Looking for Computer Forensic Evidence in Telephone Switches
For many years, digital phone systems have provided customer conveniences like "Caller ID", "Call Waiting", "Call Forwarding", "Three Way Calling", etc. For almost as long, those services have been misused by the bad guys for illicit purposes. My purpose here is not to prevent or interdict such activity. Rather, it is to learn techniques that are used to detect, after the fact, that there has been such a compromise, and of course to determine all there is to learn about that compromise.
The switches (computers) used to manage such telephone traffic are used not only at telephone company central offices, but at large and medium sized facilities such as hotels, hospitals, large law firms, police departments, government buildings, chemical process companies, etc. Telephone companies have their own problems and I would like to avoid discussing them here.
The specific type of activity I am interested in deals with "Three Way Calling". If one of those 3 parties is on-line listening, without the knowledge of the other two, it suddenly changes its name from "Three Way Calling" to "Wiretap" and becomes a crime.
Generally, we are looking at large cabinets full of computer driven circuitry. Like all well behaved computers, the computers built into these dedicated switches do exactly what they are supposed to do each and every time. They do it in complete silence except for the whir of the cooling system. The switches themselves are normally housed in a locked or even guarded room. Hundreds of trunk lines come into that room from the phone company to feed the switch, and hundreds of "Station Lines" exit that switch and connect to the various phones in the facility. Quite often, there is a printer and a dedicated monitor and keyboard in the room.
Although there is often an operator who directs the switch where to send the various calls, she is never inside that room. Quite often, a human operator is not to be found anyplace in the system.
The switch itself is clearly a special purpose computer. Maintenance of the system is often outsourced to specially trained and "trusted" people and is generally under the control of the Director of Communications or the Chief Operator, as opposed to the Director of MIS.
This "trusted" maintenance person can enter that locked room, lock the door behind him, and instruct the switch to, for example, "Set up 3 way calling so that every time the CEO picks up his phone, a mute line is set up so that Mr. Bad can listen in silence." As all in this group know, he can go on to issue instructions as to the time or days of operation and take other steps to avoid getting caught.
Of course, the "trusted" employee doesn't even have to go inside the locked telephone equipment room. All he has to do is enter the switch from his laptop halfway around the world and issue instructions through the modem that is connected to the switch through a maintenance port. It is not my purpose to discuss the security of this or other systems. If security were always perfect, we would all be out of business.
The most practical approach to dealing with the security issue might have been described by a guy named Vinnie "Asprins". Vinnie is a mafia torture expert who got his nickname by drilling holes in people's heads with his electric drill. Vinnie was arrested here in Las Vegas on unrelated charges and told the US Magistrate how he had been sent here from Florida to straighten out a problem some clients had been having with others who insisted on diverting illicit business away from his clients to themselves using this same technology. So much for passwords and locked doors.
Although real time detection would be interesting, my purpose in this posting is to determine if anybody on here has addressed this as a computer forensics problem, looking in these switches for artifacts that could have probative value or be used as evidence, and if so, how did you do it?