Interesting Internet-Based Investigative Techniques

In this article, detailing the Australian and then worldwide investigation of a particularly heinous child-abuse ring, there are a lot of details of the pedophile security practices and the police investigative techniques. The abusers had a detailed manual on how to scrub metadata and avoid detection, but not everyone was perfect. The police used information from a single camera to narrow down the suspects. They also tracked a particular phrase one person used to find him.

This story shows an increasing sophistication of the police using small technical clues combined with standard detective work to investigate crimes on the Internet. A highly painful read, but interesting nonetheless.

Posted on August 24, 2016 at 9:30 AM • 29 Comments


SoWeMeetAgain • August 24, 2016 1:34 PM

I find the article a bit ... strange.
Worst-ever British paedophile?
Have they forgotten about the whole Rotherham thing?

Ben • August 24, 2016 1:45 PM

@Blaw: I just posted the following comment on the Threatpost article:

‘The headline (“new collision attacks against 3DES, Blowfish”) is very misleading. This attack has been known for as long as block ciphers have existed, and it has nothing to do with 3DES or Blowfish beyond the fact that they have a 64-bit block size. The designers of both ciphers were fully aware of this attack and they made security/performance decisions that were sensible at the time.

When the EFF built its DES cracker, it wasn’t a “new attack on DES”. It was just a practical demonstration that DES was nearing the end of its useful life. We always knew it would happen and we even knew roughly when. This paper makes the same point about 64-bit block ciphers in general. It’s not a “new attack”.’

Uhu • August 24, 2016 1:46 PM


Maybe it's progressed beyond a simple fingerprint, maybe it's full fledged GPS watermarking these days?

ianf • August 24, 2016 3:03 PM

@ SoWeMeetAgain

wasn't Rotherham more of an overt grooming and teenage rent-boy & pimping "operation", rather than what's commonly referred to as pædophile ring? In any event I don't recall the Rotherham perps using anything as sophisticated as crypto and DarkWeb communications, which is partly why they could stay under the radar for so long (I've yet to read the article in depth though).

Jonathan Wilson • August 24, 2016 5:47 PM

Only an idiot should be using insecure ciphers like DES or even Blowfish in 2016 for anything important or that needs to remain secure.

Jesse Thompson • August 24, 2016 5:56 PM

@Ben: I'm with you. Parallel construction.

We are basically at a point in history where it is impossible to trust any government's account on any chain of evidence ever, because they are literally cooking the evidence books.

Just imagine what McCarthy and Hoover would have done with this level of power to manipulate the rule of law.

Now realize exactly how many people precisely that crooked and clever are presently in those positions of power today.

You and I are exactly as safe as we would be if we were paying into the Mob's protection racket: we won't see any direct negative consequences until the dice happen to roll the wrong way or until we get onto the radar of anybody petty and powerful enough. But once we do, every centimeter of the legislative system designed to protect us from them will instead act as an extension of their already extravagant power against us.

In short, we're slipping back into feudalism and our advanced infrastructures won't be able to survive it for long.

Vertical • August 24, 2016 7:56 PM

Governments should never be trusted.

Germany and France encouraged mass migration into Europe and when the obvious started and some killings happened, they say encryption is at fault and needs to get banned so they can snoop into everyone's communications:

So basically let anyone enter your country without listening to common sense, then start complaining that you can't spy enough on people.

Even that Australian case is full of government BS:

''They included an anonymous call in March 2011 warning authorities the then-nanny was inappropriately physical with some children. It was ignored, along with a psychological assessment one year later, that found him to be “high risk” and “very unsuitable” for the job.''

So they were totally incompetent when they were given the hints, but later they became so smart to find his truck??????

Sally Horner • August 24, 2016 9:07 PM

@Vertical +10! (factorial, not exclamation) this case shows that pedophiles get stopped not to protect children but to sensationalize the propaganda for surveillance. If authorities wanted to stop children getting raped by this ring they would have acted on the four thousand ear-splitting warnings in the physical world. They would have stopped child trafficking at Penn State 30 years ago. They wouldn't have sat on their thumbs until Jeffrey Epstein's victims grew up. They wouldn't have let Jimmy Savile rape kids in helpless droves. They wouldn't have sent Lawrence King's victims to prison. Now there's an internet full of dissidents to surveil so there's pedos under every cyber-rock, 99 per cent of them cops entrapping each other with actual porn. Used to be the best job for pedos was scoutmaster. Now cop's the pedo dream job.

Peter • August 25, 2016 12:45 AM

Very good police work. Web of Lies is actually quite a good show detailing case after case where criminals thinking they are "anonymous" get busted.

As a security researcher, constantly amazed at the lies Tor users engaging in serious crime and site operators tell themselves.

My positive review of an ID network show, lol, will deceive them. The attack surface of these sites and clients is quite huge. And unlike intelligence targets - even for hacking sites - the chance for detection and exposure extremely minute.

Of course, while they do perform their own anti-undercover security, they are open about their methods of criteria for trust and distrust. As such closed groups have always been, ironically being forced to reveal such criteria directly and indirectly.

They are basically attempting to roll their own counterintelligence when they do so, which is equivalent to attempting to perform heart surgery on their spouse after seeing it done on a fictional tv show.

Of course little fish just buying pot will swear it is secure in their expert opinion because nobody has arrested them yet.

And the serious criminals already are on your effective list, just waiting for the bust. After your two, three year investigation.

How do you know it is safe? Why are you trusting your opinion, when you could never get a job in any of these fields for having no real experience or knowledge?

But keep on believing, because you really want to and pedo or other, you are addicted and can not stop.

Peter • August 25, 2016 12:56 AM

Spelling grammer mistakes, cause dont buhlweve me, lol.

"parallel reconstruction"... could be though u could pick up some bsu articles and books on forensic linguistics, or hey, study some case files. Know what gets you caught. If you are going to do the crime, maybe do some research.

Sure there are plenty of phish sites. Sure, parallel reconstruction from that. Cheaper than even very cheap undercover social engineering, or mass repeatable zero day.

So what? And no laws against that, because it is legal for one nation to do this and tip off others.

Many nations have no laws for such work domestically or foreign at all.

Nothing like one nation's agency using illegal means to tip off another domestic agency.

Easy details to forget, when you really want what you want. Bait, fish. Prey, ambush predator. lil fish, lil pond... suddenly in the great, big sea.

Hardly moral criteria sexual predators can condemn... lol

Petter • August 25, 2016 3:12 AM

There's also a possibility to analyse and log sensor inconsistencies such as hot or dead pixels, op-amp noise etc and compare them with other material such as publicly known photos or earlier evidence.

It will not reveal the serial of the camera but it will be an effective fingerprint of the recorder's sensor(s) which can lead to the serial which then can be traced.

Harmless Drudge • August 25, 2016 5:54 AM

I found "Lolita" material on a network once* but failed to find the originator. However, the search uncovered other things that were dealt with (a not uncommon thing in my experience... once you start turning over stones).

*Actually, it was drawn to my attention

And I once stumbled on something worse when investigating file sharing software being used by employees.

I don't agree at all with the paranoid and stupid comments above that the incidents reported on are to justify surveillance. They don't, but if evil exists and you are confronted with it you must respond or be complicit. Clearly, the police work was reactive, but I have seen some online shrieking about government run paedophile sites as if this exculpated those using them. Perhaps some of those for whom all government is bad would be happy to see the detection and jailing, and, if they're lucky, the treatment, of paedophiles privatised? Private prisons have been such a success.

I just wonder when someone will be framed for this offence? It's entirely within the capabilities of the NSA and others, and trivially so. A corrupt police force might be capable of it.

The best discouragement is a likelihood of being caught and of being unable to trust others. Hopefully, articles like this will deter some and not merely tip them off about ways of tripping up. Truth is, on the Internet you never know who is a policeman.

The idea of any govt running a paedophile site is repugnant but not taking the opportunity to catch as many paedophiles as possible, in effect letting them off to continue not just sharing content but abusing children, is worse.

Allegedly, continuing to operate a site further victimises abused children. That is debatable. The abuse has already happened. Only paedophiles are ever likely to encounter it, and children grow up and are not ordinarily recognisable. The argument against depends, it seems to me, on the availability of content causing more harm (inspiring more abuse) than good (by catching paedophiles).

Surely most parents would favour actions that lead to successful detection, apprehension & prosecution of child abusers?

Jason • August 25, 2016 8:47 AM

"Embedded in some of his images, overlooked when he swept the files of metadata, was the brand and model of his Olympus camera."

A number of years ago a friend in law enforcement told me the cameras they used (Nikon) had the model and serial numbers encoded into the image. Not the usual EXIF data, but somehow encoded within the image. He didn't know how it worked, and told me the method was proprietary to the manufacturer. This was used at the time to certify at a trial that the image was original and had not been modified by a program such as Photoshop. The image had to be submitted to the manufacturer, who then certified the authenticity. One can only assume that the techniques have improved over time, and a lot of metadata, including geolocation, is hidden in the image.

"Huckle was arrested at Gatwick airport on 19 December 2014. Computers and hard drives in his possession contained more than 20,000 indecent images of children, around 1,000 depicting children he had himself abused. To this day he has refused to divulge the keys to encrypted files on his laptop, thought to reveal additional victims, and thousands more images and videos."

So he encrypted his laptop, but walked through customs with 20,000 unencrypted images on other drives? Epic fail!

"Membership was tightly managed. Quiet accounts raised suspicion and could be suddenly terminated. Those who stayed had to upload new material frequently. More than 45,000 people complied."

"By the time they pulled the plug on the forum 85 children had been rescued and hundreds of people across the globe arrested."

Out of 45,000 users, they managed to arrest hundreds? It sounds like good police work and sloppy security on the part of those discovered.

Martin Stites and Matthew Sheets • August 25, 2016 8:53 AM

Classic statist sockpuppetry on display:

multiple yammering posts from Peter, combining the resistance-is-futile line with a retro McCarthy smear associating Tor users with criminals.

from HarmlessDrudge, using the dumb-cop strawman 'all government is bad;' dishonestly inferring exculpation from criticism of lax enforcement; and chin-stroking about the government porn trade.

All you poor dumb gumshoes kept off the beat on your fat deskbound ass pretending to be little girls, you're just pathetic dupes. Child trafficking is exactly like drugs - the US government doesn't want to stop the trade, it wants to control the trade. To get intelligence assets, blackmail material, and a cut they can divert to illegal ultra vires operations. And like any other criminal enterprise, the US government uses grave crimes for initiation and group cohesion. For the Crips it's murder, for CIA it's pedophile sex crimes. The 44,750 who got away were government VIPs.

Clive Robinson • August 25, 2016 9:09 AM

@ All,

If you are thinking of running MS Win 10 Home --or others for that matter-- behind a firewalling router, can I suggest you really should go further than that...

As others have noted, each patch appears to bring new methods of trying to get the instrumentation out. Think seriously about what this means, especially when they will receive no criminal sanction if they fork the data over to US authorities.

Ask yourself "How long before zero days are used --if they are not already--?"

Then ask yourself "What are these zero days for?"

As is fairly well known, network appliance zero days outlast those of the OS by a factor of years over months, even with diligent patchers.

Now ask yourself what would happen if MS used a zero day against your home firewall / router appliance?

Yup not good, and this is almost certainly the way things will go. Not just with MS but any other commercial OS, and I'm guessing most FOSS OS's as well. It's just a question of time...

Thus the question of "What to do about it arises?".

Personally I think trying to fight the OS perverters on their home turf is a waste of time, it's like the "authorities-v-terrorists" argument which says "You have to get lucky every time, they just the once".

Obviously "air-gapping" is a consideration, but as Uni Students reinvent the EmSec wheel, that alone is insufficient thus the difficult "energy-gapping". But such effort is over the top for many, and impractical even for those it is not. Thus a "half way house" is required, which raises the question of "Is there a cost effective system that will work?"

Well it rather depends on what you mean by "work" but the answer is yes for those that are a little tech savvy but pocket poor.

I've mentioned it before and I call it "The garden path solution" because its real world analog is your garden gate, front door and a manned CCTV camera on your garden path.

Put simply you have two firewalls one from your "private network" to the DMZ --this is your "front door" -- and one between your DMZ and the Internet. You add an instrumentation host via "cut wire data diodes" or "start tap data diodes" to both the inbound and out bound paths on the DMZ. Importantly ensure you own both firewalls and that they really are from different manufacturers in different countries and not from the likes of Auz, Canada, UK, US and quite a few European countries.

Mike • August 25, 2016 9:54 AM

At the risk of sounding like I am defending pedophiles (NOPE!), in many of these cases, sentencing is based on the concept that literally each time an image is shared/copied, it is a "revictimization" and prosecuted as such. This is an important factor in getting gigantic sentences. OK, fine, sure, whatever.

But if that's the case, why is it somehow different when no doubt thousands of images/files were shared and copied by this site while it was wholly under the control of the government? Are they not, by their own criteria, victimizers of children at this point?

It's all semantic nonsense, but we're talking sentencing guidelines and peoples' lives (Yes, pedophile lives, but still.)

albert • August 25, 2016 10:27 AM

Note to @all,

Some of the comments posted here read like All that's missing is the black background and multi-colored type.

Far out, man!
. .. . .. --- ....

albert • August 25, 2016 1:36 PM

@Little Saint James,

Nothing surprises me anymore. Interestingly, Rense has tons of pedophilia articles on his site.

. .. . .. --- ....

albert • August 25, 2016 1:55 PM

Correction, not "just out", but I can't find the page that cited that link.
. .. . .. --- ....


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.