emerging investigative techniques: big data andsocial networks(osint) and mobile surveillance by...

Emerging Inves,ga,ve Techniques: Big Data and Social Networks (OSINT) and Mobile Surveillance

Giuseppe Vaciago

Seminar on Cybercrime and Digital Forensics

April 8-12th 2014

EU-Macao Co-operation Programme in the Legal Field (2010-2013)

1.   Introduc,on q  IP Address and DNS q  Online Sources of Informa6on

2.   Big Data and Social Network (OSINT) and mobile surveillance q  Big Data Defini6on q  Detec6ng and Seizing Illegal Contents q  Valida6ng Digital Evidence q  Chain of Custody aBer Seizure q  Analysis of Digital Evidence q  Repor6ng of Digital Evidence Findings

3.   Emerging Inves,ga,ve Techniques q  Iden6fy the Suspect – Fake Profile q  Evidence from SNS

Agenda

Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics

What is Digital Electronic/Evidence? The Opte Project creates visualiza/ons of the 14 billion pages that make up the network of the web.

Hungarian physicist Albert-‐László discovered, from every single one of these pages you can navigate to any other in 19 clicks or less

An IP address is a numerical iden/fica/on code assigned to each and every device connected to a network, comparable to a street address or a telephone number. Given a specific IP address and the exact ,me the net connec/on was established, an ISP can trace the personal data of the person who signed the related connec,vity service contract. IP Address could be Sta,c (IP Address doesn’t change) or Dynamic (IP Address shared with several other customers of the same ISP)

IP Address


The Internet Assigned Numbers Authority (IANA) regulates these IP addresses. through regional en//es located around the world (RIPE -‐ Europe and some parts of Asia; APNIC -‐ Asia, and the Pacific Region; ARIN -‐ North America; LACNIC -‐ La/n America and the Caribbean; AfriNIC – Africa.


IP Address: IANA

IP Address: IPv6


IPv6 supports globally unique sta/c IP addresses, which can be used to track a single device's Internet ac,vity. Most devices are used by a single user, so a device's ac/vity is oSen assumed to be equivalent to a user's ac/vity. This causes privacy concerns in the same way that cookies can also track a user's naviga/on through sites.

Domain Name System (DNS)


The Domain Name System (DNS) is a distributed system that acts like a large phone book, and keeps track about which IP address (or addresses) is assigned to which “name”, and vice versa.

Apart from the official channels to query DNS records and resolve DNS to IP addresses there are plenty of tools and websites designed to automate and help the inves/gator on this front:

•  DnsStuff (www.dnsstuff.com) •  DomainTools (www.domaintools.com) •  CentralOps (www.centralops.net)

Online Sources of Informa,on: Website


q  The first piece of evidence here is the actual “visible” content of the web site.

q  The second one is the “invisible” content associated to these sites. Invisible content here is basically the source code used to create the web page� (i.e user/developer comments such as passwords, iden/ty or loca/on references or metadata such as crea/on/last modifica/on date)


��The inves/gator should watch for on Social Networking Sites: □ User ID: it’s a valuable piece of evidence

Online Sources of Informa,on: Social Networking Sites


��Now there is the possibility to personalize your user ID (h^p://namechk.com).



□ Picture: it’s possible to obtain important metadata even if the post important SNS clean uploaded user’s photos


□ Chat: when it is legally possible, chats on SNS contain fundamental forma/on for the inves/ga/on


��WebMail Sites contains the following informa/on (most of the /me encrypted): □ Chat Subsystem □ Voice Subsystem

Online Sources of Informa,on: WebMail Sites


��Online ads (Google Adwords/Adsense, Facebook Ads, MicrosoS Adver/sing, AdBrite, BidVer/ser) are one of those sources of informa/on that could be used to a follow the “money trail”.

Online Sources of Informa,on: Ad-‐Networks


Amazon has S3, Google has Google Drive, MicrosoS has Azure. One best-‐known examples here is DropBox, which internally relies, with Amazon S3. This will be the future of the storage and consequently of the inves/ga/on. The 2 main obstacle are q  Jurisdic,on

q  Digital Forensics (the admissibility of the evidence will be on the hand of the Cloud Provider)

Online Sources of Informa,on: Cloud Storage Services


��The key concept regarding the acquisi/on of evidence on files being shared or downloaded through most P2P networks consists on simply joining the P2P network, if the legal system admits this possibility. If logging is turned on for this client, all the details needed will be obtained (IP, ports, /mestamps, opera/ons) logged straight into a file in real-‐/me.

Online Sources of Informa,on: P2P Network

Mash UP


Mash Up: A mash-‐up, in web development, is a web page, or web applica/on, that uses and combines data, presenta/on or func/onality from two or more sources to create new services.

Tim McCormick* proposed the following classifica/on of data: 1. Basic Pure Data

2. High Value Data

3. Transac/onal

4. High Value Transac/onal data Tim McCormick, “A Web Services Taxonomy”

Big Data – Defini,on


Big Data is a collec/on of data sets so large and complex that it becomes difficult to process using tradi/onal data processing applica/ons


Big Data Defini,on Social media is transforming society. We are transferring more and more of our lives onto vast digital social commons. The emergence of these increasingly significant public spaces poses a dilemma for government.

(#Intelligence – Demos Research – 2012)

Big Data – SOCMINT (Social Media Intelligence)


Social media is an extremely important class of Big Data, and are increasingly subject to collec/on and analysis. Measuring and understanding the visage of millions of people digitally arguing, talking, joking, condemning and applauding is of wide and tremendous value.

SOCMINT – Direct contact to the Public


SOCMINT – Future Crime Predic,on



SOCMINT – Future Crime Predic,on -‐ PredPol

SOCMINT – Future Crime Predic,on -‐ August 2011 and London’s Riot


SOCMINT – Surveillance



Adap,ve Grooming Policy (Network Algorithm)

Facebook admi^ed to monitoring certain online chats between minors and adults according to certain k e ywo r d s , f o rw a r d i n g t h i s informa/on to the law enforcement officials in order to check whether t h e r e a r e t h e g r ound s f o r inves/ga/ng whether “grooming” has occurred.

SOCMINT – Surveillance – Chat Monitoring

Mr Palazzolo a treasurer for the mafia, on the run for 30 years, was discovered by monitoring his Facebook profile.


SOCMINT – Surveillance – Chat Monitoring


SOCMINT – Mobile Surveillance -‐ Geoloca,on and Face Recogni,on


Augmented Reality is a live, direct or indirect, view of a physical, real-‐world environment whose elements are augmented by computer-‐generated sensory input such as sound, video, graphics or GPS data.

SOCMINT – Mobile Surveillance – Augmented Reality


The research inves/gated the feasibility of combining publicly available Web 2.0 data with off-‐the-‐shelf face recogni/on soSware for the purpose of large-‐scale, automated individual re-‐iden/fica/on. Two experiments demonstrated the ability of iden/fying strangers online (on a da/ng site) and offline (in a public space), based on photos made publicly available on a social network site.

SOCMINT – Mobile Surveillance – Faces of Facebook

Emerging Inves,ga,ve Techniques



Communica/ons sent over SNSs, and informa/on uploaded to SNS profiles, are normally saved only on the SNSs' servers.

But…

Some informa/on may also be stored on the user's computer cache

Emerging Inves,ga,ve Techniques -‐ Where the data are stored?


Police also u/lise SNSs in their inves/ga/ons through, for example, senng up SNS profiles and reques/ng informa/on from the public. Police in New Zealand have made their first “Facebook arrest” aSer placing CCTV footage of a burglar removing his balaclava during the burglary on the social networking site” An internet savvy police officer in Queenstown, on New Zealand’s South Island, posted the footage on the force’s Facebook page and within 24 hours of the break-‐in the burglar was iden/fied.

Emerging Inves,ga,ve Techniques – Iden,fy the Suspects


q  The Parson Cross Crew showed off guns and knives on social networking sites aSer some were convicted for a teenager’s murder.

q  Dale Robertson, 18, was stabbed to death aSer a girl’s 16th birthday party.

q  A woman created the Facebook website “The Parson Cross Crew Named and Shamed”, with picture of crew.

q  Police were able to use the photographs as evidence against four further gang members at Sheffield Crown Court for firearms offences (Sheffield September, 2009)



q  The police must create fake profiles if they want to do any more than surf the general public material on the SNSs.

q  In US, law enforcement agencies are openly engaging in these decep/ve prac/ces in order to inves/gate even minor drug and alcohol offences.

q  Befriending targets on SNSs allows officers an opportunity to infiltrate ongoing criminal ac/vity with li^le physical risk.

q  Examples include the FBI infiltra/on of

“Darkmarket” dubbed the “Facebook for fraudsters”, where users traded stolen credit card and bank account details.

Emerging Inves,ga,ve Techniques – Fake Profiles


Emerging Inves,ga,ve Techniques – Covert Surveillance

Ar,cle 14 Proposal for a Direc,ve 2010/0064 (C0D) on Child pornography

Member States shall take the necessary measures to ensure that effec6ve inves6ga6ve tools are available to persons, units or services responsible for inves6ga6ng or prosecu6ng offences referred to in Ar6cles 3 to 7, allowing the possibility of covert opera*ons at least in those cases where the use of informa*on and communica*on technology is involved. Member States shall take the necessary measures to enable inves6ga6ve units or services to aWempt to iden6fy the vic6ms of the offences referred to in Ar6cles 3 to 7, in par6cular by analysing child pornography material, such as photographs and audiovisual recordings transmiWed or made available by means of informa6on and communica6on technology.

Emerging Inves,ga,ve Techniques -‐ Problems of Undercover Inves,ga,on


Exclusionary Rule

Criminal Liability for

LEa Jurisdic/on

Admissibility of digital evidence

Fake profiles are not admi^ed

SNS Terms of Service

Emerging Inves,ga,ve Techniques -‐ Monitoring public profiles


X1 Social Discovery soSware maps a given loca/on, such as a certain block within a city or even an en/re par/cular metropolitan area, and searches the en/re public Twi^er feed to iden/fy any geo-‐located tweets in the past three days (some/mes longer) within that specific area.


“Where someone does an act in public, the observance and recording of that act will ordinarily not give rise to an expecta6on of privacy” (A. Gillespie, “Regula/on of Internet Surveillance” -‐ 2009)

“Public informa6on can fall within the scope of private life where it is systema6cally collected and stored in files held by the authori6es” (Rotaru v Romania, ECtHR, (App. No. 28341/95) 2000)

BUT…

Emerging Inves,ga,ve Techniques -‐ Monitoring public profiles


“Just as it is easy to fake a person's SNS profile, it is easy to alter informa/on taken from a SNS account”. For Michael O’Floinn and David Ormerod the challenges for SNS evidence are: (i)  evidence must represent what appeared on the SNS; (ii)  that the evidence can be shown to have originated from the

alleged source, as opposed to a hacker or someone with access to the SNS account;

(iii)  Admissibility of the evidence

Evidence from SNS – Digital Forensics

Source: *Micheal O'Floinn and David Ormerod, Social networking sites, RIPA and criminal inves6ga6ons)


q  Defendant’s friend contacted a rape complainant on MSN, proffering as evidence a doctored printout of the conversa/on to suggest that she admi^ed the sex was consensual. This led to the jury being discharged pending analysis of the computers. Defendant's friend was convicted of perver,ng the course of jus,ce

q  In of State of Connec/cut vs. Eleck, the court rejected Facebook evidence in the form of a simple printout, for failure of adequate authen/ca/on. The court noted that it was incumbent on the party to seeking to admit the social media data to offer detailed “circumstan,al evidence that tends to authen,cate” the unique medium of social media evidence.

Evidence from SNS – (I) The Accuracy of evidence – Two examples


q  US cases accept that tes,mony of a witness with knowledge or dis/nc/ve characteris/cs within the communica/on unless there is a specific allega/on of unauthorised access.

q  MySpace evidence was authen/cated by tes/mony of

par/cipants in the communica/ons

q  Expert evidence from a official of SNS.

q  An unduly onerous authen,ca,on test may induce prosecutors to devote dispropor/onate /me and (scarce) resources to authen/ca/on, adding unnecessarily to complexity and delay at trial.

Evidence from SNS – (II) Proof of Authorship


The disputed SNS evidence must have logical relevance, and this is sa/sfied when it is: (a)  possibly authen/c (b)  bears on the probabili/es of a contested issue. The SNS evidence must be legally relevant, and this is sa/sfied if there is “some admissible evidence [...] of provenance, con/nuity (if relevant) and integrity”

Evidence from SNS – (III) Admissibility of the evidence to the Court


q  In October 2008, in Edmonton, Alberta, it was revealed that filmmaker Mark Twitchell, who was facing first degree murder charges, had posted as his Facebook status in August that "he had a lot in common with Dexter Morgan". This proved to be a key piece of evidence in the missing person case of John Al/nger, as Twitchell was a fan of the television series "Dexter" and it is believed that he murdered Al/nger in the style of Dexter's clandes/ne murders.

q  In September 2009, In Mar/nsburg, West Virginia, Burglar leaves his Facebook page on vic/m’s computer. ASer he stopped check his account on the vic/m's computer, but forgot to log out before leaving the home with two diamond rings.

q  In November 2009, two women charged with robbing a home in Ontario. The two women, both in their early 20s, decide to post a photo of themselves with the stolen goods online.

Evidence from SNS -‐ Confession


Misuse of Social Network – Lawyer and Judges

q  Legal prac//oners searching SNS: lawyers may be tempted to create fake profiles and befriending witnesses or their friends.

q  It is not only lawyers who can fall vic/m to SNS misuse. There are reported instances from other jurisdic/ons where judges have used SNSs to inves/gate witnesses, and to converse with counsel about the case. See, for example, Public Reprimand of Carlton Terry J. Judicial Standards Commission, Inquiry No.08-‐234, April 1, 2009


q  More jurors said they saw informa/on about the case on the internet. In high profile cases 26% said they saw informa/on on the internet. In standard cases 13% said they saw informa/on.

q  In June 2011, Joanne Fraill, 40, a juror in a Manchester case, was sentenced to eight months in jail for contempt of court aSer using Facebook to exchange messages with Jamie Sewart, 34, a defendant already acqui^ed in a mul/million-‐pound drug trial.

Misuse of Social Network – Jurors

Thanks for your a^en/on

Giuseppe Vaciago

Mail: [email protected] Web: hWp://www.techandlaw.net TwiWer: hWps://twiWer.com/giuseppevaciago Linkedin: hWp://it.linkedin.com/in/vaciago

emerging investigative techniques: big data andsocial networks(osint) and mobile surveillance by...

Technology