Working Unseen on the Internet
This chapter introduces the reader to the techniques and tools required to work unseen on the Internet, particularly, by any investigative targets. The chapter discusses the types of Internet anonymization in use and how those tools can be implemented by the investigator. The chapter also stresses the need for investigators to use these anonymizing techniques consistent with their agency or company’s mission and legal requirements. The discussion starts with common techniques, such as the use of factious personas and emails and use of open or public Wi-Fi networks. It then quickly proceeds to the use of web anonymizers, proxy servers, Virtual Private Networks (VPN), The Onion Router (Tor), and The Amnesic Incognito Live System (Tails). The chapter also introduces readers to Tor’s “hidden services,” where an illegal marketplace has set up shop on the Internet. Finally, the chapter concludes by discussing methods to catch criminals who use anonymizing techniques.
Keywords
Anonymization; anonymous email; browser requests; spoofed IP’s; web anonymizers; proxy servers; Tor; Tails; I2P; hidden services
You know, it’s really strange now with the Internet, with everyone having an unsolicited, anonymous opinion.
Jeff Daniels, American Actor
Internet anonymity
Being anonymous on the Internet is a technique used by many. It simply means an author’s actions or messages are not revealed to others. It is not just a criminal’s practice but a technique used by anyone trying to prevent others from identifying who they are and what they do online. The idea of being anonymous in one’s writing is not a twenty-first century concept. Benjamin Franklin signed fictitious names and even created entire personas to get his letters published by his printer brother. One of Franklin’s fictitious profiles was Silence Dogood, a purportedly, middle-aged widow (Public Broadcasting Service, 2002).
Internet users under totalitarian regimes deploy anonymity techniques to prevent their governments from identifying those who would use online free speech to change their situation. These techniques also can be used to circumvent Internet restrictions or filtering. Others trying to prevent their activities being known can use these methods to hide from stalkers. The simplest online anonymity technique is the use of a false name or a pseudonym. Common in emails or in chat rooms, individuals sometimes use fictitious names to conceal their identity.
However, using online anonymity methods is not without possible legal ramifications, particularly if one violates civil and/or criminal statutes. One can’t assume someone’s real identity, even to engage in legitimate online discourse, without facing possible civil action if not criminal penalties. This is particularly the case if the discourse is contrary to the real person’s views. Additionally, using anonymity methods only makes it more difficult, but not impossible to catch someone engaging in criminal behavior. Once a person crosses the legal boundaries with their online behavior, anonymity serves as only an obstacle, not a complete barrier, to possible discovery and prosecution. Criminals are frequently more apt at using online hiding techniques than law enforcement or corporate investigators. They also need not be concerned with breaking laws, let alone administrative polices or procedures, in connection with using anonymity techniques. However, investigators have to be concerned with how their online actions, including the use of anonymity methods, may violate the law or negatively impact their cases and/or agency.
Responsible use
In 1999, the federal law enforcement agencies in the United States came together to form the Online Investigations Working Group (Working Group),1 to provide some general guidance for investigators conducting online investigations. The result was 11 principles,2 five of which focus on issues considering anonymity and/or working undercover online.3 These pre-911 principles imposed no new restrictions on agents’ conduct but did create two new procedural rules for agents or agencies to follow, concerning online undercover facilities (a consultation requirement with US Department of Justice (USDOJ)) and appropriating online identities (concurrence requirement from USDOJ). The principles were for federal agencies and not specific to state law enforcement, with the exception of highlighting concerns over local investigations with international connections. They were developed with the concept that agents were to follow their respective agency’s internal rules, regardless of whether they were working online or in the real world. For instance, if they were permitted to work covertly in the real world than they could likewise work covertly online. Additionally, if there were a set of rules that were to be followed for covert work in the real world, those same rules were to be followed to the extent possible, in an online environment. As the need arises, we will discuss those pertinent principles in this chapter and the next.
For now it is important to understand that the discussion of online anonymity techniques is not to provide a method to bypass agency or corporate rules on how investigations are to be conducted. Toward that objective, investigators need to consider how their investigative duties fall on an investigative continuum from least to more intrusive. The investigative continuum consists of general research, investigative collection, intelligence gathering, and undercover activities (Figure 9.1).
Additionally, it is important to understand that while conducting each of these activities, one maybe disclosing who they are or who they work for online, hence the possible need to use anonymity methods. Will that disclosure hamper their investigation? Will identification have a chilling effect on someone’s legitimate right, for instance, the presence of law enforcement in a public online debate on gun control? However, is such surveillance, even covertly, justified by the law? Could online identification and presence negatively impact one’s agency or company? For instance, someone visiting a pornographic website to document another employee’s unauthorized access to that website, will just as likely leave identifying information, with that website, as the first employee. If that information becomes public, is it to be viewed merely as one bad employee and an investigation, or that the entire agency or company is visiting a pornographic website. Investigators need to consider the ramifications of their online activities before they engage in them. Using anonymity techniques as an investigator are only justified if the overall online activity is clearly authorized.
Common methods to gain web anonymity
The most common method for an investigator to gain a level of Internet anonymity is through the use of a free email account. The most commonly used email addresses are the big service providers, Google’s Gmail, Microsoft’s live.com, and the tried and true AOL. The investigator can obtain multiple accounts in their personas to use for a variety of purposes. Free account and trial memberships on various websites can assist with building the persona. Familiarity with these sites can help investigators understand how they work so when an investigation of this type of site occurs they will have an understanding of what to look for.
Investigators can also use anonymous or disposable email services through various websites. Many of these services can be found with a simple Google Search of “Anonymous email.” These sites provide the user with the ability to send an anonymous email and receive email for short periods of time, such as a registration requirement at a website. Some sites will also forward email received at the anonymous account to any account the user selects. These sites differ from the above free email services as one does not have to register with the service. Additionally, the user's IP address information is frequently not maintained as long as one of the free email accounts noted above. For instance, when one registers for a free email account, the IP address from where they are accessing the account is frequently maintained indefinitely. Whenever a user accesses the account, the free email service provider will also maintain a record of that IP address. However, with an anonymous service that IP address information, although collected, is only maintained for a very short time. For instance, Guerrilla Mail will delete logs after 24 hours.
Both free and anonymous accounts are obviously used by criminals who give false names and other information to commit extortion, death threats, or stalking through the Internet. Criminals also use free accounts to aid in their theft of computer accounts and to receive anonymous payments, such as untraceable digital cash (E-Gold, Bitcoin, etc.). The Achilles’ Heel for discovering who is behind the account is the IP address information collected when one registers and/or accesses the account. The free accounts maintain this information longer than the anonymous accounts. However, one can’t use the same anonymous accounts indefinitely. If one creates a free account with bogus information or even an anonymous account from their home computer, that IP address may be discovered, particularly if someone does something illegal.
The low-tech solution is not to create or access the account using one’s own Internet Service Provider. Criminals know this and will use cybercafes and/or free Wi-Fi hot spots like Starbucks or McDonalds or any number of others to access these accounts, adding another layer of anonymity to their crimes. Many communities now even offer free Wi-Fi services throughout their city. If someone traces the IP address it will come back to the cybercafe or the free Wi-Fi hot spot. The next sections of this chapter will deal with more advanced methods of concealing your IP address.
What your computer can reveal about you
In the last chapter, we discussed how to check your investigative system for potential attack points. We even recommended some websites that you can use to check your security. What we haven’t discussed is exactly what your investigative system can reveal about who you are and what system you are using. So for the purposes of this section, let’s ask ourselves a question. What does your computer tell other computers about you?
What your browser reveals (http requests)
Web browsers, like Internet Explorer, Firefox, or Chrome, are tools designed to allow a user to access resources on the World Wide Web. To facilitate this access, the web browser has to communicate with a server on the Internet that contains the data that you are seeking. This communication is a standard protocol designed to let both sides agree to exchange data. Your browser sends data to the web server and requests the page you’ve asked for. It contains details on browser needs and what it will accept back from the server. It reveals the browser type, its version, and the browser’s capabilities. The communication can also reveal software installed on the investigator’s computer, potentially sites you have visited, your Internet Service Provider, and even IP address (Figure 9.2).
Anonymizing your surfing
For the investigator, there are several web-based methods to anonymize your browsing. The first option to consider is the use of a proxy via a website. A proxy is an agent authorized to act for another. These web anonymizers simply act as a go between the investigator’s browser and the website that is being investigated. (We will discuss the use of a proxy server, aka proxy firewall or application level gateway, later in the chapter) There are numerous free and pay websites that can act as proxy. These sites should be tested out so that you are aware of their functionality before using them during an investigation. Some of the websites allow you to browse successive webpages and some do not. Others will not allow you to conduct certain investigations, such as peer-to-peer (P2P) cases or complete downloads. Some web anonymizers could retain information of the investigator’s browser and IP address. Sometimes, web anonymizers, such as Anonymouse.org (http://anonymouse.org/anonwww.html), do not allow you to choose your originating IP address. You get whatever IP address is available, which may or not be an issue for your investigation. Others, such as Hidemyass.com (http://www.hidemyass.com/proxy/) and Newipnow.com (http://www.newipnow.com/), will allow you to pick from a range of various IP addresses. However, even this range may limit your choices to those originating from a particular country, such as the United States. Additionally, some web anonymizers will include ads with their service. Finally, be aware that some web anonymizers will not provide the same look or functionality, as a website not being accessed via a proxy (Figure 9.3).
Web anonymizers though are not without their benefits. Besides hiding the investigator’s IP address from the target website, these sites can also prevent malware infection. The proxy server acting as the web anonymizers is the server that runs any code from the target page. So if the target webpage has any malicious code the proxy can prevent it from running on the investigator’s machine. Additionally, by redirecting your Internet traffic through the anonymizing services secure servers, your online identity is protected. These servers often use encryption technology similar to the banking industry.
Another method for hiding your activities while on the Internet is through the use of Virtual Private Networks (VPN). VPN’s also act as a go between your browser and the website you want to access. However, they have the added benefit of encrypting all the communication between your browser and the website. Some of the same limitations that apply to web anonymizers also apply to VPNs. Many of the web anonymizers also provide VPN for a fee.
The pay version of Anonymizer found at www.anonymizer.com is an example of a VPN. This program hides your computer’s IP address from the Internet and provides an encrypted tunnel (Secure Sockets Layer (SSL)) between your computer and Anonymizer’s servers. SSL is the same encryption you see when you do banking or other secure business over the Internet. It also reduces spam and tracking. You can easily toggle the program on and off. Some sites don’t like it (i.e., Google) because they think you’re a hacker doing a denial of service attack. A simple search for VPN services online will provide a number of available services that can suit the investigator’s needs.
The Good and the Bad of Anonymization
The Good: Freedom of speech, anticensorship, and anonymous tips.
The Bad: Bypassing Internet use policy, abusing organization resources, and preventing filters from monitoring activities.
The Ugly: Spam, piracy, information and identity theft, cyber-stalking, and hiding terrorist activities (Figure 9.4).
Using proxy servers with your own network
When investigating Internet crimes the investigator needs to consider how much information that he presents to servers and webpages that he may be examining. Hiding oneself on the Internet used to be the hackers’ purview. However, technology changes and so has the ability to easily implement the same techniques hackers use to hide themselves during your investigations. There are many techniques for eluding identification on the Internet. Proxies have been used for years for this purpose. They act as a go between your network and the one you are investigating. A proxy server acts on your behalf and forwards to the server you are looking at any requests you make. The server you are investigating only sees the “proxy.” Proxy servers, also known as a proxy firewall, aka, Application Level Gateway, can be a hardware device or software application. A proxy server used in a normal network helps to prevent a hacker from obtaining internal addresses and details of that private network. It is an intermediary device that indirectly connects two systems and, as a result, allows these systems to communicate directly. In your own network, proxy servers can be used as a device to protect the network from unauthorized access and help to secure a network against outside attack. Proxy services are not limited to just hardware devices or applications. They can also be available as an Internet service.
Free online proxy servers
You can find proxy servers on the Internet that can be used during an investigation. Public proxy servers can be found at various websites such as Free Public Proxy Servers List http://www.proxies.by. Certainly, use of any “free” service on the Internet for an investigation comes with certain risks. You don’t know who owns the server, nor do you know if the owner is monitoring traffic coming and going on the proxy server. Investigators using these servers need to understand these potential risks when conducting an investigation through these servers. One of the issues with using free proxy servers is that they are very transient in nature. Most come and go fairly quickly as a service. One day that IP address has a proxy server and the next day it is gone. As a hiding method, this can be very useful to the criminal as well as the investigator. Changing the IP addresses of the proxy servers used makes the user far more difficult to find. Finding these “free” proxies is as simple as searching Google for the term “free proxy.” Many sites maintain these lists for a variety of uses and not just for use by criminals. Persons in countries that don’t allow free and unabated access to the Internet, or those trying to prevent a repressive government from finding postings on a blog, use these proxies.
So how is this different than a web-based anonymous service? Well, a web anonymizer is a website that offers the proxy services for your web browsing. This communication uses an application protocol, specifically, Hypertext Transfer Protocol (HTTP). Internet Explorer, or any other browser or tool will use HTTP. The free proxy servers on the Internet are servers that can be connected to by various tools to reroute your Internet traffic. This can be your browser, but it can also be, an Internet Relay Chat (IRC) client or any other Internet tool that allows the user to set up a proxy connection through another server. This routes the tool’s traffic through the IP address of the proxy server thus hiding the tool’s Internet traffic. In Figure 9.5, you can see that the Local Area Network (LAN) settings are rerouted through the IP address listed as the proxy.
To Tor or not to Tor
The Onion Router (Tor) is a significant tool in the “I need to hide on the Internet” world (Figure 9.6). Tor was developed from a concept originally written about by the US Navy. According to the Tor website, “Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location” (Tor Project Anonymity Online).
Your browser normally makes a call out through your Internet Service Provider to servers on the Internet. These servers easily identify who you are by your IP address so they can communicate back with you. This exposure of your IP address is what can tell the target who you are and possibly where you are in the world. The Tor network in its simplest description strips that information out and only provides the end user with an IP address belonging to the Tor network and not you. Thus you have effectively hidden from the end website you are visiting or target user that you may be communicating with through the Internet (Please note this is an over simplification of the process and exact details of how the Tor network works can be found on the project website). The current Tor Browser bundle installs its own browser version that does not allow the user to change the proxy settings in the browser. You can still use the installed “Vadalia” (like the onion) package to proxy your own browser through the Tor network, although the Tor project no longer recommends this practice.
Using Tor during online investigations is much easier now than in the past. This is due to the increase in most users’ Internet bandwidth, the constant upgrading and improving of the Tor software and its easy integration into the popular browsers. So how does the investigator implement Tor during their investigations? Well, the simplest method is to use the Tor network to hide browsing activity. If you are investigating a webpage or website, we know that there is certain information that our browser tells that server or website about who we are and potentially where we are. Our browsers can reveal our IP addresses, what kind of browser we are using, and its version. We can use Tor to prevent a suspect webpage from identifying us.
Using Tor in your investigations is as easy as downloading it and installing the Tor browser. Go to the Tor project website (www.torproject.org) and download the current Tor Browser Bundle Windows installer. Click on the executable file and the Tor project installs. Previous versions of Tor required setting the proxy settings in your browser to use the Tor network, but this is all done automatically during the installation of the latest Tor browser bundle.
The Tor project has a page you can go to that will verify that you are using the Tor network properly or you can go to one of the websites on the Internet that grabs your IP address like http://whatismyipaddress.com/ to identify what IP address you are exposing to the world.
We are now ready to go online and start our investigation without being identified. Things to note here. The online application being used by the Tor network in this configuration is the Tor browser. If you send an email to the target from your normal email client on your desktop, use another browser, instant messaging, or use P2P software you will potentially expose who you really are by your IP address. To use any other applications through the Tor network you need to set them up to use the Tor proxy settings.
Other things to consider if you are not using the Tor Browser Bundle is that your browser set up needs to turn off the running of scripts, ActiveX, and cookies. Also block pop-ups. But you say “I can’t access all the good content on the Internet”. Correct, you can’t but then the end user can’t identify you either through holes in these protocols. Each of these features enhance our web surfing experience, but they also require a code be downloaded through your browser and run on your machine. This can allow for the code to default to a port in use that is not being redirected to the Tor network, thereby exposing who you are. This may not be important in all the cases you work, but be aware of it. If you lock down your browser and don’t get the content you want, you can always relax the controls and go back and look at the site. You know at least the risks and can make a decision based on the needs of your investigation (Figure 9.7).
Tor’s hidden web services
Gormley (2011) wrote a short article which described how drugs were blatantly being sold on the Internet and members of Congress were very concerned and demanding an investigation. Selling drugs on the Internet is nothing new. The place on the Internet “openly” selling drugs was on the Tor network through the use of Tor’s “Hidden Services” function. The “Silk Road” is an online market open for the sale of goods and named after the ancient road used to bring goods from the Orient to the West. (The person behind the Silk Road hidden service was arrested by the FBI as this book was going to print. Goldstein 2013). For the power users, the Tor network’s hidden services are probably nothing new. For the average online investigator though, you may have heard of Tor and may have even tried to use it. But were you aware that webpages can be concealed within the Tor network? Have you ever seen a “.onion” domain name? Hidden services were introduced to the Tor network in 2004. They are run on a Tor client using special server software. This “hidden service” uses a pseudo top-level domain of “.onion”. Using this domain, the TOR routes traffic through its network without the use of IP addresses. To get to these hidden services, you must be using the Tor network.
How do you find sites using these hidden services? Well there is not a real “Google” for finding these sites, but there are lists of the addresses that can be found on the Tor network such as the Core Onion at http://eqt5g4fuenphqinx.onion/.
Core.onion, according to its hidden services site, has been in the network since 2007. Once on the Tor network and after accessing the Core.onion, you will find a simple directory to start exploring hidden services on the Tor network (Figure 9.8).
TorDir is another directory of hidden services. It gives you access to a variety of sites that offer instant messaging services, email, items for sale, social media–type sites, and marketplaces, all concealed through the Tor network. In the markets, a variety of things are for sale, and many appear on their face to be illegal. You can find sites for the purchase of illegal drugs, pornography, including sites with descriptive names indicative of child pornography and downloads for hacked versions of various software. File sharing also looks to be popular and can be found in several .onion sites (Figure 9.9).
Users of IRC can find similar hidden services on Tor. The Freenode website at http://freenode.net/irc_servers.shtml gives clear instructions on how to access Freenode IRC servers on Tor’s Hidden Services.
Tor is not the only anonymization service on the Internet. Ip2 is another anonymizing network that is becoming increasingly popular, which has its own “eeepsites” similar to the hidden services offered in Tor that a user can post content to like a website. Hidden services on both the Tor network and Ip2 are going to increasingly become a location that will be misused by criminals. It will also become a place on the Internet that investigators will need to become familiar with if they are to further their online investigations.
Tor and tails
Investigators that have a significant need to hide their computing system and ensure that they won’t be recovered can use a tool like the Amnesic Incognito Live System (Tails). Tails is a bootable DVD or USB drive that implements the Tor project. Tails uses the Debian Linux operating system. Using a bootable DVD or USB bypasses a computer’s operating system, with all programs being run from the DVD or USB, and loaded into the machine’s Random Access Memory (RAM). In this way data is not saved to the computer’s hard drive, even unintentionally.
Tails’ advantage is that the system uses the binaries on the DVD or USB that have been solely designed to prevent any possible exposure of the user to others on the Internet. The bootable DVD or USB drive implementation runs on its own operating system and has a solid implementation of the Tor project's network. This helps to ensure that the system used cannot be identified from someone wishing to identify the computer used. The downside of using Tails is none of the Windows-based collection tools previously noted will work (Figure 9.10).
Tracking criminals who use anonymous methods to hide
We have discussed many tools to use to hide ourselves online. We know our investigative targets can do the same thing. So how is it that we can track those who use these kinds of services for criminal purposes? There are many different things that can be done mechanically to track criminals online. What the investigator needs to know at the start is that a knowledgeable criminal maintains their security and use of the technology to prevent identification and will be harder to locate and identify than those that are not as diligent. One of the best methods of identifying people online is the same tactic that hackers have used for years, social engineering. In the context of Internet investigations, social engineering is the act of manipulating people to do something or reveal information.
This kind of tactic has long been the criminal’s mainstay. A simple but effective ruse could be faking a telephone call to the target stating your calling from the company’s “Help” desk. The criminal asks the target for assistance with an issue. During this conversation the criminal gets the target to reveal his login and password as he is helping work through a computer problem on the network. This seems overly simple and unlikely, but it is how many famous hackers like Kevin Mitnick got the right information to allow access to networks they were attacking. Kevin Mitnick has said that “Social engineering is using manipulation, influence and deception to get a person, a trusted insider within an organization, to comply with a request, and the request is usually to release information or to perform some sort of action item that benefits that attacker.” Investigators when trying to identify those using anonymization need to be thinking in the same terms. Get the criminal to reveal certain things about themselves that they would not normally do. Security-conscience targets are probably less likely to do this; however, everyone makes mistakes.
Tools for catching the hiding Internet target
The basics of catching a target hiding on the Internet require that there be some interaction in most cases. That interaction could be trading an email, communicating in a chat room, or getting them to visit a website or social media page. In each of these situations, there are things that could be implemented that might help to reveal usable information about the target. The investigator has to remember though that the information identified online may be an IP address that is hidden behind a proxy or other hiding technique. Identifying the real IP address used by the target could lead to identifying the real person who is the target of the investigation. You can easily identify if the target is using the Tor network by checking the IP address you have through the publicly available list of exit nodes used by the Tor network. The Tor networks’ last server on its network is called the “exit node.” This is the last computer server in the Tor chain that is identifiable by the investigator in the network. You can identify this IP address by going to the Tor Project website, www.torproject.org, and checking around on their project portal pages. They have a public list of the exit nodes for research purposes.
We can start with the simplest of the tools for identifying a target and that is an email. We spent some time in Chapter 8 talking about IP addresses and tracing them to their source. Reading an email header, if not spoofed, can give the investigator a direction to locate the target. Other effective techniques that can be used are tools like those from ReadyNotify.com or AnonymousSpeech.com. These websites offer tools that add content to the email, or documents attached to the email, that when opened by the target can track the target’s IP address. Each of these services will identify the receiver’s IP address. There are limitations with their usage. Some email tools like Microsoft Outlook require that the attachment be accepted to allow for the tracking tool to work.
More proactive methods
There are some more proactive methods of identifying anonymous users on the Internet. Two companies have tools that can add in this more technical method. This is far beyond the basic level but is worth mentioning hear for the basic investigator to know that with the right skills and technology most targets can be found. The Gamma Group, a British company, sells its software to governments solely for criminal investigations. Its product FinSpy, part of the FinFisher product suite, is a proactive tool used to identify, track, and monitor targets on the Internet. Details on the tool are limited publicly but some reports identify that it is being deployed around the world in various investigations.
Another tool designed specifically to assist in the identification of Internet users of anonymous technology is ACAV by Vere Software. Under a grant from the USDOJ, Vere Software and their partner, the University of Nevada, Reno’s Computer Science and Engineering Department, developed a tool called ACAV. ACAV was designed to assist state and local law enforcement investigators identify criminal users of anonymization. Both of these companies reportedly release their tools only to law enforcement investigators.
The Hewlett-Packard Lesson
In 2006, Hewlett-Packard investigators were called to task by the government for the techniques they used to ferret out an insider who was leaking sensitive information. One of the techniques used was web bugs via ReadyNotify.com. McMillian (2006) article notes: “When the question of whether web bugs are legal has been tested in the United States, courts have tended to focus on whether this type of technology violates federal wire tapping laws,” says Chris Jay Hoofnagle, senior staff attorney with the Samuelson Law, Technology and Public Policy Clinic at the University of California, Berkeley. Hoofnagle says “State courts could take up the issue of web bugs, considering the existence of anti-hacking laws in states such as California. California law prohibits certain uses of computer resources without the permission of the user, and nobody knows for sure whether HP’s actions would violate this law or similar statutes in other states.”
None of the HP investigators got in legal trouble for use of web bugs. However, several did get into legal hot water for how they used the technique called pretexting to convince telephone companies to provide confidential information. In one case, the investigator used the target’s own Social Security number, thereby committing identify theft, to convince the telephone company to provide the confidential information. One result of this case was the passage of the Telephone Records and Privacy Protection Act of 2006, which prohibits pretexting to buy, sell, or obtain personal phone records, except when conducted by law enforcement or intelligence agencies.
The bottom line as always is seek legal advice for your investigative procedures before you use them (Figure 9.11).
Other methods of identifying Internet users can be through web bugs, or web beacons, designed especially for embedding in a webpage. This is already a common practice within the marketing community. Google Analytics is a commonly used web bug inserted into a webpage to track users. This same concept can be used to track and identify a target during an investigation. These can be web beacons, which are small objects embedded in the webpage, that when loaded by the user’s browser make a call back to a server controlled by the owner. Tynan (2013) notes there were more than 1,300 tracking companies following users through these techniques.
Another method that can be used to track users by their IP address is through the review of server logs from websites. The website owner with access to the server can identify users’ IP addresses when they click the website on the server. Investigators can set up a web server with an undercover website designed for the investigation and use this as a method to track users browsing to the undercover website.
Conclusion
In this chapter, we discussed the use of anonymization as tools for the investigator as well as for the criminal. Anonymization can be an effective method for the investigator to secure their computing systems and their actions on the Internet. Each tool discussed has its own advantages and disadvantages, and investigators need to carefully consider their tool selection and how they are implemented. The use of anonymization by criminals does not halt an investigation. There are methods by which the investigator can track users of anonymization on the Internet. It can make an investigation more complicated and requires more effort on the part of the investigator, but it does not stop the investigation itself. Clearly, understanding anoymization techinques and how they are used by criminals is become an important skill for the online investigator.
Further reading
1. About freenode IRC Servers. (n.d.). Freenode IRC servers. Retrieved from <freenode.net/irc_servers.shtml>.
2. Anonymizer—Online Privacy, Security, and Anonymous Surfing Solutions. (n.d.). Anonymizer, Inc. Retrieved from <https://www.anonymizer.com/>.
3. Anonymous VPN, Proxy & Torrent Proxy Services. (n.d.). TorGuard. Retrieved from <http://torguard.net/>.
4. Architecture of the World Wide Web, Volume One. (2004). World wide web consortium (W3C). Retrieved from <http://www.w3.org/TR/webarch/>.
5. Benjamin Franklin. Wit and Wisdom. Name that Ben, PBS: Public Broadcasting Service. (2002). PBS. Retrieved from <http://www.pbs.org/benfranklin/l3_wit_name.html/>.
6. BTGuard—Anonymous BitTorrent Services. (n.d.). BTGuard. Retrieved from <http://btguard.com/>.
7. Certified Email with Delivery Receipts, Silent Tracking, Proof-of-Opening History, Security and Timestamps. (n.d.). ReadNotify.com. Retrieved from <ReadyNotify.com>.
8. Daniels, J. (n.d.). BrainyQuote.com. Retrieved from <http://www.brainyquote.com/quotes/quotes/j/jeffdaniel434329.html/>.
9. EPIC—Wiretapping. (n.d.). EPIC—Electronic Privacy Information Center. Retrieved from <http://epic.org/privacy/wiretap/onlineprinpt1.pdf/>.
10. Fast VPN and Anonymous Proxy—Privacy, now and cheap—Proxy.sh. (n.d.). Proxy.sh. Retrieved from <https://proxy.sh/>.
11. FinSpy Agent—Gamma International (UK) Limited Software Informer. (n.d.). Gamma International (UK) Limited Software Informer. Retrieved from <http://finspy-agent.software.informer.com/>.
12. Free Proxy—Surf Anonymously & Hide Your IP Address. (n.d.). Hide my ass! free proxy and privacy tools—surf the web anonymously. Retrieved June 10, 2013, from <http://www.hidemyass.com/proxy/>.
13. Free Public Proxy Servers Lists HTTP, HTTPS Secure Tunnel Connect IRC, SOCKS, CGI PHP Web, Transparent Anonymous Elite High Anonymous, Standard, Non-standard Ports. (n.d.). Free public proxy servers lists. Retrieved from <www.proxies.by/>.
14. Garsiel, T., & Irish, P. (2011, August 5). How browsers work: Behind the scenes of modern web browsers—HTML5 Rocks. HTML5 Rocks—A Resource for Open Web HTML5 Developers. Retrieved from <http://www.html5rocks.com/en/tutorials/internals/howbrowserswork/>.
15. Goldstein, J. (2013, October 2). Arrest in U.S. Shuts Down a Black Market for Narcotics - NYTimes.com. The New York Times - Breaking News, World News & Multimedia. Retrieved from <http://www.nytimes.com/2013/10/03/nyregion/operator-of-online-market-for-illegal-drugs-is-charged-fbi-says.html?_r=0>.
16. Gormley, M. (2011, June 5). Senators target internet narcotics trafficking website silk road. Breaking news and opinion on the Huffington Post. Retrieved from <http://www.huffingtonpost.com/2011/06/05/senators-internet-narcotics-_n_871466.html/>.
17. I2P Anonymous Network—I2P. (n.d.). I2P Anonymous Network—I2P. Retrieved from <www.i2p2.de/>.
18. Jetable.org—Home. (n.d.). Jetable.org—Home. Retrieved from <http://www.jetable.org/en/index/>.
19. Jones, K. (2007, June 29). Lessons learned from HP’s pretexting case. InformationWeek, Business Technology News, Reviews and Blogs. Retrieved from <http://www.informationweek.com/lessons-learned-from-hps-pretexting-case/200001776/>.
20. KPROXY—Free Anonymous Web Proxy—Anonymous Proxy. (n.d.). KPROXY—Free Anonymous Web Proxy. Retrieved from <http://www.kproxy.com/>.
21. Leyden, J. (2012, March 7). The one tiny slip that put LulzSec chief Sabu in the FBI’s pocket. The Register: Sci/Tech News for the World. Retrieved from <http://www.theregister.co.uk/2012/03/07/lulzsec_takedown_analysis/>.
22. Li, B., Erdin, E., Güneş, M. H., Bebis, G., & Shipley, T. (2011). An analysis of anonymizer technology usage. Traffic monitoring and analysis third international workshop, TMA 2011, Vienna, Austria, April 27, 2011: proceedings (pp. 108–121). Berlin: Springer.
23. Mailinator—Let Them Eat Spam!. (n.d.). Mailinator—Let Them Eat Spam! Retrieved from <http://www.mailinator.com/>.
24. McMillian, R. (2006, October 6). Web bugs trained to track your E-Mail. PCWorld—News, Tips and Reviews from the Experts on PCs, Windows, and More. Retrieved from <http://www.pcworld.com/article/127444/article.html/>.
25. Mitnick, K. (n.d.). BrainyQuote.com. Retrieved from <http://www.brainyquote.com/quotes/quotes/k/kevinmitni469455.html/>.
26. NewIPNow.com—Change IP On Demand. Private proxies and More. (n.d.). NewIPNow.com. Retrieved from <http://www.newipnow.com/>.
27. Ninja Cloak: Fast, Free, Anonymous Web Browsing (n.d.). NinjaCloak.com. Retrieved from <http://www.ninjacloak.com/>.
28. Proxify® Anonymous Proxy—Surf the Web Privately and Securely. (n.d.). Proxify®. Retrieved from <https://proxify.com/>.
29. RFC 2616: IETF HTTP/1.1 RFC. Retrieved from <http://tools.ietf.org/html/rfc2616/>.
30. RFC 2965: IETF HTTP State Management Mechanism RFC References. Retrieved from <http://tools.ietf.org/html/rfc2965/>.
31. RFC 4229: HTTP Header Field Registrations. December 2005 (contains a more complete list of HTTP headers). Retrieved from <http://tools.ietf.org/html/rfc4229/>.
32. Send Anonymous Email. (n.d.). Send Anonymous Email. Retrieved from <http://www.sendanonymousemail.net/>.
33. Send Anonymous Email, Anonymous Domain and Anonymous Hosting. (n.d.). Anonymous Speech. Retrieved June 9, 2013, from AnonymousSpeech.com.
34. The Department of Justice’s Principles for Conducting Online Undercover Operations, Public Intelligence. (n.d.). Public Intelligence. Retrieved from <http://publicintelligence.net/the-department-of-justices-principles-for-conducting-online-undercover-operations/>.
35. Tor Project Anonymity Online. (n.d.). Tor Project Anonymity Online. Retrieved from <https://www.torproject.org/>.
36. TorrentPrivacy—Hide your Personal Activity in P2P world. (n.d.). TorrentPrivacy. Retrieved from <https://torrentprivacy.com/>.
37. Tynan, D. (2013, March 21). Web trackers are totally out of control. ITworld. Retrieved from <http://www.itworld.com/it-management/349218/web-trackers-are-completely-out-control/>.
38. Vere Software—ACAV. (n.d.). Vere Software—Online Evidence Collection & Documentation. Retrieved from <http://veresoftware.com/index.php?page=ACAV/>.
39. VPN Service, from the Leaders in VPN Private Internet Access VPN Service. (n.d.). Private Internet Access. Retrieved from <https://www.privateinternetaccess.com/>.
40. WebRTC 1.0: Real-time Communication Between Browsers. (n.d.). World Wide Web Consortium (W3C). Retrieved from <http://www.w3.org/TR/webrtc/>.
41. WebWarper: Saving Traffic, Antivirus, Acceleration, Anonymizer, Optimization of Sites. (n.d.). WebWarper. Retrieved from <http://webwarper.net/>.
42. What Is My IP Address Lookup IP, Hide IP, Change IP, Trace IP and more. (n.d.). What Is My IP Address. Retrieved from <whatismyipaddress.com/>.
43. Wong, G. (2006, October 5). Ex-HP chairman Dunn, others charged in leak case—October 4, 2006. CNNMoney. Retrieved from <http://money.cnn.com/2006/10/04/news/companies/hp_california/index.htm?cnn=yes/>.
1The Working Group was created approximately 2 years before 911 and the realignment and creation of the Department of Homeland Security. With that in mind, the Working Group had representatives from: the Justice Department (Criminal Division): (Computer Crime and Intellectual Property Section, Organized Crime and Racketeering Section, Terrorism and Violent Crimes Section, Child Exploitation and Obscenity Section, Office of International Affairs, the Tax Division, the Environment and Natural Resources Division, the Antitrust Division, the Civil Rights Division, the Office of Legal Counsel, the Inspector General’s Office, the Attorney General’s Advisory Committee, the Executive Office for United States Attorneys, and the Office of Policy Development); the Federal Bureau of Investigation; the Drug Enforcement Administration; the Immigration and Naturalization Service; the United States Marshals Service; the Treasury Department, Office of the Undersecretary for Law Enforcement, the Internal Revenue Service; the US Secret Service; the Bureau of Alcohol, Tobacco, and Firearms; the US Customs Service, the Federal Law Enforcement Training Center, the Financial Crimes Enforcement Network (FinCEN); the Department of Defense, the US Postal Service, the Inspectors General through the President’s Council on Integrity and Efficiency, and the Food and Drug Administration.
2They are formally known as “Online Investigative Principles for Federal Law Enforcement Agents” (November 1999). It is noteworthy that document has the following footer advisement posted on each page: “Property of the United States Government, Contains Sensitive Law Enforcement Information; Distribution Limited to Law Enforcement Personnel.” It was initially released, somewhat redacted, to the Electronic Privacy Information Center (EPIC) in 2004. It is now available online in its entirety from Public Intelligence at http://publicintelligence.net/the-department-of-justices-principles-for-conducting-online-undercover-operations/.
3The other six principles covered were approving Internet research, use of online services to communicate, use of software tools, prohibiting access to restricted online sources or facilities without legal authority, online activity by agents during personal time, and investigations where data and/or witnesses are located in foreign country.