Finding the Needle in the Lawful Intercept Haystack

Modern encryption techniques have resulted in Law Enforcement and Intelligence Agencies losing the benefits that came from carrying out Lawful Intercept activities. Indeed the time required to investigate a lawful intercept PCAP file for relevant and useful information is now such that should any artefact be found, it is almost certainly found long after the time when the information could have been at its most useful.

Communications channels have gone way beyond the simple calls and text messages of the past. The proliferation of messaging apps (WhatsApp, Signal, Telegram etc.), the ability to send messages via social media platforms (Facebook, Nextdoor, Instagram etc.) and the use of video communication platforms (FaceTime, Zoom etc.) has resulted in a very complex environment to investigate and analyse when looking for that particular artefact that will break the case, or that specific piece of intelligence that will lead the investigators to where they need to go, and this is before you add the problem that all investigators have when these communications are encrypted.

Additional information and intelligence you may want to know is which websites have been visited, when, with what frequency, for how long, etc. Another thing that Wireshark won’t do for you here, but a good LEA workflow will, is categorise each website into a category; is it Ads, Shopping, Food, Travel, Furniture, Pornography, Social Networking, Political Ideology, Terrorism, etc.

What is required is a tool that examines the lawful intercept network data (most likely a PCAP) and synthesises the output into a clear website profiling view. When that kind of analysis takes seconds and can be immediately reflected from a large collection of PCAPs, then we’re really cooking on gas. 

Today Lawful Intercept of data services can still be an effective tool against communication apps. What is being said is lost to unbreakable encryption, but that is not what is often needed to progress an investigation. Each call leaves a digital footprint in the packet captures, and that is clearly visible to the right tool, regardless of if that app is WhatsApp or some obscure dialler you have never heard of. Some of these applications are quite challenging to ‘fingerprint’ within the network noise, but the right application of machine learning can classify these applications with high confidence. 

If you would like to find out more about how to find that Needle in the Lawful Intercept Haystack and work in Law Enforcement or Intelligence, then subscribe to Digital Forensics Magazine and read the full article, and join Sandvine for a Live Demonstration of Digital Witness.

Digital Witness Webinar Registration (sandvine.com)

(167)

Share