Criminals have always found ways to circumvent the law and engage in criminal activities “off the radar.” They hide in the dark corners and carry out their business where no one can see them. With the increase in the availability of the internet, criminals can now take their schemes to the digital world and carry them out in private. Criminals, much like everyone else who values privacy, desire total anonymity. However, total anonymity is not available on the Internet. Even with encryption, only the message is hidden; the information about who is communicating with whom, and how often, is still revealed.
The Onion Routing (TOR) Project provides private communication over a public network (Goldschlag, Reed, Syverson, 1999, p. 1) and provides the closest thing to being anonymous on the Internet. While TOR provides security through encryption and anonymity, it is also used for illegal activities such as selling illegal drugs, gambling, child exploitation and contract killings (Schriner, 2017, p. 4).
Government agencies cannot rely solely on criminal information in public chat rooms or social media to be effective in combating computer crime; law enforcement must be able to use the same tools as the enemy.
This paper will present the ways government agencies can use TOR to be effective when conducting criminal investigations. This paper will begin with a literature review followed by a discussion of how utilizing the dark web through TOR to collect evidence for criminal cases is essential.
TOR provides anonymous connections that are not easily decrypted or analyzed (Çalışkan, Minárik, Osula, 2015, p. 6). Not only does TOR provide a means for secure browsing, it also offers a controversial feature known as a “hidden service.” The hidden service allows an untraceable server to be created, which bypasses all known forms of content restriction and surveillance (Moore, Rid, 2016, p. 16). One website on the dark web used for purchasing illicit drugs, Silk Road, was estimated to have facilitated 23 million dollars’ worth of transactions annually. This is a small percentage of the 300-billion-dollar overall drug trade; however, the number of sellers on the site doubled within a 10-month span and sales increased by 38 percent within six months (Martin, 2013, p. 3). Çalışkan et al. (2015, p. 12 – 13) state that not every TOR user can be identified every time, but some users may be identified at some point. The Federal Bureau of Investigation (FBI) has proven it can decrypt TOR data on a host machine through a Network Investigative Technique (NIT), which can be used to collect evidence in an investigation (Miller, Stroschein, Podhradsky, 2016, p. 1). To better appreciate the need for TOR in government investigations and its capabilities, this paper will provide a background of TOR, including its technical and functional history. For clarity, the words “server, node, point, hop” are all synonymous in the context of the following section.
The Onion Routing (TOR) Technology
TOR was created as a collaborative project between the United States Naval Research Lab and the Free Haven Project in 1997. The purpose of TOR was to create a network that was distributed, anonymous, easily deployable and encrypted for those who needed it (Moore, Rid, 2016, p. 16). Unlike the traditional Internet where website owners and registration information are available, the darknet does not have a central source of website listings, making it more difficult to identify the owners of illicit websites. Moore and Rid performed an index search of darknet services and found a total of 5,205 live websites of which 2,273 were found to have illegal content that can be categorized into 12 criminal categories (Moore, Rid, 2016, p. 18-21).
TOR packets are routed from a sending source to a destination through an encrypted detour (a series of onion routers) instead of the most optimal route. Each server in the chain only holds information about the server that sent to it and the next point in the chain (Çalışkan et al., 2015, p. 7). Onion routing achieves anonymity by making nameless network connections by way of three phases: connection setup, data movement and connection tear-down. When a connection to the TOR network is made, an onion is created, which contains layers of cryptographic information (algorithms, encryption keys and the next onion router in line) for each point in the traffic chain. At each point in the network path, packets are padded to maintain a fixed size. As traffic reaches the next node in the path, another layer of encryption is removed, peeling off a layer of the onion. All data arriving at an onion router within a specified time window are jumbled together to prevent correlation (Goldschlag et al., 1999, p. 2).
TOR offers “hidden services” to keep the location of services concealed from the public. These services can be used for freedom of speech (WikiLeaks), the exchange of illegal goods, to mask the location of command and control servers used by botnets, or for something as innocent as the search engine DuckDuckGo (Biryukov, Pustogarov, Thill, Weinmann, 2014). The “hidden services” feature of the TOR network is used to protect the information about the entry and exit nodes on the TOR network. This is achieved by setting a rendezvous point at which the sender and destination node meet, anonymizing the identity of both. Instead of entering a destination host’s Internet Protocol (IP) address, the client uses a 16-digit identifier derived from the service’s public key, which is shared between the sender and destination to set up the rendezvous point (Çalışkan et al., 2015, p. 11).
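The two mechanisms described in the preceding sections, the layered onion that each hop peels (with fixed-size padding so every router sees cells of the same length) and the public-key-derived identifier used instead of an IP address for a hidden service, are illustrated below. This is an added, self-contained example written for this paper; it is not Tor Project code. The stream cipher is a constructed toy (HMAC-SHA256 in counter mode) standing in for Tor's real cryptography, the cell size and layer framing are assumptions chosen for readability, and the public-key bytes are constructed placeholders rather than a real key. The address derivation (base32 of the first 80 bits of SHA-1 over the DER-encoded public key) is the legacy v2 ".onion" scheme, which yields the 16-character identifier the text refers to.

```python
import base64
import hashlib
import hmac
import secrets

CELL_SIZE = 512      # assumed fixed cell size: every router forwards cells of this length
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed toy stream cipher (HMAC-SHA256 counter mode); illustration only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def pad(blob: bytes) -> bytes:
    """Pad with random bytes so an observer cannot tell how many layers remain."""
    assert len(blob) <= CELL_SIZE, "payload too large for one cell"
    return blob + secrets.token_bytes(CELL_SIZE - len(blob))


def wrap_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """Add one onion layer: nonce || Enc_key(inner_len || next_hop || inner)."""
    nh = next_hop.encode()
    plain = len(inner).to_bytes(2, "big") + bytes([len(nh)]) + nh + inner
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + xor(plain, keystream(key, nonce, len(plain)))


def build_onion(path, message: bytes) -> bytes:
    """path: [(router_name, key), ...] from entry to exit. Innermost layer is built first."""
    blob, next_hop = message, ""          # the exit hop has no next hop: it delivers
    for name, key in reversed(path):
        blob = wrap_layer(key, next_hop, blob)
        next_hop = name
    return pad(blob)


def peel_layer(key: bytes, cell: bytes):
    """What a single onion router can do: strip exactly its own layer, nothing more."""
    nonce, body = cell[:NONCE_LEN], cell[NONCE_LEN:]
    plain = xor(body, keystream(key, nonce, len(body)))
    inner_len = int.from_bytes(plain[:2], "big")
    nh_len = plain[2]
    next_hop = plain[3:3 + nh_len].decode()
    inner = plain[3 + nh_len:3 + nh_len + inner_len]
    return next_hop, inner


def route(routers: dict, entry: str, cell: bytes):
    """Forward the cell hop by hop; record what each router learns (previous and next hop only)."""
    prev, hop, trace = "client", entry, []
    while True:
        next_hop, inner = peel_layer(routers[hop], cell)
        trace.append((prev, hop, next_hop or "deliver"))
        if not next_hop:
            return inner, trace
        cell = pad(inner)                 # re-pad so the next router sees a full-size cell
        prev, hop = hop, next_hop


def onion_address_v2(public_key_der: bytes) -> str:
    """Legacy v2 .onion name: base32 of the first 10 bytes (80 bits) of SHA-1(DER public key)."""
    digest = hashlib.sha1(public_key_der).digest()[:10]
    return base64.b32encode(digest).decode().lower() + ".onion"


def demo_circuit():
    """Three-hop circuit with per-router keys; returns (delivered message, per-hop view)."""
    routers = {name: secrets.token_bytes(32) for name in ("entry", "middle", "exit")}
    path = [(name, routers[name]) for name in ("entry", "middle", "exit")]
    cell = build_onion(path, b"GET / HTTP/1.1")
    return route(routers, "entry", cell)


if __name__ == "__main__":
    delivered, trace = demo_circuit()
    print(delivered, trace)
    # constructed placeholder bytes, not a real RSA key
    print(onion_address_v2(b"PLACEHOLDER-DER-PUBLIC-KEY-BYTES"))
```

Running `demo_circuit()` shows the point of the design: the entry router's trace entry is `("client", "entry", "middle")`, the middle router sees only `("entry", "middle", "exit")`, and only the exit sees the plaintext request, so no single hop can pair the client with the destination.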
Now that the technology behind TOR has been described, we will examine the different ways government agencies can use TOR in investigations.
Network Investigative Technique (NIT)
Servers running hidden services do not reveal identifying information about TOR users. When a user requests content through TOR, the identifying information (IP address) is hidden. Through a Network Investigative Technique (NIT), the FBI has proven that it can deanonymize the users of the host machines on the TOR network. During an investigation the FBI was given access to a set of computers that were known to have been running TOR hidden services and hosting illegal content. The NIT utilized in this case was a flash object supplied to a TOR browser on the machine, which deanonymized the users. The goal of the NIT was to identify the criminals by revealing their public IP address.
To aid in this objective, the FBI created a session ID for users of this service by utilizing a dynamic server-side PHP script. Each time a specific site was visited, the script would create a unique ID and log it to a table named “visitors” within a SQL database. After the ID was created, custom code developed by the FBI would determine the appropriate method of “decloaking” based upon the browser that was used. A Flash file was then used to pass an ID to a Flash object within the browser. The ID was created with a “generate_cookie” function. This identifier is also known as the Encrypted Session Identifier (ECID). Through the use of the Flash object, the FBI was able to decrypt session data retrieved from Domain Name System (DNS) queries and correlate the logs between multiple servers, proving the identity of some TOR users and their online activities (Miller et al., 2016, p. 195 – 197, 200).
The OnionScan tool was developed to help secure onion services by checking dark web sites for vulnerabilities. It is free and open source and is written in the Go programming language. One of the vulnerabilities the tool checks for is the Apache debugging module “mod_status.” If “mod_status” on the server is queried, information such as the real IP address of the server, other dark web and Clearnet sites the server hosts, and secret areas of the website can be revealed. OnionScan also checks for open directories, which can reveal information such as images or possibly copies of the site, and for EXIF data, which can reveal the owner name, the make of the camera or phone, or geolocation information embedded in photos. Government agencies regularly scan the dark web for activities but do not make the results available (Schriner, 2017, p. 5 – 6).
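The EXIF leak OnionScan checks for is avoidable at publication time: an operator can remove the Exif segment from every JPEG before it is served. The following is an added example (not OnionScan's code) of that mitigation, written with the Python standard library. It walks the JPEG marker segments up to the start-of-scan marker, drops any APP1 segment whose payload begins with the "Exif" header, and copies everything else unchanged. The sample JPEG bytes are constructed in the code for illustration; they are not a real photograph. Note the caveat: the function only removes Exif. XMP metadata (also in APP1, with a different header) and IPTC data (APP13) are left alone.

```python
import struct

SOI, SOS, APP1 = 0xFFD8, 0xFFDA, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"   # payload prefix that identifies an Exif APP1 segment


def iter_segments(data: bytes):
    """Yield (marker, raw_segment_bytes) up to SOS, then (SOS, rest-of-file) verbatim."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    yield SOI, data[:2]
    pos = 2
    while pos + 4 <= len(data):
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == SOS:
            # entropy-coded image data follows SOS until EOI; copy it untouched
            yield SOS, data[pos:]
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes its own 2 bytes
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS marker found")


def is_exif_segment(marker: int, seg: bytes) -> bool:
    # payload starts at offset 4 (2-byte marker + 2-byte length)
    return marker == APP1 and seg[4:4 + len(EXIF_HEADER)] == EXIF_HEADER


def has_exif(data: bytes) -> bool:
    return any(is_exif_segment(m, s) for m, s in iter_segments(data))


def strip_exif(data: bytes) -> bytes:
    """Return the JPEG with every Exif APP1 segment removed; all other bytes are preserved."""
    out = bytearray()
    for marker, seg in iter_segments(data):
        if is_exif_segment(marker, seg):
            continue      # camera make/model, owner and GPS fields live in this segment
        out += seg
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed minimal JPEG for demonstration: APP0 (JFIF), an Exif stub, a dummy
# quantization table, then a tiny scan and EOI. Not a decodable picture.
EXIF_PAYLOAD = EXIF_HEADER + b"MM\x00\x2a" + b"\x00\x00\x00\x08" + b"\x00\x00"
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, EXIF_PAYLOAD)
    + _segment(0xFFDB, b"\x00" + bytes(64))
    + b"\xff\xda" + b"\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\x56"
    + b"\xff\xd9"
)


if __name__ == "__main__":
    cleaned = strip_exif(SAMPLE_JPEG)
    print("before:", has_exif(SAMPLE_JPEG), "after:", has_exif(cleaned),
          "bytes removed:", len(SAMPLE_JPEG) - len(cleaned))
```

Run it over a directory of images before they are copied into the web root; since the scan data is copied byte for byte, the image itself is not re-encoded and no quality is lost.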
Discussion of Findings
Onion routing provides privacy and anonymity through an eavesdropping-resistant architecture within its network. TOR aims to protect the privacy of Transmission Control Protocol (TCP) Internet connections and user anonymity through “low-latency, deployability, usability, flexibility and a simple design.” TOR is intentionally designed with complexity and to be resource-intensive for resistance against spying. Each point in the path removes a layer of encryption (onion layer) until the traffic reaches the exit node, where it is decrypted and reassembled into its original state (Bauer, McCoy, Grunwald, Kohno, Sicker, 2007).
While privacy is needed, and is itself threatened by cyber criminals, it is also being used to shield the very people from whom law enforcement authorities are trying to protect citizens. There must be a balance struck between privacy and computer forensics capabilities (Yasinsac, Manzano, 2001, p. 294). One of the problems consistent across law enforcement cases is tying a crime to a criminal. Evidence must be provided that can link a person to a specific crime. In the cyber world, this is known as attribution. TOR was designed to endorse privacy and, as a result, has become an obstacle for authorities when it comes to cyber investigations, as it masks users’ identities through multiple encryption layers and data scrambling (Finklea, 2015).
Various methods exist that allow government agencies to identify the perpetrators of online crimes. The FBI has proven that a NIT it developed can identify TOR users suspected of a crime and produce evidence that will link them to it. This is not always achievable, but under the right circumstances it is successful. The OnionScan tool is freeware that was designed to help secure onion services and maintain privacy, but it can also be used to identify critical information about onion sites.
An individual’s right to privacy is a critical part of our society and is threatened by cyber criminals. The very system that was designed to provide privacy to Internet users also works against the authorities who are trying to protect citizens. This paper has shown how the TOR network provides privacy and anonymity and has described two different methods to deanonymize TOR users for criminal investigations. Additionally, the amount and types of cyber crime on the darknet were discussed to illustrate the need for government agencies to have the ability to decrypt information within TOR. As previously stated, privacy is always a concern for the average law-abiding citizen, but it cannot hinder the ability of government agencies to protect U.S. citizens by prosecuting cyber criminals.
References
Bauer, K., McCoy, D., Grunwald, D., Kohno, T., & Sicker, D. (2007). Low-Resource Routing Attacks Against Tor. doi:10.1145/1314333.1314336
Biryukov, A., Pustogarov, I., Thill, F., & Weinmann, R. (2014). Content and popularity analysis of Tor hidden services (pp. 1-6, Tech.). Retrieved from https://arxiv.org/pdf/1308.6768.pdf
Buxton, J., & Bingham, T. (2015). The Rise and Challenge of Dark Net Drug Markets (pp. 1-24, Rep. No. 7). Swansea University Prifysgol Abertawe.
Çalışkan, E., Minárik, T., & Osula, A. (2015). Technical and Legal Overview of the Tor Anonymity Network (pp. 1-31). NATO Cooperative Cyber Defense Centre of Excellence, Tallinn, Estonia.
Finklea, K. (2015). Attribution in Cyberspace: Challenges for U.S. Law Enforcement (Rep.). CRS Insights.
Goldschlag, D., Reed, M., & Syverson, P. (1999). Onion Routing for Anonymous and Private Internet Connections (pp. 1-5, Tech.). Retrieved October 31, 2018, from http://www.dtic.mil/dtic/tr/fulltext/u2/a465075.pdf
Martin, J. (2013). Lost on the Silk Road: Online drug distribution and the ‘cryptomarket’. Criminology & Criminal Justice, 14(3), 351-367. doi:10.1177/1748895813505234
Miller, M., Stroschein, J., & Podhradsky, A. (2016). Reverse Engineering a NIT That Unmasks Tor Users. Annual ADFSL Conference on Digital Forensics, Security and Law, 10. Retrieved from https://commons.erau.edu/adfsl/2016/wednesday/10
Moore, D., & Rid, T. (2016). Cryptopolitik and the Darknet. Survival, 58(1), 7-38. DOI:
Nicoll, C., Prins, J. E. J., & van Dellen, M. J. M. (Eds.) (2003). Digital Anonymity and the Law: Tensions and Dimensions (Information Technology & Law Series, No. 2). Den Haag: T.M.C. Asser Press.
Schriner, J. (2017). Monitoring the Dark Web and Securing Onion Services (pp. 1-12). Retrieved October 31, 2018, from http://academicworks.cuny.edu/qb_pubs/41
Yasinsac, A., & Manzano, Y. (2001, June 5). Policies to Enhance Computer and Network Forensics. Lecture presented at the Workshop on Information Assurance and Security, United States Military Academy, West Point.