EXTRACTION OF ELECTRONIC EVIDENCE FROM VoIP: IDENTIFICATION & ANALYSIS OF DIGITAL SPEECH

The Voice over Internet Protocol (VoIP) is increasing in popularity as a cost effective and efficient means of making telephone calls via the Internet. However, VoIP may also be an attractive method of communication to criminals as their true identity may be hidden and voice and video communications are encrypted as they are deployed across the Internet. This produces a new set of challenges for forensic analysts compared with traditional wire-tapping of the Public Switched Telephone Network (PSTN) infrastructure, which is not applicable to VoIP. Therefore, other methods of recovering electronic evidence from VoIP are required. This research investigates the analysis and recovery of digitised human voice, which persists in computer memory after a VoIP call. This paper outlines the ongoing development of a software tool, the purpose of which, determines how remnants of digitised human speech from a VoIP call may be identified within a forensic memory capture based on how the human voice is detected via a microphone and encoded to a digital format using the sound card of a personal computer. This digital format is unencrypted whist stored in Random Access Memory (RAM) before it is passed to the VoIP application for encryption and transmission over the Internet. Similarly, an incoming encrypted VoIP call is decrypted by the VoIP application and passes through RAM unencrypted in order to be played via the speaker output. A series of controlled tests were undertaken whereby RAM captures were analysed for remnants of digital audio after a VoIP audio call with known conversation. The identification and analysis of digital audio from RAM attempts to construct an automatic process for the identification and subsequent reconstruction of the audio content of a VoIP call. This research focuses on the analysis of RAM captures acquired using X-Ways Forensics software. This research topic, guided by a Law Enforcement Agency, uses X-Ways Forensics to simulate a RAM capture which is achieved covertly on a target machine without the user's knowledge, via the Internet, during or after a VoIP call has taken place. The authors assume no knowledge of the technique implemented to recover the covert RAM capture and are asked to base their analysis on a memory capture supplied in the format of a file with a '.txt' extension. The methods of analysis described herein are independent of the acquisition method applied to RAM capture. The goal of this research is to develop automated software that may be applied to a RAM capture to identify fragments of audio persisting in RAM after a VoIP call has been terminated, using time domain and signal processing technique, frequency domain analysis. Once individual segments of audio have been identified, the feasibility of reproducing audio from a VoIP call may be determined.