In this episode, we get the opportunity to learn about a niche aspect of investigative research. Carolina Christofoletti, a passionate advocate and researcher, shares how she and her peers fight the proliferation of CSAM (Child Sexual Abuse Materials) on the Dark Web. In this chat we covered the role of OPSEC in sensitive investigations, how she approaches the process of conducting investigations, how cybercrime studies make her a better researcher, and how aspiring practitioners can get started down the same career path as her.
Big Ideas from This Episode
- Being a CSAM researcher requires knowledge across disciplines such as:
– Understanding how cyber criminals behave (mechanics, techniques, etc.)
– Practicing good OPSEC to protect the researcher
– Coordinating with Law Enforcement and other researchers across the globe
– OSINT techniques
– Understanding blockchain
- What is very counterintuitive is that researching the Surface Web (the subpoena world) might be harder than researching the Dark Web. Because they are in plain sight, CSAM criminals tend to use much more complex techniques to build their networks in the Surface Web — compared to the Dark Web, where CSAM intelligence seems to be more concentrated.
- The way in which investigative findings are reported is CRITICAL. CSAM researchers must report their findings in a way that (1) does not inform criminals about how to evade researchers in the future and (2) does not compromise current Law Enforcement work.
- “We’re not dealing with doughnut sellers” — it’s important to understand the nature of the adversary; they are highly sensitive to detecting when researchers might be reviewing their activity (e.g. they will change the website if they think they are under scrutiny and maybe even try to intimidate researchers)
- CSAM threat actors are highly organized; they are constantly trying to identify counter intelligence (CSAM researchers; the good guys).
- It is CRITICAL for CSAM researchers to coordinate with Law Enforcement, so as not to become the target of LE investigations when they’re fighting CSAM.
– Carolina Christofoletti’s Research Articles on LinkedIn
– Beyond Tolerance: Child Pornography on the Internet by Philip Jenkins
– Research from Dr. Bryce Westlake, Associate Professor of Criminology and Digital Forensics
Use CONTROL + F to search the transcript below if you want to learn more!
Transcript from this episode (#5)
*Note: this transcript was generated using automated software, and may not be a perfect transcription. But I hope you find it useful.
Travis 1:33 So to get things started, could you share a little bit about the role that you play today? And then also, if you could explain CSAM, that would also be really useful for the audience as well.

Carolina 1:46 For sure, at present I'm a CSAM researcher currently assigned to TRM Labs. And what I can say about my role is that I solve puzzles aimed at achieving the best positive impacts possible in the crypto industry. So to guarantee that we are able to deal with cryptocurrency in a way that is free from CSAM. And I would say that my role involves not only mapping seasoned threat actors, but also guarantee that the field often a single piece of address information that we are able to get from threat actors becomes exponentially 10,000 additional valuable threat intelligence inputs for the blockchain. And yet for the cryptocurrency industry, this might be exactly the value of CSAM research onboard. So that to make threat intelligence on every living function, reading, so blockchain intelligence.

Travis 2:42 I see. And for CSAM, like what can you share more about what CSAM is maybe what qualifies as CSAM and

Carolina 2:50 Absolutely more there? Yeah, that's a very good question. And also, if we consider that CSAM criminals, they are often hiding in plain sight, meaning that they use some kind of very specific and optimization techniques. So to guarantee that, for example, if you don't have a very specific knowledge about how those threat networks operate, they have a high chance of just passing by without being even noticed yet. And for CSAM specifically we have two very different cases. One is the case where we have explicit CSAM images. So being offered for so commercial purposes. So that's one case.
And the other case that we have, and it's particularly interesting is just like CSAM criminals trying to hide with, for example, photos that are sold victims photos that they simply share, just by so with the intent of alerting other criminals that they have content with this victim and that they're really to share and willing also to sell. So that's two very different frameworks, but on the CSAM problem here that we are speaking about.

Travis 4:01 That's such an interesting topic to do research around and like, like when you think about your day to day if someone ever asks you. Hey Carolina, so in your day to day, what types of projects do you typically find yourself working on? How would you describe that to someone?

Carolina 4:20 Yeah, I think I would say I will need to say that I have almost the world. As I mentioned, I'm a CSAM blockchain analyst at TRM Labs, United States, but I'm also assistant researcher here at University of São Paulo, Brazil, where I work in partnership with national and international law enforcement agencies. In parallel to that, I also volunteer in some child protective initiatives, some of them which are we analysis some, but what I can say is that we are kind of trying to understand some more in depth, how those criminal networks operate. So to be able also to kind of build a sort of reactivate intelligence in a way that we can, for example, also work in a predictable fashion. So that we can say for example, given the uncertainty unknown, so events in the future, we can at least have a set of possibilities that we are expecting to happen for some threat actor so that we can first so kind of arrive at the point. So before criminals do, so yeah, kind of working with this kind of predict predictive analysis and everything.

Travis 5:32 Wow, that's so cool. So you're developing relationships with law enforcement, you're working with universities and collaborating with them to develop more research? That's, that's fascinating.
And how does this all relate back to the blockchain? Like for me, I'm very unfamiliar with Blockchain. So how does your research relate to the blockchain?

Carolina 5:56 Yeah, that's a super interesting question also to answer what a CSAM researcher is doing at a blockchain intelligence company. That's super interesting, because yeah, the CSAM cases, specifically, it has some very important features, I would say that we must consider, you know, so especially when we are dealing with criminal actors, not every CSAM so address or that everything related to CSAM is spirit, you know, so most of the times we have addresses that are shared, so among lots of other CSAM entities, we have addresses that. By seeing the blockchain, we know that there's something else running on the background and we try to figure out what so the problem or maybe the challenge here, I'd say of studying. So CSAM inside blockchain is just like trying to figure out what those mechanics are. So most of the times we are working, as I have already previously mentioned it with a single piece of data in a single piece of data in the blockchain is too little. So we are trying to find out ways to expand that in order to guarantee that, yes, so we are up to date with criminal techniques inside of blockchain, also to be able to best or to better inform the industry here. That's the point I will say.

Travis 7:19 I see. Yeah, that's very useful. So yeah, so blockchain gets back to like the finances that support people that are that are distributing CSAM. Absolutely. And for you Carolina, were there any early influences or late influences that drove you in the direction of becoming a CSAM researcher?

Carolina 7:42 Yeah, for sure. And if I could have someone here would be specifically to the CSAM field. Philip Jenkins who is a professor of history at Baylor University in the United States. And he's also the author of a book that is today, she's my inspiration for the work I do.
It's called Beyond Tolerance: Child Pornography on the Internet. And indeed, this is how I evaluate, for example, the usefulness of a library for my studies today. So if they do have this book or not, and for me, what is particularly interesting about the work that Jenkins has done is that in my opinion, this is a work that is completely unique. And even though CSAM has not become the main topic or research topic of the author, he was, in my opinion, one of the first ones to point out the relevance of understanding the CSAM mechanic, according to its own particularity. So it's the first written stories that we have about so CSAM forums, how they work, how CSAM criminals interact with each other. So he was the first one to prove the value of that. And also someone who had said explicitly that he had done that, but he was super sure that this kind of research, it will become harder and harder, because we start to become also highly dependent on law enforcement approval, or lots of other kinds of formal approval to conduct this kind of work. So that's super interesting, you know?

Travis 9:13 Yeah, it's so cool, how just reading one book from, you know, some authors in the United States really put you down that path

Carolina 9:21 Absolutely it was decisive for me.

Travis 9:26 So I'll definitely include a link to that book in in the show notes after the podcasts. And then I was talking to someone recently and they, they had an interest in pursuing pursuing a career in doing online research to fight human trafficking to fight CSAM, what advice do you usually give to people who are young professionals who want to get involved in a career like yours? Like is there any particular path for them?

Carolina 9:56 Yes, specifically in specially ... how huge such a thing as OSINT is or even the cybersecurity industry, my best advice here would be be specific in what you are doing.
And specificity means here particularly being just like very objective in what kind of things you are doing. So what your focus here is. So for example, we set off just researching all things overall, you become really specialize it in a rational threat actor group that, yeah has been proving as an emerging threat, or something that can really viewed you as a differential here. So I think it's super important. Also, when we talk about threat intelligence overall, that we do have a notion of everything that is going on in the scenario. So to guarantee, for example, that this is a researcher can also receive input from the dark web researcher, the dark markets, researchers in everything. But for me, it's super important that we have kind of these more specific approach, because most of the times, that's exactly what, so it's missing, you know, that's what the market is looking for. And it's also where you have the better chances of developing yourself as a career, you know, so exactly in those points that haven't been researched yet. So that would be specifically, yeah, my advice here have a focus in making it super specific. So that would be my advice overall, here.

Travis 11:35 Thank you that that's, that's very useful. And when you talk about OSINT, is your type of research, do you find that most of the work that you're doing is on the dark web? Is it is any part of your investigations on, you know, just the normal internet on the surface web and deep web?

Carolina 11:52 Yeah, it's super interesting, because for me, they are showing misconceptions here. First, that the dark web is harder than the surface web, I would say that the very opposite. So especially because some criminals, they are operating, in other words, that we have logs, we have someone that we can submit a subpoena to, that's super important that we consider that they are going to try to make things harder and harder, you know.
So most of the times because criminals, they are located on the dark web, they have this sense of protection, you know, they think that they are only always protecting them. And most of the times what ends up happening is that the amount of information that we find on the dark web is much higher than what we find on the surface web for what we need a very specific kind of knowledge in order to dig deeper into. So for me, it's super important also that we recognize what is happening with this boom of dark web research is simply an area that I myself find easier to research compared to the surface web, most of the times and also because on the surface web, you have to have a very good documentation of how you are seeing, for example, that there is a CSAM something behind you know, most of the times the puzzles are much more complex than the ones that we are seeing on the dark web. And that's something that we must consider also, in terms of methodology, not necessarily the methodology that we are using for the dark web, you also remain valid for the surface. But and yeah, those are two different telescopes that we need to consider if we're going to just speak about CSAM research.

Travis 13:30 That's interesting. And that's so counterintuitive, because for me, someone who's like, in my experience working in like corporate intelligence, and corporate threat assessment type investigations. Most of all, the work that I've ever done has just been on, you know, the regular internet using surface web using using the deep web using like proprietary data sources that like private investigators and other organizations might use. So I'm far less familiar with the dark web. But it's fascinating that you mentioned that you mentioned being on the dark web, it's basically easier to get some more more deep details that that you find useful in the investigation. So that's, that's so counterintuitive for me. That's interesting. Yeah, absolutely.
Carolina 14:16 If I can even give you an example about that. So when you talk about CSAM forums, we have just like a single place where CSAM criminals they are grouped. So it's much easier for us to know who talked with who or whether you are talking about what the context is specific of this forum is the same thing does not happen for the surface web, in a case that I can mention to you here is for example, a payment page that was completely separated, located also in another jurisdiction if compared to the joint page. Where is initially where the CSAM indicator should be. But yeah, when we look at that page, we had a bad feeling. We know we knew that something was wasn't completely right there. But just really researching that we could find the rest of the page, located somewhere in a jurisdiction in Western Europe. So that could prove really, so here is CSAM nexus. So let's deep dive into it. So it's super harder when you, you don't even have something to say, Oh, here's where you need to look for. So you need to also when we are researching the surface web, we need to develop super specific methodologies. And that also includes, for example, knowing how we are going to apply something just like Google Docs, jerseys and research. So provided that Google has already blocked all the useful CSAM intelligence or keywords and everything. So how are you going really to, to fight the algorithm here, and also the trusses empty? So systems in order to find out where had those various systems broken, you know, so that's super important also, for me to realize what a CSAM researcher has to do with trust and safety, you know? So that's kind of the third method, if I'm able to bypass the system and find something that's the CSAM criminals are doing that. So the system somehow got broken. And that's also what I tried to do with the articles No. So of course, we report all the content. So always should be text and everything.
But for me more than reporting, what is important to me is that, so big tech, and anyone who is involved as a stakeholder here in the CSAM scenario, so really recognizes what the point is such a proposal, new changes, and also I cannot change to it, I cannot change matter. But I can simply go there and say here's the case, here's how it was bypassed. So here's how you correct it also. So provided that I was the one initiating the research here. So you kind of is collaborative network here.

Travis 16:53 I see. Yeah. So it sounds like developing relationships is something that's really important in your role, like you mentioned, of course, developing relationships with law enforcement. But now you also mentioned developing relationships with the trust and safety teams at big tech so that you can go to them so that you can report information so that you could let them know about, you know, criminal activity about maybe loopholes that are enabling criminals. That's very interesting. I also remember that you're studying cybercrime. Could you share a little bit about how your studies in cybercrime kind of inform the research that you do?

Carolina 17:33 Yeah, that's a super nice question. Also, because yeah, I'm pursuing just like a cybersecurity master. So in cybercrime means thing right now. And for me, one of the most important things here is that, so we need to have a parameter to research something that if there is any research, so it's paper that is held by law enforcement agencies, and that we will not be able to have access to this knowledge. So for me, it's very important that, for example, while we have seen with dark markets or cyber crimes, which are kind of a more research area, can inform my work also the CSAM researcher. So for me, what I could simply realize in all those years, so research in CSAM is that there are lots of mechanics that they are duplicated.
And most of the times they are not originated in the CSAM scenario itself, but rather somewhere else. So we can mention, for example, the usage of PGP keys, that's something very common to Dark Web markets. So also a way of protecting so criminal information or to guarantee some kind of authenticity. And for me, it's super important also knowing for example, how this function works or where it was originally sourced. So to be able to understand what CSAM criminals really want with that. So it's super interesting here also, because we start so working in a comparative fashion. So for example, not necessarily the usage that so threat actors have for PGP keys on Dark Web markets, they are the same so as the usage of keys on forums. So for me, it's super important to understand this general panorama. So to be able to know where the differentiation lies, if ever.

Travis 19:29 Yeah, that's really good point. So a lot of your cybercrime studies come back to studying the mechanics and the techniques and tools used by cyber criminals. And then I also imagined to like another big area is to, I guess, to be more proficient when it comes to operational security, like being able to implement whatever procedures and tools you need as a researcher to protect yourself and to protect your fellow researchers. As you're as you're doing this type of research,

Carolina 20:02 Yeah, and that's a very important point, because specifically, when we talk about something just like CSAM research needs to be able to guarantee that we will make, we will not make ourselves identifiable among the criminals. And we will not make ourselves also a target to criminals in a way that, for example, we start reporting things with search in extensive detail, that they are able to recognize where this information was collected from whom was it collected by in some other kind of threat intelligence that can really play against us. So it's super important.
So specifically, when we are dealing with social sensitive research area, a system that we guarantee that if we are ever writing about it, we need to write it in a way that, for example, law enforcement work in a similar case, can recognize the mechanic but cannot recognize the case. So very specifically, in the reason of that is just not make our sale ourselves identifiable to criminals. And also guaranteeing that we are not advocating criminals are criminals should be in the middle, you know. So for me, it's super important, not only guaranteeing my OpSec, but also guaranteeing that I'm not just doing a statement of fact, so I'm just writing a thing, if I do have a formal proposal here how we can counter that. Because otherwise, what I would just be doing is just like giving a framework of how one should really work if you want. One, one should be just like a CSAM criminal, you know. So things need also to come with a proposal to guarantee Yeah, that we are always working on the right side. And that things don't have unexpected results here.

Travis 21:50 Yeah, that's something I'd never even thought about. So because like on my side, just doing like normal, normal investigative research, maybe on someone who makes a threat against a company, that's something that you never have to think about when it comes to like what you said, you have to think in like great detail how you're going to prepare your final research when you present it. Because like you said, if you include too much detail, then like criminals can understand how their network was compromised. So one they can learn, learn, essentially how to how to not get caught, but then also they could potentially identify who is who is reporting on their activities and who's conducting the investigation. So that's something so interesting that I that I've never considered just in my investigative research.
Next, I was curious to ask, so over the course of your career, are there any times where a failure has set you up for later success? Like, do you have a favorite failure ever in your career?

Carolina 22:54 Yeah, that's a great question. And curiously one that is ...so by, so employers in employee, so interview, that's very interesting. And for me, myself, I think that I, as a researcher, I am moved by failures. So if there was no failure, if there was no gap, so anything I wouldn't able, I wouldn't be able to research into the work that I do. So I think that failures are what pushed me through thinking how could we have done that better? And that's exactly what constitutes a CSAM researcher, and about a favorite failures, I would have many to mention. And, yes, specifically, I think that this is part of that kind of All Saints resignation, that we simply need to know that we are not dealing with doughnut sellers, we are dealing with our CSAM criminals, they are violent criminals, in most of the times things are not gonna get so good as we would have wished it so that they have gone I can mention, for example, for example, every time we are doing an operation in a server that we know that is potentially controlled by a system, we know we need to understand that wrong click there could lead to the page being destroyed, so vanishing or simply moving to another jurisdiction, because they kind of identify the researcher movement, you know, and that's super interesting thing, because this is kind of a real in concrete research problem now being dealt by criminologist because they are seeing so a problem also with the crawlers, you know, so CSAM criminals can and we will identify any kind of crawling behavior, any kind of exploratory behavior for so threat intelligence purposes. And as soon as they realize that they will simply for example, shut the audio down something that has already happened with me.
So they will simply guarantee that the CSAM page that was a CSAM page yesterday tomorrow with the car page, or so the system studio that existed there. So yesterday, tomorrow, it will display a message that reads all guarantee that you don't have any malware or anything that compromises your computer there. So just to kind of put this kind of theory in the researcher, so it's super important that, firstly, don't panic. And second, we remain resilient. So things will go wrong, and they should go wrong. Because if they don't, so you're probably dealing with that fish. So it's an easy target. And yeah, important is that we don't panic, and we are able to see a path forward, you know, we are able to see alternatives in how we are going really to solve the problem.

Travis 25:47 Yeah, and I think so many people listening who are also online researchers, I think everyone can everyone can relate to that when it comes to making mistakes. During the research process, when it comes to using different tools when it comes to like, reporting at the end or collecting, collecting supporting documents. I think everyone can totally relate to that. And yeah, it's all of those little failures, kind of like help you incrementally improve. So I think we could we could all relate to that. And also, I loved your point that, you know, we're not dealing with merchants selling donuts. That's, I think that's a perfect way to put it. In your case, you're dealing with people who are, you know, very hardcore criminals. And next, I wanted to ask you, you mentioned one book by the professor from Baylor. But are there any other books or resources that you think people interested in studying how to fight CSAM should check out?

Carolina 26:48 Yeah, for sure. First of all, I would say my LinkedIn articles that's very can read, free of charge.
And in English, a great part of my published works as a CSAM researcher, and also shorter names that I would get here were also researchers kind of doing a similar work as I am doing also tied to university would be motherland Evander Brueggen. So she's a researcher, so teamed up with the Dutch police and also working this criminological side of CSAM networks in specially on the dark web. So super interesting. So read here. And if you want to deep dive into something that is more surface web, but the name here I'll give is Bryce Westlake. He's a researcher at the Simon Fraser University located in Canada. And that's super interesting, because that's a combination of circumstances of having soul for example, very talented researchers, so ... with so resources or LE agencies that don't give them the opportunity of exploring things anew. So that's super interesting, so fresher to mandatory readings, you're also

Travis 28:04 Perfect, and I'll be sure to link to link to them. And it's so cool. Also, that you're really working with a global network. You're working with people in the US and Canada, in your shifts. That's awesome. And let's see. So as we're getting ready to wrap up the session, are there any, are there any final thoughts that you want to share with people who might be aspiring to be a CSAM researcher? Or learn more about it?

Carolina 28:32 Yeah, for sure, just like only to Mesa here a very bad recommendation, because I think it's issue of relevance. So we are dealing with super sensitive fields. And not always we have a comparative network in a way that most of the times we expect that intelligence is much more organized and criminals, but often that's not the case.
So it's always important when we are kind of researching CSAM, we need also to recognize that we are so someone just starting to research a threat actor group that is highly organized so from decades ago, so most of the times so they are researching us, they are also kind of trying to identify who the counterintelligence people their needs are. So it's super important that we keep our OpSec up to date and also to guarantee that we will not become the next law enforcement target. So because we will be the easiest fish there, simply because we are just trying to understand how they operate. So CSAM criminals have this kind of knowledge so accumulated from decades. And in this sense, it's super important also, when we are starting such a thing as CSAM research to have just like a formal and a very transparent agreement with law enforcement agencies about what is that we are doing so how so who is supervising everything here. So to guarantee that we are not going to leak any important, so intelligence information, which will also create a great problem here, and also not create a problem for us in the sense that we are doing something that is not legally authorized. And so that's also Yeah, to for advisors from here.

Travis 30:26 That's, that's great insight. And that's things that I also didn't consider. That's your Research totally comes back to, right the idea of counterintelligence of operational security of Trump while you're doing your research, of course, not doing more harm, but then also absolutely having to work with having to work with law enforcement agencies so that so that you're not doing anything illegal and so that they're not targeting you thinking that criminals that you're researching that's so fascinating. Exactly. Carolina, I'm super grateful that you shared your time with me today, I have a ton of really interesting notes that I wrote here.
And for me, this is a topic that's completely new, because I've spent so much of my time just investigating criminals making well not not necessarily criminals, but people making threats against corporations against private people. So for me, it was really interesting to learn about a type of investigations that are totally different, and that are part of like a really cool initiative and movement to get rid of CSAM and to fight human trafficking. So for me, this was a really cool conversation that I learned a lot from. So Carolina, thank you very much for sharing your time with me today. I'm super grateful.

Carolina 31:44 That's great to hear. Thanks for having me.