Page 1: VoIP Forensics Presentation
By Gary Arstein-Kerslake
May 13, 2009

Page 2: Topics for Presentation
• Background
• Forensics Challenges Presented by VoIP
• Legal Framework Related to VoIP Forensics
• Technologies Underlying VOIP Systems
• How Cisco “Corporate” VOIP Works
• Forensics Options with Cisco VOIP
• How Skype Peer-to-Peer VOIP Works
• Forensics Options with Skype VOIP
• Skype as Model for Secure “Obfuscated” System

Page 3: Summary re: VoIP Forensics
• VoIP is a technically complex environment
• Will expand thru 2020, esp. among business users
• Corporate commercial VoIP provides for effective forensics
• Forensic tools (e.g., FTK/SilentRunner) will improve
• Some P2P products, like Skype, will remain resistant to forensics analysis, although options may exist
• Skype is dynamic, self-healing; very secure partly through obfuscation (unfortunately for purists!)

Opinion: VoIP forensics will be easier in 2020+ … “Personal” cell phones will integrate into business systems and eclipse “VoIP”; telecom carriers will be service providers - therefore CALEA-like services will be available!

Page 4: Where We Are Now with VoIP
• Since 2000, rapid consumer & commercial growth
• Vonage (2.6M customers)
• AT&T U-Verse (1M cust.)
• Cisco VoIP product placement in “The Office” and “24”
• Cisco creates Exec “phone envy”

VoIP becoming commonplace … Forensics requirements becoming more important!

Page 5: Four Major Categories of VoIP
1. Consumer-use, consumer-hosted: “peer-to-peer” products like Skype, VOIP Buster, Google Talk, Yahoo Messenger
2. Consumer-use, vendor-hosted: Vonage, AT&T (U-Verse), etc.
3. Commercial-use, vendor-hosted: AT&T, Covad, Verizon, etc.
4. Commercial-use, internally-hosted: Cisco, Nortel, Avaya, Microsoft (Communications Server), etc.

Note: There are also open source VOIP products available such as Asterisk; the same general issues regarding VOIP forensics apply to these products also.

Page 6: Consumer-Use “Peer-to-Peer” VoIP
• Skype is perhaps most successful within this category.
• Skype initially released in late 2003.
• By late 2003, ~25% of US households had high-speed broadband; Skype user base increases significantly.
• In September 2005, eBay purchased Skype for $2.5 billion.
• Now, a large variety of other consumer-based commercial and “noncommercial” products similar to Skype.

Page 7: Commercial “Business” VOIP
• Commercial VOIP also seeing rapid growth. Top five vendors account for 75% of total market revenue: Avaya, Cisco, Nortel, Siemens, & Alcatel-Lucent
• Wide-area telecom costs have dropped substantially
• Businesses begin migration from traditional phone systems to VoIP, ostensibly to reduce costs.
• Potential saving from combining voice & data networks
• The reality … often significant upfront costs for conversion to VOIP.

Page 8: “Business” VOIP (continued)
• VOIP offers richer & more well-integrated phone services such as customer acct info within the VOIP session.
• All major telecommunications vendors (Sprint, Verizon/MCI, and AT&T) now offer VOIP services.
• Recent integration of VOIP services with e-mail and calendar yields Unified Messaging.
• Unified Messaging market in 3Q 2008 is $3.1 billion, with Avaya (22%), Cisco (18%) and Nortel (11%).
• Microsoft joins the party with Communications Server 2007 for “IP Telephony and Video (Telepresence)”

Page 9: Forensic Challenges of VOIP
• New technology; forensic specialists w/ limited experience
• Commercial VoIP likely well-documented and accessible… Consumer-based products will not be.
• Many are standards-based (TCP/IP, H.323, SIP, etc.), but less standardization on content storage (history, etc.)
• Limited # of commercial VoIP forensics products (AccessData’s FTK/SilentRunner & the NetScout product)
• P2P VoIP like Skype presents challenges due to int’l use and fully distributed deployment and operation.
• VoIP susceptible to all standard security-related problems affecting computers/networks (DOS attack, patches, etc.)

Page 10: Legal Issues Re VOIP Forensics
• VoIP largely audio/visual; other areas text-based
• Same legal distinction between transaction info & message contents: (ph#, date, time, duration vs. recording of “phone conversation”)
• Title I of ECPA protects wire, oral, and electronic communications in transit (Wire Tap Act);
• Title II protects communication held in electronic storage;
• Title III prohibits the use of pen register and/or trap and trace devices to record dialing, routing, addressing, and signalling information.

Page 11: Legal Framework (continued)
• Same exceptions for real-time interception and/or stored content and/or transactional information: court order (warrant or subpoena), consent of a party to the communication, and provider self defense such as when a hacker or intruder is “attacking” a system
• Recommendation for business-related VOIP systems: Establish consent for VoIP “forensics” via stipulation in employment agreement and “conditions of use” banners.

Page 12: Legal Framework (continued)
• NEW for VOIP systems - U.S. Communications Assistance for Law Enforcement Act (CALEA) … passed in 1994
• Law enforcement found many early VOIP-type systems prevented them from performing lawful “wiretaps”
• CALEA requires telecom carriers to provide for “wiretap” interception of communications for law enforcement
• Applies to common carriers & interconnected VoIP providers (ISP-like)
• CALEA requirements benefit VOIP forensic analysis.

Page 13: Technologies Underlying VOIP
• IP-based networks… typically no “long distance” charge
• Often allows collapsing voice & data networks into one.
• Variety of hardware and handset options: software-only, to low-cost USB devices, to expensive “executive” handsets … to telepresence systems
• Most systems are standards-based, using Session Initiation Protocol (SIP) with various codecs
• “Chat” and messenger programs now also incorporate VoIP voice and video
• Commercial VoIP systems extend beyond the basic call routing functions to provide many other services.

Page 14: Info on Several Popular VoIP Clients

Program | Operating System | Licensing | Protocols | Encryption
AOL Instant Messenger | MS Windows, Mac OS, Linux | Freeware | SIP (MS Windows ver. only) | Unknown
Cisco IP Communicator | Windows | Closed Proprietary | SCCP (Skinny) | sRTP
Coccinella | FreeBSD, Linux, Mac OS X, Windows | GPL Free software | XMPP | TLS/SSL and SASL
Google Talk | Mac OS X, Windows XP/2000 | Freeware | XMPP | Unknown
Lotus Sametime | Linux and Microsoft Windows, Mac OS X | Closed Proprietary | SIP, SIMPLE, T.120 and H.323 | Unknown
OfficeSIP Messenger | Microsoft Windows | Freeware | SIP (UDP, TCP, TLS) and RTP (media) | Unknown
SIP Communicator | Linux, Mac, Windows XP/2000 (all Java supported) | LGPL free software | SIP/SIMPLE, Jabber | Secure calls with zRTP planned for 1.0-rc1
Skype | Windows 2000/XP, Mac OS X, Linux (32-bit i386 only), Windows Mobile, iPhone | Freeware | Proprietary P2P protocol | RC4, AES, packet compression, 1024 bit RSA/PKI
Yahoo! Messenger | Microsoft Windows, Mac OS (8, 9, X) (Linux/FreeBSD version not VoIP capable) | Freeware | SIP (using TLS) and RTP (media) | Unknown

Page 15: Cisco “Corporate VoIP”
• Cisco Unified Communications Manager (CUCM), formerly CallManager (CCM)
• Software-based call-processing system developed by Selsius Systems, purchased by Cisco in 1998.
• Enterprise-class VoIP call-processing system including advanced capabilities, such as mobility, presence, preference, and rich conferencing services.
• Cisco “CallManager” handles all call processing functions, including even connectivity to the PSTN.

Page 16: (no text on this slide)

Page 17: Cisco “Corporate VoIP” (continued)
• Uses proprietary Skinny Client Control Protocol (SCCP) for signaling hardware endpoints such as IP Phones.
• Uses std. H.323, Media Gateway Control Protocol (MGCP) or SIP to pass call signaling to gateways
• Supports unified messaging, videoconferencing, contact centers, etc. via open telephony APIs.
• Provides a scalable, distributable, and highly available enterprise VoIP for from 1 to 30,000 IP phones per cluster.
• Supports quality of service (QoS) across WAN links
• Can automatically divert calls to PSTN if WAN congested
• Includes security features to ensure integrity & privacy

Page 18: Forensics Options w/ Cisco VoIP
• Cisco VoIP - full-featured, comprehensive, and expensive.
• Cisco VoIP is complex; so there is a CCVP certification (Cisco Certified Voice Professional). … Complexity may warrant analysis by a VoIP forensics expert.
• Some info for forensics includes: Cisco CallManager tracing; Windows Event Logs; configuration file (.cnf or .cnf.xml) of the IP phone; sniffer trace between the IP phone and Cisco CallManager
• Next few screen shots demonstrate the types of information available in enterprise products like Cisco for the forensics analyst
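As an added example (not from the presentation), the transaction-info vs. message-content distinction from the legal-framework slide applied to the last item above, a sniffer trace between a phone and the call manager: the script recovers call-detail records (who dialled whom, when, outcome, talk time) from the SIP signalling alone and never parses the RTP media. It assumes a SIP-signalled call (a Cisco phone on SCCP carries the same kind of information in a different encoding); the trace, extensions and Call-IDs are constructed.

```python
"""Derive call-detail records (caller, callee, start time, talk time) from a SIP signalling
trace without opening the RTP media. Added example for this page, not from the presentation;
the capture, extensions and Call-IDs below are constructed."""
import re
from datetime import datetime

# Constructed sniffer output: "<timestamp> <SIP start line>" then the headers used here,
# messages separated by a blank line. ACKs and RTP packets are omitted for brevity.
SAMPLE_TRACE = """\
2009-05-13 14:02:11 INVITE sip:2002@pbx.example.local SIP/2.0
From: "Alice" <sip:2001@pbx.example.local>;tag=a1
To: <sip:2002@pbx.example.local>
Call-ID: 7f3c9d@10.0.0.21

2009-05-13 14:02:15 SIP/2.0 200 OK
From: "Alice" <sip:2001@pbx.example.local>;tag=a1
To: <sip:2002@pbx.example.local>;tag=b7
Call-ID: 7f3c9d@10.0.0.21

2009-05-13 14:05:40 BYE sip:2001@10.0.0.21 SIP/2.0
From: <sip:2002@pbx.example.local>;tag=b7
To: "Alice" <sip:2001@pbx.example.local>;tag=a1
Call-ID: 7f3c9d@10.0.0.21

2009-05-13 14:10:02 INVITE sip:2003@pbx.example.local SIP/2.0
From: "Alice" <sip:2001@pbx.example.local>;tag=c4
To: <sip:2003@pbx.example.local>
Call-ID: 91ab20@10.0.0.21

2009-05-13 14:10:03 SIP/2.0 486 Busy Here
From: "Alice" <sip:2001@pbx.example.local>;tag=c4
To: <sip:2003@pbx.example.local>;tag=d9
Call-ID: 91ab20@10.0.0.21
"""
URI_RE = re.compile(r"<sip:([^@>]+)@")  # extension/user part of a SIP URI


def parse_messages(trace):
    """Yield (timestamp, start line, headers) for each SIP message in the trace."""
    for block in trace.strip().split("\n\n"):
        lines = block.splitlines()
        stamp = datetime.strptime(lines[0][:19], "%Y-%m-%d %H:%M:%S")
        yield stamp, lines[0][20:], dict(h.split(": ", 1) for h in lines[1:])


def call_detail_records(trace):
    """One record per Call-ID: who dialled whom, when, outcome, talk time in seconds."""
    cdrs = {}
    for stamp, start, hdr in parse_messages(trace):
        rec = cdrs.setdefault(hdr["Call-ID"], {"answered": None, "duration_s": 0,
                                               "outcome": "no answer"})
        if start.startswith("INVITE"):
            # The INVITE fixes the roles: a BYE may later come from either party.
            rec["caller"] = URI_RE.search(hdr["From"]).group(1)
            rec["callee"] = URI_RE.search(hdr["To"]).group(1)
            rec["dialled"] = stamp
        elif start.startswith("SIP/2.0 200") and rec["answered"] is None:
            rec["answered"], rec["outcome"] = stamp, "answered"
        elif start.startswith("SIP/2.0 4"):
            rec["outcome"] = start.split(" ", 1)[1]  # e.g. "486 Busy Here"
        elif start.startswith("BYE") and rec["answered"] is not None:
            rec["ended"] = stamp
            rec["duration_s"] = int((stamp - rec["answered"]).total_seconds())
    return cdrs
```

The first call yields a 205-second answered record; the second, rejected with 486, yields a zero-duration record with the rejection reason, which is exactly the pen-register-style data the slide contrasts with a recording.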

Page 19: (screenshot slide)
Note the variety of different protocols for trace filtering: H.245, PRI, ISDN, H.225, MTP, CDR, MGCP, SIP, etc.
… Implies a level of VoIP networking knowledge that may call for specialized VoIP forensics expertise.

Page 20: (screenshot slide)
Earlier versions supported only System Diagnostic Interface (SDI) and wrote run-time events and traces to these log files. Later versions of CallManager support the more detailed SDL (Signal Distribution Layer) tracing.
Again, note variety of trace options available – Must be “new” layer terminology as TCP is usually either layer 3 (of 4) or 4 (of 7)

Page 21: Can Cisco Support CALEA?
Yes! Cisco indicates how to configure their BTS 10200 Softswitch Central Office (CO) switching systems to support “wire taps”. Users are also referred to “RFC 3924 Cisco Architecture for Lawful Intercept in IP Networks”

Page 22: Skype P2P VoIP
• A little history … written by three Estonia-based developers, and Swedish-born entrepreneurs Niklas Zennström and Janus Friis
• Originally developed Kazaa, a very popular peer-to-peer file sharing application … Mostly music files!
• Kazaa was very P2P & eliminated the ‘coordination point’ that led to the legal challenges and shutdown of Napster
• Kazaa was also challenged in court although court findings were inconclusive
• In 2002, Zennström and Friis founded the Skype Group, named for their project: "Sky peer-to-peer".

Page 23: Skype P2P VoIP Client
Clearly a stroke of genius for them to see the technical commonality of “music” file exchange and real-time audio, along with the insight that “personal audio” like phone calls have no licensing restrictions!

Page 24: How Skype Works!
Only three basic elements constitute the Skype Network:
• Skype Client (SC) – a computer running the Skype client to place voice calls, send text messages, and transfer files.
• Skype SuperNode (SN) – an elevated form of a Skype Client w/ a public IP, reasonable CPU & memory, & fast Internet connection. When a client becomes a SuperNode, it acquires server functionalities for call routing & collects & retains info about other SuperNodes.
• Skype Login server (LS) – a server(s) administered by Skype that stores the Global Index directory of all Skype users, passwords, buddy lists, etc.

Page 25: How Skype Works! (continued)
• More on Skype Login Server - Other sources indicate this is decentralized “as a multi-tiered network where supernodes communicate in such a way that every node in the network has full knowledge of all available users …[allowing Skype to] intelligently route encrypted calls through the most effective path possible”
• Host cache (HC) – Each client machine retains and updates info on some supernode IP addresses and port pairs. It is believed that the Skype Client app has some “hard-coded” information regarding a small # of fairly static “bootstrap” SuperNodes that are added to the Host Cache at installation.

Page 26: How Skype Works! (continued)
• Via supernodes, Skype clients discover aspects of their network environment (e.g., firewall restrictions, NATing)
• Clients that are non-firewalled w/ public IPs (helper nodes?) assist NAT’ed nodes by routing calls as a proxy.
• Calls are encrypted end-to-end.
• As a result of this architecture, Skype works behind most firewalls and gateways with no special configuration.
• Skype also allows an interface to PSTN for incoming and outgoing calls.

Page 27: Where are the Skype Supernodes?
The image below depicts the distribution of the estimated 20,000-plus Skype Supernodes throughout the world in 2006.

Page 28: Forensics Options with Skype
• Not too many!
• Skype does support filtering of text from chat sessions (e.g., in China), but text is not speech!
• Skype may be able to meet CALEA for interception of call control information … How? If a client were redirected to a “Skype-controlled” supernode … physically located within a jurisdiction covered under CALEA, then the supernode could possibly collect call control info.
• Since Skype issues the encryption keys during a session, theoretically could also capture audio for later decryption … hypothetical, not tested.

Page 29: Forensics Options (continued)
• Can review system logs or registry settings to determine when Skype was recently used.
• Can use Skype’s searchable user database to provide an option for tracking persons. (Example of Meredith Kercher murder trial in Italy: [one of the key suspects Rudy Hermann] “Guede left Perugia, but he kept checking Facebook for messages from friends. The Communications Police arranged for one of those to contact Guede using Skype from their office, and as the two chatted, the cops traced Guede to a computer in Dusseldorf.”)
• Might be able to coax Skype user to Skype-Out and Skype-In which connects to the PSTN, then use traditional “wiretap”.

Page 30: Skype … A Secure “Obfuscated” System
Basically, it appears that Skype developers have gone to great lengths to obfuscate the code and operations of the Skype client which, in conjunction with well-known security mechanisms such as PKI, RC4, AES, etc. should yield a highly secure system that is very resistant to forensic analysis … It is!

End of VoIP Forensics Presentation

Questions?

Page 31: Skype … A Secure “Obfuscated” System
From a network security administrator point of view:
• Almost everything is obfuscated (looks like /dev/random)
• Peer to peer architecture
• Many peers
• No clear identification of the destination peer
• Automatically reuses proxy credentials
• Traffic even when software is not used (pings, relaying)
• Looks like exfiltration (encrypted traffic on strange ports, night activity)
• Jams the signs of real information exfiltration

From http://www.secdev.org/conf/skype_BHEU06.pdf
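Turning the administrator’s list above into detection logic, as an added example that is not from the presentation or the cited secdev talk: each flow is scored for random-looking payload, encrypted traffic on a port where it is not expected, and night-time activity, and a host talking to many distinct peers gets a further mark; only hosts that trip several signs are reported. The flow records, port list and thresholds are constructed placeholders.

```python
"""Score network flows for the signs the slide lists: payload that looks like /dev/random,
encrypted traffic on ports where it is not expected, night activity and many peers.
Added example for this page, not from the presentation; the flow records, port list and
thresholds are constructed and would need tuning against a real baseline."""
import math
from collections import Counter, defaultdict
from datetime import datetime

EXPECTED_ENCRYPTED_PORTS = {443, 22, 993, 995}  # constructed policy: TLS/SSH/IMAPS/POP3S
NIGHT_HOURS = range(0, 6)                       # 00:00-05:59 counts as "night activity"
ENTROPY_THRESHOLD = 7.0                         # bits/byte; plaintext protocols sit well below
MANY_PEERS = 4                                  # distinct remote hosts per source host

# Constructed payload samples: the first is as uniform as 256 bytes can be (entropy 8.0),
# the second is ordinary plaintext HTTP.
RANDOMISH = bytes(range(256))
PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: intranet.example.local\r\n\r\n"

# Constructed flow records: (timestamp, source, destination, dst port, payload sample).
FLOWS = [
    ("2009-05-13 10:15:02", "10.0.0.21", "203.0.113.5", 443, RANDOMISH),
    ("2009-05-13 10:16:40", "10.0.0.21", "198.51.100.7", 80, PLAINTEXT),
    ("2009-05-13 02:10:11", "10.0.0.42", "203.0.113.9", 41239, RANDOMISH),
    ("2009-05-13 02:11:35", "10.0.0.42", "192.0.2.33", 56001, RANDOMISH),
    ("2009-05-13 02:12:50", "10.0.0.42", "192.0.2.77", 60012, RANDOMISH),
    ("2009-05-13 02:14:07", "10.0.0.42", "203.0.113.15", 39001, RANDOMISH),
]


def byte_entropy(payload):
    """Shannon entropy in bits per byte; 8.0 is what /dev/random output would give."""
    n = len(payload)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())


def flow_indicators(stamp, dport, payload):
    """Set of per-flow signs from the slide that this single flow exhibits."""
    signs = set()
    if byte_entropy(payload) >= ENTROPY_THRESHOLD:
        signs.add("random-looking payload")
        if dport not in EXPECTED_ENCRYPTED_PORTS:
            signs.add("encrypted traffic on strange port")
    if datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").hour in NIGHT_HOURS:
        signs.add("night activity")
    return signs


def suspicious_hosts(flows):
    """Aggregate signs per source host and report hosts showing at least two of them."""
    signs_by_host, peers_by_host = defaultdict(set), defaultdict(set)
    for stamp, src, dst, dport, payload in flows:
        signs_by_host[src] |= flow_indicators(stamp, dport, payload)
        peers_by_host[src].add(dst)
    for src, peers in peers_by_host.items():
        if len(peers) >= MANY_PEERS:
            signs_by_host[src].add("many peers")
    # A single TLS session to a normal port at 10:00 is not worth an alert; a host
    # that trips several signs at once is what the slide describes.
    return {src: sorted(s) for src, s in signs_by_host.items() if len(s) >= 2}
```

Note that the same logic also flags genuine exfiltration, which is the slide’s last point: Skype-style traffic and real data theft look alike to the network administrator.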

Page 32: Skype … A Secure “Obfuscated” System

Page 33: Skype … A Secure “Obfuscated” System
• Each checksumer is a bit different: they seem to be polymorphic
• They are executed randomly
• The pointers initialization is obfuscated with computations
• The loop steps have different values/signs
• Checksum operator is randomized (add, xor, sub, ...)
• Checksumer length is random
• Dummy mnemonics are inserted …

Page 34: Skype … A Secure “Obfuscated” System