Technology and Method behind Cross-border Fraud Investigation in Telecom and Internet

How to Combat Cyber Crime Effectively





1. Fraud Crime Cases through Telecom and Internet

I. Traditional Crime with Cutting Edge Technology

With mobile, Internet, IP phone, mobile Internet access or other value-added telecom services, swindlers commit more crimes easily; However, by whatever advanced technology and tool they use, the nature of their crimes always stays all the same. We still need to profile such crimes by the analysis on conditions, mindset, and behavior of crime.

II. crime globalization

As applications and services of telecom technology and Internet are developing rapidly and pervasively, people are also familiar with those services. Fraud crimes through telecom and Internet, which are just like contagious diseases, may widespread globally by networks.

Globalized Crime Issue

Borderless Internet makes crime behavior more globalized. Through the Internet and cloud computing, communication in swindler group can be enhanced and anonymous. Because of limitation of state authority and anonymity, it is really hard for state prosecutors and police to take investigation on the entire crime activities.

Cloud Computing = Network Computing

Through Internet, computers can cooperate with each other, or services are available more far-reaching




III. Hard to analyze large volume of complicated data

There is often large volume of data or information (such as phone multiple transfers) produced by telecom and Internet fraud crimes because of converged IT network and telecom routes. In reality, such huge amount of data is acquired from multiple service providers. Investigators must apply multiple orders from court in advance to connect with data from those service providers.

(for example: If there is phone transfer between 2 operators, investigator must request both to provide CDR information and call content by 2 orders from court ahead of time, and integrate all information for further analysis.)

Therefore, it is no way to cope with such telecom and Internet fraud crime only by tradition way of comparing, claiming or tracing targets manually. It is the best way for investigator to adopt several effective software tools to analyze such huge amount of data.

Converged ICT Communication Routes




IV. Crime toward seamless processes and delicate organization


It is a nature trend that group crime is toward seamless process and delicate organization. There is very clear hierarchy of role and responsibility (R&R) for leader, telecom engineer and service staff in crime group. They never mix the use of phones for crime and private, and adopt one-way contact in order not to be cracked with whole group. Such crime model can be easily duplicated. Fraud crime group often splits into small ones, forms new gang, commits more crimes, and exchanges information and new techniques of fraud.


Common Features


2. Challenges

21 22





3. Trace Communication Route and Obtain Related Data
Methodology and Guidelines of Cyber Crime Investigation

  • Gap between Physical and Cyber Crimes
  • Quest for Investigation on Cyber Crimes

There is no difference between cyber crime and traditional crime in nature. With the advantages of convenience, anonymity and mobility of telecom and Internet, criminals are able to disguise their command center and disrupt the direction of investigation. Lawful enforcement officers need to make more effort in studying crime model and finding the way out to combat criminals.

  • Process Flow for Investigation
39 32

  • VoIP Tactic Server in Investigation into Cyber Crimes
    • VoIP based Interception and data interception of other 150 Internet services
    • Flexible implementation in multiple telecom operators
    • Intercept all VoIP routes from different sources simultaneously
    • Collect original pcap as well as reconstructed voice data for evidence in court
    • Support all common VoIP protocols such as G.711a-law, G,711µ-law, G.726, G.729, iLBC
    • Meet the requirement of state LI Law, ESTI standards

  • E-Detective Tactic Server
  •     LAN Internet Monitoring, Data Retention, Data Leakage Protection & IP Network Forensics Analysis Solution

        Solution for :

    • Route of Internet Monitoring/Network Behavior Recording Auditing and Record Keeping
    • Forensics Analysis and Investigation,
    • Legal and Lawful Interception (LI)
    • VoIP Tactic Server & Mediation Platform

  • E-Detective Standard System Models and Series (Appliance based)
  • 31

  • E-Detective Lawful Interception Solutions
  • 34

  • Sample : VoIP Calls (with Play Back)

  • 35

  • Data from E-Detective VoIP Tactic Server
    • Source IP Address
    • Telephone number of caller
    • Telephone number of receivers/victims
    • Date & time of calls
    • Duration of calls
    • Call content
    • TOP



    Case Study of the Recent Investigation on Cyber Crimes 
    Lessons and Experience

        Real Case on VOIP Investigation

        Problem Here:

        The most common tool by swindler group is telephone. While arriving the telecom room of criminal, sometimes police can’t do anything because they know nothing     about these equipments and can’t track IP phone source from Internet.


  • What to Check from Swindler Computers
    • Group and Billing Systems
    • Account information in SIP Gateway or IP-PBX Servers
    • Detail CDR from SIP Gateway or IP-PBX Servers
  • VOIP Tracking from Swindler Group – Group and Billing System
  • 42

  • VOIP Gateway Investigation from Swindler group- Track SIP Server
  • 43

  • VOIP Tracking from Operator – CDR of SIP Server
  • 44

  • Key Points of Investigation
    1. Aggressively hunting for intelligence
    2. Don’t give up any follow-up opportunities, and carefully analyze any useful information
    3. Active Lawful Intercept:tap into suspected lines, intercept phone number and IMEI, phones in China, interview resident houses, and clarify criminal organization, identity and location

  • Experience
    1. familiar with law and regulations, understand what the target is and what the key evidence is. For example: find Chinese victim information and testimony through cooperation with Chinese Police after breaking cross-strait swindler group in Taiwan. Otherwise, these criminal will be non-prosecuted or non-guilty sentence by court.
    2. Telecom equipment supplier, telecom shop, network engineer, telecom engineer, telecom sales …network and telecom professionals usually are aware of information and location of suspects.
    3. Understand calling flow, and accounts of swindler group from operators side in order to find more background information from CRM and billing systems
    4. Active Lawful Intercept:Tap into suspected lines, intercept phone numbers to China
    5. Carefully Trail down: Prepare information (Time, place, behavior) in advance, trail by segment (not to expose self), identify criminal from different sides
    6. Use confiscated computers for investigation to find more strong evidence.


    5. Conclusion

    1. It is quite nature for criminal to use advanced ICT technologies. Human is the key of crime act. There may not be fault in practice with technology, but human may make mistakes by using it. Investigators are able to find the breakthrough and combat these criminals
    2. Enhance technical on-job training  for police to promote capability of investigation and criminal law
    3. From viewpoint of investigation, enhance horizontal coordination among all units in order not to waste resources. From strategy, increase international, cross-strait cooperation to combat cross-border swindler group
    4. God will help those who work hard
    5. TOP