Modelling Based Approach for Reconstructing Evidence of VoIP Malicious Attacks

Mohammed Ibrahim, Mohd Taufik Abdullah and Ali Dehghantanha
Faculty of Computer Science and Information Technology
Universiti Putra Malaysia, 43400 UPM, Serdang, Selangor, Malaysia
m.ibrahim47@yahoo.com, {mtaufik, alid}@fsktm.upm.edu.my

ABSTRACT

Voice over Internet Protocol (VoIP) is a new communication technology that uses the Internet Protocol to provide phone services. VoIP provides various benefits, such as low monthly fees and cheaper rates for long-distance and international calls. However, VoIP is accompanied by novel security threats. Criminals often take advantage of such security threats to commit illicit activities. These activities require digital forensic experts to acquire, analyse, reconstruct and provide digital evidence. Meanwhile, various methodologies and models have been proposed for detecting, analysing and providing digital evidence in VoIP forensics. However, at the time of writing this paper, no model has been formalized for the reconstruction of VoIP malicious attacks. Reconstruction of the attack scenario is an important technique in exposing unknown criminal acts. Hence, this paper strives to address that gap. We propose a model for reconstructing VoIP malicious attacks. To achieve that, a formal logic approach called Secure Temporal Logic of Action (S-TLA+) was adopted in rebuilding the attack scenario. The expected result of this model is to generate additional related evidence, whose consistency with the existing evidence can be determined by means of the S-TLA+ model checker.

KEYWORDS

Voice over IP, S-TLA+, Reconstruction, malicious attack, Investigation, SIP, Evidence Generation, attack scenario

1 INTRODUCTION

Voice over Internet Protocol (VoIP) phone services are prevalent in modern telecommunication settings and show the potential to be the next-generation telephone system.
This novel telecommunication system provides a set of platforms that vary from the subjected and closed environment offered by conventional public switched telephone network (PSTN) service providers [1]. The exploitation of VoIP applications has drastically changed universal communication patterns by dynamically combining video and audio (voice) data to traverse a network system together with the usual data packets [2]. The advantages of using VoIP services include cheaper call costs for long-distance, local and international calls. Users make telephone calls with soft phones or IP phones (such as Skype) and send instant messages to their friends or loved ones via their computer systems [3]. The development of VoIP has brought a significant amount of benefits and satisfactory services to its subscribers [2]. However, VoIP services are exposed to various security threats derived from the Internet Protocol (IP) [4]. Threats related to this new technology are denial of service,

International Journal of Cyber-Security and Digital Forensics (IJCSDF) 1(4): 324-340
The Society of Digital Information and Wireless Communications, 2012 (ISSN: 2305-0012)