This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No101022004

How can Law Enforcement Agencies tackle terrorism using web forensics?

Web forensics and open-source intelligence (OSINT) are the basic tools used for gathering information about crime in cyberspace. The use of new and advanced technologies by terrorist groups is a daily routine, starting with promotion on social networks, continuing with encrypted communication and ending with the financing of individual terrorist groups. A notable example is the fight against the Islamic State (also known as ISIS, ISIL or Daesh), which was able to use cyberspace for professional promotion, encrypted communication and the gathering of financial support. While Islamic terrorism is at the forefront, the threats posed by right-wing or left-wing extremist groups should not be forgotten, because their activities can pose a significant threat to national security as well.

To gather information from cyberspace successfully, several steps need to be followed:

  • Having a secure connection to cyberspace (the internet)
  • Selecting a suitable browser for saving and securing information (evidence)
  • Gathering information about websites of interest
  • Extracting content from the darknet and individual dark web sites
  • Monitoring the flow of virtual currency and payments

If we want to monitor money laundering and terrorist financing in cyberspace, we must start with a secure connection to the internet. 

One of the best choices for securing your web forensics is to use a Virtual Private Network (VPN), which can establish a protected network connection when using public networks. VPNs encrypt internet traffic and disguise your online identity, making it more difficult for third parties to track your activities online, since the encryption takes place in real time. In addition to VPN connections, there are other alternative solutions that can provide protection on the network, such as special software (e.g. JonDoFox) or pre-modified operating systems (OS).

The next step for successful information gathering is the choice of web browser. One of the best-known web browsers built on the same engine as Google Chrome is Opera, which contains a free VPN service that allows users to surf the web anonymously.

When looking at a website as an object of interest, with the goal of extracting as much information as possible, we can start our web forensics with a simple ping. Ping is a digital tool that you can use to test the online connection between two computers. It will tell you whether you can send a message from your computer to another computer and how long it takes for that computer to receive the message and send a response. It is important to note that some machines may be configured not to respond to pings, and your own firewall settings may restrict your ability to ping other computers. You will generally need to use the command line interface on your computer to send a ping. You will also need to know the address of the other server that you want to send a ping message to. This can be a human-readable domain name, like www.example.com, or an Internet Protocol (IP) address, such as 127.0.0.1.

If you only know the domain name, it is recommended to use a WHOIS domain tool or a WHOIS website. WHOIS is an online tool that allows you to look up information on the target website/web app, such as the domain name, IP address block or autonomous system, but it is also used to query a wider range of information. The information provided in a WHOIS lookup is publicly available unless the website is using domain privacy. Websites of extremist or terrorist groups and organisations that no longer exist can be found on www.archive.org. It provides free public access to collections of digitised materials, including websites. Within archive.org it is possible to monitor the development of individual websites over time; a change in their environment, especially for extremist websites, can be traced to an escalation of radicalisation if appropriate indicators are set.

In cases where we need to analyse the content of a website, it is recommended to download the content through an application designed to back up websites and continue working offline. The content of websites, social network profiles (e.g. Facebook, Instagram, YouTube, etc.) and e-mail boxes can be secured in several ways: 

  • Securing the complete content of individual websites, social network conversations, media channels, etc. in the form of an offline backup with the help of the native environment, special programs or web browser add-ons; the more extensive the request (backup depth level), the longer the backup will take (in some cases you can expect outputs of several tens of GB). A variety of programs can be used to perform backups; websites look different after being downloaded by different programs, and it is seldom possible to produce a copy that looks identical to the online version of the website.
  • If the website or part of the website needs to be secured quickly and easily, screen capture programs can be used; options include paid programs, free alternatives, the web browser's own function for saving a web page to an image, print-to-PDF functions and web browser add-ons.
  • Another option is to take photo or video documentation of the monitor screen or device display on which the website or social network profile (e.g. Facebook, Instagram, YouTube, online messenger) is displayed.

There are many tools for creating website backups. An example is Europol's FREETOOL project, which involves law enforcement agencies (LEAs) in the creation of the tools. Developing tools to support the investigation of crime in cyberspace saves time and money, and the tools can be shared with the wider community. These tools offer the same (and sometimes more advanced) levels of functionality as commercial options.

In the field of web forensics it is important to recognise that the seizure of data is done by specialists trained in handling secured data. Seized data that is important for criminal proceedings is always stored in a way that makes unauthorised change impossible. For this reason, cryptographic hashes (checksums) of the data are computed at the time of seizure, which transparently allows any later unauthorised manipulation to be detected. TRACE pays close attention to the ways in which data security can be treated as a by-product of this process.
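The hashing step described above, shown as an added example (not a TRACE or FREETOOL tool): every file of an offline website backup is hashed with SHA-256 into a manifest at the time of seizure, and the same routine later reports any file that was modified, removed or added. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB pieces so multi-GB backups do not exhaust memory

def sha256_file(path):
    """Hex SHA-256 digest of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root):
    """Manifest: relative POSIX path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def verify_tree(root, manifest):
    """Sorted (status, path) pairs for files modified, missing or added since sealing."""
    current = hash_tree(root)
    problems = [("missing", p) for p in manifest if p not in current]
    problems += [("modified", p) for p in manifest if p in current and current[p] != manifest[p]]
    problems += [("added", p) for p in current if p not in manifest]
    return sorted(problems)

def demo():
    """Constructed sample: seal a tiny offline backup, then simulate tampering."""
    root = tempfile.mkdtemp(prefix="backup_")
    os.makedirs(os.path.join(root, "img"))
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html><body>constructed sample page</body></html>")
    with open(os.path.join(root, "img", "logo.txt"), "w") as f:
        f.write("constructed image placeholder")
    manifest = hash_tree(root)          # in practice stored apart from the data (write-once media)
    with open(os.path.join(root, "index.html"), "a") as f:
        f.write("<!-- altered -->")     # an unauthorised edit after sealing
    return verify_tree(root, manifest)

if __name__ == "__main__":
    print(demo())  # [('modified', 'index.html')]
```

The manifest itself should be signed or stored on write-once media, since a hash list kept beside the data can be rewritten by the same person who alters the data.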

TRACE is aware of the importance of ICT technologies in the field of crime. A significant advantage of the project is that it analyses the issues from the perspective of real criminal cases. Because the case studies are processed by police officers who themselves participated in the investigation of those cases, the TRACE ICT tools are based on practice and personal experience. This means that members can become familiar with their colleagues' tools and avoid practices that have already been tested by specialists and marked as unsuccessful. In ICT forensics, drawing on experience is very important, because going down the wrong path can cost a lot of time and money and will not lead to the desired goal.

Author: National Organized Crime Agency (CNCA)
