Internet which the [fugitive] is apparently using...”
Though unable to discuss the details of the case publicly, we can consider the model: The police have a single packet trace known to be from the fugitive’s device (perhaps a threatening email message) and now seek to determine if other threatening messages were also sent from the same device, thereby identifying the fugitive’s current IP address and, hence, geographic area of operation.
Also increasingly common is for authorities to recover computer equipment when suspects are taken into custody. Tying it to other online actions, especially beyond a reasonable doubt, is challenging absent a strong forensic identifier. A strong forensic identifier would allow a recovered laptop to be directly and unambiguously bound to particular messages logged by law enforcement.
Background and Related Work
The value of forensic attribution—use of technical means to establish the presence of a person or object at a crime scene after the fact—has a long history in law enforcement, dating to the late 19th century.[a] Lacking an eyewitness to a crime, forensic methods often become a critical tool in an investigation.
Forensic professionals, security researchers, and Internet industry leaders alike recognize that Internet crime poses a special challenge for forensic attribution. Unlike physical evidence (such as fingerprints and DNA), digital objects are, prima facie, not unique. The Internet architecture places no technical restrictions on how a host generates packets, so every bit of a packet can be trivially manipulated in subtle ways to hide its provenance.
Indeed, criminals have long spoofed the source address of their Internet traffic to conceal their activity [7, 16]. While a range of systems has been proposed to detect and/or block IP source-address spoofing, such systems are deployed inconsistently, and none are foolproof, even in their ideal embodiment. A long line of literature has focused on tracing spoofed packets back to their source [17, 19], but their approaches are motivated by network operational needs and focus on delivering topological path information, an even more abstract property than an IP address.

[a] The city of Calcutta first systematically used human fingerprints for criminal records in 1897, followed by Scotland Yard in Britain in 1901.
More important, IP addresses are not unique identifiers, even when used as intended. An IP address represents a topological location in the network for the purpose of routing, not a way to specify a physical endpoint. It is common for protocols (such as DHCP, Mobile IP, and NAT) to dynamically change the mapping between IP address and physical machine as part of their normal use. While some mappings are logged, this data is commonly retained for only a limited period. “The Internet,” David Aucsmith wrote, “provides criminals two of the most coveted qualities: anonymity and mobility.” [3]
While we are unaware of other published attempts to provide network-level forensic attribution to physical hosts, a number of related research projects make similar use of cryptographic mechanisms. The source-authentication systems, or “packet passports,” of Liu et al. [14] and “Accountable Internet Protocol” of Andersen et al. [1] both use cryptographic identifiers. However, these systems focus on ensuring the consistency and topological validity of the IP source address itself to prevent address spoofing and do not address either user privacy concerns or the need for long-term physical linkage required for forensic attribution.
Design Goals
Clue reflects the following basic requirements:
Physical names. Attribution must provide a link to a physical object (such as the sending computer). A physical computer can have an associated owner and permit association via sales-and-maintenance records. Moreover, given continuous ownership, a physical computer may be reused in multiple attacks. Identifying this computer allows the attacks to be linked, even if the physical computer is never recovered. Finally, a physical computer accretes physical forensic evidence as a side effect of its use. Indeed, much of this article was written on a laptop with extensive fingerprint evidence on the screen and, upon examination, a range of hair and skin samples beneath the keyboard. If this laptop were found, it could be unambiguously linked to one of the authors via DNA or fingerprint comparisons;