
Collaborative Forensics for Voice over IP Services (網路電話服務之協同鑑識)

Advisor: 孫雅麗

Abstract


With the spread of the Internet, Voice over IP (VoIP), which is technically simple and inexpensive to deploy, has become widespread as well. Unfortunately, the characteristics of VoIP are not only favoured by legitimate users but also attract criminals, who use it as a communication tool to evade interception by law enforcement agencies (LEAs) while carrying out illegal activities such as fraud and extortion. How an LEA can perform forensics on VoIP services, including finding the IP address used by the caller, has therefore become an important issue.

In this dissertation we develop a collaborative forensics mechanism (CFM) for VoIP services. The mechanism cooperates with network operators and service providers and can perform forensics on SIP-based VoIP calls, including attacking-source IP identification, without any help from the routers on the trace-back path. For the typical attacks on SIP-based VoIP services we also examine which fields of the request (query) message can be forged. By watching these forgeable fields, collaborative forensics can be started proactively (active forensics), which lowers the probability that the stored VoIP records are deleted because their retention period expires before collaborative forensics is initiated, and so raises the LEA's success rate when investigating crimes committed over VoIP.

Most recent research on collaborative network forensics has only proposed forensic architectures without also designing a collaborative forensics protocol (CFP) for them, so the proposed architectures cannot be deployed widely on the Internet. For this reason, in this dissertation we design, on top of the proposed collaborative forensics architecture and procedure, a dedicated application-layer collaborative forensics protocol that lets forensics centres in different regions exchange collaborative-forensics query messages and response messages. We also discuss how the collaborative forensics mechanism cooperates with a public-key infrastructure to defend against different kinds of network attacks; we build a prototype of the mechanism to validate the collaborative forensics procedure and demonstrate forensic analysis with four examples; and finally we evaluate the performance (time and memory) of the collaborative forensics procedure and analyse the properties of the designed collaborative forensics protocol (CFP).

Abstract (English)


The simplicity and low cost of Voice over Internet Protocol (VoIP) services have made them increasingly popular as the Internet has grown. Unfortunately, the advantages of VoIP attract both legitimate and nefarious users, and VoIP is often used by criminals to communicate and conduct illegal activities (such as fraud or blackmail) without being intercepted by Law Enforcement Agencies (LEAs). How to perform forensics for VoIP services, including attacking-source IP identification, is therefore one of the most important issues for LEAs. In this doctoral dissertation, we propose a collaborative forensics mechanism (CFM) that cooperates with the related network operators (NWOs) and service providers (SvPs) to perform forensics for VoIP calls without depending on the routers along the full trace path. We discuss the various kinds of attacks on VoIP services and the characteristics of VoIP service requests as they pertain to those attacks. We propose a procedure for identifying forged header field values (HFVs) in SIP requests, and introduce the concept of active forensics, which reduces the probability that important information has already been deleted by the time collaborative forensics is initiated and thus helps LEAs intercept criminals. VoIP researchers have so far only proposed frameworks for this type of partnership and have yet to provide a common protocol for forensic collaboration over the Internet; as a result, Internet-based collaboration between agencies is not widespread. Building on the CFM and the procedures of collaborative forensics work, this dissertation designs a novel application-layer collaborative forensics protocol (CFP) for exchanging collaborative request and response messages between collaborative forensics region centers in order to acquire collaborative forensics information. We present a procedure for collaborative forensics and discuss the details of the protocol design.

In addition, we discuss how the CFM, working with a public-key infrastructure (PKI), defends against various types of attacks; we set up a prototype of the CFM to validate the collaborative forensics procedure and demonstrate forensic analyses for four scenarios. Lastly, we evaluate the time and memory consumption of the collaborative forensics procedure and analyze the features of the CFP.
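The abstract names forged header field values (HFVs) in SIP requests as the observable that active forensics keys on, but does not show what such a check looks like. The following is an added example, not code from the dissertation and not its HFV-identification procedure. It assumes a hypothetical collector at a SIP proxy that sees each request together with the IP address the transport layer actually delivered it from (the value a proxy stores in the Via "received" parameter per RFC 3261 section 18.2.1), and compares the address-bearing header fields (topmost Via sent-by, Contact) against that observed source. The sample INVITEs are constructed and use RFC 5737 documentation addresses.

```python
"""Added example (not the dissertation's code): flag SIP header field values
whose address disagrees with the IP the request actually arrived from.

Assumes a hypothetical collector at a SIP proxy that records, per request,
the transport-layer source IP (what the proxy writes into the Via
'received' parameter). A mismatch on Via sent-by or Contact means the field
was forged or the sender sits behind NAT; either way it is the kind of
observation an active-forensics trigger would record before the
provider's call records age out.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    header: str    # header field whose value disagrees with the transport source
    claimed: str   # host named in the header field value
    observed: str  # IP address the request actually arrived from


# Via: SIP/2.0/<transport> <host>[:port];params   -> capture <host>
_VIA_SENT_BY = re.compile(r"^SIP/2\.0/\w+\s+(?P<host>\[[^\]]+\]|[^;:\s]+)")
# sip:[user@]host[:port]                          -> capture host
_URI_HOST = re.compile(r"sips?:(?:[^@>\s]*@)?(?P<host>\[[^\]]+\]|[^;:>\s]+)")


def parse_sip_request(raw: str):
    """Split a SIP request into its request line and a header map.

    Header names are case-insensitive, so they are lower-cased; a header
    that appears more than once (e.g. Via) keeps every value in order.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; ignore rather than guess
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def _as_ip(host: str):
    """Return the host as an ip_address, or None if it is not an IP literal."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def check_forged_hfvs(raw: str, observed_src_ip: str):
    """Return the header fields whose address disagrees with the observed source.

    Only IP literals are compared; a domain name would need resolution,
    which the collector is assumed to do out of band.
    """
    _, headers = parse_sip_request(raw)
    observed = ipaddress.ip_address(observed_src_ip)
    findings = []

    # The topmost Via is inserted by the last hop, so its sent-by must be
    # the address the request arrived from unless it was forged.
    vias = headers.get("via", [])
    if vias:
        m = _VIA_SENT_BY.match(vias[0])
        if m and _as_ip(m["host"]) is not None and _as_ip(m["host"]) != observed:
            findings.append(Finding("Via", m["host"], observed_src_ip))

    # Contact tells the other party where to send the next request; a
    # Contact pointing elsewhere is a classic way to hide the real caller.
    for contact in headers.get("contact", []):
        m = _URI_HOST.search(contact)
        if m and _as_ip(m["host"]) is not None and _as_ip(m["host"]) != observed:
            findings.append(Finding("Contact", m["host"], observed_src_ip))
    return findings


# Constructed sample request (RFC 5737 documentation addresses).
HONEST_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.23:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.org>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@198.51.100.23\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@198.51.100.23:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Same request, but Via and Contact now claim an address the sender does not own.
FORGED_INVITE = HONEST_INVITE.replace("198.51.100.23", "203.0.113.7")

if __name__ == "__main__":
    for label, msg in (("honest", HONEST_INVITE), ("forged", FORGED_INVITE)):
        print(label, check_forged_hfvs(msg, "198.51.100.23"))
```

Run stand-alone, the honest INVITE yields no findings and the forged one yields a Via and a Contact finding, each pairing the claimed 203.0.113.7 with the observed 198.51.100.23. A Contact or Via carrying a domain name is deliberately skipped rather than resolved, so the check never blocks on DNS at collection time.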

