Lawful Interception & Packet Forensics Analysis System

Uploaded by fishecologist (Mobile - Wireless), Dec 12, 2013

Casper Kan Chang, Decision Group, June 2010

IP Packet Capture Methods

There are three ways to capture IP packets, depending on the application and the applicable industry standard.

Packets captured from the IP network: for the IP network infrastructure of enterprises, ISPs, IDCs and LTE/WiMAX operators (a promiscuous-mode NIC or a switch mirror port, see the Sniffer and Mirror Mode slides).

IP packets from a Telco switch:

1. A traditional switch, through a mediation platform (the LI port of the switch and the ETSI/CALEA handover interfaces).

2. For IMS and all-IP networks, IP packets can be captured through the service broker at the application layer, or directly from the IP core switch at the media and end-point layer of the IMS system.

3. From a cable TV network (at the CMTS/head-end side, see the Cable TV slide).

IP Packet Capture Method: Sniffer

On a shared-medium (hub) Ethernet every frame is seen by every station, i.e. all physical signals reach the network interface card of the appliance. A NIC in promiscuous mode accepts every frame regardless of its destination MAC address; this is the basis of a sniffer. On a switched network a NIC only receives frames addressed to it, so there the appliance is fed from a switch mirror (SPAN) port instead (see the Mirror Mode Implementation slide).

Applies to: Enterprise, ISP, IDC, LTE/WiMAX (E-Detective)

Can Lawful Interception get that evidence?

For example, Email:
Sender email address, recipient email address
Time and date
Content
Location
... ...

More:
Sample: Email (POP3, SMTP and IMAP)
Sample: IM - Yahoo, MSN, ICQ, IRC, QQ, GTalk, etc.

What Lawful Interception Needs Now

Network packet capture and reconstruction (E-Detective) for:
Ethernet
Wireless (802.11a/b/g/n)
VoIP
HTTPS/SSL
Off-line (PCAP) analysis
Training & support


E-Detective Mirror Mode Implementation: Organization or Corporate Network Deployment

The core switch mirrors (SPAN) the traffic of the monitored ports or VLANs to the port where E-Detective's capture interface is attached, so E-Detective receives a copy of every frame without being placed in-line.

Wireless-Detective: Standalone System

Captures WLAN packets transmitted over the air at ranges up to 100 meters or more (using an enhanced system with a high-gain antenna).


Wireless-Detective Implementation Diagram (1): WLAN Lawful Interception, Standalone Architecture

Wireless-Detective deployment: captures a single channel, a single AP or a single STA. A monitor-mode radio listens on one channel at a time, so one standalone unit is tuned to the channel of the target AP or station.


Wireless-Detective: WPA-PSK Cracking Solution

The WPA 4-way handshake packets (the EAPOL-Key frames exchanged when a client joins the network) must be captured before the WPA key can be cracked.

A single server or distributed servers (running multiple smart password-list attacks simultaneously) are used to crack the WPA key.

Acceleration technology: GPU acceleration.

This is an offline dictionary attack: each candidate passphrase is expanded with PBKDF2-HMAC-SHA1 (4096 iterations, with the SSID as salt) and checked against the MIC in the captured handshake, so only a passphrase present in the password list can be recovered, and the PBKDF2 step is what the GPU and the distributed servers accelerate.

Note: WPA handshake packets can be captured by a standalone Wireless-Detective system or by distributed Wireless-Detective systems.

EDDC Offline Forensics Product

Offline raw data (PCAP) decoding and reconstruction system. Comes with user and case management features.

Workflow (from the diagram): Investigator 1 collects and imports raw data for Case 1; Investigator 2 collects and imports raw data for Case 2. EDDC decodes and reconstructs the various Internet protocols and services and produces Case 1 Results and Case 2 Results, kept separate per case.
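The offline decoding and reconstruction step above, and the email evidence items (sender, recipient, date, content) listed on the "Can Lawful Interception get that evidence?" slide, as one added example; this is not EDDC's code. It reads the classic libpcap format directly, dissects Ethernet/IPv4/TCP, reassembles each direction of a TCP connection by sequence number (so out-of-order and retransmitted segments still yield the right byte stream), and then pulls the SMTP envelope, Date header and message body out of the reconstructed client-to-server stream. The capture, addresses and message are constructed inside the script, so it runs offline; point parse_pcap at a real file to use it on a capture.

```python
# Added example (not EDDC's code): decode a libpcap file, dissect Ethernet/IPv4/TCP, reassemble
# each direction of a TCP flow by sequence number, then extract SMTP sender, recipient, date and
# content. The capture is CONSTRUCTED below (assumed addresses and message).
import struct
from collections import defaultdict

def parse_pcap(data):
    # libpcap: 24-byte global header, then (ts_sec, ts_usec, incl_len, orig_len) + frame per record
    magic, = struct.unpack("<I", data[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def dissect_tcp(frame):
    # Ethernet II -> IPv4 -> TCP. Returns (flow 4-tuple, seq, payload) or None for other traffic.
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack(">H", ip[2:4])[0]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack(">HHIIH", tcp[:14])
    return (src, sport, dst, dport), seq, tcp[(off_flags >> 12) * 4:]

def reassemble_streams(pcap):
    # One byte stream per direction; segments ordered by seq, duplicates and overlaps dropped.
    segs, first_ts = defaultdict(dict), {}
    for ts, frame in parse_pcap(pcap):
        d = dissect_tcp(frame)
        if d and d[2]:
            flow, seq, payload = d
            segs[flow].setdefault(seq, payload)        # keep the first copy of a retransmission
            first_ts.setdefault(flow, ts)
    streams = {}
    for flow, by_seq in segs.items():
        out, end = bytearray(), None
        for seq in sorted(by_seq):
            payload = by_seq[seq]
            if end is not None and seq < end:
                payload = payload[end - seq:]          # trim bytes already delivered
            out += payload
            end = seq + len(by_seq[seq])
        streams[flow] = (first_ts[flow], bytes(out))
    return streams

def extract_smtp_evidence(streams):
    # Client->server stream on port 25: envelope (MAIL FROM / RCPT TO), headers and body.
    for (src, sport, dst, dport), (ts, data) in streams.items():
        if dport != 25:
            continue
        text = data.decode("latin-1")
        ev = {"client": src, "server": dst, "first_seen": ts, "recipients": []}
        for line in text.split("\r\n"):
            if line.upper().startswith("MAIL FROM:"):
                ev["sender"] = line.split(":", 1)[1].strip().strip("<>")
            elif line.upper().startswith("RCPT TO:"):
                ev["recipients"].append(line.split(":", 1)[1].strip().strip("<>"))
        if "\r\nDATA\r\n" in text:
            msg = text.split("\r\nDATA\r\n", 1)[1].split("\r\n.\r\n", 1)[0]
            headers, _, ev["content"] = msg.partition("\r\n\r\n")
            for h in headers.split("\r\n"):
                name, _, value = h.partition(":")
                if name.lower() in ("date", "subject"):
                    ev[name.lower()] = value.strip()
        return ev
    return None

# ---- constructed capture (assumed addresses and message, not from a real intercept) ----
def _tcp_frame(src, sport, dst, dport, seq, payload):
    # Ethernet/IPv4/TCP with PSH|ACK; checksums left zero because nothing here validates them
    tcp = struct.pack(">HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, 8192, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + ip + tcp

def build_constructed_pcap():
    client, server, seq, ts = "10.0.0.5", "192.0.2.25", 1000, 1276651800
    cmds = [b"EHLO laptop\r\n", b"MAIL FROM:<alice@example.net>\r\n", b"RCPT TO:<bob@example.org>\r\n",
            b"DATA\r\n", b"From: alice@example.net\r\nTo: bob@example.org\r\n"
            b"Date: Wed, 16 Jun 2010 09:30:00 +0800\r\nSubject: meeting\r\n\r\n"
            b"Tomorrow 10am, same place.\r\n.\r\n", b"QUIT\r\n"]
    recs = []
    for i, cmd in enumerate(cmds):
        recs.append((ts + i, _tcp_frame(client, 40001, server, 25, seq, cmd)))
        seq += len(cmd)
    recs.append((ts, _tcp_frame(server, 25, client, 40001, 5000, b"220 mail.example.org ESMTP\r\n")))
    recs[1], recs[2] = recs[2], recs[1]   # two client segments arrive out of order
    recs.append(recs[3])                  # and one is retransmitted
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # little-endian pcap header
    for t, frame in recs:
        out += struct.pack("<IIII", t, 0, len(frame), len(frame)) + frame
    return out
```

Calling extract_smtp_evidence(reassemble_streams(build_constructed_pcap())) returns a dictionary with the client and server addresses, the time the flow was first seen, the envelope sender and recipients, the Date and Subject headers and the body. Reassembly is per direction and ignores TCP flags, which is enough for offline evidence extraction but not a substitute for a full TCP state machine on captures with resets or IP fragmentation.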

HTTPS/SSL MITM Interception System

Intercepts and reconstructs HTTPS/SSL traffic, obtains the username and password entered on HTTPS login pages, and intercepts only specific targets (suspects). Because the session is terminated and re-encrypted by a man-in-the-middle, the target's browser is presented with the interceptor's certificate instead of the real server's; unless that certificate chains to a CA the client already trusts, the client shows a certificate warning, and a client that pins the server's certificate refuses the connection outright, so the interception is not transparent by default.

Software Architecture

IM/Chat (Yahoo, MSN, ICQ, QQ, IRC, Google Talk, etc.)
Email
Webmail
HTTP (link, content, reconstruct, upload, download)
File Transfer (FTP, P2P)
Others (online games, Telnet, etc.)

More than 140 Internet protocols supported.

Data Captured through a Traditional Telco Switch

[Diagram, VoIP call: Telco side: the target's Router/IAD and the other user's Router/IAD connect through edge routers to the TDM/soft switch and SBC; the call content gateway server delivers the RTP stream as INI-3 Call Content, together with the control information, to the MEDIATION platform. LEA side: the mediation platform hands HI-1 (provisioning), HI-2 (IRI, intercept-related information) and HI-3 (content) to the ANALYSIS system, EDDC.]

From the LI port of the soft switch/TDM switch, signals are captured according to the ETSI/CALEA standard. They pass through the mediation platform, which converts the data and delivers it over the Handover Interfaces (HI) to EDDC for further packet analysis.



Data Packet Captured through a Telco IP Switch

[Diagram: Telco side: the target's Router/IAD and the other user's Router/IAD connect through edge routers to the IMS core switch; E-Detective is attached at the application layer (SGIM) and at the media layer (core switch). LEA side: the captured packets go to EDDC for ANALYSIS.]

E-Detective directly captures IP data packets from the application layer or the media layer of IMS/all-IP networks, so it is not necessary to pass through a mediation platform. This is predicted to be the future trend for all Telco operators.


Data Packet Captured through Cable TV

[Diagram: head end: the CMS (session layer), the Internet and Cable TV broadcasting feed the CMTS; downstream 50~1000 MHz and upstream 5~42 MHz are carried over analog fiber optic to the fiber optic node and on to the user loop. Subscriber side: NIUs serve the cable modem (CM) with the computer, the STB with the TV, and the telephone. Mediation and E-Detective are attached on the head-end side.]

Technology Transfer Program

To help ETRI enhance its capability in LI application research.

Target: E-Detective, Wireless-Detective
Scope: source code, on-site training, on-site assistance for software development, reasonable fee

Contact Information

Casper Chang Kan / CEO: chang_kan@decision.com.tw
Ted Chao / Product Manager: ted@decision.com.tw
Address: 4/F No. 31, Alley 4, Lane 36, Sec. 5, Ming-Shan East Road, Taipei, Taiwan, R.O.C.
Phone No: +886 2 2766 5753
Fax No: +886 2 2766 5702
URL: www.edecision4u.com