Skip to Content

Intelligence from Encrypted Communications: E-PXE Shines a Light for Law Enforcement Analysts

Increased privacy concerns have led to greater use of encryption technology. SS8’s Enhanced Protocol Extraction Engine illuminates communications that are “going dark”, giving law enforcement visibility into targeted, encrypted communications to solve crimes faster. Learn more!

Intelligence from Encrypted Communications: E-PXE Shines a Light for Law Enforcement Analysts

Read this article to learn how innovative lawful interception solutions even the technological playing field for investigators.

In the last decade, increased privacy concerns have led to greater use of encryption technology. SS8’s Enhanced Protocol Extraction Engine illuminates communications that are “going dark” by analyzing metadata, giving law enforcement visibility into targeted, encrypted communications to solve crimes faster.

In this article, you will learn:

  • How Deep Packet Inspection and Heuristic Analysis are used in E-PXE
  • Insights available from captured metadata, including patterns of life
  • How metadata is fused with other data for actionable intelligence

Content Summary

Executive Summary
Encryption Makes internet Communications Go Dark
E-PXE Throws Light on Encrypted Communications
Extracting Metadata from Encrypted Data Streams
Understanding Patterns of Life
Correlating Data
The Future

Executive Summary

Encryption on the internet began in the mid-2000’s, but by the 2010’s, heightened privacy concerns led most communications service providers to introduce encryption technology across their services. The use of encryption in modern communications means lawful intelligence capabilities must adapt. This whitepaper examines the need for Deep Packet Inspection (DPI) within lawful intercept functions to respond to internet-based communications ‘going dark’.

With an Enhanced Protocol eXtraction Engine (E-PXE), authorized LEAs and intelligence agents have visibility into targeted encrypted communications.

E-PXE enables the generation of metadata – or data on other data – by analyzing a subject of interest’s communications data. Using DPI and Heuristic Analysis, it can then identify the application being used, the type of communication (e.g. text, voice, video), and the devices and IP addresses related to each data flow.

Law enforcement can also fuse metadata analysis from E-PXE with other information (e.g. open-source intelligence (OSINT), location data, etc.) in SS8’s Intellego XT platform. The combined insights help determine patterns of life and enable intelligence-led criminal investigations.

Encryption Makes internet Communications Go Dark

Today, most communications services on the internet are encrypted using Transport Layer Security (TLS) 1.2, including 76% of fully qualified domains (, 2022). This includes most platform providers, including software, hardware, and internet browsers from Apple, Google, and Microsoft.

TLS 1.3 was introduced in 2018 and offers greater security and less latency than TLS1.2, but implementation has been slower than expected. This is largely because all devices, web browsers, and applications – which means millions of interconnections – must first adopt the new protocol to ensure there are no gaps in the encryption.

The current encryption trend also extends to popular Over The Top (OTT) communication applications such as Telegram, Signal, Messenger, and WhatsApp as well as social media platforms like Facebook, Instagram, and Twitter.

While this approach adds greater consumer privacy protections, it has the disadvantage of hiding the communications of legitimate surveillance targets from traditional lawful interception techniques.

E-PXE Throws Light on Encrypted Communications

SS8 has over 20 years of experience using Deep Packet Inspection (DPI) technology to maximize the intelligence LEAs can extract from encrypted traffic. DPI is an advanced network traffic analysis method that goes beyond conventional packet header filtering to locate, identify, and reroute or block packets with specific data or code payloads. Our Enhanced Protocol eXtraction Engine is a highly-optimized DPI that analyzes the encrypted communications of subjects of interest and provides insights into patterns of life, such as:

  • What applications and devices they use
  • When they use them
  • Where they use them
  • Whom they communicate with

SS8 leverages E-PXE throughout our end-to-end solution. A person of interest’s data is captured by our Xcipio probes, which are deployed in communications service providers’ (CSP) networks. The captured data is then ingested into our Intellego XT solution, which uses E-PXE to extract and analyze metadata from the captured data sessions.

Visualization of Application Use by Volume

With North American home broadband services averaging over 512 GB of data usage per month (OpenVault, Q421), and the average North American smart phone using over 11 GB of data per month (Ericsson, June 2021), E-PXE helps LEAs filter valuable intelligence from a sea of data flows.

Target Usage Metadata
Web Browsing URL, Hostname
Chat/Messaging Chat ID, Nicknames
Email Account login, Email address
Voice and Video E. 164 Number, SIP

Extracting Metadata from Encrypted Data Streams

In the early days of encryption, it was possible to deterministically ascertain the communication service or application being used based on data exchanged through a Server Name Identifier (SNI) during the initiation of the secure connection (D. Eastlake 3rd, 2011). However, over time SNIs have become less precise in this regard due to practices such as co-tenancy fronting (David Fifield*, 2015).

SS8 therefore uses a technique known as Heuristics Analysis, which identifies an application using a digital ‘signature’ derived from the metadata contained in the packet flow. This signature can also identify the type of communication (e.g. chat, messaging, voice calling, video calling, video streaming, etc.).

To ensure the accuracy of these signatures, SS8 reviews communications protocols and services regularly and investigates any newly discovered signatures. These files are frequently updated and can be applied in real time without impacting an analyst’s system – much like antivirus updates on a home computer.

Using Heuristics Analysis, all communications metadata can also be timestamped to determine the start and stop times of a particular interaction, which helps investigators establish a timeline of events related to a crime.

Additionally, the IP addresses of the end points, whether a server or another personal device, can be captured.

Understanding Patterns of Life

Additionally, metadata generated by E-PXE from encrypted communications can be vital in establishing patterns of life as part of an overall criminal investigation. The ability to know what applications a person of interest is using and when, or the IP address of an endpoint in a communication, allows law enforcement to subpoena the correct service provider or mobile operator to discover additional information about a suspect’s online activity.

Using IP addresses along with network address translation (NAT) binding record analysis, investigators may be able to identify the actual device being used and dynamically allocate it to a specific address at a specific time of day. Even if the IP addresses are not within the home country of the investigators, allocating them to an international service provider can establish other regions where a target may operate or have influence.

By identifying specific individuals related to captured metadata, law enforcement may also be able to obtain additional warrants for other devices owned by that individual. Smart household devices and services such as security cameras, for example, may also provide useful information, such as the ability to determine if a suspect is home at a given time.

When and where a person of interest uses a given application can also rule them out of an investigation. If a crime took place at the same time or in a different location, it may be less likely the person was involved.

Correlating Data

SS8’s Intellego XT offers law enforcement robust data fusion capabilities, linking liveintercept and 3rd party data sources to reveal new insights. For example, data derived by EPXE, such as application use and time of day, can automatically be combined with OSINT data, such as an incriminating post from an anonymous user on social media, to help identify suspects.

While millions of users may be accessing a social media platform at the same time a given threat is posted, each subsequent post of the same nature by the same account significantly narrows the number of targets online for each session. Similarly, if it can be confirmed that a subject of interest did not access a particular social media platform at the same time an incriminating post was made, this can be combined with other evidence to potentially eliminate them from the investigation.

The Future

With the proliferation of connected devices in the home and at work, E-PXE’s ability to establish pattern of life will only increase. Taking the smart security camera example a step further, access to the metadata of motion-activated cameras can even help officers preparing to serve a search warrant identify which room of a house a suspect is in. Metadata from other smart home devices (e.g. other motion detectors, security alarms, locks, etc.) can be similarly useful to police and intelligence agents in establishing patterns of life or making an entry into a potentially dangerous situation.


The E-PXE solution from SS8 enables law enforcement and intelligence organizations to gather investigative intelligence from the metadata associated with encrypted internet communications.

By showing what applications, platforms, and services a person of interest uses, on what devices and when, this metadata is an essential part of developing a pattern of life analysis. It can also help reveal that person’s network and identify accomplices.

When combined with other data sources, like OSINT or time and location information, in SS8’s Intellego XT, metadata can reveal new clues to investigators, helping them see the big picture and build an intelligence-led criminal investigation.

The evolution of the Internet of Things (IoT) will make solutions such as E-PXE even more important in the future as investigators attempt to filter and identify useful data.

SS8 is at the forefront of lawful intercept technology and will continue to evolve E-PXE and all its solutions to create actionable intelligence that helps investigators fight serious crime.

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook

    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that is committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we have not implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you are currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.