The increased usage of Internet-based communications such as chat, instant messaging, blogs, VoIP services and the old standby, email, has placed a new challenge on our surveillance teams – how to mine this intelligence source.
One of the challenges facing technical investigators is that many service providers haven’t complied with the FCC’s Communications Assistance for Law Enforcement Act (CALEA); this legislation requires all telecommunications providers to supply lawful interception assistance to law enforcement. When there is non-compliance, as is frequently the case, service providers aren’t able to execute court-ordered intercepts.

A self-contained intercept system
This non-compliance problem is usually encountered with Internet protocol (IP) based services, such as VoIP and email/web/chat. When this occurs, the law enforcement agency (LEA) is faced with taking legal action against the service provider to force them to become compliant (usually very time-consuming), just ignoring the intercept, or providing their own equipment (sometimes called a probe) and executing the intercept themselves – often called a tactical intercept.
Since tactical intercepts are becoming more prevalent, let’s look into the logistics and considerations that need to be made for this type of probe. First, the equipment installed by the LEA needs to be portable and remotely accessible. There are such devices on the market that are packaged in small form-factors such as a rack-mount server or luggable system. These systems are transported to the service provider facilities and can be installed anywhere there is room. They are also available with either AC or DC power supplies.
Second, it needs to be passive. The probe surveillance interfaces cannot affect the service provider’s network traffic (not adding additional latency, not degrading signal quality, etc). Also, they need to be identity-free, so they aren’t visible to other devices on the network.
Third, it needs to be intelligent and self-contained. The intelligent probe should incorporate the probe/access point, mediation, and administration functions of the typical intercept system – all in a single package. It should be capable of intelligent discovery of targets; this allows investigators to discover a target based on a user ID, a dynamically assigned IP address, or a phone number. Additionally, the device can’t rely on service provider equipment such as routers or session border controllers to perform intercepts.
The most difficult problem to overcome is implementing VoIP wiretaps, especially in the case of non-managed VoIP services such as those offered by Vonage. In these instances, there are two key complicating factors. First, inherent in VoIP is the likelihood that the signaling traffic (e.g., SIP) and the encoded voice (e.g., RTP) will traverse different network paths and in most cases both will not be routed through the non-managed VoIP providers’ facilities.
Without altering the normal network routing (sometimes called a ‘forced routing’) the best place to perform the intercept is close to the target, normally at the target’s ISP.
To perform these intercepts, LEAs need tactical intercept systems that can be transported to the target’s ISP, and these systems need to be capable of intercepting VoIP calls.
The second complicating factor is that, because the ISP isn’t offering the VoIP service, it most likely doesn’t have ‘VoIP-aware’ equipment (e.g., session border controller, SIP server, etc.) to assist in the intercept. So, the tactical intercept system has to be completely self-contained and able to discover VoIP calls based on, for example, a phone number, and then intercept the call per the court order.
Since surveillance court orders are most often pen registers (i.e., orders to record the phone numbers called by a phone system user), the intercept system can’t be a simple packet recorder; it must adhere to the electronic surveillance laws and support pen register, trap & trace (where phone numbers calling a particular phone user are recorded), and full content intercepts, as well as deliver the content in ‘near real-time’ to support LEA minimization guidelines.
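To make the two preceding points concrete (discovering a call from a phone number in the signaling, and producing pen register or trap & trace records rather than a raw packet dump), here is an added example that is not from the article or from IP Fabrics. It parses a constructed SIP INVITE, pulls the calling and called numbers and the SDP media endpoint, and classifies the record type for an assumed target number; the sample message, addresses and target number are all placeholders.

```python
import re

# Assumed court-order target (placeholder, not a real number).
TARGET_NUMBER = "15035551000"

# Constructed SIP INVITE with an SDP body; addresses are documentation ranges.
SAMPLE_INVITE = """INVITE sip:15035552000@sip.example.net SIP/2.0
Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds
From: "Alice" <sip:15035551000@sip.example.net>;tag=1928301774
To: <sip:15035552000@sip.example.net>
Call-ID: a84b4c76e66710@203.0.113.10
CSeq: 314159 INVITE
Content-Type: application/sdp

v=0
o=alice 2890844526 2890844526 IN IP4 203.0.113.10
c=IN IP4 203.0.113.10
m=audio 49170 RTP/AVP 0
"""

def parse_invite(raw):
    """Extract call id, From/To numbers and the RTP endpoint announced in SDP."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    def number(header):
        m = re.search(r"sip:\+?(\d+)@", headers.get(header, ""))
        return m.group(1) if m else None

    media = {}
    c = re.search(r"^c=IN IP4 (\S+)", body, re.M)   # where RTP will flow
    m = re.search(r"^m=audio (\d+) ", body, re.M)   # and on which port
    if c and m:
        media = {"ip": c.group(1), "port": int(m.group(1))}
    return {"call_id": headers.get("call-id"),
            "from": number("from"), "to": number("to"), "media": media}

def classify(call, target):
    """Pen register: target originates, record the called number.
    Trap & trace: target is called, record the calling number.
    Returns None when the call does not involve the target at all."""
    if call["from"] == target:
        return {"record": "pen_register", "number": call["to"], "call_id": call["call_id"]}
    if call["to"] == target:
        return {"record": "trap_and_trace", "number": call["from"], "call_id": call["call_id"]}
    return None
```

The SDP `c=`/`m=` lines are the reason the article insists on placing the probe near the target: they name an RTP endpoint whose traffic need not pass through the VoIP provider at all.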
In summary, Internet-based communications represent a growing percentage of all communications, thus driving the need for, and importance of, obtaining Internet intercepts. Barring a change in the FCC’s CALEA enforcement practices, technical investigators will need to be prepared to mobilize and deploy a tactical intercept system (probe) to facilitate these intercepts.
Kevin Graves holds a Bachelor of Science degree in Computer Science from Pennsylvania State University and has over 20 years of experience in the telecommunications and networking field. Prior to becoming CTO and co-founder of IP Fabrics (www.ipfabrics.com) in 2002, he held management and engineering positions at IBM and RadiSys. Kevin may be reached at (503)444-2411 or kevin.graves@ipfabrics.com