Book Read Free

Advanced Criminal Investigations and Intelligence Operations

Page 18

by Unknown

(a)

  (b)

  (c)

  Figure 8.14 Harmonica mic (a) and infinity mic (b and c).

  numbers in Google Talk (PC-to-phone texting). Google Voice multiway vid-

  eoconferencing (with support for document sharing) is now integrated with Google+ with Hangouts.

  For VOIP calls, you have to snoop on the user datagram protocol ( UDP)

  packets and then convert to real-time transport protocol ( RTP). So someone connecting to your unsecure wireless router would be able to do this. The UDP is one of the core members of the IP suite (the network protocols used for the Internet). With UDP, computer applications can send messages, in

  this case referred to as datagrams, to other hosts on an IP network without prior communications to set up special transmission channels or data paths.

  The RTP defines a standardized packet format for delivering audio and video over IP networks.

  Such services are not available through Wi-Fi and must be hardwired

  through a computer with an Ethernet connection (using the users’ IP address and router IP). An IP address is a numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the IP

  for communication. An IP address serves two purposes: (1) host or network

  136

  Advanced Criminal Investigations and Intelligence Operations

  interface identification and (2) location addressing. A name indicates what we are looking for, an address indicates where it is located, and a route indicates how to get there.

  Security is usually provided by some type of scrambler like those used

  for IPs to protect Internet activity. One suggestion for added security is to run it on a dedicated machine (e.g., an older Dell Dimension 4500, XP Pro Sp3 with a 1.7 gigahertz [GHz] Intel and 1 GB of RAM) running as a headless server (a computer system or device that has been configured to operate without a monitor, i.e., the missing head, a keyboard, or a mouse). A headless system is typically controlled via a network connection.

  Since you have to first register your new MagicJack (MJ) via your PC, protection against a trojan or a key logger on the PC (which may reveal the MJ nimer) should be used. This means antispyware, malware, virus protection, etc. It is also possible to open an e-mail attachment or visit an infected web page and allow something to be put on your PC. There are also commercially available spying programs that monitor keystrokes and allow spies to see IMs on both sides of the conversation. Once a trespasser gets into a network, he/she may be able to give commands to the target computer to bypass regular proxies and substitute others.

  In computer networks, a proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server, and the proxy server evaluates the request as a way to simplify and control its complexity. Today, most proxies are web proxies, facilitating access to content on the WWW. If you know the trespasser’s IP address, there may be ways to prove who is trespassing by contacting your ISP or the trespasser’s ISP (if you know it).

  Change any and all passwords (including your router’s admin account).

  Many people never change their admin password from “admin.”

  Packet Sniffing on the VOIP Data

  Packet sniffing is used within a network in order to capture and register data flows. Packet sniffing allows you to discern each individual packet and analyze its content based on predefined parameters. Packet sniffing is a form of wiretap applied to computer networks instead of phone networks. It came

  into vogue with Ethernet, which is known as a shared medium network. This means that traffic on a segment passes by all hosts attached to that segment.

  Ethernet cards have a filter that prevents the host machine from seeing traffic addressed to other stations. Sniffing programs turn off the filter and thus see everyone’s traffic.

  Electronic Intelligence and Signals Intelligence

  137

  Packet sniffing, or packet analysis, is the process of capturing any data passed over the local network and looking for any information that may be useful. Most of the time, we system administrators use packet sniffing to trou-bleshoot network problems (like finding out why traffic is so slow in one part of the network) or to detect intrusions or compromised workstations (like a workstation that is connected to a remote machine on port 6667 continuously when you don’t use IRC clients), and that is what this type of analysis originally was designed for. But that didn’t stop people from finding more creative ways to use these tools. The focus quickly moved away from its original intent—so much so that packet sniffers are considered security tools instead of network tools now. Tools like Wireshark, Ettercap, or NetworkMiner give anybody the ability to sniff network traffic with a little practice or training.

  These tools have become increasingly easy to use and continue to make things easier to comprehend, which makes them more usable by a broader user base.

  Steps for Sniffing:

  1.

  Identify your operating system and network structure to determine what kind of packet sniffer to use. Some packet sniffers work across various platforms, but most are written for a specific operating system.

  2.

  Determine if you can capture the traffic that you are concerned about, based upon your network structure. On wired networks, you can sniff packets across the network, depending on the hub or switch that’s

  being used. Check your switch and network setup, since some switches

  may prevent sniffing from another network subnet. On wireless LANs

  (WLANs), you can only monitor traffic on a specified channel.

  3.

  Find out whether the sniffer supports promiscuous mode. It is necessary to set the network adapter on the computer that will do the sniffing to

  promiscuous mode to capture all types of network traffic, not just traffic being sent to the machine or a group that the machine belongs to.

  4.

  Decide how much you want to spend on a packet sniffer. There are

  several options to choose from: free shareware (like Ethereal), sniff-

  ers that are bundled with other software (like Microsoft Network

  Monitor), and fee-based systems (like LANWatch).

  5.

  Research product options from various vendors to determine which is

  best for your needs. Make sure they have documentation, manuals,

  FAQs, and other types of technical support.

  6.

  Download the packet sniffing software and install it according to the manufacturer’s instructions.

  7.

  Configure the software. This varies by application, but generally you will need to set up addresses to capture and choose an interface from

  the menu. For wireless networks, you will have to set the channel to

  be monitored.

  138

  Advanced Criminal Investigations and Intelligence Operations

  8.

  Hit the “Start” button or other command to start monitoring. Choose the “advanced options” to filter incoming results.

  9.

  Select “Stop” to stop the session and “Save” to save the results (pretty self-explanatory).

  10. View the results. You will see each packet’s time, source, destination, protocol used, and general information.

  11. Filter the display or select individual entries. This varies by the type of software but usually shows the results on part of the screen (while

  the entry is highlighted) or in full screen (by double-clicking the

  entry). Most systems allow you to filter the results based on values in

  fields, comparisons between fields, and other options.

  12. Get help from books, online resources, or user forums to le
arn more about how to sniff packets and interpret the results. The results you see on-screen may not be immediately clear until you have some

  experience in learning to decipher them.

  Packet sniffing is a passive technique. No one actually is attacking your computer and looking through the files. It is more like eavesdropping, in that one computer is just listening in on the conversation that another computer is having with the gateway. Typically, most people think that network traffic goes directly from their computers to the router or switch and up to the gateway and then out to the Internet, where it routes similarly until it gets to the specified destination. This is accurate except that the computer isn’t directly sending the data anywhere. It broadcasts the data in packets that have the destination in the header. Every node on your network (or switch) receives the packet, determines whether it is the intended recipient, and then either accepts the packet or ignores it.

  Packet Sniffers: Carnivore and Magic Lantern

  Carnivore and Magic Lantern are methods of intercepting Internet-based

  information, primarily e-mail. The FBI developed Carnivore (referred to as DCS1000 by the FBI), a software tool designed to facilitate the interception of electronic communications on the Internet. Internet messages travel in digital packets that contain a destination, protocol instructions, and a message. Carnivore uses an IP packet sniffer that can select and record a defined subset of the traffic on a network. Packets to be examined by Carnivore can be selected based on IP address, on protocol, or, in the case of e-mail, on the user names in the TO and FROM fields (Foster, 2005, p. 304).

  A sniffer is a program used by network managers to monitor and analyze traffic to detect problems. A sniffer can also be used to capture data being transmitted on a network. A network router analyzes each packet of data

  Electronic Intelligence and Signals Intelligence

  139

  passed to it. The router must determine where to send the information; it may stay on its own network or be passed to the Internet. A router with a sniffer, however, may be able to read the data in the packet. A sniffer can also be a program used to analyze information on a database (Foster, 2005, p. 304).

  In some cases, packets can be selected based on their content. Whenever

  an investigation seeks to intercept the TO and FROM lines, IP address, or user names of an Internet e-mail message, the investigation is “acting much like a pen register in that it is intercepting device-identifying information.”

  This is referred to as the pen mode. However, the Internet transmission can be intercepted in what is called full mode, so the content of the message is also intercepted (Foster, 2005, p. 304).

  Magic Lantern is a computer virus developed by the FBI that is sent

  to and infects a target computer. Once the program has manifested itself, every tap of the target’s fingers on the keyboard is recorded and forwarded to the FBI. This software was developed in order to defeat an offender’s use of encryption technology (Foster, 2005, p. 304).

  Field Expedient Radios

  A crystal radio receiver or cat’s whisker receiver is a simple radio receiver that does not need a battery or power source (Figure 8.15). It runs on the power received from radio waves received by a long-wire antenna. Its most important component is a crystal detector (a diode), originally made with a piece of crystalline mineral such as galena (the natural mineral form of lead sulfide).

  Reduced to its essentials, it consists of four components:

  1. An antenna to pick up the radio waves and convert them to electric currents.

  2. A tuned circuit to select the signal to be received, out of all the signals received by the antenna. This consists of a coil of wire called

  (a) an inductor or tuning coil and (b) a capacitor connected together.

  Antenna

  Detector

  Ear phones

  Tuning coil

  Ground

  Figure 8.15 Crystal radio set.

  140

  Advanced Criminal Investigations and Intelligence Operations

  One or both are adjustable and can be used to tune. In some circuits,

  a capacitor is not used, because the antenna also serves as the capaci-

  tor. The tuned circuit has a natural resonant frequency, which allows

  radio signals at this frequency to pass while rejecting signals of other

  frequencies (Figure 8.16).

  3. A semiconductor crystal detector that extracts the audio signal or modulation from the radio-frequency carrier wave by only allowing current to pass through it in one direction and blocking half of the

  oscillations of the radio wave. Some sets used a cat’s whisker detector or a fine wire touching the surface of a pebble of crystalline mineral

  such as galena.

  4. An earphone or some type of speaker substitute to convert the audio signal to sound that can be heard. The low power produced by crystal

  radios is insufficient to power an unamplified speaker, so earphones

  are usually used.

  A field expedient radio receiver may be made using some basic components

  from commonly found items (Figure 8.17):

  • Something for a base (such as a piece of wood)

  • Lacquer or glue

  • Tacks or screws for fastening components

  • Razor blade

  • Cardboard toilet paper tube

  • Large safety pin

  • Lead from a wooden pencil

  Cardboard

  Condenser

  Cardboard

  Tin foil with cellophane

  between copper strips

  1 1/4 inches

  Tape edges

  Figure 8.16 Homemade capacitor or condenser.

  Electronic Intelligence and Signals Intelligence

  141

  Coldwater pipe for ground

  Coil made of 120 turns of wire

  Antenna

  Pencil point

  connection

  Razor blade

  Safety pin

  Earphones

  Figure 8.17 Field expedient radio receiver.

  • #22 AWG (or so) wire

  • Wire coat hanger or other strip of workable metal

  • Headphones or earphone (2–4 kΩ)

  4G Broadband Public Safety Communications

  The latest version mobile broadband communications is 4G, and it represents a significant increase in speed and capacity for the exchange of mobile data.

  4G is the fourth generation of mobile phone and communications technology standards. 5G (fifth-generation mobile networks or fifth-generation wireless systems) is a term used to denote the next major phase of mobile telecommunications standards beyond the current 4G/IMT-Advanced Standards.

  Broadband wireless technology enables police agencies to use pocket-

  sized handheld devices that have capabilities to stream live on-scene video of an incident to the nearby EOC. Increased bandwidth can turn a patrol car on-scene into a Wi-Fi hotspot. For police video, the 3G experience of 100 ms

  of latency wasn’t good enough for real-time streaming. The new mobile broadband system can deliver about 30 ms latency, a 70 ms difference.

  Future-proof devices are ruggedized communication devices with capabilities in the public safety band spectrum and the ability to operate as vehicular modems for devices that are portable and multifaceted and have

  reasonable battery life.

  Band 14 refers to the frequency spectrum allocated for public safety use.

  In July 2007, the Federal Communications Commission (FCC) revised the

  700 MHz band plan and service rules to promote the creation of a nation-

  wide interoperable broadband network for public safety and to facilitate the availability of new and innovative wireless broadband services for consumers.

  142

  Advanced Criminal Investigations and Intelligence Operations

  The commission desi
gnated the lower half of the 700 MHz public safety band (763–768 and 793–798 MHz) for broadband communications. The commission also consolidated existing narrowband allocations to the upper half of the 700 MHz public safety block (769–775 and 799–805 MHz). Further, in

  order to minimize interference between broadband and narrowband opera-

  tions, the commission adopted a one megahertz guard band (768–769 and 798–799 MHz) between the public safety broadband and narrowband seg-ments. Finally, the commission established a single nationwide license—the Public Safety Broadband License—for the 700 MHz public safety broadband

  spectrum.

  Since broadband is broadband, local network control can be done at the

  end-user level. If multiple units from multiple jurisdictions are responding to an incident, the net controller can isolate the incident. End users will still be on the same network, and it really won’t look any different to the end user.

  Band 14: 700 MHz Public Safety Band

  • 763–768 and 793–798 MHz broadband communications (lower half of the 700 MHz public safety block)

  • 769–775 and 799–805 MHz narrowband allocations (upper half of the 700 MHz public safety block)

  • 768–769 and 798–799 MHz— one megahertz guard band to minimize interference between broadband and narrowband operations

  Routers

  A standard modem al ows you to connect one computer to the Internet at a

  time. A router al ows you to connect one or more computers at a time. It is cal ed a router because signals are being routed back and forth. Routers are manufactured by various companies, such as Linksys, Belkin, D-Link, and Netgear.

  Routers intended for ISP and major enterprise connectivity usually

  exchange routing information using the Border Gateway Protocol (BGP).

  The main purpose of a router is to connect multiple networks and forward

  packets destined either for its own networks or other networks. Another

  function a router performs is to decide which packet should be processed

  first when multiple queues exist. Routers also perform what is called

  policy-based routing where special rules are constructed to override the rules derived from the routing table when a packet forwarding decision is made. These functions may be performed through the same internal paths

 

‹ Prev