
T.38 Image Extraction from Captured Network Data

Over time, the Internet has become an expansive world with many different types of traffic flowing through it. While this enables many useful services, it unfortunately gives criminals many ways to attempt to encode and hide their nefarious communications. Lawful interception technologies give law enforcement and government agencies the ability to process collected information that would otherwise be less useful. The ITU standard for real-time facsimile over the IP network, T.38, is one form of communication that could potentially be used to facilitate criminal activities.

During a T.38 transfer, data sent from a fax machine is collected by a T.38 gateway over the PSTN and sent across the IP network in T.38 packets to a remote T.38 gateway, which in turn sends the data to the intended destination fax machine. T.38 data can be transferred using TPKT over TCP, UDPTL over UDP, or RTP over UDP. By using the sequence numbers in each packet, along with any redundant or forward error correction (FEC) packets sent, the full T.38 stream can be reconstructed if the transmission was successful. Afterwards, the T.30 dialogue contained within the T.38 stream can be processed to produce the image sent.
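The UDPTL case of this reconstruction, as an added example that is not code from the original page: it parses the UDP payloads of captured UDPTL datagrams and fills sequence gaps from the redundant secondary IFP packets each datagram carries. The function names are this example's own, the payloads are assumed to be already extracted from the capture, and FEC recovery, fragmented length fields and 16-bit sequence wraparound are left out.

```python
def _length(buf, pos):
    """Decode a PER length determinant; return (value, next_pos)."""
    first = buf[pos]
    if (first & 0x80) == 0:                     # one octet: 0..127
        return first, pos + 1
    if (first & 0x40) == 0:                     # two octets: 14-bit value
        return ((first & 0x3F) << 8) | buf[pos + 1], pos + 2
    raise ValueError("fragmented length not handled here")

def _open_type(buf, pos):
    """Read one length-prefixed IFP packet; return (ifp_bytes, next_pos)."""
    n, pos = _length(buf, pos)
    if pos + n > len(buf):
        raise ValueError("truncated UDPTL payload")
    return bytes(buf[pos:pos + n]), pos + n

def parse_udptl(payload):
    """Return (seq, primary_ifp, secondaries) with secondaries newest first."""
    seq = int.from_bytes(payload[:2], "big")
    primary, pos = _open_type(payload, 2)
    secondaries = []
    if (payload[pos] & 0x80) == 0:              # error-recovery choice: redundancy
        count, pos = _length(payload, pos + 1)
        for _ in range(count):
            ifp, pos = _open_type(payload, pos)
            secondaries.append(ifp)
    return seq, primary, secondaries            # FEC entries are not decoded here

def rebuild_stream(payloads):
    """Return (IFP packets in sequence order, sequence numbers still missing)."""
    seen = {}
    for payload in payloads:
        try:
            seq, primary, secondaries = parse_udptl(payload)
        except (ValueError, IndexError):
            continue                            # malformed or non-UDPTL datagram
        seen.setdefault(seq, primary)
        for back, ifp in enumerate(secondaries, start=1):
            if seq - back >= 0:                 # secondary N carries packet seq - N
                seen.setdefault(seq - back, ifp)
    if not seen:
        return [], []
    missing = [s for s in range(min(seen), max(seen) + 1) if s not in seen]
    return [seen[s] for s in sorted(seen)], missing

# Constructed sample: datagram 1 was lost; datagram 2 carries it as a redundant copy.
# The IFP bytes are opaque placeholders, not real T.38 IFP encodings.
SAMPLE = [bytes.fromhex("0000 02aa01 00 00"),
          bytes.fromhex("0002 01cc 00 02 01bb 02aa01")]
```

A non-empty `missing` list means the T.30 dialogue recovered from the stream may be incomplete at those points, which matters when deciding whether a decoded image can be trusted as a full page.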

T.30 HDLC messages are sent over the IP network as one or more HDLC data frames followed by either an FCS OK or an FCS BAD frame, which indicates whether the T.30 HDLC frame is valid. HDLC data followed by an FCS BAD indication should be discarded. The T.30 DCS message, which contains the final negotiated parameters of the fax image data, must be captured in order to decode the image. After the parameters have been negotiated, the modems are trained. If the training is successful, a T.30 CFR message is sent. After the CFR, the fax image data is transferred either as T.30 FCD messages, framed as described above, or, if Error Correction Mode (ECM) is not enabled, as T.4 non-ECM data frames. This data can be collected and assembled to form the T.4 or T.6 encoded image data, which can then be decoded using the knowledge gained from the T.30 DCS message.