NIT, the Flash code the FBI used to deanonymize pedophiles on Tor

Pierluigi Paganini July 01, 2015

A look at the “NIT Forensic and Reverse Engineering Report, Continued from January 2015”. The NIT code was used by the FBI to deanonymize Tor users.

On December 22nd, 2014, Mr. Joseph Gross retained Dr. Ashley Podhradsky, Dr. Matt Miller and Mr. Josh Stroschein to provide expert testimony in a prosecution of suspected pedophiles who used Tor.
The suspects are accused in federal court in Omaha of viewing and possessing child pornography.
The case is of particular interest because the defense experts were informed that the FBI had used a “Network Investigative Technique” (NIT) to deanonymize suspects who were using the Tor network. The NIT allowed the Bureau to identify the real IP addresses of Tor users.

“The NIT was a Flash based application that was developed by H.D. Moore and was released as part of Metasploit. The NIT, or more formally, Metasploit Decloaking Engine was designed to provide the real IP address of web users, regardless of proxy settings.” states the forensic report.


According to the court filings, the defense experts were informed that the FBI had found three servers hosting contraband images and had taken them offline in November 2012.

The FBI used the seized servers as bait: the Bureau placed the NIT on them and used it to de-anonymize Tor users who accessed the illegal content. With this technique the FBI identified the real IP addresses of the visitors.

Is the NIT really effective at identifying Tor users?

Joe Gross challenged the accuracy of the NIT and asked the experts to verify the accuracy of the method.

On January 7th, 2015, the three experts (Podhradsky, Miller and Stroschein) began their investigation to test the accuracy of the NIT. The court asked them to:

  • Understand the functionality of the NIT.
  • Identify whether the scientific technique can be or has been tested.
  • Identify whether the theory or technique has been subjected to peer review.
  • Identify if there is a known rate of error for this technique.
  • Identify whether the technique is generally accepted in the scientific or technical field to which it belongs.

“The investigators were given access to the NIT, decompiled the program, analyzed the code, and then verified the application output and functionality through dynamic testing of the actual application in a virtual environment. The results of this analysis show that the NIT produced the following output from interaction with a client: IP address through the TCP connection, operating system, CPU architecture and session identification. The researchers were able to determine that if a TOR browser accessing the FBI controlled website had proper up-to-date controls configured, the NIT would not be able to reveal the true IP address of the users. On the other hand, if users were using the current version of the TOR browser their true IP would not be revealed. The investigators believe that the NIT provided a repeatable and reliable process of identifying true IP addresses.”
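The mechanism the report describes (a session identifier handed out over the proxied web request, then a plugin-initiated direct TCP connection that carries the same identifier together with OS and CPU data) can be modelled as a server-side correlator. The following Python is an added example written for this article; it is not the FBI's NIT, the forensic report's code or Metasploit's Decloaking Engine. The class names, the `correlate` function and the Tor exit-relay and client IP addresses are all constructed here for illustration. It also shows the two non-result cases the experts describe: no beacon at all (plugins disabled in a current Tor Browser) and a beacon that itself arrived through Tor (the plugin honoured the proxy).

```python
"""Session-correlation model of a proxy-bypassing "decloaking" beacon (constructed example)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed list of Tor exit-relay addresses as the bait server would know them.
TOR_EXITS: Set[str] = {"185.220.101.7", "185.220.101.9"}


def new_session_id() -> str:
    """Server-issued token embedded in the page and echoed by the beacon.

    It must be unguessable: a predictable id would let a third party inject
    bogus beacons and attach the wrong real IP to a visitor's session.
    """
    return secrets.token_hex(16)


@dataclass(frozen=True)
class ProxiedHit:
    """HTTP request that reached the bait site through Tor; only the exit IP is visible."""
    session_id: str
    seen_ip: str


@dataclass(frozen=True)
class DirectBeacon:
    """TCP connection opened by a browser plugin, ignoring the browser's proxy settings."""
    session_id: str
    source_ip: str
    os_name: str
    cpu_arch: str


@dataclass
class Resolution:
    session_id: str
    tor_ip: str
    real_ip: Optional[str] = None
    os_name: Optional[str] = None
    cpu_arch: Optional[str] = None


def correlate(hits: Iterable[ProxiedHit], beacons: Iterable[DirectBeacon],
              tor_exits: Set[str]) -> Dict[str, Resolution]:
    """Join proxied hits to direct beacons on session_id.

    A session is "decloaked" only if a beacon with the same id arrived from an
    address that is not a Tor exit. Beacons whose id matches no served page are
    ignored rather than trusted.
    """
    by_session: Dict[str, List[DirectBeacon]] = {}
    for beacon in beacons:
        by_session.setdefault(beacon.session_id, []).append(beacon)

    results: Dict[str, Resolution] = {}
    for hit in hits:
        res = Resolution(session_id=hit.session_id, tor_ip=hit.seen_ip)
        for beacon in by_session.get(hit.session_id, []):
            if beacon.source_ip in tor_exits:
                # The direct socket also left via Tor: nothing learned about the real address.
                continue
            res.real_ip = beacon.source_ip
            res.os_name = beacon.os_name
            res.cpu_arch = beacon.cpu_arch
            break
        results[hit.session_id] = res
    return results


def sample_run() -> Dict[str, Resolution]:
    """Constructed traffic: one decloaked client, one proxy-honouring plugin, one plugin-free browser."""
    hits = [
        ProxiedHit("4f1d", "185.220.101.7"),   # plugin enabled, direct socket bypasses proxy
        ProxiedHit("9a7c", "185.220.101.9"),   # plugin enabled but routed through Tor anyway
        ProxiedHit("e02b", "185.220.101.7"),   # current Tor Browser, plugins disabled: no beacon
    ]
    beacons = [
        DirectBeacon("4f1d", "203.0.113.45", "Windows 7", "x86"),
        DirectBeacon("9a7c", "185.220.101.9", "Linux", "x86_64"),
        DirectBeacon("zzzz", "198.51.100.23", "Windows XP", "x86"),  # id never issued: ignored
    ]
    return correlate(hits, beacons, TOR_EXITS)


if __name__ == "__main__":
    for sid, r in sample_run().items():
        status = (f"decloaked -> {r.real_ip} ({r.os_name}, {r.cpu_arch})"
                  if r.real_ip else "not decloaked")
        print(f"session {sid}: seen from exit {r.tor_ip}, {status}")
```

Two caveats a practitioner would raise against the "known rate of error" factor above: the correlation only ever yields the address the beacon's TCP connection came from, so behind NAT or a shared VPN endpoint it identifies a gateway rather than a person, and the whole join rests on the session identifier being unguessable and not replayable, which is why the model above discards beacons whose id was never issued.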

The final report was issued in mid-January 2015, and after reviewing it Mr. Cottom, the defendant Gross represented, had further technical questions about the NIT.

“The investigators turned in their final report mid-January and after analysis Mr. Cottom had further questions about the network and logging environment of the NIT. Mr. Cottom also switched legal representation from Mr. Joseph Gross of Timmermier, Gross and Prentiss to Mr. Joseph Howard of DLT Lawyers.” 

Pierluigi Paganini

(Security Affairs –FBI, NIT)
