Post on 03-Feb-2016
Technology and Method behind Cross-border Fraud Investigation in Telecom and Internet
How to Combat Cyber Crime Effectively
Fraud Crime Cases through Telecom and Internet
Challenges
Trace Communication Route and Obtain Related Data
Case Study of the Recent Investigation on Cyber Crime
Conclusion
Outlines
Fraud Crime Cases through Telecom and Internet
Nature of Cyber Crimes
Traditional crime with the cutting edge technology
Crime globalization
Hard to analyze large volume of complicated data during investigation
Crime toward seamless processes and delicate organization
Emerging type of fraud crime cases through telecom and Internet and its associated features
With mobile phones, the Internet, IP telephony, mobile Internet access and other value-added telecom services, swindlers commit crimes more easily. However, whatever advanced technology and tools they use, the nature of their crimes stays the same. We still need to profile such crimes by analyzing the conditions, mindset and behavior behind them.
Traditional Crime with Cutting Edge Technology
(Diagram labels: Traditional Crime, Advanced Technology, Emerging type of Crime)
Crime Globalization
As telecom and Internet applications and services develop rapidly and pervasively, people become familiar with them. Fraud crimes through telecom and Internet spread globally over networks, much like contagious diseases.
Globalized Crime Issue
The borderless Internet makes criminal behavior more globalized. Through the Internet and cloud computing, communication within a swindler group can be both enhanced and anonymous. Because of the limits of state jurisdiction and this anonymity, it is very hard for state prosecutors and police to investigate the entire crime activity.
(Map labels: Thailand, North America, China/HK, Japan, South Korea, Taiwan (Swindlers), Vietnam)
Cloud Computing = Network Computing: through the Internet, computers can cooperate with each other, and services reach much further.
Hard to analyze large volume of complicated data
Telecom and Internet fraud crimes often produce a large volume of data or information (such as multiple phone transfers) because IT networks and telecom routes have converged. In practice, this huge amount of data has to be acquired from multiple service providers, and investigators must obtain multiple court orders in advance to collect it from each of them. (For example, if a call is transferred between two operators, the investigator must request CDR information and call content from both operators under two court orders obtained ahead of time, and then integrate all the information for further analysis.)
Therefore there is no way to cope with such telecom and Internet fraud crime only by the traditional way of comparing, claiming and tracing targets manually. The best approach is for investigators to adopt several effective software tools to analyze such huge amounts of data.
Converged ICT Communication Routes
(Diagram labels: IT Network / Telecom Network; Cross Border / Domestic; Illegal Transfer; Internet D, Internet E; Telecom Network A, Fixed Network B, Mobile C; Illegal DMT by ISP; Illegal ISP)
Crime toward seamless processes and delicate organization
It is a natural trend for group crime to move toward seamless processes and a delicate organization. There is a very clear hierarchy of roles and responsibilities (R&R) for the leader, telecom engineer and service staff in a crime group. They never mix the phones used for crime with private ones, and they adopt one-way contact so that the whole group cannot be cracked at once. Such a crime model can be easily duplicated: a fraud crime group often splits into smaller ones, forms new gangs, commits more crimes, and exchanges information and new fraud techniques.
(Organization chart labels: Swindler Group; Telecom; Internet; Finance; R & D; Telecom contact; Private collection; Jump board; Cash flow; ATM Operation; New crime; Recruiting; Monitor Police)
Common Features
● Converged ICT technologies are part of daily life and not far beyond the reach of the police
● The telephone is the primary means of communication while committing the crime
● Skillful at all Internet and telecom services, but not familiar with the operations behind them or with lawful interception (LI) by police
● Faults can be tracked from human behavior
Challenges
Hard to Identify Criminal
● With new technologies (like IP phones), it is hard to intercept their calls with existing equipment. We need professionals and suppliers to find the way out
Hard to Track Cross-border Phone
● Look for cross-border cooperation, or for other related clues if there is no cooperation
Hard to Find Foreign Proxy or Router as Jump Board
● VPNs and foreign proxies used as jump boards by criminals may be hidden deeper in the Internet
Large Volume of CDR, and Hard to Analyze
● Analyze the data and find the key information by text mining and data warehousing
Wrong CDR or Missing Partial Data
● CDR exists for the ISP's billing management, so we must find out how the error is happening and analyze the reason
Hard to Track Calls with Dummy Accounts
● Find the source and links, and learn the key point with technical assistance and help from ISPs
Trace Communication Route and Obtain Related Data
Methodology and Guidelines of Cyber Crime Investigation
Investigating fraud crimes committed through telecom and the Internet works the same way as investigating traditional crimes. None of the techniques is tied to a specific case; all of them can be used flexibly as needed.
Check Post
Deployment
Archive Look-up
Tenant Interview
Tracking
Lawful Intercept
Warrant & Confiscation
e-Positioning
Gap between Physical and Cyber Crimes
Physical Crimes:
  Clues: Finance Record, Interview (Video), CDR, LI, Informers, others
  Evidence collection & investigation
  Enforcement: human: apprehend, arrest; place: warrant, confiscate
Cyber Crimes:
  Sourcing clues: Crime side (web or tool), non-Crime side (Social network), others excluded (useless)
  Analysis & highlight: Lock activities (by Account)
  Evidence collection & investigation: IP tracking, Finance Record, CDR, LI
  Enforcement: human: apprehend, arrest; place: warrant, confiscate
Different sources are dealt with by police: it is hard to get clues (they don't know how to do it), and there is no way to trace!
Quest for Investigation on Cyber Crimes
Cross Check / Find Links across: Tenant List; Credit card, Insurance; Cable TV, Broadband; Internet googling; 165 voice signature; Finance Transaction; Shipping List; Immigrant, Labor Insurance; Property Tax; Car Meter Record; Co-prisoners; Crime Record; Relatives; Resident Information; Car Plate; CDR
There is no difference in nature between cyber crime and traditional crime. With the convenience, anonymity and mobility of telecom and the Internet, criminals are able to disguise their command center and mislead the direction of an investigation. Law enforcement officers need to make more effort in studying the crime model and finding the way out to combat criminals.
1) Set up a dedicated database for information collection and analysis
2) Be clear about the crime tool and method, and find the key point
3) Organize the data and perform link analysis by software
Process Flow for Investigation
1) Primary data sourcing and collection
● A1 clue, informer, case claim, daily crime information collection and integration, sourcing
2) Primary data study and further collection & sourcing
● Study primary data, cross-check databases in the Police Department, google on the Internet and confirm the crime type in order to prepare the investigation
3) Further Investigation
● Phone record, check post, lawful intercept, tracking, location positioning, knowledge of the crime organization and its members
4) Suspect arrest and evidence collection
● Arrest all suspects, confiscate all evidence, check all computers, telephone records, booking records, etc.
5) Follow-up
● Follow-up investigation on related targets and evidence, and hunting for clues from other members to combat all gangsters
VoIP-based interception and data interception of 150 other Internet services
Flexible deployment across multiple telecom operators
Intercept all VoIP routes from different sources simultaneously
Collect the original pcap as well as reconstructed voice data as evidence in court
Support common VoIP codecs such as G.711 a-law, G.711 µ-law, G.726, G.729 and iLBC
Meet the requirements of state LI law and ETSI standards
LAN Internet Monitoring, Data Retention, Data Leakage Protection & IP Network Forensics Analysis Solution
Solution for: Internet monitoring and network behavior recording; auditing and record keeping; forensics analysis and investigation; legal and lawful interception (LI); VoIP tactic server and mediation platform
E-Detective Standard System Models and Series (appliance based): FX-06, FX-30N, FX-100, FX-120
Telco/ISP Lawful Interception
Playback of the reconstructed VoIP audio file using a media player. Fields captured for each call: source IP address, telephone number of the caller, telephone number of the receivers/victims, date and time of the call, duration of the call, call content
Case Study of the Recent Investigation on Cyber Crimes
Lessons and Experience
Real Case on VoIP Investigation
The most common tool used by a swindler group is the telephone. When arriving at the criminal's telecom room, police sometimes can't do anything because they know nothing about this equipment and can't track the IP phone source on the Internet.
Problem Here:
● Group and Billing Systems
● Account information in SIP Gateway or IP-PBX Servers
● Detailed CDR from SIP Gateway or IP-PBX Servers
VoIP Tracking from Swindler Group: Group and Billing System
Group System: random to call
Billing System: call CDR
VoIP Gateway Investigation from Swindler Group: Track SIP Server
(Screenshot labels: Server IP, Account, Password)
VoIP Tracking from Operator: CDR of SIP Server
Callee ID and CDR of IP phone from ISP
CDR columns: Callee VoIP ID, Caller, Callee, VAD, Srvc, Redial, Initial Time, Ans Time, End Time, Interval, IP of VoIP ID
Key Points of Investigation
1) Aggressively hunting for intelligence
2) Don't give up any follow-up opportunities, and carefully analyze any useful information
3) Active Lawful Intercept: tap into suspected lines, intercept phone number and IMEI, phones in China, interview resident houses, and clarify the criminal organization, identity and location
Experience
1) Be familiar with laws and regulations; understand what the target is and what the key evidence is. For example: obtain Chinese victim information and testimony through cooperation with the Chinese Police after breaking a cross-strait swindler group in Taiwan. Otherwise, these criminals will not be prosecuted or will be found not guilty by the court.
2) Telecom equipment suppliers, telecom shops, network engineers, telecom engineers, telecom sales… network and telecom professionals are usually aware of the information and location of suspects.
Experience (continued)
3) Understand the calling flow and the accounts of the swindler group from the operators' side, in order to find more background information from CRM and billing systems
4) Active Lawful Intercept: tap into suspected lines, intercept phone numbers to China
5) Carefully trail down: prepare information (time, place, behavior) in advance, trail by segment (so as not to expose yourself), identify the criminal from different sides
6) Use confiscated computers in the investigation to find stronger evidence
Conclusion
Follow-up…
1) It is quite natural for criminals to use advanced ICT technologies. Humans are the key to every criminal act. Although there may be no fault in the technology itself, humans may make mistakes in using it. Investigators are able to find the way out and combat these criminals
2) Enhanced on-the-job technical training for police to improve investigation capability and understanding of criminal law
3) From the viewpoint of investigation, more horizontal coordination among all units so as not to waste resources. From the tactical viewpoint, more international and cross-strait cooperation to combat cross-border swindler groups
4) God will help those who work hard for justice
Q & A