by gea0 646 days ago
So, LE observes:

  - This IP had malicious activity or is otherwise relevant to a (maybe complicated) case
  - It says "tor" on a landing page, or in WHOIS, or the IP is on the public list of nodes
... does "it will be 100% worthless to investigate" really follow from only this?

Some things to consider:

  - All kinds of other servers, services or proxies could also be running on or behind this IP
  - The node could be misconfigured in a variety of ways to keep forensic traces, even being a VM that is being snapshotted regularly
  - Some lunatic could be running an exit on his personal machine, but just coincidentally with the observed criminal activity
  - A high percentage of nodes is malicious, keeps logs, mines data, poisons traffic and tries opportunistic TLS stripping (those poor, naive souls clicking the warning away...)

It does NOT follow that there are no useful forensic traces to be found, not even that the traffic actually originates from the Tor network.

Not to encourage raids on node operators, but it is worthwhile to keep in mind that there could be actual reasoning behind these actions.

If you are smart about this, you can even get the relevant and obtainable info with little LE resources and without unduly harassing the operator.