Technology and Method behind Cross-border

Presentation transcript:

Technology and Method behind Cross-border Fraud Investigation in Telecom and Internet
How to Combat Cyber Crime Effectively

Outline
● Fraud Crime Cases through Telecom and Internet
● Challenges
● Trace Communication Route and Obtain Related Data
● Case Study of the Recent Investigation on Cyber Crime
● Conclusion

Fraud Crime Cases through Telecom and Internet
Nature of Cyber Crimes

● Crime globalization
● Traditional crime with cutting-edge technology
● Emerging types of fraud crime through telecom and Internet, and their associated features
● Hard to analyze large volumes of complicated data during investigation
● Crime moving toward seamless processes and delicate organization

Traditional Crime with Cutting Edge Technology
[Diagram labels: Emerging type of Crime; Advanced Technology]
With mobile, Internet, IP phone, mobile Internet access and other value-added telecom services, swindlers commit more crimes more easily. However, whatever advanced technology and tools they use, the nature of their crimes always stays the same. We still need to profile such crimes by analyzing the conditions, mindset and behavior of the crime.

Crime Globalization
As applications and services of telecom technology and the Internet develop rapidly and pervasively, people are becoming familiar with those services. Fraud crimes through telecom and Internet, just like contagious diseases, may spread globally over networks.

Globalized Crime Issue
The borderless Internet makes criminal behavior more globalized. Through the Internet and cloud computing, communication within a swindler group can be enhanced and made anonymous. Because of the limits of state authority and because of anonymity, it is really hard for state prosecutors and police to investigate the entire crime activity.
[Map labels: Swindlers; Thailand; Taiwan; North America; South Korea; China/HK; Vietnam; Japan]
Cloud Computing = Network Computing: through the Internet, computers can cooperate with each other, or services become more far-reaching.

Hard to analyze large volume of complicated data
Telecom and Internet fraud crimes often produce a large volume of data or information (such as multiple phone transfers) because IT networks and telecom routes have converged. In reality, this huge amount of data is acquired from multiple service providers, and investigators must apply in advance for multiple court orders to obtain data from those providers. (For example: if a call is transferred between 2 operators, the investigator must obtain 2 court orders ahead of time to request CDR information and call content from both, and then integrate all the information for further analysis.) Therefore, such telecom and Internet fraud crime cannot be handled only by the traditional way of comparing, claiming or tracing targets manually. The best way is for investigators to adopt several effective software tools to analyze such a huge amount of data.
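An added example (not part of the presentation) of the integration step described above: call legs from two operators' CDRs are joined into one route, and a route that ends on a known transfer number is flagged because another operator's records are still missing. The record layout, field names, phone numbers and the 5-second clock-skew tolerance are constructed assumptions, as is the premise that a forwarded leg lists the transfer number as its caller.

```python
from datetime import datetime, timedelta

# Constructed sample CDRs (not from the presentation); field names are assumed.
OPERATOR_A = [
    {"op": "A", "caller": "0911000001", "callee": "0222000010",
     "start": "2012-03-01T10:00:02", "end": "2012-03-01T10:05:40"},
    {"op": "A", "caller": "0911000002", "callee": "0222000011",
     "start": "2012-03-01T11:00:00", "end": "2012-03-01T11:02:00"},
]
OPERATOR_B = [
    {"op": "B", "caller": "0222000010", "callee": "0700000099",
     "start": "2012-03-01T10:00:04", "end": "2012-03-01T10:05:39"},
]
TRANSFER_NUMBERS = {"0222000010", "0222000011"}  # assumed known transfer points
SKEW = timedelta(seconds=5)  # tolerated clock difference between operators


def parse(records):
    """Convert timestamps so legs from different operators can be compared."""
    return [dict(r, start=datetime.fromisoformat(r["start"]),
                 end=datetime.fromisoformat(r["end"])) for r in records]


def next_leg(leg, pool):
    """Return the leg that continues `leg`: it is placed from the number `leg`
    was delivered to and lies inside `leg`'s time window (plus/minus SKEW)."""
    candidates = [c for c in pool
                  if c is not leg and c["caller"] == leg["callee"]
                  and leg["start"] - SKEW <= c["start"]
                  and c["end"] <= leg["end"] + SKEW]
    return min(candidates, key=lambda c: c["start"], default=None)


def trace_routes(*operator_cdrs):
    """Join call legs from all operators into end-to-end routes."""
    pool = [r for cdrs in operator_cdrs for r in parse(cdrs)]
    links = {id(leg): nxt for leg in pool
             if (nxt := next_leg(leg, pool)) is not None}
    continued = {id(n) for n in links.values()}
    routes = []
    for leg in pool:
        if id(leg) in continued:
            continue  # a later hop, reported as part of its first leg's route
        hops, seen = [leg], {id(leg)}
        while (nxt := links.get(id(hops[-1]))) is not None and id(nxt) not in seen:
            hops.append(nxt)
            seen.add(id(nxt))
        routes.append({
            "origin": hops[0]["caller"],
            "destination": hops[-1]["callee"],
            "path": [(h["op"], h["caller"], h["callee"]) for h in hops],
            # Ending on a transfer number means another operator's CDR is missing.
            "incomplete": hops[-1]["callee"] in TRANSFER_NUMBERS,
        })
    return routes
```

Calling `trace_routes(OPERATOR_A, OPERATOR_B)` returns one complete two-hop route and one route marked incomplete, which is the case where a further CDR request is needed.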

Converged ICT Communication Routes
[Diagram labels: Internet D; Cross Border; Telecom Network A; Telecom Network; IT Network; Fixed Network B; Illegal ISP; Internet E; Illegal DMT by ISP; Mobile C; Illegal Transfer; Domestic]

Crime toward seamless processes and delicate organization
It is a natural trend for group crime to move toward seamless processes and delicate organization. There is a very clear hierarchy of roles and responsibilities (R&R) for the leader, telecom engineers and service staff in a crime group. They never mix phones used for crime with private phones, and they adopt one-way contact so that the whole group is not cracked at once. Such a crime model can be easily duplicated. A fraud crime group often splits into smaller ones, forms new gangs, commits more crimes, and exchanges information and new fraud techniques.
[Diagram labels: Telecom; contact; Private collection; Internet; Jump board; Swindler Group; Cash flow; Finance; ATM Operation; New crime R & D; Recruiting; Monitor Police]

Common Features
● Telephone: the primary means of communication while committing the crime
● Converged ICT technologies: part of daily life, and not far over the heads of police
● Criminals (group): skillful at all Internet and telecom services, but not familiar with the operations behind them or with LI by police
● Faults by humans: faults can be tracked from human behavior

Challenges

Hard to Identify Criminal
● With new technologies (like IP phones), it is hard to intercept their calls with existing equipment. We need professionals and suppliers to find the way out.
Hard to Track Cross-border Phone
● Look for cross-border cooperation, or for other related clues if there is no cooperation.
Hard to Find Foreign Proxy or Router as Jump Board
● VPNs and foreign proxies used as jump boards by criminals may be hidden deeper in the Internet.

Large Volume of CDR, and Hard to Analyze
● Analyze the data and find the key information by text mining and data warehousing.
Wrong CDR or Missing Partial Data
● CDR exists for the ISP's billing management, so we must find out how the error or gap happened and analyze the reason.
Hard to Track Calls with Dummy Accounts
● Find the source and links, and identify the key point with technical assistance and help from ISPs.

Trace Communication Route and Obtain Related Data
Methodology and Guidelines of Cyber Crime Investigation

[Diagram labels: Warrant & Confiscation; Check Post; Tracking; Deployment; Lawful Intercept; Archive Look-up; Tenant Interview; e-Positioning]
Fraud crimes committed through telecom and the Internet are investigated in the same way as traditional crimes. None of these techniques is tied to a specific case; they can be used flexibly as needed.

Gap between Physical and Cyber Crimes

Physical Crimes
Clues
• Informers
• others
Evidence collection & investigation
• Finance Record
• Interview (Video)
• CDR, LI
Enforcement
• human: apprehend, arrest
• place: warrant, confiscate

Different sources dealt with by police: hard to get clues (don’t know how to do it), and no way to trace!

Cyber Crimes
Sourcing clues
• Crime side (web or tool)
• non-Crime side (Social network)
Analysis & highlight
• others excluded (Useless)
• Lock activities (by Account)
Evidence collection & investigation
• IP tracking
• Finance Record
• CDR, LI
Enforcement
• human: apprehend, arrest
• place: warrant, confiscate

Quest for Investigation on Cyber Crimes
[Diagram: data sources around "Cross Check" and "Find Links"] CDR; Tenant List; Car Plate; Credit card, Insurance; Car Meter Record; Cable TV, Broadband; Resident Information; Internet googling; Relatives; Crime Record; 165 voice signature; Finance Transaction; Co-prisoners; Shipping List; Property Tax; Labor Insurance; Immigrant

There is no difference in nature between cyber crime and traditional crime. With the convenience, anonymity and mobility of telecom and Internet, criminals are able to disguise their command center and disrupt the direction of investigation. Law enforcement officers need to make more effort in studying the crime model and finding the way out to combat criminals.
1. Set up a dedicated database for information collection and analysis
2. Be clear about the crime tools and methods, and find the key point
3. Data organization and link analysis by software

Process Flow for Investigation
[Flow diagram: Primary data sourcing and collection → Primary data study and further collection & sourcing → Further Investigation → Suspect arrest and evidence collection → Follow-up]

Primary data sourcing and collection
● A1 clue, informer, case claim, daily crime information collection and integration, sourcing
Primary data study and further collection & sourcing
● Study primary data, cross-check databases in the Police Department, google on the Internet, and confirm the crime type in order to prepare the investigation
Further Investigation
● Phone records, check post, lawful intercept, tracking, location positioning, knowledge of the crime organization and its members
Suspects arrest and evidence collection
● Arrest all suspects, confiscate all evidence, check all computers, telephone records, booking records, etc.
Follow-up
● Follow-up investigation on related targets and evidence, and hunting for clues from other members to combat all gangsters

VoIP Tactic Server in Investigation into Cyber Crimes
● VoIP-based interception, plus data interception of 150 other Internet services
● Flexible implementation in multiple telecom operators
● Intercepts all VoIP routes from different sources simultaneously
● Collects original pcap as well as reconstructed voice data for evidence in court
● Supports all common VoIP protocols such as G.711 a-law, G.711 µ-law, G.726, G.729, iLBC
● Meets the requirements of state LI law and ETSI standards

E-Detective Tactic Server
LAN Internet Monitoring, Data Retention, Data Leakage Protection & IP Network Forensics Analysis Solution
Solution for:
● Route of Internet Monitoring/Network Behavior Recording
● Auditing and Record Keeping
● Forensics Analysis and Investigation
● Legal and Lawful Interception (LI)
VoIP Tactic Server & Mediation Platform
E-Detective Standard System Models and Series (Appliance based): FX-06, FX-30N, FX-100, FX-120

E-Detective Lawful Interception Solutions
Telco/ISP Lawful Interception

Sample: VoIP Calls (with Play Back)
[Screenshot labels: Caller Phone #; Date & Time; Duration; Callee Phone #; IP Address]
Playback of the reconstructed VoIP audio file using Media Player

Data from E-Detective VoIP Tactic Server
● Source IP address
● Telephone number of caller
● Telephone number of receivers/victims
● Date & time of calls
● Duration of calls
● Call content

Case Study of the Recent Investigation on Cyber Crimes
Lessons and Experience

Real Case on VOIP Investigation
Problem here: the telephone is the tool most commonly used by swindler groups. On arriving at the criminals' telecom room, police sometimes can’t do anything, because they know nothing about this equipment and can’t track the IP phone source from the Internet.

What to Check from Swindler Computers
● Group and Billing Systems
● Account information in SIP Gateway or IP-PBX Servers
● Detailed CDR from SIP Gateway or IP-PBX Servers

VOIP Tracking from Swindler Group – Group and Billing System
● Group System: Random to Call
● Billing System: Call CDR

VOIP Gateway Investigation from Swindler Group – Track SIP Server
[Screenshot labels: Account; Password]

VOIP Tracking from Operator – CDR of SIP Server
Callee ID and CDR of IP phone from ISP
[Screenshot labels: Callee VOIP ID; Caller; Callee; VAD Srvc- Redial; Initial Time; Ans Time; End time; Interval; IP of VOIP ID]

Key Points of Investigation
● Aggressively hunt for intelligence
● Don’t give up any follow-up opportunity, and carefully analyze any useful information
● Active lawful intercept: tap into suspected lines, intercept phone numbers and IMEI, phones in China, interview resident houses, and clarify criminal organization, identity and location

Experience
● Be familiar with laws and regulations, and understand what the target is and what the key evidence is. For example: find Chinese victim information and testimony through cooperation with Chinese police after breaking a cross-strait swindler group in Taiwan. Otherwise, these criminals will not be prosecuted, or will be found not guilty by the court.
● Telecom equipment suppliers, telecom shops, network engineers, telecom engineers, telecom sales … network and telecom professionals are usually aware of information about suspects and their location.

Experience (continued)
● Understand the calling flow and the swindler group's accounts from the operator side, in order to find more background information from CRM and billing systems
● Active lawful intercept: tap into suspected lines, intercept phone numbers to China
● Carefully trail down: prepare information (time, place, behavior) in advance, trail by segment (so as not to expose oneself), and identify the criminal from different sides
● Use confiscated computers in the investigation to find stronger evidence

Conclusion Follow-up…

It is quite natural for criminals to use advanced ICT technologies.
● Humans are the key to every criminal act. Although there may be no fault in the technology itself, humans may make mistakes in using it. Investigators are able to find the way out and combat these criminals.
● Enhanced on-the-job technical training for police, to promote investigation capability and understanding of criminal law
● From the viewpoint of investigation, more horizontal coordination among all units in order not to waste resources
● From a tactical viewpoint, more international and cross-strait cooperation to combat cross-border swindler groups
God will help those who work hard for justice

Thank you for your Patience
Q & A