When cybercriminals do not make an effort to conceal their nefarious activities, law enforcement can obtain information for investigations from sources such as log files and other digital evidence (Casey, 2003). However, if data has been destroyed, or if the criminals have used an identity-masking network such as TOR, then the investigators’ job becomes a little more difficult. Criminals can use TOR not only to hide their identity and location, but also as a secure peer-to-peer channel for the exchange of illicit materials, goods, or services (Forte, 2006).
If investigators can exploit flaws in TOR’s encryption chain, they could backtrack paths to find evidence of criminal activity and establish attribution. The ability to trace these paths is unavailable without direct access to the router proxies used during the communication being investigated (Forte, 2006). The main intent of TOR’s threat model, with respect to the privacy of its users, is to protect the overall traffic of its routing system from detailed analysis; it does not protect against such privacy invasions as matching situations or the monitoring of exit nodes (described later) (Owen, 2007).
Because of this threat model, gaps occur that can be exploited by criminals and, as will be examined, by investigators. To better understand these exploitations and the functions of TOR, the basic engineering of onion routing will first be summarized.

TOR & Onion Routing

The concept of onion routing, as developed by the U.S. Naval Research Laboratory, was to create a layered encryption scheme to limit a network’s vulnerability to traffic analysis (Owen, 2007).
In 2004, TOR was released free to the public as open-source software, maintained by volunteers and funded by various groups including the U.S. Government (Swan, 2016). Because TOR was created to be a secure way for users to protect their identity while online, it has attracted a large following made up of both legitimate, everyday users and criminals (Swan, 2016). TOR is a network made up of a collection of servers, all with assigned addresses called “nodes” (Swan, 2006). According to Swan (2006), “Nodes are the access and transfer points for user data; the bridges for user traffic sent back and forth…” (p. 111). TOR designates a path for user information through its nodes, usually a path of at least three nodes: an entry node, at least one middle node, and finally an exit node before the traffic reaches its destination (Swan, 2006). The variation of paths is employed as a security measure to provide greater anonymity. TOR also uses an onion-routing encryption process: “Each time an onion router handles a transaction, it strips away a layer of encryption concerning the preceding hop” (Forte, 2006). By the time the information passes through the last node, the packet is delivered in clear (unencrypted) text (Forte, 2006). While TOR does implement the layered approach of onion routing and the use of random node paths, it does contain flaws that can allow investigators to track its users. The next sections will discuss gaps in the TOR technology.
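As an added illustration (not code from this paper or from the Tor project), the following Python sketch models the peel-one-layer process described above: the client wraps the message once per hop, each relay removes a single layer and learns only the next hop, and only the exit node sees the destination and the cleartext. The relay names, the destination, the payload and the SHA-256 counter-mode stand-in cipher are all constructed for the example and are not Tor’s actual protocol.

```python
"""Toy onion-routing walkthrough (illustration only; not Tor's real protocol).

One encryption layer per relay, innermost layer addressed to the exit.  Each
relay peels exactly one layer; only the exit sees destination and cleartext.
The SHA-256 counter-mode keystream is a stand-in for a real stream cipher.
"""
import hashlib
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def build_onion(route, hop_keys, destination, payload):
    """Client side: wrap for the exit first, then one more layer per earlier hop."""
    layer = seal(hop_keys[route[-1]], json.dumps({"next": destination, "payload": payload}).encode())
    for i in range(len(route) - 2, -1, -1):  # walk backwards from the last middle hop
        layer = seal(hop_keys[route[i]], json.dumps({"next": route[i + 1], "inner": layer.hex()}).encode())
    return layer


def relay(hop_key, blob):
    """One relay's view: peel a layer and return (next_hop, what this hop can read)."""
    d = json.loads(unseal(hop_key, blob))
    if "inner" in d:
        return d["next"], bytes.fromhex(d["inner"])  # only an opaque inner ciphertext
    return d["next"], d["payload"]  # the exit node holds the cleartext


def trace_circuit(route, destination, payload):
    """Return per-hop observations: (hop, next_hop, cleartext or None)."""
    hop_keys = {name: os.urandom(32) for name in route}  # constructed per-hop keys
    blob, observations = build_onion(route, hop_keys, destination, payload), []
    for name in route:
        nxt, seen = relay(hop_keys[name], blob)
        observations.append((name, nxt, seen if isinstance(seen, str) else None))
        blob = seen
    return observations
```

Running trace_circuit(["entry", "middle", "exit"], "destination.example", "GET /index.html") shows the entry and middle relays recording only the next hop, while the exit record carries the destination and the unencrypted request, which is the exit-node exposure the text refers to.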