Comparing paedophile activity in different P2P systems

Peer-to-peer (P2P) systems are widely used to exchange content over the Internet. Knowledge on paedophile activity in such networks remains limited while it has important social consequences. Moreover, though there are different P2P systems in use, previous academic works on this topic focused on one system at a time and their results are not directly comparable. We design a methodology for comparing \kad and \edonkey, two P2P systems among the most prominent ones and with different anonymity levels. We monitor two \edonkey servers and the \kad network during several days and record hundreds of thousands of keyword-based queries. We detect paedophile-related queries with a previously validated tool and we propose, for the first time, a large-scale comparison of paedophile activity in two different P2P systems. We conclude that there are significantly fewer paedophile queries in \kad than in \edonkey (approximately 0.09% \vs 0.25%).Comment: Submitte

Mining bipartite graphs to improve semantic pedophile activity detection

International audiencePeer-to-peer (P2P) networks are popular to exchange large volumes of data through the Internet. Paedophile activity is a very important topic for our society and some works have recently attempted to gauge the extent of paedophile exchanges on P2P networks. A key issue is to obtain an efficient detection tool, which may decide if a sequence of keywords is related to the topic or not. We propose to use social network analysis in a large dataset from a P2P network to improve a state-of-the-art filter for paedophile queries. We obtain queries and thus combinations of words which are not tagged by the filter but should be. We also perform some experiments to explore if the original four categories of paedophile queries were to be found by topological measures only

Comparing Methods for Detecting Child Exploitation Content Online

The sexual exploitation of children online is seen as a global issue and has been addressed by both governments and private organizations. Efforts thus far have focused primarily on the use of image hash value databases to find content. However, recently researchers have begun to use keywords as a way to detect child exploitation content. Within the current study we explore both of these methodologies. Using a custom designed web-crawler, we create three networks using the hash value method, keywords method, and a hybrid method combining the first two. Results first show that the three million images found in our hash value database were not common enough on public websites for the hash value method to produce meaningful result. Second, the small sample of websites that were found to contain those images had little to no videos posted, suggesting a need for different criteria for finding each type of material. Third, websites with code words commonly known to be used by child pornographers to identify or discuss exploitative content, were found to be much larger than others, with extensive visual and textual content. Finally, boy-centered keywords were more commonly found on child exploitation websites than girl-centered keywords, though not at a statistically significant level. Applications for law enforcement and areas for future research are discussed

iCOP: Automatically Identifying New Child Abuse Media in P2P Networks

The increasing levels of child sex abuse (CSA) media being shared in peer-to-peer (P2P) networks pose a significant challenge for law enforcement agencies. Although a number of P2P monitoring tools to detect offender activity in such networks exist, they typically rely on hash value databases of known CSA media. Such an approach cannot detect new or previously unknown media being shared. Conversely, identifying such new previously unknown media is a priority for law enforcement - they can be indicators of recent or on-going child abuse. Furthermore, originators of such media can be hands-on abusers and their apprehension can safeguard children from further abuse. The sheer volume of activity on P2P networks, however, makes manual detection virtually infeasible. In this paper, we present a novel approach that combines sophisticated filename and media analysis techniques to automatically flag new previously unseen CSA media to investigators. The approach has been implemented into the iCOP toolkit. Our evaluation on real case data shows high degrees of accuracy while hands-on trials with law enforcement officers highlight iCOP's usability and its complementarity to existing investigative workflows

iCOP:live forensics to reveal previously unknown criminal media on P2P networks

The increasing levels of criminal media being shared in peer-to-peer (P2P) networks pose a significant challenge to law enforcement agencies. One of the main priorities for P2P investigators is to identify cases where a user is actively engaged in the production of child sexual abuse (CSA) media – they can be indicators of recent or on-going child abuse. Although a number of P2P monitoring tools exist to detect paedophile activity in such networks, they typically rely on hash value databases of known CSA media. As a result, these tools are not able to adequately triage the thousands of results they retrieve, nor can they identify new child abuse media that are being released on to a network. In this paper, we present a new intelligent forensics approach that incorporates the advantages of artificial intelligence and machine learning theory to automatically flag new/previously unseen CSA media to investigators. Additionally, the research was extensively discussed with law enforcement cybercrime specialists from different European countries and Interpol. The approach has been implemented into the iCOP toolkit, a software package that is designed to perform live forensic analysis on a P2P network environment. In addition, the system offers secondary features, such as showing on-line sharers of known CSA files and the ability to see other files shared by the same GUID or other IP addresses used by the same P2P client. Finally, our evaluation on real CSA case data shows high degrees of accuracy, while hands-on trials with law enforcement officers demonstrate the toolkit’s complementarity to extant investigative workflows

A systematic survey of online data mining technology intended for law enforcement

As an increasing amount of crime takes on a digital aspect, law enforcement bodies must tackle an online environment generating huge volumes of data. With manual inspections becoming increasingly infeasible, law enforcement bodies are optimising online investigations through data-mining technologies. Such technologies must be well designed and rigorously grounded, yet no survey of the online data-mining literature exists which examines their techniques, applications and rigour. This article remedies this gap through a systematic mapping study describing online data-mining literature which visibly targets law enforcement applications, using evidence-based practices in survey making to produce a replicable analysis which can be methodologically examined for deficiencies

Criminal Careers in Cyberspace: Examining Website Failure within Child Exploitation Networks

Publically accessible, illegal, websites represent an additional challenge for control agencies, but also an opportunity for researchers to monitor, in real time, changes in criminal careers. Using a repeated measures design, we examine evolution in the networks that form around child exploitation (CE) websites, over a period of 60 weeks, and determine which criminal career dimensions predict website failure. Network data were collected using a custom-designed web-crawler. Baseline survival rates were compared to networks surrounding (legal) sexuality and sports websites. Websites containing CE material were no more likely to fail than comparisons. Cox regression analyses suggest that increased volumes of CE code words and images are associated with premature failure. Websites that are more popular have higher odds of survival. We show that traditional criminal career dimensions can be transferred to the context of online CE and constitute some of the key determinants of an interrupted career

Forensic investigations on child pornography file sharing using file sharing software on peer-to-peer networks

La prova informatica richiede l’adozione di precauzioni come in un qualsiasi altro accertamento scientifico. Si fornisce una panoramica sugli aspetti metodologici e applicativi dell’informatica forense alla luce del recente standard ISO/IEC 27037:2012 in tema di trattamento del reperto informatico nelle fasi di identificazione, raccolta, acquisizione e conservazione del dato digitale. Tali metodologie si attengono scrupolosamente alle esigenze di integrità e autenticità richieste dalle norme in materia di informatica forense, in particolare della Legge 48/2008 di ratifica della Convenzione di Budapest sul Cybercrime. In merito al reato di pedopornografia si offre una rassegna della normativa comunitaria e nazionale, ponendo l’enfasi sugli aspetti rilevanti ai fini dell’analisi forense. Rilevato che il file sharing su reti peer-to-peer è il canale sul quale maggiormente si concentra lo scambio di materiale illecito, si fornisce una panoramica dei protocolli e dei sistemi maggiormente diffusi, ponendo enfasi sulla rete eDonkey e il software eMule che trovano ampia diffusione tra gli utenti italiani. Si accenna alle problematiche che si incontrano nelle attività di indagine e di repressione del fenomeno, di competenza delle forze di polizia, per poi concentrarsi e fornire il contributo rilevante in tema di analisi forensi di sistemi informatici sequestrati a soggetti indagati (o imputati) di reato di pedopornografia: la progettazione e l’implementazione di eMuleForensic consente di svolgere in maniera estremamente precisa e rapida le operazioni di analisi degli eventi che si verificano utilizzando il software di file sharing eMule; il software è disponibile sia in rete all’url http://www.emuleforensic.com, sia come tool all’interno della distribuzione forense DEFT. Infine si fornisce una proposta di protocollo operativo per l’analisi forense di sistemi informatici coinvolti in indagini forensi di pedopornografia.Digital evidences require precautions as in any other scientific investigation. We provide an overview about methodology and application of computer forensics based on the recent ISO / IEC 27037:2012 relating to the processing of finding information in the stages of identification, collection, acquisition and preservation of digital data. These methods comply with the requirements of integrity and authenticity of the rules of computer forensics, in particular the Law 48/2008 about the ratification of the Budapest Convention on Cybercrime. Concering the child pornography crime, we offer an overview of EU and national legislation, with emphasis on relevant aspects for computer forensic analysis. We provide an overview of the peer-to-peer protocols and systems used for file sharing, with an emphasis on the eDonkey and eMule software that are widely spread in Italy. The design and implementation of eMuleForensic allows the computer forenser to perform a highly accurate and rapid operations analysis of the events that occur using eMule; the software is available in the url http://www.emuleforensic.com network, both as a forensic tool in the distribution DEFT. Finally, we provide a proposal for an operating protocol for forensic analysis of computer systems involved in forensic investigations on child pornography