Lawful Interception & Packet Forensics Analysis System
Casper Kan Chang, Decision Group, June 2010

IP Packet Capture Way

There are three ways to capture IP packets, depending on the application and on industry standards:
● Packets captured from the IP network: for IP network infrastructure in enterprises, ISPs, IDCs and LTE/WiMAX operators
● IP packets from a Telco switch:
  1. Traditional switch, through a mediation platform
  2. For IMS and all-IP networks, IP packets can be captured through the service broker of the application layer, or directly from the IP core switch of the media and end-point layer of the IMS system
  3. From cable TV

IP Packet Capture Way – Sniffer

All data packets on Ethernet are broadcast in the network, i.e., all physical signals flow to the network interface card of the appliance. The NIC can be put into promiscuous mode, so it receives every frame regardless of the destination MAC address. This is the basis of sniffing. On a switched network the appliance is fed a copy of the traffic by port mirroring (the mirror-mode deployment below).

Enterprise, ISP, IDC, LTE/WiMAX: E-Detective Lawful Interception

Can it obtain that evidence? For example, for email:
● Sender email address, receiver email address
● Time and date
● Content
● Location
● ... and more

Sample: Email (POP3, SMTP and IMAP)
Sample: IM – Yahoo, MSN, ICQ, IRC, QQ, GTalk etc.

What Lawful Interception Needs Now
● Network packet capture and reconstruction
● VoIP
● Off-line
● Ethernet
● HTTPS/SSL
● Wireless 802.11a/b/g/n
● Training & support

E-Detective – Mirror Mode Implementation
Organization or corporate network deployment.

Wireless-Detective – Implementation Diagram (1)
Wireless-Detective standalone system: captures WLAN packets transmitted over the air at ranges up to 100 meters or more (using an enhanced system with a high-gain antenna).

WLAN Lawful Interception – Standalone Architecture
Wireless-Detective deployment: capture a single channel, a single AP or a single STA.

Wireless-Detective – WPA-PSK Cracking Solution
● WPA handshake packets need to be captured for cracking the WPA key.
● Utilize a single server or distributed servers (multiple smart password-list attacks simultaneously) to crack the WPA key.
● Acceleration technology: GPU acceleration
Note: WPA handshake packets can be captured by a standalone Wireless-Detective system or by distributed Wireless-Detective systems.

EDDC Offline Forensics Product
Offline raw data (PCAP) decoding and reconstruction system. Comes with user and case management features.
Diagram: Investigator 1 collects and imports raw data for Case 1 and receives the Case 1 results; Investigator 2 does the same for Case 2. The system decodes and reconstructs various Internet protocols.

HTTPS/SSL MITM Interception System
● Intercept and reconstruct HTTPS/SSL traffic.
● Obtain HTTPS page login username and password.
● Intercept on specific targets (suspects).

Software Architecture

More than 140 Internet Protocols Supported
● Email, Webmail
● IM/Chat (Yahoo, MSN, ICQ, QQ, IRC, Google Talk etc.)
● HTTP (link, content, reconstruction, upload/download)
● File transfer: FTP, P2P
● VoIP
● Others: online games, Telnet etc.

Data Captured through Traditional Telco Switch
Signals are captured from the LI port of the soft switch/TDM according to the ETSI/CALEA standard. They pass through the mediation platform, which converts the data and delivers it over the Handover Interface (HI) before it reaches EDDC for further packet analysis.
Diagram elements: mediation gateway server (HI-1 provisioning, HI-2 IRI, HI-3 content; INI-3 call content from the SBC/TDM), analysis (EDDC), control information, router/IAD and edge routers on the Telco side and on the LEA side, RTP stream between the target and the other user.

Data Packet Captured through Telco IP Switch
Directly capture IP data packets from either the application or the media layer of IMS/all-IP networks, so it is not necessary to pass through a mediation platform. It is predicted that this will be the future trend for all Telco operators.
Diagram elements: E-Detective at the application layer (SGIM) and session layer, E-Detective at the media layer (CMS core switch), EDDC analysis on the LEA side, router/IAD and edge routers on the Telco side, target and user.

Data Packet Captured through Cable TV
Diagram elements: mediation, telephone user loop, Internet, CMTS, E-Detective, analog fiber optic (50~1000 MHz and 5~42 MHz bands), fiber optic node, NIU, cable modem (CM), STB, TV, computer, cable TV broadcasting.

Technology Transfer Program
• To help ETRI enhance its capability in LI application research
• Target: E-Detective, Wireless-Detective
• Scope: source code, on-site training, on-site assistance for software development
• Reasonable fee

Contact Information
Casper Chang Kan / CEO: chang_kan@decision.com.tw
Ted Chao / Product Manager: ted@decision.com.tw
Address: 4/F No. 31, Alley 4, Lane 36, Sec. 5, Ming-Shan East Road, Taipei, Taiwan, R.O.C.
Phone No.: +886 2 2766 5753
Fax No.: +886 2 2766 5702
URL: www.edecision4u.com
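The email evidence fields listed earlier (sender, recipient, time and date) come out of the kind of offline PCAP decoding and reconstruction the EDDC slide describes. As an added illustration, not Decision Group's code, the Python below parses a constructed pcap capture, reassembles a client-to-server SMTP stream by TCP sequence number and extracts the envelope sender and recipients; the addresses, IPs and timestamps are made up.

```python
import struct
from collections import defaultdict

def _pcap_frame(payload, ts, seq, src_port=40000, dst_port=25):
    """Build one pcap record: Ethernet II + IPv4 + TCP header around payload (constructed)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 25]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame

# Constructed sample capture: one SMTP envelope split across two TCP segments,
# recorded out of order so that the reassembly step below actually matters.
PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAP = (PCAP_HEADER
               + _pcap_frame(b"ob@example.test>\r\nDATA\r\n", 1275350401, seq=43)
               + _pcap_frame(b"MAIL FROM:<alice@example.test>\r\nRCPT TO:<b", 1275350400, seq=1))

def parse_pcap(data):
    """Yield (ts, src, dst, sport, dport, seq, payload) for each IPv4/TCP frame."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                     # skip the pcap global header
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                             # IPv4 over Ethernet carrying TCP only
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + ip_total]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        doff = (tcp[12] >> 4) * 4
        yield ts, src, dst, sport, dport, seq, tcp[doff:]

def _envelope(lines, verb):
    """Addresses from every 'MAIL FROM:' / 'RCPT TO:' line, angle brackets stripped."""
    return [l.split(":", 1)[1].strip(" <>") for l in lines if l.upper().startswith(verb)]

def reconstruct_smtp(data):
    """Reassemble client->server SMTP streams by sequence number and extract the envelope."""
    streams = defaultdict(list)
    for ts, src, dst, sport, dport, seq, payload in parse_pcap(data):
        if dport == 25 and payload:
            streams[(src, sport, dst)].append((seq, ts, payload))
    results = []
    for (src, sport, dst), segs in streams.items():
        segs.sort()                              # TCP order, not capture order
        lines = b"".join(p for _, _, p in segs).decode("ascii", "replace").splitlines()
        results.append({"src": src, "dst": dst, "first_ts": min(t for _, t, _ in segs),
                        "from": _envelope(lines, "MAIL FROM:"), "to": _envelope(lines, "RCPT TO:")})
    return results
```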