18.2 Internet Services: Legitimate versus Criminal Uses


The Internet provides the infrastructure for many different services. Most people are familiar with services such as e-mail and the World Wide Web. Although many of us use these Internet services, we rarely access them directly. Instead we use applications (computer programs) that make it easier to use the services on a network. For example, many people use the Netscape Navigator application to access Web pages stored on distant Web servers. Similarly, Eudora is an application used to access e-mail on distant e-mail servers. The underlying services are made up of application layer protocols, many of which are defined in Request for Comments (RFC) documents.[1] Although there are thousands of Internet services and applications, the process of understanding the Internet can be simplified by considering its five main services:

  • World Wide Web (WWW or Web)

  • E-mail

  • Newsgroups (a.k.a. Asynchronous Discussion Groups)

  • Synchronous (Live) Chat Networks

  • Peer-to-Peer (P2P)

The last two categories are growing rapidly, with more people communicating using live chat applications such as Microsoft Netmeeting, AOL IM, and Yahoo IM, and sharing music, video, and other media using applications like KazaA.[2]

Internet services like the Web, Usenet, and IRC retain information about people, organizations, and geographical areas. People use the Internet to communicate, explore new ideas, and make purchases from the comfort of their homes. Many organizations use the application layer of their private networks to facilitate communication between employees and to make sales, payroll, and other routine financial transactions more efficient. This combination of social and financial activity makes the application layer an attractive place for criminals. Con artists find a large number of marks through e-mail, Usenet, and the Web. Sexual offenders have a wide selection of hunting grounds (e.g. chat networks) and victims to choose from on the Internet. Stalkers use Internet services to obtain information about their victims and sometimes harass their victims using the Internet. Thieves break into the private networks of organizations and steal credit card numbers and trade secrets. Hate groups use the Internet to communicate, publish, and threaten.

Only a limited amount of research has been performed to quantify and analyze criminal activity on the Internet. Some of the resulting assertions about crime on the Internet have been based on limited data and are unverifiable.

CASE EXAMPLE (CARNEGIE MELLON UNIVERSITY 1995):


The Georgetown University Law Review published a research paper by Martin Rimm, a student at Carnegie Mellon University (CMU). The paper described and classified the sexually oriented materials circulating on the Internet and quantified the relative amounts of obscene and illegal materials versus other kinds of materials. Rimm's study generated a great deal of interest, reaffirming many people's view that the Internet was primarily used to exchange pornographic materials. Time magazine was so taken with the results that it published a special issue entitled Cyberporn featuring Rimm's study. The CMU administration was so concerned that its computer systems were being used to distribute illegal materials that it temporarily removed all sexually explicit images from the newsgroups on its servers. Ultimately, the study did not fare well under academic scrutiny: the research methodology and data analysis were flawed.


To gain a better understanding of how the Internet facilitates criminal activity, researchers conducted an exploratory study of two Usenet groups, one relating to lock picking and safe cracking and the other dedicated to undermining satellite television encryption mechanisms (Mann and Sutton 1998). Other studies have focused on child pornography and child exploitation on the Internet (Durkin and Bryant 1999). In fact, entire research groups, such as COPINE[3], have been established to address the growing concern of online child exploitation.

There are some general assertions that can be made about crime on the Internet. The Web does not contain much direct evidence of criminal activity because there is such a high risk of detection. Much of the illegal activity on the Web is carefully hidden (e.g. password protected), and only available to trusted individuals. Criminals utilize Usenet to collaborate and to distribute pornography of all kinds, including child pornography. Criminals feel relatively safe on Usenet because they can conceal their identities and can prevent their messages from being archived, thereby reducing the risk of detection. Criminals who are determined to avoid detection while using the Internet use more private services like e-mail, real-time chat, and peer-to-peer networks. One informal study found that 6% of the requests on a peer-to-peer network appeared to be for child pornography (Palisade Systems 2003). However, this study was based on file names rather than content and probably does not reflect the actual amount of child pornography on these systems.

18.2.1 The World Wide Web

The Web first became publicly available in 1991 and has become so popular that it is often mistakenly referred to as the Internet. Other Internet services including e-mail, Usenet, and synchronous chat networks are now accessible through Web pages. Web pages make it easier for individuals to interact with other Internet services - hiding the complexity with a user-friendly facade.

The popularity and rapid growth of the Web is mainly due to its commercial potential. Using the Web, organizations and individuals alike can make information and commodities available to anyone in the world. Before 1990, some of this information was only available through less user-friendly programs like WAIS, FTP, Archie, Veronica, and Gopher. The Web incorporated these older services and continues to grow, producing the largest information repository in human history. As the Web becomes more widely used to make monetary transactions, associated criminal activities grow. In addition to using the Web to steal from individuals and even steal their identities for profit, some criminals have established Web sites to sell prescription drugs in violation of international customs law. Additionally, some criminals use the Web to provide information to and communicate with fellow criminals. For example, there are an increasing number of recipes for illegal substances on the Web.

CASE EXAMPLE (UNITED STATES v. REEDY 2000):


In 1999, US Postal Inspectors found the Landslide Web site advertising and conspiring to distribute child pornography. The Texas company associated with the site, Landslide Productions, Inc., was owned and operated by Thomas and Janice Reedy. The US Department of Justice estimates that the Reedys made more than $1.4 million from subscription sales of child pornography in the one month that the Landslide operation was in business. Customers could subscribe to child pornography Web sites through a Ft. Worth post office box, or via the Internet. Landslide also offered a classified ads section on its site, allowing customers to place or respond to personal ads for child pornography (USPS 2001). Although the Web sites and related digital evidence were located in Indonesia and Russia, when digital evidence examiners obtained Thomas Reedy's computer, they found more than 70 images of child pornography and a list containing the identities of thousands of Landslide customers around the world. The resulting investigation was called Operation Avalanche. Thomas Reedy was sentenced to life in prison, and Janice Reedy was sentenced to 14 years in prison.


Some Web sites that have an illegal purpose attempt to obfuscate their actual location by using Web redirection services (e.g. www.kickme.to). This type of redirection simply embeds the page within a frame and can be seen clearly by viewing the source HTML through a Web browser or from the server directly as shown here:

    % telnet illicit.kickme.to 80
    Trying 64.235.234.138 ...
    Connected to ns2.dynamicname.com.
    Escape character is '^]'.
    GET /index.html HTTP/1.1
    Host: illicit.kickme.to

    HTTP/1.1 200 OK
    Date: Sun, 25 May 2003 13:16:50 GMT
    Server: Apache/1.3.27 (Unix) PHP/4.1.2
    Vary: Host
    X-Powered-By: PHP/4.1.2
    Transfer-Encoding: chunked
    Content-Type: text/html

    2e9
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML>
    <HEAD>
          <TITLE>Illicit Site</TITLE>
          <SCRIPT>
          <!--
          if(top!=self)
          top.location.href=self.location.href;
          ;//--->
          </SCRIPT>
    </HEAD>
       <!--- frames -->
       <FRAMESET ROWS="100%,*" FRAMEBORDER="no" FRAMESPACING="0">
           <FRAME NAME="REDIRECTION_MAIN" src="http://server1.somewhereelse.com/illicit" MARGINWIDTH="0" MARGINHEIGHT="0" SCROLLING="auto" FRAMEBORDER="0">
           <FRAME NAME="AD_BOTTOM" src="/ad.html" MARGINWIDTH="0" MARGINHEIGHT="0" SCROLLING="auto" FRAMEBORDER="0">
       </FRAMESET>
    </HTML>
    0

    Connection closed by foreign host.

Other Web sites use redirection to forward the visitor to a completely different server, so investigators must remain alert and verify which server they are connected to when collecting digital evidence. Another common obfuscation approach used by fraudsters to obtain credit card information is to send e-mail posing as a legitimate business (e.g. PayPal, eBay) instructing individuals to submit their account information and credit card number to a URL like "http://www.paypal.com@bylink.net", giving the impression that data is being sent to PayPal when, in fact, it is being sent to "bylink.net".[4] By using this type of URL, fraudsters are taking advantage of a feature of HTTP URL syntax, described in RFC 1738, that supports a username and password in the format "http://username:password@www.website.com".
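Both obfuscations above, the framed redirection page and the userinfo-in-URL trick (including the decimal-address variant from footnote [4]), come down to the same question: which host does the browser actually connect to? The following added example (not code from the book) answers it with the standard library; the sample page is constructed to mirror the kickme.to response shown above.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def actual_host(url):
    """Report where a browser really connects for ``url``.

    In an HTTP URL everything before the last '@' of the authority is
    userinfo (the RFC 1738 user:password field), not the host, so
    'http://www.paypal.com@bylink.net' connects to bylink.net.  A host
    written as a single decimal number (footnote [4]) is expanded to
    dotted-quad form so it can be compared with ordinary addresses.
    """
    parts = urlparse(url)
    host = parts.hostname or ""
    userinfo = parts.username
    if userinfo is not None and parts.password is not None:
        userinfo = f"{userinfo}:{parts.password}"
    if re.fullmatch(r"\d+", host):
        try:
            host = str(ipaddress.IPv4Address(int(host)))
        except ipaddress.AddressValueError:
            pass  # not a valid 32-bit address; leave the text as written
    return {
        "host": host,                       # what the TCP connection goes to
        "displayed_as": userinfo,           # the bait, e.g. 'www.paypal.com'
        "has_userinfo": userinfo is not None,
    }


class FrameCollector(HTMLParser):
    """Collect the src attribute of every <frame> and <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def frame_targets(page_url, html):
    """(absolute frame src, host it is served from) for each frame in ``html``."""
    collector = FrameCollector()
    collector.feed(html)
    targets = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)   # relative srcs resolve against the page
        targets.append((absolute, actual_host(absolute)["host"]))
    return targets


def foreign_frames(page_url, html):
    """Frames whose content comes from a host other than the page's own."""
    own = actual_host(page_url)["host"]
    return [t for t in frame_targets(page_url, html) if t[1] != own]


# Constructed sample modelled on the kickme.to redirection page shown above.
PAGE_URL = "http://illicit.kickme.to/index.html"
SAMPLE_HTML = """<HTML><HEAD><TITLE>Illicit Site</TITLE></HEAD>
<FRAMESET ROWS="100%,*">
  <FRAME NAME="REDIRECTION_MAIN" src="http://server1.somewhereelse.com/illicit">
  <FRAME NAME="AD_BOTTOM" src="/ad.html">
</FRAMESET></HTML>"""

if __name__ == "__main__":
    for u in ("http://www.paypal.com@bylink.net", "http://www.paypal.com@3507462243"):
        print(u, "->", actual_host(u))
    print(foreign_frames(PAGE_URL, SAMPLE_HTML))
```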

18.2.2 E-Mail

E-mail, as the name suggests, is a service that enables people to send electronic messages to each other. Provided a message is correctly addressed, it will be delivered through cables and computers to the addressee's personal electronic mailbox. Every e-mail message has a header that contains information about its origin and receipt. It is often possible to track e-mail back to its source and identify the sender using the information in e-mail headers. Even if some information in an e-mail header is forged, it can still contain information that identifies the sender. For example, although the following header was forged to misdirect prying individuals, it still contains information about the sender, ec30@is4.nyu.edu:

    Received: from NYU.EDU by is4.nyu.edu; (5.65v3.2/1.1.8.2/26Mar96-0600PM) id AA08502; Sun, 6 Jul 1997 21:22:35 -0400
    Received: from comet.connix.com by cmcl2.NYU.EDU (5.61/1.34) id AA14047; Sun, 6 Jul 97 21:22:33 -0400
    Received: from tara.eire.gov (ec30@IS4.NYU.EDU [128.122.253.137]) by comet.connix.com (8.8.5/8.8.5) with SMTP id VAA01050 for <eoghan.casey@nyu.edu>; Sun, 6 Jul 1997 21:21:05 -0400 (EDT)
    Date: Sun, 6 Jul 1997 21:21:05 -0400 (EDT)
    Message-Id: <199707070121.VAA01050@comet.connix.com>
    From: fionn@eire.gov
    To: achilles@thessaly.gov
    Subject: Arrangements for Thursday's battle: spears or swords
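Each relay prepends its own Received: line, so the bottom line is the earliest hop and the address in square brackets there was recorded by the receiving relay, not supplied by the sender. The following added example (not code from the book) walks that chain for the header above; the sample message embeds the header as shown with a constructed body.

```python
import email
import re

# Sample input: the forged header reproduced above, with a constructed body.
RAW_MESSAGE = """\
Received: from NYU.EDU by is4.nyu.edu; (5.65v3.2/1.1.8.2/26Mar96-0600PM) id AA08502; Sun, 6 Jul 1997 21:22:35 -0400
Received: from comet.connix.com by cmcl2.NYU.EDU (5.61/1.34) id AA14047; Sun, 6 Jul 97 21:22:33 -0400
Received: from tara.eire.gov (ec30@IS4.NYU.EDU [128.122.253.137]) by comet.connix.com (8.8.5/8.8.5) with SMTP id VAA01050 for <eoghan.casey@nyu.edu>; Sun, 6 Jul 1997 21:21:05 -0400 (EDT)
Date: Sun, 6 Jul 1997 21:21:05 -0400 (EDT)
Message-Id: <199707070121.VAA01050@comet.connix.com>
From: fionn@eire.gov
To: achilles@thessaly.gov
Subject: Arrangements for Thursday's battle: spears or swords

(body omitted)
"""

# "from <claimed name> (<what the relay saw>) by <relay>"
HOP_RE = re.compile(r"from\s+(\S+)\s+(?:\(([^)]*)\)\s+)?by\s+(\S+)", re.I)
# "<ident>@<reverse DNS> [<connecting IP>]" inside the relay's parentheses
SEEN_RE = re.compile(r"(?:(\S+)@)?(\S+)\s+\[([0-9.]+)\]")


def parse_hop(value):
    """Split one Received: value into the sender's claim and the relay's record."""
    m = HOP_RE.search(value)
    if not m:
        return None
    hop = {"claimed": m.group(1), "by": m.group(3).rstrip(";"),
           "ident": None, "rdns": None, "ip": None}
    seen = SEEN_RE.search(m.group(2) or "")
    if seen:
        hop["ident"], hop["rdns"], hop["ip"] = seen.groups()
    return hop


def received_chain(raw):
    """Hops in chronological order: the originating connection comes first."""
    msg = email.message_from_string(raw)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    return list(reversed([h for h in hops if h]))


def origin_hop(raw):
    chain = received_chain(raw)
    return chain[0] if chain else None


def inconsistencies(raw):
    """Points where the sender's claims disagree with what the first relay recorded."""
    msg = email.message_from_string(raw)
    origin = origin_hop(raw)
    notes = []
    if origin is None:
        return notes
    if origin["rdns"] and origin["claimed"].lower() != origin["rdns"].lower():
        notes.append(f"claimed {origin['claimed']} but relay saw "
                     f"{origin['rdns']} [{origin['ip']}]")
    if origin["ident"] and origin["rdns"]:
        actual = f"{origin['ident']}@{origin['rdns']}"
        if msg.get("From", "").lower() != actual.lower():
            notes.append(f"From: {msg.get('From')} but identd reported {actual}")
    return notes


if __name__ == "__main__":
    for hop in received_chain(RAW_MESSAGE):
        print(hop)
    print(inconsistencies(RAW_MESSAGE))
```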

E-mail is one of the most widely used services on the Internet and one of the most important vehicles for criminal activity. It offers a high level of privacy, especially when encryption or anonymous services are used, making it difficult to determine whether e-mail is being used to commit or facilitate a crime. Although an e-mail message can be intercepted at many points along its journey or collected from an individual's computer, personal e-mail is usually protected by strict privacy laws, making it more difficult to obtain than many other forms of digital evidence. Even if investigators can obtain incriminating e-mail, it can be difficult to prove that a specific individual sent a specific message. For instance, an individual can easily claim that he/she did not send the message.

CASE EXAMPLE (CBS 2001):


When Fahad Naseem was initially arrested in connection with the kidnapping and killing of journalist Daniel Pearl, he admitted to sending ransom e-mails using his laptop. The laptop and handwritten versions of the e-mails were found in his possession. However, Naseem later retracted his confession, and his defense attorney claimed that logs from Naseem's ISP indicated that his account was not connected to the Internet at the time the e-mails were sent. To shed further doubt on Naseem's involvement, the defense claimed that the laptop produced in court had a different serial number than the one recorded in police records and that other documentation relating to the computer was inconsistent. For instance, documentation indicated that FBI agent Ronald Joseph was examining the laptop between February 4–7, whereas other documents indicated that the laptop was not seized until February 11. However, the court denied the appeal, offering the following explanation.

The leading of Shaikh Naeem to the recovery of the laptop being used through connection No. 66 from his system as the house of accused Fahad Naseem on 11/02/2002 was provided to [Ronald Joseph] who had examined the same and conducted the forensic examination and formulated his report which was conveyed to the investigation from the Consulate General of the United States of America vide Ex.49/3, on examining the report, he has categorically stated that the Black Soft Computer came with "Proworld" written on the exterior and upon opening the case a Dell Latitude Cpi laptop was found on it. The laptop was identified in the report produced by this witness to be of model PPL with Serial No. of ZH942 and located inside the laptop was an IBM travel star hard driver [sic] which was stated to have been removed from the laptop and viewing the label on the hard drive model, the drive was identified as 4.3 GB of storage capacity and the Model No. was determined by this witness to be OKLA24302 with a serial number of 4/1000N81834 . On examining articles 1 and 2 of Ex 49 compared with the Mushernama recovery of the laptop in juxtaposition with the computer Forensic Examination report and identifying the numbers of the same, there is no doubt whatsoever that this Laptop is the same equipment which was recovered from the possession of accused Fahad Naseem on 11/02/2002. The Forensic Examination report is also ex.49/B. It would be seen that the said report reflects the laptop to have been made available to this witness on 4/02/2002 as suggested by the defense. Availability of the laptop at the American Consulate on 4/02/2002 is not only unnatural but impossible because of the fact that complainant Marianne Pearl had filed the complaint with the police on 4/02/2002 (ex-53/A) at 2345 hours which had in fact set the ball rolling at the hands of the Investigating Agency. (DAWN Group 2002)


18.2.3 Newsgroups

Newsgroups are the online equivalent of public bulletin boards, enabling asynchronous communication that often resembles a discussion. Anyone with Internet access can post a message on these bulletin boards and come back later to see if anyone has replied. Most newsgroups are part of a free, global system called the User's Network (Usenet) that began in 1979.

Because Usenet messages are broadcast to millions of people around the world, it is the perfect medium for individuals to communicate with a huge audience. Criminals use this global forum to exchange information and commit crimes, including defamation, copyright infringement, harassment, stalking, fraud, and solicitation of minors. Also, child pornography and pirated software are advertised and exchanged through Usenet to a limited degree. Offenders subscribe to newsgroups that attract potential victims (e.g. alt.abuse-recovery, alt.teens).

CASE EXAMPLE


Sharon Lopatka was killed by a man she met on the Internet first through Usenet and then in a BDSM channel on IRC. Interestingly, nobody who knew Sharon in person, including her husband, suspected that she was involved in this type of activity or even had such an interest.

    Subject: >>>> Wanna Buy My Worn...Pantyhose...and Panties????
    From: nancyc544@aol.com (NancyC544)
    Date: 1996/05/15
    Message-ID: <4nduca$2j4@newsbf02.news.aol.com>
    Newsgroups: alt.pantyhose
    Organization: America Online, Inc. (1-800-827-6364)
    Reply-To: nancyc544@aol.com (NancyC544)
    Sender: root@newsbf02.news.aol.com

Hi! My name is Nancy. I am 25, have Blonde hair, green eyes am 5'6 and weigh 121. Is anyone out there interested in buying my worn...pantyhose...or....panties? This is not a joke or a wacky internet scam. I am very serious about this. I live in the U.S. but I can ship them anywhere in the world. If you are serious you can e-mail me at: <nancyc544@aol.com>


Like e-mail, Usenet messages have headers containing information about the sender and the journey that the message took. However, the format of the headers in Usenet is slightly different from e-mail. As with e-mail, the header can be modified to make it more difficult to identify the sender. With training and practice, investigators can learn to extract a great deal of information from Usenet.

18.2.4 Synchronous Chat Networks

Live conversations between users on the Internet exist in many formats (e.g. text, audio, video), a huge variety of topics, and take place 24 hours a day. There are many organizations such as AOL and Yahoo that provide large chat areas as well as Instant Messaging programs, and some ISPs have small chat areas for their customers. Additionally, there are more obscure chat areas on the Internet that can be accessed using Telnet (e.g. Multiuser Domains, Telnet Talkers).

One of the largest chat networks is Internet Relay Chat (IRC), started in 1988. IRC can be accessed by anyone on the Internet using free or low-cost software.[5] Because it is not necessary to pay or even register, IRC is effectively anonymous and, therefore, attractive to criminals. IRC is made up of separate networks such as Undernet, DALnet, Efnet, and IRCnet and no single organization controls all of them. Each subnet is simply a server, or combination of servers, run by a different group of people. Although they are all part of IRC, the subnets are physically separate. So, connecting to the Undernet subnet does not give access to chat rooms (a.k.a. channels) on DALnet. IRC allows individuals to create their own, self-titled rooms as shown in Figure 18.1 and some people choose not to have their channels listed, making them more difficult to locate.

CHANNEL NAME | PARTICIPANTS | DESCRIPTION
#0!!!!!!!ltlgirlsexchat | 12 | Sexy and Friendly FANTASY CHAT Channel for YOUNG GIRLS and those that love them!!! No snuff, torture, rape, force, extreme, mom/son channels. No trading, invites, on-joins or spam. 15 minutes between trolling messages. Girls under 20 can type !girl for a plussy.
#0!!!!bifem-dogsex | 13 | Welcome to #0!!!!bifem-dogsex LadyMary's friendly channel! 18+ Only ! We do not approve of rape and pedophile/underage channels - please leave immediately. DO NOT message anyone unless you ask!!!
#cracks | 19 | #cracks is now open. Serial Search !serial program name .New channel format. Absolutely NO files in the channel. This channel is for chat/search only, so it does NOT break Dalnets new AUP. :D
#masterccs | 35 | Welcome In The Official #CC Channel I Trading , Pasting Illegal Informations is NOT Permited ! I We are not responsible of normal users activities ! I EnJoY !!
#mp3cablez | 80 | -=M=P=3=C=A=B=L=E =Z=- Best High Speed Servers On Phazenet New/Pre_Release Movies Classic Rock Box Sets Zipped Albums Karaoke Christian Roms And More Always Open Slots
#192+mp3albums | 127 | www.mp3albums.ca FUCK THE RIAA. To share type !serv <MrStatic> novus, you like sniffing the exercise bike seat?

Figure 18.1: A list of a few IRC chat channels.

There are thousands of chat rooms in operation worldwide on IRC at any given time. Many IRC chat rooms exist to facilitate the discussion of unlawful activities and the exchange of illegal materials. Computer intruders gather in IRC chat channels to share information, ranging from general intrusion techniques to passwords of compromised systems. Child pornographers meet to exchange materials, and IRC has even been used to broadcast live sessions of children being sexually abused. Some channels are plainly visible and some can even be found through search engines on the Web.[6] However, many channels are difficult to find because they are dealing with illegal activity, and may be accessed by invitation only, or protected by a password.

There are chat channels with names like "#carderz" and "#cardz" dedicated to selling stolen credit cards or trading them for equipment, compromised computers, and other items that are considered valuable. For example, Carlos Salgado was convicted of hacking into computer systems, stealing tens of thousands of credit cards, and selling them on IRC using the nickname SMAK. Other channels are dedicated to trading pirated music, videos, and software (a.k.a. warez).

IRC has a direct client connection (DCC) feature that allows two individuals to have a private conversation and exchange files without being seen by anybody. As the name suggests, DCC establishes a direct connection between personal computers, bypassing the IRC network and leaving little or no digital evidence on the IRC servers. Fortunately for digital evidence examiners, remnants of IRC sessions can sometimes be salvaged from unallocated or swap space, as discussed in Part 2 of this text. Also, some offenders keep personal logs of the direct, private communications that they have on IRC. This ability to chat privately and transfer files over a more secure connection is very powerful and can lead to a level of criminal activity that gives meaning to the subnet name Undernet. DCC could be thought of as an underworld of the Internet because it is the least visible part of IRC.

Another feature of IRC, called "fserve" (short for fileserver), enables people to make files on their personal computers available to many other IRC users. Many of the people trading files on IRC (e.g. pornography and pirated software) use this feature. One of the most sophisticated and popular fserves is Panzer.[7]

ICQ ("I seek you") is another large, free chat network that anyone on the Internet can use but, unlike IRC, it has a registration process. After completing a registration form with details like name, e-mail address, and personal interests, each individual is assigned a user identification number (UIN) for the ICQ network. Some people provide identifying information when they register, but many do not, making it more difficult to connect an individual with an ICQ number.

Instead of gathering in chat rooms, most ICQ users seek each other out and jointly agree to have a conversation. While this limits contact with others on the ICQ network, it enables more private conversations than on other chat networks. In this respect, misconduct facilitated by ICQ is more difficult to detect because a third party cannot participate in ICQ conversations unless invited. However, unlike direct chat on IRC, ICQ directs messages through a central system where they can be monitored. Notably, the ICQ network also has asynchronous discussion boards and some chat rooms that can be accessed using a Web browser.[8]

The privacy, immediacy, and impermanence of synchronous chat networks make them particularly conducive to criminal activity. Also, the potential for direct contact with potential victims is appealing to some criminals. For instance, sex offenders can obtain victims immediately, leaving very little digital evidence. Even though chat sessions are not automatically archived or searchable by the public, a surprising amount can be learned from the activities in the millions of online chat rooms. Although it can be a challenge to locate and identify criminals on chat networks, criminals let their guard down, feeling protected by the perceived anonymity, which makes these chat networks useful resources for investigators.

18.2.5 Peer-to-Peer Networks

A host on a peer-to-peer network can simultaneously function as server and client (a.k.a. servent), downloading files from peers while allowing peers to download files from it. The two most popular peer-to-peer networks, KaZaA and Gnutella, use protocols based on HTTP to exchange data. By design, many of these applications have a limited amount of information that can be useful to investigators. When individuals first connect to a peer-to-peer network, they are only required to select a unique username. Although the choice of username may be sufficiently unique to search for related information on the Internet, there is very little to go on other than the IP address.

When a file is being downloaded from a peer, the associated IP address can be viewed using netstat. However, some peer-to-peer clients can be configured to connect through a SOCKS proxy to conceal the peer's actual IP address. While most peer-to-peer systems transfer files using a single connection, a KaZaA peer can download fragments from multiple peers and reassemble them into a complete file. Figure 18.2 shows search results in the KaZaA Media Desktop - the "+" beside an item indicates that it is available from multiple locations and can be downloaded in fragments. Newer peer-to-peer networks like eDonkey are implementing this capability to download pieces of a file from multiple sources. This fragmentation feature does not conceal the sources of the file fragments but does make it more difficult for digital evidence examiners to recover complete files from network traffic. The KaZAlyser[9] utility is useful for extracting information, such as file names, times, and IP addresses, from computers that were used to exchange files via KaZaA.

Figure 18.2: KaZaA Media Desktop (KMD).

KazaA has one feature that can be beneficial from an investigative standpoint - whenever possible it obtains files from peers in the same geographic region. Therefore, if investigators find a system with illegal materials, there is a good chance that it is nearby.

[1]http://www.ietf.org/rfc.html

[2]http://www.kazaa.com

[3]http://copine.ucc.ie

[4]To obfuscate the actual site, some fraudsters do not put the name of the fraudulent server in the misleading link. Instead they use the IP address or decimal equivalent such as <http://www.paypal.com@209.15.160.99> or <http://www.paypal.com@3507462243>

[5]http://www.irchelp.org

[6]http://searchirc.com/

[7]http://www.filetrading.net/irc/fileservers/panzer.htm

[8]http://www.icq.com

[9]http://www.sandersonforensics.co.uk




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003