VoIP Technology: A New Challenge For Computer Forensics Analysts
As computers have become more affordable, and internet access more commonplace, communications via the internet has been slowly replacing the physical alternatives. Brochures have largely been replaced with websites, letters with emails, and CDs with downloadable MP3s.
Now, landline telephones - one of the few remaining commonplace non-internet based methods of communication - are slowly being replaced by Voice over Internet Protocol (VoIP), a technology which allows voice communications to be carried via the web. While VoIP can offer several benefits for users - including free calls between computers - for law enforcers wishing to intercept the communications of suspected criminals, VoIP poses a series of problems.
When a person makes a call using a landline telephone, it passes through the 'public switched telephone network (PSTN)'. Originally, this network was made up of fixed line telephone systems, but is now largely digital. However, each call still passes through an 'exchange' in its entirety. This means that if law enforcement officials have authorisation to listen in on a telephone call, they can intercept the call via the exchange.
However, with VoIP communications the audio signal is converted in several encrypted digital 'packets' which are sent separately via different routes across the internet, only re-collating when they reach the other user's computer. This means that there is no exchange through which all the information passes and so traditional methods of interception are ineffective. Instead, the problem of interception becomes one for computer forensic analysts.
Computer forensic experts performing analysis of VoIP communications usually have two main remits: to extract information about the contents of the call and to ascertain the locations of the callers. Unlike landline calls, which lead to a definite physical location, VoIP software such as Skype is free to use and has been allowing users to make calls over the internet since 2003 with no proof of identity or details of location.
In determining whether person A has communicated with person B via VoIP, one computer forensics method looks to analyse the encrypted traffic received at both ends and look for correlations in the patterns. However, while this has some application in proving communications between two persons, it does not give any indication of the nature of what has been discussed in the call.
In Germany, this problem is being addressed with the development of government-backed 'malware' which infects a user's PC and allows law enforcement officials to intercept VoIP communications directly from the host computers. This controversial method, however, may be unsuccessful if the suspect has a firewall in place which prevents unauthorised access.
Computer forensic experts are now pursuing the possibility of analysing 'volatile computer memory', the relatively low capacity memory that is used to run processes and only able to maintain stored information while it is receiving power. If a computer system has not been powered off after a VoIP call, there is some evidence to suggest that some of the contents of the call can be extracted for this memory.
As VoIP communications become more common, one thing seems certain: law enforcement officials, and particularly those working in anti-terrorism will increasingly need access to such communications, and it will fall upon computer forensic experts to solve the problem of how to achieve this.