Internet Intercepts Part II: They've Got Mail

NCJ Number
Journal: Law Enforcement Technology, Volume 31, Issue 6, June 2004, Pages 56, 58, 60
Authors: Brian Girardi; David Thompson
Date Published: June 2004
Length: 3 pages
This article, the second of a two-part series, describes the technical steps of performing an Internet intercept to aid computer crime investigations.

The first step in an Internet intercept is to tie the target of the investigation to the data that is to be collected. This begins with identifying the target's Internet service provider (ISP) so that a subpoena for billing records can be issued to the ISP.

The second step is the data collection, which is the most difficult part of an Internet intercept. Finding and collecting the correct data is crucial; the task is aided by commercially available technology such as TopLayer's DCFD, a hardware implementation that performs legal intercept provisioning. In some cases, portions of the network infrastructure must be configured to accept these devices. Once the network is engineered to give access to the Internet traffic, the data must be extracted; software applications called "sniffers" are available for this function.

Once the data has been collected, it must be analyzed. Internet communications occur in the form of packets, which must be collected and then reassembled by investigators. One of the tools most widely used by law enforcement is EtherPeek from WildPackets, which offers many collection features as well as analytics for packet analysis. NetWitness from Forensics Explorers also offers both collection and analysis applications. The ultimate goal of the analysis is to reproduce what the target actually saw on the Internet while preserving the data for use in court. Three important points about data preservation are: (1) never perform data analysis on the original data; (2) data transfers between agencies should follow chain-of-evidence procedures; and (3) data should be digitally encrypted or hashed with a 128-bit encryption algorithm.

As cybercrime flourishes in the lawless culture of the Internet, police agencies must be vigilant about staying current with new investigative technology designed to capture cyber-criminals.
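The three preservation points above, as an added example that is not part of the article: the original capture is hashed and left untouched, analysis runs on a verified working copy, and every hand-off is appended to a custody log that later verification is checked against. It assumes a SHA-256 hash rather than the 128-bit algorithm the article mentions, and the capture bytes and file names are constructed.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large captures need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_capture(original: Path, workdir: Path, custodian: str) -> dict:
    """Hash the original, make a working copy for analysis, and log the custody event."""
    original_hash = sha256_file(original)
    working = workdir / (original.name + ".working")
    shutil.copy2(original, working)          # analysis is done on this copy, never on the original
    if sha256_file(working) != original_hash:
        raise RuntimeError("working copy does not match the original capture")
    entry = {"file": str(original), "sha256": original_hash, "custodian": custodian,
             "time": datetime.now(timezone.utc).isoformat()}
    with (workdir / "chain_of_custody.jsonl").open("a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_against_log(path: Path, log_path: Path) -> bool:
    """Recompute the hash and compare it with the latest custody entry for this file."""
    entries = [json.loads(line) for line in log_path.read_text().splitlines()]
    recorded = [e["sha256"] for e in entries if e["file"] == str(path)]
    return bool(recorded) and sha256_file(path) == recorded[-1]


def demo() -> dict:
    """Constructed run: preserve a fake capture, then show that tampering is detected."""
    workdir = Path(tempfile.mkdtemp())
    original = workdir / "intercept.pcap"         # constructed sample, not a real capture
    original.write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20 + b"constructed packet data")
    entry = preserve_capture(original, workdir, custodian="Examiner A")
    log = workdir / "chain_of_custody.jsonl"
    intact = verify_against_log(original, log)
    with original.open("ab") as handle:           # simulate accidental modification of the original
        handle.write(b"!")
    return {"sha256": entry["sha256"], "intact_before": intact,
            "intact_after": verify_against_log(original, log)}
```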