Crime Investigation with KNIME
Pay TV - a short description
Digital Video Broadcast Receiver
● CSA – Common Scrambling Algorithm
● EMM – Entitlement Management Message
● ECM – Entitlement Control Message
● CW – Control Word
Card sharing – computer fraud
[Diagram: Digital Video Broadcast – User – Card-Sharing]
pcap analysis
One of the questions from the public prosecutor: Which German users were connected to the card-sharing server
over a period of 300 seconds (5 minutes) in the time between 20:00 the day before yesterday and 20:00 yesterday?
Raw data:
● Combined wiretap from 3 card-sharing servers
● Wiretap period of over 3 months
● About 60 files (500 MByte) per day
● About 17 million packets per file
● About 125,000 connections per file
Full workflow
Automation of the analysis process, using a cronjob.
● Download of the wiretap files from the FTP server (every 4 hours)
● Start of the analysis process at 4 o'clock every day
● Strip the Generic Routing Encapsulation (editcap)
● Flow analysis to get the server-client connections within 6 consecutive pcap files (tcpflow)
– KNIME workflow to generate CSV tables with German IP addresses (KNIME batch mode)
● Encryption of the created CSV files (gpg)
● Sending the encrypted files to the investigation department at about 10 o'clock
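The prosecutor's question above and the KNIME step of the workflow both come down to the same filter: from the flow records, pick the German client addresses that held a single connection to one of the wiretapped servers for at least 300 seconds inside the 24-hour window. The Python below is an added stand-alone example of that filter, not the presenter's KNIME workflow or any tool from the slides. The IP prefixes, server addresses, timestamps and the CSV flow table are all constructed (documentation ranges), the time zone is taken as UTC, and the CSV shape is an assumption about what a flow-analysis step over consecutive pcap files could emit.

```python
"""Added example (not the presenter's KNIME workflow): which German clients
held a connection to a card-sharing server for >= 300 s inside the window.

Assumed input shape: one row per TCP connection per pcap file, so a
connection that runs across two files appears twice and is merged first.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed stand-in for the "German IP addresses" table; a real run would
# load RIR allocations or a GeoIP database. 198.51.100.0/24 is TEST-NET-2.
GERMAN_PREFIXES = [ip_network("198.51.100.0/24")]
# Constructed stand-ins for the three wiretapped servers (TEST-NET-3).
SERVERS = {ip_address(f"203.0.113.{n}") for n in (10, 11, 12)}
MIN_DURATION = timedelta(seconds=300)

# Constructed flow table: .7 is one connection split over two pcap files;
# .9 has two short connections on different ports; 192.0.2.33 is not German;
# .20 overlaps the window end by only 3 minutes; .21 lies before the window.
FLOWS_CSV = """\
client_ip,client_port,server_ip,server_port,first_seen,last_seen
198.51.100.7,51234,203.0.113.10,12000,2014-03-10T19:58:00Z,2014-03-10T20:09:30Z
198.51.100.7,51234,203.0.113.10,12000,2014-03-10T20:09:31Z,2014-03-10T20:40:00Z
198.51.100.9,40001,203.0.113.11,12000,2014-03-10T22:00:00Z,2014-03-10T22:01:00Z
198.51.100.9,40002,203.0.113.11,12000,2014-03-10T22:01:05Z,2014-03-10T22:02:00Z
192.0.2.33,33000,203.0.113.12,12000,2014-03-11T01:00:00Z,2014-03-11T03:00:00Z
198.51.100.20,50000,203.0.113.10,12000,2014-03-11T19:57:00Z,2014-03-11T20:30:00Z
198.51.100.21,50100,203.0.113.10,12000,2014-03-10T10:00:00Z,2014-03-10T19:00:00Z
"""


@dataclass(frozen=True)
class ConnKey:
    """TCP 4-tuple identifying one client-server connection."""
    client: IPv4Address
    client_port: int
    server: IPv4Address
    server_port: int


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_flows(text: str) -> dict[ConnKey, tuple[datetime, datetime]]:
    """Merge per-file rows of the same connection into one (first, last) span."""
    spans: dict[ConnKey, tuple[datetime, datetime]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = ConnKey(ip_address(row["client_ip"]), int(row["client_port"]),
                      ip_address(row["server_ip"]), int(row["server_port"]))
        first, last = _ts(row["first_seen"]), _ts(row["last_seen"])
        if key in spans:
            old_first, old_last = spans[key]
            first, last = min(old_first, first), max(old_last, last)
        spans[key] = (first, last)
    return spans


def window_ending(day_iso: str) -> tuple[datetime, datetime]:
    """20:00 on the day before `day_iso` up to 20:00 on `day_iso` (UTC here;
    a real case would use the local time zone of the wiretap)."""
    end = datetime.combine(date.fromisoformat(day_iso), datetime.min.time(),
                           tzinfo=timezone.utc) + timedelta(hours=20)
    return end - timedelta(days=1), end


def is_german(addr: IPv4Address) -> bool:
    return any(addr in net for net in GERMAN_PREFIXES)


def overlap(first: datetime, last: datetime,
            win_start: datetime, win_end: datetime) -> timedelta:
    """Part of [first, last] inside [win_start, win_end]; zero if disjoint."""
    return max(min(last, win_end) - max(first, win_start), timedelta(0))


def clients_connected(spans, win_start, win_end,
                      min_duration=MIN_DURATION) -> dict[str, int]:
    """German clients with one connection to a known server lasting at least
    `min_duration` inside the window; value is the longest such overlap in s.
    Separate short connections of one client are deliberately not summed."""
    hits: dict[str, int] = {}
    for key, (first, last) in spans.items():
        if key.server not in SERVERS or not is_german(key.client):
            continue
        secs = int(overlap(first, last, win_start, win_end).total_seconds())
        if secs >= min_duration.total_seconds():
            hits[str(key.client)] = max(hits.get(str(key.client), 0), secs)
    return hits


if __name__ == "__main__":
    start, end = window_ending("2014-03-11")
    for client, secs in sorted(clients_connected(parse_flows(FLOWS_CSV), start, end).items()):
        print(f"{client}\t{secs} s")
```

Two details matter for a correct answer and are easy to get wrong in a spreadsheet-style workflow: a connection that continues from one pcap file into the next must be merged by its 4-tuple before its duration is measured (the slides handle this by running tcpflow across 6 consecutive files), and a connection that starts before the window or ends after it must be clipped to the window rather than dropped or counted in full. Whether several short reconnects by the same client should count as "connected over a period of 300 seconds" is a legal question for the prosecutor; the example does not sum them.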
Questions?
Andreas Stahlhut
Police Department ZKD Hannover
Cybercrime Investigation
[email protected]