With the advancement of information technology, crimes that exploit computers and the internet are on the rise. Crimes involving Bitcoin and other cryptocurrencies are one such example. Professor Tetsutaro Uehara's research topic is digital forensics, a technology that helps to deter digital fraud and crime and create a secure digital environment.
Using digital forensics to collect and analyze digital evidence
Although advancements in information technology have made society dramatically more convenient, crimes that exploit computers and the internet are on the rise. One tool that is becoming more important in this context is digital forensics. “Digital forensics is the study of collecting, preserving, and analyzing the evidence left behind in the digital world,” explains Uehara. Having built up a significant track record of research in information security, Uehara has turned his focus to research related to digital forensics in recent years. One of his most recent findings comes from a study in which he collected the fingerprints of anonymous servers, thus allowing the operators of websites to be identified.
“As privacy protection and confidentiality in internet communication become important issues, anonymous network technologies are being developed to ensure anonymous communications by keeping IP addresses, which are used to identify users, confidential. Of these, the technology that holds one of the largest shares in the world is Tor, or The Onion Router.” According to Uehara, Tor has a feature called “Onion Service” that can anonymize not only the individual client but also the server. While this makes it possible to operate a website anonymously, it has also often been used for running illegal websites—commonly referred to as the “dark web”—involving activities such as posting unlawful content or leaking information stolen in cyberattacks.
Uehara has been researching methods to identify the operators of illegal (malicious) websites that use Onion Service, without directly compromising Tor’s anonymity. To do this, it is first necessary to gather as many Onion sites—that is, sites using .onion domains—as possible. Due to Tor’s inherent anonymity, there is no comprehensive search engine like Google, so Uehara developed a technique that can quickly crawl URLs containing .onion domains from a simple HTTP request, which has allowed him to collect upwards of 200,000 .onion domains.
Next, Uehara focused on the fact that even among Onion sites, the fingerprints derived from their distinctive response characteristics differ from server to server. He devised a method to identify site operators using the fingerprints that can be obtained from Onion sites. After analyzing the 200,000 .onion domains, he successfully identified around a dozen sites with the same operators as known malicious sites. He was able to demonstrate that even operators of sites that use Onion Service can be identified. These research findings are expected to contribute to the detection of illegal websites going forward.
Using mixing to track hidden Bitcoin transfers
Now that money can be exchanged via the internet, information security has become an integral part of the adoption of cryptocurrencies. Among them, Bitcoin—whose adoption is becoming more widespread—is said to be particularly prone to criminal use. “For example, in recent years there has been an increase in ransomware attacks, in which stolen data is encrypted and a ransom is demanded in exchange for its restoration. In some cases, Bitcoin is used to transfer the ransom, and one method used to make the stolen Bitcoin harder to trace is a money-laundering technique called ‘mixing,’” explains Uehara.
According to Uehara, mixing was originally developed to protect privacy in Bitcoin transactions, which are otherwise traceable. The process involves conducting a series of complex transactions with multiple addresses when sending Bitcoin, thereby making it impossible to identify the sender’s address. If the movement of Bitcoin after mixing could be traced, it would serve as a deterrent to crimes involving Bitcoin.
With this in mind, Uehara and his team used a service provided by a mixing service provider (MS provider) in an attempt to track the flow of Bitcoin. “What we found is that the Bitcoin we sent to the MS provider was traded among numerous addresses through several transactions and then stored in one or two addresses, but the thousands of addresses and transactions that are created before the money actually arrives have proven to be extremely difficult to track.”
The report they wrote was later used to draft regulations for cryptoasset service providers in Japan.

A dedication to developing security standards to facilitate cryptoasset risk management
“The difficult part of crime deterrence and legal regulation related to cryptoassets is that cryptocurrencies have no borders,” says Uehara. According to him, the OECD has formulated regulations to enable the tracking of international money transfers between member countries, but even so, policing cryptoasset transactions is not easy. He also points out that the members of the general public using cryptoassets lack awareness and knowledge about risk management and security. To address these issues, a voluntary organization called the Cryptoassets Governance Task Force (CGTF)—comprising security experts and representatives from cryptocurrency exchange operators—has been established with the aim of promoting cryptoasset user and consumer protection and risk management. As one of CGTF’s final decision-makers, Uehara is also devoting his energies to the formulation of safety standards.
His research will become increasingly indispensable for the further proliferation of cryptocurrencies that anyone can use safely.