Peer-to-Peer Investigations

peer-to-peerWhile peer-to-peer (P2P) networks are used by many people who like to share music, graphics, images and movies, they are also commonly used by offenders to share child pornography. The anonymity and ease of use that the Internet offers combine to make parts of it a hotbed of criminality and exploitation. P2P networks allow collectors of child pornography to download and trade movies and images with others in the network. In effect, individuals in these networks maintain “libraries” of images for others to share. Fortunately there are tools that can identify sharing of child pornography in P2P networks. This course provides the critical training you need in order to use the tools that are available to combat these crimes. You will learn about IP addressing, how to search for downloads and contraband, legal issues you need to consider when building your case, and much more.

Audience: All high-tech crime investigators
Prerequisites: Background in online investigations; Understand and have experience with the basic computer crime scene.
Length: 3 days
Difficulty: Intermediate-to-advanced

Syllabus

Getting Started

We begin by reminding you that the purpose of this course is to train you in methods to ultimately rescue children by removing child predators from the Internet.

We show you why Firefox—supplemented by our list of recommended add-ons—will soon become your favorite Internet browser to use for investigations. You’ll see a demonstration of some Firefox Add-ons that will speed up your investigations by increasing functionality. Many of these add-ons fall under the category of “You better hurry up and grab it now, because it might be gone later.”

Peer-to-Peer Background

We begin to lay the foundation for this course by defining peer-to-peer (P2P) networks. Then we identify major P2P software applications, and show you the methods used to trade files in a P2P environment. You’ll see how P2P networks are used globally to exchange images and videos depicting the sexual exploitation of children. We introduce you to two key law enforcement tools for P2P investigations: the Child Protection System (CPS) and ShareazaLE.

CPS is a suite of programs centered on a web-based interface; it provides access to investigative data that has been gathered by automated tools or law enforcement searches. The CPS web interface allows investigators to query the database, provide deconfliction, and create investigative jobs.

ShareazaLE is a version of the P2P client software, Shareaza, that has been modified for law enforcement use.

IP Addressing/ Digital Officer Safety

Our first general rule for law enforcement is this: always practice digital officer safety. This means that you need to understand the concept of Internet Protocol (IP) addressing and know your IP address when conducting undercover investigations. In this block we discuss IP addressing and how it can be used to identify suspects. You’ll learn what an IP address is and see the different ways IP addresses are assigned. You’ll also learn how IP addresses can be useful to law enforcement and how to resolve IP addresses back to a subscriber. Finally, you will participate in an exercise to identify an IP address and resolve it back to the Internet Service Provider.

Installing/Configuring Your System

We show you how to set up your computer so that your P2P undercover (UC) operations are conducted without risk of placing child pornography back into circulation. We discuss the requirements for a UC computing environment and you will participate in an exercise to install and configure a UC system.

Searching for Downloads/Contraband

During this hands-on lab, we’ll show you how to use Phex, a Gnutella P2P client, to locate and download files. You’ll use search terms to establish the likelihood of finding child pornography on the Internet, and SHA-1 values to identify prospective downloads. By matching digital signatures, you’ll verify which download opportunities will best match the prosecution criteria in your local jurisdiction. We show you how to browse a host and conduct a download from a single source. Your assignment will be to locate and download specific criminal files.

Peer Spectre 2

We introduce you to another tool—Peer Spectre 2—and demonstrate its capabilities for investigators. We walk you through installation and setup and show you how it integrates with CPS.

Child Protection System

After a quick review of what we covered yesterday, we launch into a demonstration of CPS and familiarize you with the CPS interface and the functions associated with the system’s features. We discuss data types and sources, and the types of queries and reporting available. We cover query scoring and IP logging, and the use of CPS to deconflict with other investigators.

Advanced CPS Tools – ShareazaLE

The next tool we show you is ShareazaLE, a P2P file sharing system. We explain its role in CPS and review how to launch jobs via CPS. We talk about single-source downloads and browses of target IPs, and show you the logs and documentation it generates. In the classroom you will use CPS and ShareazaLE to identify likely targets within your jurisdiction and launch jobs to browse and download identified files. You will retrieve generated log files and review the documentation created to support the case. You will also learn about Query Routing Protocol and how it relates to investigating P2P networks.

Advanced CPS Tools – Media Library

In this block we show you how to handle and categorize images and video files to create your Media Library, a supplement CPS application. Using material downloaded in prior exercises, you will use Media Library to view and locally classify images and videos. We’ll show you the proper storage of contraband, and introduce you to download magnets. You’ll see how to use ShareazaLE to accept jobs created in Media Library to obtain needed files.

Legal Issues

We begin our legal discussion by helping you define the location of your crime scene. Is it on a laptop? Cell phone? In the cloud? We talk through the pros and cons of different types of searches: consent, warrant, and exigent circumstance. We show you the legal issues surrounding P2P cases and walk you through two different digital evidence collection scenarios. We show you what should be put in a warrant. You’ll learn about pre-search warrant execution activities and special precautions that you should take.

We talk about Federal privacy statutes, including the Electronic Communications Privacy Act (ECPA) and the Privacy Protection Act. Our discussion about evidence in cyberspace includes information on the Stored Communications Act, which is likely going to control most of the evidence you are looking for. When we’re finished, you should have all the information you need in order to complete your affidavit.

Building a Case

This is an opportunity to put your newfound skills to the test. If you were able to find information for your jurisdiction during this course, we’ll help you begin to build your case. For some investigators, that means conducting a live investigation while attending this course—a great way to multitask.