VoIP Evidence Model: A New Forensic Method for Investigating VoIP Malicious Attacks

Mohammed Ibrahim, Mohd Taufik Abdullah, Ali Dehghantanha
Faculty of Computer Science and Information Technology, Universiti Putra Malaysia, 43400 UPM, Serdang, Selangor, Malaysia

978-1-4673-1677-4

Abstract-- Although the invention of Voice over Internet Protocol (VoIP) in communication technology created significant attractive services for its users, it also brings new security threats. Criminals exploit these security threats to perform illegal activities such as VoIP malicious attacks, which requires digital forensic investigators to detect them and provide digital evidence. Finding digital evidence in VoIP malicious attacks is the most difficult task, due to the features associated with a converged network. In this paper, a model for investigating VoIP malicious attacks is proposed for forensic analysis. The model formalizes hypotheses through information gathering and adopts a Secure Temporal Logic of Action (S-TLA+) in the process of reconstructing potential attack scenarios. Through this process, investigators can uncover unknown attack scenarios executed in the course of an attack. Subsequently, it is expected that the findings of this paper will provide a clear description of attacks as well as the generation of more specific evidence.

Keywords-Voice over IP, Malicious attack, Investigation, Evidence Generation, SIP, S-TLA+, Scenario Fragment

I. INTRODUCTION

Voice over Internet Protocol (VoIP) calls are very common in contemporary telecommunication, with clear potential as the next-generation telephone of preference. This offers a new setting that differs from the dominated and closed environment provided by traditional telephone call service providers [1]. The utilization of VoIP is radically shifting the global communications system through active synchronization of speech and video data that travel along with traditional data packets [2]. The benefits of using the technology include, among others, cheaper call costs for local, long distance and international calls. People commonly make telephone calls with IP phones or soft phones (such as Skype) and send instant messages to their friends or loved ones via their computer systems [3]. Although the invention of Voice over Internet Protocol (VoIP) in communication technology has created significant satisfactory services for its users, it also brings new security threats [2]. The major drawback of VoIP services is their vulnerability to numerous potential security threats inherited from the Internet Protocol (IP) [4]. The most serious of these threats are denial of service, host and protocol vulnerability exploits, surveillance of calls, hijacking of calls, user identity theft, eavesdropping and the insertion, deletion
and modification of audio streams [5]. Criminals exploit these security threats and perform illegal activities such as VoIP malicious attacks, which might require digital forensic investigators or law enforcement agents to detect them and provide digital evidence in a court of law. Finding evidence in VoIP malicious attacks is the most difficult task, due to the features associated with a converged network. Additionally, the complex nature of the service infrastructure, such as SIP registrars, SIP proxies, DNS servers, AAA servers, DHCP servers, routers, and wireless and wired network components, increases the complexity of handling a digital investigation. Despite these challenges, various techniques have been put in place to investigate VoIP malicious attacks.

A. Related Work

The authors of [6] and [7] respectively developed an algorithm and a forensic pattern to detect VoIP malicious packets using an intrusion detection system. However, novel attacks can bypass an intrusion detection system without being detected. In [8] the vulnerable part of a VoIP system was examined and a pattern was proposed to support the investigation of malicious attacks. The author in [2] used a VoIP network forensic model to detect steganographic techniques in a converged network. VoIP crimes were investigated using a memory forensic technique [9], but the authors concluded that the major drawback of this technique resulted from its inability to verify the resulting memory image of the target machine. In [1] a standard operating procedure called VoIP DEFSOP is discussed; according to this procedure, attack packets are identified by differentiating between normal and abnormal packets. However, not every attack packet sends an abnormal message.
Other techniques, like the collaborative forensic framework [10] and the network forensic mechanism [11], aimed at identifying the origin of the attack by collaborating with network operators and service providers to trace back VoIP calls within single and multi-autonomous systems using a proposed model called SKYEYE. This model relied on SIP message header field values (HFVs) to indicate the type of the attack, but, as noted above, not every attack packet sends an abnormal message.
Apart from the individual weaknesses mentioned for some of the aforementioned techniques, they have shown effectiveness in searching for digital evidence of VoIP malicious attacks. However, the techniques described by [1], [7], [10] and [11] are inadequate for investigating novel malicious attacks, since most novel attacks can bypass an intrusion detection system and do not send abnormal messages. This problem may lead to information trade-off, a situation whereby investigators have insufficient details to understand the system under investigation. As a result, the amount of generated evidence may be reduced, as many attack packets will be left undetected. However, none of the aforementioned techniques considered this problem. Hence, with the growing rate of malicious attacks in VoIP and the complexity of its service infrastructure, such a problem may affect the integrity and reliability of collected evidence, thus affecting the purpose of computer forensics, which aims at ensuring the non-repudiation and integrity of digital evidence [1].
The aim of this paper is to develop and illustrate a new model called the VoIP Evidence Model (VoIPEM), through which information will be gathered from different parts of a VoIP system for the purpose of formulating hypotheses that enable investigators to overcome the insufficient details experienced in the course of an investigation. In this model, instead of relying on a specific component to identify attacks, the VoIP system as a whole is considered to be a state machine in which behaviors that violate its desirable properties are considered to be malicious. Consequently, it may resolve the problem of identifying novel attacks that bypass other techniques. The S-TLA+ model checker is adopted to check the reliability and integrity of newly generated evidence. This model checker can be used by investigators to understand whether generated evidence is consistent with the available evidence. Thus, the amount of unnecessary data accumulated during an investigation will be reduced.

Moreover, the model is capable of reconstructing events and actions performed by the intruder. Therefore, all actions performed by the attacker will be conceptualized to understand where and how such an attack happened for forensic analysis. This paper extends the work of [11] and proposes a VoIP Evidence Model (VoIPEM) that will simplify and aggregate other components and protocols in investigating VoIP malicious attacks. To efficiently understand our model, we adopted the method of secure temporal logic of action S-TLA+ used by [12]; S-TLA+ is generic and applicable to digital investigation irrespective of computer security technology. In addition, S-TLA+ is a logic-based formalism that allows adding forward hypotheses when there are insufficient details to understand the system under investigation [12]. The rest of the paper is organized as follows: Next section describes VoIP malicious attacks; section III describes VoIP digital forensic investigation, section IV explains S-TLC model checker and V conclusion.

II. VOIP MALICIOUS ATTACKS

Malware is the common term used to describe software designed to disrupt a computer system without the knowledge of the owner [13]. VoIP is open to such malware attacks if its vulnerabilities are exploited. Attackers with access to a VoIP network may interrupt media service by flooding traffic, access private information by illegal interception of call signals or call content, hijack calls by server impersonation and make fraudulent calls by spoofing identities [3]. Such problems violate the integrity, availability and confidentiality of the users. Spammers also make use of VoIP services to deliver spam calls, instant messages, or presence information, which is more effective than ordinary email spam as it is difficult to filter [3]. Likewise, attacks can be transmitted across gateways to integrated networks like mobile and traditional telephony. Compromised VoIP applications also constitute a bridge to escape security mechanisms and attack internal networks [13]. Cross Script attacks and database injection vectors can be carried by malformed SIP messages to attack embedded web servers [13].

A. SIP Malicious Attack

In this section, we describe one of the most current threats related to Session Initiation Protocol (SIP) malicious attacks, known as VoIP spam. Spam, as is well known, is an unsolicited bulk email or call intended to advertise social engineering. The textbook Voice over IP Security reports that “Spam wastes network bandwidth and system resources. It exists in the form of Voice, instant message (IM) and presence Spam in a VoIP environment” [3]. Spam results from a set of session initiation attempts to establish a voice or video communications session with other users. If a user answers, the spammer proceeds to relay a message over the real-time media. This type of spam is the classic telemarketer spam applied to the VoIP protocol (SIP), and is commonly referred to as Spam over IP Telephone (SPIT). Spam is classified into instant message spam (IM Spam) and presence spam (SPPP). The former is similar to email spam, but it is a bulk and unsolicited set of instant messages whose content contains the message that the spammer is seeking to convey. IM spam is sent using SIP MESSAGE requests with large subject headers, or SIP messages with text or HTML bodies. The latter is similar to the former, but it is placed on presence requests (that is, SIP SUBSCRIBE requests) in an attempt to get onto the "white list" of users in order to send them instant messages or set off other forms of communication [3].

III. VOIP DIGITAL FORENSIC INVESTIGATIONS
Lin and Yen [14] defined digital forensics science as “to preserve, identify, distract, record and interpret the computer and network system evidence and analyze the formed science through complete and perfect methods and procedures.” Forensic computing is an extremely important cross-disciplinary research area based on computer science and drawing on telecommunications and network engineering, law, justice studies, and social sciences [9]. Many models and methodologies have been developed by different organizations to meet their organizational security policies. There are more than hundreds of digital forensic procedures developed all over the world [15]. The increasing number of security challenges in VoIP has encouraged researchers to develop many models, including a Voice over IP (VoIP) standard operating procedure, in which a model called Voice over IP Digital Evidence
Forensic Standard Operating Procedure (VoIP DEFSOP) is established [14]. At the 42nd Hawaii International Conference on System Sciences (2009), it was noted that there was no comprehensive research agenda in digital forensics; as a result, six additional research areas were introduced, and among these is Evidence Modeling. Evidence Modeling can replicate the investigative process for practitioners and case modeling for different categories of crimes [16]. In addition, the high growth of crimes involving computers over the last decade has encouraged companies and products that aim to help determine who, what, where and how an attack happened [17]. To comply with this recent development, VoIPEM is capable of assisting the process of investigation by providing models of evidence associated with VoIP malicious attacks. Subsequently, the reconstruction of potential attack scenarios will enable investigators to conceptualize what, where, and how the attack happened in a VoIP system.

A. VoIP Evidence Model (VoIPEM)

The idea proposed in [15] to trace out evidence from criminal attacks based on hypothesis formulation is important in investigating malicious attacks. VoIPEM, as a model, views a VoIP system as a state (which describes the current behavior of its components at a time) and is based on four major components as shown in the figure below.

Fig. 1 VoIP Evidence Model

Fig. 1 shows the VoIP Evidence Model and the stages in the investigation process. Below is the description of each module.

1) Terminal State/Available Evidence: This is the final state of the system at the occurrence of the crime scene, which provides the available evidence. The terminal state is the point where the indication of malicious action is observed, which enables the investigator to understand the type of malicious action performed to move the system to an unsafe state. It is characterised by an action that changes the system to an unsafe state; the other property, described by [18], is system compromise, which includes any of the following:

undesirable safety property of some system components
unexpected temporal property

Given as the final state of VoIP system and be the collection of all its desirable properties. If then the final state of the system is said to be unsafe and can be written in Temporal Logic Action (T-LA) as . And given be the collection of all actions related to each reachable state; if { then is said to be a malicious action. Thus is indicating one of the available evidence.

2) Information Gathering: This component is aimed at collecting and gathering information that will provide details about the VoIP system state. This stage involves the following subcomponents.

VoIP components: These include components providing services like call set up, media control, protocol conversion, voice mail access, user interaction and so on. The components can be media gateways, call processing servers, proxy servers and so on, depending on the type of protocol in use. Details on software and hardware behaviour are also needed to provide the investigator with a clue about the VoIP system state at a given point. VoIP system states are defined to be the valuation of component variables that change as a result of actions executed upon them. If are components variables that changes with executable action in a given state then these variables are referred to as flexible variables given as and for any action that transform and . Where and are the variables in old and new state and respectively. Then the behaviour of and are observed to determine whether they are desirable to the system state or not.

VoIP vulnerabilities: These refer to any weaknesses an attacker can exploit to perform the attack. They include weaknesses of the VoIP components associated with operating systems and network infrastructure. Some weaknesses may result from errors in design and implementation, security flaws and misconfiguration of network devices. The VoIP protocol stack (both SIP and H.323) also has weaknesses that might grant an intruder access to text-based credentials and other confidential information.
3) Evidence Generation: At this stage, hypotheses are formulated based on the information gathered in the previous stage, which can be used in the process of finding and generating more evidence. The logic of digital investigation should be applied to consider the available evidence collected from different sources and handle its incompleteness by generating a series of crime scenarios according to the formulated hypotheses. This stage involves the following subcomponents:
Hypothesis formulation: To overcome the lack of details encountered during investigation, a hypothesis needs to be formulated based on the intruder's anticipated knowledge about the system, with details of the VoIP components from the information gathered. The idea behind the generation of hypothetical actions is based on the fact that unknown actions can be generated if additional details about internal system components are available [18]. The reason for hypothesis formulation is to predict the unknown VoIP malicious attack. In this case, there is a need to have specific variables attached to the hypotheses and to the VoIP components respectively, and a clear assumption should be made to establish a relationship between them. This will determine what effect such a hypothesis will have if it is applied to VoIP components. To achieve this, three main requirements are set out:

a) Hypotheses should establish a clear relationship between system states (that is, VoIP component states in this regard), to avoid violating the original properties (Type Invariant) of the system under investigation.
b) All hypotheses found to be inconsistent (contradictory) are to be represented, to stop adding misleading hypotheses within the generated attack scenario.
c) The relationship between hypotheses should be described in order to select and add efficient hypotheses; this will reduce the number of hypotheses under which a node is reachable [12].
The investigation process depends on the formulation of hypotheses to explain what happened. At the lowest levels of an investigation, hypotheses are used to reconstruct events and to abstract data into files and complex storage types, while at higher levels of investigation, hypotheses are used to describe user actions and sequences of events [19]. An investigation can be seen as a process that applies a scientific approach to formulate and test hypotheses. In this regard, VoIP variables are expressed as (indigenous Variable), while the other variables provided by hypotheses are expressed as (Exogenous Variable). A hypothetical action is modelled as a series of hypothetical atomic actions (extracted from a collection of hypotheses), executed one after the other from state s to move the system to state t (state t is thus reachable from state s under the hypothetical action) [18]. Consequently, it will describe how VoIP components are expected to behave if a hypothetical action is executed upon them. Hypothetical atomic actions only change a single internal variable (indigenous Variable) and represent a relationship between two consecutive internal system states [18]. Assumptions are clearly made based on the intruder's anticipated knowledge about the system. The collections of hypotheses are assumed to be variables representing the intruder's anticipated knowledge about the system which are different from the flexible variables . As a result, all the variables resulting from hypotheses formulation are referred to as constrained variables given by . Meanwhile, as hypotheses are accumulated, care should be taken to avoid adding a contradictory hypothesis that may stop the system from proceeding to a new state. In S-TLA it is referred to as inconsistency and symbolized as [12]

Modelling of Attack scenario: Because attack scenarios are complex to understand, it is essential to build a model that simplifies their description and representation within a library, and allows generating new attacks starting from existing ones [18]. In view of this, VoIP malicious attacks need to be modelled in order to have a clear understanding of the attack and to describe how and where to extract digital evidence. This study adopted S-TLA+ for modelling attack scenarios because it supports reasoning with uncertainty; evidence can easily be identified with S-TLA+ using a state predicate that evaluates the relevant system variables [12]. In TLA a complete system can be specified by a formula x: [ ]v , describing the set of all its authorised behaviours. It describes a system, whose initial behaviour satisfies and where every state satisfies the next state relation or leaves the tuple of specification variable unchanged. The infinite behaviour of the system is constrained by the Liveness property (written as a conjunction of weak and strong fairness conditions of actions) [18]. In this regard, TLA can be used in S-TLA+ to illustrate a system's progress from one state to another, in advance of the execution of an action under a given hypothesis [12].

An action is a collection of boolean function true or false if ( = true i.e. each unprimed variables in state s is replaced with primed variable in state t the action become true

( = true i.e. each non- assumed constrained variable in state s is replaced with assumed constrained variable in state t. The action become true, and if then the set of actions is said to be legitimate actions. And if then the set of actions is said to be malicious actions, where is the property satisfying the behaviour of . Attack scenario fragment are the combination of both legitimate and malicious action that move the system to unsafe state. Thus, attack scenario .
Testing Attack scenario: Based on the available evidence or the behaviour of the system at a certain point, the investigator should compare the generated attack scenarios with the available evidence. If any of the scenarios satisfies the available evidence, then the investigator should generate and print new digital evidence. Otherwise, the hypothesis should be reformulated. Let be the collection of generated attack scenario and be the set of states in VoIP system. If }
and then satisfied the available evidence, where is the property satisfying the behaviour of and otherwise, known as EvidenceState

4) Print Generated Evidence: To generate evidence from attack scenario fragments, we used the forward and backward chaining phases adopted from inferring scenarios with S-TLC [12]. After being logically proven with S-TLA+, the proposed model is expected to reconstruct malicious attack scenarios in the form of specifications that can be verified using the S-TLA+ model checker called S-TLC. S-TLC is a directed graph based on state space representation that verifies the logical flow of specifications written in the S-TLA+ formal language. As a result, complete reconstructions of attack scenario fragments are represented and the logical relationships between them are depicted on a directed graph. At this point, the investigator is expected to understand what, how, where and why such an attack happened in VoIP. The resulting graph is also expected to generate new evidence that is consistent with the available evidence. For all generated attack scenario such that all the flexible variables and constrained variable can be evaluated as and respectively, where is the valuation of all nonconstrained variables called a node core and is the valuation of all constrained variables called node label. Thus, each reachable state can be represented on the directed graph G with their node core and node label as , respectively.

IV. S-TLC’S (MODEL CHECKER) STATE SPACE REPRESENTATION AND INFERRING SCENARIO
A state can be represented on the directed graph as a valuation of all its variables, including the constrained ones. It involves two notions: node core (a valuation of all the non-constrained variables) and node label (a set of hypotheses, that is, a valuation of all the constrained variables). Given a state t, tn is used to denote its corresponding node core, tc to describe its resulting environment (a set of hypotheses) and Label (G, t) to refer to its label in graph G. The S-TLC algorithm employs three data structures: G, UF and UB. G refers to the reachable directed graph under construction. UF and UB are FIFO (first in, first out) queues containing states whose successors are not yet computed during the forward and backward chaining phases respectively. The S-TLC model checker works in three phases [12].

A. Initialization phase

G, as well as UF and UB, are created and initialized respectively to empty set and empty sequence. At this step, each state satisfying the initial predicate is computed and then checked for whether it satisfies the invariant predicate Invariant (a state predicate to be satisfied by each reachable state). On satisfaction, it is appended to graph G with a pointer to the null state and a label equal to the set of
hypotheses relative to the current state. Otherwise, an error is generated. If the state does not satisfy the evidence predicate EvidenceState (a predicate characterising the terminal state that represents digital evidence), it is attached to UF; otherwise it is considered a terminal state and appended to UB to be retrieved in backward chaining [18].

B. Forward chaining (UF)

All the scenarios that originate from the set of initial system states are inferred in forward chaining. This involves the generation of new sets of hypotheses and evidence that are consequent to these scenarios. During this phase, and until the queue becomes empty, state s is retrieved from the tail of UF and its successor states are computed. For every successor state t satisfying the predicate Constraint (specified to assert bounds on the set of reachable states), if the predicate Invariant is not satisfied, an error is generated and the algorithm terminates; otherwise state t is appended to G as follows:

If G does not contain a node tn, a new node (set to tn) is attached to the graph with a label equal to tc and a predecessor equal to sn. State t is appended to UB if satisfies predicate , else it is attached to UF.

If there exists a node x in G that is equal to tn and whose label includes tc, then it is concluded that node t was formerly added to G. In that case, a pointer is just added from x to the predecessor state sn.

If there exists a node x in G that is equal to tn, and its label does not contain tc, then the node label is updated as follows: initially, tc is added to Label (G, x). Then any environment from Label (G, x) which is a superset of some other element in this label is discarded to ensure hypothesis minimality. Finally, if tc is still in Label (G, t), then x is pointed to the predecessor state sn and node t is appended to UB if it satisfies predicate EvidenceState. If not, it is attached to UF [12].
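The initialization and forward chaining phases described above, as an added example that is not code from the paper or from the S-TLC tool: it builds graph G with node cores, minimal node labels and the UF/UB queues. The SIP registration-hijack model, its three state variables, the three hypotheses and the contradictory pair are constructed assumptions for illustration.

```python
from collections import deque

# Constructed toy model (assumption, not from the paper): a node core is the
# tuple (creds, binding, call) of a SIP registrar serving user "alice".
INIT = ("secret", "alice", "idle")
H_CLEAR, H_WEAK, H_NOAUTH = "sip_cleartext", "weak_password", "auth_disabled"
# Hypothesis sets treated as contradictory (inconsistent) in this toy model.
INCONSISTENT = [frozenset({H_WEAK, H_NOAUTH})]


def next_states(core):
    """Next-state relation: yield (successor core, hypotheses the step needs)."""
    creds, binding, call = core
    if creds == "secret":
        yield ("leaked", binding, call), {H_CLEAR}   # hypothetical: digest sniffed
        yield ("leaked", binding, call), {H_WEAK}    # hypothetical: password guessed
    if binding == "alice":
        if creds == "leaked":
            yield (creds, "attacker", call), set()   # REGISTER with stolen creds
        yield (creds, "attacker", call), {H_NOAUTH}  # hypothetical: no auth required
    if call == "idle":
        yield (creds, binding, "to_" + binding), set()  # INVITE follows the binding


def invariant(core):
    """Type invariant every reachable state must satisfy."""
    creds, binding, call = core
    return (creds in ("secret", "leaked") and binding in ("alice", "attacker")
            and call in ("idle", "to_alice", "to_attacker"))


def constraint(core):
    """Bound on the explored state space (the toy model is already finite)."""
    return True


def evidence_state(core):
    """Terminal state / available evidence: the call reached the attacker."""
    return core[2] == "to_attacker"


def consistent(env):
    """False when the environment contains a contradictory hypothesis set."""
    return not any(bad <= env for bad in INCONSISTENT)


def add_state(G, core, env, pred):
    """Apply the three insertion cases; return True if (core, env) must be queued."""
    node = G.get(core)
    if node is None:                       # case 1: node core not yet in G
        G[core] = {"label": {env}, "preds": {pred}}
        return True
    if env in node["label"]:               # case 2: same core, same environment
        node["preds"].add(pred)
        return False
    node["label"].add(env)                 # case 3: new environment for a known core
    node["label"] = {e for e in node["label"]
                     if not any(other < e for other in node["label"])}
    if env in node["label"]:               # survived the minimality filter
        node["preds"].add(pred)
        return True
    return False


def forward_chain():
    """Initialization plus forward chaining; returns graph G and queue UB."""
    G, UF, UB = {}, deque(), deque()
    env0 = frozenset()
    if not invariant(INIT):
        raise ValueError("initial state violates Invariant")
    add_state(G, INIT, env0, None)         # predecessor None = null state
    (UB if evidence_state(INIT) else UF).append((INIT, env0))
    while UF:
        s_core, s_env = UF.popleft()       # FIFO retrieval
        for t_core, hyps in next_states(s_core):
            t_env = frozenset(s_env | hyps)
            if not constraint(t_core) or not consistent(t_env):
                continue                   # out of bounds or contradictory hypotheses
            if not invariant(t_core):
                raise ValueError(f"Invariant violated in {t_core}")
            if add_state(G, t_core, t_env, s_core):
                (UB if evidence_state(t_core) else UF).append((t_core, t_env))
    return G, UB


def explanations(G):
    """Minimal hypothesis sets (node labels) for every evidence state in G."""
    return {core: sorted(sorted(env) for env in node["label"])
            for core, node in G.items() if evidence_state(core)}


if __name__ == "__main__":
    graph, ub = forward_chain()
    for core, label in sorted(explanations(graph).items()):
        print(core, "explained by", label)
```

Environments that combine `auth_disabled` with a credential-leak hypothesis reach the same node cores but are dropped by the superset rule, so each evidence state keeps only its smallest explanations.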
The resulting graph is a set of scenarios that end in any state satisfying the predicate EvidenceState.

C. Backward chaining phase

All the scenarios that could produce states satisfying predicate EvidenceState, generated in forward chaining, are constructed. Throughout this phase, and until the queue becomes empty, the tail of UB, described by state t, is retrieved and its predecessor states (i.e. the set of states si such that (si, t) satisfy action Next) which are not terminal states and satisfy the predicates Invariant and Constraint are computed (states that contradict predicate Invariant are discarded because this step aims simply to generate additional explanations). Each computed state s is added to graph G as follows:
If G does not contain sn, a new node (set to sn) is added to G with a label equal to the environment sc. Then a pointer is added from node tn to sn and state s is attached to UB.

If there is x in G that is equal to sn, and whose label includes sc, then it is stated that node s has been added previously to G. In that case a pointer is simply added from tn to the predecessor state sn and s is appended to UB.

If there is x in G that is equal to sn, but whose label does not include sc, then Label (G, t) is updated as follows: sc is added to Label (G, x), and any environment from Label (G, x) which is a superset of some other element in this label is deleted to reduce the number of hypotheses. If sc is still contained in the label of state x, then node t is pointed to the predecessor state x and node s is attached to UB.

The outcome of the three phases is a graph G containing the set of possible causes relative to the collected evidence. It embodies different initial system states apart from those described by the specification [12].

V. CONCLUSIONS

In this paper, we have proposed a model for investigating VoIP malicious attacks. This model could provide specific forms of evidence that are consistent with the available evidence as a result of reconstructing potential attack scenarios. Therefore, it could provide significant information on what, why, where and how a particular attack happens in VoIP. To harmonize our study, there is a need for investigation of anonymous and peer-to-peer SIP malicious attacks.
REFERENCES

[1] Yun-Sheng Yen, I-Long Lin, Bo-Lin Wu. “A Study on the Mechanisms of VoIP attacks: Analysis and digital Evidence”. 2011; Vol.8 pp 5667 Journal of Digital Investigation
[2] Jaun C. Pelaez. “Using Misuse Patterns for VoIP Steganalysis”. 20th International Workshop on Database and Expert Systems Application; 2009 p 160
[3] Patric Park. “Voice over IP Security”. 2009; Cisco press ISBN: 1587054698
[4] Hsien-Ming Hsu, Yeali S. Sun, Meng Chang Chen. “A collaborative Forensic Framework for VoIP Services in Multi-network Environments”. 2008; pp 260-271. Proceedings of the IEEE ISI 2008 PAISI, PACCF and SOCO international workshops on intelligence and security informatics
[5] Jill Slay and Mathew Simon. “Voice over IP: Privacy and Forensic Implication”. 2009. International Journal of Digital Crime and Forensics (IJDCF).
[6] Jaun C. Pelaez. “Developing New Approaches for Intrusion Detection in converged Networks”. 2006. p 322-326
[7] Jaun C. Pelaez, Eduardo B. Fernandez, M.M Larronde-Petrie, Christian Weiser. “Misuse Patterns in VoIP”. 2009; Vol. 2, p 635-653. Security and Communication Network.
[8] Eduardo B. Fernandez, Jaun C. Pelaez, Maria M. Larrondo-Petrie. “Security Patterns for Voice over IP Networks”. 2007; p 19-29 Journal of Software, Vol. 2, No. 2.
[9] Jill Slay and Mathew Simon. “Voice over IP forensics”. 2008; eForensics 08 Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia workshop ICST987-963-9799-19-6
[10] Hsien-Ming Hsu, Yeali S. Sun, Meng Chang Chen. “Collaborative Forensic Framework for VoIP services in Multi-network Environments”. 2008; ISI workshop LNCS 5075 pp 260-27
[11] Hsien-Ming Hsu, Yeali S. Sun, Meng Chang Chen. “Collaborative scheme for VoIP traceback”. 2011; p 185-195 Journal of digital investigation.
[12] Slim Rekhis. “Theoretical Aspects of Digital Investigation of Security Incidents”. 2008; PhD thesis
[13] Mohammed Nassar, Radu State, Olivier Festor. “VoIP Malware: Attack Tool & Attack Scenarios”. 2009; IEEE International Conference on Communications, version 1-17
[14] I-Long Lin, Yun-Sheng Yen. “VoIP Digital Evidence Standard Operating Procedure”. 2011; Vol. 2 p 173 International Journal of Research and Reviews in Computer Science
[15] Siti Rahayu Selamat, Robiah Yusof, Shaharin Sahib, Nor Hafeizah Hassan, Mohd Faizal Abdollah, Zaheera Zainal Abidin. “Traceability in Digital Forensic Investigation Process”. 2011; IEEE conference publication. p 101-106
[16] Kara Nance, Brian Hay, Matt Bishop. “Digital Forensic: Defining a Research Agenda Incident Response”. 2009; 42nd Hawaii International Conference on system science. p 1-6
[17] Karen Kent, Suzanne Chevaliar, Tim Grance, Hung Dang. “Integrating Forensic Techniques into Incident Response”. 2006. A white paper submitted by Guidance Software Inc. UK. NIST SP800-86 Notes p 1-20
[18] Slim Rekhis and Noureddine Boudriga. “Logic Based approach for digital forensic investigation in communication Networks”. 2011; p 121
[19] Brian D. Carrier. “A Hypothesis Based Approach to Digital Forensic Investigations”. 2006; PhD thesis, Purdue University.