E-Detective Series of Products Presentation (2009) Decision Group
Presentation Content - Agenda VoIP-Detective HTTPS/SSL Interceptor – Decrypt HTTPS Traffic E-Detective Decoding Centre – Offline Reconstruction Wireless-Detective – WLAN Interception & Monitoring E-Detective – LAN Interception & Monitoring
1. Introduction to E-Detective LAN Internet Monitoring, Data and Record Keeping & Network Content Forensics Analysis Solution Solution for: Organization Internet Monitoring/Network Behavior Recording Auditing and Record Keeping for Banking and Finance Industry Forensics Analysis and Investigation, Legal and Lawful Interception (LI) Compliance Solution for: Sarbanes Oxley Act (SOX), HIPAA, GLBA, SEC, NASD, E-Discovery etc. FX-30FX-06FX-100FX-120 E-Detective Standard System Models and Series (Appliance based) User can also opt to purchase software license only from us and use their own hardware/server.
Webmail IM/Chat HTTP File Transfer Telnet Using port-mirroring or SPAN port E-Detective Architecture Display Reports Capture Packets Reassemble & Decode Reconstruct Back to Actual Content Store Save Archive E-Detective Architecture
E-Detective Implementation Mode (1) Organization or Corporate Network Deployment
E-Detective Implementation Mode (2) Telco/ISP Lawful Interception
E-Detective Sample Screenshots - Reports Homepage – Top-Down Drill to Details Reporting
IM/Chat (Yahoo, MSN, ICQ, QQ, IRC, Google Talk Etc.) Webmail HTTP (Link, Content, Reconstruct, Upload Download) File Transfer FTP, P2P Others Online Games Telnet etc. E-Detective Internet Protocols Supported
Sample: (POP3, SMTP, IMAP)
Sample: Webmail (Read/Sent) – Y! Mail, Gmail etc. Webmail Type: Yahoo Mail, Gmail, Windows Live Hotmail, Giga Mail and others
Sample: Instant Messaging -Yahoo, MSN, ICQ etc.
Sample: File Transfer – FTP Upload/Download
Sample: File Transfer – P2P File Sharing Supports P2P such as Bittorent, eMule/eDonkey, Fasttrack, Gnutella
Sample: HTTP (Link, Content and Reconstruction) Whois function provides you the actual URL Link IP Address HTTP Web Page content can be reconstructed
Sample: HTTP Upload/Download
Sample: HTTP Video Streaming Video Stream (FLV format): Youtube, Google Video, Metacafe. Playback of Video File
Sample: Telnet (with Play Back)
Admin: System Access Authority Assignment Authority – Visibility and Operation in Group (with User defined) Authority - Visibility Authority - Operation Authority Groups with Users
Export & Backup – Auto (by FTP) and Manual Auto (with FTP) Backup Manual Backup Download ISO or Burn in to CD/DVD Reserved Raw Data Files and Backup Reconstructed Data Comes with Hashed Export Function
Alert and Notification – Alert with Content Alert configured from different service categories and different parameters such as key word, account, IP etc. Alert can be sent to Administrator by or SMS if SMS Gateway is available. Throughput alert function also available!
Search – Free Text, Condition, Association Complete Search – Free Text Search, Conditional Search, Similar Search and Association Search Conditional Search Free Text Search Association Search
File Checksum (Hash) – Check File Content Integrity Shows the file lists and user can import files to check and compare with the files that has been captured by the system. Compare file content integrity. Abuser might have changed file name and send out the file to competitor.
Bookmark (for Review Next Time) Bookmark items and allow the review of the items. Bookmark items can also be exported.
Reporting – Network Service Usage - Daily Drill Down Reporting Capabilities
Reporting – Network Service Usage - Weekly Drill Down Reporting Capabilities
Reporting – Top Websites Viewed (Users)
Reporting – Daily Excel Log Report Manually or Automatically Generate Daily Log Report In Excel File Format.
Wireless-Detective System WLAN Analytics/Forensics/Legal and Lawful Interception System Important Tool for Intelligent Agencies such as Police, Military, Forensics, Legal and Lawful Interception Agencies. Scan all WLAN a/b/g/n 2.4 and 5.0 GHz channels for AP and STA. Captures/sniffs WLAN a/b/g/n packets. Real-time decryption of WEP key (WPA Optional Module) Real-time decoding and reconstruction of WLAN packets Stores data in raw and reconstructed content Displays reconstructed content in Web GUI Hashed export and backup All in One System! The Smallest, Mobile, Portable and most Complete WLAN Lawful Interception System in the World! 2. Introduction to Wireless-Detective System Notes: Pictures and logo are property of designated source or manufacturer
Wireless-Detective Standalone System - Captures WLAN packets transmitted over the air ranging up to 100 meters or more (by using enhanced system with High Gain Antenna) Wireless-Detective – Implementation (1) WLAN Lawful Interception – Standalone Architecture Wireless-Detective Deployment (Capture a single channel, a single AP or a single STA)
Wireless-Detective Extreme Implementation Utilizing multiple/distributed Wireless-Detective systems (Master – Slave) to conduct simultaneous capture, forbidding and location estimation functions. Wireless-Detective – Implementation (2) Notes: For capturing multiple channels, each Wireless-Detective (WD) can reconfigure/act as standalone system. For example: Deploy 4 WD systems with each capturing on one single channel. WLAN Lawful Interception Distributed Architecture Wireless-Detective Deployment (Utilizing min. of 2 systems for simultaneous (Master & Slaves) capturing/forbidding functions. Capture a single channel, a single AP or a single STA)
AP & STA Information – Capture Mode Displaying information of Wireless Devices (AP) in surrounding area. Obtainable Information: MAC of Wireless AP/Router, Channel, Mbps, Key, Signal Strength, Beacons, Packets, SSID, Number of Stations Connected.
Cracking/Decryption of WEP and WPA Key 1)WEP Key Cracking/Decryption:-- (64, 128, 256 bit key) Active Crack – By utilizing ARP packet injection (possibly 5-20 minutes) Passive Crack – Silently collect Wireless LAN packets 64-bit key – 10 HEX ( MB raw data /100K-300K IVs collected) 128-bit key – 26 HEX ( MB raw data /150K-500K IVs collected) 2) WPA-PSK Key Cracking/Decryption:-- (Optional Module Available) WPA-PSK cracking is an optional module. By using external server with Smart Password List and GPU Acceleration Technology, WPA-PSK key can be recovered/cracked. Notes: The time taken to decrypt the WEP key by passive mode depends on amount network activity. The time to crack WPA-PSK key depends on the length and complexity of the key. Besides, it is compulsory to have the WPA-PSK handshakes packets captured. WEP Key Cracking/Decryption can be done by Wireless-Detective System! Auto Cracking (System Default) or Manual Cracking
Automatic: System auto crack/decrypt WEP key (default) Manual: Capture raw data and crack/decrypt WEP key manually Automatic Cracking Key Obtained Cracking/Decryption of WEP Key
IM/Chat (Yahoo, MSN, ICQ, QQ, IRC, Google Talk Etc.) Webmail HTTP (Link, Content, Reconstruct, Upload Download) File Transfer FTP, P2P Others Online Games Telnet etc. Wireless-Detective- Internet Protocols Supported
Wireless-Detective – Unique Advantages/Benefits Smallest, portable, mobile and light weight WLAN legal interception system. This allows easy tracking and capturing of suspect’s Internet activities especially suspect moves from one place to another. Suspect won’t notice WD existence as it looks like normal laptop. Detects unauthorized WLAN access/intruders (IDS). Provides detailed information of AP, Wireless Routers and Wireless Stations (such as channel, Mbps, security (encryption), IP, signal strength, manufacturer, MAC) Provides capturing of WLAN packets from single channel, AP, STA or multiple channels by deploying distributed/multiple systems. That also means flexibility and scalability of deployment solution. Provides decryption of Wireless key, WEP key (WPA cracking is optional module) Provides decoding and reconstruction of different Internet services/protocols on the fly, reconstructed data is displayed in original content format on local system Web GUI. Supports reserving of raw data captured (for further analysis if required) and archiving of reconstructed at with hashed export functions. Supports condition/parameter search and free text search. Supports alert by condition/parameter. Provides Wireless forbidding/jamming function Provides Wireless Equipment Locator function. The All-in-One Mobile WLAN Interception System
3. Introduction to EDDC System EDDC is a tool specially designed for Offline Internet raw data files (PCAP format) reconstruction and analysis. It allows Administrator to create and manage user and case easily with user management and case management functions. Different authority and accessibility can be created for different users. The system is able to reconstruct Internet application/services like (POP3, SMTP, IMAP), Webmail (Yahoo Mail, Gmail, Hotmail etc.) IM (Yahoo, MSN, ICQ, QQ, UT, IRC, Google Talk, Skype Voice Call Log), File Transfer (FTP, P2P), HTTP (Link, Content, Reconstruct, Upload/Download, Video Stream), Telnet, Online Games, VoIP (Yahoo), Webcam (Yahoo, MSN). User and Case Management – Raw Data Decoding and Reconstruction – Data Search – Data Export and Backup – Online Raw Data Reserving
EDDC Implementation Diagram Offline Raw Data Decoding and Reconstruction system. Comes with User and Case Management functions. Investigator 1 Case 1 Investigator 2 Case 2 Case 1 Results Case 2 Results Collect, Import Raw Data For Case 1 Case 1 Case 2Collect, Import Raw Data For Case 2
IM/Chat (Yahoo, MSN, ICQ, QQ, IRC, Google Talk Etc.) Webmail HTTP (Link, Content, Reconstruct, Upload Download) File Transfer FTP, P2P Others Online Games Telnet etc. EDDC- Internet Protocols Supported
4. Introduction to HTTPS/SSL Interceptor ●Decrypt HTTPS/SSL web page traffic, decode and reconstruct the traffic. ●2 Modes of Operation or Implementation: 1. Man in the Middle Attack (MITM) 2. Proxy Mode Implementation (in New Version) 3. Offline Method (Decrypting HTTPS raw data with Private Key Available) ●Login username and passwords can be captured. For example, Google/Gmail login, Hotmail login, Yahoo Mail login, Amazon login username/password etc. can be obtained. To view encrypted content, a key is a needed
Capable to capture, decode and reconstruct VoIP RTP sessions. Supports SIP and H.323. Supported CODECS: G.711-a law, G.711-u law, G.729, G.723, G.726 and ILBC. Capable to play back VoIP sessions. 5. Introduction to VoIP-Detective System
VoIP-Detective System Implementation
Sample: Reconstructed VoIP Calls with Playback Date/Time, Account, Caller No, Called No, Mode, Type, CODEC, File Name and Time/Duration Play back of reconstructed VoIP audio file using Media Player
References – Implementation Sites and Customers Criminal Investigation Bureau The Bureau of Investigation Ministry of Justice National Security Agency (Bureau) in various countries Intelligence Agency in various countries Ministry of Defense in various countries Counter/Anti Terrorism Department National Police, Royal Police in various countries Government Ministries in various countries Federal Investigation Bureau in various countries Telco/Internet Service Provider in various countries Banking and Finance organizations in various countries Others Notes: Due to confidentiality of this information, the exact name and countries of the various organizations cannot be revealed.
E-Detective Online Demo (root/000000) Presented by Frankie Chan Decision Computer Group