E-Detective is professional equipment for trace network crime, which is one-way interception machine installed on network. In order to avoid interrupting the normal operation of network, the contents of network communication will be copied to send to the collection system, which filters those without court’s authority. The data filtered can be saved in equipment for the basis of investigation and justice, which is a good tool for investigation organization against crime and evidence collection.

I. Front-end Sensor
This sensor provides to separate network packets from those for specific IP address, which not only can be set in accordance with user’s demand but also can provide packet retrieve and decoding system for packet recording and protocol decoding. There are two optical ports and two 10/100/1000Mbps ports in this sensor.

Front-end Sensor for E-Detective:

1.	Network packets and the conditions of separating IP address can be set according to user’s demand, including: designate IP address, Protocol, Domain Name, Mac Address, and Port Number to be recorded. These conditions can target source address and/or destination address.
2.	Partial Match can be used to set the conditions of IP address and specific message (Protocol). For example: a. Value 10.255.254.18 b. Range 10.255.＊.＊
3.	Packets can be saved in advance to individually separate IP, Protocol, Port Number, Domain Name, and Mac Address according to flow command.
4.	Packet retrieve and decoding system can be linked without affecting file transfer.
5.	All packets in Network Layers can be transferred for troubleshooting.
6.	An input port doesn’t take up IP address.

II. Packet Retrieve and Encoding System
This system needs to include packet recording, decoding, retrieve, and export, which the specifications are as follows:
(1) Packet Recording

1.	Network communication can be linked to authenticate front-end sensor, so that packet recording is performed without affecting file transfer.
2.	The 10/100/1000Mbps rate for packet recording must be provided under the different network environment.
3.	Packets with tcpdump must be provided to save in accordance with minute, hour, day and size.
4.	The packet format is standardized, and exported with .tcpdump for reading of other software, such as ethereal.
5.	A graphic user interface is provided to burn packets files into CD.

(2) Packet Encoding and Retrieve

1.	The contents of original packet can be retrieved.
2.	An interface is provided to import files with .tcpdump, and decode the contents of packet.
3.	Protocol packets are decoded as follows, and the original contents and communication IP and date are restored: a. Web browsing and e-mail (HTTP/URL): Including general webs, e-mails (yahoo, hotmail, hinet, seednet, url, pchome, sina, and yam), contents and attached files. b. Post Office Protocol/ Simple Mail Transfer Protocol (POP3/SMTP): Receiving and sending e-mail address (When a sender sends an e-mail with confidential attachment, the e-mail address will be displayed during monitoring receiver’s information), password, mail content (including header) and attached file. c. File Transfer Protocol (FTP): Account number, password and file restoration. d. Remote Login (TELNET): Account number, password and content. e. Immediate Message (IM): Including MSN 5.0, 6.0, 6.1,7.0,7.5, Yahoo Messenger, ICQ and AOL Messenger. f. MSN and Yahoo VOIP/Web Cam: Conversion restoration as well as resolution of source and destination address.
4.	The decoding results of packet can be retrieved according to IP, communication date, type, and content (search with text retrieve, including attached files in e-mail, and those sent by FTP and chat software). When the decoding contents conform to the conditions set in text retrieve, that string would be highlighted.
5.	Alarm: When the decoding results conform to the conditions according user’s settings, messages and e-mails will be sent to a user.

(3) Decoding Export

1.	A user can retrieve and export the results of packet decoding according to IP, communication date, type, and content (text retrieve).
2.	Each export condition can be exported to one directory, including the website files for decoding.
3.	The burn program is provided to record the export directories. ”Portable Server” is used to burn them into CD.

III. Hardware Specifications for Front-end Sensor:

1.	Intel Pentium 4 processor 3.2 GHz or more
2.	Intel Pentium 4 processor 3.2GHz or more
3.	2 x DIMM sockets or more
4.	2 x PCI Slots or more (1 x PCI-X at least)
5.	Main memory: 4 GB or more
6.	2 x USB or more
7.	HD driver: 2 x IDE 200GB or more
8.	VGA card: 64MB or more
9.	Built-in speaker
10.	Ethernet card: 2 x optical network interface or more
11.	thernet card: 2 x 10/100/1000Mbps Ethernet ports (Intel PRO/1000 MT Dual Port Server Adapter PCI-X)
12.	CD burner: 52/24/52x or more
13.	Power supplier: 450W or more
14.	19” rack in compliance with industrial standard

IV. Packet Retrieve and Encoding System Host

1.	Intel Xeon/3.2 GHz or more
2.	Mother board: (1) Support Intel Xeon 3.2GHz or more (2) 2 x DIMM sockets or more (3) 3 x PCI Slots or more
3.	Main memory: 2GB or more
4.	2 x USB or more
5.	HD driver: 2 x 200GB or more
6.	VGA card: 64MB AGP
7.	Built-in speaker
8.	Ethernet card: 2 x 10/100/1000 Ethernet ports
9.	CD burner: 52/24/52x or more
10.	Cooling fan
11.	Power supplier: 400W or more
12.	19” rack in compliance with industrial standard