
Lawful Interception & Packet Forensics
Analysis System
Casper Kan Chang
Decision Group
June 2010
IP Packet Capture Way
There are 3 types of IP packet capture ways based on application and industry standard:
● Packet captured from IP network: for IP network infrastructure in enterprises, ISP, IDC and LTE/WiMAX operators
● IP packet from Telco switch:
  1. Traditional switch through Mediation Platform
  2. For IMS and all-IP networks, IP packets can be captured through the service broker of the application layer or directly from the IP core switch of the Media and End Point layer of the IMS system
  3. From Cable TV
IP Packet Capture Way – Sniffer
All data packets on an Ethernet segment are broadcast on the medium, i.e., every physical signal reaches the network interface card of the appliance. The NIC can be put into promiscuous mode so that it accepts every frame regardless of the destination MAC address, instead of discarding frames not addressed to it. This is the basis of a sniffer.
[Diagram: E-Detective deployed in Enterprise, ISP, IDC and LTE/WiMAX networks]
Lawful Interception – can it obtain that evidence?
For example, email:
- Sender email address, receiver email address
- Time and date
- Content
- Location
- and more
Sample: Email (POP3, SMTP and IMAP)
Sample: IM (Yahoo, MSN, ICQ, IRC, QQ, GTalk, etc.)
What Lawful Interception Needs Now
- Network packet capture and reconstruction
- VoIP
- Off-line analysis
- Ethernet
- HTTPS/SSL
- Wireless 802.11a/b/g/n
- Training & support
E-Detective – Mirror Mode Implementation
[Diagram: organization or corporate network deployment with E-Detective attached to a mirror port]
Wireless-Detective – Implementation Diagram (1)
Wireless-Detective Standalone System: captures WLAN packets transmitted over the air at ranges up to 100 meters or more (using an enhanced system with a high-gain antenna).
WLAN Lawful Interception – Standalone Architecture
[Diagram: Wireless-Detective deployment capturing a single channel, a single AP or a single STA]
Wireless-Detective – WPA-PSK Cracking Solution
- WPA handshake packets need to be captured for cracking the WPA key.
- Utilize a single server or distributed servers (multiple smart password-list attacks run simultaneously) to crack the WPA key.
- Acceleration technology: GPU acceleration.
Note: WPA handshake packets can be captured by a standalone Wireless-Detective system or by distributed Wireless-Detective systems.
EDDC Offline Forensics Product
Offline raw data (PCAP) decoding and reconstruction system. Comes with user and case management features.
[Diagram: Investigator 1 collects and imports raw data for Case 1, producing Case 1 results; Investigator 2 collects and imports raw data for Case 2, producing Case 2 results.]
Decode and Reconstruct various Internet Protocols and
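The slides above describe offline PCAP decoding and reconstruction, and earlier list the email fields (sender, receiver, date and time, content) that interception is expected to recover. The following is an added example written for this page, not Decision Group's code and not how E-Detective or EDDC is implemented. It builds a small constructed pcap file in memory (the MAC addresses, IP addresses, mailbox names and timestamp are all made up), decodes the Ethernet/IPv4/TCP headers without looking at the destination MAC (the same "accept everything" behaviour as a NIC in promiscuous mode), reorders and de-duplicates the TCP segments of each flow, and then pulls the SMTP envelope and message body out of the reassembled client stream.

```python
import struct
from collections import defaultdict

# Classic pcap constants: little-endian magic, microsecond timestamps, LINKTYPE_ETHERNET.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, payload):
    """Construct an Ethernet/IPv4/TCP frame for the sample capture (checksums left at zero)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, ip4(src_ip), ip4(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)  # PSH|ACK, no options
    return eth + ip + tcp + payload


def build_pcap(records):
    """Serialise (ts_sec, ts_usec, frame) tuples into a classic pcap byte string."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap_records(data):
    """Yield (timestamp, frame) from a classic pcap; stops cleanly at a truncated tail."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    if struct.unpack_from("<I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:  # capture was cut short in the middle of a record
            break
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def decode_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, seq, payload) for an IPv4/TCP frame, else None.
    The destination MAC is never checked: every frame in the capture is decoded."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 6:
        return None
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src_ip, dst_ip, sport, dport, seq, frame[tcp_off + data_off:14 + total_len]


def reassemble_flows(pcap_bytes):
    """Group TCP payload per unidirectional flow, order it by sequence number and keep the
    first copy of a retransmitted segment. Returns {flow: (first_seen, stream)}.
    Sequence-number wraparound and overlapping segments are deliberately not handled."""
    segments, first_seen = defaultdict(dict), {}
    for ts, frame in iter_pcap_records(pcap_bytes):
        decoded = decode_tcp(frame)
        if decoded is None or not decoded[5]:
            continue
        src_ip, dst_ip, sport, dport, seq, payload = decoded
        flow = (src_ip, sport, dst_ip, dport)
        first_seen.setdefault(flow, ts)
        segments[flow].setdefault(seq, payload)
    return {flow: (first_seen[flow], b"".join(segs[s] for s in sorted(segs)))
            for flow, segs in segments.items()}


def extract_smtp_envelope(stream):
    """Pull sender, recipients and message body from the client side of an SMTP session."""
    text = stream.decode("ascii", errors="replace")
    sender, rcpts, body = None, [], None
    for line in text.split("\r\n"):
        if line.upper().startswith("MAIL FROM:"):
            sender = line.split(":", 1)[1].strip().strip("<>")
        elif line.upper().startswith("RCPT TO:"):
            rcpts.append(line.split(":", 1)[1].strip().strip("<>"))
    if "\r\nDATA\r\n" in text:  # body runs from DATA to the lone "." terminator
        body = text.split("\r\nDATA\r\n", 1)[1].split("\r\n.\r\n", 1)[0]
    return {"from": sender, "to": rcpts, "body": body}


def demo():
    """Constructed capture: one SMTP client stream recorded out of order with one retransmission."""
    commands = [b"EHLO client.example\r\n", b"MAIL FROM:<alice@example.test>\r\n",
                b"RCPT TO:<bob@example.test>\r\n", b"DATA\r\n",
                b"Subject: hello\r\n\r\nmeet at 9\r\n.\r\n"]
    segs, seq = [], 1000
    for cmd in commands:
        segs.append((seq, cmd))
        seq += len(cmd)
    records = []
    for i, idx in enumerate([0, 2, 1, 3, 1, 4]):  # segment 1 arrives late, then is retransmitted
        s, cmd = segs[idx]
        frame = build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
                            "10.0.0.5", "10.0.0.25", 51000, 25, s, cmd)
        records.append((1275000000, i * 1000, frame))  # made-up timestamps
    first_seen, stream = reassemble_flows(build_pcap(records))[("10.0.0.5", 51000, "10.0.0.25", 25)]
    result = extract_smtp_envelope(stream)
    result["first_seen"] = first_seen
    return result


if __name__ == "__main__":
    print(demo())
```

The flow key is unidirectional (client to server), so the server's replies would form a second stream; a real reconstruction tool would pair the two and also handle sequence wraparound, overlapping retransmissions and SMTP extensions such as STARTTLS, after which the body is no longer recoverable from the wire.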
HTTPS/SSL MITM Interception System
Intercept and reconstruct HTTPS/SSL traffic. Obtain HTTPS page login username and password. Intercept on specific targets (suspects).
Software Architecture
More Than 140 Internet Protocols Supported
- Email
- Webmail
- IM/Chat (Yahoo, MSN, ICQ, QQ, IRC, Google Talk, etc.)
- HTTP (link, content, reconstruction, upload, download)
- File transfer (FTP, P2P)
- VoIP
- Others (online games, Telnet, etc.)
Data Captured through Traditional Telco Switch
Signals are captured from the LI port of the soft switch/TDM switch according to the ETSI/CALEA standards. They pass through the mediation platform, which converts the data and delivers it over the Handover Interface (HI) before it reaches EDDC for further packet analysis.
[Diagram: on the Telco side, the SBC and TDM switch feed the mediation gateway, which hands over HI-1 provisioning, HI-2 IRI (intercept-related information) and HI-3 content (INI-3 call content) to the EDDC analysis server on the LEA side; control information and the RTP stream flow between the target user's Router/IAD, the edge routers and the other user's Router/IAD.]
Data Packet Captured through Telco IP Switch
IP data packets are captured directly from the application or media layers of IMS/all-IP networks, so it is not necessary to pass through a mediation platform. It is predicted that this will be the future trend for all Telco operators.
[Diagram: E-Detective probes at the IMS application layer (SGIM) and session layer and at the media layer (CMS, core switch) on the Telco side; captured packets go to EDDC analysis on the LEA side; the target user and the other user connect through Router/IAD and edge routers.]
Data Packet Captured through Cable TV
[Diagram: E-Detective attached at the mediation point between the CMTS and the Internet; HFC plant with fiber-optic node and analog fiber optic, downstream 50~1000 MHz and upstream 5~42 MHz; NIU, cable modem (CM), set-top box (STB), TV, computer and telephone user loop; Cable TV broadcasting.]
Technology Transfer Program
• To help ETRI enhance its capability in LI application research
• Target
  – E-Detective
  – Wireless-Detective
• Scope
  – Source codes
  – On-site training
  – On-site assistance for software development
• Reasonable fee
Contact Information
Casper Chang Kan / CEO: [email protected]
Ted Chao / Product Manager: [email protected]
Address: 4/F No. 31, Alley 4, Lane 36, Sec. 5, Ming-Shan East Road, Taipei, Taiwan, R.O.C.
Phone No: +886 2 2766 5753
Fax No: +886 2 2766 5702
URL: www.edecision4u.com