mental health when reviewing child exploitation evidence from the 3D point of view of either the victim or the offender. On the other hand, 360-degree cameras like the Ricoh Theta can capture entire rooms, thereby potentially finding more evidence that could lead to improved chances of victim rescue and offender identification.
Learn more about the NW3C’s virtual reality training courses here.
Using Technology to Protect Investigators
Griffeye’s Eric Oldenburg spoke to a mixed room of law enforcement investigators and examiners, supervisors, and mental health professionals. Oldenburg’s talk was based on his 15 years of ICAC task force experience — a time before anything was in place to acknowledge or help investigators deal with the stress and trauma of looking at CSAM.
Drawing a comparison to the kinds of physical injuries that police work can incur, Oldenburg described how the task force lost one of its best examiners to burnout before Supporting Heroes in Mental Health Foundational Training (SHIFT) Wellness became available to teach mitigation techniques.
Key takeaways from Oldenburg’s session include:
- Burnout in this field is unique because it isn’t based on overwork or boredom. Rather, investigators just can’t stand it anymore. However, untreated vicarious trauma means the images stick with investigators, and it’s not enough for affected officers to transfer or leave. Supervisors must be trained to recognize burnout signs and symptoms.
- Supervisors may not always understand what workers are going through, but they need to have empathy — and to actively educate themselves. Lightly sanitized pictures can help them see that victims aren’t “just 17-year-old girls in pigtails.”
- Empathy extends to awareness of other factors like toxic work environments, stigma over a PTSD “label,” and stringent workers’ compensation rules, which can mean investigators never get the help they need.
- Mandatory six-month counseling visits can deflect the burden of getting help to the agency rather than the individual — a more proactive measure than employee assistance programs (EAPs). To get commanders’ buy-in, consider comparing the cost of therapy to the costs of workers’ compensation, turnover, and training new people.
- Other measures could include “little things” like a certified therapy dog, or even things like comfortable chairs for the digital forensics lab.
- Terminology changes are important, too. Although it might seem small to talk about “child sex abuse material” or “child exploitation material” rather than “child pornography” or “kiddie porn,” language that normalizes horrific crimes leads to laws and policy that minimize the crimes to “just pictures” or “barely-legal” websites rather than crime scene photos and true victims.
Oldenburg also spoke about the need for supervisors to sign off on purchasing the right technology. Calling it a revelation when he first discovered video analysis software whose sound was turned off by default — to spare investigators the trauma of hearing what was happening — Oldenburg then covered features like deduplication and machine learning, which can be trained to look at many more images than a person can, without getting tired.
Other technology, like Project VIC, encapsulates the findings of many investigators in a hash cloud database so that computers can match known images without investigators ever having to be exposed to them. Submitting new images to the database is a way, Oldenburg said, to protect other investigators from vicarious trauma, as well as to provide intelligence on offenders.
He estimated that three years is the rough average for an investigator to “become unstoppable,” but it’s also the point at which many people move on because they can no longer handle CSAM. At that point, said Oldenburg, the risk of losing these investigators is losing their technical aptitude to learn technology and find victims.
How supervisors can help: focus (and spend money) on technological solutions that empower and protect employees to best equip them to do their jobs safely, efficiently, and leave some day, unharmed.
Wil Hernandez, a technical engineer at MSAB, talked about how “drowning in data” from ever-changing technology presented a dilemma for investigators on multiple levels. Hernandez talked about some of those challenges, along with opportunities — specifically, multiple sources of evidence that can be correlated, as well as used to spot patterns of life: specific locations, event sequences, travel, people and places of interest, and so forth.
MSAB’s XRY and XAMN tools make these capabilities possible with automatic image recognition, the ability to analyze multiple cases and users together, and Project VIC hash database support, among other features. Read more about how they support child exploitation investigations at MSAB’s website here.
Finally, Jeff Shackelford of PassMark Software provided an introduction to PowerShell as an investigative tool. Useful for when in-field forensic tools don’t work and you don’t want to risk losing live memory or encrypting the drive — or when you need actionable intelligence for initial interviews — PowerShell is a user-friendly, documentable method of capturing data related to wifi connections, SSIDs, and passwords; finding out whether USB ports are enabled in the Windows registry (and being able to change this); discovering the BitLocker status (and keys) on all volumes; and even looking at the clipboard history.
PassMark’s OSForensics tool is another way to utilize PowerShell in the field. Contact [email protected] for your 30 day trial license.
Learn more about how to put these pieces together for forensic interviewers and prosecutors in Part II of our CACC 2019 recap!