Transcript
Alex Blackman: So hello, everybody. Good morning and good afternoon, and thank you very much for joining today's webinar on defeating the dark web, where you'll discover the latest web investigation and evidence collection methods. My name is Alex Blackman, head of product marketing for Searchlight Cyber, and I'll be your moderator on today's call. Now, before we get things started, I just wanted to share three quick reminders. Firstly, please ask questions as we go. We will answer those questions at the end, and all question answers will remain anonymous. We will not share your name. Secondly, please, whilst I'm talking, check out the handout section in the webinar, where you'll find your link to download a suspect identification report that demonstrates how one breadcrumb of information can expose a criminal's real-world identity. And lastly, if you enjoyed today's session, please don't keep it to yourself. We'll send a recording to you first thing tomorrow, which you can share with your colleagues, so please do send that around. Follow us on LinkedIn, and sign up to our newsletter as well while you're there. So with that, let's dive in. To kick things off, we have invited one of our experienced public sector sales leads to share with you some of the challenges that he is facing and what he is hearing from cyber investigation teams in your region, so that you can hopefully understand where we can help, where we fit in, and the solution that Searchlight can bring. After that, we'll shed light on how you can uncover criminal activity on the dark and deep web, gather online dark web intelligence, and ultimately bring cyber criminals to real-world justice. Again, we'll make sure there's loads of time for questions at the end, so please share those with me as the session goes. We'll make sure to answer them in the final ten or so minutes. Now, with us on the call today, we're very lucky to have Dr. Gareth Owenson, co-founder and CTO at Searchlight Cyber, not to mention he's also one of the world's leading dark web researchers. In addition to overseeing the direction of Searchlight Cyber's dark web investigative and monitoring capabilities, he also advises government, military and law enforcement agencies on dark web technologies. So in short, you're in for a treat on today's webinar. Joining him, I'm thrilled to also have with us Julian Smith, who is located on the other side of the Atlantic to myself and Gareth, in Northern Virginia, close to our Washington, DC office. So with that, Julian, I'll hand it over to you to share some more of those challenges that you're hearing about and a little bit more about yourself as well.

Julian Smith: Thanks, Alex. Good morning, everyone. It's a pleasure to speak with you today. My name is Julian Smith and I'm a US Army veteran with a background in conducting intelligence, surveillance and reconnaissance missions with drone technology. I worked in security operations assisting the University of Houston Police Department to protect student athletes and school property. Lastly, I built a five-year career in cybersecurity to support government organizations. Next slide. Today I'm here to share some of the challenges I hear from officers trying to follow leads from the digital and physical worlds. On this slide are the three most common themes that military, law enforcement and government organizations are sharing with their teams on both sides of the Atlantic: outdated tools to track criminals on the dark web, the legal complexity of tracking criminals across different jurisdictions, and then there's the simple challenge of, once you have the intelligence, how can you share it? I could talk at length about these challenges, but I've been instructed by Alex not to pitch Searchlight Cyber on this call.
So with that, before I hand it over to Gareth, I wanted to share two other examples of challenges that feed nicely into what Gareth will present. Next slide. The two most common challenges that I'm hearing from law enforcement groups across the country would be awareness and manpower. Criminals have adapted by moving their activities to the dark web. The clandestine nature of this network and the lack of knowledge surrounding it has left many law enforcement agencies unaware of its existence and of the potential for it to generate criminal activities in their jurisdictions. Criminals frequently trade information on how to bypass law enforcement detection methods. Investigators from different departments, such as cybercrime, narcotics or organized crime, must work together to identify links between different criminal activities and uncover networks of criminal organizations that operate on the dark web. Having a solution to identify rapid changes in the dark web will be key to reducing the burden that investigation teams go through to monitor and investigate illegal activities. It requires a lot of skilled personnel to handle the volume of illegal activity taking place. Traditional investigation methods are not enough, and it takes years of training and experience to become proficient in dark web investigations. Therefore, many law enforcement agencies are using technology to help them overcome the challenge of manpower constraints. Cerberus is a solution that collects data in real time from the dark web, with a historical database spanning over two decades. It can help law enforcement agencies investigate illicit activities and manage their cases more efficiently. It also provides real-time updates and analysis to assist investigators in identifying suspects and collecting evidence. This can lead to more successful prosecutions and improved public safety. The collected evidence can also be shared with different departments and other law enforcement agencies at the state, local and federal level. Now, during a recent discussion with a small law enforcement investigative team, it became apparent that they were having challenges in bringing down an illegal fentanyl drug ring responsible for numerous overdose deaths within their local community. Already hindered by a limited budget and staffing shortages, the team found themselves ill-prepared to address the issue. Throughout our conversation, it emerged that the investigators were unaware of the criminals' use of the dark web to source and acquire materials for drug production. We introduced the Cerberus solution to the team and provided them with a trial, empowering them with the knowledge and skills required to securely navigate the dark web. This enabled the team to pinpoint key individuals and trace suspicious activities connected to the fentanyl drug ring. Armed with the collected evidence, the team successfully apprehended several of the ring's central players. Cerberus ultimately transformed a small, resource-strapped team, previously uninformed about the dark web's role in the threat landscape, into an organization capable of effectively combating the illegal drug market in the city. With that, I'll pass it over to Gareth.

Gareth Owenson: Thanks very much, Julian. Thank you, everyone, for attending the webinar. As Alex said, my name is Gareth Owenson. I'm the co-founder of Searchlight, but before Searchlight I was an academic working in darknet research for almost 10 to 15 years. What became apparent to me during the mid-2010s, around 2015, was that law enforcement were really struggling to apprehend and investigate crimes taking place in the dark web. Yet there was a wealth of knowledge in the scientific literature and in the team that I was in that could help law enforcement identify and apprehend people quickly using technical techniques.
And so around 2017, that's the reason we set up Searchlight: to bring these tools and capabilities to law enforcement and help them rapidly accelerate their investigations and ultimately put these guys behind bars, the guys that thought they could act with impunity in this particular space. Now, in this talk, I'm going to talk to you about some of the background around dark webs, where they came from and the different types of dark webs. I will also talk to you about the types of content and material that you'll find on the dark web and how they evolve over time. And then towards the latter third of the talk, we'll go through some of the investigative techniques which you can use to identify suspects in the dark web, from low-tech techniques through to the more high-tech advanced techniques. So if I just take you on one more slide, I'll just show you our Cerberus platform in case you're not a customer of ours. Cerberus is a tool built with and for law enforcement investigators investigating crime taking place on the dark web. In essence, we go into all of these criminal places, we hoover up all that data, we store it and enrich it, and then we provide you a nice, user-friendly front end to query and explore that data, so you can pivot on actors and on activity that's taking place and quickly get to identifying information for a particular actor. And I'll show you a case later in the talk where you can very quickly go from a username to a number of identifiers which could be used to identify that particular actor. The platform is designed for multiple different types of teams, from the child exploitation teams through to drugs, cryptocurrency-type scams and ransomware groups, any kind of crime that you find on the dark web or in deep web closed forums. That's really where the tool set that we're offering helps you move ahead with your investigation much, much more quickly.
And as I say, I'll show you an example later where you can very quickly go from a username to identifiers within a matter of tens of seconds of starting your investigation. Now, at the start of the talk, on the next couple of slides, I'm going to go through the different types of dark webs and where dark webs or darknets came from, and then we'll move on into those investigative use cases. So most of you will probably be familiar with the Tor dark web. There are in fact many dark webs, of which Tor is only one. And you'll normally be familiar with them because you open a web browser and you put a long string of random-looking characters into your address bar ending in .onion or .i2p, and up comes a 1990s-era-looking website which you can interact with and buy your drugs and so on and so forth. Now, let's say Tor is the main one. Typically those addresses end in .onion. I2P has had a bit of a boost in popularity in the last year or so; those addresses end in .i2p. And there are many other darknets, all with different suffixes for visiting these sites. But generally you need the software for the particular darknet to access those sites. Now, all of these darknets work on similar sorts of principles in the way in which they function internally. And really the goal is to obfuscate the location of the user and also obfuscate the location of where any darknet sites are being hosted, so that it makes it difficult for law enforcement officers to identify who and where they are. Now, all dark webs, or pretty much all dark webs, are based on a technology called mix nets, going back to the late 1980s. The idea behind the technology is that you want to stop an adversary who can monitor network traffic from seeing what you're doing, where you're coming from and where you're going to.
And one way to obfuscate that information is to take your traffic and bounce it through a number of relays around the world, often in different jurisdictions, so that no one jurisdiction could get visibility into all of them. But as well as bouncing your traffic around the world, it's also to mix your traffic with other people's, so you end up with a pipe through which lots of people's traffic is traveling. And so if you can only observe the flow through the pipe, you can't distinguish those individual users. So if we take the example on the screen here: on the left-hand side you've got a user called A, and then the boxes represent relays in different places in the world. Traffic comes in and then bounces through a number of relays in different parts of the world, and as it bounces through those relays, it gets mixed with other people's traffic. So anyone inspecting the communication between those two different relays can only see the sum total of communication amongst all of the users traveling down that pipe, but not be able to split out those individual users. And so any adversary inspecting at the beginning, where you're connecting into the network, can simply see that you're connecting to the dark web but can't see what you're doing. If you inspect a pipe halfway along, you can just see a pipe with lots of traffic flowing down it, but it's actually the sum of multiple users. And then towards the exit, the last hop in the dark web when it comes out to, say, a darknet site, for example, you can see which site they're going to, but you don't know which user it is that is accessing that site. Now, one of the goals behind dark webs was to prevent, as I said, network inspection and people observing network traffic to understand what's going on. You may often see it being marketed as a technology to prevent the likes of the NSA understanding where people's traffic is coming to or from.
But darknets in fact do not protect against that use case, because it's possible to do some complex correlation of traffic coming into the network and coming out and ultimately link the two pieces of traffic together: we've seen this traffic at this time, this size, and we see it at another place in the network at this time and this size, so the two are likely to be related. So despite what you may see from the Tor Project and the likes of other types of darknets, they do not protect against a global adversary like the NSA, although they do certainly make it more difficult for them. But it doesn't provide an absolute shield against them spying on your activity. Now, mix nets. There's an interesting concept called onion routing, which is embedded typically now in mix nets, and was invented back in the late 1980s. Now, normally when you want to route your traffic through one of these networks, you pick the path that you want to go. So if you're going to bounce it through three relays, you would pick those three relays before you started sending the traffic, and then you would encode in your traffic, using something called source routing, the path which you would like the traffic to go. Now, if you do source routing on the traditional Internet, the path which it takes is not encrypted in any way and everyone can see the path which the traffic takes. But in a mix net, that path is encrypted with several layers, so that the relay which the traffic is currently going through can only decrypt the next step which that traffic needs to be sent to. So it never gets the full view of the path which the traffic has taken through the network. If anyone could get the full view of the path which the traffic has taken through the network, they could potentially get control of those three relays and then piece together who is accessing which site.
So perhaps the most famous darknet, and probably the one many of you are focused on, is called Tor. Tor is by far the most popular at the moment, primarily because it's easy to use and they make it easy to use, and that's why it's gained a great deal of popularity. Tor is based on the same technology which we just talked about, a so-called mix net. And again, as a user comes into the network, it routes your traffic through three intermediate relays, often based in different parts of the world, and then comes out to the website which you wish to access. So in this case, if you've got a user on the left-hand side trying to go to The New York Times, its traffic would bounce through several relays and come out to The New York Times at the end. If you could inspect the traffic leaving the exit relay, you'd be able to see that a user is going to The New York Times but not know who they are. And if you could inspect the traffic coming into the first relay, the so-called guard, you could see that the user is accessing Tor, but you couldn't see what in fact it is that they are doing. Of course, all of those things break down if you have an adversary who can see traffic all over the world, but that's often not the case for law enforcement. Now, the Tor darknet is an extension of this. Instead of having three hops, you have six hops, and there's a little dance which both the darknet site and the user go through to essentially find a way to communicate with each other without revealing each other's identity. So in the case of a user going to a darknet website, the user doesn't know where the darknet site is being hosted and the darknet site doesn't know where the user is. And it's this dance which Tor goes through that really enables those two parties to communicate together without revealing each other's identity. But it's built on this multi-hop nature of these networks bouncing traffic around.
You may have also seen, as I say, in the last year or so, 18 months, a darknet popping up called I2P. I2P has actually been around as long as Tor, if not a little bit longer. It's based on the same concept as Tor, around this mix net, again with onion-based routing, but it's not had the same popularity which Tor has had, probably because it's a little bit clunky to use and Tor have really focused on making it easy to use. You know, if you want to use Tor, you just download the Tor Browser and it just works. That's not currently the case with I2P. It's a little bit more complicated than that, but once you get it set up, it works, and it works in a similar way. Obviously the protocols are slightly different, but at a conceptual level it's more or less working in the same way. Now, one of the beauties about I2P is that it hasn't had as much scientific scrutiny as Tor. In fact, it's had very little scientific scrutiny, and there are many attacks which we know about which can be used on the Tor network to identify individuals, users and sites. Many of those attacks are likely to be applicable to I2P and in fact be much easier to deploy on something like I2P, because it has had so little scrutiny when compared with the other darknets. So we've seen some darknet actors in the last 18 months or so, particularly some of the drugs marketplaces which are getting constantly DDoS attacked, and obviously if the site goes down, they can't make any money. So they've been looking at moving their sites to I2P. In my view, that's a foolish thing. It's great for us, but it's a foolish thing for them to do, simply because I2P is less secure than Tor because of that lack of scrutiny which Tor has had. So it may be a transient thing, this sort of shift to I2P. I'd be surprised if we see over the next few years a significant shift to I2P.
I think it's just one or two sites at the moment, and it will probably at some point revert back to Tor, as is often the case. The other darknet which we've seen pop up recently is ZeroNet. ZeroNet is built on top of the Bitcoin... sorry, the BitTorrent protocol, which ultimately is a file sharing protocol. It's kind of like the successor to Napster, if you remember Napster. Now, if you were to share a movie on BitTorrent, for example, often your movie is broken up into chunks. When you first connect to the network, you start sharing those chunks with other people in the network. And eventually, once enough people in the network have copies of that file, you can leave the network and people can still download the file, because there are enough people hosting those chunks of those files. Now, ZeroNet, as I say, is built on that protocol, so the same sort of principle applies. People publish a darknet site, which is essentially a file, a package file of the site itself. And when they first connect to the network, they start sharing chunks of that file with other people within the network. And then once those chunks have been shared, the site then becomes available even when that original poster leaves the network. So there is a small window of opportunity with ZeroNet publishers where you can potentially identify the publisher of the site when they first start sharing it. Obviously, once they've finished sharing it, it's being shared by other people, and those are not the original publishers of those sites anymore. So ZeroNet in many ways is a weak darknet as far as providing guarantees around anonymity and privacy, particularly around the hosts and the visitors to these sites. Now, we're going to focus primarily on Tor, simply because it's the biggest dark web. Perhaps as criminal investigators, you know, Tor is used by quite a lot of criminal actors, but that's not the way in which it's marketed.
If you look at the Tor Project website, they say that the Tor software is used for lots of good uses. It's about fighting censorship amongst repressive regimes and stopping activists being arrested in dodgy countries, and sure, there is an element of that. But it's a very tiny percentage of users that use the Tor darknet for that. The bulk, and there's certainly scientific consensus on this, the bulk of users of the Tor network are engaged in criminal activity. So, you know, the sale of drugs, child exploitation material, cybercrime-based activities and so on and so forth. Perhaps the most famous user, though, of Tor is Edward Snowden, the chap who leaked from the NSA all of those classified documents on the types of spying activity which they were engaged in. Tor touts this as a really good use case for Tor, but as I said, the Tor darknet does not protect you against the NSA. It's not designed to, and it certainly doesn't give you any guarantees when you're facing that kind of powerful adversary who is able to investigate you. Now, in terms of size, if you've been around a couple of years, you will know there are two types of onions on the Tor darknet. There's the short onions, which are just 16 characters long, and then there are the longer onions, which are now 56 characters long. The v2 onions, the shorter ones, have been phased out over the last couple of years and replaced with the longer v3 onions. The longer v3 onions give you slightly more security, not in a meaningful way; they really cover some edge cases around how the old onions were designed. But the main thing that users really see is that the onions are much longer than they used to be. Now, in terms of how big is the dark web, well, the Tor Project publishes metrics on the number of onions which are available in any 24-hour period. And on average, it's between half a million and a million darknet onions.
But this is really an incomplete picture as to how many onions there are, because this is a cumulative count over a 24-hour period, and when someone brings up an onion, they don't necessarily leave it online for 24 hours. Many onions start up and are gone within the hour, and so that massively inflates the count of onions which appear to be available on this graph. You know, you can open the Tor Browser and visit half a million individual sites, and many of those sites won't be hosting web content. They'll be hosting other types of content, which is not accessible through the likes of the Tor Browser. So actually the darknet is much smaller than it looks in this picture. A few years ago we did a study looking at what actually happens to onions over time and how the whole darknet evolves, and what we found is that when you look at an onion which has just been launched, more than half of them are gone within 24 hours. Likely that's people spinning up onions to try them out, or the likes of botnets spinning up temporary onion addresses that are only available for a short period of time and then destroyed. And so that vastly inflates those counts of onions. The darknet is much, much smaller than it first appears. Also, if you look at the graph on the right-hand side here, the bottom axis is time, and each of the individual rows represents an individual onion darknet site. So for every unit of time along that particular line, black means the site was offline and white means the site was online for that unit of time. And what you see is the vast majority of onions disappear very, very quickly after being first launched. Some, a very tiny percentage, stay online for the full observation period, and then lots more come and go as time goes on.
And in fact, we've seen criminal sites which perhaps are only available on a Wednesday afternoon between 2:00 and 5:00, and all of the people who use that site know it's available at that particular time, and so they come on. And if you try to visit outside that time, the site will appear to be offline or nonexistent and you won't be able to visit it. So all of these factors vastly inflate the apparent size of the Tor darknet in total. Now, as I said earlier, there's the so-called dark web, which is onions which host a web-based site, and then there are onions which host non-web-based sites. And the sum total of those two is really the darknet. If you look at the dark web, which is the most widely studied because it is the easiest part of the dark web to study, the vast majority of the sites are criminally orientated in some way. They're either engaged in scams or drugs, cybercrime activity and all of the traditional things you would expect to see, you know, on the dark web. When you look at the onions which don't host a web-based site, they are hosting things like chat and email, remote access to servers, like, you know, accessing servers behind firewalls, for example. And then we also see Bitcoin clients using Tor to try and obfuscate their IP address. ZeroNet often uses Tor as well to try and hide people's IP addresses, because ZeroNet doesn't give you that anonymity as well. And then we also see botnets, bots within those botnets spinning up onion addresses so the administrator can access an individual bot as part of that botnet. Now, unfortunately, the non-web-based part of the darknet is not that well studied, because it's actually quite difficult to do because of the different types of services which are available and the diversity of them. You'd have to program, you know, a way of classifying them all. And so just because of the challenges around that, not a lot of people have looked at those.
My suspicion, having looked at them sort of anecdotally, is that fewer of them are criminally orientated than on the web-based portion of darknet sites. As we said in the last slide, half of sites disappear within the first day, and only around 15% of onions which are launched appear to last for a long time, that is, six months or more. And if you think about it, you know, the popular sites are the ones which are going to be around for a long time. If you launch a site for a short period of time, then you're not going to generate a good user base, a critical mass of users to access that site. And then finally, you know, many of these onions, as I say, tend to be associated with botnets, and botnets end up spinning up large numbers of onions, which, you know, greatly inflates the number of apparent onions in the Tor dark web. So we're going to look next at how you go about identifying users and how you go about identifying sites on the darknet when you're doing investigations. We're going to go through a bunch of techniques of varying complexity, up to the much more advanced techniques which you could use. Now, all of the techniques which I'm going to talk about are available in the public domain. None of it's going to be secret. Some of them relate to real investigations which have since seen the light of day in either the press or in the courts. And I'll be showing you some snippets also from some witness statements, some affidavits in the US, where some of the more advanced techniques have been used. Now, normally there are two challenges on the dark web. The first is to identify where the site is hosted, and then secondarily to identify where the users are located. And often it happens in those two steps. Now, you know, let's say you take down a drug marketplace. Great, you get the admins behind that site who are raking in the money.
But what about the vendors who are selling fentanyl and the other stuff which is actually killing people, potentially committing more serious crime than the people who are running the site? So just getting the site on its own often is not enough, because there are more serious actors engaged in activity on some of these sites. Now, how do you go about identifying where the server's located? There's really like a Swiss Army knife group of tools which can be used to identify where the site's being located. I'm going to give you the higher-level ones rather than perhaps the more obvious ones. If you were to follow a tutorial online about setting up a darknet site, very likely that tutorial will talk you through setting up a site in a way which leaks the IP address of where that site is located. For example, if you set up a website with Tor and Apache, which is a web server, Apache in its default configuration leaks information about where the server is located, and you can access that through Tor very easily and potentially very quickly locate where that server is being located. And that's because people blindly follow these tutorials, and in fact probably that's a little bit of an unfair statement. You know, they follow these tutorials, but there are actually some nuances in the way that Tor and Apache and some of the other tools interact which can lead to IP address leaks. Many tools like Apache, for example, are not designed for anonymity, so when you combine them with an anonymity tool, they don't necessarily keep that anonymity, because they weren't designed for it in the first place. The other thing we've seen is information leaks. So we've seen some darknet market actors, for example, who might have a test server where they spin up a darknet site while they're developing it on a server, and often they'll expose that to the Internet thinking no one will find it.
But there are plenty of people scanning the Internet, and they do pick up these sites, often either before they get launched or while they're in active development, while their sites are launched. And if that's the case, you end up identifying a true server on the Internet which you can access without going through the dark web. So it gives you something which you can get your hands on, actually go to the data center and seize that server. The other thing we've seen is darknet actors doing development work and then pushing the darknet site, pushing the drug marketplace, onto a darknet site and leaving in IP addresses for test servers that are associated with their development, which of course, again, gives you a real-world identifier where you can physically go and put your hands on a server. Now, the other bread and butter for policing, of course, is social engineering and engaging with actors with undercovers. Generally, law enforcement have had quite a bit of success with those approaches on the dark web; certainly in longer-term investigations they've had greater success with those. But it's not always a foolproof way to identify someone, particularly where you have someone who's a bit more paranoid and follows the, you know, the tradecraft properly when engaged in this space. And then finally, the Tor software and the Tor Browser, which is Firefox. You know, they have bugs in them just like any other piece of software. It's practically impossible to write a piece of software without a bug in it. And these bugs can be exploited by the likes of law enforcement to identify either servers or individuals that are accessing Tor sites. And I'll show you some examples where this has been the case and where law enforcement have actually used these in real-world cases. Some of the complications around these techniques: often you see actors putting out misinformation about who they are.
And most importantly, that ends up consuming law enforcement time more than anything else and delays the arrest of that individual while law enforcement are sent down a rabbit hole. As I said earlier, getting the site doesn't necessarily get the users. And then finally, there's a proportionality issue. If you're going to deploy technical attacks against the site to perhaps identify users en masse, not every user visiting that site is necessarily engaged in criminal activity. Just because someone's coming to a drug marketplace site, depending on your jurisdiction, of course, doesn't mean they're engaged in criminal activity. There may be journalists. There may be researchers that are going to those sites. And so targeting them when they're not engaged in criminal activity is undesirable. So there's a proportionality aspect to some of the stuff which we're going to talk about, where you can tune them to be much more targeted and go after just the wrongdoers with a little bit of thought.

So the first one is just a simple OpSec failure. I'm going to give you an example of an actor where that actor leaks information about who they are, and how you can quickly find that using our service investigation tool. So the actor's username is shown here at the top, and you can put this into our tool and immediately it will show you all of the places where we see this username being used. So you can see it being used on Dread, the drug-based darknet forum site, as well as a bunch of other sites engaged in typically criminal activity. If we go into one of these profiles, then the service tool will show you a timeline of their activity: when they first started posting, when they last posted, as well as the types of activity which they're engaged in.
But we will also scan all of their posts, all of their messages, looking for personally identifiable information, what we call OSINT, but which are really selectors or PII or identifiers associated with that actor. So in this case, if we go simply to the tag, we can immediately see a Telegram identifier as well as a key fingerprint, which can be used to link them across sites. So often you see actors creating keys and then reusing them from site to site, sometimes under different usernames. And because these keys are unique, it uniquely identifies one actor on one site to the actor on another site and ties their activity together with 100% certainty. If we dig in a little bit more and look at that key, we can see that when they created that key they actually included a Gmail address. This is a bit of an OpSec failure on their part. Again, a technical failure on their part. They didn't realize that you could, in fact, omit this from the key, and so you don't have to have an email address within the key. And then just from doing these simple bits of investigation in the service tool, you end up with a picture that looks like this. Here's our username across a bunch of different sites. We've identified several different email addresses that are on the clear web. And so these are places where you can go with a warrant to get the IP address which these accounts were created with. We also got a Wickr address and two Telegram addresses associated with that user. Again, stronger links off the dark web that could be used to identify them. And perhaps it's no surprise to learn that this dark web actor was arrested not long after, given these failures. So all of this information is compiled within a couple of minutes of going into the service tool and looking at the particular actor.
So let's look at some more advanced techniques for doing investigations, perhaps where the user doesn't leak any information about who they are. So the mechanism which we've seen to be quite popular, and again, this is very much in the public domain, is following Bitcoin transactions. Bitcoin, despite perhaps anecdotes and reputation amongst the criminal community, is not anonymous. In fact, it's quite the opposite, right? Bitcoin is based on the idea that there is a public ledger of all transactions and every single person can see it. But what many people assume is that just because you have a long Bitcoin address, you know, you've got this long random-looking Bitcoin address, it's difficult to tie that back to a person. In fact, that's not the case. Just like in traditional criminal investigations, following the money often leads you to the suspect. And that's very much the case with something like Bitcoin, because you may have Bitcoin money that you've got from selling drugs online, but at some point you're going to want to turn that into US dollars and buy yourself your Lamborghini, because I doubt the dealer is going to accept payment in Bitcoin. And that's where crypto exchanges come in; much like foreign currency exchanges, they will turn your Bitcoin into hard cash in a currency of your choice. So because the Bitcoin ledger is public, we can follow that flow of transactions until the money hits a crypto exchange, and then we can serve the crypto exchange with a warrant saying, you know, who set up this account? And rather helpfully, in the last few years most crypto exchanges now comply with Know Your Customer, and that means they've got copies of the person's passport, address or driving license and so on, and they can give you copies of those, which then very quickly lead you back to a true individual.

So one of the defenses, which perhaps the more clued-up criminals have worked out, is to use something called a mixer. This is kind of like old-fashioned money laundering where you're mixing people's money together, but instead it's happening with Bitcoin. So rather than sending your money directly to the Bitcoin exchange, what you do is you send it to a mixer and it gets mixed with lots of other people's money and then spat out the other side in a way which makes it more challenging to track the money through that mixer back to the individual. But the reality is I'm only aware of one mixer which is known to be provably secure. For the rest, it's somewhat trivial to follow the flow of money through that mixer. And so whilst the criminals think it gives them a great advantage, and it certainly adds a bit more work in the investigation, it doesn't stop the investigation outright, because we can still identify those individuals in the vast majority of cases.

Now, the next approach I'm going to talk to you about is around some of those vulnerabilities in the Tor software which I talked about. And this is getting really into the more advanced techniques which you can deploy. The Tor Browser is based on Firefox. It is a modified version of the Firefox browser. The Firefox browser has the worst security reputation of all of the browsers that are out there, yet the Tor Project chose to use it as their primary browser. Shown in the top left here is just what I pulled out just yesterday from Firefox's website on vulnerabilities in the Firefox browser, and here are two extremely critical bugs in Firefox which could be used to run code on the user's computer. Now that code can do anything that the user can do on that computer: watch them through the camera, listen on their microphone, contact a law enforcement server and flag up that IP address.
Any of these things are possible if you can run code on the user's computer. Now, so bad is Firefox from a security point of view that there's an annual competition called Pwn2Own, where you get security researchers competing to find critical bugs in web browsers, and they find them in all of the browsers each year. But in 2016, Firefox got banned from the competition because, quote, it was too easy to find these high-severity bugs inside the Firefox browser. And little has changed. As I say, these were pulled out of the Firefox vulnerability report just yesterday, and they are the most serious vulnerabilities that you could have in this space. Now, as I say, if you can run code on the user's computer, then it's basically game over for that individual actor. And I'm going to walk you through a case where this has actually been deployed in a real-life investigation, again, very much in the public domain now.

So the way this works is like this. You have a user who goes to a darknet website, a drugs marketplace, for example, but they go through the Tor network. So the darknet site and the user are anonymous to each other. The first step which needs to happen is that law enforcement needs to identify where that site is hosted. Once they have control of the server where that darknet site is hosted, they can modify the web pages which are hosted on that server, and you can insert code into those web pages which gets served up back to the user. This is what we call the exploit, and the exploit basically takes advantage of that bug in the user's browser to run code which can do whatever the law enforcement agency want to do once that vulnerability succeeds. And a typical case is that we'll modify the pages, put some code into them, the user will come to the darknet site, they'll get served up the code which exploits the vulnerability, and that will run on that computer.
And that code will contact a law enforcement server and go, hey, here I am, here's my IP address and all my identifying information, so that it makes a law enforcement investigation easy. Now, it's not just law enforcement doing these types of attack. You'll have seen the likes of NSO Group doing it on mobile phones and Apple phones and selling to, you know, dodgy governments engaged in human rights abuses. These types of attacks are well known and have been for quite a long time, but are now being weaponized by governments and law enforcement to actually accelerate investigations.

So I want to show you an actual real-world application of this type of vulnerability. So this was a few years ago now, and I believe it was on a child exploitation site. If you were to go to the site, right-click on the page and click View Source, you'd see this top box here with this code. This JavaScript code runs in the browser to give you an interactive experience, typically on a website. In this case, the code is somewhat hard to read, and that's because it's been run through something called an obfuscator. An obfuscator takes the names of some of these variables here, which normally would have sensible names like username or password or email address, etcetera, which describe what's being stored in them. In this case they've been renamed var 29 and var 17 and so on. And that's been done by this obfuscation tool, which is basically designed to try and hide the true purpose of the code and make it harder for someone else looking at the code. So the mere presence of this type of obfuscated code used to be a big warning sign that something dodgy was going on. More recently we see people using it for copyright protection and stuff like that, so it's perhaps less so now.
But the interesting thing about this snippet of code is that the very first variable has not been renamed. It's been called Magneto. Now, if they'd run this code through an obfuscator, that variable would have been renamed. So I think the guys that wrote this deliberately left that name inside the code. Now that variable stores what's called the shellcode. This is the code which runs on the user's computer when the vulnerability exploitation succeeds; it's the stuff that actually does the important bit after we've taken advantage of the vulnerability. So in this case, the variable is called Magneto, and I think this is a reference to the X-Men. I think the authors of this particular exploit knew that they were going to get discovered, or knew they had a high likelihood of being discovered, and they left a bit of a calling card in the code, sort of like an "I was here" type thing. Obviously it doesn't identify truly who they are, but they definitely deliberately left this in there.

Now, the first question when you see this sort of code is, well, what does it do? Now, everything in that Magneto variable is what gets run on the user's computer. Now, that is raw instructions that get run by the CPU. So you can take this out and run it through something called a disassembler, and it gives you more intelligible code, shown in the bottom left-hand corner here, which explains what's going on. But again, you need to be skilled in reverse engineering to be able to pick apart this code and understand what's going on. But there is very much a sequence, a method, in which you take this code apart and really understand what it's doing, and it doesn't take long. I think this took me about 40 minutes to go through this entire code and comment it and leave labels as to exactly what was going on. So in this particular box, on the left-hand side, this code is connecting to a server somewhere else.
And then of course, the first question is, well, which server is it connecting to? Well, that's shown in the bottom right-hand corner here. The last four numbers are the IP address, and just above the IP address is the port which this particular code is connecting to. And of course, you can look up the IP address, and you find it's based in Washington DC, not far from a very famous law enforcement agency with certainly the resources to perform this type of attack.

Now, it's all very well connecting to a law enforcement server. By connecting to the law enforcement server, it gives up the user's IP address, the true IP address, because this code is not connecting through Tor. It's running on that computer, connecting directly to the law enforcement server. So we get that true IP address. But that's not enough, really. You need a little bit more. So what I did was I took this code and I modified it to connect to one of our servers. And then we just ran the code and we saw what the code sends to one of our servers. And this is what it looks like. So shown in the black box here is actually a web request. That's what your browser would normally send to a website, but it's being constructed by this code which is being run on the user's computer, and there are a number of parts to it. First of all, it's requesting a page, this slash followed by a sequence of random-looking characters. This is a unique ID which ties the user specifically to a single visit to the site. And then under the hostname is shown the user's computer name. So that's if you go into, you know, My Computer on Windows and settings and set your computer name, that's what would appear here. And then under the cookie, this long sequence of hex digits is in fact the user's MAC address for their network card. So it's a unique identifier for that network card inside that computer.
Now, if you think about it, you've got all of those pieces of information plus the user's true IP address now. So if you're doing your investigation, you're going to go to the ISP with the IP address, say get the subscriber information for it, and then you're going to go and pay them a visit. But let's say you get to the address and there are 20 people living there and they've all got laptops. Which one of them is the suspect? Well, you've got the computer name and you've got the individual MAC address for that computer. So even at that address, because they're all coming from the same IP address, you can pinpoint a particular laptop or device within that address which was the one which was accessing that site. And then combine that with the unique ID at the top: you get the web server logs from the criminal site and you know exactly what that actor was doing on that site at that particular time. So it ties up really nicely for criminal prosecution later, where you've got all of the evidence: that laptop in the person's hand, as well as their IP address and what activity they're engaged in on the site. And then shown on the right-hand side here is actually from an affidavit in the US describing the use of this technique and the information which is sent to the law enforcement servers. These types of exploitations are typically called network investigative techniques, but in essence good old-fashioned computer hacking is what these NITs are, just used by a law enforcement agency.

So these types of approaches are very much at the higher end. To find those vulnerabilities in Firefox, there's really two approaches. Actually, there's three, but two primary ones. The first one is that you monitor the Firefox vulnerability list. When a vulnerability is published, you quickly repurpose it for a law enforcement case and deploy it before they have time to patch the Tor Browser.
And that's what was done in this case. Or you buy on a marketplace. The vulnerability typically costs, you know, $1 million for this type of vulnerability, and then it's not publicly known about and you can use it. And as long as you're not going to get discovered, you could potentially use it again and again. If you think about it, on some sites you might identify maybe 50,000 users. If you think about that, it may sound like a lot of money, $1 million. But when you're getting 50,000 users, actually it's not costing you a great deal of money at all on a per-user basis to put someone behind bars. You certainly get a firehose of results with which you can deliver real impact, where you put lots of people behind bars. Okay. So with that, I think I'm happy to take any questions.
Alex Blackman: Brilliant. Thank you very much, Gareth. So we've had a few questions pop through. There's still time to put yours in there if you would like as well. But the first one I just wanted to put to you, Gareth, was kind of relating back to Firefox. So if Firefox is the browser with the most vulnerabilities, what's the other end of the spectrum? And maybe we could mention Stealth Browser at this stage as well.
Gareth Owenson: Yeah, absolutely. Sure. So I'd say Firefox has got the worst reputation as far as security is concerned. And that's not to say that the other browsers don't have vulnerabilities in them. They absolutely do. Chrome, in my view, has the best security track record and is the hardest browser to exploit. That's because they built in a layered approach to defending against these types of bugs. So even if you find the bug and can run some code on the user's computer, first of all, there's a sort of an internal firewall where that code can only do certain things. So then you've got to find a bug in the firewall before you can do anything useful.
So you end up having to chain bugs together, and that drastically increases the difficulty of doing these types of approaches. But they do exist, and we see several a year of those types of vulnerabilities that can be chained together to deploy that. Now, obviously, for law enforcement agencies, one of your worries will be visiting one of these sites and having one of these vulnerabilities deployed against you. So in the service tool, we have something called the Stealth Browser, which is a remote browser which runs inside a virtual machine on our infrastructure, and you get a remote desktop interface to access that virtual machine. So you can do whatever you like in that virtual machine. Even if one of these exploits gets deployed against you, it's not going to identify you, the law enforcement agency. And then when you've finished your session, the virtual machine gets wiped. So even if you downloaded some malware or something along those lines, it's not going to affect you personally. So it gives you a safe way to access the dark web without risking, you know, police infrastructure, for example.
Alex Blackman: Brilliant. Thank you. And somewhat related, I would say, this question is for Julian, please: how do you source your data? So, Julian, are you there?
Julian Smith: Sure. Can you hear me?
Speaker5: Yes.
Julian Smith: Yes. Searchlight Cyber actually gathers its data from different sources on the deep and dark web, including underground forums, marketplaces and encrypted chats, using a combination of automated and manual techniques. We actually have a threat intelligence team with extensive experience in law enforcement, cybercrime and the military. And they also utilize advanced tools, such as our cutting-edge web crawlers and natural language processing, to extract context-rich information from the collected data. All data that's collected is actually in accordance with US, UK and European laws.
Alex Blackman: Brilliant. Thank you very much. So, Gareth, this one back to you. I don't know how much you've already shared; you've shared a lot. But the question is: is Searchlight already in use by law enforcement agencies?
Gareth Owenson: I'm not about to tell you who the product is in use by, but what I can tell you is that the service product has been built in partnership with law enforcement agencies over the last six years. So the feature set that's in there has been very much tailored to law enforcement use cases and law enforcement investigators.
Alex Blackman: Great. Thank you very much. And I think that that's almost everything. So there's one last question here, unless something pops through in a moment. We are running to time, which is excellent. So, Julian, this one back to you, and Gareth as well: I guess, are either of you going to be at any shows soon to meet in person?
Julian Smith: Yes. I'll actually be attending the upcoming tech event on the 22nd in Salt Lake City. We also have a dark web book that we just published that will actually give you more details about our solutions. Feel free to contact me directly via the website or our LinkedIn.
Gareth Owenson: Yeah, I don't have anything in the pipeline, but it's best to reach out to Julian.
Alex Blackman: Sounds good. And actually, if you missed that earlier, if you Google Julian and Searchlight Cyber, he is the first result. I checked it before the webinar, so please do connect with him. But otherwise, if that's everything for now, if you do have other questions, again, please connect with Julian. Please find us via the Contact Us on our website. But all that's left for me to do then is to thank you again for joining. I hope you found that really insightful. I know I certainly did, about how public sector organizations around the world are using Searchlight. Thank you very much, Gareth, for those examples, and Julian for your stories as well from the field. If you would like more information, you know where to find us. But all that's left otherwise is to say thank you very much, and I hope to see you on another webinar soon.