Blog Careers Support +1 408 944 0250

Investigating Encrypted Data with Deep Packet Visibility

Computer code with a digital fingerprint overlaid

Pervasive encryption of internet communications continues to challenge lawful interception and intelligence practices, and investigators require updated tools and techniques. At the same time, communications and services have proliferated, particularly with over-the-top (OTT) communication platforms such as Telegram, Signal, Messenger, and WhatsApp. In this environment, law enforcement agencies (LEAs) are not only unable to read the contents of messages, but often unable to even classify the traffic. In response, it has become increasingly critical to develop and use mechanisms for investigating the evidence that remains available.

In practical terms, extracting intelligence from encrypted communications requires a refocus from the payloads of messages to the traffic flows that surround them. Superior traffic analysis based on deep packet inspection (DPI) can reveal insights that help overcome the limitations to LEAs of an internet gone dark. The SS8 lawful intelligence platform provides visibility into encrypted traffic flows using the Enhanced Protocol Extraction Engine (E-PXE), such as what application and underlying service a subject of interest is using, when, and for how long. Building on that foundation, SS8 capabilities make it possible to identify other parties involved, establish patterns of life, and advance investigations, regardless of message encryption.

Analyze Traffic Flows for Communications Insights

SS8 builds on nearly 25 years of experience to extend the potential of DPI to reveal maximum intelligence from encrypted traffic streams. E-PXE investigates beyond the conventional IP packet headers used for network routing and into the nested headers of encapsulated traffic. By analyzing those headers, DPI makes it possible to generate metadata that can be analyzed to reveal application-level characteristics of the communications from captured data sessions.

After a communication service provider (CSP) responds to a warrant or other authorization with data intercepted from a subject of interest, E-PXE uses enhanced DPI to provide insights from individual packets as well as broader traffic flows. In addition to identifying the application—such as WhatsApp— the Intellego XT lawful intelligence platform can also use this information to identify the specific communication modality, such as text, voice, or video, as well as the devices and IP addresses related to each data flow.

The metadata that the SS8 platform captures and attaches to traffic flows enables matching based on analytics and digital signatures between intercepted traffic flows and known patterns. The scope of metadata tags used varies according to the type of intercepted traffic involved, but they capture information specific to the individual communication session, such in as the following examples:

  • Web browsing: URLs, hostnames
  • Messaging: Chat IDs, nicknames
  • Email: Account login IDs, email addresses
  • Voice and video: 164 international phone numbers, session initiation protocol (SIP) data

The SS8 platform applies heuristics-based analysis to this metadata to deliver probability-based conclusions about the nature of the communications. Timestamps derived using protocol information and heuristic methods can be applied to the traffic flows to provide timelines for specific interactions. Overlaying those timelines with the broader context of a crime can help establish a subject’s patterns of life and determine whether or not that individual was involved with key events. SS8 maintains the signatures used in these processes based on evolving intelligence, similar to antivirus signatures.

Identify and Profile Subjects in their Online Contexts

The growing prevalence of direct, peer-to-peer communications between devices in OTT applications adds complexity to the process of developing protocol-oriented insights. For example, most WhatsApp calls are initiated by the service but carried out directly from one handset to the other using Real-time Transport Protocol (RTP) and related mechanisms. While the communications stream does not pass through WhatsApp servers, the information needed to initiate the connection can automatically and efficiently identify, for example, that a video call occurs between two specific IP addresses.

Using that information, an LEA can work with the relevant application providers and mobile network operators to identify the subscriber assigned that IP address at the relevant time. In the common case where the phone number belongs to a burner (pay-as-you-go) phone that does not require registration, the LEA may be unable to associate it with an individual of interest. Intellego XT works through that limitation, creating a bridge to a real-world identity based on open source intelligence integration. Formal, pre-established workflows in the SS8 platform make it possible for investigators to heuristically find that identity.

The process involves scraping the internet to find relevant associations between the phone number and other information. Investigation can extend to the deep and dark web as well, to identify the existence and nature of potential illegal activities by the subject as well as whether that individual’s information is included in a data breach, for example. SS8’s MetaHub ingests that information and correlates the clues together to posit the identity of the parties on the call. In addition to identity details, context about individuals of interest and their associates found through this process can help advance investigations from scraps of information to clear insight.

About David Anstiss

David Anstiss Head Shot - SS8 Networks

David Anstiss is Director of Solution Engineering at SS8 Networks. He has been with SS8 since 2015 and has significant experience in critical network architecture technology and advanced data analytics. He currently works as part of the Technical CTO Group under the leadership of Dr. Cemal Dikmen and is responsible for leading engagement with both intelligence agencies and Communication Service Providers (CSPs) around the world. He has been instrumental in helping them transition to 5G, defining system requirements to meet regulatory compliance. As a member of ETSI, he represents SS8 to ensure the adoption of cloud-native infrastructure is met with industry best practices and to guarantee that compliance of lawful interception is maintained. Learn more about David here on his LinkedIn profile.

About Rory Quann

Rory Quann headshot v2Rory Quann is Head of International Sales at SS8 Networks and brings with him over 10 years of experience in the Lawful Interception and Data Analysis industry. Prior to joining SS8 in 2013, Rory worked for BAE System Applied Intelligence where he was focused on large scale Government deployments of Intelligence Solutions. Rory has held multiple positions in the Lawful Intelligence space ranging from Deployment Engineer, System Consultant, and Sales Engineer focusing on Country-wide Passive deployments. Rory is a Certified Microsoft MCSA Engineer and EMC Certified deployment Engineer. You can learn more about Rory on his LinkedIn profile by clicking here.

About SS8 Networks

As a leader in Lawful and Location Intelligence, SS8 helps make societies safer. Our commitment is to extract, analyze, and visualize the critical intelligence that gives law enforcement, intelligence agencies, and emergency services the real-time insights that help save lives. Our high performance, flexible, and future-proof solutions also enable mobile network operators to achieve regulatory compliance with minimum disruption, time, and cost. SS8 is trusted by the largest government agencies, communications providers, and systems integrators globally.

Intellego® XT monitoring and data analytics portfolio is optimized for Law Enforcement Agencies to capture, analyze, and visualize complex data sets for real-time investigative intelligence.

LocationWise delivers the highest audited network location accuracy worldwide, providing active and passive location intelligence for emergency services, law enforcement, and mobile network operators.

Xcipio® mediation platform meets the demands of lawful intercept in any network type and provides the ability to transcode (convert) between lawful intercept handover versions and standard families.

To learn more, contact us at

Follow Us LinkedIn       Or X @SS8

SS8 Newsletter



How to Ingest, Filter and Query 5G Volumes

Webinar Presented by Kevin McTiernan

CLICK HERE to watch!