08: NITs


Next class (23 February) is our first midterm. Please arrive on time and seat yourself such that you are not immediately adjacent to other students.

(Note that today's topics will not be on the first midterm.)

Today: Network Investigations

The techniques we've covered so far have been related to analysis of data already in our possession. But first, investigators need to get hold of the disk in question in order to image it. How might they do so when the crime is being committed over the Internet?

As we mentioned in response to a question in a previous class, one responsibility of law enforcement is to stop the trafficking of contraband on the Internet, including images of child sexual exploitation (aka "child porn" or CP; though I don't like how that term minimizes the awful nature of the imagery in question, it is widely used).

  • crime being committed (analogy to drug trafficking)
  • localize: map the public IP address to a subscriber (subpoena process to the ISP)
  • possible direct observation / knock+talk
  • warrant
  • then comes forensic exam

It all hinges on the public IP address obtained in step 2 above.

Sophisticated criminals

Tor is a system for decoupling IPs from requests. (On board: typical client-server request, then a Tor request).

Not only that, Tor can be used to provide "hidden services", where the server itself is hidden from the user, too. (On board.)

How can LE investigate in this scenario?

Playpen case

(Most of the following is excerpted from Hennessey and Weaver.)

"The FBI learned, through a foreign partner, a website dedicated to the distribution of child sexual abuse materials was determined to be located within the United States. While the FBI was able to locate the server, and bring the site under government control, it was still unable to determine the physical location of individuals who were accessing and posting child pornography on the site."

"The FBI used, in essence, a court authorized hacking method to circumvent the operation of Tor to determine genuine IP addresses. After obtaining a warrant—the subject of a distinct controversy not addressed here—the FBI operated the site for two weeks, during which it deployed the NIT to learn the location of any users who logged in and accessed particular pages hosting contraband child pornography."

NIT consists of:

  • generator: unique nonce, associate with user, transmit ID, exploit, payload to user's PC
  • exploit: 0day the browser, execute the payload
  • payload: conduct search (MAC, username, etc.); transmit over IP to logging server (which also reveals IP)
  • logging server: record response (HTTP?); also PCAP (packet capture) all data transmitted

FBI then follows usual process (subpoena ISP, find address, get search warrant...) "The seizure of the computer is technically relevant because the NIT recorded information that identified the particular computer, and therefore a match demonstrates that an individual visited Playpen using the actual computer in question rather than an unknown third-party using the suspect's network connection without his knowledge."

Disclose or dismiss

Defense attorneys gotta defend. One line of defense that's been reasonably successful has leveraged the "disclose or dismiss" doctrine. If:

  • a court agrees that a technical portion of LE's techniques (in this case, the exploit) is privileged and cannot be disclosed safely; and
  • the defense demonstrates this portion is material to the defense

...then the prosecution must either disclose the exploit, or dismiss the case.

The question then is how much of the NIT is needed for the defense to fully understand it, or at least, to know everything it needs to mount a robust defense.

Gov't asserted that only the payload needed to be disclosed, but later disclosed much (but not all). In particular, it kept the exploit. In the Michaud case, "Despite the judge’s initial skepticism, following an ex parte hearing, he was convinced that the assertion of law enforcement privilege was proper, and that the government could not safely disclose the exploit to defense experts, even under a protective order...whatever the government showed the judge was utterly convincing on the point. He reversed a previous order requiring disclosure and agreed with the government that no protective order was sufficient to guard the interests at stake."

Hennessey and Weaver: "We believe the Michaud court erred." Possibly. Here's their argument. "NITs offer the defense an opportunity to perform a detailed evaluation of the functionality, to determine what the NIT searched for, how it conducted the search, what data was seized, and the chain of custody. Evaluating those different questions requires access to different components, and what failures within these particular systems might mean has different evidentiary consequences."

  1. Does the ID number uniquely identify a single user of the site?

    Even with duplicates, IPs still show a visit. Specific mappings of accounts -> evidence observed over network might be lost (but recoverable from disk forensics).

    "A defective generator would be visible in the logs which would show multiple invocations of the NIT with the same ID number. So the non-existence of a defect related to unique identifiers is verifiable without seeing the exploit and the exploit is not necessary to understanding the generator defect."

  2. What did the NIT seize from the defendant’s system and send to the logging service?

    PCAP file contains all evidence seized; exploit needn't be disclosed.

  3. Who did the NIT target?

    Logs at Playpen server + logging service show that the NIT wasn't deployed overbroadly.

  4. Is there a solid chain of custody?

    "The primary NIT evidence—identification of the defendant’s computer with a particular MAC address, hostname, and a given username—is captured in the pcap file at the logging service. The pcap file—combined with the site’s logs and generator log to ensure that the ID is associated with a unique user on the site—represents the key evidence. As long as these files are properly generated and stored, there is proof of an effective chain of custody because any errors in the larger logging server will result in discrepancies between the results of the larger logging program and the captured pcaps"

    Bigger question of unencrypted tx: "that third party would need to have advance awareness of the FBI’s activity, possess a valid login for the hidden site hosting the NIT (to obtain the ID which was used), and simultaneously have a detailed profile of the target’s computer, including the MAC address as well as control of the target’s network as a man-in-the-middle."

    "This activity would represent highly-sophisticated tradecraft and would suggest capabilities on par with nation-states, particularly in obtaining detailed knowledge of protected FBI operational plans. Because this kind of conspiracy against a defendant would defy ordinary logic, there would likely need to be a threshold showing of probability."

    "Ignoring the absurdity of the hypothetical, as a technical matter, it is almost certain that a third-party attacker would have control over the target’s computer directly. Therefore, the most likely evidence as to whether a target may have been framed by someone capable of tampering with the NIT’s communication would be obtained by examining the defendant’s computer for signs of that third party."

    Exploit still not relevant!

  5. Did the NIT correctly gather the seized information?

    Key is in payload, not exploit. Self-validating: the logs should match the seized data. If not, there's a problem somewhere.

  6. Did the NIT seize additional information from the defendant’s system and send it to a different system on the internet?

    Logger only logs what is sent to it. Validating that no data was sent elsewhere requires examining all code sent to client, including exploit.

    "A government expert could testify to the fact that the exploit only transmitted to the logging system."

    "If there is a determination that independent verification is needed as to whether the government expert has committed perjury... mutually agreeable expert could examine only the exploit code under secure conditions and then attest as to whether the FBI had lied."

  7. Did the search conducted by the NIT exceed the scope of the warrant without seizing information?

    Did NIT only search for what was asked for in the warrant? Again, requires examining all code. No bearing on the integrity of the NIT or the evidence obtained from the computer, but would go to the potential invalidity of the government’s warrant. As above, would be malice, not a mistake, on FBI's part.

  8. Did the NIT introduce additional weaknesses to the defendant’s computer?

    An unintentional backdoor? Very unlikely technically! Would require examining all code.

    But has no bearing on gathered evidence, unless you also assume a third party leveraged this hypothetical backdoor and (i) the user visited Playpen but didn't download files, and the third party planted the relevant evidence, or (ii) the third party remote-controlled the computer.

    "It strains belief, but if this is in fact the defense theory, then examination of the exploit is material to that claim."

Three strategies for defense

Three scenarios: An honest but careless FBI, an unknown third party, and a dishonest FBI.

"Verifying the correct operation of the NIT requires examining the pcaps, generator, generator logs, server logs, and the computer seized from the defendant. If the NIT operated properly, then the generator should generate unique IDs, the logs should show that each invocation used a unique ID, and the seized data in the pcaps should match a system seized with a physical search warrant. If this is the case, then any errors that might have existed in the payload or exploit resulted in a failure to collect evidence and did not in any way compromise evidence which was successfully collected."
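As an added example (not code from these notes, from Hennessey and Weaver, or from any actual NIT), here is the cross-check described in that paragraph and in items 1 through 5 above, written in Python against the NIT components listed earlier: the generator log, the logging server's own records, its pcap, and the attributes recovered from the seized computer. The callback format (an HTTP POST carrying a query string with id, mac, host and user), the record layouts, and the field names are assumptions; the pcap bytes and all log data are constructed inline. The point of reading the source IP out of the IP header of the capture, rather than out of anything the payload reports, is the one the notes make: the payload connects directly, outside Tor, so the capture shows the real address.

```python
# Added example, not from Hennessey and Weaver or any real NIT: cross-checks
# the generator log, the logging server's records, its pcap, and the seized
# computer. Assumptions: the payload calls back with an HTTP POST carrying a
# query string (id, mac, host, user); the capture is little-endian pcap with
# LINKTYPE_IPV4 frames (no Ethernet header). All data in demo() is constructed.
import struct
from collections import Counter
from urllib.parse import parse_qs

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_IPV4 = 228


def build_pcap(packets):
    """Serialize (ts_sec, src_ip, dst_ip, body) tuples into a pcap file with
    one HTTP POST per tuple; stands in for the logging server's capture."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IPV4)
    for ts, src, dst, body in packets:
        req = ("POST /log HTTP/1.1\r\nHost: logger\r\n"
               f"Content-Length: {len(body)}\r\n\r\n{body}").encode()
        tcp = struct.pack("!HHIIBBHHH", 54321, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(req), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
        frame = ip + tcp + req
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (ts_sec, src_ip, fields) per HTTP body; src_ip is read from the IP
    header, i.e. the address the payload really connected from, outside Tor."""
    magic, = struct.unpack_from("<I", data, 0)
    linktype, = struct.unpack_from("<I", data, 20)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_IPV4:
        raise ValueError("expected little-endian pcap with LINKTYPE_IPV4 frames")
    off = 24
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ihl = (frame[0] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[12:16])
        tcp = frame[ihl:]
        payload = tcp[(tcp[12] >> 4) * 4:].decode("ascii", "replace")
        _, _, body = payload.partition("\r\n\r\n")
        yield ts, src, {k: v[0] for k, v in parse_qs(body).items()}


def audit(generator_log, server_log, pcap_bytes, defendant_id, seized):
    """Return a list of findings (empty means every check passed).
    generator_log: [{"id", "account"}]; server_log: {id: {"ip","mac","host","user"}};
    seized: {"mac", "host", "user"} from the forensic exam of the seized PC."""
    findings = []
    # H&W item 1: each delivery got a unique ID, so an ID maps to one account.
    dups = [i for i, n in Counter(e["id"] for e in generator_log).items() if n > 1]
    if dups:
        findings.append(f"generator reused IDs {dups}")
    issued = {e["id"] for e in generator_log}
    callbacks = {}
    for _ts, src, f in parse_pcap(pcap_bytes):
        # H&W item 3: only IDs the generator handed to site users may call back.
        if f.get("id") not in issued:
            findings.append(f"callback with unissued ID {f.get('id')!r} from {src}")
            continue
        callbacks[f["id"]] = (src, f)
        # H&W items 4 and 5: the logger's record must match the bytes on the wire.
        wire = {"ip": src, **{k: f.get(k) for k in ("mac", "host", "user")}}
        rec = server_log.get(f["id"])
        if rec is None:
            findings.append(f"ID {f['id']} in pcap but not in server log")
        elif rec != wire:
            findings.append(f"server log and pcap disagree for ID {f['id']}")
    for i in sorted(server_log.keys() - callbacks.keys()):
        findings.append(f"server log has ID {i} with no packet in pcap")
    # Physical search warrant: the seized machine must be the one that called back.
    if defendant_id not in callbacks:
        findings.append(f"no callback recorded for defendant ID {defendant_id}")
    elif {k: callbacks[defendant_id][1].get(k) for k in seized} != seized:
        findings.append("seized computer does not match the NIT callback")
    return findings


def demo(tamper=False):
    """Constructed scenario: two users got the NIT, ID 7f3a9c is the defendant's;
    tamper=True alters the logger's recorded IP for that ID, which the pcap exposes."""
    gen = [{"id": "7f3a9c", "account": "abc"}, {"id": "e1b204", "account": "xyz"}]
    packets = [
        (1425000000, "203.0.113.7", "198.51.100.9",
         "id=7f3a9c&mac=00:11:22:33:44:55&host=DESKTOP-A&user=jdoe"),
        (1425000300, "192.0.2.44", "198.51.100.9",
         "id=e1b204&mac=66:77:88:99:aa:bb&host=LAPTOP-B&user=msmith"),
    ]
    server = {
        "7f3a9c": {"ip": "203.0.113.7", "mac": "00:11:22:33:44:55", "host": "DESKTOP-A", "user": "jdoe"},
        "e1b204": {"ip": "192.0.2.44", "mac": "66:77:88:99:aa:bb", "host": "LAPTOP-B", "user": "msmith"},
    }
    if tamper:
        server["7f3a9c"]["ip"] = "203.0.113.8"
    seized = {"mac": "00:11:22:33:44:55", "host": "DESKTOP-A", "user": "jdoe"}
    return audit(gen, server, build_pcap(packets), "7f3a9c", seized)
```

Running `demo()` on the clean data returns no findings; `demo(tamper=True)` returns the single discrepancy between the logger's record and the capture, which is exactly the failure mode the chain-of-custody argument relies on being visible. Note what the audit never needs: the exploit. Every check is over the generator log, the logger's records, the capture, and the seized machine, which is the point Hennessey and Weaver are making.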

"The defense could assert that an unknown third party planted or otherwise compromised evidence. Seeing the exploit—and in fact the payload—would be immaterial to this claim. The method to identify if an unknown third party acted to frame the defendant requires examination of the defendant’s computer for signs that such an intruder left on the system. The NIT itself would not benefit or enable an intruder under any realistic circumstances. And if, implausibly, the NIT actually did open the defendant’s computer up to attack, that attack would have occurred at some period after the NIT. If the defense wished to explore a theory of elaborate framing, then experts should examine the computer and not the exploit."

"The only scenario in which a defense could gain new information material to its case is if the FBI deliberately programmed the NIT to exceed the scope of the warrant, either by searching for (ultimately undiscovered) evidence beyond the authorization or by transmitting information to a separate FBI server. This activity would certainly speak to the validity of the government’s warrant, however it would not have any bearing on the veracity or forensic integrity of the evidence collected. If the court permits the defense to explore the theory of corrupt law enforcement, then it could minimize risk to the sensitive exploit information by permitting examination of the exploit by a neutral expert who could verify the accuracy of the FBI’s representations."