The standard instrumentality for the criminal acquisition and distribution of images and video of child sexual exploitation is peer-to-peer (p2p) networks. Over 160,000 users based in the US are sharing child pornography (CP) using Gnutella alone. Past studies have found that: 21% of CP possessors had images depicting sexual violence to children such as bondage, rape, and torture; 28% had images of children younger than 3 years old; and that 16% of investigations of CP possession ended with discovery of persons who directly victimized children.
The proposed work aims to make significant advances in forensics methods of investigating criminal acts on peer-to-peer file sharing networks. The project represents a unique multidisciplinary collaboration between computer science and criminology with close participation from existing law enforcement partners.
Intellectual Merit. The project makes the following broad contributions:
- It proposes novel methods of tagging a remote computer over the network with information that can uniquely identify it during a forensic examination. These serve as both identifiers and as indicia of intent.
- It proposes to gather a foundational dataset regarding the prevalence and rate of spread of child pornography on p2p networks. Further, it proposes to measure and quantify the relationships between child abuse and the trading of child pornography on p2p networks. Finally, it proposes the development of models to detect the trafficking of deliberately hidden child pornography on these networks.
Broader Impact. The project aims to reduce the number of children sexually exploited each year by thwarting the trafficking of their images on p2p networks and via the capture of the contact offenders that rape, torture, or otherwise brutalize them. This work will increase cross-disciplinary collaboration between computer science and criminology and between law enforcement and academia; effect technology transfer to law enforcement in the field of online child pornography investigations, which will help reduce the number of victims of crimes in the future; and facilitate broad educational outreach and recruitment of under-represented minorities in undergraduate and graduate research in digital forensics.
For further information see the project web site at the URL: http://prisms.cs.umass.edu/CNS-1018615
This joint project (CNS-1018615 & CNS-1016788) carried out an interdisciplinary research agenda that made significant advances in the security fields of digital forensics and privacy through 1) contributing novel methods of privacy-preserving, network-based investigation, 2) demonstrating vulnerabilities resulting from a mismatch of common security models and the context of digital forensic investigations, and 3) adding to scientific knowledge about cybercrime, specifically illegal trafficking in child pornography on peer-to-peer (p2p) networks. Our work had a strong broader impact due to our practitioner outreach and our development of novel forensic tools that efficiently target and investigate the most serious child pornography traffickers in ways that have not heretofore been possible. Our work was collaborative with law enforcement and developed with an understanding of investigative constraints. The project goals and outcomes were as follows. 1. Forensic Tagging: We designed a novel method of offering recoverable marks to a remote computer over a p2p network, which we call tagging. This method gives law enforcement a privacy-preserving, efficient and accurate way to verify the identity of seized computers that had engaged in cybercrime. Previous methods of gathering information about a remote computer rely on statistical characterizations that are verified upon seizure, including clock skew or radiometrics. In contrast, our method is the first to provide probabilistic guarantees, tunable to high levels, that a device being physically examined is the same one that was previously observed remotely on a p2p network (i.e., a false positive rate lower than 1 in 1,000,000), using only information unintelligible to third parties. 2. Forensic Attacker Model: We showed how finding mismatches between standard attacker models and the technical and legal realities of forensic investigations reveals vulnerabilities. We introduced a new threat model, based on digital forensics and computer crime law, and we applied our insight to anonymous p2p protocols (often used in child pornography trafficking) as an example. 3. Analysis of Cybercrime on P2P Networks: We completed a wide-scale, multi-network study examining the prevalence of cybercrime (child pornography distribution) on p2p networks. We were able to measure and quantify the availability of child pornography (CP) content on these networks and the types of CP content available, using only SHA values and without visual examination or access to illegal images. We surveyed law enforcement investigators about the outcomes of arrest cases for child pornography trafficking on p2p networks and examined relationships between such trafficking and committing offline crimes involving child molestation. Over a one-year period, we observed over 1.8 million distinct peers on eMule and over 700,000 peers on Gnutella, from over 100 countries, sharing hundreds of thousands of CP files. We observed that the majority of CP files are shared by a relatively small set of users; and a smaller set of files are shared so redundantly that their daily availability is guaranteed. We examine methods of target selection designed specifically to reduce content availability on these networks. Our study also revealed Tor usage vulnerabilities: over 90% of linkable user sessions observed on three or more days send traffic from non-Tor IPs at least once after first using Tor, thus negating its protection. We linked ground-truth from the law enforcement surveys about offline crimes committed by arrested cybercriminals with the files they shared in order to design predictive methods for detecting previously unknown images (to help law enforcement identify new victims depicted in images). Further, we developed models to predict offline offender behavior (i.e., child molestation) based upon cybercriminal activities visible on these networks. (We followed approved IRB protocols; no personal details about victims or offenders were identified.) We also completed two major broader impact goals: Practitioner Outreach: Our research has resulted in new methods that law enforcement can use to thwart those who would distribute, receive, and possess child pornography through p2p networks, with the ultimate goals of reducing the amount of CP circulating online and increasing law enforcement ability to identify and arrest the most dangerous child pornography offenders, those that molest children. Our goals, therefore, also seek to improve the usability of trustworthy computing placed in the hands of practitioners, specifically, the value of trustworthy computing in real settings such as used by law enforcement. Our work that measured child pornography on p2p networks has been widely read by practitioners and policy makers outside of the academic security field. Throughout this project we have engaged in regular educational outreach to the law enforcement community, speaking at conferences and describing our work to law enforcement officials at invited presentations. REU Outreach: We have leveraged an NSF-sponsored program on our campus to help diversify the population of students in computer science and engineering. Our activities have involved recruitment of underrepresented minorities from community colleges through a summer-long REU (i.e., Research Experiences for Undergraduates) with two students.
