Presentation Slides - network forensics | Lawful Interception

January 19, 2018 | Author: Anonymous | Category: Social Science, Sociology, Globalization

Technology and Method behind Cross-border Fraud Investigation in Telecom and Internet

How to Combat Cyber Crime Effectively

Outline

Fraud Crime Cases through Telecom and Internet
Challenges
Trace Communication Route and Obtain Related Data
Case Study of the Recent Investigation on Cyber Crime
Conclusion

Fraud Crime Cases through Telecom and Internet: Nature of Cyber Crimes

Traditional crime with cutting-edge technology
Hard to analyze the large volume of complicated data during investigation
Crime globalization
Emerging types of fraud crime through telecom and Internet and their associated features
Crime toward seamless processes and delicate organization

Traditional Crime with Cutting-Edge Technology

(Diagram: Traditional Crime + Advanced Technology = Emerging Type of Crime)

With mobile phones, the Internet, IP phones, mobile Internet access or other value-added telecom services, swindlers commit crimes more easily. However, whatever advanced technology and tools they use, the nature of their crimes always stays the same. We still need to profile such crimes by analyzing the conditions, mindset and behavior of the crime.

Crime Globalization

As the applications and services of telecom technology and the Internet develop rapidly and pervasively, people become familiar with those services. Fraud crimes through telecom and Internet, just like contagious diseases, may spread globally over networks.

Globalized Crime Issue

The borderless Internet makes crime behavior more globalized. Through the Internet and cloud computing, communication within a swindler group can be enhanced and anonymous. Because of the limits of state authority and the anonymity involved, it is really hard for state prosecutors and police to investigate the entire crime activity.

(Diagram: swindler groups spanning Taiwan, Thailand, North America, South Korea, China/HK, Vietnam and Japan.)

Cloud Computing = Network Computing: through the Internet, computers can cooperate with each other, and services are available over a far greater reach.

Hard to analyze large volume of complicated data

Telecom and Internet fraud crimes often produce a large volume of data or information (such as multiple phone transfers) because of converged IT network and telecom routes. In reality, such a huge amount of data is acquired from multiple service providers. Investigators must apply for multiple court orders in advance to obtain data from those service providers. (For example: if a phone transfer is made between 2 operators, the investigator must request both to provide CDR information and call content under 2 court orders ahead of time, and integrate all the information for further analysis.)

There is therefore no way to cope with such telecom and Internet fraud crime only by the traditional way of comparing, claiming or tracing targets manually. The best way for the investigator is to adopt several effective software tools to analyze such a huge amount of data.
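To show what the cross-operator integration described above looks like once the CDRs from both court orders are merged, here is an added example (not from the original slides) that walks a forwarded call back from the victim's number to the originating caller; the operator names, phone numbers and CDR layout are assumptions constructed for illustration.

```python
"""Reconstruct a forwarded call chain from merged CDRs of several operators.
Added example, not from the original slides: the CDR layout, operator names
and every phone number are constructed for illustration."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed CDR rows from two operators, obtained under separate court
# orders and merged before analysis: (operator, caller, callee, start, end).
# Rows 1-3 are one call forwarded twice before it reached the victim.
CDRS = [
    ("OpA", "+886911000001", "+886222000100", "2018-01-10 09:00:02", "2018-01-10 09:05:40"),
    ("OpB", "+886222000100", "+886222000200", "2018-01-10 09:00:03", "2018-01-10 09:05:40"),
    ("OpB", "+886222000200", "+886933000999", "2018-01-10 09:00:04", "2018-01-10 09:05:40"),
    ("OpA", "+886911000002", "+886933000999", "2018-01-09 18:30:00", "2018-01-09 18:31:10"),
]

def parse(row):
    op, caller, callee, start, end = row
    return {"op": op, "caller": caller, "callee": callee,
            "start": datetime.strptime(start, FMT), "end": datetime.strptime(end, FMT)}

def trace_chain(cdrs, victim, call_time, window_s=10):
    """Walk forwarded legs backwards from the victim's leg to the originating caller.
    call_time is the time the victim reported (FMT string). Returns the legs
    oldest-first, so chain[0]["caller"] is the number that placed the call."""
    window = timedelta(seconds=window_s)
    legs = [parse(r) for r in cdrs]
    reported = datetime.strptime(call_time, FMT)
    # Leg that delivered the call to the victim around the reported time.
    cur = next((l for l in legs if l["callee"] == victim
                and abs(l["start"] - reported) <= window), None)
    chain = []
    while cur is not None and cur not in chain:
        chain.append(cur)
        # Previous leg: terminates on this leg's caller, was set up just before
        # it, and stays up as long as it (a forwarded leg lives with the call).
        cur = next((l for l in legs if l["callee"] == cur["caller"]
                    and timedelta(0) <= cur["start"] - l["start"] <= window
                    and l["end"] >= cur["end"] - window), None)
    return list(reversed(chain))

def origin_of(cdrs, victim, call_time):
    """Return (originating number, [(operator, caller, callee), ...]) or None."""
    chain = trace_chain(cdrs, victim, call_time)
    if not chain:
        return None
    return chain[0]["caller"], [(l["op"], l["caller"], l["callee"]) for l in chain]
```

Each hop in the returned chain names the operator whose CDR supplied it, which is what tells the investigator which provider's order covered which leg.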

Converged ICT Communication Routes

(Diagram: A telecom network, B fixed network, C mobile, D cross-border Internet, E Internet; routes through an illegal ISP, illegal DMT by ISP and illegal domestic transfer, spanning telecom network, IT network and Internet.)

Crime toward seamless processes and delicate organization

It is a natural trend for group crime to move toward seamless processes and delicate organization. There is a very clear hierarchy of roles and responsibilities (R&R) for the leader, telecom engineer and service staff in a crime group. They never mix phones used for crime with private ones, and they adopt one-way contact so that the whole group cannot be cracked at once. Such a crime model can be easily duplicated. A fraud crime group often splits into small ones, forms new gangs, commits more crimes, and exchanges information and new fraud techniques.

(Diagram: swindler group roles: telecom (telecom contact, Internet, jump board), private collection, finance (cash flow, ATM operation), R&D (new crime), recruiting, monitoring police.)

Common Features

Converged ICT technologies: in daily life, and not far above police heads
Faults can be tracked from human behavior: the criminals (as a group) make human faults
Telephone: the primary communication during crime commitment
Skillful at all services: skillful at all Internet and telecom services, but not familiar with the operations behind them or with LI by police

Challenges


Hard to Identify Criminal

● With new technologies (like IP phones), it is hard to intercept their calls with existing equipment. We need professionals and suppliers to find the way out

Hard to Track Cross-border Phone

● Look for cross-border cooperation, or for other related clues if there is no cooperation

Hard to Find Foreign Proxy or Router as Jump Board

● A VPN or foreign proxy used as a jump board by criminals may be hidden deeper in the Internet

Large Volume of CDR, and Hard to Take Analysis

● Analyze data and find the key information by text mining and data warehousing

Wrong CDR or Missing Partial Data

● CDR is for billing management of the ISP, and we must find how the error happens and analyze the reason

Hard to Track Calls with Dummy Accounts

● Find source and links, and know the key point with technical assistance and help from ISPs

Trace Communication Route and Obtain Related Data: Methodology and Guidelines of Cyber Crime Investigation

Check Post Deployment
Archive Look-up
Tenant Interview
Tracking
Lawful Intercept
Warrant & Confiscation
e-Positioning

The way of investigating fraud crimes behind telecom and Internet is the same as for traditional crimes. None of the techniques is for a specific case; they can be used flexibly by need.

Gap between Physical and Cyber Crimes

Physical Crimes
  Clues: informers, others
  Evidence collection & investigation: finance record, interview (video), CDR, LI
  Enforcement: human: apprehend, arrest; place: warrant, confiscate

Cyber Crimes
  Clues: crime side: sourcing (web or tool); non-crime side: social network
  Evidence collection & investigation: IP tracking, finance record (useless), CDR, LI, lock activities (by account); analysis & highlight
  Enforcement: human: apprehend, arrest; place: warrant, confiscate; others excluded

Different sources dealt with by police: hard to get a clue (don't know how to do it), and no way to trace!

Quest for Investigation on Cyber Crimes: Cross Check and Find Links

Tenant list, CDR, car plate, car meter record, credit card, insurance, resident information, cable TV, broadband, Internet googling, relatives, crime record, 165 voice signature, finance transaction, co-prisoners, shipping list, property tax, immigrant, labor insurance

There is no difference in nature between cyber crime and traditional crime. With the convenience, anonymity and mobility of telecom and Internet, criminals are able to disguise their command center and disrupt the direction of the investigation. Law enforcement officers need to make more effort in studying the crime model and finding the way out to combat criminals.

1) Set up a dedicated database for information collection and analysis
2) Be clear about the crime tool and method, and find the key point
3) Organize data and perform link analysis by software

Process Flow for Investigation

Primary data sourcing and collection → Primary data study and further collection & sourcing → Further Investigation → Suspect arrest and evidence collection → Follow-up

Primary data sourcing and collection

● A1 clue, informer, case claim, daily crime information collection and integration, sourcing

Primary data study and further collection & sourcing

● Study primary data, cross check databases in the Police Department, google on the Internet and confirm the crime type in order to prepare the investigation

Further Investigation

● Phone record, check post, lawful intercept, tracking, location positioning, knowledge of crime organization and members

Suspects arrest and evidence collection

● Arrest all suspects, confiscate all evidence, check all computers, telephone records, booking records, etc.

Follow-up

● Follow-up investigation on related targets & evidence, and hunting for clues from other members to combat all gangsters

VoIP-based Interception and data interception of 150 other Internet services

● Flexible implementation in multiple telecom operators
● Intercept all VoIP routes from different sources simultaneously
● Collect original pcap as well as reconstructed voice data for evidence in court
● Support all common VoIP codecs such as G.711 a-law, G.711 µ-law, G.726, G.729, iLBC
● Meet the requirements of the state LI law and ETSI standards

LAN Internet Monitoring, Data Retention, Data Leakage Protection & IP Network Forensics Analysis Solution

Solution for: route of Internet monitoring/network behavior recording; auditing and record keeping; forensics analysis and investigation; legal and lawful interception (LI); VoIP tactic server & mediation platform

E-Detective Standard System Models and Series (appliance based): FX-06, FX-30N, FX-100, FX-120

Telco/ISP Lawful Interception

(Screenshot: per-call record showing caller phone #, callee phone #, IP address, date & time, duration, and playback of the reconstructed VoIP audio file using Media Player.)

Evidence obtained: source IP address, telephone number of caller, telephone number of receivers/victims, date & time of calls, duration of calls, call content

Case Study of the Recent Investigation on Cyber Crimes: Lessons and Experience

Real Case on VoIP Investigation

Problem here: the most common tool used by a swindler group is the telephone. When arriving at the criminal's telecom room, sometimes the police can't do anything because they know nothing about this equipment and can't track the IP phone source from the Internet.

Group and Billing Systems

● Account information in SIP Gateway or IP-PBX servers
● Detailed CDR from SIP Gateway or IP-PBX servers

VoIP Tracking from Swindler Group: Group and Billing System

● Group system: random to call
● Billing system: call CDR

VoIP Gateway Investigation from Swindler Group: Track SIP Server

● Server IP
● Account and password

VoIP Tracking from Operator: CDR of SIP Server

Callee ID and CDR of the IP phone from the ISP, with fields: callee VoIP ID, caller, callee, initial time, answer time, VAD, Srvc-Redial, end time, interval, IP of VoIP ID

Key Points of Investigation

1) Aggressively hunt for intelligence
2) Don't give up any follow-up opportunity, and carefully analyze any useful information
3) Active lawful intercept: tap into suspected lines, intercept phone numbers and IMEI, phones in China, interview resident houses, and clarify the criminal organization, identity and location

Experience

1) Be familiar with law and regulations, and understand what the target is and what the key evidence is. For example: find Chinese victim information and testimony through cooperation with Chinese police after breaking a cross-strait swindler group in Taiwan. Otherwise, these criminals will not be prosecuted or will be found not guilty by the court.
2) Telecom equipment suppliers, telecom shops, network engineers, telecom engineers, telecom sales and other network and telecom professionals are usually aware of information on and the location of suspects.
3) Understand the calling flow and the accounts of the swindler group from the operator side in order to find more background information from CRM and billing systems
4) Active lawful intercept: tap into suspected lines, intercept phone numbers to China
5) Carefully trail down: prepare information (time, place, behavior) in advance, trail by segment (so as not to expose oneself), identify the criminal from different sides
6) Use confiscated computers for investigation to find stronger evidence

Conclusion

1) It is quite natural for criminals to use advanced ICT technologies. Humans are the key to every crime act. Although there may be no fault in the technology itself, humans may make mistakes in using it. Investigators are able to find the way out and combat these criminals
2) Enhanced on-the-job technical training for police to promote investigation capability and understanding of criminal law
3) From the viewpoint of investigation, more horizontal coordination among all units in order not to waste resources. From the tactical viewpoint, more international and cross-strait cooperation to combat cross-border swindler groups
4) God will help those who work hard for justice

Q&A
