The Association of Digital Forensics, Security and Law (ADFSL)


The Voice over Internet Protocol (VoIP) is increasing in popularity as a cost effective and efficient means of making telephone calls via the Internet. However, VoIP may also be an attractive method of communication to criminals as their true identity may be hidden and voice and video communications are encrypted as they are deployed across the Internet. This produces a new set of challenges for forensic analysts compared with traditional wire-tapping of the Public Switched Telephone Network (PSTN) infrastructure, which is not applicable to VoIP. Therefore, other methods of recovering electronic evidence from VoIP are required. This research investigates the analysis and recovery of digitised human voice, which persists in computer memory after a VoIP call. This paper outlines the ongoing development of a software tool, the purpose of which, determines how remnants of digitised human speech from a VoIP call may be identified within a forensic memory capture based on how the human voice is detected via a microphone and encoded to a digital format using the sound card of a personal computer. This digital format is unencrypted whist stored in Random Access Memory (RAM) before it is passed to the VoIP application for encryption and transmission over the Internet. Similarly, an incoming encrypted VoIP call is decrypted by the VoIP application and passes through RAM unencrypted in order to be played via the speaker output. A series of controlled tests were undertaken whereby RAM captures were analysed for remnants of digital audio after a VoIP audio call with known conversation. The identification and analysis of digital audio from RAM attempts to construct an automatic process for the identification and subsequent reconstruction of the audio content of a VoIP call. This research focuses on the analysis of RAM captures acquired using XWays Forensics software. This research topic, guided by a Law Enforcement Agency, uses X-Ways Forensics to simulate a RAM capture which is achieved covertly on a target machine without the user's knowledge, via the Internet, during or after a VoIP call has taken place. The authors assume no knowledge of the technique implemented to recover the covert RAM capture and are asked to base their analysis on a memory capture supplied in the format of a file with a ‘.txt’ extension. The methods of analysis described herein are independent of the acquisition method applied to RAM capture. The goal of this research is to develop automated software that may be applied to a RAM capture to identify fragments of audio persisting in RAM after a VoIP call has been terminated, using time domain and signal processing technique, frequency domain analysis. Once individual segments of audio have been identified, the feasibility of reproducing audio from a VoIP call may be determined.


Audacity (2011, June 19). Audacity application downloaded. Retrieved from http://http://audacity/sourceforge.net

Beebe, N.L., Clark, J.G., Deitrich, G.B., Ko, M.S., & Ko, D. (2011, November). Post-retrieval search hit clustering to improve information retrieval effectiveness: Two digital forensics case studies. Decision Support Systems, 51(4), 732-744.

Carrier, B. (2003, Winter). Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers. The International Journal of Digital Evidence, 1(4). Retrieved from http://www.digitalevidence.org/papers/ijde_define.pdf

Carvey, H. (2007). Windows Forensic Analysis DVD Toolkit. Burlington, MA: Syngress Publishing.

Casey, E., Gordon, G., & Leeson, L. (2005, February). Origins and Progress. Digital Investigation, 2(1), 1-2.

Civie, V, & Civie, R. (1998). Future Technologies from Trends in Computer Forensic Science. Presented at the Forensic Science in Trial - Seventh Report of Sessions, London: House of Commons.

ESection (2010, November 5). ESection application downloaded. Retrieved from http://www.phon.ucl.ac.uk/resources/sfs/esection

European Telecommunications Standards Institute (ETSI). (2001). Telecommunication Security - Lawful Interception - Issues on IP Interception. TR 101 944 V1.1.2.

Garofolo, J. S., Lamel, L.F., Fisher, W.M., Fiscus, J.G., Pallett, D.S., Dahlgren, N.L., & Zue, V. (1993). TIMIT Acoustic-Phonetic Continuous Speech Corpus, Linguistics Data Consortium.

Hibishi, H., Vidor, T., & Cranor, L. (2011). Usability of Forensics Tools: A User Study. In Proceedings of the 2011 Sixth International Conference on IT Security Incident Management and IT Forensics (IMF), pp. 81-91.

Hornig, C. (1984). A Standard for the Transmission of IP Datagrams over Ethernet Networks. IETF RFC 894.

Jordan, M. (1990). Motor learning and degrees of freedom problem. In M. Jeannerod (Ed.), Attention and Performance XIII, pp. 221-229 (Hillsdale, NJ: Erlbaum).

Kawato, M. (1989). Motor theory of speech perception. In Proceedings of the 8th Symposium on Future Electron Devices, pp. 141-150.

Keller, E. (1994). Fundamentals of Speech Synthesis and Speech Recognition. Chichester: John Wiley & Sons.

McKemmish, R. (June 1999). What is Forensic Computing? The Australian Institute of Criminology.

Mohay, G. (2005). Technical Challenges and Directions for Digital Forensics. In Proceedings of the First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE), Washington, D.C.

Pirani, G. (1990). Advanced Algorithms and Architectures for Speech Understanding. London: Springer-Verlag.

Postel, J. (1980). User Datagram Protocol. IETF RFC 768.

Postel, J. (1981). Internet Protocol. IETF RFC 791.

Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., & Schooler, E. (2002). SIP: Session Initiation Protocol. IETF RFC 3261.

Saltzman, E.L., & Munhall, K.G. (1989). A dynamic approach to gestural patterning in speech production. Ecological Psychology, 1(4), 333-382.

Schatz, B. (2007). Digital Evidence: Representation and Assurance. Information Security Institute, Queensland University of Technology.

Schulzrinne, H., Casner, S., Frederick, R., & Jacobson, V. (2003). RTP: A Transport Protocol for Real-Time Applications. IETF RFC 3550.

Solomon, D., & Russinovich, M. (2005). Microsoft Windows Internals, 4th ed. Seattle, WA: Microsoft Press.

Skype. (2009, August 22). Skype application downloaded. Retrieved from http://www.skype.com

The Open Group. (2010). DD. Retrieved from http://pubs.opengroup.org/onlinepubs/009604499 /utilities/dd.html

VmWare. (2009, July 15). VM Workstation application downloaded. Retrieved from http://www.vmware.com

X-Ways Forensics. (2009, July 18). X-Ways Forensics application downloaded. Retrieved from http:// www.x-ways.net

Yasinsac, A, Manzano, Y. (June 2001). "Policies to enhance computer and network forensics," IEEE Workshop on Information Assurance and Security.




To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.