Research: Using Network Investigative Techniques (NITs) to Home in on Tor Cybercriminals
Network Investigative Techniques (NITs) are special forms of digital law enforcement tools that enable law enforcement agencies (LEAs) to hack into suspicious computers via the exploitation of vulnerabilities. NITs have aided in the location and identification of cybercriminals operating on various darknets where conventional investigative means proved to be useless. They play a significant role in cybercrime investigations, as well as in the national cybersecurity sphere. However, disclosure of certain NITs’ code can greatly undermine the law enforcement operations that rely on it. In many federal cases, criminal defendants have tried to access NIT code, and courts have had to decide whether or not LEAs must disclose it. LEAs’ emphasis on confidentiality is in considerable tension with criminal defendants’ right to discover information for their defense.
A recently published paper by the New York University School of Law presented some valuable information regarding NITs and how they have been used to convict individuals committing federal crimes on Tor.
NITs and exploitation of vulnerabilities:
A NIT is a special form of software that can control access to a suspicious computer via overriding its security features. Essentially, NITs are malware, or exploits, that are specifically engineered to take advantage of given technological vulnerabilities. As such, NITs enable LEAs to access and control suspicious computers and obtain their identifying information including their IP addresses via the exploitation of software vulnerabilities.
When someone discovers a vulnerability, they have no guarantee of being the only party knowing it exists, and the chances that another party identifies it increase every day. Whenever a vulnerability is disclosed, software developers and antivirus companies will act promptly to fix it. Consequently, LEAs must detect and rely on vulnerabilities that have not been identified or patched by others. This is extremely expensive – vulnerabilities can cost more than $100,000, and even the FBI itself can sometimes lack the resources needed to develop exploits. As such, a vulnerability usually has a limited shelf-life, as NITs will become obsolete after the vulnerability is identified and patched.
Using NITs to target and identify criminals:
During the past few years, the FBI has been relying on NITs to identify vulnerabilities in Tor so that they may deanonymize clients using it. These NITs circumvent Tor’s operation to identify users’ real IP addresses and point investigators to users’ ISPs and physical geo-locations. A NIT is composed of four elements:
1- A generator
2- The exploit
3- The payload
4- A logging server
The generator runs on a Tor hidden service. It generates a unique ID to associate with each website visitor and delivers that ID, together with the exploit and payload, to the visitor’s computer. The generator enables the FBI to track specific NIT implementations to a computer. After the generator transmits the elements of the NIT to the visitor’s computer, the exploit, which is the actual code that takes advantage of a vulnerability to override and control a computer system, takes control of the target computer’s Tor browser to load and execute the payload. The payload code runs on the target computer, searches for authorized information, and then transmits it to the logging server running on an FBI computer. The logging server saves the information collected from the computer, the ID assigned by the generator’s code, and the target computer’s IP address.
Once the FBI obtains information via a NIT, it can effectively use conventional investigative techniques to identify the location of targeted individuals. Typically, a computer’s IP address, assigned by an ISP, reveals its location. Using publicly available information, the FBI can identify the ISP that provides a computer’s IP address. The FBI then serves an administrative subpoena on the ISP to identify the name and physical address of the client linked to the IP address. This allows LEAs to conduct surveillance of target premises and obtain appropriate search warrants. However, a mere IP address is not always enough to identify a criminal.
How the FBI used NITs to home in on cybercriminals:
We will take a look at a few example cases:
Consider Aaron McGrath, who was hosting three child pornography websites: one from his residence and the other two from his work. The IP address associated with the website hosted from his residence had been linked to the woman who shared his residence. It was only via physical surveillance of the residence, searches of social media accounts, pen registers, and the execution of search warrants that the FBI was able to convict McGrath. The FBI has expressed a firm belief that NITs represent the only investigative technique with a reasonable likelihood of securing the needed evidence to prove beyond a reasonable doubt the real physical location and identity of suspects using anonymizing services, such as Tor, to commit federal cybercrimes.
What identifying information does a NIT provide to LEAs? Since IP addresses alone are not reliable leads, a NIT identifies more than a suspect computer’s IP address, but only enough information to ensure that the FBI has located and identified the correct suspect. The FBI’s use of NITs in multiple child pornography operations shows how it has refined its techniques over time and how it is now able to obtain more specific identifying information for an accurate conviction.
For instance, the NIT used by the FBI in Operation Torpedo managed to obtain the suspect computer’s IP address as well as the date and time the NIT identified the IP address, the “unique session identifier” that a website usually assigns to a visiting machine, and the type of operating system running on the suspect’s computer. The FBI explained why each piece of information was essential in closing in on the suspect – the IP address could be associated with an ISP and ISP client, the session identifier would distinguish one computer’s data from another, and the operating system details would help distinguish the suspect’s computer from other computers using the same ISP within the same premises.
The Playpen NIT obtained slightly more information. In addition to obtaining the same aforementioned information, the Playpen NIT collected information about whether or not the NIT had been successfully delivered to the suspect’s computer, the suspect computer’s host name, the suspect computer’s active operating system username, and the suspect computer’s MAC address. The host name helped in identification of the device in various forms of electronic communications, including communications over the Internet. Moreover, the MAC address, which identifies the network adapter used to connect a computer to a network, enabled the FBI to determine whether or not suspects used the same network adapter.