Todd Shipley on the Dark Net, and the Importance of Relationship-Building for Investigations

Christa: Digital forensics is all about tracing the electronic artifacts that can show a suspect behind a keyboard. However, in the past decade or so, the dark web has complicated this process by anonymizing buyers and sellers, making them harder to trace. The problem is so profound that in 2019, the RAND Corporation issued a study that identified law enforcement’s highest priority problems and potential solutions related to evidence on the dark web.

With us to talk through some of those on the Forensic Focus podcast today is Todd Shipley, a cybersecurity and digital investigations expert with an extensive background in financial and computer crimes, investigations and training. Todd also currently serves as president of the International High Technology Crime Investigation Association, or HTCIA. I’m your podcast host, Christa Miller, and welcome Todd.

Todd: Thanks for having me, Christa.

Christa: Of course. It’s a pleasure to have you. In the interest of transparency, before we begin, I should disclose that many years ago, Todd and his company Vere Software was one of my first marketing consulting clients.

And I’m really interested, Todd, by how your focus has evolved from online investigations to the dark web subcategory. Tell us more about how that evolution came about.

Todd: Well, I mean, we always did online investigations, so it wasn’t a huge leap, but you know, when I was working in law enforcement, we did a lot of online investigations, child investigations and such not. So when I left and we started the company, the focus was on online investigations and how to collect evidence correctly for officers. And that went for quite a while.

And then obviously the dark net — for me, it’s always been about what interests me. It’s never about, necessarily, what’s the newest or greatest thing that’s out there. It’s what I find interesting, because I want to do what’s interesting for me work-wise, and the dark net became a very intriguing place.

Now, it’s not something that I hadn’t looked at before or hadn’t known about. I mean, it was there when I was working at SEARCH, we had looked at it and we’re trying to figure certain things out about those anonymizing technologies and how they were going to affect law enforcement.

So once — had several things happen, and I got asked to speak about it at a particular conference, and I hadn’t really done a lot of research on it at that point — started talking about it, started doing more research on what law enforcement’s responses could be to this problem.

Then the Silk Road case happened. I mean, that’s ancient history now. And [I] was involved in a documentary about Ross Ulbricht of the Silk Road and what happened, as the onscreen expert. And so things could just kind of compounded after that point in time.

And you know, I’ve been going down this road of trying to have a better understanding of what law enforcement’s needs are gonna be, and how do we respond to those and how do we train on that? Because it’s just like anything else, and even the forensic side today, [it] still mystifies me how many younger people don’t understand that work. Something that we think we should just know endemically now, what forensics is and how it works, and what they should be doing with evidence. And they don’t.

And the same thing with dark net investigations, and what the dark nets even are, has been a challenge to get law enforcement to understand better and deal with it, because they just think so much like the press was out — that it’s just, you can’t do anything with it. Well, that’s not necessarily true at all, and there are things that can be done even by state and local agencies, if they choose to go out and do investigations in this space.

Christa: So one of the things that it’s an interesting to me about dark web investigations is how they seem to blend elements of investigative police work. So sort of the traditional tracing things and digital forensics analysis. And I wondered if you could walk us through some of those similarities and differences.

Todd: Well, I think you have to look at the fact that it’s all digital evidence and that’s always been my point with online evidence. It’s still all digital evidence. And from the forensic point of view, when I approached online evidence, it was collecting data. You know, it wasn’t necessarily just grabbing a screen capture or screen printing something and going, “Oh, there’s the evidence.” No, there’s data behind this and how do we handle that data?

And that was what we originally — you know, the concept of our software was to be able to grab that stuff, handle it in a forensic manner, date and timestamp it, hash it, and deal with it. And it still has to be done that way, and that’s not changed.

And the dark web doesn’t change any of that because the current versions of how most hidden services, particularly within TOR, because that’s the one we talk about the most — not I2P and some of the other versions that are out there that still exist and are important to understand for an investigator — but TOR becomes the focus of most every investigation because it’s the one used by most people.

But the background hidden service sites are all HTML, and so we still have to think about the fact that how do we collect HTML in a manner that’s consistent with what we need to collect as evidence? And how do we deal with that and how do we process that on the back end once we collect it? And so the forensic point of this becomes very important from that aspect.

Then, we can’t forget that just the dead box part of it too, is when we go finally identify somebody and get them, there’s new and different artifacts that we have to look for within the machines specifically related to the artifacts that are unique to online activity on the dark nets and use of encryption and cryptocurrency, so there’s a variety of different things that are unique and aren’t necessarily explored by all the forensic tools. At least they’re getting better about it now, but just a few number of years ago, they weren’t as understood by the forensic community on the tool side as they should probably should have been.

Christa: That actually was my next question about the forensic artifacts. What kinds of forensic artifacts are examiners looking for and where do they tend to be located? So you mentioned dead box forensics on a computer system, but more unconventionally also, I think there are like hardware-based cryptowallets and maybe other devices that need to be analyzed as well?

Todd: You mention the hardware cryptowallets. We’ll just kind of take an aside there for a second. You know, those become important in the sense of collection, but they’re going to be often overlooked because they’re not very identifiable. I mean, they look like a USB drive or a key fob. They’re not very big.

And so if the investigator doesn’t have any training, or the person collecting the evidence at the scene isn’t aware of what these might look like, they might miss those kinds of things. And so we have to be careful that we understand what we’re looking for and what the evidence is now at the crime scene, different related to these.

And so that’s part of the conversation always with investigators is: When you go there, what are you looking at? How do I identify it, particularly with cryptocurrency? That’s a whole different kind of problem. And the artifacts themselves now become the typical Windows-based or Linux-based because a lot of users tend to use Linux to get on the TOR if they’re sophisticated enough.

So these, I think they’re being more anonymous by using that as opposed to something else, like Windows, but Windows leaves the normal trail of artifacts. In the app data folder there’s all the installation of the files and even TOR installs stuff right on the desktop, which is unique to a tool. And so you’re going to find information about a lot of different things within what TOR does.

And we haven’t really explored all of this. We’re actually working a project with Marshall University right now, where they’re looking at installation artifacts. It’s for Homeland Security. It’s a project for Homeland Security training, but we’re looking at artifacts related to the installation of different tools and how to get them back. There’s been some research done on phones by University of Alabama, Huntington I think it was, that did some on the phones a number of years ago.

And so there’s some stuff out there, but not a lot of research in this space. And so we need to do more on that, about all the cryptocurrencies, as well as the wallets, particularly not the currencies themselves, but the wallets that get installed and the dark net tools, whether it’s TOR, I2P or whatnot, need to be explored as to further find out what’s there. I don’t think we have a clear grasp yet about all the artifacts that are there.

And then that’s just dead box. You’ve got to remember that we’ve got to do some memory forensics on these machines too, because if you get there and you find them, we’ve got to be looking probably for keys and other things and passwords in memory before we ever shut the machine down, because a lot of this stuff is not going to reside on the box itself, the dead box. It’s probably going to be in memory, and we’ve got to be thinking about grabbing memory before we do anything else.

Christa: Right, right, right. I want to jump back. You had mentioned making sure that first responders in particular are properly trained. And that was something that came up also in the Rand report I mentioned in my intro — the highest priority in that report being training for law enforcement at all levels.

So I’d like to explore more about that. As you’ve been conducting training yourself, what are the gaps you’re finding in officer — and I guess particularly forensic examiner — knowledge and skills, when you’re talking about memory forensics and dead box forensics. And those are skills, obviously I think a lot of examiners should already have, but how does it differ when they jump over to the dark web?

Todd: Well, the forensic examiner is just doing forensic examination. If it’s just the examiner, not the investigator, you’re looking at the fact they’ve got that skill set already, which is memory forensics, hopefully; dead box forensics. There could be some networking forensics depending on, on how sophisticated the investigation is going to be, because you can trap some of this stuff. But that’s a whole ‘nother long conversation about network forensics, and what you can and can’t get when it comes to the dark web investigations.

But they’ve got the skill sets. What they have to do is learn to identify where those things are, because although Magnet Forensics and some of the others are starting to parse out better, some of this information, it’s still identifying where it’s at and actually going through it manually, because they’re still, like in particular with TOR, the configuration file has a whole bunch of information in it that could be related to what you’re doing and identifying what’s there. Now, are they just a user, or are they actually running hidden service on their computer? And where do I find that stuff? And those things.

So it’s learning where the new artifacts are and what the artifacts mean, because even when — like particularly cryptocurrency — they’ve got several different variations of how the data is stored in the wallet, and it can be a .DAT file or a JSON file, or some other things typically, are they encrypted or password protected or not? How do we get into that?

It comes back to on scene too, when we’re looking at — particularly with crypto — how is the user accessing the wallet that’s got the crypto? Is it an online wallet, so do we have to do browser forensics? So all the typical skill sets come in for the forensic guy. Are they able to get in there and log into the account because they’ve saved the password in the browser, and then be able to get into the online account, wherever the keys are stored?

Because keep in mind with cryptocurrency, it’s all asymmetric cryptography, public and private key cryptography. And so the wallets store the private key that controls the public key. That’s the thing that you give to everybody else. They send you cryptocurrency, and if you control that private key, then you control that account.

Now it doesn’t mean that he doesn’t have it stored someplace else, and as soon as he gets arrested, he tells his partner to get the crypto key out of the safe and move the funds. That’s why there’s a whole process for law enforcement to move cryptocurrency, to grab it during the seizure so that they control it, but that’s another conversation too.

But the artifacts, we’ve got to figure out where they’re at. So browsing may be there, and then again, too, if it’s an online company, now we’ve got to do search warrants to that exchange online that controls that wallet. So there’s a whole series of things that the team’s got to figure out where they’re going to go with something when it comes to where the artifacts exist, because the online company has got that private key, not the local machine.

Now that can’t say that there’s wallets you can download and store the private key on your local machine. But it’s just going to depend on where things are at and do they need to open the wallet? I mean, there’s just a lot of things like, can they actually access it from the dead side? Maybe, or do they have to boot the machine or run the machine live to get into the wallet because of stored passwords or something else that they can get into the wallet there locally?

So they’ve got to make some decisions on, from a forensic point of view in accessing the live data, to make sure that they get in and don’t lose control of the bad guy’s cryptocurrency in that case.

Christa: The RAND report mentioned — I know you’ve mentioned a couple of tools that are available — but the RAND report also described the need for standards. It’s sounding to me like this is a rapidly changing environment, or a landscape rather, where it might be hard to standardize some of those processes depending on how the providers might add or change services or new technologies that come up. How is the field currently addressing those issues?

Todd: I’m not sure that they’re addressing it as well as could be, but remember forensics is always behind, six months or a year behind on everything. And the problem with the TOR project in particular, because it’s the biggest and the one that we talk about the most, they’re updating constantly. They — remember, they use Firefox as their base browser — and so Firefox is constantly changing, and TOR is updating their neutered version of Firefox that they use for the interaction with the TOR network that the average user uses and so they’re constantly making those changes. And so artifacts are going to change and move.

Now, Tor carefully tries to block a lot of incoming stuff. So JavaScripting and other things are blocked, so you don’t have the normal artifact you might find within Firefox. I mean, there’s still some stuff there, but not as much as we would like. But still, it’s just a browser communication. And that’s what — from a forensics point of view, not from an investigative standpoint — it’s a browser communication.

And so all those traditional things in artifacts that are kept by the browser, a lot of that is still there, like temporary files and such still have to get written to the machine because it’s just the typical browser communication. So there’s going to be stuff unless they’re using a tool like TAILS, which is a Linux version of TOR that runs in memory only. And as soon as you’re starting off, it goes away.

If you’re using the Windows-based TOR browser, there’s still going to be stuff stored locally in Windows, because Windows is such a “dirty” machine that it collects so much behind the scenes. You don’t know that it’s there. So it’s just that they’re behind in identifying it. And for the market, is there enough interest that they’ve got to have this now?

But regardless, for the investigator, whether the tools catch up with translation of some of this identification, you need to know where some of these artifacts go, and be able to go back and do traditional — what we’d call forensics — actually going through individual files and trying to take them apart to identify what’s unique about this, because there is stuff that’s there.

Christa: Right, right, right. So what, in your opinion, what tools are getting it right so far in terms of finding those, or at least be able to parse those artifacts out?

Todd: Well, I have no relationship to any of these companies, but I know that Magnet Forensics has done a pretty good job. They’ve always done a pretty good job with artifacts afterwards. They’re doing a pretty good job with that.

I’m not sure — I haven’t looked at all the tools to know yet. That may be a question you ask your viewers about what they’re using to do a better job. I only mentioned Magnet because I know that, people have told me, they’re doing a pretty good job, and I’ve seen some of their reporting of the kinds of things they’re doing. They’re not doing a hundred percent of it. Nobody is, but they’re starting to look at some of the wallet stuff and identify they’re there, being able to search for cryptocurrency addresses and whatnot, and identify what tools are installed. And I think everybody already does that. It’s just parsing out what the data is on the backend, and once they find the tools and what was there.

Christa: I want to go back. You mentioned earlier about writing search warrants to providers and whatnot. There are, there’s a whole ‘nother set of challenges I can imagine associated with stakeholder communication.

So for instance, working with prosecutors to draw up search warrants that have the right wording, for instance, or for that matter, advocating with commanders for more resources to do these kinds of investigations. What are some tips you can offer the viewers who need to convey these issues to help their stakeholders understand the needs, especially when they might lack supporting data for them?

Todd: Well, I think one of the biggest things that I always talk about, every time I speak, is what’s the policy for what you’re doing? You have a policy to cover these kinds of investigations, because remember, as soon as you turn on TOR, it becomes an international case because TOR throws you all around the world with its nodes.

And so [one], have you got policy? And have you talked to management about what this means? Because supervision of these cases is important. If we look back all the way to the Silk Road case where they had two agents arrested because they weren’t following policy and weren’t being supervised, how do you deal with that?

And the other thing is making sure the supervisors understand what this unique space is, when it comes to technology, and why it’s important. Not just that there’s bad guys out there using anonymization. Make sure that they understand this and they can articulate to their managers why we’re doing this and what’s going on and why we need to.

Because it’s not the FBI’s problem. It’s not Secret Service’s problem. It’s a local problem because the victim is local, so we can’t forget that state and locals need to be thinking about this as a space that they need to be able to work in, because their victims are there and they’re being victimized.

And then probably the last thing is making sure the prosecutors are on board with whatever you’re doing in your investigations, because it doesn’t matter what you investigate, if the prosecutors don’t understand it and don’t want to work it, and certainly be able to get the subpoenas and do those things that need to be done behind the scenes.

Because it’s like tracing an IP address. We all know that tracing the IP address is not just, “I found the IP address, and I can identify who’s there through a whois lookup.” I’ve got to do subpoenas in the background and that kind of stuff. And in this case, it gets a little more complicated because if I’m tracing things, I may need an MLAT, a mutual legal assistance treaty agreement, request to another country for information from a bank or exchange or an ISP, depending on what’s going on.

And so things get complicated. It doesn’t mean you can’t do them, they can be done, but know your resources. Particularly for state and local guys, is there a federal agency that can help? Not just the FBI. Secret Service, DHS, Postal Service… there’s a lot of things that can be done, and a lot of agencies can be brought to bear, on a particular investigation if you understand who’s qualified and competent in that field, in your local level. And not everybody is, even at the federal level, has all the skill sets you want. So that’s why you need to shop around and figure out who’s got what skill sets for you.

Christa: I imagine that this is helped by having task forces, I mean, commonly the ICAC task forces, the HIDTAs. Are there other task forces that that regional people can look at for assistance?

Todd: Oh, sure, there’s several. I mean, that’s why they need to look up the resources to find out. Secret Service has got a task force, they’ve got their Electronic Crimes Task Forces. There’s several others that are cropping up related to just technology investigation stuff. All the organizations that are out there to learn from. You introduced me as the president of the HTCIA — the High Technology Crime Investigators Association — but it’s about meeting people and knowing the resources.

And that’s all — for me in particular, HTCIA when I was a working policeman, was a godsend in that respect, because you met people and were able to solve cases by calling somebody on the phone, and go, “Hey, can you do this?”

I remember distinctly, a good friend of mine now, years and years later, had been working for the Metropolitan Police Department in London. And I called him up and said, “Hey, I got this IP address in this child porn case. Can you go check this address out and see what’s there?” Well, they ended up arresting the guy over the whole thing, and the case went away because they arrested him in London. But it was because I made a phone call that we had this activity going on, and this particular IP address that was coming back, at that point, to an address that we could identify, or I had identified. And those things happen.

And so when you meet people at meetings or conferences, or even on our Zoom meetings now, you find resources that you wouldn’t have had — in business, as well, because we’re a mix of business and law enforcement. And so you need somebody at HP or IBM or whatever, we’ve got a member and you can find them and connect with them and go, “I’m a member too and I need some help,” and members are always willing to help. So those kinds of things are very important, just knowing the resources that you’ve got available to you.

Christa: Yeah, yeah. Do you find, or have you found, that there are very many gaps internationally between what we’re doing — because you’re talking a lot about investigations in the United States, and then as they move overseas and you’re connecting with people that are overseas, whether they’re prosecutors or forensic examiners or investigators — have you been able to tell how other countries are handling these kinds of investigations and where the gaps may or may not be between skill sets or abilities to handle these kinds of investigations?

Todd: Sure. I mean, that’s a really good question. And it’s relevant with the fact that this is an international problem when it comes to dealing with the technology. I’ve been working with Interpol over the past several years on a couple of different projects. I helped write a couple of different manuals for Interpol related to dark net investigations.

One was published last fall. They’re available to law enforcement through Interpol. If your readers want to get it, if they’re law enforcement, they can use their contacts through the state and federal agencies to get the manual about dark net investigations. And I’ll provide you some information afterwards that you can put up for the readers about that manual.

So, yeah, and I’ve been doing training with Interpol, so working the project and/or with Interpol and we’re training law enforcement in the Middle East. And we’re working on — this last manual was for training for the South Asia, Asian countries.

And there are huge gaps. If you think about how forensics grew in the United States and in Europe, the Western countries have become very adept at that. And the same thing with the technology investigations, when it comes to dark net investigations on top of it. They understand the information and how it works and how the networks work. We’re always learning because there’s always new things, but you can see by what the FBI has done, the Australian Federal Police, the French police as well as the Dutch and the Germans. I mean, they’re all capitalizing on this and understanding how these networks work in the background and taking a lot of them down.

Now, these are long-term projects, but they figured it out. Now, the gaps end up being typically, what we think could be the gaps, is that the non-Western countries that don’t have the background experience in forensics, they don’t have the background experience in online investigations either. And so we spend a lot of time training them.

Now that doesn’t mean that they don’t want to learn. One of the last places — we were in Baghdad two years ago, teaching the Iraqi police and they were eager to learn the information and wanted to know more about it. We did some training in Singapore, and we had people from Jordan and Morocco and a variety of different places in the class, and smart investigators [who] had been doing a lot of this already. And we did some interesting training, and they grasp it and they want to learn.

So it’s not for want of learning, or problems, because they recognize that they’ve got the same kinds of problems we got with dark net related characters, which is surprising to me that the number of them that did.

In fact, for one of the classes we had a whole six month period. They were supposed to go back and do their cases and come back and report to the Interpol about what they’d done. And we had a big meeting in Lyon, and they all presented their case investigations. And it was so fantastic to hear what these agencies had done to use the skill set that we had imparted. And it was only a week long class, but they’d use the information that they’d learned to identify and work on dark net related cases.

It’s supposed to be — this was for the chemical/biological/nuclear team that was sponsoring this from Interpol, but the teams had saved one particular — the Iraqis saved this little girl because they found out she was being trafficked and they used the skills that they had, and they learned, to save this girl. And it was heart wrenching to listen to the story about what they’d done to get this girl out of the problem.

And the others had done similar things with drugs and whatnot, but it’s always nice to see that that it’s actually being applied. And certainly in places you wouldn’t think they would worry about dark net, anonymized persons on the internet cases. So that’s a highlight of the last couple of years, is dealing with Interpol and those.

Christa: Okay, yeah, that sounds fascinating. So you mentioned HTCIA earlier. I think all of the issues that we’ve talked about today are on the agenda for the upcoming international conference and expo. By the time we post this, that will have already happened, but but I wanted to get a little bit more into the kinds of connections that you talked about in terms of supporting investigative professionals that are navigating these challenges.

Todd: Well, I mean, the conference that we have every year is always a highlight of my year. I mean, obviously COVID has changed how we do that, and last year it was all online. We’re doing kind of a hybrid kind of thing. We will be meeting in Phoenix and we’ll be doing a lot of the stage introductions and things in Phoenix. The international board will be coming together to talk about board stuff that we’ve got to do for running the organization. Our keynote’s going to be from there.

So we’ve got a lot of things that are going on, but the presentations will be similar to what we did last year. The speakers will be online, but we’ve got a variety of topics of all the forensic related things. I don’t have a schedule in front of me right now, but if they’re interested, just go to the website and you can find out and they’ll be online.

If you want to register for the conference through the virtual, you’ll be able to access the video recorded versions of the presentations for like 90 days after the conference. So you can still benefit from the conference, but you don’t have to attend live. You can get them recorded.

But I think that’s changed how HTCIA is looking at the world too, is we’ve got a big learning management system in the background now of our website for users. And we’re transitioning to a new one in the next couple of months to better facilitate some of the things that the users need, as well as going to an app-based kind of backend for users. Instead of having to log in from your computer, they’ll be able to do it right from their phone, which is actually, we’re high-tech crime units coming into the 21st century.

So we’re doing things to facilitate better the transmission of information, and that’s the big part of what HTCIA is, because we can’t do the physical meetings now. We’ve got to find other means to do that. And our chapters, the ones that have been actually engaged very well, have taken this whole online part of COVID, and meeting wise, and doing very well.

You know, we have a Canadian conference we’ve had for the past couple of years has just gone gangbusters that the Canadians put on. Our cyber summit was a physical conference, but had to transition last year into an online conference.

We’ve adapted very well because we were moving this way anyway, because we were trying to push to more online services prior to that. When I was vice-president I was pushing. We were then using another platform, but now we’re using the more typical ones that are out there, but we went through this very easily when COVID happened, because we already had the resources in place to make it happen. Our chapters were being pushed to do online anyway.

Christa: Well, Todd, thank you again for joining us on the Forensic Focus podcast.

Todd: Well, you’re welcome. I’m glad I could be here. Anytime. It’s a fun topic. I thought about many other things that you and I know that you and I both could have conversations about.

Christa: Yeah. I think there were a couple of things you mentioned that that are separate conversations.

Todd: Yeah, we could do that. That would be fun.

Christa: That would be, yeah, indeed.

Thanks also to our listeners. You’ll be able to find this recording and transcription along with more articles, information and forums at www.forensicfocus.com. If there are any topics you’d like us to cover, or you’d like to suggest someone for us to interview, please let us know.

Christa Miller is a Content Manager at Forensic Focus. She specializes in writing about technology and criminal justice, with particular interest in issues related to digital evidence and cyber law.

Leave a Comment