Strengthening forensic investigations of child pornography on P2P networks

Measurements of the Internet for law enforcement purposes must be forensically valid. We examine the problems inherent in using various network- and application-level identifiers in the context of forensic measurement, as exemplified in the policing of peer-to-peer file sharing networks for sexually exploitative imagery of children (child pornography). First, we present a five-month measurement performed in the law enforcement context. We then show how the identifiers in these measurements can be unreliable, and propose the tagging of remote machines. Our proposed tagging method marks remote machines by providing them with application- or system-level data which is valid, but which covertly has meaning to investigators. This tagging allows investigators to link network observations with physical evidence in a legal, forensically strong, and valid manner. We present a detailed model and analysis of our method, show how tagging can be used in several specific applications, discuss the general applicability of our method, and detail why the tags are strong evidence of criminal intent and participation in a crime.
