Comparing paedophile activity in different P2P systems

Peer-to-peer (P2P) systems are widely used to exchange content over the Internet. Knowledge on paedophile activity in such networks remains limited while it has important social consequences. Moreover, though there are different P2P systems in use, previous academic works on this topic focused on one system at a time and their results are not directly comparable. We design a methodology for comparing \kad and \edonkey, two P2P systems among the most prominent ones and with different anonymity levels. We monitor two \edonkey servers and the \kad network during several days and record hundreds of thousands of keyword-based queries. We detect paedophile-related queries with a previously validated tool and we propose, for the first time, a large-scale comparison of paedophile activity in two different P2P systems. We conclude that there are significantly fewer paedophile queries in \kad than in \edonkey (approximately 0.09% \vs 0.25%).Comment: Submitte

Comparing Methods for Detecting Child Exploitation Content Online

The sexual exploitation of children online is seen as a global issue and has been addressed by both governments and private organizations. Efforts thus far have focused primarily on the use of image hash value databases to find content. However, recently researchers have begun to use keywords as a way to detect child exploitation content. Within the current study we explore both of these methodologies. Using a custom designed web-crawler, we create three networks using the hash value method, keywords method, and a hybrid method combining the first two. Results first show that the three million images found in our hash value database were not common enough on public websites for the hash value method to produce meaningful result. Second, the small sample of websites that were found to contain those images had little to no videos posted, suggesting a need for different criteria for finding each type of material. Third, websites with code words commonly known to be used by child pornographers to identify or discuss exploitative content, were found to be much larger than others, with extensive visual and textual content. Finally, boy-centered keywords were more commonly found on child exploitation websites than girl-centered keywords, though not at a statistically significant level. Applications for law enforcement and areas for future research are discussed

Criminal Careers in Cyberspace: Examining Website Failure within Child Exploitation Networks

Publically accessible, illegal, websites represent an additional challenge for control agencies, but also an opportunity for researchers to monitor, in real time, changes in criminal careers. Using a repeated measures design, we examine evolution in the networks that form around child exploitation (CE) websites, over a period of 60 weeks, and determine which criminal career dimensions predict website failure. Network data were collected using a custom-designed web-crawler. Baseline survival rates were compared to networks surrounding (legal) sexuality and sports websites. Websites containing CE material were no more likely to fail than comparisons. Cox regression analyses suggest that increased volumes of CE code words and images are associated with premature failure. Websites that are more popular have higher odds of survival. We show that traditional criminal career dimensions can be transferred to the context of online CE and constitute some of the key determinants of an interrupted career

iCOP:live forensics to reveal previously unknown criminal media on P2P networks

The increasing levels of criminal media being shared in peer-to-peer (P2P) networks pose a significant challenge to law enforcement agencies. One of the main priorities for P2P investigators is to identify cases where a user is actively engaged in the production of child sexual abuse (CSA) media – they can be indicators of recent or on-going child abuse. Although a number of P2P monitoring tools exist to detect paedophile activity in such networks, they typically rely on hash value databases of known CSA media. As a result, these tools are not able to adequately triage the thousands of results they retrieve, nor can they identify new child abuse media that are being released on to a network. In this paper, we present a new intelligent forensics approach that incorporates the advantages of artificial intelligence and machine learning theory to automatically flag new/previously unseen CSA media to investigators. Additionally, the research was extensively discussed with law enforcement cybercrime specialists from different European countries and Interpol. The approach has been implemented into the iCOP toolkit, a software package that is designed to perform live forensic analysis on a P2P network environment. In addition, the system offers secondary features, such as showing on-line sharers of known CSA files and the ability to see other files shared by the same GUID or other IP addresses used by the same P2P client. Finally, our evaluation on real CSA case data shows high degrees of accuracy, while hands-on trials with law enforcement officers demonstrate the toolkit’s complementarity to extant investigative workflows

Forensic investigations on child pornography file sharing using file sharing software on peer-to-peer networks

La prova informatica richiede l’adozione di precauzioni come in un qualsiasi altro accertamento scientifico. Si fornisce una panoramica sugli aspetti metodologici e applicativi dell’informatica forense alla luce del recente standard ISO/IEC 27037:2012 in tema di trattamento del reperto informatico nelle fasi di identificazione, raccolta, acquisizione e conservazione del dato digitale. Tali metodologie si attengono scrupolosamente alle esigenze di integrità e autenticità richieste dalle norme in materia di informatica forense, in particolare della Legge 48/2008 di ratifica della Convenzione di Budapest sul Cybercrime. In merito al reato di pedopornografia si offre una rassegna della normativa comunitaria e nazionale, ponendo l’enfasi sugli aspetti rilevanti ai fini dell’analisi forense. Rilevato che il file sharing su reti peer-to-peer è il canale sul quale maggiormente si concentra lo scambio di materiale illecito, si fornisce una panoramica dei protocolli e dei sistemi maggiormente diffusi, ponendo enfasi sulla rete eDonkey e il software eMule che trovano ampia diffusione tra gli utenti italiani. Si accenna alle problematiche che si incontrano nelle attività di indagine e di repressione del fenomeno, di competenza delle forze di polizia, per poi concentrarsi e fornire il contributo rilevante in tema di analisi forensi di sistemi informatici sequestrati a soggetti indagati (o imputati) di reato di pedopornografia: la progettazione e l’implementazione di eMuleForensic consente di svolgere in maniera estremamente precisa e rapida le operazioni di analisi degli eventi che si verificano utilizzando il software di file sharing eMule; il software è disponibile sia in rete all’url http://www.emuleforensic.com, sia come tool all’interno della distribuzione forense DEFT. Infine si fornisce una proposta di protocollo operativo per l’analisi forense di sistemi informatici coinvolti in indagini forensi di pedopornografia.Digital evidences require precautions as in any other scientific investigation. We provide an overview about methodology and application of computer forensics based on the recent ISO / IEC 27037:2012 relating to the processing of finding information in the stages of identification, collection, acquisition and preservation of digital data. These methods comply with the requirements of integrity and authenticity of the rules of computer forensics, in particular the Law 48/2008 about the ratification of the Budapest Convention on Cybercrime. Concering the child pornography crime, we offer an overview of EU and national legislation, with emphasis on relevant aspects for computer forensic analysis. We provide an overview of the peer-to-peer protocols and systems used for file sharing, with an emphasis on the eDonkey and eMule software that are widely spread in Italy. The design and implementation of eMuleForensic allows the computer forenser to perform a highly accurate and rapid operations analysis of the events that occur using eMule; the software is available in the url http://www.emuleforensic.com network, both as a forensic tool in the distribution DEFT. Finally, we provide a proposal for an operating protocol for forensic analysis of computer systems involved in forensic investigations on child pornography

Quantifying paedophile activity in a large P2P system

International audienceIncreasing knowledge of paedophile activity in P2P systems is a crucial societal concern, with important consequences on child protection, policy making, and internet regulation. Because of a lack of traces of P2P exchanges and rigorous analysis methodology, however, current knowledge of this activity remains very limited. We consider here a widely used P2P system, eDonkey, and focus on two key statistics: the fraction of paedophile queries entered in the system and the fraction of users who entered such queries. We collect hundreds of millions of keyword-based queries; we design a paedophile query detection tool for which we establish false positive and false negative rates using assessment by experts; with this tool and these rates, we then estimate the fraction of paedophile queries in our data; finally, we design and apply methods for quantifying users who entered such queries. We conclude that approximately 0.25% of queries are paedophile, and that more than 0.2% of users enter such queries. These statistics are by far the most precise and reliable ever obtained in this domain

Quantifying Paedophile Activity in a Large P2P System

Abstract—Increasing knowledge of paedophile activity in P2P systems is a crucial societal concern, with important consequences on child protection, policy making, and internet regulation. Because of a lack of traces of P2P exchanges and rigorous analysis methodology, however, current knowledge of this activity remains very limited. We consider here a widely used P2P system, eDonkey, and focus on two key statistics: the fraction of paedophile queries entered in the system and the fraction of users who entered such queries. We collect hundreds of millions of keyword-based queries; we design a paedophile query detection tool for which we establish false positive and false negative rates using assessment by experts; with this tool and these rates, we then estimate the fraction of paedophile queries in our data; finally, we design and apply methods for quantifying users who entered such queries. We conclude that approximately 0.25 % of queries are paedophile, and that more than 0.2 % of users enter such queries. These statistics are by far the most precise and reliable ever obtained in this domain. I

Assessment of routinely collected information on internet sex offenders by criminal justice social workers and the police in Scotland: an exploratory study

The number of offenders who have been convicted of possession, distribution or production of sexually explicit media involving children (SEMIC) has increased exponentially in the last decade. The majority of these cases have been facilitated by increased availability and affordability of the internet and mobile technology. This has led both practitioners and academics to question whether or not internet sex offenders are a new type of offender or whether they are similar to contact offenders who target children offline. Questions have also been raised as to whether or not such internet sex offenders are a homogenous group or whether they can be distinguished by their potential to recidivate or escalate to contact offences. This thesis contributes to this body of knowledge by assessing the information routinely collected on internet sex offenders by criminal justice social workers and the police in Scotland. The forensic reports produced by the police (N=80) alongside matched social enquiry reports from criminal justice social workers (N=30), on all of the offenders convicted for breach of section 52 of the Civic Government Scotland Act (1982) in a particular region of Scotland from 2002-2009, were assessed. Police reports contained detailed information relating to specific offending behaviours: the number of images/videos found on the offender’s computer; the age and sex of the children depicted; the severity of the SEMIC (based on the modified COPINE scale); where the SEMIC was from and how it was stored; whether the offender attempted to hide any images or videos, and whether or not he shared or produced any SEMIC. These reports also noted whether the offender had any previous convictions, as well as age at the time of the offence. Based on the social enquiry reports, the criminal justice social workers focused on demographic characteristics (age, educational background, employment history, family status) of the offenders as well as the attitudes or beliefs they might have held (expression of remorse or guilt and admission to being sexually attracted to children). The social enquiry reports also provided risk assessments, which assessed this group of internet sex offenders as a normally distributed range from low to very high risk to reoffend utilizing the RM2000 and Stable/Acute 2007. The criminal justice social workers did not differentiate between offenders in their management recommendations, which as reported in social enquiry reports, included: no use of the internet except for education or employment; no ownership of devices capable of taking or receiving images/videos, and no unsupervised access to children. Statistical analysis of this sample showed that distinctions between internet sex offenders could be made based on their offending behaviour, demographic information and attitudes they held about the crime. Correlation analysis suggested that offenders who were in possession of SEMIC depicting very young children were also likely to be in possession of SEMIC depicting boys and Level 4/5 images or videos (based on the modified COPINE scale). In addition, offenders who possessed very large collections of SEMIC were also the most likely to be in possession of the most deviant images and videos. Post-hoc analysis suggested offenders who were producers of SEMIC were more likely to have been in relationships and single offenders were more likely to be in possession of the more deviant collections. Contrary to what was expected, the size of an offender’s collection of SEMIC was negatively correlated with the risk assessment level reported by the criminal justice social workers. These results are discussed in the context of current research on risk assessment and management. Based on that current literature and the results of this research, it is recommended that criminal justice social workers utilize information relating the offender’s behaviour, or more specifically the quantity and deviancy of the SEMIC he possessed, in relation to his social circumstances when making recommendations for management and assessing his risk to reoffend