Reverse Engineering a Nit That Unmasks Tor Users

Proposal / Submission Type

Peer Reviewed Paper

Location

Daytona Beach, Florida

Start Date

25-5-2016 1:00 PM

Abstract

This paper is a case study of a forensic investigation of a Network Investigative Technique (NIT) used by the FBI to deanonymize users of a Tor (The Onion Router) Hidden Service. The forensic investigators were hired by the defense to determine how the NIT worked. The defendant was accused of using a browser to access illegal information. The authors analyzed the source code, binary files and logs that were used by the NIT. The analysis was used to validate that the NIT collected only necessary and legally authorized information. This paper outlines the publicly available case details, how the NIT logged data, and how the NIT utilized a capability in Flash to deanonymize a Tor user. The challenges with the investigation and concerns about the NIT are also discussed.

Keywords: Tor, NIT, deanonymization, Tor Hidden Services, flash

Scholarly Commons Citation

Miller, Matthew; Stroschein, Joshua; and Podhradsky, Ashley, "Reverse Engineering a Nit That Unmasks Tor Users" (2016). Annual ADFSL Conference on Digital Forensics, Security and Law. 10.
https://commons.erau.edu/adfsl/2016/wednesday/10

Included in

Aviation Safety and Security Commons, Computer Law Commons, Defense and Security Studies Commons, Forensic Science and Technology Commons, Information Security Commons, National Security Law Commons, OS and Networks Commons, Other Computer Sciences Commons, Social Control, Law, Crime, and Deviance Commons
