You are on page 1of 3

Forensic Method Analysis Involving VoIP Crime

Gao Hongtao
Department of Computer Crime Investigation China Criminal Police University Shenyang, Liaoning Province, China

AbstractWith the popularity of Internet phones, relevant criminal activities have emerged. Based on the basic principle of Internet phones, this thesis analyzes the current working principle , basic structure and the existing loopholes of Internet phones, puts forward forensic methods involving VoIP crime, and then makes an actual analysis on forensic methods of the host computer, servers of operators, and arbitrary number modification software, which all involve VoIP crime. KeywordsInternet phone, VoIP, Forensics

I. INTRODUCTION VoIP (Voice over Internet Protocol) refers to digitalize the analog voice signals, and carry out a real-time transmission on the IP network in the form of data packet, which is a voice communication way based on packet in IP technology and digital transmission technology. VoIP uses the advanced and complex network transmission technology and encryption technology, which has the high imperceptibility and difficulties in monitoring. In recent years, it has appeared crimes using VoIP in China, which has also intensified. The most outstanding phenomena are: (1) SMS fraud; (2) dialing telephone numbers directly by the arbitrary number modification software, for fraudulent activities. II. ANALYZE THE WORKING PRINCIPLE OF INTERNET TELEPHONE. A. The basic working principle of Internet phones It involves a lot of technologies for voice communication via the Internet, where the most fundamental technology is VoIP technology. VoIP takes the IP packet switching network as a transmission platform, and makes a series of special treatments such as compressing and packing on analog voice signals, so that it can use the connectionless UDP protocol for transmission. The basic working principle of VoIP refers to compress the voice data codes through voice compression algorithm, pack the voice data according to TCP / IP standard, and then send the data packets to receivers through IP network. Again pack these voice data packets, and return to the original voice signals after decompressing, so as to achieve the purpose of transmitting voices by Internet. The core and key equipment of VoIP is IP gateway. The gateway maps the telephone area code in each region to the corresponding IP address according to telephone area code database information, and determines the IP address of the corresponding gateway. Add the IP address to the IP data packet, and choose the best routing to reduce the transmission delay. IP data packet reaches the gateway of the destination by Internet. Data continuous processing

software completes call processing, digital voice packing and routing management and so on. B. The Basic Structure of Internet Telephone The basic structure of Internet phones is composed of gateway and gate keeper. The main function of gateway is signal processing, H.323 protocol processing, voice coding and decoding and routing protocol processing and so on, which respectively provides the trunk interface connected with PSTN network and the interface connected with IP Internet for the outside. Gatekeeperor net gapis optional in the H.323 system. When the net gap appears in the system, the main function of the gate keeper is user authentication, address resolution, bandwidth management, routing management, security management and regional management, and it provides address translation, admission control, bandwidth control and other services, which also stores much information related to cases, such as call records, system maintenance records and so on. The data is very helpful to the investigation of cases involving VoIP A typical calling process is: The call is initiated by the PSTN voice switch, and accesses to the calling gateway through the trunk interface. After the calling gateway obtains the called numbers users expect, send the query information to the calling gate keeper, who then finds the IP address of the called gate keeper, and determines whether to establish a connection according to network resource. If so, notify the IP address of the called gate keeper to the calling gateway. After the calling gateway obtains this IP address, establish a calling connection with the called gatekeeper by the network. The called gatekeeper sends a call to the PSTN network, and the users are called by the switch. After offhook, the voice channel between the called gateway and the switch has been connected, and gateways start to make an ability exchange by H.245 protocol to determine coding and decoding used in communication. After the ability exchange, the calling and called parties can start their communication. C. Technical Principles of Arbitrary Number Modification Software From a technical perspective, the phone number changing software essentially uses a loophole of VoIP technology. If VoIP want to call a fixed telephone or mobile phone, the gateway must be connected with the fixed telephone network or the mobile communication network. The jargon is named landing. The caller ID display in Internet telephone is generally generated by the calling party. Our country has a request on the calling number transmission in the communication network, especially the calling number transmission between networks. If you need to achieve IP calling, the calling gateway or computer will

increase a false calling number when establishing a call. The calling gateway or some network telephone software all can provide such a false calling number setting function. Apart from meeting the transmission request between in-network or inter-network, the false calling number has no other requirements and rules. In relation to international calls, possibly for the counterpart country does not send the calling number, or the transmitted calling number does not meet the requirement of the called country, the calling number conversion will take place in international gateways. When IP telephone terminal sends the calling partys information to IP telephone gateway, the gateway doesnt make an effectiveness authentication processing for the calling partys number transmitted by telephone terminal, but directly sends the calling number information to the program-controlled switches, finally displayed on the called phone. At present, we lack rigorous technical specifications and relevant law regulations on how the gateway of internet operator switch sends the calling number. Many operators who provide landing gateway services havent filtered and analyzed the calling number, but directly carry out the socalled Unvarnished Transmission. Directly set the calling number in landing gateway exit, or directly hand the right of modifying calling number to VoIP user. Operators use this loophole to provide the service of the caller ID arbitrary display, so as to obtain improper interest, and provide convenience for the criminals to modify calling number by illegal landing gateway. III .FORENSIC METHODS INVOLVING VOIP CRIME A. The Survey Clues Involving VoIP Crime 1) Network identity: Network identity authentication is an independent investigative means in the investigative process of network-involved crime cases, that is through IP address location to determine the information sender. 2) The content of network communication: Though the content of network communication you can know relevant contact person and contact location and so on, which is very important for successfully detecting cases. 3) Network registration information: Most network tools are required to register. Although most of the registration information is false, false information can also reflect personal characteristics, and relevant clues about criminal suspects may be obtained through collecting these clues. 4) The changes in bank accounts: By monitoring the accounts transferring, depositing, withdrawing, remitting and other information, criminal suspects clues and evidence can be obtained. 5) Bank camera record: Through the video about bank accounts tracking process you can find criminal suspects physical characteristics and criminal associates and other related investigation clues. B. Forensic Methods Involving VoIP Crime The conventional Forensic methods are still valid for the investigation involving VoIP crime cases, and you can also investigate and obtain evidence through some special methods. 1) Inspect criminal suspects computer: The collecting evidence of criminal suspects computers should be focused

in the investigation process, and evidence collection and fixation should be in time and fast, such as the files, Internet record, log, chatting record, message content, etc. 2) Examine network equipment: Any net surfing must be through network equipment (routers, firewalls, proxy servers, gateways, etc.), which can have a lot of uploading and downloading information. 3) Check the terminal equipment: Terminal equipments connected with the network are likely to have relevant investigation clues. Bank terminal equipment will reflect account transferring, depositing, withdrawing and other changeable information; the bank camera can reflect a payees relevant information; telecommunications terminal will reflect the relevant information of a phone number. 4) Investigate through the legal monitoring of Internet phones: Legal monitoring is a behavior permitted by law to monitor communication; network investigation department can monitor criminal suspects communication to find criminals trace. But the design of network telephone monitoring system is complex, so our country needs to further study and validate network telephone legal monitoring system, so that it can be truly taken into practice. 5) Investigate providers who provide Internet telephone services: It is mainly divided into landing gateway and aboard gateway. Landing gateway is a data exchange place between VoIP network and traditional PSTN network, where the caller ID is modified; aboard gateway is a data exchange place between the calling party of Internet phones and VoIP network. Landing gateway investigation mainly involves gateway equipment, billing system and other relevant systems, which probably can obtain the called partys real phone number, the real IP address of the calling party or the upper grade VoIP gateway and so on. If it obtains the calling partys real IP address, it can be directly targeted to the calling partys computer. If it obtains the IP address of the upper grade VoIP gateway, it can be looked up through gateway grade by grade, finally getting the calling partys real IP address, so as to determine the calling person. I V. ACTUAL ANALYSIS ON FORENSICS INVOLVING VOIP CRIME A. Examine the Hosting Computer Involving VoIP Crime It mainly refers to examine the used traces of internet telephone software, taking the Skype software for example. After the investigated computers automatically install and operate Skype, they will establish a folder named after a username for each logged user under C:\Documents and Settings \Administrator\Application Data\Skype, which stores users relevant materials. After entering into a folder named after a username, you can see files recording users information, where there are two important documents: callmember256.dbb and call256.dbb. The former is used for storing this users calling record, each arranged from top to bottom according to chronological order. After using UltraEdit to open callmember256.dbb, you can see that each record has recorded the calling number and the display name of this number, corresponding to the record of dialed numbers in Skype software. call256.dbb is used for storing the time of

dialing a telephone number by users, and each record in the document respectively corresponds to the dialing record in call-member256.dbb, which also records whether it gets through and the conservation time, It can also use SkypeLogView software to analyze, through which you can examine each users call records, chatting records and the records for document transmission, and can write them to a text file or web page file as required, so as to fix the evidence. B. Forensic Analysis for Internet Phone Server After obtaining the permission and password of VoIP software used by suspects, investigators can carry on the relevant forensics from the following three aspects: (1) investigate the suspects login IP and other information; (2) retrieve server maintenance logs; (3) retrieve suspects calling logs. 1) Investigate the user's login IP: Firstly, retrieve the login logs of suspects account. Through analyzing the log data, it can find that whether suspects have logged this sever during the incident. 2) Retrieve calling logs: By retrieving calling logs you can find the records between suspects and victims by this internet telephone. 3) Retrieve maintenance logs: In general, criminal suspects who have the maintenance right have an important status in Joint Crime. Generally the maintenance log will record suspects accounts, recharge, changing passwords and adding users and other operational information, and will record the login time and IP. Through the user name, login time, IP and other information in logs, and combining with other clues, further expand the clues of investigation, locking the main suspects. C. The Investigation of Arbitrary Number Modification Software Now there are three main methods to arbitrarily display the calling numbers provided by illegal operators: (1) after setting the website provided by operators, getting through the callback number; (2) independent mobile phone operation method; (3) using software to give an internet phone call on the PC. Among the above methods, only the last method will have traces in user end; the other two kinds

need to be investigates from operators. Through investigating the CDR of the victims mobile phone, you can find suspects real phone number and IP. (1) Retrieve victims CDR, to find the switch code of this phone record. (2) Then according to calling time and the original data of this period of time extracted by its code switch, analyze which switch it calls from. (3) Extract the original data of the corresponding period of time from the corresponding switch, and analyze which line the call is from (that is to find Internet line number and IP address) (4) Find operators through IP, and seal up their materials on the hard disk. Through analyzing the data, the real number or IP can be known. V. CONCLUSIONS This thesis analyzes internet phones from the basic principles of VoIP, arbitrary number modification principle and other aspects, puts forward the specific methods for investigation and evidence collection, which also conducts an actual analysis. However, at present, there is yet to be expanded and improved for the forensic methods involving VoIP crime. For example: (1) Almost all the popular Internet telephone softwares use the encryption algorithm, which can not use conventional methods to capture VoIP data package. (2) With the development of internet telephone product security, the real achievement of internet telephone legal monitoring system still has a great gap. (3) Suspects establish gateways in foreign countries, which undoubtedly will increase the difficulty in investigation. REFERENCES
[1] Wu Zhang Xing. The situation of VoIP, issues and trends [J].World telecommunication, 2007, (8). [2] Liu Hua, Zhang Qiong. VOIP system based on H.323 protocol [J]. Heilongjiang technology information, 2006, (9). [3] Su Weiliang, Zhou shengyuan, Chen Mingsong. VoIP system implementation based on SIP protocol [J]. Popular Science, 2008, (1).