Proposal / Submission Type
Peer Reviewed Paper
Location
Daytona Beach, Florida
Start Date
25-5-2016 1:00 PM
Abstract
This paper is a case study of a forensic investigation of a Network Investigative Technique (NIT) used by the FBI to deanonymize users of a The Onion Router (Tor) Hidden Service. The forensic investigators were hired by the defense to determine how the NIT worked. The defendant was ac- cused of using a browser to access illegal information. The authors analyzed the source code, binary files and logs that were used by the NIT. The analysis was used to validate that the NIT collected only necessary and legally authorized information. This paper outlines the publicly available case details, how the NIT logged data, and how the NIT utilized a capability in flash to deanonymize a Tor user. The challenges with the investigation and concerns of the NIT will also be discussed.
Keywords: Tor, NIT, deanonymization, Tor Hidden Services, flash
Scholarly Commons Citation
Miller, Matthew; Stroschein, Joshua; and Podhradsky, Ashley, "Reverse Engineering a Nit That Unmasks Tor Users" (2016). Annual ADFSL Conference on Digital Forensics, Security and Law. 10.
https://commons.erau.edu/adfsl/2016/wednesday/10
Included in
Aviation Safety and Security Commons, Computer Law Commons, Defense and Security Studies Commons, Forensic Science and Technology Commons, Information Security Commons, National Security Law Commons, OS and Networks Commons, Other Computer Sciences Commons, Social Control, Law, Crime, and Deviance Commons
Reverse Engineering a Nit That Unmasks Tor Users
Daytona Beach, Florida
This paper is a case study of a forensic investigation of a Network Investigative Technique (NIT) used by the FBI to deanonymize users of a The Onion Router (Tor) Hidden Service. The forensic investigators were hired by the defense to determine how the NIT worked. The defendant was ac- cused of using a browser to access illegal information. The authors analyzed the source code, binary files and logs that were used by the NIT. The analysis was used to validate that the NIT collected only necessary and legally authorized information. This paper outlines the publicly available case details, how the NIT logged data, and how the NIT utilized a capability in flash to deanonymize a Tor user. The challenges with the investigation and concerns of the NIT will also be discussed.
Keywords: Tor, NIT, deanonymization, Tor Hidden Services, flash
