Partner content: Pervasive encryption of communications challenges lawful interception and intelligence practices – investigators need new tools and techniques
As communications and services have proliferated, particularly with over-the-top (OTT) communication platforms such as Telegram, Signal, Messenger, and WhatsApp, so has the pervasiveness of encryption. In this environment, law enforcement agencies (LEAs) are not only unable to read the contents of messages, but often cannot even classify the traffic. In response, it has become increasingly critical to develop and use mechanisms for investigating the evidence that remains available.
In practical terms, extracting intelligence from encrypted communications requires a refocus from the payloads of messages to the traffic flows that surround them. Superior traffic analysis based on deep packet inspection (DPI) can reveal insights that help overcome the limitations to low enforcement authorities (LEAs) of an internet gone dark.
The SS8 lawful intelligence platform provides visibility into encrypted traffic flows using the Enhanced Protocol Extraction Engine (E-PXE), such as what application and underlying service a subject of interest is using, when, and for how long. Building on that foundation, SS8 capabilities make it possible to identify other parties involved, establish patterns of life, and advance investigations, regardless of message encryption.
Analyze traffic flows
SS8 builds on nearly 25 years’ experience to extend the potential of DPI to reveal maximum intelligence from encrypted traffic streams. E-PXE investigates beyond the conventional IP packet headers used for network routing and into the nested headers of encapsulated traffic. By analyzing those headers, DPI makes it possible to generate metadata that can be analyzed to reveal application-level characteristics of the communications from captured data sessions.
After a communication service provider (CSP) responds to a warrant or other authorization with data intercepted from a subject of interest, E-PXE uses enhanced DPI to provide insights from individual packets as well as broader traffic flows. In addition to identifying the application – such as WhatsApp – the Intellego XT lawful intelligence platform can also use this information to identify the specific communication modality, such as text, voice, or video, as well as the devices and IP addresses related to each data flow.
The metadata that the SS8 platform captures and attaches to traffic flows enables matching based on analytics and digital signatures between intercepted traffic flows and known patterns. The scope of metadata tags used varies according to the type of intercepted traffic involved, but they capture information specific to the individual communication session, such in as the following examples:
- Web browsing – URLs, hostnames
- Messaging – Chat IDs, nicknames
- Email – Account login IDs, email addresses
- Voice and video – E.164 international phone numbers, session initiation protocol (SIP) data
The SS8 platform applies heuristics-based analysis to this metadata to deliver probability-based conclusions about the nature of the communications. Timestamps derived using protocol information and heuristic methods can be applied to the traffic flows to provide timelines for specific interactions. Overlaying those timelines with the broader context of a crime can help establish a subject’s patterns of life and determine whether or not that individual was involved with key events. SS8 maintains the signatures used in these processes based on evolving intelligence, similar to antivirus signatures.
Identify and profile subjects
The growing prevalence of direct, peer-to-peer communications between devices in OTT applications adds complexity to the process of developing protocol-oriented insights. For example, most WhatsApp calls are initiated by the service but carried out directly from one handset to the other using Real-time Transport Protocol (RTP) and related mechanisms. While the communications stream does not pass through WhatsApp servers, the information needed to initiate the connection can automatically and efficiently identify, for example, that a video call occurs between two specific IP addresses.
Using that information, an LEA can work with the relevant application providers and mobile network operators to identify the subscriber assigned that IP address at the relevant time. In the common case where the phone number belongs to a burner (pay-as-you-go) phone that does not require registration, the LEA may be unable to associate it with an individual of interest.
Intellego XT works through that limitation, creating a bridge to a real-world identity through integrating open source intelligence. Formal, pre-established workflows in the SS8 platform make it possible for investigators to heuristically find that identity.
The process involves scraping the internet to find relevant associations between the phone number and other information. Investigation can extend to the deep and dark web as well, to identify the existence and nature of potential illegal activities by the subject as well as whether that individual’s information is included in a data breach, for example.
SS8 MetaHub ingests that information and correlates the clues together to posit the identity of the parties on the call. In addition to identity details, additional context about individuals of interest and their associates found through this process can help advance investigations from scraps of information to clear insight.
About the authors
David Anstiss is Director of Solution Engineering at SS8 Networks. He has been with SS8 since 2015 and has significant experience in critical network architecture technology and advanced data analytics. He currently works as part of the Technical CTO Group under the leadership of Dr. Cemal Dikmen and is responsible for leading engagement with both intelligence agencies and Communication Service Providers (CSPs) around the world.
He has been instrumental in helping them transition to 5G, defining system requirements to meet regulatory compliance. As a member of ETSI, he represents SS8 to ensure the adoption of cloud-native infrastructure is met with industry best practices and to guarantee that compliance of lawful interception is maintained. Learn more about David here on his LinkedIn profile.
Rory Quann is Head of International Sales at SS8 Networks and brings with him over 10 years of experience in the Lawful Interception and Data Analysis industry. Prior to joining SS8 in 2013, Rory worked for BAE System Applied Intelligence where he was focused on large scale Government deployments of Intelligence Solutions.
Rory has held multiple positions in the Lawful Intelligence space ranging from Deployment Engineer, System Consultant, and Sales Engineer focusing on Country-wide Passive deployments. Rory is a Certified Microsoft MCSA Engineer and EMC Certified deployment Engineer. You can learn more about Rory on his LinkedIn profile by clicking here.