DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2013.46
Marc Liberatore , University of Massachusetts Amherst, Amherst
Brian Neil Levine , University of Massachusetts Amherst, Amherst
Clay Shields , Georgetown University, Washington
Brian Lynn , University of Massachusetts Amherst, Amherst
Measurements of the Internet for law enforcement purposes must be forensically valid. We examine the problems inherent in using various network- and application-level identifiers in the context of forensic measurement, as exemplified in the policing of peer-to-peer file sharing networks for sexually exploitative imagery of children (child pornography). First, we present a one-year measurement performed in the law enforcement context. We then show how the identifiers in these measurements can be unreliable, and propose the tagging of remote machines. Our proposed tagging method marks remote machines by providing them with application- or system-level data that is valid, but which covertly has meaning to investigators. This tagging allows investigators to link network observations with physical evidence in a legal, forensically strong, and valid manner. We present a detailed model and analysis of our method, show how tagging can be used in several specific applications, discuss the general applicability of our method, and detail why the tags are strong evidence of criminal intent and participation in a crime. We then describe the tagging mechanisms that have we implemented using the eMule file sharing client.
empirical observation, forensics, internet, child pornography, criminal investigations
M. Liberatore, B. N. Levine, C. Shields and B. Lynn, "Efficient Tagging of Remote Peers During Child Pornography Investigations," in IEEE Transactions on Dependable and Secure Computing.