Transcript Presentation Slides - network forensics | Lawful Interception

Technology and Method behind Cross-border
Fraud Investigation in Telecom and Internet
How to Combat Cyber Crime Effectively
Outlines
Fraud Crime Cases through Telecom and
Internet
Challenges
Trace Communication Route and Obtain
Related Data
Case Study of the Recent Investigation on
Cyber Crime
Conclusion
2
Fraud Crime Cases
through Telecom
and Internet
Nature of Cyber Crimes
3
Traditional
crime with the
cutting edge
technology
Hard to analyze
large volume of
complicated data
during
investigation
Crime
globalization
Emerging type of
fraud crime cases
through telecom and
Internet and its
associated features
Crime toward
seamless
processes
and delicate
organization
4
Traditional Crime with Cutting Edge Technology
Traditional Crime
Emerging type
of Crime
Advanced
Technology
With mobile, Internet, IP phone, mobile Internet access or other valueadded telecom services, swindlers commit more crimes easily; However,
by whatever advanced technology and tool they use, the nature of their
crimes always stays all the same. We still need to profile such crimes by
the analysis on conditions, mindset, and behavior of crime.
5
Crime Globalization
As applications and services of telecom technology and
Internet are developing rapidly and pervasively, people are
also familiar with those services. Fraud crimes through
telecom and Internet, which are just like contagious
diseases, may widespread globally by networks.
6
Globalized Crime Issue
Borderless Internet makes crime behavior more globalized. Through the Internet and
cloud computing, communication in swindler group can be enhanced and anonymous.
Because of limitation of state authority and anonymity, it is really hard for state
prosecutors and police to take investigation on the entire crime activities.
Thailand
Taiwan
Swindlers
North America
South Korea
China/HK
Vietnam
Japan
Cloud Computing = Network Computing
Through Internet, computers can cooperate with each
other, or services are available more far-reaching
7
Hard to analyze large volume of complicated data
There is often large volume of data or information (such as phone multiple
transfers) produced by telecom and Internet fraud crimes because of
converged IT network and telecom routes. In reality, such huge amount of
data is acquired from multiple service providers. Investigators must apply
multiple orders from court in advance to connect with data from those
service providers.
(for example: If there is phone transfer between 2 operators, investigator must request both to
provide CDR information and call content by 2 orders from court ahead of time, and integrate all
information for further analysis.)
Therefore, it is no way to cope with such telecom and Internet fraud crime
only by tradition way of comparing, claiming or tracing targets manually. It is
the best way for investigator to adopt several effective software tools to
analyze such huge amount of data.
8
Converged ICT Communication Routes
Internet D
Cross Border
Telecom
Network A
Telecom
Network
IT Network
Illegal ISP
Internet E
Fixed
Network B
Illegal DMT by
ISP
Mobile C
Illegal Transfer
Domestic
9
Crime toward seamless processes
and delicate organization
It is a nature trend that group crime
is toward seamless process and
delicate organization. There is very
clear hierarchy of role and
responsibility (R&R) for leader,
telecom engineer and service staff
in crime group. They never mix the
Swindler
use of phones for crime and private, Group
and adopt one-way contact in order
not to be cracked with whole group.
Such crime model can be easily
duplicated. Fraud crime group often
splits into small ones, forms new
gang, commits more crimes, and
exchanges information and new
techniques of fraud.
Telecom
Telecom
contact
Internet
Private
collection
Jump
board
Cash flow
Finance
ATM
Operation
New crime
R&D
Recruiting
Monitor
Police
10
Common Features
Converged ICT
technologies in daily
life and not far above
police head
Converged
ICT
Technologies
Faults can be tracked
from human behavior
Telephone
Criminals
(Group)
Faults by
human
Telephone as primary
communication during
crime commitment
Skillful at
all
services
Skillful at all Internet
and telecom services
but not familiar with
operations behind and
LI by police
11
Challenges
12
Hard to
Identify
Criminal
● By new technologies (like IP phones), it is
hard to intercept their calls with existing
equipment. We need professionals and
suppliers to find the way out
Hard to Track
Cross-border
Phone
● Looking for cross border cooperation or
other related clues if no cooperation
Hard to Find
Foreign Proxy or
Router as Jump
Board
● VPN, Foreign Proxy as Jump Board for
criminals may be hidden behind deeper in
Internet
13
Large Volume of
CDR, and Hard to
Take Analysis
Wrong CDR or
Missing Partial
Data
Hard to Track
Calls with
Dummy
Accounts
● Analyze data and find the key information
by text mining and data warehousing
● CDR is for billing management of ISP, and we
must find how it is happening and analyze the
reason
● Find source and links, and know the key
point by technical assistance and help from
ISPs
14
Trace Communication
Route and Obtain
Related Data
Methodology and Guidelines
of
Cyber Crime Investigation
15
Check Post
Deployment
Archive Look-up
Tenant Interview
Tracking
Lawful Intercept
Warrant & Confiscation
e-Positioning
The way of investigation on fraud crimes behind telecom and Internet is the same
with the one on traditional crimes. All the techniques are not for specific case,
but can be used flexibly by need.
16
Gap between Physical and Cyber Crimes
Physical Crimes
Clues
•Informers
•others
•Finance Record
•Interview（Video） Enforcement •human：apprehend arrest
•place：warrant, confiscate
•CDR, LI
Different sources dealt by police:
hard to get clue (don’t know how to
do it), and no way to trace!
Cyber Crimes
•Crime side
Sourcing （web or tool）
clues •non-Crime side
Evidence
collection &
investigation
Analysis &
highlight
（Social network）
•human：
•others
Evidence •IP tracking
apprehend,
collection &
excluded
Enforcement
•Finance
Record
arrest
（Useless） investigation • CDR, LI
•place：warrant,
•Lock
confiscate
activities
（by Account）
17
Quest for Investigation on Cyber Crimes
Tenant List
CDR
Car Plate
Car Meter
Record
Credit card、
Insurance
Resident
Information
Cable TV、
Broadband
Cross Check
Find Links
Internet googling
Relatives
Crime
Record
165 voice signature
Finance
Transaction
Co-prisoners
Shipping
List
Property Tax
Immigrant
Labor
Insurance
18
There is no difference between cyber crime and traditional crime in nature.
With the advantages of convenience, anonymity and mobility of telecom
and Internet, criminals are able to disguise their command center and
disrupt the direction of investigation. Lawful enforcement officers need to
make more effort in studying crime model and finding the way out to combat
criminals.
1、Set up dedicated
database for
information collection
and analysis
3、data
organization and
link analysis by
software
2、clear about
crime tool and
method, and
find the key
point
19
Process Flow for Investigation
Follow-up
Primary data
sourcing and
collection
Suspect arrest
and evidence
collect
Primary data
study and
further
collection &
sourcing
Further
Investigation
20
Primary data
sourcing and
collection
● A1 clue、informer、case claim、daily crime
information collection and integration,
sourcing
Primary data study
and further collection
& sourcing
● Study primary data, cross check databases
in Police Department, googling in Internet
and confirm crime type in order to prepare
investigation
Further
Investigation
Suspects arrest
and evidence
collection
Follow-up
● Phone record, check post、lawful intercept,
tracking, location positioning, knowledge of
crime organization and members
● Arrest all suspects, confiscate all evidence,
check all computers, telephone record,
booking record…etc.
● follow-up investigation on related targets &
evidence and hunting for clues from other
members to combat all gangsters
21






VoIP based Interception and data interception of
other 150 Internet services
Flexible implementation in multiple telecom
operators
Intercept all VoIP routes from different sources
simultaneously
Collect original pcap as well as reconstructed voice
data for evidence in court
Support all common VoIP protocols such as
G.711a-law, G,711µ-law, G.726, G.729, iLBC
Meet the requirement of state LI Law, ESTI
standards
22
LAN Internet Monitoring, Data Retention, Data Leakage Protection
& IP Network Forensics Analysis Solution
Solution for:





Route of Internet Monitoring/Network Behavior Recording
Auditing and Record Keeping
Forensics Analysis and Investigation,
Legal and Lawful Interception (LI)
VoIP Tactic Server & Mediation Platform
E-Detective Standard System Models and Series (Appliance based)
FX-06
FX-30N
FX-100
FX-120
Telco/ISP
Lawful Interception
Caller
Phone #
Date
& Time
IP Address
Callee
Phone #
Play back of reconstructed VoIP audio file using Media Player
Duration






Source IP Address
Telephone number of caller
Telephone number of receivers/victims
Date & time of calls
Duration of calls
Call content
26
Case Study of the
Recent Investigation
on Cyber Crimes
Lessons and Experience
27
Real Case on VOIP Investigation
Problem Here:
The most common tool by swindler
group is telephone. While arriving
the telecom room of criminal,
sometimes police can’t do anything
because they know nothing about
these equipments and can’t track
IP phone source from Internet.
28



Group and Billing Systems
Account information in SIP
Gateway or IP-PBX Servers
Detail CDR from SIP Gateway or
IP-PBX Servers
29
VOIP Tracking from Swindler Group –
Group and Billing System
Group System-Random to Call
Billing System-Call CDR
30
VOIP Gateway Investigation from Swindler groupTrack SIP Server
Server
IP
Account
Password
31
VOIP Tracking from Operator –
CDR of SIP Server
Callee ID and CDR of IP phone from ISP
Callee VOIP ID Caller Callee
Initial Time
Ans Time
VAD Srvc- Redial
End time
Interval
IP of VOIP ID
32
Key Points of Investigation
1) Aggressively hunting for intelligence
2) Don’t give up any follow-up opportunities，
and carefully analyze any useful information
3) Active Lawful Intercept：tap into suspected
lines, intercept phone number and IMEI,
phones in China, interview resident houses,
and clarify criminal organization, identity
and location
33
Experience
1) familiar with law and regulations, understand what the
target is and what the key evidence is. For example: find
Chinese victim information and testimony through
cooperation with Chinese Police after breaking cross-strait
swindler group in Taiwan. Otherwise, these criminal will
be non-prosecuted or non-guilty sentence by court.
2) Telecom equipment supplier, telecom shop, network
engineer, telecom engineer, telecom sales …network and
telecom professionals usually are aware of information
and location of suspects.
34
Experience
(continue…)
3) Understand calling flow, and accounts of swindler group
from operators side in order to find more background
information from CRM and billing systems
4) Active Lawful Intercept：Tap into suspected lines,
intercept phone numbers to China
5) Carefully Trail down： Prepare information (Time, place,
behavior) in advance, trail by segment (not to expose self),
identify criminal from different sides
6) Use confiscated computers for investigation to find more
strong evidence
35
Conclusion
Follow-up…
36
1) It is quite nature for criminal to use advanced ICT technologies.
Human is the key of every crime act. Although there may not be
fault in technology itself, human may make mistakes by using it.
Investigators are able to find the way out and combat these
criminals
2) Enhanced on-job technical training for police to promote
capability of investigation and understanding of criminal law
3) From viewpoint of investigation, more horizontal coordination
among all units in order not to waste resources. From tactical
viewpoint, more international, cross-strait cooperation to combat
cross-border swindler group
4) God will help those who work hard for justice
37
Q&A
38