EDetective Series of Products - PowerPoint PPT Presentation

Slides: 65
Provided by: franki5

Transcript and Presenter's Notes

Title: EDetective Series of Products

1
E-Detective Series of Products
Decision Computer Group
Company Website: www.edecision4u.com, Email: frankie_at_decision.com.tw
2
Agenda
  • Introduction to E-Detective Series of Products
  • E-Detective
  • Wireless-Detective
  • E-Detective Decoding Center (EDDC/XDDC)
  • HTTPS/SSL Network Forensics Device
  • WatchGuard.WLAN
  • VOIP Interception
  • Uniqueness of Decision Computer Group
  • References
  • Others Offering

3
E-Detective (LAN Internet Monitoring/Interception System)
4
E-Detective
Compliance Solution for the Sarbanes-Oxley Act (SOX), HIPAA, GLBA, SEC, NASD, E-Discovery etc.
E-Detective Architecture/Work Flow
E-Detective Standard System Models and Series
FX-100
FX-120
FX-30
FX-06
5
E-Detective Implementation Diagram (1)
Organization Internet Monitoring and Interception System
6
E-Detective Implementation Diagram (2)
Telco and ISP Internet Lawful Interception (LI) Solution
Real-Time/Online Decoding and Reconstruction
Offline Decoding and Reconstruction
Nationwide Internet Monitoring for Protecting National Security
7
  • Decoding and Reconstruction Protocols Supported
    1. Email: POP3, SMTP, IMAP
    2. Webmail (Read and Sent): Yahoo Mail (Standard and Beta/2.0), Windows Live Hotmail, Gmail, Giga Mail etc.
    3. IM/Chat: Windows Live Messenger-MSN, Yahoo, ICQ, AOL, QQ, Google Talk, IRC, UT Chat Room, Skype call session/duration
    4. File Transfer: FTP; P2P (Bittorent, eMule/eDonkey, Gnutella, Fasttrack)
    5. HTTP: Link, Content, Reconstruct, Upload/Download, Video Stream
    6. Online Game: Maplestory, RO, Kartrider, FairyLand, Hero, WonderLand etc.
    7. Telnet/BBS
    8. VOIP: Yahoo Messenger reconstructed back to GIPS format
    9. Webcam: Yahoo and MSN Messenger

8
E-Detective Homepage Dashboard with Reports
9
E-Detective Sample Email POP3/SMTP/IMAP
10
E-Detective Sample Web Mail (Read)
Webmail Yahoo Mail, Gmail, Windows Live Hotmail,
Giga Mail, Hinet etc.
11
E-Detective Sample Web Mail (Sent)
Webmail Yahoo Mail, Gmail, Windows Live Hotmail,
Giga Mail, Hinet etc.
12
E-Detective Sample IM/Chat MSN, Yahoo etc.
13
E-Detective Sample File Transfer - FTP
14
E-Detective Sample File Transfer P2P
P2P Protocols Bittorent, eDonkey/eMule,
Fasttrack etc.
15
E-Detective Sample HTTP Link/Content/Reconstruct
The Whois function provides the actual IP address of the URL link.
HTTP web page content can be reconstructed.
16
E-Detective Sample HTTP Video Stream
Playback of Video File
Video Stream (FLV format): Youtube, Google Video, Metacafe.
17
E-Detective Sample TELNET
Playback of Telnet Session
18
E-Detective Authority Assignment
Authority (Visibility and Operation) is assigned per Group, with user-defined settings
Authority - Visibility
Authority - Operation
Authority Groups with Users
19
E-Detective Backup: Auto-FTP/Manual
Auto-FTP Backup
Manual Backup: Download ISO or burn to CD/DVD
Reserved Raw Data Files and Backup of Reconstructed Data come with a Hashed Export Function
20
E-Detective Online IP List with IP/Account Report
21
E-Detective Alert (Alert with Content)
Alerts are configured from different service categories and different parameters such as keyword, account, IP etc.
Alerts can be sent to the Administrator by Email, or by SMS if an SMS Gateway is available.
22
E-Detective Search
Search: Free Text Search, Conditional Search, Similar Search and Association Search
Conditional Search
Free Text Search
Association Search
23
Wireless-Detective (WLAN/802.11a/b/g Interception System)
24
Wireless-Detective - Introduction
Wireless-Detective System: WLAN Analytics/Forensics/Legal Interception System
  • Scan all WLAN 802.11a/b/g 2.4 and 5.0 GHz
    channels for AP and STA
  • Captures/sniffs WLAN 802.11a/b/g packets.
  • Decrypt WEP key (WPA Optional Module)
  • Decodes and reconstructs WLAN packets
  • Stores data in raw and reconstructed content
  • Displays reconstructed content in Web GUI
  • Hashed export and archive

Smallest and most complete WLAN Interception System in the World!
All in One System!
Important Tool for Intelligence Agencies such as Police, Military, Forensics, Legal and Lawful Interception Agencies.
25
Wireless-Detective Implementation Diagram (1)
Wireless-Detective Standalone System: captures WLAN packets transmitted over the air, ranging up to 100 meters or more (by using the Enhanced System with High Gain Antenna).
WLAN Interception Standalone Architecture Deployment (capture a single channel, a single AP or a single STA)
26
Wireless-Detective Implementation Diagram (2)
Wireless-Detective Extreme System: utilizing multiple/distributed Wireless-Detective systems (Master/Slave) to conduct simultaneous capture, forbidding and location estimation functions.
WLAN Interception Distributed Architecture Deployment: utilizing a minimum of 2 systems (Master/Slaves) for simultaneous capturing/forbidding functions. Capture a single channel, a single AP or a single STA.
Note: For capturing multiple channels, each Wireless-Detective (WD) can be reconfigured to act as a standalone system. For example, deploy 4 WD systems with each capturing on one single channel.
27
Wireless-Detective Implementation Diagram (3)
Wireless-Detective Standalone Systems, Multiple Channels Capturing: utilizing more than 1 Wireless-Detective to capture different channels.
WLAN Interception Standalone Multiple Channels Capturing: a single WD for single channel capturing; multiple WD for multiple channel capturing.
Note: The advantage of having multiple WD systems is the flexibility to deploy either a distributed architecture (for capturing a single channel/target) or to split them into standalone system deployment for multiple channels capturing.
28
Wireless-Detective AP/STA Information
Capture Mode
Displaying information of Wireless devices
(AP/STA) in surrounding area.
29
Wireless-Detective AP/STA Information
Forbidder Mode
Displaying information of Wireless devices
(AP/STA) in surrounding area.
30
Wireless-Detective Forbidder Mode
Implementation
  • WLAN Jammer/Forbidder Implementation
  • Forbid connectivity of STA
  • Forbid connectivity of AP

31
Cracking/Decryption of WEP/WPA Key (1)
WEP Key Cracking/Decryption can be done by the Wireless-Detective System!
Auto Cracking (system default) or Manual Cracking
1) WEP Key Cracking/Decryption (64, 128, 256 bit key): Proactive Crack and Passive Crack
   - Proactive/Active Crack: by utilizing ARP Injection
   - Passive Crack: silently collecting Wireless LAN packets
     64-bit key (10 HEX): 100-300MB raw data / 100K-300K IVs collected
     128-bit key (26 HEX): 150-500MB raw data / 150K-500K IVs collected
2) WPA Key Cracking/Decryption (Optional Module Available): WPA-PSK cracking is an optional module. By using an external server with Smart Password List and GPU acceleration technology, the WPA-PSK key can be recovered/cracked.
Notes: The time taken to decrypt the WEP key in passive mode depends on the amount of network activity. The time to crack a WPA-PSK key depends on the length and complexity of the key. Besides, it is compulsory to have the WPA-PSK handshake packets captured.
32
Cracking/Decryption of WEP Key (2)

Automatic: System auto cracks/decrypts the WEP key (default)
Manual: Capture raw data and crack/decrypt the WEP key manually
Cracking Manually
33
Cracking/Decryption of WEP Key (3)

WEP Key Cracked!
34
Wireless-Detective WPA Cracking Solution
WPA-PSK Cracking Solution: WPA Handshake packets need to be captured for cracking the WPA key. Utilize a Single Server or Distributed Servers (multiple smart password list attacks simultaneously) to crack the WPA key. Acceleration technology: GPU Acceleration.
Note: WPA handshake packets can be captured by a Standalone Wireless-Detective system or by Distributed Wireless-Detective systems.
35
Cracking/Decryption of WPA-PSK Key
WPA/WPA2-PSK cracking module is optional (dedicated server).
Application: Utilizing Smart Password List attack and GPU technology (Graphic Cards) to recover or crack the WPA/WPA2-PSK Key.
Supported: WPA-PSK (TKIP) and WPA2-PSK (AES).
Speed: up to 30 times faster than a normal CPU.
GPU supported: NVIDIA and ATI
36
  • Decoding and Reconstruction Protocols Supported
    1. Email: POP3, SMTP, IMAP
    2. Webmail (Read and Sent): Yahoo Mail (Standard and Beta/2.0), Windows Live Hotmail, Gmail, Giga Mail etc.
    3. IM/Chat: Windows Live Messenger-MSN, Yahoo, ICQ, AOL, QQ, Google Talk, IRC, UT Chat Room, Skype call session/duration
    4. File Transfer: FTP; P2P (Bittorent, eMule/eDonkey, Gnutella, Fasttrack)
    5. HTTP: Link, Content, Reconstruct, Upload/Download, Video Stream
    6. Online Game: Maplestory, RO, Kartrider, FairyLand, Hero, WonderLand etc.
    7. Telnet/BBS
    8. VOIP: Yahoo Messenger reconstructed back to GIPS format
    9. Webcam: Yahoo and MSN Messenger

37
Wireless-Detective GUI Sample Email POP3
Date/Time, From, To, CC, Subject, Account,
Password
38
Wireless-Detective GUI Sample Web Mail (Read)
Date/Time, Content, Web Mail Type
39
Wireless-Detective Sample Web Mail (Sent)
Date/Time, From, To, CC, BCC, Subject, Webmail Type
40
Wireless-Detective Sample IM/Chat MSN
Date/Time, User Handle, Participant,
Conversation, Count
41
Wireless-Detective Sample IM/Chat Yahoo
Date/Time, Screen Name, Participant,
Conversation, Count
Including VOIP and Webcam sessions reconstruction
and playback
42
Wireless-Detective Sample File Transfer - FTP
Date/Time, Account, Password, Action, FTP Server
IP, File Name
43
Wireless-Detective Sample Peer to Peer P2P
Date/Time, Port, Peer Port, Tool, File Name,
Action, Hash
44
Wireless-Detective Sample Telnet
Date/Time, Account, Password, Server IP, File Name
Playback of TELNET Session
45
Wireless-Detective Sample HTTP
Link/Content/Reconstruct
Date/Time, URL
Reconstructed Web Pages
46
Wireless-Detective Sample HTTP
Upload/Download
Date/Time, Action, File Name, HTTP
Download/Upload URL, Size
47
Wireless-Detective Sample Online Games
Date/Time, MAC Address, Port, Peer Port, Game Name
48
Wireless-Detective Search Conditional/Free
Text
Search by Parameters/Conditions
Free Text Search
49
Wireless-Detective Alert and Notification by
Condition
Alert Administrator by Parameters/Conditions
50
Wireless-Detective Wireless Equipment Locator
Utilizes Wireless Sensors and Triangulation Training Methods to estimate the location of the targeted Wireless Devices. Requires 1 WD Master system and a minimum of 3 WD Slave systems (sensors).
Note: WatchGuard.WLAN can be used in place of WD slave systems for this Wireless Equipment Locator function.
51
Wireless-Detective - Advantages/Benefits
  • Smallest, portable, mobile and lightweight WLAN legal interception system. This allows easy tracking and capturing of suspects' Internet activities, especially when the suspect moves from one place to another. The suspect won't notice WD's existence as it looks like a normal laptop.
  • Detects unauthorized WLAN access/intruders (IDS).
  • Provides detailed information of AP, Wireless
    Routers and Wireless Stations (such as channel,
    Mbps, security (encryption), IP, signal strength,
    manufacturer, MAC)
  • Provides capturing of WLAN packets from single
    channel, AP, STA or multiple channels by
    deploying distributed/multiple systems. That also
    means flexibility and scalability of deployment
    solution.
  • Provides decryption of Wireless key, WEP key (WPA
    cracking is optional module)
  • Provides decoding and reconstruction of different
    Internet services/protocols on the fly,
    reconstructed data is displayed in original
    content format on local system Web GUI.
  • Supports reserving of raw data captured (for further analysis if required) and archiving of reconstructed data with hashed export functions.
  • Supports condition/parameter search and free text
    search.
  • Supports alert by condition/parameter.
  • Provides Wireless forbidding/jamming function
  • Provides Wireless Equipment Locator function.
  • The All-in-One Portable WLAN Interception System

52
E-Detective Decoding Centre (EDDC/XDDC)
53
EDDC/XDDC
  • EDDC/XDDC is a Unix/Linux based system specially
    designed for Offline raw data files
    reconstruction.
  • It allows Administrator to create different
    project/case for different user/investigator
    (with different level of authority) to conduct
    Internet raw data parser and forensics analysis
    task on the system.
  • The system is able to reconstruct Internet
    application/services like Email (POP3, SMTP,
    IMAP), Webmail (Yahoo Mail, Gmail, Hotmail etc.)
    IM (Yahoo, MSN, ICQ, QQ, UT, IRC, Google Talk,
    Skype Voice Call Log), File Transfer (FTP, P2P),
    HTTP (Link, Content, Reconstruct,
    Upload/Download, Video Stream), Telnet, Online
    Games, VoIP (Yahoo), Webcam (Yahoo, MSN).
  • User/Case Management, Offline Internet Raw Data Parser/Reconstruction, Search Function, Export/Backup

EDDC: Standard Offline Reconstruction System
XDDC: Offline Reconstruction with Layer 7 Analytics (NEW!)
54
EDDC/XDDC Implementation (1)

Offline Raw Data Decoding and Reconstruction system. Comes with User and Case Management functions.
55
EDDC/XDDC Implementation (2)

Offline Raw Data Decoding and Reconstruction system. Comes with User and Case Management functions.
Diagram: Investigator 1 works Case 1 (Case 1 Results); Investigator 2 works Case 2 (Case 2 Results).
56
E-Detective VOIP Forensics Intelligence System
57
VOIP Forensic Intelligence System

VOIP Protocols supported: SIP (the most common VOIP protocol used worldwide), H.323
Audio CODECs supported: Voice call (VOIP) sessions can be captured, recorded (in wav file format) and played back with a popular voice media player. Currently available and supported Audio CODECs developed by Decision include: G.729; G.711 a-law and G.711 u-law; G.723; G.726; iLBC
Point to Point Communication
SIP Server Architecture
Relay
Sample Information retrievable
58
HTTPS/SSL Network Forensics Device
59
  • HTTPS/SSL Interceptor
  • Capable of decrypting HTTPS traffic.
  • Two modes of operation:
    1. Man in the Middle Attack (MITM)
    2. Offline Method (decrypting HTTPS raw data with the Private Key available)
  • Usernames and passwords (login) can be captured by the HTTPS/SSL Device. For instance, Google/Gmail login, Hotmail login, Yahoo Mail login, Amazon login etc.

To view encrypted content, a key is needed
60
WatchGuard.WLAN
61
WatchGuard.WLAN
  • WLAN IEEE 802.11a/b/g Intrusion Detection System (IDS), WLAN Defender and Jammer System.
  • WatchGuard.WLAN provides a WLAN communication diagnosis function. It can detect unauthorized WLAN communication from an access point (AP) or wireless station (STA) within the coverage area. It can then forbid the unauthorized connection. A warning/notification Email/message can be sent to the network administrator.
  • To prevent/forbid unauthorized WLAN connections, the system can pretend to be the station and inform the AP to stop the communication. Besides, noise signal emission to the station and/or AP is another method to prevent/deter wireless communication.

To protect from outside attack and prevent inside leakage!
62
Application Diagram - WatchGuard.WLAN
63
Uniqueness of Decision Computer Group
  • Designer, Architect and Manufacturer of a variety of Network Security, Content Forensics and Internet Interception Solutions.
  • We provide OEM and ODM services, accepting customization requirements from customers.
  • Series of Products Offering
  • E-Detective (Ethernet LAN and Telco/ISP Lawful
    Interception System)
  • Wireless-Detective (WLAN Lawful Interception
    System)
  • EDDC/XDDC (Offline Internet Decoding and
    Reconstruction System)
  • HTTPS/SSL Interceptor (HTTPS/SSL Decryption
    System using MITM attack)
  • VOIP Forensics Intelligence (VOIP Interception
    System)
  • WatchGuard.WLAN (WLAN Forbidding, Jamming and
    Defense tool)
  • NuBlock (Write Protection Toolkit)
  • Industrial I/O Card Series

64
Decision Computer Group - Reference Customers
  • Criminal Investigation Bureau TW
  • The Bureau of Investigation Ministry of Justice
    TW
  • National Security Agency (Bureau) in various
    countries
  • Intelligence Agency in various countries
  • Ministry of Defense in various countries
  • National Police, Royal Police in various
    countries
  • Government Ministries in various countries
  • Federal Investigation Bureau in various countries
  • Telco/Internet Service Provider in various
    countries
  • Banking and Finance organizations in various
    countries
  • Note: Due to the confidentiality of this information, the exact names and countries of the various organizations cannot be revealed.