Using file and folder naming and structuring to improve automated detection of child sexual abuse images on the Dark Web

Abstract

Increasing dissemination of child sexual abuse material (CSAM), especially on the Dark Web, has necessitated greater reliance on automated detection tools. These tools typically match images and videos to known CSAM databases, which is an ineffective method for identifying unknown CSAM. To identify potential complimentary methods, we analysed 162 unique known images, displayed 7289 times on 988 Dark Web websites, to determine if patterns in file/folder naming and structuring tendencies existed on websites. Overall, websites prioritised organisation (ease of access) over obfuscation (security) and hosted almost all images they displayed. File/folder names were commonly alphanumeric, however, there was evidence of sequence file naming patterns. Webpages displaying CSAM were explicitly named, often using underage and/or incest-related keywords. Structuring patterns revealed presence of website copies (mirrors) which can impede effective CSAM removal. Recommendations for supplementing automated detection techniques are discussed.