Friday, March 16, 2018

SXSW 2018 Day 1 Session 5: Hacking and Journalism for Good

Session page, including audio: https://schedule.sxsw.com/2018/events/PP99420

Hakon Hoydal: Journalist, Verdens Gang (VG)
Nataly Remoe Hansen: Journalist, Verdens Gang (VG)
Otto Stangvik: Computer programmer

Otto Stangvik: I was a software developer for several years, and I felt my life was in a rut. I had a crisis and needed a change. I started playing around on the internet and got interested in tracking and following people on the darknet who engage in abusive behavior, especially child pornography. This way I met Nataly and Hakon, who were investigating this as journalists, and we decided to work together to expose participants in online child pornography rings.
Hakon: The first results of the collaboration came in 2015, with the publishing of “The Downloaders”, publishing 95,000 IP addresses downloading 430,000 images of child porn.
Nataly: Further analysis led us into the dark web, where we discovered we could find formulas linking forums on the open internet to ones on the dark web, which led to forums that have paid subscriptions. The money going into the forums goes into funding the infrastructure of the forum and for new content.

Otto: The method was to sift through logs on the public internet to look for patterns and links. I built tools to sort through the 46 million log records we gathered and create links of files. From this we isolated 95 downloaders.
Nataly: But all of these were people who primarily used the regular internet as a gateway into the dark web. Our challenge was to go after people operating completely on the dark web. Specifically, one of the posters in a dark web forum dismissed the exposure by saying this was only possible due to the mistakes those users made by using the regular web. He said that those who work solely on the dark web were not in danger. We took this as a challenge and accepted it.

Otto: So how did we go about this? Our first step was to get to know the topology of the dark web forums, specifically one called “Child’s Play”, the largest dark web forum for child pornography. We studied the forum and its infrastructure. One of the things that helped us was that although these forums were on the dark web, they were still using open-source software to run and administer the site. So we were able to get a lot of information and find investigation approaches by just examining the open-source software itself, including some known vulnerabilities. Also, we found out that even though all the content was on the dark web, some of these software systems used the regular internet for metadata, which we could track.
We were careful to use only browsers that don’t show images, so as not to be exposed to the content. Also, we never stored images – we created a hasher that generated a hash for each image, so we could identify duplicates of it without having to store the actual image. We also had an enormous amount of data to sift through – we collected over 18GB of plaintext information; we had to create dashboards and a search interface to track users across forums.

Hakon: We would track users across different forums. For example, we found that one user used the same user ID for Skype. Some of the image data and posts contained GPS locations from people using their phones, so we could use this as well.
Eventually, we used all this information to track the origination servers to three countries – France, Germany and Australia. The server hosts in France and Germany refused to cooperate, but the ones in Australia did, and through them we were able to get the contact details of the person leasing the server computers – the Australian police department.
It turned out that the Australian police had been able to apprehend the original two creators of the site we were tracking, had them arrested, and had transferred the site to themselves and continued running it as a sting operation. Once we discovered it, they shared some additional information about the people who ran it previously, and eventually shut down the server a year after we discovered it.
