Transcript e-detective - Network Forensics | Lawful Interception

E-Detective
Series of Products Presentation (2009)
by Frankie Chan
Decision Group
www.edecision4u.com
Presentation Content - Agenda
E-Detective – LAN Interception & Monitoring
Wireless-Detective – WLAN Interception & Monitoring
E-Detective Decoding Centre – Offline Reconstruction
HTTPS/SSL Interceptor – Decrypt HTTPS Traffic
VoIP-Detective
1. Introduction to E-Detective
LAN Internet Monitoring, Data and Record Keeping &
Network Content Forensics Analysis Solution
Solution for:
 Organization Internet Monitoring/Network Behavior Recording
 Auditing and Record Keeping for Banking and Finance Industry
 Forensics Analysis and Investigation,
 Legal and Lawful Interception (LI)
Compliance Solution for:
Sarbanes Oxley Act (SOX), HIPAA, GLBA, SEC, NASD, E-Discovery etc.
E-Detective Standard System Models and Series (Appliance based)
User can also opt to purchase software license only from us and use their own hardware/server.
FX-06
FX-30
FX-100
FX-120
E-Detective Architecture
1010101010
10100101010
Using port-mirroring or
SPAN port
Capture
Packets
Display
Reports
Store
Save
Archive
1010101010
1001100111
1011011101
1100011011
Reassemble
& Decode
E-Detective
Architecture
Reconstruct
Email
Back to Actual
Webmail
Content
IM/Chat
HTTP
File Transfer
Telnet
E-Detective Implementation Mode (1)
Organization or Corporate
Network Deployment
E-Detective Implementation Mode (2)
Telco/ISP
Lawful Interception
E-Detective Sample Screenshots - Reports
Homepage – Top-Down Drill to Details Reporting
E-Detective Internet Protocols Supported
Email
Webmail
IM/Chat
(Yahoo,
MSN, ICQ,
QQ, IRC,
Google Talk
Others
Etc.)
Online Games
Telnet etc.
HTTP
(Link, Content,
Reconstruct,
Upload
Download)
File Transfer
FTP, P2P
Sample: Email (POP3, SMTP, IMAP)
Sample: Webmail (Read/Sent) – Y! Mail, Gmail etc.
Webmail Type: Yahoo Mail, Gmail, Windows Live Hotmail, Giga Mail and others
Sample: Instant Messaging -Yahoo, MSN, ICQ etc.
Sample: File Transfer – FTP Upload/Download
Sample: File Transfer – P2P File Sharing
Supports P2P such as Bittorent, eMule/eDonkey, Fasttrack, Gnutella
Sample: HTTP (Link, Content and Reconstruction)
Whois function
provides you the
actual URL Link IP
Address
HTTP Web Page content can be reconstructed
Sample: HTTP Upload/Download
Sample: HTTP Video Streaming
Playback of Video File
Video Stream (FLV format): Youtube, Google Video, Metacafe.
Sample: Telnet (with Play Back)
Admin: System Access Authority Assignment
Authority – Visibility and Operation in Group (with User defined)
Authority - Visibility
Authority - Operation
Authority
Groups with
Users
Export & Backup – Auto (by FTP) and Manual
Auto (with FTP) Backup
Manual Backup
Download ISO or Burn in to CD/DVD
Reserved Raw Data Files and
Backup Reconstructed Data Comes
with Hashed Export Function
Alert and Notification – Alert with Content
Alert configured from
different service
categories and
different parameters
such as key word,
account, IP etc.
Alert can be sent to
Administrator by Email
or SMS if SMS
Gateway is available.
Throughput alert function also available!
Search – Free Text, Condition, Association
Complete Search – Free Text Search, Conditional Search, Similar Search
and Association Search
Conditional
Search
Free Text Search
Association
Search
File Checksum (Hash) – Check File Content Integrity
Shows the file lists and user can import files to check and compare with the files that
has been captured by the system.
Compare file content integrity. Abuser might have changed file name and send out
the file to competitor.
Bookmark (for Review Next Time)
Bookmark items and allow the review of the items.
Bookmark items can also be exported.
Reporting – Network Service Usage - Daily
Drill Down Reporting Capabilities
Reporting – Network Service Usage - Weekly
Drill Down Reporting Capabilities
Reporting – Top Websites Viewed (Users)
Reporting – Daily Excel Log Report
Manually or Automatically
Generate Daily Log Report
In Excel File Format.
2. Introduction to Wireless-Detective System
Wireless-Detective System
WLAN Analytics/Forensics/Legal and Lawful Interception System
• Scan all WLAN 802.11a/b/g/n 2.4 and 5.0 GHz
The Smallest, Mobile,
Portable and most Complete
WLAN
Lawful Interception System
in the World!
channels for AP and STA.
• Captures/sniffs WLAN 802.11a/b/g/n packets.
• Real-time decryption of WEP key (WPA Optional
Module)
• Real-time decoding and reconstruction of WLAN
packets
• Stores data in raw and reconstructed content
• Displays reconstructed content in Web GUI
• Hashed export and backup
All in One System!
Important Tool for Intelligent Agencies such as Police,
Military, Forensics, Legal and Lawful Interception
Agencies.
Notes: Pictures and logo are property of designated source or manufacturer
Wireless-Detective – Implementation (1)
Wireless-Detective Standalone System - Captures WLAN
packets transmitted over the air ranging up to 100 meters or
more (by using enhanced system with High Gain Antenna)
WLAN Lawful Interception – Standalone Architecture
Wireless-Detective Deployment
(Capture a single channel, a single AP or a single STA)
Wireless-Detective – Implementation (2)
Wireless-Detective Extreme Implementation
Utilizing multiple/distributed Wireless-Detective systems (Master – Slave)
to conduct simultaneous capture, forbidding and location estimation
functions.
WLAN Lawful Interception
Distributed Architecture
Wireless-Detective
Deployment
(Utilizing min. of 2 systems for
simultaneous (Master & Slaves)
capturing/forbidding functions.
Capture a single channel, a single
AP or a single STA)
Notes: For capturing multiple channels, each Wireless-Detective (WD) can reconfigure/act as standalone
system. For example: Deploy 4 WD systems with each capturing on one single channel.
AP & STA Information – Capture Mode
Displaying information of Wireless Devices (AP) in surrounding area.
Obtainable
Information:
MAC of Wireless
AP/Router, Channel,
Mbps, Key, Signal
Strength, Beacons,
Packets, SSID,
Number of Stations
Connected.
Cracking/Decryption of WEP and WPA Key
WEP Key Cracking/Decryption can be done by Wireless-Detective System!
Auto Cracking (System Default) or Manual Cracking
1) WEP Key Cracking/Decryption:-- (64, 128, 256 bit key)
Active Crack – By utilizing ARP packet injection (possibly 5-20 minutes)
Passive Crack – Silently collect Wireless LAN packets
64-bit key – 10 HEX (100-300MB raw data /100K-300K IVs collected)
128-bit key – 26 HEX (150-500MB raw data /150K-500K IVs collected)
2) WPA-PSK Key Cracking/Decryption:-- (Optional Module Available)
WPA-PSK cracking is an optional module. By using external server with
Smart Password List and GPU Acceleration Technology, WPA-PSK key
can be recovered/cracked.
Notes:
The time taken to decrypt the WEP key by passive mode depends on amount network activity.
The time to crack WPA-PSK key depends on the length and complexity of the key. Besides, it is
compulsory to have the WPA-PSK handshakes packets captured.
 Cracking/Decryption of WEP Key
Automatic: System auto crack/decrypt WEP key (default)
Manual: Capture raw data and crack/decrypt WEP key manually
Automatic Cracking
Key Obtained
Wireless-Detective- Internet Protocols Supported
Email
Webmail
IM/Chat
(Yahoo,
MSN, ICQ,
QQ, IRC,
Google Talk
Others
Etc.)
Online Games
Telnet etc.
HTTP
(Link, Content,
Reconstruct,
Upload
Download)
File Transfer
FTP, P2P
Wireless-Detective – Unique Advantages/Benefits
 Smallest, portable, mobile and light weight WLAN legal interception system. This allows
easy tracking and capturing of suspect’s Internet activities especially suspect moves from
one place to another. Suspect won’t notice WD existence as it looks like normal laptop.
 Detects unauthorized WLAN access/intruders (IDS).
 Provides detailed information of AP, Wireless Routers and Wireless Stations (such as
channel, Mbps, security (encryption), IP, signal strength, manufacturer, MAC)
 Provides capturing of WLAN packets from single channel, AP, STA or multiple channels
by deploying distributed/multiple systems. That also means flexibility and scalability of
deployment solution.
 Provides decryption of Wireless key, WEP key (WPA cracking is optional module)
 Provides decoding and reconstruction of different Internet services/protocols on the fly,
reconstructed data is displayed in original content format on local system Web GUI.
 Supports reserving of raw data captured (for further analysis if required) and archiving of
reconstructed at with hashed export functions.
 Supports condition/parameter search and free text search.
 Supports alert by condition/parameter.
 Provides Wireless forbidding/jamming function
 Provides Wireless Equipment Locator function.
The All-in-One Mobile WLAN Interception System
3. Introduction to EDDC System
 EDDC is a tool specially designed for Offline Internet raw data files
(PCAP format) reconstruction and analysis.
 It allows Administrator to create and manage user and case easily
with user management and case management functions. Different
authority and accessibility can be created for different users.
 The system is able to reconstruct Internet application/services like
Email (POP3, SMTP, IMAP), Webmail (Yahoo Mail, Gmail, Hotmail etc.)
IM (Yahoo, MSN, ICQ, QQ, UT, IRC, Google Talk, Skype Voice Call
Log), File Transfer (FTP, P2P), HTTP (Link, Content, Reconstruct,
Upload/Download, Video Stream), Telnet, Online Games, VoIP (Yahoo),
Webcam (Yahoo, MSN).
User and Case Management – Raw Data Decoding and
Reconstruction – Data Search – Data Export and Backup – Online
Raw Data Reserving
EDDC Implementation Diagram
Offline Raw Data Decoding and Reconstruction system.
Comes with User and Case Management functions.
Collect,
Import
Raw Data
For Case 1
Case 1
Investigator 1
Case 1
Investigator 2
Case 2
Case 1 Results
Collect,
Import
Raw Data
For Case 2
Case 2
Case 2 Results
EDDC- Internet Protocols Supported
Email
Webmail
IM/Chat
(Yahoo,
MSN, ICQ,
QQ, IRC,
Google Talk
Others
Etc.)
Online Games
Telnet etc.
HTTP
(Link, Content,
Reconstruct,
Upload
Download)
File Transfer
FTP, P2P
4. Introduction to HTTPS/SSL Interceptor
● Decrypt HTTPS/SSL web page traffic, decode and reconstruct the traffic.
● 2 Modes of Operation or Implementation:
1. Man in the Middle Attack (MITM)
2. Proxy Mode Implementation (in New Version)
3. Offline Method (Decrypting HTTPS raw data with Private Key Available)
● Login username and passwords can be captured. For example, Google/Gmail
login, Hotmail login, Yahoo Mail login, Amazon login username/password etc. can
be obtained.
To view encrypted content,
a key is a needed
5. Introduction to VoIP-Detective System
 Capable to capture, decode and reconstruct VoIP RTP
sessions.
 Supports SIP and H.323.
 Supported CODECS: G.711-a law, G.711-u law, G.729,
G.723, G.726 and ILBC.
 Capable to play back VoIP sessions.
VoIP-Detective System Implementation
Sample: Reconstructed VoIP Calls with Playback
Date/Time, Account, Caller No, Called No, Mode, Type, CODEC, File Name and Time/Duration
Play back of reconstructed VoIP audio file using Media Player
References – Implementation Sites and Customers












Criminal Investigation Bureau
The Bureau of Investigation Ministry of Justice
National Security Agency (Bureau) in various countries
Intelligence Agency in various countries
Ministry of Defense in various countries
Counter/Anti Terrorism Department
National Police, Royal Police in various countries
Government Ministries in various countries
Federal Investigation Bureau in various countries
Telco/Internet Service Provider in various countries
Banking and Finance organizations in various countries
Others
Notes: Due to confidentiality of this information, the exact name and countries of
the various organizations cannot be revealed.
E-Detective Online Demo https://60.251.127.208 (root/000000)
Presented by Frankie Chan
Decision Computer Group
[email protected]
www.edecision4u.com