The Australian Federal Police (AFP) intends to expand upon its network forensics expertise to include new deep packet inspection capacity that will be able to capture and retain metadata.
The agency is currently seeking tenders for an appliance that can accept a stream of TCP/IP traffic or potentially previously captured packets in PCAP format. The request for tender does not specify where the input to the appliance will come from, but states that at a minimum, it must be able to analyse flows of information at 10Gbps, regardless of whether it is using IPv4 or IPv6.
Further requirements that the AFP needs are the ability to identify services and applications at the application layer.
While the above requirements are a bare minimum for tenderers to achieve, AFP expects proposals to be able to capture metadata and store it. The legality of doing so would depend on the source of the information.
The AFP has long-admitted it seeks legislative changes that would force telcos and ISPs to retain data so that it may use it in criminal investigations, with its assistant commissioner Neil Gaughan previously stating that "without data-retention laws, law enforcement cannot work out criminal associations," and that ideally, he would like to see data held indefinitely.
Although the nation's proposal for a data retention scheme has all but been shelved for now, such a system described in the request for tender would potentially allow the AFP to stream traffic or import previously captured traffic from telcos and ISPs for analysis.
Proposals are additionally expected to be able to filter out packets based on keywords, protocols, applications, IP addresses and ports. They should also identify malware, antivirus activity, communication and mobile applications, detect various types of encryption when used and de-capsulate tunnelling protocols. An example of the latter could include the Layer 2 Tunneling Protocol commonly used in virtual private network (VPN) connections, assuming the AFP is able to bypass the secure channel typically established to protect such data.
Further requirements for the appliance indicate that it would likely be installed in a datacentre and completely remotely managed.
Shortlisted tenderers are expected to provide a trial of the system on January 28 next year, to be installed at the AFP's High-Tech Crime Operations facility in Barton, ACT. AFP has stated that any storage system by these trial systems will be purchased by the agency, presumably to ensure that sensitive information is not inadvertently passed back to tenderers when the trial is completed and systems are returned. Following an evaluation of each of the trials, AFP could see a system made operational on April 4 next year, with the contract lasting for three years.