Our research results are based solely on irrefutable evidence obtained through various forensic tools expertly wielded by professionals. This following report may be completely corraborated by Law Enforcement using our data. They shall have no problems to obtain access to full communication logs and email account of the perpetrator.
Bryan Nichols was an active participant on child pornography site hosted abroad. The members of that particular child pornography website were engaged in exchange of thousands of pictures and videos of the most vile abhorrent sort. People like Bryan think that it is OK to exchange child pornography outside of the jurisdiction of the USA and that it is not really a crime. We must prove them wrong together. Alert authorities in all and any ways that you know!
We were able to locate the server where the aformentioned website is hosted. By exploiting the security vulnerabiloties we gained a full control over the server. And the analysis of the mountains of data then followed.
We found and unencrypted a various payment information of some of the members of the website. We start pulling that string.
Here is what we've found in connection to Bryan.
0n 30/Oct/2018 04:15 PM CDT Bryan posted his credit card with a purpose of getting an access to all sections of the website. Here is what he entered:
You see his name, address, phone and CC details. Also you can see the IP address of his machine. Here is what you can get from a simple geolocation check on that IP:
ISP Organization: Spectrum
But because we introduced some obfuscated modifications in the code of CC processing, his card was not accepted and the system gave him an error that the email address is not correlated with the owner of the CC. Bryan then made a second attempt:
Please pay attention to the changed email-address: email@example.com.
This is an excerpt from the log of the webserver. Lets pull apart the first line and you will get an idea what it is about:
/var/log/httpd/custom_access_log-20181031:4535:ryanvandern [Wed 10/31/2018 @ 12:11:20.420 AM MSK] /var/sandbox/gui/sand/files/pictures/ 11yo_jordan_fucked_by_19yo_brother.jpg 188.8.131.52 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" W9jI@M-2kWuCuUhNSDJpxQAAAEc
/var/log/httpd/custom_access_log-20181031:4535 - log file of the webserver and a line number at which the information was found
ryanvandern - this is a name of the user which is issued a request. We already ascertained that this is Bryan Nichols.
[Wed 10/31/2018 @ 12:11:20.420 AM MSK] - date of the request. The timezone is MSK +03:00 (which is [Wed 10/31/2018 @ 04:11:20.420 AM CDT] in Central Daylight Time -05:00)
/var/sandbox/gui/sand/files/pictures/i 11yo_jordan_fucked_by_19yo_brother.jpg - the file which was requested. There are many more files but these are named very explicitly.
184.108.40.206 - address of the machine from which Bryan issued a request. ISP of that IP is "Spectrum".
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" - user-agent of the web-browser. In this particular case we can see that Bryan is using Microsoft Edge on Windows 10.
W9jI@M-2kWuCuUhNSDJpxQAAAEc - id of the forensic log (see below)
Here is a list of IP which Bryan was using:
As can be seen, Bryan was using only one IP address meaning that it is almost certain that he was using the same device to access child pornography website -- the machine from his own home. :)
Please remember that his ISP can corraborate our results with easiness and give it to the authorities without any doubts about any tampering made by anyone.
In this email Bryan sent a zip archive which contained five absolutely disgusting pictures. As we figured out this letter is a mandatory step of the registration proceqs. This means that Bryan knowingly sent a child pornography clearly realizing what he doing and why.
But as it turned out. this letter wasn't the first one. The system of registration consist of two steps. 80 initially Bryan sent a request to join the website:
Bryan absolutely certainly knew what he was doing and why. Nobody can make so many sequential actions by mistake. Would you agree?
We went farther than that and installed two very important changes on the server. The first change is that we switched the webserver from HTTPS protocol to the HTTP protocol. This simple change stripped all the anonymity off of Bryan by transmitting ALL requests from his computers to web-server in the open without a protection of encryption. Every request Bryan ever made to that particular server is now logged in plain text by ISP Spectrum and ready to be claimed by authorities.
The second change is a seamless upgrade of web-server access log capabilities. We added a forensic log module which saves exact fingerprint of a computer and can be served as a concrete and bulletproof evidence. Here is how it looks like:
It was a little more complicated to prove that Bryan is certainly a ryanvandern on the server.
1.a) By the phone number and the address specified by ryanvandern at the CC payment form we found a page about a sale of the house with a sequence of the pictures. In particular. check out this circular fire pit:
1.b) By using the first name, last name. the city and the state which ryanvandern was providing on the CC payment form, we found a facebook profile bryan.nichols2. Pay attention to the same circular fire pit from the one of the pictures of the profile:
This is the same fire pit that we seen in the section 1.a.
2.a) We found out that the email specified by Bryan on the second attempt of the payment is connected with a business Concrete Concepts and to the contact person Molly McElroy
2.b) In the facebook profile of Bryan we found a comment by Molly Nichols in the profile of which you can also find the maiden last name McElroy.
Of course if you confront Bryan, he might tell that he is a victim of a fraud and his CC was stolen and he wasn't a part of the child pornography enterprise. But this is extremely improbable by the follwing reasons:
1.) The primary goal of the criminals — is not $50 purchase of the child pornography but a direct financial gain which is usually done by purchasing something akin to iPhone with a shipment to the mule's address. Fraudsters are not interested in child pornography!
2.) No cybercriminal dealing with a stolen credit cards will use the business email of the victim in order to ship a service to it. This is simply because carders don't want the victims to see any notifications about the purchases. So for a carder it would be much simpler to just take another CC than to try to play around with anti-fraud system which demands a different email address.
3.) We pointed out that ryanvandern was entering CC from IP address which is connected to the ISP Spectrum which is located at the same city where the Bryan lives. Usually carders do not have an access to the computer of the victim so they forced to use a various SOCKS/SSH services which provide PROXY—servers. In this scenario it is virtually impossible to find a proxy-server with a suitable risk-score from the same City and State as the original owner so the carders just using a proxy—server from the same state as the original owner. So if Bryan really was a victim of a fraudsters there would not be the exact match of the City and State as we see in the logs.
So we presented enough evidence and arguments that Bryan is a ryanvandern and that Bryan is a pedophile.
Just ask him where he had been on the following dates (already converted to CDT timezone):
We proved that at these times he had been on the child pornography website.
Additionally, we pulled his conversations with administrator of the forum. Namely at 30/Oct/2018 01:16 PM CDT Bryan Nichols wrote:
As you can see, he confessed that not only he has a child pornography from bunch of different sites, but also he has a hidden cam. It is very probable that this hidden cam is used by Bryan to film his own children. This state of affairs is particularly disturbing and we urge you to act — Bryan has to be stopped.
We'd done our part. Now it is time for you to do yours. People like Bryan destroy lives in silence and with impunity. They are like cockroaches. They are terrified of open spaces and light. You can remain a casual bystander anymore. Help us drag them in the open. People around them have undeniable right to know what's going on. Shed the ligth! Protect our children from hidden predators like Bryan.
We stand by our mission. We can do no other!
Do what is right. Tweet about it. Tell your friends. Tell your neighbors. CALL THE POLICE!