The Association of Digital Forensics, Security and Law (ADFSL)
The popularity of Voice over the Internet Protocol (VoIP) is increasing as the cost savings and ease of use is realised by a wide range of home and corporate users. However, the technology is also attractive to criminals. This is because VoIP is a global telephony service, in which it is difficult to verify the user’s identification. The security of placing such calls may also be appealing to criminals, as many implementations use strong encryption to secure both the voice payload as well as to control messages making monitoring such VoIP calls difficult since conventional methods such as wire-tapping is not applicable to VoIP calls. Therefore, other methods of recovering electronic evidence and information from VoIP are required. This research looks at what protocol evidence remains after a VoIP call has taken place examining both a virtual hard disk and the Random Access Memory (RAM). This paper proposes a set of identifiable credentials based on packet header information contained within the VoIP protocol stack. A series of controlled tests were undertaken whereby these credentials were forensically searched for on a virtual machine which was used to make the VoIP call. This experiment was then repeated by a search for the same protocol credentials within the RAM.
Download (2009a). Skype Downloaded July 20, 2009 at www.skype.com.
Download (2009b). VM Workstation Downloaded July 15, 2009 at www.vmware.com.
Download (2009c). Wireshark Downloaded July 20, 2009 at www.wireshark.org,
Download (2009d). X-Lite Downloaded July 24, 2009 at www.counterpath.com.
Download (2009e). X-Ways Downloaded July 18, 2009 at www.x-ways.net,
ETSI TR 101 944 V1.1.2 (2001). Telecommunication Security - Lawful Interception - Issues on IP Interception ETSI TR 101 944 V1.1.2.
IETF RFC 768 (1980). User Datagram Protocol, Postel, J. IETF RFC 791 (1981a). Internet Protocol, Postel, J.
IETF RFC 793 (1981b). Transmission Control Protocol, Postel, J.
IETF RFC 894 (1984). A Standard for the Transmission of IP Datagrams over Ethernet Networks, Hornig, C.
IETF RFC 3261 (2002). SIP: Session Initiation Protocol, Rosenberg, J. Et al.
IETF RFC 3550 (2003). RTP: A Transport Protocol for Real-Time Applications, Schulzrinne, H., Casner, S., Frederick, R., Jacobson, V.
Karpagavinayagam, B., State, R. And Festor, O. (2007). Monitoring Architecture for Lawful Interception in VoIP Networks, Second International Conference on Internet Monitoring and Protection.
Leung, C.M., Chan, Y.Y. (2007). Network Forensic on Encrypted Peer-to-Peer VoIP Traffics and the Detection, Blocking, and Prioritization of Skype Traffics, 16th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaboration Enterprises.
Pelaez, J.C., Fernandez, E.B. (2009). VoIP Network Forensic patterns, 2009 Fourth International Multi Conference on Computing in the Global Information Technologies.
Seedorf, J. (2008). Principles, Systems and Applications of IP Telecommunications, Services and Security for Next Generation Networks, Second International Conference, IPTComm 2008.
Simon, M. (2008). Packet reconstruction software: Defence and Systems Institute (DASI) at the University of South Australia.
Simon, M. and Slay, J. (2006). Voice over IP: Forensic Computing Implications, 4th Australian Digital Forensics Conference, Edith Cowan University, School of Computer and Information Science, December 4, 2006.
Simon, M.and Slay, J. (2009). Enhancement of Forensic Computing Investigations through Memory Forensic Techniques. 2009 International Conference on Availability, Reliability and Security. Fukuoka Institute of Technology, Fukuoka, Japan pp.995-1000.
Slay, J. and Simon, M. (2008). Voice over IP Forensics. e-forensics 08: Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia, Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering.
Irwin, David; Slay, Jill; Dadej, Arek; and Shore, Malcolm
"Extraction of Electronic Evidence from VoIP: Forensic Analysis of a Virtual Hard Disk vs RAM,"
Journal of Digital Forensics, Security and Law: Vol. 6
, Article 2.
Available at: http://commons.erau.edu/jdfsl/vol6/iss1/2