E-Detective Forensic Analysis Tool

E-Detective
Series of Products
Decision Computer Group of Company
Website: www.edecision4u.com
Email: frankie@decision.com.tw;
DECISION-COMPUTER INTERNATIONAL CO., LTD
Agenda
• Introduction to E-Detective Series of Products
• E-Detective
• Wireless-Detective
• E-Detective Decoding Center (EDDC/XDDC)
• HTTPS/SSL Network Forensics Device
• WatchGuard.WLAN
• VOIP Interception
• Uniqueness of Decision Computer Group
• References
• Others Offering
E-Detective (LAN Internet Monitoring/Interception System)
E-Detective
Solution for:
• Organization Internet Monitoring/Network Behavior Recording
• Auditing and Record Keeping
• Forensics Analysis and Investigation
• Legal and Lawful Interception (LI)
• Others
Compliance Solution for: Sarbanes Oxley Act (SOX), HIPAA, GLBA, SEC, NASD, E-Discovery etc.
E-Detective Architecture/Work Flow (diagram)
E-Detective Standard System Models and Series: FX-06, FX-30, FX-100, FX-120
E-Detective Implementation Diagram (1)
Organization Internet Monitoring and Interception System (diagram)
E-Detective Implementation Diagram (2)
Telco and ISP Internet Lawful Interception (LI) Solution (diagram)
• Real-Time/Online Decoding and Reconstruction
• Offline Decoding and Reconstruction
Nationwide Internet Monitoring for Protecting National Security
Decoding and Reconstruction – Protocols Supported
1. Email: POP3, SMTP, IMAP
2. Webmail (Read and Sent): Yahoo Mail (Standard and Beta/2.0), Windows Live Hotmail, Gmail, Giga Mail etc.
3. IM/Chat: Windows Live Messenger-MSN, Yahoo, ICQ, AOL, QQ, Google Talk, IRC, UT Chat Room, Skype call session/duration
4. File Transfer – FTP
5. File Transfer – P2P: BitTorrent, eMule/eDonkey, Gnutella, Fasttrack
6. HTTP: Link, Content, Reconstruct, Upload/Download, Video Stream
7. Online Game: Maplestory, RO, Kartrider, FairyLand, Hero, WonderLand etc.
8. Telnet/BBS
9. VOIP: Yahoo Messenger – reconstructed back to GIPS format
10. Webcam: Yahoo and MSN Messenger
E-Detective – Homepage – Dashboard with Reports (screenshot)
E-Detective – Sample Email – POP3/SMTP/IMAP (screenshot)
E-Detective – Sample Web Mail (Read) (screenshot)
Webmail: Yahoo Mail, Gmail, Windows Live Hotmail, Giga Mail, Hinet etc.
E-Detective – Sample Web Mail (Sent) (screenshot)
Webmail: Yahoo Mail, Gmail, Windows Live Hotmail, Giga Mail, Hinet etc.
E-Detective – Sample IM/Chat – MSN, Yahoo etc. (screenshot)
E-Detective – Sample File Transfer – FTP (screenshot)
E-Detective – Sample File Transfer – P2P (screenshot)
P2P Protocols: BitTorrent, eDonkey/eMule, Fasttrack etc.
E-Detective – Sample HTTP – Link/Content/Reconstruct (screenshot)
The Whois function provides the actual IP address of the URL link.
HTTP web page content can be reconstructed.
E-Detective – Sample HTTP Video Stream (screenshot)
Playback of Video File
Video Stream (FLV format): Youtube, Google Video, Metacafe.
E-Detective – Sample TELNET (screenshot)
Playback of Telnet Session
E-Detective – Authority Assignment
Authority – Visibility and Operation in Group (user defined)
• Authority – Visibility
• Authority – Operation
• Authority – Groups with Users
E-Detective – Backup – Auto-FTP/Manual
• Auto-FTP Backup
• Manual Backup: download ISO or burn to CD/DVD
Reserved raw data files and backups of reconstructed data come with a hashed export function.
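To show what a hashed export buys the investigator, here is an added example (not E-Detective's own code) that writes a SHA-256 manifest over an export directory of raw and reconstructed files and later verifies it, reporting files that were modified, removed or added after export; the manifest file name and the sample files are assumptions constructed for the demo.

```python
"""Hashed export manifest for backed-up raw and reconstructed data (added example,
not E-Detective's code): write a SHA-256 manifest at export time, verify it later."""
import hashlib
import os
import tempfile

MANIFEST = "MANIFEST.sha256"  # assumed file name, not taken from the product

def sha256_file(path, chunk=1 << 20):
    # Stream the file so large raw capture files need not fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(export_dir):
    """Relative path -> SHA-256 for every file below export_dir."""
    manifest = {}
    for root, _, files in os.walk(export_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, export_dir)] = sha256_file(full)
    return manifest

def write_manifest(export_dir):
    """Write sha256sum-style 'digest  path' lines next to the exported data."""
    manifest = build_manifest(export_dir)
    with open(os.path.join(export_dir, MANIFEST), "w") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")
    return manifest

def verify_export(export_dir):
    """Return {'modified','missing','extra'} lists; all empty means the export is intact."""
    expected = {}
    with open(os.path.join(export_dir, MANIFEST)) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            expected[rel] = digest
    actual = build_manifest(export_dir)
    actual.pop(MANIFEST, None)  # the manifest does not list itself
    return {
        "modified": sorted(r for r in expected if r in actual and actual[r] != expected[r]),
        "missing": sorted(r for r in expected if r not in actual),
        "extra": sorted(r for r in actual if r not in expected),
    }

def demo():
    """Constructed export of two sample files; one is altered after the manifest is written."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "raw"))
    with open(os.path.join(d, "raw", "capture-0001.pcap"), "wb") as f:
        f.write(b"\xd4\xc3\xb2\xa1constructed pcap payload")
    with open(os.path.join(d, "email-001.eml"), "w") as f:
        f.write("Subject: constructed sample\n")
    write_manifest(d)
    intact = verify_export(d)
    with open(os.path.join(d, "email-001.eml"), "a") as f:
        f.write("line appended after export\n")
    return intact, verify_export(d)
```

The manifest itself should be stored or signed separately from the export media, otherwise whoever alters a file can also rewrite its digest.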
E-Detective – Online IP List with IP/Account Report (screenshot)
E-Detective – Alert – Alert with Content
Alerts are configured per service category and by parameters such as keyword, account, IP etc.
Alerts can be sent to the Administrator by Email, or by SMS if an SMS Gateway is available.
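The kind of rule evaluation the slide describes (per service category, keyed on keyword, account or source IP), as an added example that is not E-Detective's code; the session records, rule names and the notification text are constructed for the demo.

```python
"""Keyword/account/IP alert rules over reconstructed session records (added example,
not E-Detective's code): the rule types the slide lists, run over constructed data."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample of reconstructed sessions; not real captured traffic.
SESSIONS = [
    {"service": "email", "account": "alice@example.test", "src_ip": "10.0.5.20",
     "content": "Quarterly results attached, do not forward"},
    {"service": "im", "account": "bob77", "src_ip": "10.0.5.21",
     "content": "meet at 6, bring the usb stick"},
    {"service": "http", "account": "", "src_ip": "10.0.9.4",
     "content": "GET /files/payroll.xlsx"},
]

@dataclass
class AlertRule:
    name: str
    services: set                                 # service categories the rule covers
    keywords: set = field(default_factory=set)    # case-insensitive substrings
    accounts: set = field(default_factory=set)    # exact account names
    networks: list = field(default_factory=list)  # ipaddress networks for src_ip

    def matches(self, rec):
        """A rule fires only if every configured parameter matches the record."""
        if rec["service"] not in self.services:
            return False
        text = rec["content"].lower()
        if self.keywords and not any(k in text for k in self.keywords):
            return False
        if self.accounts and rec["account"] not in self.accounts:
            return False
        if self.networks and not any(
                ipaddress.ip_address(rec["src_ip"]) in n for n in self.networks):
            return False
        return True

RULES = [  # constructed rules
    AlertRule("sensitive-doc-over-http", {"http"}, keywords={"payroll", "salary"}),
    AlertRule("watched-account-im", {"im", "email"}, accounts={"bob77"}),
    AlertRule("finance-subnet-keyword", {"email"}, keywords={"do not forward"},
              networks=[ipaddress.ip_network("10.0.5.0/24")]),
]

def evaluate(records, rules=RULES):
    """Return (rule name, account, src_ip) for every record/rule match, in input order."""
    return [(rule.name, rec["account"], rec["src_ip"])
            for rec in records for rule in rules if rule.matches(rec)]

def format_notification(hit):
    """Body of the Email/SMS message the slide mentions; the SMS gateway is assumed."""
    name, account, ip = hit
    return f"[E-Detective alert] {name}: account={account or '-'} ip={ip}"
```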
E-Detective – Search
Search – Free Text Search, Conditional Search, Similar Search and Association Search (screenshots)
Wireless-Detective (WLAN/802.11a/b/g Interception System)
Wireless-Detective - Introduction
Wireless-Detective System – WLAN Analytics/Forensics/Legal Interception System
Smallest and most complete WLAN Interception System in the World!
• Scans all WLAN 802.11a/b/g 2.4 and 5.0 GHz channels for AP and STA
• Captures/sniffs WLAN 802.11a/b/g packets
• Decrypts WEP key (WPA Optional Module)
• Decodes and reconstructs WLAN packets
• Stores data in raw and reconstructed content
• Displays reconstructed content in Web GUI
• Hashed export and archive
All in One System!
Important tool for intelligence agencies such as Police, Military, Forensics, Legal and Lawful Interception Agencies.
Wireless-Detective – Implementation Diagram (1)
Wireless-Detective Standalone System - Captures WLAN packets transmitted over the air ranging up to 100 meters or more (by using Enhanced System with High Gain Antenna).
WLAN Interception – Standalone Architecture Deployment (diagram): capture a single channel, a single AP or a single STA.
Wireless-Detective – Implementation Diagram (2)
Wireless-Detective Extreme System - Utilizing multiple/distributed Wireless-Detective systems (Master – Slave) to conduct simultaneous capture, forbidding and location estimation functions.
WLAN Interception – Distributed Architecture Deployment (diagram): utilizing a minimum of 2 systems (Master & Slaves) for simultaneous capturing/forbidding functions; capture a single channel, a single AP or a single STA.
Note: For capturing multiple channels, each Wireless-Detective (WD) can be reconfigured to act as a standalone system. For example, deploy 4 WD systems with each capturing on one single channel.
Wireless-Detective – Implementation Diagram (3)
Wireless-Detective Standalone Systems Multiple Channels Capturing - Utilizing more than 1 Wireless-Detective to capture different channels.
WLAN Interception – Standalone – Multiple Channels Capturing (diagram): single WD for single channel capturing; multiple WD for multiple channel capturing.
Note: The advantage of having multiple WD systems is the flexibility to deploy a distributed architecture (for capturing a single channel/target) or to split them into standalone system deployments for multiple channels capturing.
Wireless-Detective – AP/STA Information – Capture Mode (screenshot)
Displays information on wireless devices (AP/STA) in the surrounding area.
Wireless-Detective – AP/STA Information – Forbidder Mode (screenshot)
Displays information on wireless devices (AP/STA) in the surrounding area.
Wireless-Detective – Forbidder Mode Implementation
WLAN Jammer/Forbidder Implementation (diagram)
1. Forbid connectivity of STA
2. Forbid connectivity of AP
Cracking/Decryption of WEP/WPA Key (1)
WEP Key Cracking/Decryption can be done by the Wireless-Detective System!
Auto Cracking (system default) or Manual Cracking
1) WEP Key Cracking/Decryption (64, 128, 256 bit key):
Proactive Crack and Passive Crack
• Proactive/Active Crack – by utilizing ARP Injection
• Passive Crack – silently collecting Wireless LAN packets
• 64-bit key – 10 HEX (100-300MB raw data / 100K-300K IVs collected)
• 128-bit key – 26 HEX (150-500MB raw data / 150K-500K IVs collected)
2) WPA Key Cracking/Decryption (Optional Module Available):
WPA-PSK cracking is an optional module. By using an external server with Smart Password List and GPU acceleration technology, the WPA-PSK key can be recovered/cracked.
Notes:
The time taken to decrypt the WEP key in passive mode depends on the amount of network activity.
The time to crack a WPA-PSK key depends on the length and complexity of the key. Besides, it is compulsory to have the WPA-PSK handshake packets captured.
Cracking/Decryption of WEP Key (2)
Automatic: system auto cracks/decrypts the WEP key (default)
Manual: capture raw data and crack/decrypt the WEP key manually (screenshot: Cracking Manually)
Cracking/Decryption of WEP Key (3)
WEP Key Cracked! (screenshot)
Wireless-Detective – WPA Cracking Solution
WPA-PSK Cracking Solution (diagram)
• WPA Handshake packets need to be captured for cracking the WPA key.
• Utilize a Single Server or Distributed Servers (multiple smart password list attacks simultaneously) to crack the WPA key.
• Acceleration technology: GPU Acceleration
Note: WPA handshake packets can be captured by a Standalone Wireless-Detective system or Distributed Wireless-Detective systems.
Cracking/Decryption of WPA-PSK Key
WPA/WPA2-PSK cracking module is optional (dedicated server).
Application: Utilizing Smart Password List attack and GPU technology (Graphic Cards) to recover or crack the WPA/WPA2-PSK Key.
Supported WPA: WPA-PSK (TKIP) and WPA2-PSK (AES).
Speed: up to 30 times faster than a normal CPU.
GPU supported: NVIDIA and ATI
Decoding and Reconstruction – Protocols supported
Wireless-Detective decodes and reconstructs the same protocols listed for E-Detective above (Email, Webmail, IM/Chat, File Transfer FTP and P2P, HTTP, Online Game, Telnet/BBS, VOIP, Webcam).
Wireless-Detective GUI – Sample Email – POP3 (screenshot)
Fields: Date/Time, From, To, CC, Subject, Account, Password
Wireless-Detective GUI – Sample Web Mail (Read) (screenshot)
Fields: Date/Time, Content, Web Mail Type
Wireless-Detective – Sample Web Mail (Sent) (screenshot)
Fields: Date/Time, From, To, CC, BCC, Subject, Webmail Type
Wireless-Detective – Sample IM/Chat – MSN (screenshot)
Fields: Date/Time, User Handle, Participant, Conversation, Count
Wireless-Detective – Sample IM/Chat – Yahoo (screenshot)
Fields: Date/Time, Screen Name, Participant, Conversation, Count
Including VOIP and Webcam session reconstruction and playback
Wireless-Detective – Sample File Transfer – FTP (screenshot)
Fields: Date/Time, Account, Password, Action, FTP Server IP, File Name
Wireless-Detective – Sample Peer to Peer – P2P (screenshot)
Fields: Date/Time, Port, Peer Port, Tool, File Name, Action, Hash
Wireless-Detective – Sample Telnet (screenshot)
Fields: Date/Time, Account, Password, Server IP, File Name
Playback of TELNET Session
Wireless-Detective – Sample HTTP – Link/Content/Reconstruct (screenshot)
Fields: Date/Time, URL
Reconstructed Web Pages
Wireless-Detective – Sample HTTP – Upload/Download (screenshot)
Fields: Date/Time, Action, File Name, HTTP Download/Upload URL, Size
Wireless-Detective – Sample Online Games (screenshot)
Fields: Date/Time, MAC Address, Port, Peer Port, Game Name
Wireless-Detective – Search – Conditional/Free Text (screenshots)
• Search by Parameters/Conditions
• Free Text Search
Wireless-Detective – Alert and Notification by Condition (screenshot)
Alert Administrator by Parameters/Conditions
Wireless-Detective – Wireless Equipment Locator
Utilizes Wireless Sensors and Triangulation Training Methods to estimate the location of the targeted Wireless Devices.
1 WD Master system + min. 3 WD Slave systems (sensors)
Note: WatchGuard.WLAN can be used in place of WD slave systems for this Wireless Equipment Locator function.
Wireless-Detective - Advantages/Benefits
• Smallest, portable, mobile and light weight WLAN legal interception system. This allows easy tracking and capturing of a suspect’s Internet activities, especially when the suspect moves from one place to another. The suspect won’t notice WD’s existence as it looks like a normal laptop.
• Detects unauthorized WLAN access/intruders (IDS).
• Provides detailed information on APs, Wireless Routers and Wireless Stations (such as channel, Mbps, security (encryption), IP, signal strength, manufacturer, MAC).
• Provides capturing of WLAN packets from a single channel, AP, STA or multiple channels by deploying distributed/multiple systems. That also means flexibility and scalability of the deployment solution.
• Provides decryption of Wireless key, WEP key (WPA cracking is an optional module).
• Provides decoding and reconstruction of different Internet services/protocols on the fly; reconstructed data is displayed in original content format on the local system Web GUI.
• Supports reserving of raw data captured (for further analysis if required) and archiving of reconstructed data with hashed export functions.
• Supports condition/parameter search and free text search.
• Supports alert by condition/parameter.
• Provides Wireless forbidding/jamming function.
• Provides Wireless Equipment Locator function.
The All-in-One Portable WLAN Interception System
E-Detective Decoding Centre (EDDC/XDDC)
EDDC/XDDC
• EDDC/XDDC is a Unix/Linux based system specially designed for offline raw data file reconstruction.
• It allows the Administrator to create different projects/cases for different users/investigators (with different levels of authority) to conduct Internet raw data parsing and forensics analysis tasks on the system.
• The system is able to reconstruct Internet applications/services like Email (POP3, SMTP, IMAP), Webmail (Yahoo Mail, Gmail, Hotmail etc.), IM (Yahoo, MSN, ICQ, QQ, UT, IRC, Google Talk, Skype Voice Call Log), File Transfer (FTP, P2P), HTTP (Link, Content, Reconstruct, Upload/Download, Video Stream), Telnet, Online Games, VoIP (Yahoo), Webcam (Yahoo, MSN).
User/Case Management – Offline Internet Raw Data Parser/Reconstruction – Search Function – Export/Backup
EDDC – Standard Offline Reconstruction System
XDDC – Offline Reconstruction with Layer 7 Analytics – NEW!
EDDC/XDDC Implementation (1) (diagram)
Offline Raw Data Decoding and Reconstruction system. Comes with User and Case Management functions.
EDDC/XDDC Implementation (2) (diagram)
Offline Raw Data Decoding and Reconstruction system. Comes with User and Case Management functions.
Diagram: Investigator 1 works on Case 1 raw data and produces Case 1 Results; Investigator 2 works on Case 2 raw data and produces Case 2 Results.
E-Detective VOIP Forensics Intelligence System
VOIP Forensic Intelligence System
VOIP Protocols supported:
• SIP (the most common VOIP protocol used worldwide)
• H.323
Audio CODECs supported:
Voice call (VOIP) sessions can be captured, recorded (in “wav” file format) and played back with a popular voice media player. Currently available and supported Audio CODECs developed by Decision include:
- G.729
- G.711 a-law and G.711 u-law
- G.723
- G.726
- iLBC
Architectures (diagram): Point to Point Communication; SIP Server Architecture; Relay
Sample information retrievable: Date/Time, Caller No., Called No., Duration, Caller Gateway (IP), Called Gateway (IP), Caller Port, Called Port, Conversation, Protocol, Audio Codec, Session
HTTPS/SSL Network Forensics Device
HTTPS/SSL Interceptor
• Capable of decrypting HTTPS traffic.
• Two modes of operation:
1. Man in the Middle Attack (MITM); and
2. Offline Method (decrypting HTTPS raw data with the Private Key available)
• Usernames and passwords (login) can be captured by the HTTPS/SSL Device. For instance, Google/Gmail login, Hotmail login, Yahoo Mail login, Amazon login etc.
To view encrypted content, a key is needed.
WatchGuard.WLAN
WatchGuard.WLAN
• WLAN – IEEE 802.11a/b/g Intrusion Detection System (IDS), WLAN Defender and Jammer System.
• WatchGuard.WLAN provides a WLAN communication diagnosis function. It can detect unauthorized WLAN communication from an access point (AP) or wireless station (STA) within the coverage area. It can then forbid the unauthorized connection. A warning/notification Email/message can be sent to the network administrator.
• To prevent/forbid the unauthorized WLAN connections, the system can pretend to be the station to inform the AP to stop the communication. Besides, noise signal emission to the station and/or AP is another method to prevent/deter wireless communication.
To protect from outside attack and prevent inside leakage!
Application Diagram - WatchGuard.WLAN (diagram)
Uniqueness of Decision Computer Group
• Designer, Architect and Manufacturer for a variety of Network Security, Content Forensics and Internet Interception Solutions.
• We provide OEM and ODM services where we accept customization requirements from customers.
Series of Products Offering:
• E-Detective (Ethernet LAN and Telco/ISP Lawful Interception System)
• Wireless-Detective (WLAN Lawful Interception System)
• EDDC/XDDC (Offline Internet Decoding and Reconstruction System)
• HTTPS/SSL Interceptor (HTTPS/SSL Decryption System – using MITM attack)
• VOIP Forensics Intelligence (VOIP Interception System)
• WatchGuard.WLAN (WLAN Forbidding, Jamming and Defense tool)
• NuBlock (Write Protection Toolkit)
• Industrial I/O Card Series
Decision Computer Group - Reference Customers
• Criminal Investigation Bureau TW
• The Bureau of Investigation, Ministry of Justice TW
• National Security Agency (Bureau) in various countries
• Intelligence Agency in various countries
• Ministry of Defense in various countries
• National Police, Royal Police in various countries
• Government Ministries in various countries
• Federal Investigation Bureau in various countries
• Telco/Internet Service Provider in various countries
• Banking and Finance organizations in various countries
Note: Due to the confidentiality of this information, the exact names and countries of the various organizations cannot be revealed.