Published on March 24th, 2020 | by Dr. Keith Bhatia
Communications have shifted from traditional (voice, email and SMS offered by telecom operators) to encrypted, over-the-top (OTT) applications. Which unfortunately leaves law enforcement agencies (LEAs) the world over missing vital information needed for their investigations. Additionally, because the privacy rules for the OTT apps are governed by their associated home country, access can be slow or even blocked (in almost all cases). This prevents LEAs access to stored communications or subscriber information. Moreover, with the launch of 5G communications and the ready supply of fiber-optic speed internet, LEAs are presented with a growing challenge of data volumes measuring in the hundreds of gigabits to terabits?
So how do LEA analysts capture the intelligence they need from the encrypted applications and communications?
One answer is Internet Communication Records (ICR). ICRs provide deep, application-level information about every packet and every flow. ICRs can be generated from raw packets, as part of intercepted communications, or can be generated in real time from internet links operating at gigabits to terabits. Even when the communications are encrypted, ICRs provide far more relevant, investigative-level information than simple flow records. Investigators using ICRs gain higher efficiency when analyzing captured Internet communications. Even with a wider net, they can provide insights to planning, recruiting and hierarchy of organizations.
ICRs offer four very unique and powerful differentiators:
- 1) reduce the records while maintaining fidelity via summarization
- 2) associating all of the flows for a service with the service
- 3) detection of encrypted devices and services
- 4) identification of services leveraged in communications channels
Modern websites and OTT applications involve a large number of communications flows. For example, a visit to CNN.com results in over 300 unique flows. Almost all of these flows are associations with social networking services, search engines, web analytics, content delivery networks and marketing tools. Presented individually, these would consume an analyst’s time and consume database space, screen real estate and bog-down indexing with little to no forensics value. CNN.com is not unique in the number of flows – it is typical for nearly all news, search, retail or entertainment sites.
The ideal intercept platform would learn and become aware of modern internet sites and OTT applications and it would be able to optimize the output for maximum forensics fidelity and investigative value. As a result, the session results are in a single, powerful high definition record which provides the investigator what they need and accounts for all of the packets across all flows. While the presence of encryption can impact the resulting number of records, association (described next) assists in this issue.
As mentioned above, an OTT app or a modern internet site can result in hundreds of individual flows. Add to that, the typical smartphone or desktop user has multiple apps or pages open at the same time. Identifying which flows are associated with which app is critical for proper accounting and investigations.
Which means, the ideal intercept platform would not only learn and become aware of modern internet sites and OTT applications, it would be able to associate the parent application with the proper children flows. Association can be utilized on apps such as Facebook, Google Search, MSN Search, Yahoo Search, Skype, Gmail, WhatsApp, Twitter, YouTube, Instagram, LinkedIn, Pinterest, Reddit, Flickr, Apple iMessage, Apple iCloud, and others. Association functionality is a huge benefit to LEA analysts determining application usage and its related activities.
Encrypted Event Detection
In today’s world, much of the relevant communication is assumed to be encrypted. Once the initial certificates and key exchanges complete, the follow-on flows are completely encrypted. However, despite the use of encryption and best efforts of developers, certain critical information can still be provided to LEAs. The ideal intercept platform engine leverages the information still available to enrich the intelligence pulled from the encrypted flows. It is also able to detect and enrich the records derived from the encrypted flows, creating high definition records. The enriched extraction results in new insights to a user’s activities, communications channels and their patterns of life.
So even despite the use of encryption in many OTT apps, much can be learned from the packet flows. Coupling that knowledge with heuristics on the flow itself, allows for identification of the type of information used by the app. For example, the following are identifiable encrypted communications:
- Tweets/emails/direct messages using Apple iMessage, Skype, Twitter, WhatsApp, Signal, WeChat, QQ Chat, SnapChat, Viber, Line, Telegram, Gmail and Facebook
- Uploads to Pinterest, YouTube, Instagram and Flickr
- File transfers (up or down) using Dropbox, iDrive, GoogleDrive, OneDrive
- Posts/comments to LinkedIn, Pinterest, Instagram and Reddit
- A call using Apple Facetime, Google Voice, Skype and WhatsApp with differentiation between a voice and video call
So, while communication may have changed from traditional to OTT and encrypted, the latest intercept platforms can still provide LEAs with succinct and vital information required for criminal investigations. Leveraging engineering methodologies that allow the technology to “learn” and “become” aware paints a more wholistic picture of how a user moves from app to app and what they do within that app.
About Dr. Keith Bhatia
As CEO of SS8, Keith combines his broad technical and market knowledge to advance the future of lawful intelligence. In his tenure, he has positioned SS8 as a leader in a world connected by 5G and shaped by increasing digitalization and automation. Keith is impassioned to show how technology can have a positive impact on our world.
About SS8 Networks
SS8 provides Lawful Intelligence platforms. They work closely with leading intelligence agencies, communication providers, law enforcement agencies and standards bodies and their technology incorporates the methodologies discussed in this blog. Xcipio® is already proven to meet the very high demands of 5G and provides the ability to transcode (convert) between lawful intercept handover versions and standard families. Intellego® XT natively supports ETSI, 3GPP and CALEA handovers, as well as national variants. Intellego XT’s MetaHub component is a best-in-class data analytics tool. Both product portfolios are used worldwide for the capture, analysis and delivery of data for the purposes of criminal investigations.