Decision Group, established in 1986, is one of the leaders in the manufacture of PC-based multi-port RS232/422/425 serial cards, data acquisition and measurement products, and industrial automation and control systems. Since 2000, Decision Group has also run a second line of business: the design and development of equipment and software for Internet content monitoring and forensics analysis solutions.
E-Detective is a real-time Internet interception, monitoring and forensics system that captures, decodes and reconstructs various types of Internet traffic. It is commonly used for organizational Internet and behavioural monitoring, auditing, record keeping, forensics analysis and investigation, as well as legal and lawful interception by law enforcement agencies such as police intelligence, military intelligence, cyber security departments, national security agencies, criminal investigation agencies, counter-terrorism agencies, etc. It also provides a compliance solution for many standards and acts, including the Sarbanes-Oxley Act (SOX), HIPAA, GLBA, SEC, NASD, E-Discovery and many others.
E-Detective is capable of decoding, reassembling and reconstructing various Internet applications such as:
Wireless-Detective is a complete and comprehensive Wireless LAN (WLAN) legal interception and forensics investigation solution for intelligence-related units and agencies such as the police, military, criminal investigation departments, national security departments, etc. In fact, it is the most reliable solution for tracing and identifying all illegal Wireless LAN Internet activities or transactions and preserving all of this evidence.
Wireless-Detective is the smallest and lightest WLAN forensics investigation tool available. It consists of a small laptop (12.1-inch screen) running a Linux-based OS with the Wireless-Detective software installed. Because of its small size and mobility, a forensic professional can easily carry it to any location (restaurant, shopping mall, airport, café, hotspot, etc.) for legal interception and forensics investigation tasks without attracting public notice and, most importantly, without the suspect/target knowing about it. It can scan all WLAN channels (802.11a/b/g, 2.4 GHz and 5 GHz frequency bands) to capture/sniff WLAN traffic from available Wi-Fi networks, decrypt WEP-encrypted wireless networks (WPA-PSK with an optional module) automatically or manually, decode and reconstruct the captured WLAN raw data, store both the raw captured data and the reconstructed data in its database, and display them in their original and exact content format, which makes it the most complete (all-in-one) WLAN interception and forensic investigation tool. Furthermore, the Wireless-Detective user management interface (a GUI accessed through a browser) is user friendly and easy to operate and manage.
Wireless-Detective is capable of decoding and reconstructing WLAN Internet traffic in real time, such as:
After decoding and reconstructing the captured traffic, it displays the results in its menu list according to protocol/category type, in their exact or original content format. Keyword search and parameter (conditional) search allow further forensics investigation and analysis to be carried out. This makes Wireless-Detective an all-in-one system (all WLAN investigation work is conducted on one machine) that can speed up the entire investigation process.
E-Detective Decoding Centre (EDDC) is a Linux-based centralized system for offline parsing and reconstruction of Internet raw data files. It parses (decodes and reconstructs) raw data files in PCAP format collected from different sources. Internet raw data (Internet packet) files can be collected from an Ethernet/LAN network or a WLAN network with packet capturing or sniffing tools such as Ethereal, Wireshark, tcpdump, WinDump, etc.
EDDC comes with features specifically designed to let different forensic investigators assign offline Internet raw data files to a project or case for decoding and reconstruction on one system. The administrator can create separate user accounts and investigation cases for the various users, forensic professionals or investigators, and can assign different rights and access levels to control who may access the reconstructed data of each case. Users then import the Internet raw data files they have collected from different sources into the system to carry out the parsing and analysis process.
EDDC allows Internet content forensics tasks to be carried out easily and systematically in order to obtain the variety of information and evidence needed from the collected Internet raw data files. EDDC also aims to assist police intelligence services, military intelligence organizations, intelligence bureaus, national security agencies, government intelligence agencies and all forensics-related agencies in conducting Internet content forensics that enhances their investigative effort.
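To make concrete what "parsing a raw data file in PCAP format" involves, here is an added example in Python; it is not EDDC's or Decision Group's code. It reads the classic libpcap file layout that tcpdump, Wireshark and WinDump write (a 24-byte global header followed by per-packet records), accepts both byte orders of the magic number, stops cleanly at a truncated record instead of mis-parsing the tail, and groups Ethernet/IPv4 TCP and UDP packets into 5-tuple flows, which is the step every protocol reconstruction starts from. The capture bytes are constructed inside the block (the MAC and IP addresses, ports and payloads are made up for the example).

```python
"""Minimal offline PCAP parser that groups IPv4 packets into flows.

Constructed example, not Decision Group code: it mirrors the offline
workflow of reading a tcpdump/Wireshark capture file and sorting the
packets into conversations. Only Ethernet + IPv4 with TCP/UDP is
decoded; any other frame is counted and skipped.
"""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # little-endian file, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic seen from a big-endian file
LINKTYPE_ETHERNET = 1


def parse_pcap(data: bytes):
    """Yield (timestamp, frame_bytes) for every record in a PCAP byte string."""
    if len(data) < 24:
        raise ValueError("truncated PCAP global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic PCAP file: magic 0x%08x" % magic)
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if incl_len > snaplen or offset + incl_len > len(data):
            break  # truncated or corrupt record: stop rather than mis-parse the tail
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def decode_ipv4(frame: bytes):
    """Return ((src, sport, dst, dport, proto), payload) for Ethernet/IPv4/TCP|UDP, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    if ihl < 20 or len(frame) < 14 + ihl + 8 or proto not in (6, 17):
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 17:
        payload = l4[8:]                              # UDP: fixed 8-byte header
    else:
        if len(l4) < 20:
            return None
        payload = l4[(l4[12] >> 4) * 4:]              # TCP: data offset in 32-bit words
    return (src, sport, dst, dport, proto), payload


def flows_from_pcap(data: bytes):
    """Group a capture into flows: {5-tuple: [(timestamp, payload), ...]}, plus a skipped count."""
    flows = defaultdict(list)
    skipped = 0
    for ts, frame in parse_pcap(data):
        decoded = decode_ipv4(frame)
        if decoded is None:
            skipped += 1
            continue
        key, payload = decoded
        flows[key].append((ts, payload))
    return dict(flows), skipped


def build_udp_frame(src, sport, dst, dport, payload):
    """Build an Ethernet/IPv4/UDP frame (constructed test data, checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + udp


def build_pcap(frames, endian="<"):
    """Wrap frames into a classic PCAP byte string (constructed test data)."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack(endian + "IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed capture: two DNS queries in one flow, one SIP packet, one ARP frame.
SAMPLE_FRAMES = [
    build_udp_frame("10.0.0.5", 40000, "192.0.2.10", 53, b"query-1"),
    build_udp_frame("10.0.0.5", 40000, "192.0.2.10", 53, b"query-2"),
    build_udp_frame("10.0.0.9", 5060, "192.0.2.20", 5060, b"INVITE sip:bob@example.invalid SIP/2.0"),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,        # ARP: not IPv4, is skipped
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    flows, skipped = flows_from_pcap(SAMPLE_PCAP)
    for key, pkts in flows.items():
        print(key, len(pkts), "packet(s)")
    print("skipped non-IPv4/TCP/UDP frames:", skipped)
```

Once packets are sorted into flows like this, per-protocol reconstruction (reassembling TCP segments, parsing HTTP or SIP) runs over each flow's payload list rather than over the raw file.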
The HTTPS/SSL Network Forensics Device (HTTPS/SSL Interceptor) is designed specifically for forensics purposes, where it is used to decrypt HTTPS/SSL traffic. It can be used by law enforcement bodies, police, investigation units, forensics firms and government departments for tracking or monitoring suspects' HTTP and HTTPS activities on the Internet. The HTTPS/SSL Device has the E-Detective web reconstruction function (HTTP Link and HTTP Content) integrated into the system, which allows the administrator to see the web page content of both normal and secured web pages.
The HTTPS/SSL Interceptor can work in two modes: (1) Man in the Middle Attack (MITM) and (2) Offline Method (decrypting HTTPS raw data when the private key is available). In the MITM method, it acts as a proxy for the targeted PC/suspect: all traffic from the targeted PC is redirected to the HTTPS/SSL Interceptor, so when the targeted PC accesses an SSL server the Interceptor collects the genuine certificate from that server while returning its own generated certificate to the PC. This is what allows the HTTPS/SSL Interceptor to decrypt the HTTPS traffic. In the Offline Method, given captured HTTPS raw data, the HTTPS/SSL Interceptor can decrypt the traffic if the private key is available.
Login usernames and passwords, such as Google/Gmail, Yahoo Mail and eBay logins, can be captured by the HTTPS/SSL Interceptor.
Decision Group launched VOIP-DETECTIVE, a VoIP interception and reconstruction tool, in 2009. This tool captures, decodes and reconstructs VoIP sessions (RTP sessions) and allows voice calls on the network to be played back. All voice call content can also be stored and backed up for further reference. The supported signalling protocols are SIP (the most commonly used) and H.323. The supported codecs are G.729, G.711 A-law and G.711 u-law, G.726 and iLBC.
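As an added illustration of what "reconstructing an RTP session" involves (example code written here, not VoIP-Detective's), the block below parses the 12-byte RTP header, groups packets by SSRC, reorders them by sequence number across the 16-bit wraparound, drops duplicates, counts lost packets and concatenates the payload so that a codec decoder could play it back. The packets are constructed inline and the payload bytes only stand in for G.711 frames; they are not real audio. Payload types 0, 8 and 18 are the RFC 3551 static assignments for G.711 u-law, G.711 A-law and G.729; iLBC and G.726 are normally negotiated as dynamic payload types in the SIP/SDP exchange, so a real tool has to take them from the signalling.

```python
"""Reconstruct RTP media streams from captured packets.

Constructed example, not VoIP-Detective code. Shows the core of RTP
session reconstruction: parse headers, group by SSRC, reorder by
extended sequence number, drop duplicates, note gaps, join payload.
"""
import struct
from collections import defaultdict

# RFC 3551 static payload types matching the codecs named on the page.
# iLBC and G.726 are usually dynamic (96-127) and must be read from SDP.
STATIC_PAYLOAD_TYPES = {0: "G.711 u-law (PCMU)", 8: "G.711 A-law (PCMA)", 18: "G.729"}


def parse_rtp(packet: bytes):
    """Return (ssrc, seq, timestamp, payload_type, marker, payload), or None if not RTP v2."""
    if len(packet) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:                       # version field must be 2
        return None
    offset = 12 + 4 * (b0 & 0x0F)          # skip CSRC list
    if b0 & 0x10:                          # header extension present
        if len(packet) < offset + 4:
            return None
        ext_words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    if offset > len(packet):
        return None
    payload = packet[offset:]
    if b0 & 0x20 and payload:              # padding: last byte holds the pad length
        pad = payload[-1]
        if pad == 0 or pad > len(payload):
            return None
        payload = payload[:-pad]
    return ssrc, seq, ts, b1 & 0x7F, bool(b1 & 0x80), payload


def reconstruct_streams(packets):
    """Group RTP packets by SSRC and rebuild each stream in sequence order.

    Returns {ssrc: {"codec", "payload", "packets", "duplicates", "lost"}}.
    """
    by_ssrc = defaultdict(list)            # ssrc -> [(ext_seq, ts, pt, payload)]
    max_ext = {}                           # highest extended seq seen per ssrc
    for pkt in packets:
        parsed = parse_rtp(pkt)
        if parsed is None:
            continue
        ssrc, seq, ts, pt, _marker, payload = parsed
        if ssrc not in max_ext:
            ext = seq
        else:
            # Unwrap the 16-bit counter: a small seq after a large one is a
            # wrap forward, a large seq after a small one is a late packet.
            ext = (max_ext[ssrc] & ~0xFFFF) | seq
            if ext < max_ext[ssrc] - 32768:
                ext += 65536
            elif ext > max_ext[ssrc] + 32768:
                ext -= 65536
        max_ext[ssrc] = max(max_ext.get(ssrc, ext), ext)
        by_ssrc[ssrc].append((ext, ts, pt, payload))

    streams = {}
    for ssrc, items in by_ssrc.items():
        items.sort(key=lambda item: item[0])
        ordered, seen, dups = [], set(), 0
        for item in items:
            if item[0] in seen:
                dups += 1                  # duplicate/retransmit: keep the first copy
                continue
            seen.add(item[0])
            ordered.append(item)
        expected = ordered[-1][0] - ordered[0][0] + 1
        pt = ordered[0][2]
        streams[ssrc] = {
            "codec": STATIC_PAYLOAD_TYPES.get(pt, "dynamic PT %d (see SDP)" % pt),
            "payload": b"".join(p for _, _, _, p in ordered),
            "packets": len(ordered),
            "duplicates": dups,
            "lost": expected - len(ordered),
        }
    return streams


def make_rtp(ssrc, seq, ts, pt, payload, marker=False):
    """Build an RTP v2 packet with no CSRC/extension (constructed test data)."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt,
                       seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


# Constructed capture: one PCMU stream whose sequence wraps at 65535, arriving
# out of order, with one duplicate and one lost packet (seq 2); a second PCMA
# stream; and a non-RTP datagram that must be ignored.
SAMPLE_PACKETS = [
    make_rtp(0x1234ABCD, 65534, 8000, 0, b"A" * 160),
    make_rtp(0x1234ABCD, 65535, 8160, 0, b"B" * 160),
    make_rtp(0x1234ABCD, 1, 8480, 0, b"D" * 160),      # arrives before seq 0
    make_rtp(0x1234ABCD, 0, 8320, 0, b"C" * 160),
    make_rtp(0x1234ABCD, 1, 8480, 0, b"D" * 160),      # duplicate
    make_rtp(0x1234ABCD, 3, 8800, 0, b"E" * 160),      # seq 2 never arrives
    make_rtp(0xCAFEF00D, 10, 160, 8, b"x" * 160),      # second stream, PCMA
    b"\x00" * 16,                                      # version 0: not RTP
]

if __name__ == "__main__":
    for ssrc, s in reconstruct_streams(SAMPLE_PACKETS).items():
        print("SSRC 0x%08X %s: %d packets, %d duplicates, %d lost, %d payload bytes"
              % (ssrc, s["codec"], s["packets"], s["duplicates"], s["lost"], len(s["payload"])))
```

The joined payload of a G.711 stream is the raw 8 kHz sample stream, so playback is a matter of handing it to a PCMU/PCMA decoder; the lost-packet count tells the investigator how much of the call is missing rather than silently producing shortened audio.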
Network Investigation Toolkit (NIT) is designed by Decision Group for LEAs such as police, military, criminal investigation agencies, national security agencies, cyber security agencies, counter-terrorism departments, forensics investigators, etc., to conduct network-based forensics investigations on both wired and wireless LAN networks. NIT is a portable, laptop-based unit with comprehensive network forensics features that can be carried to any location for network-based investigation tasks. NIT can be used to intercept targeted networks or users in order to collect the necessary evidence and trace the source of a communication. The unique capability of this system is its combination of features and functions for LAN real-time interception, WLAN real-time interception, HTTPS/SSL MITM interception on both LAN and WLAN networks, and offline analysis and reconstruction of pre-captured raw data files. A 3.5G/HSDPA USB adapter is included in the package so that the user can remotely access and manage the system.
Unauthorized internal and external access to, and attacks on, an organization's internal file servers or database systems have become very common. Staff can easily reach the information shared on the organization's networks, including databases (customer information, vendor information, etc.) and the confidential and non-confidential files stored on the internal network (usually in the server farm). We read about cases in which customer information is stolen by internal staff at banks, financial organizations or government organizations and then sold to competitors or other parties profiting from marketing. We experience it ourselves when we receive calls from banks or credit card companies we have never had any relationship with, asking us to subscribe to their services. These are serious issues for every organization that does not have sufficient protection for its internal database and file server systems.
E-Detective Data Guard System monitors and logs all access to and activity on internal databases (MS SQL, MySQL, Oracle DB, etc.), CIFS file servers, local email servers (POP3/SMTP/IMAP), webmail (Zimbra Mail), FTP servers, etc., within the organization's networks. It also provides alert and notification functions that alert the administrator when a pre-configured condition is matched or triggered. In addition, it has full search and query capability and a range of reporting functions.
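One way to picture the "alert when a pre-configured condition is matched" function is a small rule set evaluated over access-log lines. The block below is an added example, not Data Guard's own code or log format: the key=value log layout, field names, user names, paths, thresholds and the four rules (bulk query, off-hours access, read of a restricted share by a non-authorized user, failed-login burst) are all constructed for illustration. Each rule is evaluated per line as the log is read, so the same function works on a live feed or on a stored log.

```python
"""Alert rules over database/file-server access logs.

Constructed example, not E-Detective Data Guard code. Parses access-log
lines, evaluates a small pre-configured rule set and returns alerts.
The log format, fields, users, thresholds and rules are all made up.
"""
from collections import defaultdict
from datetime import datetime

# Constructed log lines in a key=value layout (not any real product's format).
SAMPLE_LOG = """\
2024-03-05T09:12:01 user=alice src=10.1.4.22 service=mysql target=customers action=SELECT rows=120 result=ok
2024-03-05T02:13:44 user=bob src=10.1.4.31 service=mysql target=customers action=SELECT rows=250000 result=ok
2024-03-05T10:05:10 user=carol src=10.1.9.8 service=cifs target=//fs01/finance/payroll.xlsx action=READ rows=0 result=ok
2024-03-05T10:05:11 user=dave src=10.1.9.9 service=ftp target=/exports action=LOGIN rows=0 result=fail
2024-03-05T10:05:12 user=dave src=10.1.9.9 service=ftp target=/exports action=LOGIN rows=0 result=fail
2024-03-05T10:05:13 user=dave src=10.1.9.9 service=ftp target=/exports action=LOGIN rows=0 result=fail
2024-03-05T10:05:14 user=dave src=10.1.9.9 service=ftp target=/exports action=LOGIN rows=0 result=fail
2024-03-05T10:05:15 user=dave src=10.1.9.9 service=ftp target=/exports action=LOGIN rows=0 result=fail
2024-03-05T10:06:00 user=erin src=10.1.4.40 service=mysql target=vendors action=SELECT rows=40 result=ok
"""

# Pre-configured conditions (hypothetical values chosen for the example).
RULES = {
    "bulk_query_rows": 100000,                 # rows returned by a single query
    "business_hours": (8, 18),                 # local hours [start, end)
    "sensitive_targets": {"//fs01/finance/"},  # path prefixes with restricted readership
    "sensitive_allowed_users": {"alice"},      # who may read those paths
    "failed_login_burst": 5,                   # failures from one user+source
}


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed timestamp and int rows."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts_text)
    fields["rows"] = int(fields.get("rows", 0))
    return fields


def evaluate(log_text, rules=RULES):
    """Return [(rule_name, user, detail), ...] for every condition matched in log_text."""
    alerts = []
    failures = defaultdict(int)                # (user, src) -> consecutive login failures
    start, end = rules["business_hours"]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, hour = ev["user"], ev["ts"].hour

        if ev["rows"] >= rules["bulk_query_rows"]:
            alerts.append(("bulk_query", user, "%d rows from %s" % (ev["rows"], ev["target"])))

        if not (start <= hour < end) and ev["service"] in {"mysql", "cifs"}:
            alerts.append(("off_hours_access", user, "%s at %s" % (ev["target"], ev["ts"].isoformat())))

        restricted = any(ev["target"].startswith(p) for p in rules["sensitive_targets"])
        if restricted and user not in rules["sensitive_allowed_users"]:
            alerts.append(("sensitive_target", user, ev["target"]))

        if ev["action"] == "LOGIN" and ev["result"] == "fail":
            key = (user, ev["src"])
            failures[key] += 1
            if failures[key] == rules["failed_login_burst"]:   # fire once, at the threshold
                alerts.append(("failed_login_burst", user,
                               "%d failures from %s" % (failures[key], ev["src"])))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in evaluate(SAMPLE_LOG):
        print("ALERT %-19s user=%-6s %s" % (rule, user, detail))
```

Notification is deliberately left out of the block: in practice `evaluate` would feed its alert list to whatever channel the administrator configured (email, syslog, a ticket), and the threshold values would come from the product's configuration rather than a constant.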
Central Management Server (CMS) is a high-performance Linux-based network appliance that extends the reach of E-Detective across large enterprise or even ISP-scale networks, providing real-time centralized reporting, searching and querying as well as alert and notification functions. CMS aggregates and manages a cluster of distributed E-Detective systems (in the same location or in multiple locations) in real time, providing a single, hierarchical enterprise-wide view across the network.
Central Management Server is designed to aggregate data hierarchically from multiple or distributed E-Detective systems, for ultimate scalability and deployment flexibility across organization-specific or ISP-scale network topologies and infrastructures. The CMS design also allows hierarchical analysis and investigation operations and visibility, including querying, searching, alerting, notifying and reporting, to extend across multiple E-Detective systems. This provides a single point of access to multiple E-Detective systems.
Diagram 1: E-Detective, DRMS and CMS implementation in ISP network for LI purpose
Diagram 2: CMS aggregating and managing multiple or distributed E-Detective systems deployed in different office branches (in different locations).