C.C. Yang et al. (Eds.): ISI 2008 Workshops, LNCS 5075, pp. 260–271, 2008.
© Springer-Verlag Berlin Heidelberg 2008
A Collaborative Forensics Framework for VoIP Services in Multi-network Environments
Hsien-Ming Hsu¹, Yeali S. Sun¹, and Meng Chang Chen²
¹ Dept. of Information Management, National Taiwan University, Taipei, Taiwan
{d94002,sunny}@im.ntu.edu.tw
² Institute of Information Science, Academia Sinica, Taipei, Taiwan
mcc@iis.sinica.edu.tw
Abstract. We propose a collaborative forensics framework to trace back callers
of VoIP services in a multi-network environment. The paper is divided into two
parts. The first part discusses the critical components of SIP-based telephony
and determines the information needed for traceback in single and multiple
Autonomous Systems (ASs). The second part proposes the framework and the
entities of collaborative forensics. We also propose an algorithm for merging
collected data. The mechanism used to execute collaborative forensics with
cooperating units is presented and the procedures used in the collaborative
architecture are described. For every entity, we suggest some interesting topics
for research.
Keywords: collaborative forensics, VoIP services, traceback, SIP.
1 Introduction
The Public Switched Telephone Network (PSTN) has dominated voice communications
over a long period. With the growth of the Internet, however, VoIP (Voice over
IP) services based on packet-switched technology have become widely accepted and
could eventually replace PSTN. Currently, a major drawback of VoIP services is that
they are vulnerable to many potential security threats inherited from the Internet
Protocol (IP). A taxonomy for mitigating potential VoIP security and privacy problems is
defined in [1].
While VoIP services have many desirable communication features, they have also
become a tool for illegal activities, as criminals can communicate via VoIP services
and avoid being intercepted by law enforcement agencies (LEAs). There are a number
of reasons why LEAs have difficulty intercepting and tracing back VoIP calls. Two
major reasons are that 1) diverse techniques are used to access the Internet, e.g.,
campus networks, General Packet Radio Service (GPRS), public 802.11 wireless networks,
and 3G; and 2) the addresses assigned to the caller/callee are dynamic, and the
caller/callee are frequently located behind a Network Address Translation (NAT) router.
Therefore, how to help LEAs identify IP packets lawfully is a major problem in
various networks [2].
The goal of the VoIP traceback task is to trace the identities and geo-locations of
the caller and callee of a VoIP service. To achieve this goal, Network Operators,
Access Providers and Service Providers (NWO/AP/SvP) have to cooperate to record the
identities of the parties and other necessary information. In this paper, we argue that