By Michael Geraghty, Vice President of High Technology Investigations, Corporate Investigations Division, Prudential Financial, Newark, New Jersey
he Internet revolution has brought an array of technologies that have touched nearly every aspect of modern life. The ability to communicate and share information instantaneously makes all the distant corners of the world a part of the local communities. It also gives criminals who prey upon children another way to victimize the most vulnerable and innocent members of society.
The Internet provides a child predator with access to children on a scale that makes the world his local playground. It is a medium through which digital images and movies documenting the most horrific crimes against children are distributed to a worldwide audience.
Every client service that the Internet provides has been exploited for the purposes of victimizing children—e-mail, the World Wide Web, instant messaging, Usenet newsgroups—have all been used as distribution and communication channels for the sexual abuse of children. One of the keys to investigating and combating computer-facilitated crimes against children is an understanding of the way the Internet works.
Internet Technical Protocols
At the heart of the Internet and all the traffic that traverses it are rules that dictate how computers communicate with one another. This set of rules, or protocols, requires that every computer on the public Internet have a unique address, just as each telephone requires its own telephone number. The computer address is known as the Internet Protocol (IP) address. Without such uniqueness, e-mail messages could not find their destination, instant messages would collide, and requests for information from Web sites would go unanswered. A single computer can have multiple IP addresses.
Early in the development of the Internet, users would need to remember the IP addresses of the computers that they wanted to access. This was a daunting task because each IP address consists of a series of four sets of eight-bit numbers. Today, IP addresses are hidden from the end user. Instead, the users rely on easy to remember naming conventions to access systems and communicate with one another. In the background the computer makes the necessary translations from names to IP addresses in order deliver the content. For example, users reach the IACP Web site by directing their Web browser software to www.theiacp.org , but their computer translates this name to the IP address, 18.104.22.168, in order to reach the content on the IACP Web site.
While naming conventions make it easy to use the Internet, criminals regularly exploit vulnerabilities in them to disguise themselves, obfuscate their activity, and mislead law enforcement. Identifying the IP address of the computer that an offender is using gets an investigator one step closer to identifying the offender.
Typically, users are assigned IP addresses by their Internet service providers (ISPs), who in turn are assigned blocks of addresses from a regional Internet registry (RIR). At the top of the IP address allocation pyramid is the Internet Assigned Numbers Authority (IANA). IANA is responsible for the global allocation and assignment of IP addresses. By identifying the IP address that an offender is using, an investigator can deduce the ISP responsible for the allocation of that address. Legal process served upon the ISP will usually result in identifying the subscriber to whom the IP address was assigned.
It should always be that simple, but it is not. The reality of today’s Internet is that not all ISPs maintain such records, and the computers that are assigned these IP addresses are not necessarily secure. Viruses and other kinds of malicious software (commonly called malware) and the security vulnerabilities inherent in operating systems and applications can complicate attempts to identify a computer’s IP address, and investigators must account for them.
Identifying the IP address of a computer used to exploit children is a step toward identifying the user of that computer, it is just that, a step. Traditional detective work, including interview and interrogation, surveillance, and due diligence is as important as the technical investigation if not more so. It is, after all, a person who commits the crime, not a computer. Computers have no motives, but criminals do.
The ability to access computers anywhere in the world has removed any sense of locality from the criminal activity that thrives on the Internet. A single Web site featuring digital images and videos of children can maintain all of its content on different computers in multiple jurisdictions, and the criminals who operate these sites can do so from yet another jurisdiction. This presents law enforcement with not only technical challenges but also jurisdictional and legal hurdles.
The Domain Name System (DNS) is a distributed hierarchical database that provides users with the ability to use easily remembered names, rather than the numbers of IP addresses to navigate the Internet. In the DNS, suffixes such as .org, .com, and .net are considered generic top-level domains. In addition to the generic top-level domains there are country code top-level domains that are referenced using a two-letter abbreviation for their corresponding country of territory. For instance .ru is used to refer to the Russian Federation, .uk to the United Kingdom, and .br to Brazil.
Unlawful Internet activity such as the existence of a Web site containing images depicting child pornography may be reported to a local agency far from the apparent geographic location of the site on which the illegal content is hosted. Decisions as to investigative strategies or jurisdictional responsibility should not be based solely on the name of the Web site. Web site addresses typically contain domain names as part of their address string. For those with generic top-level domains, it is impossible to determine the geographic location of the site based solely on this domain name. Even an inspection of its corresponding registration data is insufficient to make such a determination, as those who register domains for illegal purposes often do so using fictitious information.
For country code top-level domains, such as the one contained in www.childporn.co.uk , it would seem likely that this site would exist in the United Kingdom. In reality it could exist anywhere in the world. Only by linking the Web site address to its IP address can an investigator determine the true geographic location of the computer on which the illegal Web site is hosted. And even then investigators must conduct an additional inspection of the content of the site, including the physical locations of the images depicted on it, before determining next steps.
It is this ambiguity, and the confusion it causes, that makes the Internet a relatively safe environment for those wishing to sexually abuse children to operate. As such, it is imperative that investigators assigned to units responsible for the investigation of computer-facilitated crimes against children understand the technical aspects of these crimes.
In any investigation the proper collection and analysis of evidence is essential to its success. Computers that are used to facilitate crimes against children are vast repositories of digital evidence. The volatility of digital evidence, however, presents investigators with another set of challenges. Failure to properly collect, document, and safeguard this evidence can lead to charges of spoliation and the subsequent suppression of it from court proceedings. Only those qualified to process digital evidence should be involved in its collection. And any analysis of this evidence should be made in a way that prevents any alteration of it.
Digital evidence can be found almost anywhere. An obvious source would be the suspect’s or victim’s computer system. In addition, digital evidence can be found on removable storage media, network devices, wireless devices, and other devices. Most of these objects will be located relatively close to the suspect or victim. Additional digital evidence may be secreted in remote locations online. Records and logs maintained by online service providers should be considered additional sources of digital evidence.
The analysis of digital evidence requires not only a knowledge of the technical workings of computer systems and networks, but also the ability to recognize and understand their applicability to the criminal act. E-mail messages sent, instant messages received, Web sites visited—computers record this information. Extracting this evidence requires a distinct technical skill set, but the evidence extracted must be interpreted properly before any conclusions can be drawn.
The sexual abuse of children is not a high-technology crime but one in which the technology allows for such abuse to take place on a global stage. In an effort to combat these crimes, police agencies and related organizations have developed training curricula with assistance from private corporations. To that end, the International Center for Missing and Exploited Children has joined with Interpol in developing a training program for law enforcement agencies throughout the world. The program consists of blocks of instruction that provide solutions to not only the technical issues but also the overall challenges that these crimes pose. Its goal is to make law enforcement more effective in dealing with computer-facilitated crimes against children. During the last three years, this weeklong training program has been delivered in 21 countries on six continents to about 2,000 law enforcement officers representing agencies from around the world. It is only through training programs like this that law enforcement can hope to overcome the technical challenges it faces. ■