VoIP Forensics

In this project we analyze a popular Voice over IP (VoIP) protocol and propose a framework for capturing and analyzing volatile VoIP data, in order to determine forensic readiness requirements and to identify an attacker. The analysis was performed on real attack data and the findings were encouraging: it seems that if appropriate forensic readiness processes and controls are in place, a wealth of evidence can be obtained, such as the private IP addresses of the attacker (including the existence of potential NAT services), the end-user equipment of the legitimate users, and the attack tools employed by the malicious parties.

Internal Users SIP User Agents


External malicious users mainly use the SIPVicious VoIP audit suite and SipCli. Another category, named “Excessive Spoof”, was discovered…



Internal Users
All SIP/SDP header information is gathered in order to build a complete profile of the internal users.
Download full report

External Malicious Users
The second group of users concerns external malicious users.
Download full report.
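
The header-level evidence described above (User-Agent strings, private addresses, signs of NAT) can be pulled from captured SIP messages along these lines. This is an added example, not code from the project or its reports; the function names, the User-Agent substrings used to tag tools, and the sample message are assumptions constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed User-Agent substrings for the tools the page names; not taken from the report.
TOOL_HINTS = {"friendly-scanner": "SIPVicious", "sipvicious": "SIPVicious", "sipcli": "SipCli"}
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")
SENT_BY = re.compile(r"SIP/2\.0/\w+\s+([^;:\s]+)")  # host part of a Via header

def is_rfc1918(text):
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:  # host name or malformed literal such as 999.1.1.1
        return False
    return any(addr in net for net in RFC1918)

def parse_sip(raw):
    """Return (start_line, {lower-cased header name: [values]}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    start, *lines = head.split("\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start, headers, body

def profile(raw, src_ip):
    """Evidence record for one captured SIP message and the packet's source IP."""
    start, h, body = parse_sip(raw)
    ua = (h.get("user-agent") or h.get("server") or [""])[0]
    m = SENT_BY.search((h.get("via") or [""])[0])
    sent_by = m.group(1) if m else ""
    text = " ".join(h.get("via", []) + h.get("contact", [])) + " " + body
    return {
        "start_line": start,
        "user_agent": ua,
        "tool": next((t for k, t in TOOL_HINTS.items() if k in ua.lower()), None),
        "private_ips": sorted({ip for ip in IPV4.findall(text) if is_rfc1918(ip)}),
        # A private Via host that differs from the packet source implies address translation.
        "nat_suspected": is_rfc1918(sent_by) and sent_by != src_ip,
    }

# Constructed sample: an INVITE captured arriving from 203.0.113.7 (documentation range).
SAMPLE = ("INVITE sip:100@pbx.example.org SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.1.23:5060;branch=z9hG4bK-1;rport\r\n"
          "Contact: <sip:100@192.168.1.23:5060>\r\nUser-Agent: friendly-scanner\r\n"
          "\r\nv=0\r\nc=IN IP4 10.0.0.5\r\n")
print(profile(SAMPLE, "203.0.113.7"))
```

Compact header names and folded header lines are not handled here; a capture pipeline would normalise those before profiling.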

Fingerprinting a Private LAN
In this section, the case of the “Intracom/Intracom-1.63.A” User Agent is selected from the internal users list and presented in more detail. This case is of particular interest, as it involves an ADSL router with VoIP capabilities that was successfully identified. The goal was to investigate whether it is possible to discover devices located inside the router’s private LAN.
Download full report.


Copyright © 2017 Information Security and Incident Response Research Unit. All Rights Reserved.