The amazing forensic work of Mr Andrew Kelly aka Spiney
lfsoft Aug 25th, 2019
- The following is a brief analysis of the forensic work and open-source intelligence of Mr Andrew Kelly, who deciphered a vast cache of child abuse material that, as well as being cleverly encrypted, contained huge amounts of "noisy" data used to obscure the images contained in the cache.
- Let me first explain how the disks were encrypted.
- The first stage was a standard password-locked folder system, easy to exploit using known vulnerabilities in the Windows XP kernel.
- After this, they had used the TrueCrypt software to create sub-volumes, mounted as hidden files. The media were contained in folder/volume stacks several layers deep, but easy to unlock with the correct information.
- Lastly, they deleted the files, but then subsequently prevented write access to protect the contents of the "deleted" files, which were simple to recover using the "undelete" command in DOS.
- Luckily, Spiney was able to locate an 0day in TrueCrypt, allowing the filesystems to be accessed without the secret key.
- This took a week, from the beginning of the op to the uncovering of the actual files. We were in a lock-up and had little access to facilities.
- The discovery of the 0day occurred at this time, which meant that the previous week's work, which involved a timing-based assault on the encryption, had been pointless: we had uncovered little more than a few bits of the key. However, we now had full access to the drives.
- Next, Spiney went about decrypting the caches. There were 5 disks, three of which had content, resulting in several terabytes of raw data.
- The folders were full of deliberate clutter, but software was used to locate the image caches. These were found to contain a vast number of sexualised images of children. (More caches were found later which contained the most serious category; however, these disks were lost and never found, presumed destroyed.)
- These were deliberately arranged so as not to exceed the precise legal limit on the number of images of naked children set by law; however, our argument was that the arrangement and structure of the caches pointed to a potential distribution network.
- And this should have been the focus of a further investigation, because in addition to an image cache, there were membership details of illegal websites, including client-side SSL keys (shell logins), and in-browser SSL keys, that would allow a user to access information completely inaccessible from the outside.
- These were partly hosted on the dark web, and partly on obscure URLs hosted privately.
- Online caches were found on social media sites, as well as image sharing and file upload sites.
- The URLs were shortened and then concealed in encrypted form, often using steganographic techniques.
- The fact that the image caches were concealed at all, and the manner of their concealment, namely 1) the drives being hidden in a locked case behind a filing cabinet and 2) the encryption and obfuscation of the caches, should also point to the potential of a distribution network.
- The obfuscation methods are also very interesting, and deserve further notes.
- Most interesting is the fact that the images were secretly hashed, using base-pixel chroma-key insertion. That is similar to steganography, which had also been used to conceal shortened URLs pointing to online folder caches on image sharing sites.
- The online folders were so large that it was impossible to locate the indecent images, and many of these were found to be obscene. However, the images had been grouped by FFT and possibly a neural net, and were all of similar dimensions.
- The folders contained many thousands of images which all looked very similar. The human eye cannot process these, and there was no way, without the requisite key (either a text keyword-phrase to use as a search term, or a chroma-key, just an RGB triplet, obtained from a known pixel), to locate the illegal material.
- Text keys were concealed using a known or pre-shared grid, comprising a transparent 1-bit image file.
- The image was overlaid on a text document, usually obtained via a URL, that revealed the location of the concealed document. The spaces in the grid revealed the letters of the final digest.
- Also found were logins to a good many sites on "Freedom Hosting" (the notorious dark-web provider) as well as the "triforce" network hosted at Ecatel.
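The grid technique described in the two preceding items, as an added worked example written for this page (it is not the original author's or Spiney's tooling). The grille is modelled as rows of 1-bit cells laid over a text document and read through in row-major order; the second function models the other key type mentioned above, an RGB triplet at an agreed pixel used to pick one file out of a folder of near-identical images. The cover text, grille bitmap, sample images, pixel coordinate and key triplet are all constructed here for illustration.

```python
"""Grille decoding and pixel-key matching (added example, not original code).

Models the concealment described above: a pre-shared 1-bit grille laid over
an ordinary-looking text document reveals a text key, and an RGB triplet
read from a known pixel selects one image out of many similar ones.
All data below is constructed for illustration.
"""

# Constructed cover text. In the account above this was usually fetched via
# a URL; it is inline here so the example runs offline.
COVER_TEXT = [
    "the quick brown fox",
    "jumps over a lazy",
    "dog while the cat",
    "walks off the bank",
]

# Constructed 1-bit grille: "1" = transparent cell (letter shows through),
# "0" = opaque. Rows are 21 cells wide; the cover text is padded to match.
GRILLE = [
    "000001000000001000000",
    "000000000000010000000",
    "010000000000001000000",
    "000100000000000000000",
]


def decode_grille(cover_rows, grille_rows):
    """Return the characters visible through the grille, in row-major order.

    The cover text is right-padded with spaces to the grille's width, as a
    text raster would be. A shape mismatch raises ValueError, which in
    practice is the usual sign of the wrong grille or the wrong document.
    """
    if not grille_rows:
        raise ValueError("empty grille")
    width = len(grille_rows[0])
    cover = [row.ljust(width) for row in cover_rows]
    if len(cover) != len(grille_rows) or any(
        len(c) != len(g) for c, g in zip(cover, grille_rows)
    ):
        raise ValueError("grille and cover text have different dimensions")
    return "".join(
        ch
        for c_row, g_row in zip(cover, grille_rows)
        for ch, bit in zip(c_row, g_row)
        if bit == "1"
    )


def pixel_key_matches(images, x, y, key_rgb):
    """Return names of images whose pixel at (x, y) equals key_rgb.

    `images` maps a name to rows of (r, g, b) tuples; images too small to
    contain (x, y) are skipped rather than treated as errors.
    """
    key = tuple(key_rgb)
    hits = []
    for name, rows in images.items():
        if y < len(rows) and x < len(rows[y]) and tuple(rows[y][x]) == key:
            hits.append(name)
    return hits


# Constructed 2x2 "images": visually near-identical, one carries the key pixel.
SAMPLE_IMAGES = {
    "img_001.png": [[(10, 10, 10), (10, 10, 10)], [(10, 10, 10), (10, 10, 10)]],
    "img_002.png": [[(10, 10, 10), (10, 10, 10)], [(10, 10, 10), (10, 10, 11)]],
    "img_003.png": [[(10, 10, 10), (10, 10, 10)], [(10, 10, 10), (10, 10, 12)]],
}
KEY_PIXEL = (1, 1)       # constructed agreed pixel coordinate (x, y)
KEY_RGB = (10, 10, 11)   # constructed key triplet

if __name__ == "__main__":
    print(decode_grille(COVER_TEXT, GRILLE))                     # unlock
    print(pixel_key_matches(SAMPLE_IMAGES, *KEY_PIXEL, KEY_RGB))  # ['img_002.png']
```

The decoder deliberately refuses a grille whose shape differs from the padded document instead of silently reading what overlaps: with the real thing, a wrong or partially fetched document gives garbage that is hard to distinguish from a genuine key.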
- No-one volunteered to perform the additional research, and the drives were eventually destroyed.
- The gang continued to hound Spiney until his death in 2013 from an unknown cause.