A minor thesis submitted by Bruno VALENTIN in part fulfillment of the degree of M.Sc. in Forensic Computing and CyberCrime Investigation with the supervision of Dr. Pavel GLADYSHEV
2 Background
As seen previously in the introduction, the aim of this document is to set up a solution to simultaneously intercept a set of local area networks from a remote location, for Law Enforcement needs. This kind of subject matter is often not published or disclosed, since it is considered sensitive by the private companies that design purpose-built equipment and by the Law Enforcement Agencies.
However, some white papers have been released publicly by academic institutions and the private sector. An overview of the current state of the art regarding wiretapping has been carried out to determine how interceptions can be implemented to solve the issue exposed in this dissertation.
The white papers and other documents found introduce the different ways of intercepting communications on an IP network.
2.1 Internal versus external interceptions
Depending on how accessible the network to monitor is and where the wiretapping equipment can be installed, an interception process is referred to as internal or external.
Internal interception allows the Law Enforcement Agencies to extract the data directly from the internal networks of the internet service providers [2-1] involved in transmitting the data of interest over the Internet. In this case, the whole traffic of the target is intercepted and delivered to the LEA in its raw format. This is commonly achieved using software or hardware sniffers capable of dealing with IP traffic.
Since it is crucial, from a Law Enforcement perspective, that the target does not know they are being monitored, some mechanisms must be put in place to ensure the interception system remains transparent. This means that the system has to be thought out and designed in a secure manner [2-1].
Unfortunately, in many developed countries, ISPs are often reluctant to provide the LEA with access to their core networks. There is usually strong opposition [2-1], leading to legal fights between the LEA and the service providers.
When putting an internal interception in place is not feasible, the interception must be performed at network access level, outside the network of the service provider. Typically, this means that the interception equipment has to be connected outside the immediate target network, for instance at adjacent networks or at public network concentration points [2-1]. This network usually belongs to the network operator, as depicted in the figure below.
10 of 124 B. VALENTIN – MSC DISSERTATION
The systems capable of performing external interceptions are often designed and commercialised by private companies. As performing an external interception is much more complicated than an internal one, such systems tend to be sophisticated and not officially publicised. In fact, WAN monitoring is by no means a simple task. It must support a much wider range of network topologies and protocols (PPP, multilink PPP, Cisco HDLC, Frame Relay, ATM) [2-2] and must be able to deal with several levels of protocol encapsulation.
As was already the case for internal interception, targets must be unaware that they are under electronic surveillance. Therefore, any noticeable information that could reveal the monitoring process should be avoided [2-1]. For instance, the traceroute command could show a new router hop in the path from the target to the Internet. Also, degradation or interruption of service has to be avoided as much as possible through the use of appropriate technologies.
In conclusion, whenever it is applicable, internal interception is considerably more straightforward to put in place. Also, the content data resulting from this interception can be filtered more effectively, since the data is already IP data and does not need to be translated prior to being analysed.
Illustration 2.1: Typical configuration for xDSL
3 Problem Statement
3.1 What is the problem and why it needs to be solved
Nowadays, new technologies are widely used by criminals to exchange information (terrorism, organized crime) or to stay in touch with their victims (blackmail). Computers are everywhere and offenders now have the skills to use them for their criminal activities, whatever those are.
When these people have to send emails, they know that doing so from an Internet cafe is a good way to remain anonymous and to ensure that they will not be traced back. Anonymity is one of their main concerns.
Furthermore, they are aware that going repeatedly to the same Internet cafe may compromise them. Indeed, the Law Enforcement unit in charge of the case can determine where the mail was sent from by analyzing the header of the email. Once the unit gets the reply to the legal request sent to the ISP, it will be able to arrest the perpetrator the next time he comes to this Internet cafe.
For this reason, criminals tend to roam between several Internet cafes in order to confuse the Police. But they usually visit the same ones, often located in the same area of the city. Most of them do not select a new location each time they have to connect to the Internet. After a while, they tend to return to a cyber cafe they have already visited. Not all criminals commit their crimes from big cities, where a good number of Internet cafes are located. Some of them also operate from smaller towns, where they do not have as many options when roaming between Internet cafes.
Most of the time, the managers of the Internet cafes agree to cooperate. It is not that common to face an investigation in which even the Internet cafe is involved and should be considered an accomplice of the suspect.
Changing Internet cafe for each connection to the Internet means that the public IP address used by the perpetrator changes all the time as well. The criminals are aware of this fact too.
In cases where communication between criminals and their victims is needed (e.g. kidnapping), there are very frequently several exchanges of emails between the two parties. It is often a game of questions and answers in which the Police obtain many IP addresses.
Some Internet cafes are open to customers 24 hours a day. As suspects are liable to connect to the Internet at any time, it is hardly conceivable to have a police officer in front of each cyber cafe all the time.
Of course, one could think of putting all the Internet cafes under monitoring. Unfortunately, such internet interceptions, whether on the core network of an ISP or locally in the facilities of a telecommunication operator, are very expensive and require much effort to analyze the whole traffic. Indeed, traditional Internet interceptions record the whole traffic coming from and going to a specific target. This would be useless if the only aim is arresting the perpetrator. Subsequent computer forensics will prove he was using the computer for criminal purposes at the time he was arrested and will determine exactly what he was doing.
Internet cafes are sometimes the only location where the perpetrator can be arrested. If the criminal is careful and takes all precautions not to be identified, he never connects to the Internet from another type of Internet access. That ensures that no personal IP address will be recorded in the log files or in the mail headers of the victim.
Furthermore, from a Law Enforcement perspective, arresting a suspect while he is committing his crime, with his hands on the computer, is the best way to get undeniable evidence of his culpability and thus to prove he is really involved. Unfortunately, arresting a criminal in such conditions is not that easy. Indeed, many major problems come up, due to technical restrictions or gaps in the law.
Depending on the country, no legal provision exists with regard to public access to the Internet offered by private companies.
In France, for instance, Internet cafes are not obliged to comply with any legislation regarding the identification of their customers.
The managers of the Internet cafes are not compelled to ask people for their identity, and even if they do, they are not obliged to keep any record of it. This means that if the Police come across an IP address allocated to an Internet cafe at the time the offence was committed, they cannot simply go to the manager and get the list of the people who were using the computers. From a Law Enforcement perspective, this is a big issue, as no subsequent identification can be done. The suspect has to be identified and arrested in real time.
Very often there is no camera installed in the Internet cafes. Even if there is, it is used for security purposes only and no video recording exists. Again, this is a constraint for the Police when subsequently identifying a suspect. Even if the Police officers can identify the Internet cafe the connection was established from, and even the workstation used, they will not be able to get any picture or video of the criminal.
Moreover, most Internet cafes are linked to the Internet via a broadband connection with a dynamically allocated IP address. Depending on the ISP, it can take a long time to get a reply to the legal request for identification. Some of them tend not to reply rapidly enough to fit the constraints imposed by a criminal investigation. If the case is about kidnapping, for instance, it is crucial that the location the connection is originating from is identified urgently.
Furthermore, when the Police receive the reply from the ISP identifying the Internet cafe involved, obviously only the public IP is identified, as this is the only information the ISP knows of. Some Internet cafes are equipped with a huge number of workstations. Every computer uses a private IP and the traffic is routed to the Internet through the public IP of the router/gateway.
Internet cafes usually have a basic network infrastructure. They are not equipped with a filtering and logging appliance such as a proxy server. A proxy would allow the Police to establish a correspondence between the requested URL and the private internal IP address of the workstation from which it was requested. For instance, if the Police know that the suspect was using Yahoo webmail at a specific moment, they could analyze the logs of the proxy and select all the computers connected to this web site at the time the connection occurred.
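The proxy-log correlation just described, as an added example (not code from the dissertation): it shortlists the private workstation addresses that requested a given web site around a known moment. The log format (ISO timestamp, client IP, method, URL) and the sample lines are constructed assumptions.

```python
"""Correlate a cafe proxy log with a known webmail visit to shortlist
workstations. Added example; the log format and lines are constructed."""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample access log from a hypothetical cafe proxy.
SAMPLE_LOG = """\
2009-03-12T14:01:07 192.168.1.21 GET http://mail.yahoo.com/
2009-03-12T14:01:09 192.168.1.33 GET http://www.example.net/news
2009-03-12T14:03:42 192.168.1.25 POST http://mail.yahoo.com/ym/Compose
2009-03-12T14:04:15 192.168.1.21 GET http://mail.yahoo.com/ym/ShowFolder
2009-03-12T14:40:00 192.168.1.40 GET http://mail.yahoo.com/
"""

def parse_line(line):
    """Split one log line into (timestamp, client_ip, method, host)."""
    ts, ip, method, url = line.split(None, 3)
    return datetime.fromisoformat(ts), ip, method, (urlsplit(url).hostname or "")

def workstations_for(log_text, host_suffix, when_iso, window_minutes=5):
    """Return the sorted private IPs that requested a host ending in
    host_suffix within +/- window_minutes of when_iso (ISO 8601 string).
    Lines that do not parse are skipped rather than aborting the search."""
    when = datetime.fromisoformat(when_iso)
    window = timedelta(minutes=window_minutes)
    hits = set()
    for raw in log_text.splitlines():
        try:
            ts, ip, _method, host = parse_line(raw)
        except ValueError:
            continue  # blank or malformed line
        if host.endswith(host_suffix) and abs(ts - when) <= window:
            hits.add(ip)
    return sorted(hits)

if __name__ == "__main__":
    # The moment the investigators know the suspect was on the webmail site.
    print(workstations_for(SAMPLE_LOG, "yahoo.com", "2009-03-12T14:03:00"))
```

Narrowing the window reduces the shortlist; widening it trades precision for the risk that the suspect's session started earlier than the known moment.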
As it is sometimes impossible to guess which workstation was used, it can take a considerable amount of time to analyze every computer from a forensic perspective. It can also take time to search for keywords on every hard disk to determine which one contains the evidence related to the criminal activities of the user.
Sometimes it is not even possible, as some Internet cafes are equipped with an automatic re-installation process that restores a generic system image on the hard disk when the client logs off. In some cases, the whole system is virtual and runs completely in memory. It is even more complicated to find digital evidence if the computer is examined subsequently.
All these technical and judicial issues make the investigation longer and more complex than it should be in an ideal world.
Nonetheless, some solutions can be devised to make it easier and quicker to identify and arrest a criminal connecting to the Internet from Internet cafes.
3.2 Existing solutions
3.2.1 Niksun NetDetectorLive
In terms of network detection, a private company named Niksun provides an autonomous appliance that allows monitoring both incoming and outgoing network flows in real time.
This equipment, called NetDetectorLive (tm), can capture the network traffic and simultaneously search for non-authorised patterns in transmitted packets with regard to the internal policy of a company.
The main purpose of this equipment is to be used for intellectual property protection and outbound content control. This appliance makes it possible for the administrator of a network to be informed in real time of policy violations, particularly about sensitive content such as R&D and financial information.
Although it has not been designed specifically as a lawful interception product, this equipment includes some of the functionalities that could be required to address the problem described in the previous chapter.
NetDetectorLive provides real-time archiving of data and allows reconstruction of the content in its context afterwards. For instance, it can store all email messages or instant messages for a later search. Furthermore, it is capable of categorising and reconstructing most standard protocol sessions (SMTP, POP, IMAP, web, instant messaging, FTP, P2P) as well as intercepted documents transmitted through the network (office documents, text files, PDF files, embedded images).
Each time an incident is detected on the network, an event is generated and an alarm is issued. Detected incidents are logged in a database to allow subsequent filtering and analysis.
Illustration 3.1: NetDetectorLive Appliance From Niksun
3.2.3 Blueye project
Finally, with regard to keyword-based network sniffing, a project has been initiated by the BL7 group and made available for download for Windows and Linux under the GPL2 licence on their website [323-1]. This project, called Blueye Layer 7 sniffer, aims at detecting keywords in a high-rate network stream (wired or wireless links) in real time. Initially, this project was designed to allow administrators to monitor the backbone of their private company for security reasons. For instance, it can be used in the field of intellectual property defence to prevent internal users from sending sensitive content outside the corporate network without being noticed.
Filtering rules can be defined and the configuration of Blueye can be changed by modifying a set of text files. So far, no graphical user interface exists to perform this task.
As soon as user-defined keywords are detected, this layer 7 sniffer uses them to extract valuable and relevant information, rebuilds the fragmented TCP sessions and stores them on the hard disk of the computer. It can also issue alerts by email on relevant events.
All the logged packets are stored as PCAP files and also indexed in a MySQL database for later identification and retrieval. The system is scalable to fit the needs of intercepting a multi-site network as well. For this purpose, it can be deployed as a distributed infrastructure composed of several front-ends and one back-end which stores all the records in a centralised database.
Although Blueye is just a piece of software and does not have anything to do with hardware equipment, it relies on Ninjabox platforms to sniff the network flow. Ninjabox platforms are commercialised by a UK-based company named Endace.
Ninja platforms are basically 3U appliances equipped with two Intel Xeon dual-core CPUs and 4 GB of internal memory. They come with two built-in 1 Gb/s network ports. They are also equipped with a RAID array composed of eight 250 GB hard drives, for an overall capacity of 2 TB.
3.2.4 Drawbacks of existing solutions
The existing solutions identified have all been designed with a specific goal and for a special use. However, they all provide some functionalities that are needed and useful for solving the current issue of
Illustration 3.3: blueye logo
3.3.7 Legality
Lastly, the adopted solution should match the legal system of the country it is deployed in.
In order to ease the use of this system in terms of legal restrictions, it needs to be a detection and reporting system instead of an interception solution. This point is crucial, as national regulations regarding the interception of telecommunications are often very restrictive.
Thus this system will not record the traffic and will not keep any record of the user data. Only certain monitored strings will cause alerts to be issued to law enforcement.
This system should be a binary one. The only important point is “Is any occurrence detected or not?” If it is, the event should be reported urgently to the Police officers in charge of the case, since the criminal is currently connected and has to be arrested without delay.
Obviously, if the national legislation of the country requires that the Police unit obtain a warrant or an authorisation from a judge prior to putting a probe in place, this installation should be carried out in accordance with the local legal provisions.
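The detection-and-reporting principle of this section, as an added example (not the dissertation's own probe code): monitored strings are matched against a payload and the only output is a binary decision plus a metadata-only alert, so no user content is stored or forwarded. The rule names, probe identifier, addresses and sample payload are constructed assumptions.

```python
"""Detection-only alerting: match monitored strings, report metadata, drop
the payload. Added example; rules, addresses and payload are constructed."""
from datetime import datetime, timezone

# Monitored strings would be supplied for the case; the values here are
# constructed placeholders, keyed by a rule name that is safe to report.
MONITORED = {
    "rule-1": "PLACEHOLDER-KEYWORD-1",
    "rule-2": "PLACEHOLDER-KEYWORD-2",
}

def matching_rules(payload: bytes, monitored=MONITORED):
    """Names of the rules whose string occurs in payload (case-insensitive).
    Only rule names are returned, never the matched bytes."""
    lowered = payload.lower()
    return [name for name, s in monitored.items() if s.lower().encode() in lowered]

def build_alert(probe_id, src_ip, dst_ip, payload, monitored=MONITORED, when=None):
    """Binary outcome: None when nothing matched, else a metadata-only alert.
    The payload is discarded after matching so no user data is kept."""
    rules = matching_rules(payload, monitored)
    if not rules:
        return None
    when = when or datetime.now(timezone.utc)
    return {
        "probe": probe_id,
        "time": when.isoformat(timespec="seconds"),
        "src": src_ip,                  # private IP of the cafe workstation
        "dst": dst_ip,
        "rules": rules,                 # which monitored strings fired
        "payload_bytes": len(payload),  # size only, content is discarded
    }

def leaks_content(alert, payload, window=8):
    """True if any window-byte slice of the payload appears in the alert.
    Used as a self-check that the report carries no user data."""
    serialized = repr(alert).encode()
    return any(payload[i:i + window] in serialized
               for i in range(max(1, len(payload) - window + 1)))

# Constructed sample: a webmail form body seen on the cafe's uplink.
SAMPLE_PAYLOAD = b"to=someone@example.org&body=see+you+placeholder-keyword-1+tonight"

if __name__ == "__main__":
    print(build_alert("probe-07", "192.168.1.25", "203.0.113.10", SAMPLE_PAYLOAD))
```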
4 Adopted Approach
the whole infrastructure. This computer has to stay in contact with the probes on a permanent basis in order to be able to update and monitor them all on demand.
The probes are composed of regular, cheap SOHO routers which have been modified and updated especially for this project. Each probe has been flashed to replace its firmware with a mini Linux operating system in order to implement the features required for this project.
An ordinary computer such as a laptop could have achieved the same bridging and sniffing functionalities, as long as an additional network card was provided.
But with regard to the constraints on the cost of the overall solution, it was apparent that choosing cheap equipment already fitted with multiple network cards was more appropriate.
4.1.1 The central server
The central server is the core of this architecture. It has to perform various tasks and implement several functionalities on a permanent basis. Therefore, it is crucial that this server remains online and accessible by the probes all the time.
1 Hosting
Thus, one of the primary considerations about this server is hosting. Indeed, as the whole infrastructure is organised around a central server that has to be reachable all the time, how this computer is hosted is essential for the system to work. There are actually two types of solutions that can be used to host such a computer.
The first one consists in hosting the server in Law Enforcement facilities.
It requires that the link connecting the premises to the Internet has a high bandwidth dedicated to this purpose. This connection should be provided by the ISP with a static IP address. This point is crucial because the probes are going to use the IP address of the server as the endpoint of the virtual private network tunnel.
This type of hosting can bring privacy and security, as physical access to the server can be restricted. It is also a cheap solution, as broadband access is nowadays very affordable for any unit.