Computer Forensics Critical in the Trial of Silk Road’s Ross Ulbricht

The ongoing trial of Silk Road creator Ross Ulbricht (a.k.a. Dread Pirate Roberts, or DPR) is not only fascinating, but it will have tremendous implications for criminals in the future.

With close to a million registered users on the Silk Road and approximately $1.3 billion in transactions, the government had no choice but to prosecute the creator and alleged chief executive – Ross Ulbricht.

The Tor network Ulbricht used for years has been notorious for shielding the identities of some of the world’s most unsavory characters – trading in child abuse images, dealing narcotics, proffering stolen credit card numbers, peddling guns and ammunition and many other illicit activities. If the government proves its case and successfully convicts Ulbricht, it will send shockwaves through the Dark Net community of criminal actors.

Some will argue Ulbricht is a libertarian or an entrepreneur, but those who opt to conduct their business on Tor and use Bitcoin as the only means to transact their business must know that they are engaging with some of the most notorious underground criminals seeking to ply their trade off the grid away from government surveillance.

Editor’s note: Read Homeland Security Today’s November 2013 cover illustration award-winning report, The Dark Web: The Place Where Digital Evil Lurks.

Government agents and prosecutors have put together an impressive case against Ulbricht, and it’s difficult to understand why a plea deal was not accepted. The defendant admitted he created the Silk Road; Charlie Shrem pled guilty to transferring $1 million in Bitcoin to the Silk Road and essentially laundered money for this notorious online criminal bazaar; Cornelis Jan Slomp, also known as “SuperTrips,” pled guilty to drug trafficking via the Silk Road; and numerous other witnesses for the government have so far provided potentially damning evidence.

Additionally, a package containing fake IDs with Ulbricht’s photograph on each one was seized at the Canadian border by US Border Patrol agents, which subsequently led investigators to Ulbricht.

We might conclude Ulbricht continues his fight because he is facing the prospect of life in prison — or perhaps he is fighting the case on principle; after all, he does have many supporters outside the Silk Road, as evidenced by freeross.org and his supporters outside the courtroom. We should also consider Ulbricht has a very competent defense attorney – Harvard Law graduate Joshua Dratel, who has defended terrorists and a Guantanamo detainee, and is certainly no stranger to advocating for some of the most notorious defendants. If Ulbricht did in fact net $420 million in commissions, as prosecutors contend, then he can certainly afford high-profile, hard-hitting counsel.

This case clearly identifies how critical computer forensics is today in building a solid case against suspected cyber criminals. Prosecutors have hardly put a foot wrong in this case except that a list of their exhibits and potential defense objections was inadvertently leaked online and later reposted on other Websites. This, of course, will provide defense counsel with an interesting perspective on how the case will proceed. Nevertheless, it is intriguing for the neutral to view the evidence that will be presented by the prosecution.

At Pace University, we have conducted forensic examinations of computers that have utilized anonymous peer-to-peer network browsers like I2P, DuckDuckGo and, of course, Tor. Unfortunately, digital traces of a person’s activity on this anonymous network are minimal … if not non-existent. To put this in perspective, an investigator is more likely to gather incriminating evidence from a user who deleted their browsing history and cache, and used an application to further sanitize his browsing history. However, in this case, investigators managed to log the live “connection status” of DPR on Tor after entering the Glen Park library, and captured the chat logs of DPR with a user called “Cirrus” on the Silk Road.

Most significantly, federal agents managed to arrest Ulbricht in the library without the suspect having an opportunity to power down his computer. Federal agents caused a loud disturbance in the library as a couple pretended to argue. With Ulbricht distracted, they grabbed his laptop. Not only were investigators able to take screenshots of the alleged administrator panel for the Silk Road on his screen, but with the computer still powered on investigators presumably performed live forensics on the computer, which entails performing a RAM capture. RAM is a treasure trove of evidence for investigators because it shows a list of running processes, Websites visited, online chat and often passwords – but only if the computer is still powered on. Seizing a computer that is powered on is also critical to ensuring that files, folders or drives do not become encrypted and that password-protection is not enabled.

Other incriminating evidence was allegedly recovered from the suspect’s computer, including “Bitcoin-Wallet,” records of Bitcoin transactions, illicit goods and services for sale and a spreadsheet detailing Ulbricht’s net worth. The most interesting — and potentially destructive to the defendant’s argument that the Silk Road was merely an economic experiment that Ulbricht later walked away from — are the journals reportedly found on Ulbricht’s Samsung 700z laptop.

Ultimately, on Tor it is even more challenging to prove whom you’re chatting with online, and verifying dates and times is difficult because messages are routed through so many proxy computers worldwide. This will be problematic for FBI investigators and other witnesses for the prosecution fielding questions under cross-examination from Dratel, as we have already seen in the courtroom. Proving who was contacting whom and when will be difficult, and, therefore, traditional witness testimony will be pivotal in proving Ulbricht’s intentions after his economic experiment became a reality.

The Silk Road was, by some accounts, a highly sophisticated online marketplace with support staff. Testimony from those employees may be more important than the testimony of the vendors that used the site.

While there are many large organized criminal gangs located in Russia and Eastern Europe, the trials of Ross Ulbricht, Albert Gonzalez (who was convicted in 2009 for hacking into companies like TJX Corp and Heartland Payment Systems) and others remind us that some of the most successful “ecommerce entrepreneurs,” who develop new ways to facilitate criminal activity, are homegrown, and that the Internet continues to make criminal global partnerships extremely lucrative.

Consequently, there is a desperate need to educate and graduate sophisticated computer forensics researchers and not simply focus on computer security analysts, who possess a completely different skillset.

Darren Hayes, Ph.D, is Assistant Professor and Director of Cybersecurity at Pace University’s Seidenberg School of Computer Science and Information Systems in New York, and author of A Practical Guide to Computer Forensics Investigations, published in December 2014. In 2013, he was listed as one of the Top 10 computer forensics professors by Forensics Colleges.


The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
