E-DETECTIVE - Computer Forensic Decision


Wireless-Detective
WLAN 802.11a/b/g/n Interception System
Decision Group
www.edecision4u.com
Introduction to Wireless-Detective System
WLAN IEEE 802.11a/b/g/n Interception and Forensics Analysis System
The Smallest, Mobile, Portable and most Complete WLAN Lawful Interception System in the World!
• Scans all WLAN 802.11a/b/g/n 2.4 and 5.0 GHz channels for Access Points and STAs.
• Captures/sniffs WLAN 802.11a/b/g/n packets.
• Real-time decryption of WEP key (WPA Optional Module)
• Real-time decoding and reconstruction of WLAN packets
• Stores data in raw and reconstructed content
• Displays reconstructed content in Web GUI
• Hashed export and backup
All in One System!
Important Tool for Intelligence Agencies such as Police, Military, Forensics, Legal and Lawful Interception Agencies.
Notes: Pictures and logo are property of designated source or manufacturer
Wireless-Detective – Implementation Diagram (1)
Wireless-Detective Standalone System - Captures WLAN packets transmitted over the air, ranging up to 100 meters or more (by using an enhanced system with a High Gain Antenna).
WLAN Lawful Interception – Standalone Architecture
Wireless-Detective Deployment (Capture a single channel, a single AP or a single STA)
Wireless-Detective – Implementation Diagram (2)
Wireless-Detective Distributed – Extreme Implementation
Utilizing multiple/distributed Wireless-Detective systems (Master – Slave) to conduct simultaneous capture, forbidding and location estimation functions.
WLAN Lawful Interception – Distributed Architecture
Wireless-Detective Deployment (Utilizing a minimum of 2 systems (Master & Slaves) for simultaneous capturing/forbidding functions. Capture a single channel, a single AP or a single STA)
Notes: For capturing multiple channels, each Wireless-Detective (WD) can be reconfigured to act as a standalone system. For example: deploy 4 WD systems, each capturing on one single channel.
Wireless-Detective – AP Info – Capture Mode (1)
Displaying information of Wireless Devices (AP) in the surrounding area.
Obtainable Information: MAC of Wireless AP/Router, Channel, Mbps, Key, Signal Strength, Beacons, Packets, SSID, Number of Stations Connected.
Wireless-Detective – STA Info – Capture Mode (2)
Displaying information of Wireless Devices (STA) in the surrounding area.
Obtainable Information: Client MAC Address, Signal Strength, Packets, AP MAC Address, Key (Encrypted or Unencrypted), SSID.
Wireless-Detective – Forbidder Mode
WLAN Jammer/Forbidder Implementation in Wireless-Detective system:
1. Forbid connectivity of STA
2. Forbid connectivity of AP
Wireless-Detective – AP/STA Info – Forbidder Mode
Forbid AP (stop any STA from connecting to the AP) or Forbid STA (stop the STA from connecting to any AP).
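Forbidder/jammer functions of this kind are typically implemented by injecting 802.11 deauthentication or disassociation frames (an assumption; the deck does not say how WD does it). As an added example that is not part of the product, here is the defender's counterpart in Python: a detector that parses management frames and alerts on a burst of deauth/disassoc frames from one sender, which is what a wireless IDS on the affected network would see. The frames and MAC addresses are constructed inline.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 0xC, 0xA            # 802.11 management subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"

def parse_mgmt(frame: bytes):
    """(subtype, receiver, sender, reason) for a management frame, else None.
    The 2-byte reason code is only meaningful for deauth/disassoc bodies."""
    if len(frame) < 26 or (frame[0] >> 2) & 0x3 != 0:        # type 0 = management
        return None
    subtype, reason = frame[0] >> 4, struct.unpack_from("<H", frame, 24)[0]
    return subtype, frame[4:10].hex(":"), frame[10:16].hex(":"), reason

class DeauthFloodDetector:
    """Alert when one sender emits >= threshold deauth/disassoc frames within window_s seconds."""
    def __init__(self, window_s: float = 5.0, threshold: int = 10):
        self.window_s, self.threshold = window_s, threshold
        self.seen, self.alerts = defaultdict(deque), []     # sender MAC -> recent timestamps

    def feed(self, ts: float, frame: bytes):
        p = parse_mgmt(frame)
        if p is None or p[0] not in (DEAUTH, DISASSOC):
            return None
        _, recv, send, reason = p
        q = self.seen[send]
        q.append(ts)
        while q and ts - q[0] > self.window_s:              # drop timestamps outside the window
            q.popleft()
        if len(q) < self.threshold:
            return None                                      # a lone deauth is normal roaming/teardown
        alert = {"sender": send, "target": recv, "count": len(q),
                 "broadcast": recv == BROADCAST, "reason": reason}
        self.alerts.append(alert)
        q.clear()                                            # one alert per burst
        return alert

def mk_deauth(dst: str, src: str, bssid: str, reason: int = 7) -> bytes:
    """Constructed deauth frame (FC 0xC0, no flags, duration 0, seq 0) for the demo."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return b"\xc0\x00\x00\x00" + mac(dst) + mac(src) + mac(bssid) + b"\x00\x00" + struct.pack("<H", reason)

def run_demo() -> list:
    """One legitimate deauth, then a burst of 12 broadcast deauths spoofing the AP's MAC."""
    ap, sta = "02:00:00:00:aa:01", "02:00:00:00:bb:02"        # made-up addresses
    det = DeauthFloodDetector()
    det.feed(0.0, mk_deauth(sta, ap, ap, reason=3))           # reason 3: station is leaving
    for i in range(12):
        det.feed(30.0 + 0.1 * i, mk_deauth(BROADCAST, ap, ap))
    return det.alerts
```

Raising the threshold or window tunes false positives from legitimate roaming; 802.11w (protected management frames) is the standard mitigation, since spoofed deauth frames then fail integrity checking at the client.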
Cracking/Decryption of WEP/WPA Key (1)
WEP Key Cracking/Decryption can be done by the Wireless-Detective System!
Auto Cracking (System Default) or Manual Cracking
1) WEP Key Cracking/Decryption (64, 128, 256 bit key):
Active Crack – By utilizing ARP packet injection (possibly 5-20 minutes)
Passive Crack – Silently collect Wireless LAN packets
64-bit key – 10 HEX (100-300MB raw data / 100K-300K IVs collected)
128-bit key – 26 HEX (150-500MB raw data / 150K-500K IVs collected)
2) WPA-PSK Key Cracking/Decryption (Optional Module Available):
WPA-PSK cracking is an optional module. By using an external server with a Smart Password List and GPU Acceleration Technology, the WPA-PSK key can be recovered/cracked.
Notes:
The time taken to decrypt the WEP key in passive mode depends on the amount of network activity.
The time to crack a WPA-PSK key depends on the length and complexity of the key. Besides, it is compulsory to have the WPA-PSK handshake packets captured.
Cracking/Decryption of WEP Key (2)
Automatic: System auto cracks/decrypts WEP key (default)
Manual: Capture raw data and crack/decrypt WEP key manually
Automatic Cracking
Key Obtained
Cracking/Decryption of WEP Key (3)
Automatic: System auto cracks/decrypts WEP key (default)
Manual: Capture raw data and crack/decrypt WEP key manually
Cracking Manually
Cracking/Decryption of WEP Key (4)
WEP Key Cracked!
Select the wireless network manually for cracking. If the raw data contains enough IVs, the WEP key can be cracked almost instantly.
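The slides above separate networks into WEP (recoverable from collected IVs) and WPA/WPA2-PSK (recoverable only with a captured handshake and a password list). An added example, not the vendor's code: a Python beacon classifier a defender can run over a capture to find which of their own networks fall into each class, reading the privacy capability bit and the RSN (tag 48) and Microsoft WPA (tag 221, OUI 00:50:F2) information elements. Beacons, BSSID and SSIDs are constructed inline.

```python
import struct

PRIVACY = 0x0010                        # capability bit 4: privacy; WEP unless an RSN/WPA IE is present
TAG_SSID, TAG_RSN, TAG_VENDOR = 0, 48, 221
OUI_IEEE, OUI_MSFT = b"\x00\x0f\xac", b"\x00\x50\xf2"
CIPHER, AKM = {2: "TKIP", 4: "CCMP"}, {1: "802.1X", 2: "PSK"}

def suite_list(val: bytes, off: int, table: dict):
    """Parse 'count(2) + N x (OUI(3) type(1))'; return (names, next offset)."""
    n = struct.unpack_from("<H", val, off)[0]
    return [table.get(val[off + 5 + 4 * i], "?") for i in range(n)], off + 2 + 4 * n
def keymgmt(val: bytes, label: str) -> str:
    """RSN IE and WPA IE share this layout: version(2) group(4) pairwise-list AKM-list."""
    ciphers, off = suite_list(val, 6, CIPHER)
    akms, _ = suite_list(val, off, AKM)
    return f"{label}-{'PSK' if 'PSK' in akms else '802.1X'} ({'/'.join(ciphers)})"

def classify_beacon(frame: bytes) -> tuple:
    """Return (ssid, security label) from one raw 802.11 beacon frame."""
    body = frame[24:]                               # past the MAC header
    cap = struct.unpack_from("<H", body, 10)[0]     # after timestamp(8) + interval(2)
    off, ssid, rsn, wpa = 12, "", None, None
    while off + 2 <= len(body):                     # walk the tagged parameters
        tag, ln = body[off], body[off + 1]
        val, off = body[off + 2:off + 2 + ln], off + 2 + ln
        if tag == TAG_SSID:
            ssid = val.decode(errors="replace")
        elif tag == TAG_RSN:
            rsn = val
        elif tag == TAG_VENDOR and val[:4] == OUI_MSFT + b"\x01":
            wpa = val[4:]                           # strip OUI + type; the rest matches the RSN layout
    if rsn is not None:
        return ssid, keymgmt(rsn, "WPA2")
    if wpa is not None:
        return ssid, keymgmt(wpa, "WPA")
    return ssid, "WEP" if cap & PRIVACY else "Open"

# Constructed beacons (made-up BSSID and SSIDs, not captured traffic) to exercise the classifier.
def make_ie(tag: int, val: bytes) -> bytes:
    return bytes([tag, len(val)]) + val
def make_beacon(ssid: str, cap: int, extra: bytes = b"") -> bytes:
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" * 2 + b"\x00\x00"
    return hdr + b"\x00" * 8 + struct.pack("<HH", 100, cap) + make_ie(TAG_SSID, ssid.encode()) + extra
RSN_PSK_CCMP = b"\x01\x00" + OUI_IEEE + b"\x04\x01\x00" + OUI_IEEE + b"\x04\x01\x00" + OUI_IEEE + b"\x02"
WPA_PSK_TKIP = OUI_MSFT + b"\x01\x01\x00" + OUI_MSFT + b"\x02\x01\x00" + OUI_MSFT + b"\x02\x01\x00" + OUI_MSFT + b"\x02"

def survey() -> dict:
    """Map SSID -> security label for the four sample beacons."""
    beacons = [make_beacon("lab-open", 0x0401), make_beacon("lab-wep", 0x0411),
               make_beacon("lab-wpa", 0x0411, make_ie(TAG_VENDOR, WPA_PSK_TKIP)),
               make_beacon("lab-wpa2", 0x0411, make_ie(TAG_RSN, RSN_PSK_CCMP))]
    return dict(classify_beacon(b) for b in beacons)
```

WEP results are the networks exposed to the IV-collection attack the slides describe; PSK results are exposed only if a four-way handshake can be captured and the passphrase is in a word list, while 802.1X networks have no shared key to recover.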
Wireless-Detective – WPA-PSK Cracking Sol. (1)
WPA-PSK Cracking Solution
WPA Handshake packets need to be captured for cracking the WPA key.
Utilize a Single Server or Distributed Servers (multiple smart password list attacks simultaneously) to crack the WPA key.
Acceleration technology: GPU Acceleration
Note: WPA handshake packets can be captured by a Standalone Wireless-Detective system or Distributed Wireless-Detective systems.
Wireless-Detective – WPA-PSK Cracking Sol. (2)
WPA/WPA2-PSK cracking module is optional (dedicated server).
Application: Utilizing Password List attack and GPU technology (Graphic Card Processors) to recover or crack the WPA/WPA2-PSK Key.
Supported WPA: WPA-PSK (TKIP) and WPA2-PSK (AES).
Speed: up to 30 times faster than a normal CPU.
GPU supported: NVIDIA and ATI
Internet Protocols Supported
Email, Webmail
IM/Chat (Yahoo, MSN, ICQ, QQ, IRC, Google Talk, others, etc.)
Online Games, Telnet etc.
HTTP (Link, Content, Reconstruct, Upload, Download)
File Transfer: FTP, P2P
Reconstruction – Sample Email – POP3
Date/Time, From, To, CC, Subject, Account, Password
Reconstruction – Sample Email – SMTP
Date/Time, From, To, CC, BCC, Subject, Size
Reconstruction – Sample Email – IMAP
Date/Time, From, To, CC, Subject, Account, Password
Reconstruction – Sample Web Mail (Read)
Date/Time, Content, Web Mail Type
Reconstruction – Sample Web Mail (Sent)
Date/Time, From, To, CC, BCC, Subject, Webmail Type
Reconstruction – Sample IM/Chat – MSN
Date/Time, User Handle, Participant, Conversation, Count
Including Text Chat Messages, File Transfer and Webcam session reconstruction and playback.
Supports Client and Web MSN.
Reconstruction – Sample IM/Chat – Yahoo
Date/Time, Screen Name, Participant, Conversation, Count
Including Text Chat Messages, File Transfer, VoIP and Webcam session reconstruction and playback.
Supports Client and Web Yahoo.
Reconstruction – Sample IM/Chat – Skype Log
Date/Time, Screen Name, Participant, Conversation, Count
Skype Text, VoIP and Webcam sessions are encrypted. However, the Skype VoIP call duration log and the source & destination IP can be obtained.
Reconstruction – Sample File Transfer - FTP
Date/Time, Account, Password, Action, FTP Server IP, File Name
Reconstruction – Sample Peer to Peer – P2P
Date/Time, Tool, File Name, Last Activated, Send/Receive Throughput, Details
Including Action (Download/Upload), Peer IP, Port, Peer Port & Throughput
Reconstruction – Sample HTTP – Link (URL)
Date/Time, Link/URL
Reconstruction – Sample HTTP – Content
Date/Time, Link/URL
Reconstruction – Sample HTTP – Reconstruct
Date/Time, HTTP Content
Reconstruction – Sample HTTP – Upload/Download
Date/Time, Action, File Name, HTTP Download/Upload URL, Size
Reconstruction – Sample HTTP – Video Streaming
Date/Time, Host, File Name, HTTP Content, File Size
Play back reconstructed FLV video file
Reconstruction – Sample Telnet
Date/Time, Account, Password, Server IP, File Name
Supports playback of Telnet sessions
Reconstruction – Sample VoIP
Reconstruction – Sample Incomplete Sessions
Data Search – Conditions & Free Text Search
Search by Parameters/Conditions (Date-Time, IP, MAC, Account, Subject etc.)
Free Text Search – Search by Key Words (Supports Boolean Search)
Data Export – Backup Reconstructed Data
Backup the reconstructed content (various applications) to ISO file report format.
Data Backup – Captured Raw Data Backup
Backup captured raw data (known) and raw data (unknown – unclassified).
Export to external PC or backup through CD/DVD Burner.
Conditional Alert – Alert through Email
Alert Administrator by Parameters/Conditions
Online IP List – IP Information
Status, IP, PC Name, Last Seen Time, ISP, Categorized Group
Location Estimation - Wireless Equipment Locator
Utilizes Wireless Sensors and a Triangulation Calculation/Training methodology to estimate the location of the targeted wireless devices (AP or STA). [Plane Regression]
1 WD as Master system + min. 3 WD as Slave systems (sensors)
Allows finding the approximate location of the targeted wireless device in the X-Y plane.
Estimation error depends on the surrounding environment (e.g. blockage etc.). Normally a few meters.
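The slide names a master plus at least three sensor WDs and a plane regression, but not the method. One standard way to make that estimate is least-squares trilateration on ranges derived from RSSI, shown here in Python as an added example (not the vendor's algorithm) for the defender's counterpart task, locating a rogue AP or unauthorized client inside a building with fixed sensors. The path-loss constants, sensor layout and target position are assumptions, and the "training" the slide mentions corresponds to calibrating those constants on site.

```python
import math

def rssi_to_distance(rssi_dbm: float, p0_dbm: float = -40.0, n: float = 2.5) -> float:
    """Log-distance path-loss model: p0 = RSSI at 1 m, n = path-loss exponent.
    Both are site-calibrated in practice; the defaults here are assumed values."""
    return 10 ** ((p0_dbm - rssi_dbm) / (10 * n))

def trilaterate(sensors: list, dists: list) -> tuple:
    """Least-squares X-Y position from >= 3 sensors at known (x, y) with estimated ranges."""
    if len(sensors) < 3 or len(sensors) != len(dists):
        raise ValueError("need at least three sensors with one range each")
    (x0, y0), d0 = sensors[0], dists[0]
    # Subtracting sensor 0's circle equation from each other's gives linear rows a*x + b*y = c
    rows = []
    for (xi, yi), di in zip(sensors[1:], dists[1:]):
        rows.append((2 * (xi - x0), 2 * (yi - y0),
                     d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2))
    # Normal equations (A^T A) p = A^T c, solved in closed form for the 2x2 case
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; no unique X-Y solution")
    return ((sbb * sac - sab * sbc) / det, (saa * sbc - sab * sac) / det)

def locate_from_rssi(sensors: list, rssi: list) -> tuple:
    return trilaterate(sensors, [rssi_to_distance(r) for r in rssi])

def demo(round_dbm: bool = True) -> float:
    """Constructed scenario: 4 sensors on a 10 m square, device at (3, 4); returns error in metres."""
    sensors = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0), (10.0, 10.0)]
    true_xy = (3.0, 4.0)
    rssi = []
    for sx, sy in sensors:
        d = math.dist((sx, sy), true_xy)
        r = -40.0 - 25.0 * math.log10(d)            # inverse of rssi_to_distance with p0=-40, n=2.5
        rssi.append(round(r) if round_dbm else r)   # real receivers report whole dBm
    est = locate_from_rssi(sensors, rssi)
    return math.dist(est, true_xy)
```

With whole-dBm readings the error in this synthetic case is well under a metre; real indoor multipath and blockage widen it to the few metres the slide quotes, which is why more sensors and on-site calibration matter.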
Decision Computer Group
Exporting Raw Data Captured for Further Analysis (1)
Raw data captured can be exported (with hash) from the WD system for further analysis.
Known Raw Data: raw data that can be classified and reconstructed.
Unknown Raw Data: raw data that cannot be classified and reconstructed.
Exporting Raw Data Captured for Further Analysis (2) and (3)
Analyze the raw data files using a packet analyzer tool such as Packet Browser, Wireshark or Ethereal.
Exporting Raw Data Captured for Further Analysis (4)
Analyze the raw data files using the offline parsing and reconstruction tool EDDC (product of Decision Computer Group).
Wireless-Detective – Unique Advantages/Benefits
• Smallest, portable, mobile and lightweight WLAN legal interception system. This allows easy tracking and capturing of a suspect's Internet activities, especially when the suspect moves from one place to another. The suspect won't notice the WD's existence as it looks like a normal laptop.
• Detects unauthorized WLAN access/intruders (IDS).
• Provides detailed information on APs, Wireless Routers and Wireless Stations (such as channel, Mbps, security (encryption), IP, signal strength, manufacturer, MAC).
• Provides capturing of WLAN packets from a single channel, AP, STA or multiple channels by deploying distributed/multiple systems. That also means flexibility and scalability of the deployment solution.
• Provides decryption of the Wireless key, WEP key (WPA cracking is an optional module).
• Provides decoding and reconstruction of different Internet services/protocols on the fly; reconstructed data is displayed in original content format on the local system Web GUI.
• Supports retaining the raw data captured (for further analysis if required) and archiving of reconstructed data with hashed export functions.
• Supports condition/parameter search and free text search.
• Supports alerts by condition/parameter.
• Provides Wireless forbidding/jamming function.
• Provides Wireless Equipment Locator function.
The All-in-One Mobile WLAN Interception System
References – Implementation Sites and Customers
Criminal Investigation Bureau
The Bureau of Investigation Ministry of Justice
National Security Agency (Bureau) in various countries
Intelligence Agency in various countries
Ministry of Defense in various countries
Counter/Anti Terrorism Department
National Police, Royal Police in various countries
Government Ministries in various countries
Federal Investigation Bureau in various countries
Telco/Internet Service Provider in various countries
Banking and Finance organizations in various countries
Others
Notes: Due to confidentiality of this information, the exact name and countries of
the various organizations cannot be revealed.
Decision Group
[email protected]
www.edecision4u.com