Security Basics mailing list archives

Establish persistent outbound connection for covert application


From: David Siles <ctowizkid () gmail com>
Date: Tue, 23 Aug 2005 17:17:16 -0500

Hello all,

I am looking for some additional ideas for an application we are
trying to use for a law enforcement application.

We are currently using a product that allows us to install a software
shim on a suspect's PC and then connect into the PC at any given time
to perform forensic analysis.  While this works great, we consistently
run into the problem of personal firewalls, NAT devices, SP2, and
other ACLs that prevent us from connecting into the suspect machine.

While we usually have the suspect's full cooperation in the monitoring
efforts and we can initially configure their network and/or PC
configuration to allow this communication, things get changed.  Also we
run into the problem with dynamic addressing changing on us, which can
be a pain to keep track of unless we install some type of dyn dns
solution.

To tackle this problem I have been able to set up SSH tunneling and
make the suspect's computer establish the SSH connection to our
external facing test box and then have our forensic station connect
in and use the SSH to redirect the tunneling, but I would like to come
up with a better method.

I am asking if anyone has ideas on this to either reply to the list
for benefit of all or contact me directly.

I am looking for something that will connect outbound, preferably
covertly as a background/hidden process (e.g. fooing a netcat/cryptcat
connection) to an awaiting connection server or service for redirection.
SSH may be the best process here, but I don't like having to open an
SSH tunnel for this.  The application we are using is already running
encrypted traffic, so adding another layer of encryption also slows it
down.

The capability to make this application call home will be of great
benefit to many in the LEO community and if you're interested in what we
are doing, please feel free to contact me offlist.

Thanks,

Dave Siles
