Pattern detection in a remote LAN environment (EN)

A minor thesis submitted by Bruno VALENTIN in part fulfillment of the degree of M.Sc. in Forensic Computing and CyberCrime Investigation with the supervision of Dr. Pavel GLADYSHEV


PATTERN DETECTION IN A REMOTE LAN ENVIRONMENT
IPOLE PROJECT

BRUNO VALENTIN

A minor thesis submitted in part fulfillment of the degree of M.Sc. in Forensic Computing and Cyber Crime Investigation with the supervision of Dr. Pavel GLADYSHEV.

School of Computer Science and Informatics
University College Dublin
August 2008
Table of contents

1 INTRODUCTION ... 5
1.1 Background ... 5
1.2 Needs and requirements ... 6
1.3 Selected approach ... 7
1.4 Summary of achievements ... 9
2 BACKGROUND ... 10
2.1 Internal versus external interceptions ... 10
2.2 Active and passive monitoring ... 12
2.3 Deep Packet Inspection ... 15
2.4 Recording or just filtering the traffic? ... 17
2.5 Delivery of the data ... 17
3 PROBLEM STATEMENT ... 19
3.1 What is the problem and why it needs to be solved ... 19
3.2 Existing solutions ... 22
3.2.1 Niksun NetDetectorLive ... 22
3.2.2 Qosmos Qwork ... 23
3.2.3 Blueye project ... 24
3.2.4 Drawbacks of existing solutions ... 24
3.3 Requirements ... 26
3.3.1 Reliability ... 26
3.3.2 Functionalities ... 27
3.3.3 Flexibility ... 28
3.3.4 Speed ... 29
3.3.5 Security ... 30
3.3.6 Cost ... 32
3.3.7 Legality ... 33
4 ADOPTED APPROACH ... 34
4.1 Overview of overall architecture ... 34
4.1.1 The central server ... 35
4.1.2 The probes ... 37
4.2 Setting up SMS and Email accounts to receive alerts ... 40
4.2.1 Telecommunication operator ... 40
4.2.2 Email-to-SMS providers ... 42
4.3 Installation of the central server ... 43
4.3.1 Technical choices ... 43
4.3.2 Installation of Debian Etch on the central server ... 44
4.3.3 Completion of the RAID configuration ... 47
4.3.4 Basic system configuration ... 49
4.3.5 Virtual Private Network Server and Certification authority ... 51
4.3.6 Web pages compression and installation of a Web Proxy ... 55
4.3.7 Logging of alerts ... 59
4.3.8 Monitoring the probes ... 61
4.3.9 Backups ... 64
4.3.10 Securing the server ... 65
4.3.11 The Graphical User Interface ... 68
4.4 Installation and configuration of a probe ... 70
4.4.1 Installation of a Linux operating system on the probe ... 70
4.4.2 Password setting ... 71
4.4.3 SSH public key exchange ... 72
4.4.4 Network configuration ... 72
4.4.5 Repositories settings ... 74
4.4.6 Deactivation of useless services ... 74
4.4.7 Security Hardening ... 75
4.4.8 Virtual Private Network client ... 76
4.4.9 Syslog configuration ... 78
4.4.10 Transparent redirection of HTTP requests via proxy server ... 79
4.4.11 Event detection ... 79
4.4.12 Configuration for automatic on-site installation ... 82
4.5 On-site installation of a probe ... 82
4.5.1 Configuration of the probe ... 82
4.5.2 Is the probe connected? ... 83
5 DESCRIPTION OF RESULTS ... 85
5.1 Transparency of the probe ... 85
5.2 Direct HTTP connection without proxy redirection ... 86
5.3 Indirect connection to the server (redirection via Proxy server) ... 89
5.4 Common Webmail sites ... 92
5.5 Instant messaging ... 99
5.6 Alerts issued ... 101
5.7 Assessment of the performance in a real situation ... 103
5.7.1 Description of the experiment ... 103
5.7.2 Results of this experiment ... 105
5.7.3 Conclusion of the experiment ... 106
6 EVALUATION AND DISCUSSION OF RESULTS ... 107
6.1 Project achievements ... 107
6.2 Future work ... 110
6.3 Fields of application ... 111
6.4 Comparison with commercial interception / protocol analysis systems ... 113
7 LIST OF REFERENCES ... 117
8 APPENDICES ... 119
8.1 Automatic on-site installation script ... 119
8.2 OpenVPN client configuration file sample ... 119
8.3 Configuration files for the backup procedure ... 120
8.3.1 backup.sh ... 120
8.3.2 backup.incl ... 121
8.3.3 backup.excl ... 121
8.4 Firewall scripts ... 122
8.4.1 on.sh ... 122
8.4.2 off.sh ... 124

B. VALENTIN - MSC DISSERTATION
1 Introduction

As they have fully understood how useful computers and networks can be in the scope of their criminal activities, offenders now tend to make wide use of new technologies. Obviously, because of their illegal business, one of their main concerns is to remain anonymous and hidden, so as not to be identified and arrested by Law Enforcement Units.

Internet cafes provide public access to everyone who needs to be connected for a short period of time or who has no personal Internet connection. Depending on the country, the legislation regulating cyber cafes is often loose. In contrast with Internet Service Providers, they are often not compelled to comply with the legislation related to the retention of connection data, and they are not obliged to identify their customers either.

Considering this, offenders often use Internet cafes to commit their illegal acts, thinking that they will be protected by a substantial anonymity. As a matter of fact, even if the Police unit in charge manages to subsequently identify the owner of the public IP address from which the offense was committed, formally determining which customer perpetrated it is impossible. Most Internet cafes don't keep any information about their customers and don't provide any way to subsequently identify a person who used a workstation. No video recording exists except for security purposes.
1.1 Background
Over the past few years the French Police had to deal with some cases of kidnapping in which people were abducted and the perpetrators asked the family for a ransom. Concerned by anonymity, the criminals were using Internet cafes to communicate with the family of the hostage. They created an email account on one of the common webmail sites available on the Internet and then used this account to send emails to the relatives of the victim.

As the discussion was going on between the kidnappers and the family, the Police tried to track down the criminals many times without succeeding. As a matter of fact, since the offenders were using a set of internet cafes to connect to the webmail, the Police had to perform several operations prior to being in a position to arrest them.

First of all, they had to analyze the full header of the electronic mail sent to the family to get the public IP address of the Internet connection from which it originated. Then they had to contact the appropriate Internet Service Provider to perform the identification of the IP address in order to be able to locate the Internet cafe. This second operation really depended on the ISP used and its quickness in answering the official requests sent by the Police.

Once the location of the Internet cafe was identified, the Police could go to this place to carry on their investigation. Of course, the kidnappers had left a long time before they arrived. Since they didn't know which computer of the cyber cafe was used to send the email, they had to perform an exhaustive forensic analysis of every workstation. But most internet cafes often had more than 20 computers connected.

Each time they had to write to the family or to get the replies to their own emails, the offenders went to a different cyber cafe. This procedure allowed them to cover their tracks. But since they were staying in the same part of the city, the Police forces noticed that, after a while, the offenders tended to go again to a cyber cafe they had already visited.

1.2 Needs and requirements
By the time this investigation was conducted, the only concern of the Police was to identify and arrest the perpetrators of the kidnapping urgently. It was observed that the Police currently had no way to do that and needed a system or equipment to quickly and formally identify the internet cafe as soon as the criminals were connecting to their webmail account. The requirements for such a system were rapidly identified.

To avoid the constraint of going to the ISP and asking for identification, the system had to inform the Police of the real location of the Internet cafe without relying on the public IP address, which pertains to the ISP.

The alert had to be sent in real-time, to allow the Police officers to enter the internet cafe soon enough to arrest the criminals whilst they were connected. Of course, since the Police officers were on the spot, they had to be informed by a means they could use, such as mobile phone or email.

Next, as the waste of time analyzing the huge number of computers in various internet cafes was enormous, and since the Police wanted to pinpoint the computer involved quickly, the system had to record the private IP address of the workstation as well. Obviously, focusing directly on the relevant computer is always much faster and more effective.

In case a new email address was discovered as being used by the criminals, all the detection systems had to be updated to start recognizing this new information immediately. Of course, as an investigation usually has no boundaries nationwide, the system had to be composed of modules that could be spread over the whole country.

Finally, the Police unit had a constraint in terms of financial allowance. It was required that the system was affordable enough not to exceed the limits regarding the expenses allowed for the case.

Of course some commercial solutions for intercepting network traffic existed already. They were all provided as very expensive and cumbersome appliances. It was inconceivable to put this kind of equipment in an internet cafe, since it was impossible to insert them in a tiny network infrastructure without arousing the suspicion of customers.

Also the price to pay for each of these pieces of equipment was very high. Due to the number of appliances needed to cover all the internet cafes involved, the Police unit in charge of this investigation could not afford to spend so much money on a single case, even if it was a very sensitive one.

The Police rapidly came to the conclusion that no existing solution, given their characteristics and prices, was suitable for handling such issues.

1.3 Selected approach
Since no appropriate system existed by the time these investigations were conducted, a solution has been designed in the scope of this dissertation with the goal of making it possible in the future to solve this kind of case.

The system which has been designed aims to satisfy the needs of the Police units every time they come across an offender repeatedly using internet cafes to connect to the Internet with the goal of remaining anonymous.

The selected infrastructure is composed of a set of probes linked to a central server, accessible via a VPN tunnel. Each of the probes is actually a cheap SOHO router from Linksys, sold in every computer shop and converted into a transparent filtering and detection equipment.

All the probes can be configured at once through a Graphical User Interface built specifically for this project and hosted on the central server. As soon as the probes have been updated with the filtering rules, they begin monitoring the remote local area networks of the Internet cafes where they have been installed.

Each time any of the probes detects a pattern on the network that matches a filtering rule, it reports the detection to the central server, which informs the local Police officers in real time via SMS or Email notifications.

The current approach is in fact a centralised one. The command and control server is responsible for updating and monitoring the probes as well as sending notifications to the Police officers in charge. A probe has to be installed in every internet cafe used by the kidnappers, with the cooperation of the manager of the cyber cafe. This way, the transparent probe can filter the network flow on the LAN and can determine which private IP address has triggered the alert.

As every probe is connected to the central server through a Virtual Private Network tunnel, the server is capable of formally identifying the probe from its private IP on the VPN range. Therefore, the Police don't have to rely on the public IP address of the Internet cafe to identify the location of the probe. As no third party is involved in the identification process, it can be done quickly.

Eventually, if the criminals come back to an Internet cafe they have used already, the Police will be notified instantly and they will be able to arrest the offenders red-handed.

Illustration 1.1: Overview of network architecture
1.4 Summary of achievements
The current solution, designed for the completion of this dissertation, provides an effective approach to intercepting occurrences of interest on the remote private networks of many internet cafes. It is currently possible to update the probes from a remote location and to set new filtering rules which can evolve constantly during the investigation.

The probes are monitored on a permanent basis and in real-time by a central server which is also responsible for instantly sending the notifications to the Police officers upon a detection reported by any of the probes. All the communications between the central server and the probes are fully encrypted with SSL through the use of a VPN tunnel.

Even if the adopted solution has drawbacks, it could be evolved in some ways. It can undeniably be used for solving the global issue of intercepting occurrences simultaneously in several remote Local Area Networks.

This solution is applicable either to Internet cafes or to wireless hotspots, as long as it is plugged on the wire which connects the local network to the internet. Even if wireless functionalities are disabled on the probes, it has no impact on their action since they only focus on the data transmitted on the wire.

From all the tests made, it emerges that this approach can allow the Police to identify urgently, and without the need of a third party, the location of an Internet cafe and also the workstation used by an offender to perpetrate his criminal activities. Thus, the Police unit in charge of the case will be able to arrest the offenders without delay.

Finally, with regards to the cost of the global solution, it appears disproportionate compared to the existing commercial or open-source solutions which rely on expensive appliances to work properly.
2 Background

As seen previously in the introduction, the topic of the current document is to set up a solution in order to simultaneously intercept a set of local area networks from a remote point, for Law Enforcement needs. This kind of subject matter is often not published or disclosed since it is considered sensitive by the private companies which design purpose-built equipment and by the Law Enforcement Agencies. Still, some white papers have been released publicly by academic institutions and the private sector.

An overview of the current state of the art regarding wire tapping has been done to determine how interceptions can be implemented for solving the issue exposed in this dissertation. The white papers and other documents found introduce the different ways of intercepting communications on an IP network.
2.1 Internal versus external interceptions
Depending on how accessible the network to monitor is and where the wiretapping equipment can be installed, an interception process can be referred to as internal or external.

Internal interception allows the Law Enforcement Agencies to extract the data directly from the internal networks of the internet service providers [2-1] involved in the transmission of the data of interest over the Internet. In this case, the whole traffic of the target is intercepted and delivered to the LEA in its raw format. This is commonly completed using software or hardware sniffers capable of dealing with IP traffic.

Of course, since it is crucial, from a Law Enforcement perspective, that the target doesn't know they are being monitored, some mechanisms must be put in place to ensure the interception system remains transparent. This means that the system has to be thought of and designed in a secure manner. [2-1]

Unfortunately, in many developed countries, ISPs are often reluctant to provide access to their core networks to the LEA. There is usually a strong opposition [2-1] leading to legal fights between LEA and service providers.

When putting in place an internal interception is not feasible, interception must be performed at network access level, outside the network of the service provider. Typically, this means that the interception material has to be connected outside of the immediate target network, for instance at adjacent networks or public network concentration points [2-1]. This network usually pertains to the network operator, as depicted in the figure below.

The systems capable of doing external interceptions are often designed and commercialised by private companies. As performing an external interception is much more complicated than doing an internal one, such systems tend to be sophisticated and not officially publicised. In fact, WAN monitoring is not a simple task to complete. It must support a much wider range of network topologies and protocols (PPP, multilink PPP, Cisco HDLC, frame relay, ATM) [2-2] and must be able to deal with several levels of protocol encapsulation.

As was already the case for internal interception, targets must be unaware that they are under electronic surveillance. Therefore, any noticeable information that could reveal the monitoring process should be avoided [2-1]. For instance, the "Traceroute" command could show a new router hop in the path from the target to the Internet. Also, degradation or interruption of service has to be avoided as much as possible by the use of appropriate technologies.

In conclusion, anytime it is applicable, internal interception is considerably more straightforward to put in place. Also, the content data resulting from this interception can be filtered more effectively since the intercepted IP data does not need to be translated prior to being analysed.

Illustration 2.1: Typical configuration for xDSL
2.2 Active and passive monitoring
 As
external
intercep<ons
are
not
very
well
documented
publicly,
the
emphasis
will
be
put
on
Internal intercep<ons,
which
are
more
suitable
to
address
the
global
issue
stated
at
the
beginning
of
this document. There
are
typically
two
approaches
in
monitoring

a
network
flow
:
the
passive
and
the
ac<ve
ways. First,
the
passive
monitoring,
also
referred
to
as
non‐intrusive
[2‐2],
has
the
ability
to
intercept
the
data transmi.ed
over
a
network
without
interfering
with
the
flow
of
network
traffic.
This
kind
of
topology
is said
to
be
invisible
and
undetectable
[2‐4]
and
even
if
the
intercep<on
equipment
comes
to
fail
for
any reason,
the
data
will
con<nue
to
flow
across
the
network.
In
fact,
the
intercep<on
equipment
just
has
to deal
with
a
copy
of
the
packets. With
a
hub‐based
network,
each
worksta<on
can
see
the
traffic
transmi.ed
to
or
from
any
of
the
other computers
connected
to
the
same
network.
Hence,
pu_ng
in
place
a
passive
monitoring
in
a
network environment
composed
of
hubs
is
very
straighporward.
As
Robert
Graham
says
in
his
FAQ
[2‐3],
Ethernet was
built
around
a
“shared”
principle:
all
the
machines
on
the
local
network
share
the
same
wire. Contrarily,
switched
networks
cannot
be
monitored
as
easily.
In
fact,
in
a
switched
network
topology,
the switch
isolates
the
network
traffic
of
each
worksta<on
and
restrict
the
transmission
to
the
worksta<ons involved
in
the
ongoing
communica<on
only.
It
means
that
na<vely,
a
monitoring
equipment
connected to
a
port
on
the
switch
cannot
see
the
traffic
intended
for
another
computer.
[2‐2] 12
of
124 
 B.
VALENTIN
–
MSC
DISSERTATION Illustration 2.2: Passive monitoring
Two ways exist for solving the issue of performing interceptions in a switched network topology. The first one is tapping every single segment on the switch. The second one is using a switch which comes with a monitoring port. The monitoring port is a specific network port on the switch that provides the equipment connected to this port with a copy of each single packet transmitted over the network. Obviously, this approach is more cost-effective for solving this problem than the first one [2-2].

In addition, some techniques exist to sniff the IP flow in a switched network environment by hijacking the traffic [2-3]. For instance, one of the most effective is named switch jamming. This technique consists in flooding a switch with a lot of spoofed MAC addresses. This big amount of forged MAC addresses overflows the MAC address tables of the switch, which, from the switch's perspective, leads it to operate as a hub.

Decision Computer also names this type of monitoring "Mirror mode". It is said to be the most common mode used. This mode has to be used when the data flow on the customer site is large. It is possible to handle up to 1000 users with this kind of topology [2-4]. If deployed in a passive mode, an IDS can monitor the traffic without being capable of applying any modification to the packets [2-6].

Contrarily, the second type of monitoring is called active monitoring. Also named "intrusive monitoring" [2-2], it splits the network in two parts and allows the packets to be transmitted from one part to the other while monitoring the data. Since it is usually installed at a strategic point on the network (choke point), all the data must pass through this equipment in order to be transmitted to the Internet.
This type of topology is used when the data is required to be manipulated before being transmitted over the network [2-2]. For instance, if the data has to be relayed via a transparent proxy, the active monitoring can change the port and the destination IP in real time to hijack the packets from their original path. Again, it is also recommended to deploy the equipment in a way that its existence is hidden from the other devices connected to the network [2-6].

This time, Decision Computer suggests using this topology, which they name "bridge mode", to monitor the activity of a group composed of up to 200 users [2-4]. NetOptics underlines that the devices deployed "in-line" can introduce excessive latency due to internal processing [2-6]. Moreover, if the whole traffic flows through a single device, it needs to be capable of dealing with all the packets in real-time. For instance, monitoring a gigabit backbone through a spanned 100 megabit port is impossible since not all the packets will be seen by the device [2-6].

Depending on the case, passive or active monitoring can be adopted accordingly [2-6]. Most of the time, the monitoring equipment is deployed at the enterprise firewall in order to intercept the whole traffic coming from and going to the Internet. However, the selected topology must be able to absorb the whole network flow under all conditions and ensure the network reliability and availability. To be fully functional, the IDS must be able to access the network in full duplex and at full bandwidth.

Illustration 2.3: Active monitoring
2.3 Deep Packet Inspection

The key concept of monitoring communications in an IP network is how deep the interception process will dig into the packets in order to inspect them.

Interceptions can be performed at different layers of the OSI model. Layer 2 and 3 monitoring systems are commonly referred to as "protocol analysers" [2-2].

However, most common e-mail or webmail services such as Hotmail and Yahoo are offered by service providers instead of network operators. Such network services are focused rather on layers 6 and 7, which are a bit higher in the OSI model [2-1].

Therefore, according to Thomas Porter [2-6], it is important to distinguish between the different depths of packet inspection:

Shallow packet inspection [2-6, 2-8] is the traditional way of examining the packets, usually in a firewall located at the boundary of a corporate network. Shallow packet inspection is performed at a choke point (a point between two networks where all the packets must pass). It usually provides network address translation, logging, and basic filtering based on IP addresses and ports. Since it only extracts basic protocol information, shallow packet inspection deals with the headers and is insufficient to operate filtering of application-related data [2-8].

Deep packet inspection is the most advanced technology for identifying application data carried by IP packets [2-7]. It digs deeper into the content of the packet by analysing the header of each layer and the payload carried by each packet. In a sense, one can say that DPI is more application aware [2-8].

Illustration 2.4: Shallow packet inspection - data from packet headers
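The difference between header-based and payload-based classification can be made concrete on raw packets. The following Python example is added here and is not code from the thesis or from the IPOLE project: it constructs minimal IPv4/TCP packets in memory (nothing is put on the wire), classifies each one first by destination port, as a shallow inspector does, then by payload signature, as a DPI engine does, and reports when the two verdicts disagree. The helper names build_ipv4_tcp, parse_ipv4_tcp, shallow_inspect and deep_inspect and the small signature table are assumptions made for this illustration.

```python
import struct
from dataclasses import dataclass

# Hypothetical helpers for this illustration (not from the thesis).


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Construct a minimal IPv4 + TCP packet (no options, checksums left zero).

    Constructed test data only; it is never transmitted here."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, 6, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    # data offset 5 words, flags PSH|ACK, window 65535, checksum and urgent pointer 0
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(raw):
    """Walk the IPv4 and TCP headers and return addressing plus the payload."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6:
        raise ValueError("not a TCP segment")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return Packet(src, dst, sport, dport, tcp[data_off:])


# Shallow inspection: only the transport header is consulted, so the
# destination port is taken at face value.
WELL_KNOWN_PORTS = {22: "ssh", 25: "smtp", 80: "http", 443: "https"}


def shallow_inspect(pkt):
    return WELL_KNOWN_PORTS.get(pkt.dport, "unknown")


# Deep inspection: the payload is matched against protocol signatures,
# independently of the port in use. The signature table is deliberately small.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def deep_inspect(pkt):
    p = pkt.payload
    first_line = p.split(b"\r\n", 1)[0]
    if p.startswith(HTTP_METHODS) and b" HTTP/1." in first_line:
        return "http"
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03:  # TLS handshake record
        return "tls"
    if p.startswith(b"SSH-"):
        return "ssh"
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    return "unknown"


def classify(raw):
    """Return (shallow verdict, deep verdict, disagreement flag) for one packet."""
    pkt = parse_ipv4_tcp(raw)
    shallow, deep = shallow_inspect(pkt), deep_inspect(pkt)
    return shallow, deep, shallow != deep


if __name__ == "__main__":
    samples = {
        "genuine http": build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40000, 80,
                                       b"GET /mail/inbox HTTP/1.1\r\nHost: mail.example\r\n\r\n"),
        "p2p on port 80": build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40001, 80,
                                         b"\x13BitTorrent protocol" + bytes(8)),
        "http on 8080": build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40002, 8080,
                                       b"POST /upload HTTP/1.1\r\n\r\n"),
    }
    for name, raw in samples.items():
        print(name, classify(raw))
```

The disagreement flag is the practical output: a packet that the port table calls "http" but whose payload is a BitTorrent handshake is exactly the "non-standard application on a standard port" case that only payload inspection can expose.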
If a non-standard application uses a standard port such as port 80 to exchange data, deep packet inspection will be able to determine it, whereas shallow packet inspection will just notice that port 80 (supposed to be HTTP) is used. For instance, a lot of applications use standard protocols (HTTP) to transmit the content data. DPI allows to distinguish between the genuine HTTP traffic and the other applications using HTTP as a vector of transmission [2-6].

Deep packet inspection natively examines each packet and applies some predefined filtering rules to it. Depending on its content, the packet can match a rule and can be accepted or rejected. The rules can be based, for instance, on signature or regular expression matching [2-6]. DPI allows any string of bytes contained in the packet to be compared with the rules database in order for the IDS to make a decision.

IDS software looks for patterns outside of the defined policy. One of the most commonly used IDS is called Snort. Snort allows the user to define particular conditions that generate alarms upon detection of known patterns such as keywords.

In his paper, Dr Thomas Porter also indicates that the signature database must be easily updatable since it is dynamic [2-5]. Indeed, since the strings the IDS has to search for can change during the interception process, it is important that new strings can be appended to the signature database. For instance, the program called I-Watch, which the FBI used in 1996, could be programmed to capture connections that contained a particular keyword [2-7].

The length of the packets can differ, depending on the total payload they are carrying. Therefore, since it is impossible for the IDS to know precisely where to get the strings to compare, it can be a computationally expensive task to search through the packet for matching strings [2-5].

Illustration 2.5: Kazaa string match analysis
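The two requirements just stated, a signature set that can grow while the interception is running and a search that stays affordable whatever the position of the string inside the packet, are what a multi-pattern automaton gives. The Python example below is added here and is not code from the thesis or from any IDS it cites: KeywordMatcher is an Aho-Corasick automaton over bytes, and StreamScanner carries the automaton state from one TCP segment to the next for each flow, so a keyword split across two segments is still found, and keeps only the segments that matched. Both class names and the constructed segments are assumptions made for this illustration.

```python
from collections import deque

# Hypothetical classes for this illustration (not from the thesis).


class KeywordMatcher:
    """Multi-keyword matcher: one pass over the data finds every keyword,
    whatever its position, at a cost independent of the number of keywords."""

    def __init__(self, keywords=()):
        self.keywords = set()
        self._built = False
        for kw in keywords:
            self.add(kw)

    def add(self, keyword):
        """Append a string to the signature set; the automaton is rebuilt lazily."""
        self.keywords.add(bytes(keyword))
        self._built = False

    def _build(self):
        self.goto, self.out = [{}], [[]]
        for kw in self.keywords:
            s = 0
            for b in kw:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(kw)
        # Failure links by breadth-first traversal (standard Aho-Corasick construction).
        self.fail = [0] * len(self.goto)
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]
        self._built = True

    def scan(self, data, state=0):
        """Scan one chunk starting from a previous automaton state.

        Returns (hits, new_state); each hit is (start offset, keyword), where a
        negative offset means the keyword began in an earlier chunk."""
        if not self._built:
            self._build()
        hits = []
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for kw in self.out[state]:
                hits.append((i - len(kw) + 1, kw))
        return hits, state


class StreamScanner:
    """Examines segments in flight and keeps only those containing a keyword."""

    def __init__(self, matcher):
        self.matcher = matcher
        self.generation = 0          # bumped whenever the keyword set changes
        self.flow_state = {}         # flow key -> (generation, automaton state)
        self.recorded = []           # (flow key, segment, keywords found)

    def add_keyword(self, keyword):
        """Add a signature while the interception is running."""
        self.matcher.add(keyword)
        self.generation += 1         # old per-flow states index the old automaton

    def feed(self, flow, segment):
        gen, state = self.flow_state.get(flow, (self.generation, 0))
        if gen != self.generation:
            state = 0                # automaton was rebuilt: restart this flow's state
        hits, state = self.matcher.scan(segment, state)
        self.flow_state[flow] = (self.generation, state)
        found = sorted({kw for _, kw in hits})
        if found:
            self.recorded.append((flow, segment, found))
        return found


if __name__ == "__main__":
    scanner = StreamScanner(KeywordMatcher([b"alice", b"ransom"]))
    # Constructed segments: the keyword "alice" is split across two segments of flow A.
    print(scanner.feed("A", b"GET /mail?user=ali"))       # []
    print(scanner.feed("A", b"ce HTTP/1.1\r\n"))          # [b'alice']
    print(scanner.feed("B", b"nothing to see here"))      # []
    scanner.add_keyword(b"meet")                           # string appended mid-interception
    print(scanner.feed("B", b"we meet at noon"))           # [b'meet']
    print(len(scanner.recorded))                           # 2
```

Two design points matter for a probe. First, rebuilding the automaton after an update invalidates every saved state, so the scanner tags states with a generation number and restarts flows that were scanned with the previous automaton rather than indexing the new one with stale node ids. Second, the scan touches each payload byte once regardless of how many strings are in the database, which is what keeps the per-packet cost bounded as the investigation adds keywords.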
In conclusion, Deep Packet Inspection is a promising technology, now implemented in appliances manufactured by the most popular vendors such as Microsoft, Cisco and Checkpoint. Combining firewall and IDS in a single equipment eases the configuration and the management of the system [2-5].

Deep packet inspection is mandatory for an interception system to be capable of analyzing the payload of an IP packet to the level necessary to intercept - for example - accesses of a particular user to a particular web mail service.

2.4 Recording or just filtering the traffic?

Depending on the type of interceptions to put in place, one question arises. Is it necessary to record and store all the data, or is it sufficient to just filter them?

Simson Garfinkel defines an approach that he calls "catch it as you can" [2-7]. It describes the process of recording every type of packet transmitted through the interception system. Since it immediately writes the data to the disk and performs analysis afterwards, this approach requires the use of large disks, usually configured as RAID systems.

Another way of filtering the data is the approach called "stop, look and listen" [2-7]. It consists in analyzing the content data in real-time as it flows over the network and recording the relevant packets only. As a consequence, large disks are not required any more, but analyzing the packets on-the-fly can again take much computational resources. This approach was introduced in the 1990s by Marcus Ranum and used to be employed in the FBI wiretapping system called "Carnivore".

Anyhow, the hardware selected for completing the task of intercepting the data mainly depends on the size of the network to monitor. For instance, a 66MHz 486 computer is enough to capture the packets on a 384Kbps DSL link, whereas a much bigger computer would be required to do it on a fully-loaded gigabit network [2-7].

2.5 Delivery of the data

How the intercepted data has to be delivered to the Law Enforcement Agencies is defined in the ETSI standard and in CALEA (Communication Assistance for Law Enforcement Act).
Clearly, the delivery of data must ensure that the flow has been securely transmitted by taking care of the following functions: authentication, confidentiality, integrity, and non-repudiation. For the data to be transmitted securely, Aqsacom recommends using dedicated circuits or a Virtual Private Network circuit over the public Internet [2-1].

The Internet is not a safe place to transmit confidential data. Most of the information is transmitted in clear text, with no protection. Since the data resulting from an interception is always very sensitive, sending it over a public network such as the Internet must be avoided.

A dedicated circuit is the most secure link because the line is dedicated to the communication between Law Enforcement and the ISP that is doing the interception. Since this dedicated link has to be leased, the result is a higher cost for the LEA.

It is strongly recommended to use a Virtual Private Network [2-1] over the Internet to transmit the data, as it can take care of all the required functions with no additional cost for the LEA. In this case, a secure tunnel is built between the LEA and the entity performing the interception. All the data is transmitted through this encrypted path [2-9].
3 Problem Statement

3.1 What is the problem and why it needs to be solved

Nowadays, the new technologies are widely used by criminals to exchange information (terrorism, organized crime) or to stay in touch with their victims (blackmailing). Computers are everywhere and offenders now have the skills to use them for their criminal activities, whatever they are.

When these people have to send emails, they know that doing this from an Internet cafe is a good way to remain anonymous and to ensure that they won't be traced back. Anonymity is one of their main concerns.

Furthermore, they are aware that going repeatedly to the same Internet cafe may compromise them. Indeed, the Law Enforcement unit in charge of the case can determine where the mail was sent from by analyzing the header of the email. If the unit gets the reply to the legal request sent to the ISP, it will be able to arrest the perpetrator the next time he comes to this Internet cafe.

For this reason, criminals tend to roam between several Internet cafes in order to confuse the Police. But they are usually visiting the same ones, often located in the same area of the city. Most of them do not select a new location each time they have to connect to the Internet. After a while, they tend to go again to a cyber cafe already visited. Not all criminals commit their crimes from big cities in which a good deal of Internet cafes are located. Some of them also operate from smaller towns. They don't have as many possibilities when they are roaming between Internet cafes.

Most of the time, the managers of the Internet cafes agree to cooperate. It's not that common to face an investigation case in which even the Internet cafe is involved and should be considered as an accomplice of the suspect.

Changing Internet cafe for each connection to the Internet means that the public IP address used by the perpetrator is changing all the time as well. The criminals are aware of this fact too.

In the cases in which there is a need of communication between criminals and their victims (e.g. kidnapping), there are very frequently several exchanges of emails between the two parties. It is often a game of questions and answers in which the Police get many IP addresses involved.
Some Internet cafes are open to the customers 24 hours a day. As suspects are liable to connect to the Internet anytime, it is hardly conceivable to think about having a police officer in front of each cyber cafe all the time.

Of course, one can think of putting all the Internet cafes under monitoring. Unfortunately, such Internet interceptions, whether on the core network of an ISP or locally in the facilities of a telecommunication operator, are very expensive and require much effort to analyze the whole traffic.

Indeed, traditional Internet interceptions record the whole traffic coming from and going to a specific target. It would be useless if the only aim is arresting the perpetrator. Further computer forensics will prove he was using the computer for criminal purposes by the time he was arrested and will determine what exactly he was doing.

Internet cafes are sometimes the only location where the perpetrator can be arrested. If the criminal is careful and takes all the precautions not to be identified, he never connects to the Internet from another type of Internet access. That ensures that no personal IP address will be recorded in the log files or in the mail headers of the victim.

Furthermore, from a Law Enforcement perspective, arresting a suspect while he is committing his crime, with his hands on the computer, is the best way to get undeniable evidence of his culpability and thus to prove he is really involved. Unfortunately, arresting a criminal in such conditions is not that easy.

Indeed, many major problems come up, due to technical restrictions or misappropriation of the law. Depending on the country, no legal provision exists with regards to the public access to the Internet offered by private companies.

In France for instance, Internet cafes are not obliged to comply with any legislation with regards to the identification of their customers. The managers of the Internet cafes are not compelled to ask people for their identity and, even if they do, they are not obliged to keep any track of it. It means that if the Police come across an IP address allocated to an Internet cafe at the time the offense was committed, they cannot simply go to the manager and get the list of the people who were using the computers. From a Law Enforcement perspective, this is a big issue as no subsequent identification can be done. The suspect has to be identified and arrested in real-time.
Very often there is no camera installed in the Internet cafes. Even if there are, they are used for security purposes only and no video recording exists. Again, it is a constraint for the Police to subsequently identify a suspect. If the Police officers can identify the Internet cafe the connection was established from and even the workstation used, they still won't be able to get any picture or video of the criminal.

Moreover, most Internet cafes are linked to the Internet via a broadband connection with a dynamic IP allocated. Depending on the ISP, it can take much time getting a reply to the legal request for identification sent. Some of them tend to reply not rapidly enough to fit the constraints imposed by a criminal investigation. If the case is about kidnapping for instance, it is crucial that the location the connection is originating from is identified urgently.

Furthermore, when the Police receive the reply from the ISP identifying the Internet cafe involved, obviously only the public IP is identified, as this is the only information the ISP knows of. Some Internet cafes are equipped with a huge number of workstations. Every computer is using a private IP and the traffic is routed to the Internet through the public IP of the router/gateway.

Internet cafes usually have a basic network infrastructure. They are not equipped with a filtering and logging appliance such as a proxy server. A proxy would allow the Police to make a correspondence between the requested URL and the private internal IP address of the workstation on which it was requested. For instance, if the Police know that the suspect was using Yahoo webmail at a specific moment, they could analyze the logs of the proxy and make a selection of all the computers connected to this web site at the time the connection occurred.

As it is sometimes impossible to guess which workstation was used, it can take a considerable amount of time analyzing every computer from a forensic perspective. It can also take time searching for keywords on every hard disk to determine which one contains the evidence related to the criminal activities of the user.

Sometimes it is not even possible, as some Internet cafes are equipped with an auto re-installation process that restores a generic system image on the hard disk when the client logs off. In some cases, the whole system is virtual and runs completely in memory. It is even more complicated to find digital evidence if the computer is examined subsequently.

All these technical and judicial issues make the investigation longer and more complex than it should be in an ideal world.
Nonetheless, some solutions can be thought of to ease and make it quicker to identify and arrest a criminal connecting to the Internet from Internet cafes.

3.2 Existing solutions

3.2.1 Niksun NetDetectorLive

In terms of network detection, a private company named Niksun provides an autonomous appliance allowing to monitor both the incoming and outgoing network flows in real-time. This equipment, called NetDetectorLive (tm), can capture the network traffic and simultaneously search for non-authorized patterns in transmitted packets with regards to the internal policy of a company. The main purpose of this equipment is to be used in the scope of intellectual property protection and outbound content control. This appliance makes it possible for the administrator of a network to be informed in real-time of policy violations, particularly about sensitive content like R&D and financial information for instance.

Although it has not been designed specifically as a lawful interception product, this equipment includes some of the functionalities that could be required to address the problem described in the previous chapter.

NetDetectorLive provides real time archiving of data and allows reconstruction of the content in its context afterwards. For instance, it can store all email messages or instant messages for a later search. Furthermore, it is capable of categorizing and reconstructing most of the standard protocol sessions (smtp, pop, imap, web, instant messaging, ftp, p2p) as well as intercepted documents transmitted through the network (office documents, text files, PDF files, embedded images). Each time an incident is detected on the network, an event is generated and an alarm is issued. Detected incidents are logged in a database to allow subsequent filtering and analysis.

Illustration 3.1: NetDetectorLive Appliance From Niksun
The appliance comes with a graphical user interface installed. Hence the user can add new rules without deep knowledge in terms of computers and networks. This GUI is accessible remotely over HTTP and HTTPS.

Therefore, as it is constantly auditing the traffic and as it is capable of looking up specific content based on rules, it could be a potential solution to the overall problem of detecting strings in the network flow and issuing alerts upon detection.

3.2.2 Qosmos Qwork

Qwork appliances from Qosmos are designed to recognize and classify traffic flows and to extract valuable information in real time.

Designed for private companies, the initial aim of these probes is content classification. The proprietary technology developed by Qosmos and installed on this kind of appliance records the whole traffic of an IP network and stores it in a database for further processing.

It is capable of recognizing almost any kind of protocol from layers 2 to 7 (P2P, web services, chat, mail) and discovers all applications and usages of the network, and it can also perform statistics in real-time. It can extract business-critical data from live flows at network speed.

These appliances, which are said to be transparent on the network, can perform measurements on network streams from 2Mb/s to 2x1Gb/s and build reports in a dashboard. Upon events, the probe can also generate alarms.

The equipment, sold as a 1U case, can be configured through a Graphical User Interface that allows to manage the various functionalities of the probe.

Illustration 3.2: Qwork appliance from Qosmos
3.2.3 Blueye project

Finally, with regard to keyword based network sniffing, a project has been initiated by the BL7 group and made available for download for Windows and Linux under the GPL2 license on their website [323-1]. This project, called Blueye Layer 7 sniffer, aims at detecting keywords in a high-rate network stream (wired or wireless links) in real-time. Initially, this project has been designed to allow administrators to monitor the backbone of their private company for security reasons. For instance, it can be used in the field of intellectual property defense to prevent internal users from sending sensitive content outside the corporate network without being noticed. Filtering rules can be defined and the configuration of Blueye can be changed by modifying a set of text files. So far, no graphical user interface exists to perform this task.

As soon as user-defined keywords are detected, this layer 7 sniffer uses them to extract valuable and relevant information, rebuilds fragmented TCP sessions and stores them on the hard disk of the computer. It can also issue some alerts by email on relevant events. All the logged packets are stored as PCAP files and also indexed in a MySQL database for later identification and retrieval. The system is scalable to fit the needs of intercepting a multi-site network as well. For this purpose, it can be deployed as a distributed infrastructure composed of several front-ends and one back-end which stores all the records in a centralized database.

Although Blueye is just a piece of software and doesn't have anything to do with hardware equipment, it relies on Ninjabox platforms to sniff the network flow. Ninjabox platforms are commercialized by a UK-based company named Endace. Ninja platforms are basically 3U appliances equipped with two Intel Xeon dual core CPUs and 4GB of internal memory. They come with 2 built-in 1Gb/s network ports. They are also equipped with a RAID array composed of eight 250GB hard drives for an overall capacity of 2TB.

Illustration 3.3: blueye logo

3.2.4 Drawbacks of existing solutions

The existing solutions identified have all been designed with a specific goal and for a special use. However, they all provide some functionalities that are needed and useful for solving the current issue of simultaneously intercepting occurrences in multiple remote local networks. It is possible to use these technologies in order to address the stated problem.

They all come with an alert mechanism capable of sending notifications by email upon detection of the strings they are seeking. It is very important for solving the current problem, as being informed urgently is crucial for arresting the perpetrator as he is connecting to his webmail or his MSN account for instance.

They are all transparent on the network. This is a good thing since it is also important that the customers of the Internet cafe cannot notice that a device is performing network analysis and IP filtering on the local network they are currently connected to.

Due to the network equipment they are relying on, they are all capable of filtering network flows at a network speed of at least 200Mb/s. This is a notable functionality. However, it is not required for filtering a cyber cafe because the network connection of an Internet cafe is never as high.

However, despite the above benefits, all these solutions have some limitations and drawbacks that make them not appropriate to the current situation.

One of the biggest disadvantages of these three existing solutions is the cumbersomeness of the appliances needed to use these technologies. They all require heavy servers (over 30kgs) which are not discreet at all and can hardly be inserted in the network infrastructure of an Internet cafe. Amongst the requirements imposed by the current situation, stealth is crucial. Indeed, it is important that the customers of the Internet cafe don't pay attention to the network equipment that is doing the filtering.

Aside from issuing alerts when some content of interest is detected, all these solutions are designed to record the valuable traffic on a set of hard disks for subsequent analysis. On the one hand, this functionality is useless for just sending notifications. On the other hand, it can even be a disadvantage as some countries have more restrictive laws with regards to interceptions in which the content of communications is being recorded. Some legislations make a big difference between filtering and recording of private communications.

Niksun and Qosmos are private companies and therefore are very sensitive in terms of intellectual property protection. Therefore, they provide their proprietary software without the source code to avoid being copied. Given the sensitivity of the data filtered by the probes, it is dangerous to rely on a third party to deal with the content.

As the connections can occur from various Internet cafes in a short period of time, a distributed infrastructure has to be put in place. It is important that, as soon as a new location has been identified, a monitoring probe is plugged on the network to detect further connections made from this location. Apart from the Blueye project, the commercial solutions don't provide this functionality. All the other existing appliances are provided as autonomous probes which perform the filtering process by themselves.

It is also a major need to have a graphical user interface available to allow a regular user to configure the system without specific knowledge in terms of computers and networks. This GUI should allow the ability to add probes, locations and recipients and to manage the cases easily. The Blueye project does not come with a graphical user interface and has to be configured through a set of text files.

Finally, the cost is one of the major issues encountered when Law Enforcement agencies have to deal with Internet interceptions. Because these equipments are very advanced in terms of hardware configuration, they are all very expensive and exceed the price a common Police Unit can afford for putting in place an electronic supervision of the activity at an Internet cafe.

It is barely conceivable to install one of those appliances in every Internet cafe to put under monitoring. The global cost of the investigation would be colossal. Only the most important and sensitive investigations would make it possible to use this kind of network interception. For this reason, and to get more flexibility, a cheaper solution has to be thought of.

3.3 Requirements

As stated, handling an investigation case in which the offender connects to the Internet from a cyber cafe leads Law Enforcement to face various issues that make the identification and arrest more complicated. In order to take those issues into consideration and to solve these problems, a technical solution can be designed. It needs to have some specific functionalities and characteristics.

3.3.1 Reliability

Criminal investigations are often very important and sensitive in terms of content. To avoid missing any relevant information related to the current investigation, the infrastructure needs to be highly reliable.
  27. 27. 
3
Problem
Statement Indeed,
how
efficient
would
be
a
system
that
Law
Enforcement
Agencies
would
not
be
able
to
trust
?
 As
criminal
ac<vi<es
occurs
24
hours
a
day,
the
L.E.A.
should
be
able
to
use
this
solu<on
on
a
permanent basis.
As
a
consequence
the
solu<on
has
to
remain
online
all
the
<me. To
ensure
that
no
power
outage
will
have
a
nega<ve
impact
on
the
availability,
the
central
server
must be
supplied
by
a
UPS.
This
device
will
provide
the
computer
with
electrical
current
even
if
the
main power
supply
fails.
It
will
also
prevent
the
file
system
from
being
damaged
if
the
computer
is
stopped suddenly. As
the
system
has
to
stay
online
all
the
<me,
it
should
be
able
to
afford
the
loss
of
a
storage
device.
That means
that
this
computer
needs
to
maintain
a
real‐<me
copy
of
the
main
hard
drive.
If
one
of
those
two disks
comes
to
fail,
one
will
be
s<ll
opera<ng
and
the
whole
system
won't
be
stopped. It
is
also
important
to
have
a
strong
backup
policy.
Even
if
the
file
system
is
protected
against
the
physical loss
of
one
disk,
maintaining
a
real
<me
copy
also
means
that
the
sohware
errors
are
replicated
as
well. A
good
backup
policy
allows
the
user
to
restore
previously
exis<ng
data.
It
is
useful
when
a
file
has
been erased
or
modified
by
mistake
for
instance.
 With
regards
to
the
network
connec<on,
a
sta<c
IP
address
is
a
necessary
requirement
for
this
kind
of project.
Indeed,
as
the
system
has
to
be
reachable
on
a
permanent
basis,
it
is
faster
and
safer
to
make sure
this
IP
address
won't
change.
If
the
computer
is
provided
with
a
dynamic
IP
address
as
it
is
ohen
the case
for
broadband
connec<ons,
an
external
dynamic
DNS
service
has
to
be
used
and
this
is
not appropriate
in
terms
of
reliability
and
confiden<ality.
This
system
is
expected
to
handle
data
related
to criminal
cases.
For
this
reason,
it
is
safer
that
it
relies
on
its
own
infrastructure. 3.3.2
 Functionalities
 
 When
designing
an
intercep<on
system,
one
of
the
key
point
is
to
make
it
able
to
react
in
real
<me
to any
addi<onal
informa<on
encountered
during
the
inves<ga<on. In
the
current
situa<on,
if
a
new
email
address
is
found
by
the
police
officers
as
being
used
by
the offenders,
it
has
to
be
added
urgently
to
all
of
the
probes
in
the
various
internet
cafes
involved. In 
 a 
 non‐centralized 
 infrastructure 
 it 
 is 
 necessary 
 to 
 append 
 the 
 keyword 
 to 
 every 
 single 
 probe individually.
27 of 124 B. VALENTIN – MSC DISSERTATION
3 Problem Statement

In fact it means that a Police officer in charge has to go into each internet cafe, connect to the probe locally and apply a modification to the filtering rules.

In fact, the police officers from the local police unit sometimes don't have the technical skills to handle such computer systems. Also, it can take much time doing that if the probes are distributed nationwide for a single investigation case.

To avoid this kind of inefficient process, a centralized architecture has been adopted. Actually, if all the probes are connected to a central server on a permanent basis, one single operation is enough to update them all. The modification is applied to the server and this server is responsible for spreading it over the network of probes. No matter how many probes are connected to the infrastructure, the time spent by the user won't be increased.

Since the role of the server is critical in such an infrastructure, it has been decided to make the central Law Enforcement Agency responsible for it. This is the reason for the choice of a centralized architecture instead of a non-centralized one in which each single probe would have been isolated.

Thus, the central part of the solution will be able to propagate additional rules to the local modules without delay through a secure channel. If the offender goes to another Internet cafe under monitoring anywhere in the country, this new string will be detected immediately.

Obviously, with regard to reliability, this channel can be used in both directions. For instance, it can be used by the central server to control the modules as well.
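To make the centralized management concrete, here is an added example (not code from the IPOLE project) modelling the server side of the channel: a single add_rule operation updates every connected probe, and a liveness check flags any probe that has been silent for longer than a timeout, as described in the next paragraph. The class and method names, the probe identifiers and the 300-second timeout are assumptions.

```python
from dataclasses import dataclass, field

HEARTBEAT_TIMEOUT = 300  # seconds of silence before a probe is flagged (assumed)


@dataclass
class Probe:
    probe_id: str
    last_seen: float                  # time of last heartbeat (epoch seconds)
    rules: set[str] = field(default_factory=set)


class CentralServer:
    """Holds the authoritative rule set and the state of every probe."""

    def __init__(self) -> None:
        self.rules: set[str] = set()
        self.probes: dict[str, Probe] = {}

    def register(self, probe_id: str, now: float) -> None:
        # A newly connected probe receives the full current rule set.
        self.probes[probe_id] = Probe(probe_id, now, set(self.rules))

    def heartbeat(self, probe_id: str, now: float) -> None:
        self.probes[probe_id].last_seen = now

    def add_rule(self, keyword: str) -> int:
        # One operation on the server updates every connected probe.
        self.rules.add(keyword)
        for probe in self.probes.values():
            probe.rules.add(keyword)
        return len(self.probes)

    def check_liveness(self, now: float) -> list[str]:
        # Flag every probe silent for longer than the timeout.
        return sorted(p.probe_id for p in self.probes.values()
                      if now - p.last_seen > HEARTBEAT_TIMEOUT)


def demo() -> tuple[int, list[str], bool]:
    """Constructed scenario: three cafes, a new keyword, one probe goes silent."""
    srv = CentralServer()
    for pid in ("cafe-a", "cafe-b", "cafe-c"):
        srv.register(pid, now=1000.0)
    updated = srv.add_rule("suspect@example.net")   # constructed keyword
    srv.heartbeat("cafe-a", now=1400.0)
    srv.heartbeat("cafe-b", now=1400.0)
    flagged = srv.check_liveness(now=1400.0)        # cafe-c silent for 400 s
    consistent = all(p.rules == srv.rules for p in srv.probes.values())
    return updated, flagged, consistent
```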
As it is important that all the modules remain online and stay connected to the server on a permanent basis, the server can be used to ensure that the probes are reachable all the time. Therefore, a flag will be raised each time a module has been disconnected for a while.

3.3.3 Flexibility

An investigation case can be conducted nationwide. Therefore, this central system should be able to receive and take care of data coming from local modules located everywhere across the whole country.

These investigations can also be conducted by numerous Police officers pertaining to various units.

The number of Police officers in charge of a single case should not be limited. Thus, if an event is detected by a module, the central system will be able to inform all of them simultaneously, whether on their email address or on their mobile phone.
Likewise, as this system is designed as and expected to be a central solution, it should be able to handle many investigations from more than one unit at a time.

Indeed, this solution is intended to be managed by a central Law Enforcement Agency. But this unit is not going to conduct all the investigations by itself, even if it takes care of the technical aspects. Analyzing the content data will remain with the local unit, fully aware of the case.

Therefore, if an alert is issued, it has to be sent to the local Police officers as they have the best knowledge of the case and they will assess the real urgency of the event.

3.3.4 Speed

The local modules are intended to be installed in Internet cafes and other public locations providing access to the Internet. Those places are usually frequented by numerous customers during opening hours.

To avoid these people noticing that a detection module is being installed, it has to be put in place as quickly as possible. Therefore, this module needs to be provided with an automated on-site installation procedure which eases operations and shortens the time spent by the Police officer installing the probe.

Once the module is operational, it should begin filtering the traffic immediately.

Currently, the only goal is arresting the individual committing a crime. For doing this, speed is essential at any stage of the process.

The traffic needs to be analyzed in real-time. While the investigation is going on, it would be useless to record the data for further analysis. Existing solutions identified in a previous chapter would take care of this efficiently. Moreover, computer forensic techniques applied to the computer this suspect was using will reveal subsequently what he was doing when he was arrested.

But there is some significant information the Police officers need to know for arresting the man. A very important one is the internal IP address of the computer that the suspect is using. As some Internet cafes have many computers installed, it is important from a Law Enforcement perspective to be able to determine very quickly which one was used by the perpetrator.

In other words, each local module should be able to get and report the private local IP address allocated to the workstation for which the alert is to be sent.

Since it is very important to enter the premises of the internet cafe as quickly as possible, the alerts should be sent by the detection modules without delay.

The solution needs to consider this point as a primary requirement. Indeed, the aim of such a project is not only to identify the computer. The main goal of the Police officers is to arrive on time, when the suspect is still connected to the Internet.

3.3.5 Security

The next requirement imposed by such a project is security. As it is going to take care of data related to criminal investigations, it is mandatory that those data remain confidential except to legitimate users.

No information should be disclosed at any time, either to the suspect or to the manager of the Internet cafe under monitoring. Likewise, if the solution requires Law Enforcement to rely on a third party (a hosting company for instance), the data should not be accessible to this external provider.

Therefore, encryption needs to be considered at two levels.

The first one is the security of the transmission of the data in both the incoming and outgoing directions. Indeed, as the manager of the internet cafe should not know what content is under monitoring, the local modules should not be sensitive to sniffing. This is the reason why the communication has to be encrypted and the data have to be sent through this secure channel over the Internet instead of simply in clear text.

Similarly, the local modules will report the alerts to the central server via this encrypted tunnel. This type of encrypted transmission will be provided by any Virtual Private Network solution.

Next, encryption may be needed for storing the sensitive data on the storage device.

For instance, if the central server is hosted in the facilities of a private company (data center), the employees may potentially have access to all the computers of their customers. Even if the central server is a dedicated computer, used by no other customer, it should not be assumed that no one will ever gain access to the hard drives of this computer.

In fact, if one of the drives has a physical failure, the provider will replace it. But no one can guess in advance what this hard drive will become afterwards. What will happen if the hard disk gets repaired and is allocated to another customer? Basic forensic techniques and data carving operations applied on the drive will allow this new customer to find data related to a criminal investigation.

This would not be suitable at all in terms of confidentiality with regard to judicial material.

Therefore, encryption is a possible solution to protect the sensitive data from non-legitimate access. Even if it doesn't protect them from network access while the server is up and running, it is a good prevention against off-line analysis and data restoration techniques used directly on the hard disk itself.

For security to be increased a little further, the computer needs to be protected against illegal uses from the network as well. Indeed, access to the sensitive data should be restricted to the administrator or to authenticated and allowed users. The system is not intended to be a public service on the internet, open to any user. Instead, it is expected to be a private solution limited to Law Enforcement Agencies.

From a technical point of view, it means that it should be protected by a firewall and that the service should not use well-known ports, which are very sensitive to port scanning. It should rather be configured to operate with ports that won't be guessed easily.

Another important aspect, in terms of security, is the stealth of the solution. As said before, it is recommended that the customers of the Internet cafe don't notice that the traffic is filtered and analyzed in real-time. Thus, the local modules used on-site need to be invisible from the user perspective.

The modules should not appear on the path to the Internet. The users should believe they are connected directly to the Internet, with no additional hop. It will prevent unauthorized access attempts as it will be very difficult for the users to guess there is a probe installed and what its IP address is.

Finally, the last thing to take into consideration in terms of security is the physical equipment itself. Even if this module is installed with the cooperation of the manager of the Internet cafe, it should easily be hidden from customer view.
Therefore, in order to remain discreet, these modules need to be composed of small devices instead of big computers or heavy and cumbersome appliances. This way, they can be easily included in the network equipment of the Internet cafe without being noticed. Furthermore, the fact that the probe has no screen and no keyboard will prevent the manager from being tempted to access it.

3.3.6 Cost

The cost of such a system is among the constraints of every Police unit. How interesting would a solution be that no Law Enforcement Agency can afford because it would exceed the financial possibilities of the Unit?

Indeed, the solution thought of in the scope of this project should be an affordable one. This will ensure that almost every Police Unit can use it. The cheaper it is, the more widely it will be used.

Therefore, instead of being built from commercial solutions, this solution could be composed of open-source components so that it will not cause any unnecessary expenses. Open-source components are now widely deployed and reliable enough to handle such projects.

With respect to the global cost of the solution, it is also important that the hardware configuration is composed of affordable equipment. It is hardly conceivable to use hardware specifically built for this project as this tailor-made solution would be an expensive one. Instead, the project could be achieved by using standard equipment configured to fulfill the required functionalities.

For instance, the local modules to be installed in the Internet Cafes could be composed of existing hardware devices and not standard computers (either laptops or workstations). Even if the price of computers has slightly decreased over the last decade, the required features can be achieved by a cheaper type of equipment.

Furthermore, in case this equipment is stolen from the facilities where it is installed, it won't cause the same loss from a Law Enforcement perspective. The cheaper a piece of equipment is, the less tempting it is for a thief. Also, a robber will understand very obviously what he can do with a computer, whatever it is. But he will probably not steal equipment that appears useless from his point of view.

3.3.7 Legality
Lastly, the adopted solution should match the legal system of the country it is deployed in.

In order to ease the use of this system in terms of legal restrictions, it needs to be a detection and reporting system instead of an interception solution. This point is crucial as national regulations regarding the interception of telecommunications are often very restrictive.

Thus this system won't record the traffic and won't keep any track of the user data. Only some monitored strings will cause alerts to be issued to law enforcement.
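The detect-and-report behaviour described here, combined with the requirement from section 3.3.4 that the alert carry the workstation's private IP address, as an added example that is not the project's own code: the probe answers only "occurrence detected or not" and the alert record has no field in which payload could be retained. The monitored strings, sample packets and field names are constructed, and case-insensitive matching is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed monitored strings, as pushed by the central server (assumed).
MONITORED_STRINGS = ("suspect@example.net", "meetingpoint42")


@dataclass(frozen=True)
class Alert:
    """What leaves the probe: enough to find the workstation, no content."""
    probe_id: str
    internal_ip: str      # private LAN address of the workstation
    matched: str          # which monitored string fired
    timestamp: float


def inspect_packet(probe_id: str, src_ip: str, payload: bytes,
                   now: float, monitored=MONITORED_STRINGS) -> Optional[Alert]:
    """Binary decision: return an Alert if any monitored string occurs in the
    payload, else None. The payload itself is never stored or returned."""
    lowered = payload.lower()
    for needle in monitored:
        if needle.lower().encode() in lowered:
            return Alert(probe_id, src_ip, needle, now)
    return None


def run_capture(probe_id: str, packets, now: float) -> list[Alert]:
    """Process a sequence of (src_ip, payload) pairs seen on the LAN bridge
    and return only the alerts; nothing else is retained."""
    alerts = []
    for src_ip, payload in packets:
        alert = inspect_packet(probe_id, src_ip, payload, now)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample traffic from an internet cafe LAN (not real data).
SAMPLE_PACKETS = [
    ("192.168.1.23", b"GET /mail HTTP/1.1\r\nHost: webmail.example.com\r\n"),
    ("192.168.1.45", b"login=Suspect@Example.net&pw=hunter2"),
    ("192.168.1.23", b"msg=see you at MeetingPoint42 tonight"),
]
```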
This system should be a binary one. The only important point is: "Is any occurrence detected or not?" If it is, the event should be reported urgently to the Police officers in charge of the case since the criminal is currently connected and has to be arrested without delay.

Obviously, if the national legislation of the country requires that the Police Unit obtains a warrant or an authorization from a judge prior to putting a probe in place, this installation should be done with regard to the local legal provisions.

4 Adopted Approach

The previous sections identified the issues encountered by Law Enforcement Agencies in catching a roaming perpetrator and the functionalities a good system would require. This chapter defines an approach to solve the problems that come up by building a cheap detection and alert system for Local Area Networks.

4.1 Overview of overall architecture

As section 3.3 identified the necessity of building a centralized system, the solution is composed of two main components. The first one, called "central server", is located on the Law Enforcement side. The second one is identified as "probe" and has to be installed in-situ at each location to be remotely monitored.

The key point of the selected infrastructure is the central server, which has the responsibility of managing the whole infrastructure. This computer has to stay in contact with the probes on a permanent basis in order to be able to update and monitor them all on demand.

Illustration 4.1: Diagram of the overall architecture

The probes are composed of regular and cheap SOHO routers which have been modified and updated especially for this project. Each probe has been flashed to replace its firmware with a mini Linux operating system in order to be able to implement the features required for the fulfillment of this project.

An ordinary computer such as a laptop could have achieved the same bridging and sniffing functionalities as long as an additional network card had been provided.

But with regard to the constraints on the cost of the overall solution, it was apparent that choosing cheap equipment, already equipped with multiple network cards, was more appropriate.

4.1.1 The central server

The central server is the core of this architecture. It has to perform various tasks and implement several functionalities, on a permanent basis. Therefore, it is crucial that this server remains on-line all the time and stays accessible by the probes all the time.

1 Hosting

Thus, one of the primary considerations about this server is hosting. Indeed, as the whole infrastructure is organized around a central server that has to be reachable all the time, how this computer is hosted is essential for the system to work. There are actually two types of solutions that can be used to host such a computer.

The first one consists in hosting the server in Law Enforcement facilities. It requires that the link connecting the premises to the Internet has a high bandwidth, dedicated to this purpose. This connection should be provided by the ISP with a static IP address. This point is crucial because the probes are going to use the IP address of the server as the endpoint for the virtual private network tunnel.

This type of hosting can bring privacy and security as the physical access to the server can be restricted. It is also a cheap solution as broadband access is nowadays very affordable for any unit.