(800) 484-3946 info@derickdowns.com

Telegram latency in Belarus

At the end of October 2020, Qurium received reports from users in Belarus that Telegram service was not working properly. Although the service was reachable, an increased latency was noted among the users.

Beltelecom, the national telecommunications company in Belarus, fully owned by the Government of Belarus and operated by the Ministry of Telecommunications, controls the traffic of Telegram, generating latency for the messenger platform in Belarus.

During the past weeks Qurium Media Foundation and Human Constanta, a human rights NGO in Belarus, have been monitoring an increase of latency against the Telegram network from Belarus. During protests, only certain IP addresses inside of Telegram network had high latency. This behavior is likely the result of a traffic control policy implemented by the operator.

“The traffic policy is individually applied to each of the IPs in the Telegram network so addresses with less traffic experience less latency”, states Qurium’s forensics report. In order to confirm where the traffic shaping is taking place, Qurium measured the latency from different providers during last Sunday’s protests. The measurements showed latency from Beltelecom, while latency was not present in traffic from other providers in the country.

“The increase of latency seems to respond to some kind of traffic shaping strategy. These network traffic control strategies limit the output rate of certain types of traffic, in this case Telegram traffic.” states the report published by Qurium. “An analysis of latency during four days reveals the periodical congestion issues during peak Telegram usage during lunch time and in the evenings.”

Qurium forensics report: Telegram latency and Belarus

About the authors:

Digital forensics: Tord Lundström, Qurium Media Foundation t@virtualroad.org
Media: Clara Zid, Qurium Media Foundation info@virtualroad.org

Fighting Child Exploitation With Digital Forensics

Why it matters

Who will listen to the hundreds, if not thousands, of silent children who cry out for justice after being victims of manipulators or authority figures?

You would think that the answer to the question “why does it matter?” would be obvious. But it is not, which I became aware of one afternoon when I was presenting on behalf of the Florida Office of the Attorney General Child Predator Cybercrime Unit, at a major conference for Law Enforcement administrators.

During the Q&A portion I had a Deputy Sheriff ask me “Why should we spend valuable resources on a Kiddy Porn picture case?”. The question came from a female officer and it caught me by surprise. At the end of this blog, I will give you my answer to her question. But first let us examine how decision-makers feel about Child Pornography cases. (We should never use the term “Child Porn” and “Kiddy Porn” to describe the horrific crime that is being committed against children).

Why does it matter?

Children are precious members of our society and are often forgotten when “adults” talk about issues related to them. Most often crimes against children are overlooked unless it happens to you or is a major community event.

Just ask the Walsh family or the Ryce Family.  Better yet, talk to Alicia Kozakiewicz who at 13 years of age on a cold New Year’s eve was abducted by someone she was communicating with online and who she thought was her age but who turned out to be a 38 year old child predator.

So, when we see pictures of children being abused, it is vitally important to understand that these children are victims of a crime that is repeated every time the picture is resold or reshared. This repetition of the crime, time after time, makes these cases so difficult mentally for investigators. These are not just “pictures”, they are in fact crimes in their own right.

Perpetrators of crimes against children are “preferential sex offenders” as defined by the Nation Criminal Justice Reference Service. They either keep items that belong to the child or they memorialize their molestation by taking pictures or videos of the child as trophies. Every time that image or video is disseminated and viewed by other preferential sex offenders that child is once again abused and made a victim.

I remember my first case dealing with the sexual abuse of a child. It was a joint case with the FBI and legacy Custom. They brought Marvin Hersh case – the former Florida Atlantic University professor who preyed on young children around the world – to my attention.

The case showed me how individuals are capable of harming even the most innocent and vulnerable in our society. Mr. Hersh would travel to the poorest countries in Central and South America and befriend poor families with many children, giving them gifts and money. Once Hersh gained the trust of these families he would then sexually molest the children. He eventually brought a child to the US with a counterfeit birth certificate. The smoking gun in that case was the digital evidence recovered from Hersh’s computer together with the 15-year-old victim’s story.

The sexual molestation of children alters them in ways that we may never know.

In 1998, I helped start the first federally funded “Internet Crimes Against Children” Task Force (ICAC). The Broward Sheriff’s Office (BSO) received one of the eight original federal grants to start the ICAC. That was when I realized how important our roles as Investigators were in combating this heinous crime.

First off, we were initiating a new frontier as law enforcement officers, entering into the dark underbelly of the burgeoning Internet. Remember this was only a few short years after the Internet Browser first debuted in 1993. Secondly, we were in uncharted territory when it came to investigate digital crimes. There were no standard police practices to guide us. Thirdly, there was no case law or precedent dealing with digital evidence. And lastly, we were dealing with digital technology like Bulletin Boards Systems (BBS), Internet Relay Chat (IRC), and News Groups, that most of our supervisors, prosecutors or judges just did not understand. On top of that we were aware that because of the global nature of the Internet we would have to deal with jurisdictional issues both within and outside the United States. This became painfully apparent in the case of Angel Mariscal on which I worked with the United States Postal Investigative Service. Here is an excerpt from the documentation of that case:


The Angel Mariscal case: 100-Year sentence

The second example I’d like to share with you is the Angel Mariscal case. In that case, Angel Mariscal received a 100-year prison sentence on September 30, 2004, after being convicted on seven charges including conspiracy to produce, importation, distribution, advertising, and possession with intent to sell child pornography. As with the first example I mentioned, this case was international in scope: Mariscal traveled repeatedly over a seven-year period to Cuba and Ecuador, where he produced and manufactured child pornography, including videotapes of himself sexually abusing minors, some under the age of 12. But our efforts did not stop with the arrest and prosecution of Mariscal. We launched Operation Lost Innocence to target Mariscal’s customers across the country. To date, Lost Innocence has resulted in 107 searches, 55 arrests/indictments, and 44 convictions. (Read more here)

As a Law Enforcement Against Child Harm (LEACH) and ICAC Task force member and together with Postal Investigator SA Beth Bendel, I investigated Angel Mariscal who, as the Congressional testimony indicates, resided in South Florida. Mariscal was in possession of and distributing thousands of pictures and videos of the sexual molestation of children to other like-minded child predators across the United States and globally. As the digital forensic examiner in the Mariscal case, that case showed me the volume of still images and videos created by Mariscal was daunting. Each item needed to be examined and viewed by a law enforcement officer who could then testify that in fact the individual in the images and video were minors. In 2004 the only tools I had to shield me from the screams of the children being anally or vaginally violated by these sexual predators was to turn off the sound. To make matters worse Mariscal was HIV positive and he exposed his child victims to the horrible disease.

Thankfully that is no longer the case. Today we have tools like Project VIC and VIC II which help prevent us from victimizing these children over again by having to view these images and videos.

Over the years programs such as the Wyoming Toolkit – the predecessor of Grid Cop, CPS, Roundup, ShareazaLE and National Center for Missing and Exploited Children (NCMEC) LE Portal and others – have employed the use of hashing algorithms to determine if an image or video is in fact the sexual molestation of a child. This protects both the victim and the investigator. The exploitation of children is still prevalent online and now has gone mobile and law enforcement has to keep vigilant on what media the child predator is using.

So, my answer to the Deputy Sheriff’s question. I told her about the Mariscal cases. I asked her how many officers they had investigating crimes against children. She told me they had one (1) and that Kiddy Porn pictures or videos are not “Pornography” as that image or video is a just a crime scene photo or video of the sexual molestation of a child. I then asked her how many investigators do you have conducting drug investigations? She said 20+.

I believe that drug investigations are important but to have only one investigator conducting investigations where a predator is seeking children online to molest and having over 20 investigators doing cases doesn’t make sense to me. Especially when the target is arrested and then released even before the paperwork is done and you’re arresting the same targets over and over again.

Putting time and resources into investigating child abuse images and videos is an excellent way to “serve and protect”. It defends some of the most vulnerable members of society and helps take out predators who may escalate from viewing images to physically damaging children. It deals with a real and present danger. But unless and until we viscerally understand that the images and videos are crimes in and of themselves and not just “crime scene photographs” we may never give them the serious consideration (and budget) they need and deserve.

It matters!

Author:  Derick Downs

You can read more on: https://www.octodigitalforensics.com

Issue 5 is Here

Issue 5 is Here

Hi folks,

Issue 5 of Digital Forensics Today is here. This time we’ve put together some great content on topics as far reaching as criminal profiling and volatile memory heap analysis; as well as the usual Legal section, From the Lab, and Angus Marshall’s IRQ column. We also welcome the world-famous, forensics commander-in-chief, a.k.a. Rob Lee, as one of our regulars who will be taking forward his own column in each and every issue from now on (now that’s value for money!). Also, we’ve introduced another new column to our format, this time concentrating on Mac Forensics (entitled Apple Autopsy) and at the helm of that section we welcome Sean Morrissey of Katana Forensic (and the brains behind the Lantern iOS forensics product and the forthcoming book from Apress on iOS forensics).

This is also the first of a series of special issues we’re putting together that focus on very specific themes of forensics. This idea came from a variety of 360 feedback letters and we believe it is a fantastic way of ensuring you get the biggest bang for you buck from your subscription. Issue 5 focuses on all aspects of Training & Education, opening the Pandora’s box of all the difficult issues of professionalism that you face every day.

Finally, we hope that you enjoy this issue of Digital Forensics Magazine, and please spread the word as we’ve really enjoyed our first year and want to make sure we continue publishing long into the future. We welcome all comments to our 360 department and will attempt to answer all your letters as quickly as possible.

Bye for now!


New iPhone Forenics White Paper

New iPhone Forenics White Paper

Are you looking for the best mobile forensics tool for iPhone Forensics? Well, a good place to start is viaForensics’ updated (and free) iPhone Forensics white paper at:


The white paper is geared towards forensic examiners and includes plenty of screenshots, comments and other useful information.

Why do we provide this white paper for free? Well, all of us are struggling with the influx of mobile devices. By reviewing each of the tools, we not only provide a service to the forensics community but we have great dialogue with the development companies and we hope it leads to improvements in their software (a.k.a make our jobs easier). We’ve observed great strides in the software since 2009 and if the community at large shares their feedback, we can make things better.

So check it out…and by all mean, please let us know what you think, where we can improve the tool or any other suggestions you have. And stay tuned for more updates. We are working on our Android Forensics white paper (as well as Syngress books on both iPhone and Android forensics) and since we’re clearly not busy enough, we might kick off a series with DFM on Forensics and Programming.

Andrew Hoog
Chief Investigative Officer
tel: +1 312-878-1100

The first annual (ISC)² Security Congress

The first annual (ISC)² Security Congress

(ISC)² Security Congress – Collocated with the ASIS International 57th Annual Seminar and Exhibits – September 19th – 22nd, Orlando, Florida

The first annual (ISC)² Security Congress offers invaluable education to all levels of information security professionals, not just (ISC)² members. This event will provide information security professionals with the tools to strengthen their security without restricting their business. (ISC)² and ASIS International have teamed up to bring you the largest security conference in the world, with five days of education and networking opportunities. Don’t miss out. Register today! To make your selection from over 200 conference sessions, free education and special pricing on official CISSP and CSSLP Intensive education. For more information, please visit: